configuring trusts between an Windows NT4 domain and sevrer 2008 domain

-

hi guys,

i'm @ wits end trying configure trust between windows nt4 , windows server 2008 domains.

there 2 ms articles have followd advising different changes in default domain controllers gpo in 2008 domain , these follows:

i have set allow cryptography algorithms compatible windows nt 4.0 setting

and following gpo settings:
  network access: allow anonymous sid/name translation -   enabled
  network access: not allow anonymous enumeration of sam accounts -    disabled
  network access: not allow anonymous enumeration of sam accounts , shares -   disabled
  network access: let permissions apply anonymous users -   enabled
  network access: named pipes can accessed anonymously -   enabled
  network access: restrict anonymous access named pipes , shares -   disabled
  network security: lan manager authentication level -   "send ntlm response only"
  microsoft network client: digitally sign communications (always) -   disabled
  microsoft network client: digitally sign communications (if server agrees) -   enabled
  microsoft network server: digitally sign communications (always) -   disabled
  microsoft network server: digitally sign communications (if client agrees) -   enabled
  domain member: digitally encrypt or sign secure channel data (always) -   disabled
  domain member: digitally encrypt secure channel data (when possible)   - enabled
  domain member: digitally sign secure channel data (when possible) -   enabled
  domain member: require strong (windows 2000 or later) session key -   disabled

the 2008 domain trusts nt4 domain when trying sset nt4 side of trust error 'could not find domain controller domain'. can ping 2008 dc nt4 side , following shows in nt4 betbios cache:

              netbios remote cache name table
 
    name              type       host address    life [sec]
------------------------------------------------------------
2008-domain    <00>  group       0.0.0.0             175
2008-domain    <1c>  group       10.30.105.49        -1
2008-domain    <1b>  unique      10.30.105.49        -1
2008-dc        <03>  unique      10.30.105.49        -1
2008-dc        <00>  unique      10.30.105.49        -1
2008-dc        <20>  unique      10.30.105.49        -1
can hlep me out working?

thanks in advance



hi shadowman123,

i'm little confused i've read other people have sucessfully created nt4 trust. saying completly impossible nt4 domain trust 2008 domain?

sainath irp_mj_create - have 2 domains never upgraded 1 reason or another. we're consolodating domains , need migrate off of nt4 in interim need trusts between domains.
hi,

have configure on nt4 domain, ntlmv2 authentication (this can break existing trust using ntlmv1).
after installing sp4, perform following steps configure lm compatibility level on windows nt workstations , servers. make sure sp4 windows nt installed.
  1. run registry editor (regedt32.exe).
  2. from hkey_local_machine subtree, go following key:
    hkey_local_machine\system\currentcontrolset\control\lsa\
  3. click add value on edit menu.
  4. add following values: 
          value name: lmcompatibilitylevel
            data type: reg_dword
            data:  5
  5. hkey_local_machine subtree, go following key:
    hkey_local_machine\system\currentcontrolset\control\lsa\msv1_0
  6. click add value on edit menu.
  7. add following values: 
          value name: ntlmminclientsec
            data type: reg_dword
            data:  0 (default) or defined above
      
            value name: ntlmminserversec
            data type: reg_dword
            data:  0 (default) or defined above
  8. click ok , quit registry editor.
  9. shut down , restart windows nt.
please read support article careful:
how disable lm authentication on windows nt4

on windows 2008 domain need modify group policy
configuring following policy setting: computer configuration\windows settings\security settings\local polices\security options\network security: lan manager authentication level selecting “send ntlmv2 response only\refuse lm & ntlm” option in policy setting.

please careful;
i’ve heard of administrators have implemented setting (a) older network appliances stop working since rely on ntlmv1 , can’t ntlmv2, , (b) integrated windows authentication can fail external users trying access sharepoint sites. there may other side effects environment, sure test if plan on making change on network.
certifications: mcsa 2003 mcse 2003


Windows Server  >  Windows Server General Forum



Comments

Post a Comment

Popular posts from this blog

CRL Revocation always failed

-
hi all, i try configure radius server nps, somehow certificate authentication client failed with reason: reason = revocation function unable check revocation because revocation server offline. then check certificate client, certutil -f -urlfetch -verify client7.cer, result follow: issuer:     cn=entca     dc=intra     dc=domain     dc=co     dc=sg subject:     cn=computer.intra.domain.co.sg cert serial number: 1c5b00de000000000041 dwflags = ca_verify_flags_allow_untrusted_root (0x1) dwflags = ca_verify_flags_ignore_offline (0x2) dwflags = ca_verify_flags_full_chain_revocation (0x8) dwflags = ca_verify_flags_console_trace (0x20000000) dwflags = ca_verify_flags_dump_chain (0x40000000) chainflags = cert_chain_revocation_check_chain (0x20000000) hcce_local_machine cert_chain_policy_base -------- cert_chain_context -------- chaincontext.dwinfostatus = ce...
Read more

Failed to query the results of bpa xpath

-
Image
i have new server installed hyper v, iis , domain services roles on it.  i checking event log , see warning multiple times, idea how rid of it?? failed query results of bpa xpath: microsoft/windows/fileservices:$reports$\*\result.xml:/resultdatabase/result. error: device attached system not functioning., last error: system cannot find path specified.. follow me on twitter <<< levalencia blog <<< hi, similar issue discussed in forum: to rid of warnings: 1. go dashboard 2. click on add roles , features 3. click next "before begin step" 4. select "role based or feature based installation" , click next 5. select given server server pool , click next 6. in server roles step make sure following checked:   file , storage services > file , iscsi services > file server, click next 7.click next through rest of steps , install server role 8. rerun bpa scan described earlier for more information please refer foll...
Read more

0x300000d errors in Microsoft Remote Desktop client

-
we use rd connect home users office. @ server side remote desktop gateway configured on 2008r2 server. experience following:   for years worked fine, starting last year users apple macbook experienced connection errors after new version of microsoft remote desktop in app store , automatic update. after couple of weeks error disappaered when new updates released. since 6 8 weeks problem again. because don’t have macbook cannot reproduce problem.   starting couple of weeks samsung s6 experiencing problems, here version 8.1.37.135 installed, error displayed is: can’t connect tot remote pc because remote desktop gateway server temporaraily unavailable. try connecting later or contact network administrator assistance. error code  0x300000d   because has worked fine years expect issues on client can configuration error on gateway server.   who pin point real cause?   however, testing other rd gateway server works ok settings identically....
Read more