Windows 2000 and Windows Server 2003 Setup Does Not Succeed When You Upgrade from a Windows NT 4.0-Based Primary Domain Controller (811961)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, 64-Bit Datacenter Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, 64-Bit Enterprise Edition
IMPORTANT: This article contains information about modifying the registry.
Before you modify the registry, make sure to back it up and make sure that you
understand how to restore the registry if a problem occurs. For information
about how to back up, restore, and edit the registry, click the following
article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry

SYMPTOMS
When you upgrade a Microsoft Windows NT 4.0-based primary
domain controller (PDC) to Windows 2000 or Windows Server 2003 by using
Winnt32.exe (including the /checkupgradeonly switch), the upgrade may not
succeed. When this behavior occurs, the following error message is recorded
in the System Compatibility report:
No quarantined trusted domains can exist during NT 4 PDC upgrade

CAUSE
You receive this error message when you are upgrading a
Windows NT 4.0-based PDC in a domain where security identifier (SID) filtering
has been enabled for one or more trusted domains.

RESOLUTION
WARNING: If you use Registry Editor incorrectly, you may cause serious
problems that may require you to reinstall your operating system. Microsoft
cannot guarantee that you can solve problems that result from using Registry
Editor incorrectly. Use Registry Editor at your own risk.
Windows NT 4.0 Service Pack 4 (SP4) adds
support for SID filtering. With SID filtering, the administrator of a trusting
domain can quarantine SIDs from specified trusted domains. The Setup program
(Winnt32.exe) for Windows 2000 and Windows Server 2003 requires that you
disable SID filtering on external trusts before you can upgrade a Windows NT
4.0-based PDC to Windows 2000 or Windows Server 2003. To disable SID filtering,
you remove the NetBIOS names of quarantined domains in the QuarantinedDomains
value in the registry (you do this by deleting the QuarantinedDomains value).
To do this:
- From the console of the Windows NT 4.0-based PDC in a
trusting domain that you want to upgrade to Windows 2000 or Windows Server
2003, log on with an account that is a member of the Domain Administrators
group.
- Start Registry Editor (Regedt32.exe).
- Locate the following registry value:
  Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  Value: QuarantinedDomains
  Data type: REG_MULTI_SZ
- Back up the QuarantinedDomains registry value.
- Delete the QuarantinedDomains value from the
  registry. This step disables SID filtering for all outgoing external trusts.
  Note: Deleting the quarantined NetBIOS domain names is not sufficient
  to allow Winnt32.exe (Setup) to succeed. You must delete the
  QuarantinedDomains value. You do not have to restart the computer or the
  Netlogon service for the registry deletion to take effect.
- For consistent behavior, delete the quarantined domains on
  all Windows NT 4.0-based backup domain controllers (BDCs) in the domain where
  you are upgrading the Windows NT 4.0-based PDC.
- Upgrade the PDC to Windows 2000 or Windows Server 2003 by
using Winnt32.exe.
- Reconfigure SID filtering as required.
If you apply SID filtering to any trusted domains in the future, remember that
the methods to quarantine a domain differ on Windows NT 4.0-based domain
controllers and Windows 2000-based and Windows Server 2003-based servers. For
Windows 2000-based and Windows Server 2003-based domain controllers, use Netdom
on one of the domain controllers. For Windows NT 4.0-based BDCs, add the new
trusted domain's NetBIOS domain name to the QuarantinedDomains registry value
on all the Windows NT 4.0-based BDCs in the trusting domain for consistent
behavior.
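
The backup taken before the deletion is the only record of which trusted domains were quarantined and must be re-quarantined after the upgrade. The following added example (not part of the original article or of any Microsoft tool) assumes the backup was made as a Regedit.exe text export of the Netlogon\Parameters key; it recovers the stored NetBIOS names and distinguishes a deleted value from one that was merely emptied. The sample export and the domain names CORP-EAST and LAB are constructed.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
VALUE = "QuarantinedDomains"

# Constructed sample export; CORP-EAST and LAB are made-up NetBIOS domain names.
SAMPLE_BACKUP = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"Update"="no"
"QuarantinedDomains"=hex(7):43,4f,52,50,2d,45,41,53,54,00,4c,41,\
  42,00,00
'''

def quarantined_domains(export_text):
    """Return the names stored in QuarantinedDomains, or None if the value is absent."""
    # REGEDIT4 exports store REG_MULTI_SZ as ANSI bytes (Western code page assumed);
    # "Windows Registry Editor Version 5.00" exports store UTF-16LE.
    first = export_text.lstrip("\ufeff").lstrip().split("\n", 1)[0].strip()
    encoding = "cp1252" if first == "REGEDIT4" else "utf-16-le"
    # A trailing backslash continues hex data on the next line; rejoin before parsing.
    joined = re.sub(r"\\[ \t\r]*\n[ \t]*", "", export_text)
    in_key = False
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.strip("[]").lower() == KEY.lower()
        elif in_key and line.lower().startswith(f'"{VALUE.lower()}"='):
            kind, _, data = line.split("=", 1)[1].partition(":")
            if kind.lower() != "hex(7)":
                raise ValueError(f"{VALUE} is {kind}, expected REG_MULTI_SZ (hex(7))")
            raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
            # Names are NUL-separated and the list ends with an extra NUL.
            return [n for n in raw.decode(encoding).split("\x00") if n]
    return None

def setup_precheck(export_text):
    """Apply the article's rule: the value must be deleted, not just emptied."""
    names = quarantined_domains(export_text)
    if names is None:
        return "ready"
    return "blocked: value present" + (f" ({', '.join(names)})" if names else " but empty")

if __name__ == "__main__":
    print("Domains to re-quarantine after upgrade:", quarantined_domains(SAMPLE_BACKUP))
    print("Pre-upgrade check on this export:", setup_precheck(SAMPLE_BACKUP))
```

Run it against the backup export to get the list for the reconfiguration step, and against a fresh export from the PDC and each BDC to confirm the value is gone before starting Winnt32.exe.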

MORE INFORMATION
SID filtering increases the security of communications
across domains or forests. By using SID filtering, an administrator can specify
that the domain controllers in a particular domain quarantine a trusted domain.
This causes the domain controllers in a trusting domain to remove all the SIDs
that do not originate from the trusted domain. This can help to prevent
authorization data from passing to resources that are located in the trusting
domain. After you upgrade a Windows NT 4.0-based PDC, it is a good idea to
determine whether SID filtering is still necessary. For more information about
how to determine this in Windows Server 2003, click Start,
click Help and Support, type securing external
trusts in the Search box, and then press ENTER.

Modification Type: Major
Last Reviewed: 4/13/2006
Keywords: kbprb KB811961