Using Windows NT 4.0 RAS Servers in a Windows 2000 Domain (240855)
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows NT Server 4.0
This article was previously published under Q240855
SYMPTOMS
When a remote Windows-based client connects to a Windows NT 4.0 Remote Access Service (RAS) or Routing and Remote Access Service (RRAS) server that is a member of a Windows 2000 domain, authentication may fail if the user logs on with a Windows 2000 domain account.
Authentication may also fail when the client connects to a Windows 2000 RAS server that is a member of a Windows NT 4.0 domain and the user account belongs to a trusted Windows 2000 domain, because the RAS server must read that account's properties from the trusted Windows 2000 domain.
If the user logs on with an account from the RAS or RRAS server's own local accounts database (whether the server runs Windows NT 4.0 or Windows 2000), the connection may succeed.
CAUSE
A Windows NT 4.0 server that runs RAS or RRAS (both run in the LocalSystem security context) and is a member of a Windows 2000 domain cannot validate the remote access credentials of domain accounts unless the server is also a domain controller. If the server is not a domain controller, only accounts in its local accounts database are validated. By default, the LocalSystem account of a Windows NT 4.0 RAS or RRAS server has no permission to read the properties of objects in Windows 2000 Active Directory, which is where the dial-in properties of a domain account are stored.
The same restriction applies to the following configurations:
- A server running Windows NT 4.0 and RAS or RRAS that is a member of a Windows NT 4.0 domain that is accessing user account properties for a user account in a trusted Windows 2000 domain.
- A RAS server running Windows 2000 that is a member of a Windows NT 4.0 domain that is accessing user account properties for a user account in a trusted Windows 2000 domain.
In both cases, a RAS server running Windows NT 4.0 or Windows 2000 must read user account properties from a Windows 2000 domain without the permissions that Active Directory normally requires.
RESOLUTION
To allow a Windows 2000 domain controller to serve user account properties to a RAS or RRAS server running Windows NT 4.0 Service Pack 4 or later, or to a Windows 2000 RAS server in a trusted Windows NT 4.0 domain, do one of the following:
- During promotion of the domain controller (Dcpromo.exe), select the "Permissions compatible with pre-Windows 2000 servers" option.
- On an existing domain controller, type the following line at a Windows 2000 command prompt, and then restart the domain controller:
net localgroup "Pre-Windows 2000 Compatible Access" everyone /add
If you have multiple domain controllers, you need to do this on only one of them; the group membership is stored in Active Directory and replicates to the other domain controllers.
NOTE: Windows NT 4.0 RAS or RRAS servers that are not running Service Pack 4 or later will not work in any of these scenarios, regardless of this setting.
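The following batch script is an added example and is not part of the original article. It wraps the resolution above so that an administrator can grant the permission while Windows NT 4.0 RAS servers remain, verify the current state, and revoke it again once the last such server has been retired. The script name (pre2k-compat.cmd) and the "add", "remove" and "check" arguments are assumptions for this example; it relies on "net localgroup" listing Everyone by name in the group's member list, and it must be run from an administrative command prompt on a Windows 2000 domain controller.

```batch
@echo off
rem Added example, not from the KB article: manage membership of Everyone in the
rem "Pre-Windows 2000 Compatible Access" group on a Windows 2000 domain controller.
rem   pre2k-compat.cmd add     - grant access (needed while NT 4.0 RAS servers remain)
rem   pre2k-compat.cmd remove  - revoke access once the last NT 4.0 RAS server is gone
rem   pre2k-compat.cmd check   - report the current state only (default)
rem The script name and argument names are assumptions made for this example.
setlocal
set GROUP=Pre-Windows 2000 Compatible Access
set MODE=%1
if "%MODE%"=="" set MODE=check

if /i "%MODE%"=="add" (
    rem Same command as the article's resolution; the change replicates to other DCs.
    net localgroup "%GROUP%" everyone /add
)
if /i "%MODE%"=="remove" (
    rem Reverse the change so anonymous callers can no longer read account attributes.
    net localgroup "%GROUP%" everyone /delete
)

rem Verify by listing the group's members and looking for Everyone.
net localgroup "%GROUP%" | findstr /i /c:"Everyone" >nul
if errorlevel 1 (
    echo Everyone is NOT a member of "%GROUP%".
    echo Windows NT 4.0 RAS and RRAS servers cannot read dial-in properties of domain accounts.
) else (
    echo Everyone IS a member of "%GROUP%".
    echo Anonymous reads of user and group attributes are permitted; restart the domain controller if the membership was just changed.
)
endlocal
```

Run the script with "check" first on the domain controller to see whether the group was already configured during Dcpromo; the "remove" mode exists because the loosened permission is only needed for as long as the pre-Windows 2000 RAS servers are in service.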
Active Directory security must be loosened in this situation because RAS servers running Windows NT 4.0, and Windows 2000 RAS servers that are members of a Windows NT 4.0 domain, do not use the usual Active Directory security mechanisms (user principal names, certificates, and the Kerberos version 5 protocol). Without Kerberos authentication, the RAS server has no permission to read user account properties in the Active Directory domain, so the domain's security must be loosened to let the RAS server read those properties over NTLM. Because Everyone in Windows 2000 includes anonymous connections, this also permits anonymous reads of user and group attributes; once the last RAS server that needs it has been retired, remove the permission again with net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete.
Modification Type: Minor
Last Reviewed: 10/17/2005
Keywords: kbprb KB240855