After you switch from mixed mode to native mode in Windows 2000, clients cannot log on to a Windows 2000 domain (298861)
The information in this article applies to:
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Professional SP1
This article was previously published under Q298861 SYMPTOMSAfter you switch a Microsoft Windows 2000 domain from mixed mode to native mode, Windows 2000-based client computers cannot log on to the domain. CAUSEThis problem occurs when a domain user on the Windows 2000-based computer tries to authenticate to the domain by using the Kerberos protocol, and the Windows NT hash for the domain user account is not available or is missing on the Windows 2000-based client computer. In this case, authentication fails, and the system does not try to authenticate by using NTLM authentication.
By default, the Windows 2000-based client first tries to use Kerberos
authentication in a Windows 2000 domain if all other computers that are involved in the logon are also running Windows 2000. For example, a domain user on a Windows 2000-based client computer will try to use Kerberos authentication when the user authenticates to a Windows 2000-based domain controller that is part of the same forest. However, if Kerberos authentication fails, NTLM is used to authenticate the domain user account. RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to obtain the latest Windows 2000 service pack
STATUS This problem was first corrected in Windows 2000 Service Pack 3.
| Modification Type: | Minor | Last Reviewed: | 9/23/2005 |
|---|
| Keywords: | kbHotfixServer kbQFE kbbug kbfix kbQFE kbSecurity kbWin2000PreSP3Fix kbWin2000sp3fix KB298861 kbAudITPRO |
|---|
|