Windows 2008 domain and NT 4 clients

  • Question

  • All Windows 2003 domain controllers will be replaced with Windows 2008 R2 domain controllers.

    The domain functional level is Windows 2003 and will be upgraded later.

    There are few NT 4 and Windows 2000 clients.

    Will upgrading all domain controllers to 2008 R2 cause problems for NT 4.0 and Windows 2000? Consider that the domain functional level is still 2003.

    Monday, November 26, 2012 2:49 PM

Answers

  • If your production environment includes client computers that run platforms that do not support SMB packet signing (for example, Microsoft Windows NT® 4.0 with Service Pack 2 (SP2)) or if it includes client computers that run platforms that do not support secure channel signing (for example, Windows NT 4.0 with Service Pack 3 (SP3)), you might have to modify default security policies to ensure that client computers running older versions of the Windows operating system or non-Microsoft operating systems will be able to access domain resources in the upgraded domain.

    More here: http://technet.microsoft.com/en-us/library/cc731654(WS.10).aspx

    Transitioning a Windows 2003 Domain to Windows 2008 R2
    http://networkadminkb.com/KB/a15/transitioning-a-windows-2003-domain-to-windows-2008-r2.aspx

    Adding first Windows Server 2008 R2 Domain Controller within Windows 2003 network
    http://kpytko.wordpress.com/2011/08/25/adding-first-windows-server-2008-r2-domain-controller-within-windows-2003-network/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, November 26, 2012 5:01 PM
  • I would agree with Sandesh that you need to update the security settings to be able to establish a secure channel between NT clients and your DCs. However, this is not recommended for security reasons and will be applied globally.

    Note also that NT clients are no longer supported by Microsoft and that their integration was not tested by Microsoft but may work. Note also that Microsoft CSS can provide a best-effort level of troubleshooting for such clients and will not escalate or provide hotfixes for them.

    Windows 2000 clients are also not supported by Microsoft and Microsoft CSS will ensure the same level of support.

    So, you will be able to integrate these client computers, but you may face issues in the future which may not be fixed. That is why you will need to upgrade your client computers / servers to a higher OS.

    For the Domain Functional level, note that it will not impact member servers or clients. Just note that the OS of the DCs in your domain should be equal to or higher than your DFL. That means that you can raise your DFL or even FFL to Windows Server 2008 R2 and benefit from the new features. However, you will no longer be able to add Windows Server 2003 DCs in this case.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, November 26, 2012 7:25 PM
  • All Windows 2003 domain controllers will be replaced with Windows 2008 R2 domain controllers.

    The domain functional level is Windows 2003 and will be upgraded later.

    There are few NT 4 and Windows 2000 clients.

    Will upgrading all domain controllers to 2008 R2 cause problems for NT 4.0 and Windows 2000? Consider that the domain functional level is still 2003.

    Windows 2008/R2 comprises enhanced security features such as AES/DES 128/256 with Kerberos, and it might not work with NT server. I hope you are aware that by running NT servers you are compromising your environment's security, because no more patches or service packs are being released. It's better to move away from NT before it's too late.

     Question

    • Can a Windows NT 4.0 member join a Windows Server 2008 R2 domain?
    • Can Windows7/2008 R2 join an NT 4.0 domain?
    • Can I create a two-way or outbound trust between an NT 4.0 PDC and Windows Server 2008 R2 PDCE?

    http://blogs.technet.com/b/askds/archive/2010/07/30/friday-mail-sack-newfie-from-the-grave-edition.aspx#nt4


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, November 27, 2012 9:08 AM
    Moderator

All replies

  • Hello,

    Please read kb942564 (for Windows NT):

    The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default

    For Windows 2000, you can join them to Active Directory and use them as member servers. You just can't promote them to DCs.

    Regards

    Monday, November 26, 2012 7:06 PM
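
The replies above refer to three DC-side controls that get relaxed to admit NT 4.0 clients: SMB packet signing, secure channel signing, and the Net Logon NT 4.0 cryptography setting from KB942564. The following read-only audit is an added example, not part of the thread; it assumes the standard registry values that back those policies and is meant to be run in an elevated PowerShell session on each domain controller.

```powershell
# Added example: report whether this DC still enforces the settings that
# block pre-signing / NT 4.0-era clients. Read-only; changes nothing.
$netlogonSvc = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$netlogonGpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
$smbServer   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Hardened = the value that keeps the protection enforced.
$checks = @(
    @{ Setting = 'SMB signing required (server)';      Path = $smbServer;   ValueName = 'RequireSecuritySignature'; Hardened = 1 },
    @{ Setting = 'Secure channel sign/seal required';  Path = $netlogonSvc; ValueName = 'RequireSignOrSeal';        Hardened = 1 },
    @{ Setting = 'Strong session key required';        Path = $netlogonSvc; ValueName = 'RequireStrongKey';         Hardened = 1 },
    @{ Setting = 'NT 4.0 crypto allowed (GPO)';        Path = $netlogonGpo; ValueName = 'AllowNT4Crypto';           Hardened = 0 },
    @{ Setting = 'NT 4.0 crypto allowed (local)';      Path = $netlogonSvc; ValueName = 'AllowNT4Crypto';           Hardened = 0 }
)

$report = foreach ($c in $checks) {
    $prop = Get-ItemProperty -Path $c.Path -Name $c.ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Key or value absent: the operating system default applies.
        $actual = $null
        $status = 'NotSet'
    } else {
        $actual = $prop.($c.ValueName)
        if ($actual -eq $c.Hardened) { $status = 'Hardened' } else { $status = 'Relaxed' }
    }
    New-Object PSObject -Property @{
        Setting   = $c.Setting
        ValueName = $c.ValueName
        Actual    = $actual
        Status    = $status
    }
}

$report | Select-Object Setting, ValueName, Actual, Status | Format-Table -AutoSize

# Anything 'Relaxed' applies to every client of this DC, not only the legacy ones.
$relaxed = @($report | Where-Object { $_.Status -eq 'Relaxed' })
if ($relaxed.Count -gt 0) {
    Write-Warning ("{0} setting(s) relaxed on {1}" -f $relaxed.Count, $env:COMPUTERNAME)
}
```

A `NotSet` result for `AllowNT4Crypto` corresponds to the default described in the KB title quoted above, where the older algorithms are not allowed.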