Basically, here is the problem and the situation where you can run into it!

Imagine that you have an NT 4.0 Domain with all workstations running W2KPRO.
Let's say that's a scenario where you upgraded the clients before the
infrastructure. No problem. Everything is fine: W2KPRO tries to authenticate
with Kerberos first and falls back to NTLM next to authenticate
against the Windows NT 4.0 Domain.

Now, you want to upgrade the NT 4.0 Domain. You will proceed to an
in-place upgrade. So, you upgrade your NT 4.0 PDC.
Note: Basically, it is better to install a brand new machine as a BDC. The
new machine will be sized and configured (partitioned) correctly to receive
the Windows 2000 installation (SYSVOL, Logs, DIT, System, etc.). Once the
PDC-BDC replication is done, you promote this BDC to a PDC. Next you proceed
to the W2K in-place upgrade. Advantage: if you have to go back to the
original situation (for any reason), you didn't touch the original
installations.
No big trouble with tapes and so on ... You remove the new machine and you
promote your old PDC, which is a BDC at that point, back to a PDC.

With the W2K upgrade completed, your PDC is a PDC FSMO able to "talk" NTLM
and/or Kerberos. All the clients are W2KPRO. What's the default
authentication protocol for W2KPRO? Kerberos of course! Because there is a
W2K DC able to "talk" Kerberos, all the W2KPRO clients will authenticate by using
Kerberos. But this DC is the ONLY machine able to "talk" Kerberos! It means
that ALL W2KPRO clients will authenticate with this single DC!

First issue! So, make sure that, once you have the first W2K DC, you add
some more W2K DCs to share the authentication load.
Imagine that you upgrade the NT 4.0 PDC of a domain housing 2000 W2KPRO
clients (e.g. in a single building). You may have a disaster on Monday
morning ... A single DC will have a hard time authenticating 2000 clients
in the same 15 minutes ...

Next, imagine that you have to go back to the original situation (unstable,
etc.) and that the W2K DC is the only DC! Here is the trick! You re-insert
(or restore, or re-promote) the original PDC, which is a BDC at that time,
to an NT 4.0 PDC. Now, the only machine able to talk "Kerberos" is not there
anymore.

You may think that the W2KPRO client will try Kerberos first and fall back to NTLM
next? Answer: No!
This is where the problem arises. The W2KPRO client will never fall back to
NTLM as soon as one Kerberos authentication has succeeded.

Big problem! The only way to re-use NTLM is to remove the W2KPRO clients
from the Domain and re-join the Domain again.

Conclusion: Once the in-place upgrade is done, add some more W2K DCs. You will
share the Kerberos authentication load. You will avoid the annoying
situation where the W2KPRO clients don't use NTLM anymore, because even if you
removed the in-place-upgraded DC, you will have some other DCs to handle the
Kerberos authentications.

I presume that we should have a registry key somewhere to reset the W2KPRO
client to NTLM, but I can't find any KB article about this.

Does anyone have the registry information allowing a W2KPRO client to be
'switched' back into NTLM mode without rejoining the domain?

List info: http://www.activedir.org/mail_list.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
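The scenario above can be replayed as a small model of the client-side protocol selection the post describes: a W2KPRO client uses Kerberos whenever a Kerberos-capable DC is reachable, otherwise NTLM, and once one Kerberos logon has succeeded it will not fall back to NTLM until it is removed from and re-joined to the domain. This is an added example, not the poster's code or anything from Microsoft; it assumes a simplified "least-loaded reachable DC" choice, a constructed domain of 2000 clients with one PDC and one BDC, and it exists only to show the load concentration after the upgrade and the stuck state after rollback, and how extra W2K DCs avoid both.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class DomainController:
    name: str
    kerberos: bool          # True: Windows 2000 DC; False: NT 4.0 PDC/BDC (NTLM only)
    online: bool = True
    load: int = 0           # logons handled during the current logon storm


@dataclass
class Client:
    name: str
    kerberos_used: bool = False   # set once any Kerberos logon has succeeded
    last_dc: Optional[str] = None


class AuthenticationFailed(Exception):
    """The client cannot log on with any protocol it is still willing to use."""


def authenticate(client: Client, dcs: list[DomainController]) -> str:
    """Protocol the client ends up using, following the rules in the post."""
    online = [dc for dc in dcs if dc.online]
    kerberos_dcs = [dc for dc in online if dc.kerberos]
    if kerberos_dcs:                       # Kerberos first, least-loaded DC (assumption)
        dc = min(kerberos_dcs, key=lambda d: d.load)
        dc.load += 1
        client.kerberos_used = True        # from now on the client is locked to Kerberos
        client.last_dc = dc.name
        return "Kerberos"
    if client.kerberos_used:               # no fallback once Kerberos has succeeded
        raise AuthenticationFailed(
            f"{client.name}: no Kerberos DC reachable and the client will not fall "
            "back to NTLM; remove it from the domain and re-join")
    if not online:
        raise AuthenticationFailed(f"{client.name}: no domain controller reachable")
    dc = min(online, key=lambda d: d.load)  # NTLM against any NT 4.0 DC
    dc.load += 1
    client.last_dc = dc.name
    return "NTLM"


def rejoin_domain(client: Client) -> None:
    """Leaving and re-joining the domain resets the client's protocol state."""
    client.kerberos_used = False
    client.last_dc = None


def logon_storm(clients, dcs):
    """Every client logs on once: (protocol counts, per-DC load, failed clients)."""
    protocols: Counter = Counter()
    failed = []
    for c in clients:
        try:
            protocols[authenticate(c, dcs)] += 1
        except AuthenticationFailed:
            failed.append(c)
    return dict(protocols), {dc.name: dc.load for dc in dcs}, failed


def walk_through(extra_w2k_dcs: int = 0) -> dict:
    """Replay the post's stages with a constructed 2000-client domain."""
    clients = [Client(f"ws{i:04d}") for i in range(2000)]
    pdc = DomainController("PDC", kerberos=False)
    bdc = DomainController("BDC", kerberos=False)
    dcs = [pdc, bdc]
    out = {}
    # Stage 1: NT 4.0 domain, W2KPRO clients authenticate with NTLM
    out["nt4"], _, _ = logon_storm(clients, dcs)
    # Stage 2: PDC upgraded in place (plus optional extra W2K DCs); Monday morning
    pdc.kerberos = True
    for i in range(extra_w2k_dcs):
        dcs.append(DomainController(f"W2K-DC{i + 1}", kerberos=True))
    for dc in dcs:
        dc.load = 0
    out["after_upgrade"], out["load_after_upgrade"], _ = logon_storm(clients, dcs)
    # Stage 3: rollback, the upgraded PDC is removed and the old BDC is NT 4.0 PDC again
    pdc.online = False
    for dc in dcs:
        dc.load = 0
    out["rollback"], _, failed = logon_storm(clients, dcs)
    out["rollback_failures"] = len(failed)
    # Stage 4: the only cure the post knows: remove and re-join the stuck clients
    for c in failed:
        rejoin_domain(c)
    out["after_rejoin"], _, _ = logon_storm(failed, dcs)
    return out


if __name__ == "__main__":
    print("single W2K DC:", walk_through(0))
    print("three W2K DCs:", walk_through(2))
```

With a single upgraded DC every one of the 2000 logons lands on "PDC" and every client fails after the rollback; with two additional W2K DCs the load splits three ways and the rollback costs nothing, which is the post's conclusion expressed as a state machine.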
