Active Directory

First DC in Domain Problem

Why do Windows 2000-based clients connect only to the Domain Controller that was upgraded first in a Mixed-Mode Domain?

After you upgrade the first of multiple Windows NT Server 4.0-based domain controllers to Windows 2000 or to Windows Server 2003, all of the domain's Windows 2000 Professional-based and Windows XP-based clients connect to that domain controller for authentication. These clients do not connect to any other domain controller; therefore, the upgraded domain controller may become overloaded, and you may also lose fault tolerance. See KB article 284937 (linked below) for more information.

To resolve this problem, obtain the latest service pack for Windows 2000.

Before you apply the latest service pack to a computer that you want to upgrade from Windows NT Server 4.0 to Windows 2000 Service Pack 1 (SP1), follow these steps on the Windows NT Server 4.0 primary domain controller (PDC):


  1. On the computer that is running the Windows NT Server 4.0 PDC, start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\
  3. Click Add Value on the Edit menu, and then add the following registry value:
     Value name: NT4Emulator
     Data type: REG_DWORD
     Radix: Hex
     Value data: 0x1
  4. Quit Registry Editor.
  5. Apply the latest service pack for Windows NT 4.0.

Note: If you run Dcpromo.exe before you add the registry value, all Windows 2000 Professional-based computers and member servers must rejoin the domain. You can use the Netdom utility to rejoin member servers.

You can also use this procedure to upgrade a computer that is running Windows NT 4.0 as a backup domain controller (BDC). You do not need to make any changes to the computers that are running Windows 2000 Professional or to member servers in the domain.

This procedure is a temporary solution. When you have sufficient Windows 2000 domain controllers, remove the NT4Emulator registry value from all the Windows 2000 domain controllers.

To perform remote administration on Windows 2000 domain controllers that have the NT4Emulator registry value after you install the Windows 2000 Administration Tools package, follow these steps:
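The cleanup step above (removing NT4Emulator from every domain controller once enough Windows 2000 DCs exist) is easy to leave half done, so here is an added audit script; it is not from the original article or from Microsoft. It assumes the ActiveDirectory PowerShell module, the Remote Registry service reachable on each DC, and Domain Admin rights; the -Remove switch is the script's own.

```powershell
# Added example: report, and optionally remove, the NT4Emulator value under
# HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters on every DC in the domain.
# Assumes: ActiveDirectory module, Remote Registry reachable, Domain Admin context.
param(
    [switch]$Remove   # without -Remove the script only reports (assumed switch name)
)

Import-Module ActiveDirectory

$subKey    = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$valueName = 'NT4Emulator'

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $hklm = $null
    $key  = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        # Open the key writable only when we intend to delete the value
        $key = $hklm.OpenSubKey($subKey, $Remove.IsPresent)
        if ($null -eq $key) { throw 'Netlogon\Parameters key not found' }

        $data  = $key.GetValue($valueName)        # $null when the value is absent
        $state = 'absent'
        if ($null -ne $data) {
            $state = "present ($data)"            # the article sets it to 0x1
            if ($Remove) {
                $key.DeleteValue($valueName)
                $state += ', removed'
            }
        }
        [pscustomobject]@{ DC = $dc.HostName; NT4Emulator = $state }
    }
    catch {
        # Unreachable DC, missing key, or insufficient rights: surface it, keep going
        [pscustomobject]@{ DC = $dc.HostName; NT4Emulator = "error: $($_.Exception.Message)" }
    }
    finally {
        if ($key)  { $key.Close() }
        if ($hklm) { $hklm.Close() }
    }
}

$report | Format-Table -AutoSize
```

Run it without -Remove first and keep the report; any DC still showing the value present is one that will keep answering like an NT 4.0 controller to Windows 2000 clients.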

  1. On the computer that is running Windows 2000 Professional or a member server, start Registry Editor (Regedt32.exe).
  2. Locate and click the following key in the registry:
     HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\
  3. Click Add Value on the Edit menu, and then add the following registry value:
     Value name: NeutralizeNT4Emulator
     Data type: REG_DWORD
     Radix: Hex
     Value data: 0x1
  4. Quit Registry Editor.

Use Dcpromo.exe to upgrade, and then apply the latest service pack.

Links

Windows 2000-Based Clients Connect Only to the Domain Controller That Was Upgraded First in a Mixed-Mode Domain – 284937
