Using Windows NT 4.0 RAS Servers in a Windows 2000 Domain

ID: Q240855


The information in this article applies to:
  • Microsoft Windows NT Server version 4.0
  • Routing and Remote Access Service (RRAS) version 1.0
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server


SYMPTOMS

When you connect a remote Windows-based client to a Windows NT 4.0 Remote Access Services (RAS) or Routing and Remote Access Services (RRAS) server that is a member of a Windows 2000 domain, authentication may not succeed if you log on with a Windows 2000 domain account.

Additionally, authentication may not succeed when you connect to a RAS server running Windows 2000 that is a member of a Windows NT 4.0 domain and that must access user account properties for a user account in a trusted Windows 2000 domain.

If you log on with an account from the local accounts database of the Windows NT 4.0 RAS or RRAS server, or of the Windows 2000 RAS server, the connection may succeed.


CAUSE

A server running Windows NT 4.0 and RAS or RRAS in the LocalSystem security context that is a member of a Windows 2000 domain cannot validate remote access credentials of domain accounts unless the server is also a domain controller. If the server is not a domain controller, only accounts in the local accounts database are validated. By default, the LocalSystem security account on the RAS or RRAS server running Windows NT 4.0 does not have any permissions to read properties of objects in Windows 2000 Active Directory.

This security situation also exists for the following configurations:

  • A server running Windows NT 4.0 and RAS or RRAS that is a member of a Windows NT 4.0 domain and that accesses user account properties for a user account in a trusted Windows 2000 domain.

  • A RAS server running Windows 2000 that is a member of a Windows NT 4.0 domain and that accesses user account properties for a user account in a trusted Windows 2000 domain.


In both of these cases, a RAS server running Windows NT 4.0 or later must access user account properties in a Windows 2000 domain.


RESOLUTION

To enable a Windows 2000-based domain controller to allow a RAS or RRAS server running Windows NT 4.0 with Service Pack 4 or later, or a RAS server running Windows 2000 in a trusted Windows NT 4.0 domain, to access user account properties from a remote Windows 2000-based domain controller, select the Permissions compatible with pre-Windows 2000 servers option during the domain controller promotion process (Dcpromo.exe). Or, type the following line at a command prompt on the Windows 2000 domain controller, and then restart that domain controller:

net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

If you have multiple domain controllers, you need to do this on only one of them.

NOTE: Windows NT 4.0 RAS or RRAS servers that are not running Service Pack 4 or later will not work in any of these scenarios.

Active Directory security must be loosened in this situation because the usual Active Directory security, which uses user principal names, certificates, and the Kerberos version 5 protocol, is not used by RAS servers running Windows NT 4.0 or Windows 2000 that are members of a Windows NT 4.0-based domain. Without Kerberos authentication, the RAS server does not have permission to read user account properties in the Active Directory domain. Therefore, the security of the Active Directory domain must be loosened so that the RAS server can use NTLM security to read user account properties.
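As an added audit helper that is not part of this article, the following Python script parses the output of the net localgroup command shown above and reports whether Everyone is a member of the "Pre-Windows 2000 Compatible Access" group, which is the loosened state the article describes. The sample output is constructed; query_live() is assumed to run on a Windows domain controller where the net tool is available, and its parsing assumes the usual net localgroup output layout.

```python
import subprocess

GROUP = "Pre-Windows 2000 Compatible Access"

# Constructed sample of `net localgroup "Pre-Windows 2000 Compatible Access"` output
# on a domain controller after the Resolution section's command has been run.
SAMPLE_OUTPUT = """\
Alias name     Pre-Windows 2000 Compatible Access
Comment        A backward compatibility group which allows read access on all users and groups in the domain

Members

-------------------------------------------------------------------------------
Everyone
The command completed successfully.
"""

def parse_members(output):
    """Member names listed by `net localgroup <group>`: the non-empty lines between
    the dashed separator and the 'The command completed successfully.' trailer."""
    members, in_members = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("---"):
            in_members = True
        elif in_members and line.startswith("The command completed"):
            break
        elif in_members and line:
            members.append(line)
    return members

def is_loosened(members):
    """True when Everyone is a member, i.e. the group is in the loosened state the
    article requires so that NTLM-based RAS servers can read account properties."""
    return any(m.casefold() == "everyone" for m in members)

def query_live(group=GROUP):
    """Run the command on a Windows domain controller and parse its output (assumed)."""
    completed = subprocess.run(["net", "localgroup", group],
                               capture_output=True, text=True, check=True)
    return parse_members(completed.stdout)

if __name__ == "__main__":
    members = parse_members(SAMPLE_OUTPUT)  # replace with query_live() on a real DC
    state = "loosened (Everyone present)" if is_loosened(members) else "default"
    print(f"{GROUP}: {state}; members: {', '.join(members) or '(none)'}")
```

Running it on captured output from each domain controller shows which ones still carry the Everyone membership once the Windows NT 4.0 RAS servers it was added for are gone.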


MORE INFORMATION

If your Windows 2000 Active Directory was upgraded from a prerelease version earlier than RC2 (specifically, Beta 3 or RC1), the resolution above may not work, because the new built-in "Pre-Windows 2000 Compatible Access" group requires a schema and security update. Note that if the first domain controller in your forest was installed using RC2 or later, you do not require, and should not apply, the following fix.

A supported fix that corrects this problem is now available from Microsoft, but it has not been fully regression tested and should be applied only to systems experiencing this specific problem.

To resolve this problem, contact Microsoft Product Support Services to obtain the fix. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web:

http://www.microsoft.com/support/supportnet/overview/overview.asp

Please refer to your Beta documentation for information about how to obtain support and fixes for Windows 2000 RC2.

The English-language version of this fix should have the following file attributes or later:

   Date        Time     Version      Size     File name     Platform
   -----------------------------------------------------------------
   09/14/1999  06:12p   N/A          81,128   Fixlegcy.exe  x86

This fix cleans up the Active Directory information that is used to authenticate users on Windows NT 4.0 RAS servers before RC2. It is no longer needed in RC2 because the new "Pre-Windows 2000 Compatible Access" group handles this starting in RC2. After you run this fix on a domain controller using the included instructions, you still need to use the net localgroup command that is listed in the "Resolution" section above to allow Windows NT 4.0 RAS servers to authenticate users from your Windows 2000 domain.

Additional query words: ntrouter RRAS steel head steelhead

Keywords : ntras ntdomain ntsecurity
Version : WINDOWS:2000; winnt:1.0,4.0
Platform : WINDOWS winnt
Issue type : kbprb


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved.