Determining Domain Migration Strategies
If you are using Routing and Remote Access Service (RRAS) in a Windows NT environment to provide your users with remote access to the corporate network, consider upgrading your RRAS server early in the process of upgrading member servers. Upgrading early is valuable because of the way the RRAS process works in Windows NT; specifically, the way it checks RRAS properties such as availability of RRAS access or dial-back for a user.
RRAS must run even when no users are logged on to the system. The service runs as LocalSystem. When a service logs on as LocalSystem, it logs on with NULL credentials, which means the service does not provide a user name or password. As a result, the account cannot be used to access network resources that rely on NTLM authentication unless the remote computer allows access with NULL credentials (referred to as a NULL session). RRAS in Windows NT uses the LocalSystem account.
By default, Active Directory does not accept querying of object attributes through NULL sessions, so in a mixed environment, a Windows NT RRAS server is not able to retrieve user RRAS properties unless all of the following conditions are met:
Use the workaround in the last condition only after understanding its impact on Active Directory security. If this workaround conflicts with your security requirements, it is recommended that you upgrade the Windows NT RRAS server to Windows 2000 and make it a member of a Windows 2000 mixed or native domain. This will prevent inconsistent behavior while the domain is in mixed mode, as described in the second condition.