Internet Authentication Service


Windows 2000 Mixed-Mode Domains or Windows NT 4.0 Domains

Windows 2000 mixed-mode domains are mainly used for migration from Windows NT 4.0 to Windows 2000. For IAS, a mixed-mode domain acts exactly like a Windows NT 4.0 domain.

For an IAS server that is a member of a Windows 2000 mixed-mode domain, the following authentication and remote access management features are available:

Just as in Windows 2000 native-mode domains, for the IAS server to access user account dial-in properties stored in Active Directory, the Internet Authentication Service must run in the security context of a computer account that is a member of the RAS and IAS Servers security group. You can make this assignment through Active Directory Users and Computers or by registering the IAS server in the Internet Authentication Service snap-in. You can also use the netsh ras add registeredserver command.

If the IAS server is a member of a Windows NT 4.0 domain but has to authenticate users against a trusted Active Directory domain, it cannot gain access to Active Directory because its computer account cannot become a member of the RAS and IAS Servers security group. In this case, verify that the Everyone group has been added to the Pre-Windows 2000 Compatible Access group by using the net localgroup "Pre-Windows 2000 Compatible Access" command. If it has not, issue the net localgroup "Pre-Windows 2000 Compatible Access" everyone /add command on a domain controller and then restart that domain controller.
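The verify-then-add step described above, written as a batch file that changes the group only when Everyone is missing. This is an added example, not part of the original topic; the temporary file name is hypothetical, and the script assumes an English-language system where the member is listed as "Everyone".

```batch
@echo off
rem Added example, not from the original topic.
rem Run in a command prompt on a domain controller of the trusted
rem Active Directory domain.
rem Assumption: English group and account names ("Everyone").
setlocal
set "GROUP=Pre-Windows 2000 Compatible Access"
rem Hypothetical scratch file for the member listing.
set "LIST=%TEMP%\prew2k_members.txt"

rem Step 1: list the current members; stop if the group cannot be queried.
net localgroup "%GROUP%" > "%LIST%" 2>&1
if errorlevel 1 (
    echo Could not query "%GROUP%":
    type "%LIST%"
    del "%LIST%"
    exit /b 1
)

rem Step 2: members are printed one per line, so look for a line
rem that begins with Everyone. findstr sets errorlevel 1 on no match.
findstr /i /b /c:"Everyone" "%LIST%" > nul
if errorlevel 1 (
    echo Everyone is not a member of "%GROUP%". Adding it.
    net localgroup "%GROUP%" everyone /add
    if errorlevel 1 (
        echo The add command failed. No restart is needed.
        del "%LIST%"
        exit /b 1
    )
    echo Added. Restart this domain controller as the topic directs.
) else (
    echo Everyone is already a member of "%GROUP%". No change made.
)

del "%LIST%"
endlocal
```

Because the script exits without changes when Everyone is already listed, it can be rerun after the restart to confirm the membership.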

© 1985-2000 Microsoft Corporation. All rights reserved.