Deleting NT4Emulator registry entry resolves a past problem

vsmith3rd Member Posts: 142
I posted this problem here, but for the longest time, I could not find a solution.

http://www.techexams.net/forums/viewtopic.php?t=39037

It took the sixth Microsoft representative that one of my company's engineers spoke to, to resolve the situation.

There were a couple registry entries called NT4Emulator and NeutralizeNT4Emulator on the DC.

HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/NT4Emulator
and
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/NeutralizeNT4Emulator

This is some really obscure entry that's occasionally used for Active Directory DCs installed on NT Server networks with a large 2000/XP client base. Apparently, 2000/XP, by default, prefers Active Directory DCs. One could have a network of 100 NT4 DCs, and all is fine. Upgrade just one NT4 DC to Server 2000/2003 AD DC, and once it's discovered by the clients, they will ignore the NT4 DCs, and only authenticate to the AD DCs. Enabling the NT4Emulator allows the (in this case 2003 Server) Active Directory DC to emulate an NT4 server, preventing the flood of authentication requests from every client on the network. This entry was set on the DC long before I started working for the company, as the DCs were upgraded some time ago. I know this is an old issue, but I thought I'd share, as this could prevent someone's headache down the road.

The Neutralize entry allows the emulating DC to still authenticate new AD DCs using Kerberos. We deleted both entries (they were set to 1, which could have been changed to zero) as the network no longer has any NT4 DCs, and the DC now allows client authentication.
Certified Lunatic.
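
Added example, not part of the original post: a PowerShell audit of the two Netlogon values the post names, run locally on a DC, with an optional removal step that supports `-WhatIf`. The function names `Get-NT4EmulatorSetting` and `Remove-NT4EmulatorSetting` are hypothetical; the only assumption is that the values sit under the Netlogon `Parameters` key given in the post.

```powershell
# Added example: report whether NT4Emulator / NeutralizeNT4Emulator are set on this machine.
$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ValueNames     = 'NT4Emulator', 'NeutralizeNT4Emulator'

function Get-NT4EmulatorSetting {
    [CmdletBinding()]
    param([string]$Path = $NetlogonParams)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "Registry key not found: $Path"
    }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $ValueNames) {
        # GetValue returns the supplied default ($null) when the value does not exist
        $data = $key.GetValue($name, $null)
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Name     = $name
            Present  = $null -ne $data
            Data     = $data
            Kind     = if ($null -ne $data) { $key.GetValueKind($name) } else { $null }
            # The post treats 1 as "on" and 0 (or a deleted value) as "off"
            Enabled  = ($null -ne $data) -and ($data -ne 0)
        }
    }
}

function Remove-NT4EmulatorSetting {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([string]$Path = $NetlogonParams)

    # Only touch values that actually exist, and ask before each deletion
    foreach ($s in Get-NT4EmulatorSetting -Path $Path | Where-Object Present) {
        if ($PSCmdlet.ShouldProcess("$Path\$($s.Name)", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $Path -Name $s.Name
        }
    }
}

Get-NT4EmulatorSetting | Format-Table -AutoSize
# Remove-NT4EmulatorSetting -WhatIf   # preview the deletion described in the post
```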
