Options
Deleting NT4Emulator registry entry resolves a past problem
I posted this problem here, but for the longest time, I could not find a solution.
http://www.techexams.net/forums/viewtopic.php?t=39037
It took the sixth Microsoft representative that one of my company's engineers spoke to, to resolve the situation.
There were a couple registry entries called NT4Emulator and NeutralizeNT4Emulator on the DC.
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/NT4Emulator
and
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/NeutralizeNT4Emulator
This is some really obscure entry thats occasionally used for Active Directory DCs installed on NT Server networks with a large 2000/XP client base. Apparently, 2000/XP, by default, prefers Active Directory DCs. One could have a network of 100 NT4 DCs, and all is fine. Upgrade just one NT4 DC to Server 2000/2003 AD DC, and once its discovered by the clients, they will ignore the NT4 DCs, and only authenticate to the AD DCs. Enabling The NT4Emulator allows the (in this case 2003 Server) Actv Dir DC to Emulate an NT4 server, preventing the flood of authentication requests from every client on the network. This entry was set on the DC long before I started working for the company, as the DCs were upgraded some time ago. I know this is an old issue, but I thought I'd share, as this could prevent someone's headache down the road.
The Neutralize entry allow the emulating DC to still authenticate new AD DCs using Kerberos. We deleted both entries (they were set to 1, which could have been changed to zero) as the network no longer has any NT4 DCs, and the DC now allows client authentication.
http://www.techexams.net/forums/viewtopic.php?t=39037
It took the sixth Microsoft representative that one of my company's engineers spoke to, to resolve the situation.
There were a couple registry entries called NT4Emulator and NeutralizeNT4Emulator on the DC.
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/NT4Emulator
and
HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters/NeutralizeNT4Emulator
This is some really obscure entry thats occasionally used for Active Directory DCs installed on NT Server networks with a large 2000/XP client base. Apparently, 2000/XP, by default, prefers Active Directory DCs. One could have a network of 100 NT4 DCs, and all is fine. Upgrade just one NT4 DC to Server 2000/2003 AD DC, and once its discovered by the clients, they will ignore the NT4 DCs, and only authenticate to the AD DCs. Enabling The NT4Emulator allows the (in this case 2003 Server) Actv Dir DC to Emulate an NT4 server, preventing the flood of authentication requests from every client on the network. This entry was set on the DC long before I started working for the company, as the DCs were upgraded some time ago. I know this is an old issue, but I thought I'd share, as this could prevent someone's headache down the road.
The Neutralize entry allow the emulating DC to still authenticate new AD DCs using Kerberos. We deleted both entries (they were set to 1, which could have been changed to zero) as the network no longer has any NT4 DCs, and the DC now allows client authentication.
Certified Lunatic.
Comments
-
Options
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
Wow, I remember this problem with NT4 DCs in an AD environment, it was a common issue back in the day.
Glad you got it sorted out.All things are possible, only believe. -
Options
dynamik
Banned Posts: 12,312 ■■■■■■■■■□
+1 for Wow.
That's really obscure.
Thanks for sharing the fix
-
Options
royal
Member Posts: 3,352 ■■■■□□□□□□
Funny how skipping a basic NT4 upgrade procedure that's even documented in MCSE books will cause obscure problems.“For success, attitude is equally as important as ability.” - Harry F. Banks