Computers Added to AD not authenticating to NT4 BDC

Discussion in 'Server Setup' started by Steve Hoddinott, Dec 5, 2003.

  1. I am testing upgrading our Domain from NT4 to Windows2003
    with Active Directory.

    I have taken 2 BDC's from the live Domain into a test
    environment.
    Promoted 1 BDC to be the PDC and Upgraded it to Windows
    2003.

    I am testing whether Computers and Users can login to the
    domain after the upgrade.
    Existing user accounts and client computers (Win98 & XP)
    that were in the domain before the upgrade,
    can be authenticated by either the Windows 2003 DC or the
    NT4 BDC.

    New computers that are added to AD after the upgrade will
    only authenticate to the Windows 2003 DC.
    If the Windows 2003 DC is disconnected from the network:
    Existing users (that have logged onto that client
    before) can logon using there cached details.
    Users who have not logged onto the client before,
    can not log on, they receive the message:
    "The System cannot log you on now because
    domain XXXXX is not available"

    This is not the result I was expecting, is this the way
    Windows 2003 should work ?

    In a live environment a Windows 2003 DC would always be
    available.
    I know that XP clients will always look for a Windows 2003
    DC, before using a NT4 BDC.
    We have a number of sites (connected via a WAN) that will
    only have a NT4 BDC for sometime after Windows 2003 DC's
    are installed at our main site. Would XP computers at the
    remote site authenicate to the local NT4 BDC or would they
    find the Windows 2003 DC at the main site ?
    It is not possible for me to test the WAN connection, so
    it would be useful to know the expected behaviour before
    going live.

    Regards

    Steve Hoddinott
     
    Steve Hoddinott, Dec 5, 2003
    #1
    1. Advertisements

  2. Hi Steve,

    In Active Directory domain (Windows 2000/2003), Windows XP clients (as well
    as Windows 2000/2003 clients/member server) will NEVER contact the Windows
    NT BDC for authentication. Once the Windows 2000/2003 DC is not available,
    these clients will not be able to log on or they can only use cached logon.
    This is for security reasons. NT BDC can only be used for old clients as
    Windows 9X/ME/NT. This is what Active Directory domain is designed to be.
    Unless you make some preparations prior to upgrade, the BDC will stop
    authenticating XP clients after upgrade. XP clients will be aware of this
    upgrade and they only contact the 2003 DC for authentication.

    In this case, I would suggest you install more Windows Server 2003 DCs into
    this domain so it can provide high availability services to the clients for
    authentication. Please refer to the following articles for more
    information:

    284937 Windows 2000-Based Clients Connect Only to the Domain Controller That
    http://support.microsoft.com/?id=284937

    - This applies to Windows Server 2003 domain and Windows XP clients as
    well.

    Please feel free to let me know if you need further assistance. I look
    forward to hearing from you.

    Regards,

    Eric Shen
    Product Support Services
    Microsoft Corporation

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Get Secure! - www.microsoft.com/security
     
    Eric Shen [MSFT], Dec 5, 2003
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.