
= Enable Windows NT 4.0-Based RAS Servers in a Windows 2000-Based Domain =

PSS ID Number: 254311

Article Last Modified on 8/4/2003


The information in this article applies to:


 * Microsoft Windows 2000 Server




This article was previously published under Q254311



== SUMMARY ==
This article explains how to enable Microsoft Windows NT Server 4.0-based Remote Access Service (RAS) servers in a Microsoft Windows 2000-based domain by making certain adjustments to Active Directory.



== MORE INFORMATION ==
When you use Windows NT 4.0-based RAS servers in a Windows 2000-based domain, the Windows NT 4.0 servers must be running Service Pack 4 (SP4) or later. Otherwise, they cannot gain access to the Windows 2000-based domain controllers to verify that a user has dial-in permissions.

Also, when you set up a Windows NT 4.0-based RAS or Routing and Remote Access Service (RRAS) server as a member of a Windows 2000-based domain, you must make certain adjustments to Active Directory so that the server can access the Remote Access credentials of domain accounts.

To adjust Active Directory to allow for Windows NT 4.0 RAS servers, use one of the following methods:

When you create a Windows 2000-based domain by using the Active Directory Installation Wizard to upgrade a server to domain controller, select the option to allow pre-Windows 2000 servers to access Active Directory. If you enabled this access when you created the domain, no further action is required.

or

If you add a Windows NT 4.0-based RAS server to a domain that has not been adjusted to allow pre-Windows 2000 server access, you can use the following command to adjust domain security, and then restart the domain controller:

 net localgroup "Pre-Windows 2000 Compatible Access" everyone /add

Using this command can compromise security because it allows anonymous users to read information on this domain. When there are no longer any Windows NT 4.0-based RAS servers in the domain, you can remove legacy access to Active Directory by using the following command.

Warning: If you remove the legacy access and there are still Windows NT 4.0-based member servers in the environment, the Windows NT 4.0-based member servers will fail.

 net localgroup "Pre-Windows 2000 Compatible Access" everyone /delete

Note: You must reboot all the domain controllers after adding the Everyone group to, or removing it from, the "Pre-Windows 2000 Compatible Access" group; otherwise, the change will not take effect. If you reboot only the single DC on which you made the change, only that DC will be affected. You must also reboot the remainder of the DCs in the domain.
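
To check whether a domain still carries this legacy setting, the following added example (not part of the original Microsoft article) lists the members of the group and flags Everyone and Anonymous Logon by their well-known SIDs. It assumes the ActiveDirectory PowerShell module, which postdates Windows 2000, and the function name Get-LegacyAccessFinding is hypothetical.

```powershell
# Added example; assumes the ActiveDirectory module (RSAT) and domain read access.
Import-Module ActiveDirectory

# Well-known SIDs, so the check does not depend on localized account names.
$GroupSid  = 'S-1-5-32-554'   # BUILTIN\Pre-Windows 2000 Compatible Access
$RiskySids = @{
    'S-1-1-0' = 'Everyone'          # added by the /add command in this article
    'S-1-5-7' = 'ANONYMOUS LOGON'   # explicit anonymous access
}

function Get-LegacyAccessFinding {   # hypothetical helper name
    $group = Get-ADGroup -Identity $GroupSid -Properties member
    foreach ($dn in $group.member) {
        # Well-known principals are stored as foreignSecurityPrincipal objects,
        # so read objectSid from each member rather than trusting its name.
        $member = Get-ADObject -Identity $dn -Properties objectSid
        $sid    = if ($member.objectSid) { $member.objectSid.Value } else { $null }
        $risky  = [bool]($sid -and $RiskySids.ContainsKey($sid))
        [pscustomobject]@{
            Member = if ($risky) { $RiskySids[$sid] } else { $member.Name }
            Sid    = $sid
            Risky  = $risky
            DN     = $dn
        }
    }
}

$findings = @(Get-LegacyAccessFinding)
$findings | Format-Table Member, Sid, Risky -AutoSize

if ($findings | Where-Object Risky) {
    Write-Warning ('Legacy access for Everyone or Anonymous Logon is enabled. ' +
        'Once no Windows NT 4.0-based servers remain, remove it with the ' +
        '/delete command from this article and reboot every domain controller.')
}
```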


© 2004 Microsoft Corporation. All rights reserved.