Article ID: 281648
Article Last Modified on 3/1/2007
APPLIES TO
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 1
This article was previously published under Q281648
SYMPTOMS
When you attempt to join a Windows 2000-based computer to a Microsoft Windows NT 4.0-based domain, you may receive the following error message:
CAUSE
This behavior can occur because the Local Group Policy, specifically those in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options folder have a restrictive setting.
Some of the policies that may cause this behavior are:
- Digitally sign client communications (always)
- Digitally sign server communications (always)
- Digitally sign server communications (when possible)
- LAN Manager Authentication Level set to Send LM and NTLM - use NTLMv2 session security if negotiated
- Secure channel: Digitally encrypt or sign secure channel data (always)
- Secure channel: Require strong (Windows 2000 or later) session key
RESOLUTION
To work around this behavior, set the values back to what they would be if a clean install had occurred.
Examine the preceding policies and set them back to their default settings.
The default settings of these policies are:
- Digitally sign client communications (always) - disabled
- Digitally sign server communications (always)- disabled
- Digitally sign server communications (when possible) - disabled
- LAN Manager Authentication Level set to Send LM and NTLM - use NTLMv2 session security if negotiated - (default) send LM & NTLM responses
- Secure channel: Digitally encrypt or sign secure channel data (always) - disabled
- Secure channel: Require strong (Windows 2000 or later) session key - disabled
Restart your computer and you should be able to join the domain.
STATUS
This behavior is by design.
Keywords: kberrmsg kbenv kbprb KB281648