MORE INFORMATION

A related problem on computers that are running Windows 2000 or later versions of Windows

The ability of client computers that are running Windows 2000 or later versions of Windows to establish security channels to Windows Server 2008-based domain controllers will not be affected by the Allow cryptography algorithms compatible with Windows NT 4.0 policy. However, when these client computers use the NetJoinDomain function together with the NETSETUP_JOIN_UNSECURE join option against a Windows Server 2008-based domain controller, the domain controller returns the following error code:

This problem occurs when the policy setting is Disabled or Not Configured.

Note The "STATUS_DOWNGRADE_DETECTED" error has multiple root causes. Therefore, this error does not necessarily indicate that you are experiencing this problem.

You may experience this problem on computers that are running the following operating systems:

• Windows 2000
• Windows XP
• Windows Server 2003
• The release version of Windows Vista

Note Computers that are running Windows Vista with Service Pack 1 (SP1) or later versions of Windows Vista are not affected.

The NetJoinDomain function is used together with the NETSETUP_JOIN_UNSECURE option in the following scenarios. (This function is also used in other scenarios.)

• You use Windows Deployment Services (WDS) or Remote Installation Services (RIS) to install a Windows operating system.
• You use the Active Directory Migration Tool (ADMT) to perform computer account migration of a Windows operating system.

Microsoft is researching this problem and will post more information in this article when the information becomes available.

How to troubleshoot these problems

When you cannot establish a security channel from a client computer to a Windows Server 2008-based domain controller, follow these steps to troubleshoot the problem:

1. If the client computer is running Windows NT 4.0, upgrade Windows NT 4.0 to Windows 2000 or to later versions. If you cannot perform the upgrade, follow the steps in the "Workaround" section.
2. If the client computer is running Windows 2000 or a later version of Windows, and the client computer runs an unsecured domain join operation, follow the steps in the "Workaround" section as a temporary solution.
3. If the client computer is running Windows 2000 or a later version of Windows, and you are not sure whether the client computer is performs an unsecured join operation, examine the %systemroot%\Debug\Netsetup.log file. If the client computer is performing an unsecured join operation, information that resembles the following is logged:

   11/09 02:21:04 Failed to validate machine account for ComputerName against SPN_Name: 0xc0000388
   11/09 02:21:04 NetpJoinDomain: w9x: status of validating account: 0x4f1

   Note The NETLOGON service runs only on a computer that joins a domain.
4. If the client computer is not running Windows, follow these steps:
   1. Determine which domain controller is processing security channel requests.
      
      Note You can use event logs and trace logs to determine the domain controller.
   2. Make sure that the NETLOGON service is started. To do this, follow these steps:
      • Click Start, click Run, type Services.msc, and then click OK.
      • In the Services console, make sure that the status for the NETLOGON service is Started.
      • If the status is not Started, right-click the NETLOGON service, and then click Start.
   3. Enable debug logging for the NETLOGON service on the Windows Server 2008-based domain controller that processes security channel requests. To do this, use one of the following methods.
      
      Method 1
      1. Click Start, click Run, type cmd, and then click OK.
      2. At the command prompt, type the following command:

         Nltest.exe /DBFLAG:2000FFFF

      Note If the NETLOGON service is not started, you receive a "RPC_S_UNKNOWN_IF" error message.
      
      Method 2
      
      Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

      1. Click Start, click Run, type regedit, and then click OK.
      2. Locate and then right-click the following registry subkey:

         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

      3. Point to New, and then click String Value.
      4. Type DBFLAG, and then double-click the DBFLAG registry entry.
      5. In the Edit String box, type 2000FFFF in the Value data box.
      6. Exit Registry Editor.
   4. Open the %systemroot%\Debug\Netlogon.log file in Notepad, and then search for the following error message:

      the client ClientComputerName$ is asking for NT4 crypto and this server disallows it.

   5. If you find this error message, the client computer is using old cryptography algorithms that are used in Windows NT 4.0 to establish a security channel to the Windows Server 2008-based domain controller.
   6. Disable debug logging for the NETLOGON service on the Windows Server 2008-based domain controller. To do this, type the following command at a command prompt:

      Nltest.exe /DBFLAG:0