When you run the Active Directory (AD) installation wizard, DCPROMO, to create a new AD domain (as opposed to creating an additional domain controller—DC—in an existing domain), you encounter a configuration screen that lets you specify default permissions for user and group objects within AD. If your domain will include any Windows NT 4.0 RAS servers, you should select "Permissions compatible with pre-Windows 2000 Servers" to ensure that the system will reliably authenticate and grant access to dial-up users. Why? To help us understand this Win2K domain configuration issue, let's look quickly at how NT 4.0 processes dial-up user authentication requests.
NT 4.0 Authentication
When you dial into an NT 4.0 RAS or RRAS server, NT uses the LocalSystem account to query the directory service (i.e., Win2K's AD or NT 4.0's SAM) to verify that you have dial-up permissions. The system performs this authentication query without supplying a username or password to the directory service—a process that's known as establishing a NULL session. NT 4.0 supports NULL sessions; however, Win2K, by default, does not. As a result, if you attempt to dial in to a domain that consists of a mix of Win2K and NT 4.0, the system won't always authenticate you—unless you selected "Permissions compatible with pre-Windows 2000 Servers" when you created the domain's first DC.
If your NT 4.0 RAS servers are member servers in a Win2K DC-NT 4.0 BDC domain, your dial-up access will be inconsistent. The RAS server will authenticate you and grant access when it happens to query a NT 4.0 BDC, but not when it queries a W2K DC. Unfortunately, in mixed DC-BDC environments, you can't specify which DC the RAS server passes the authentication request to. However, if your RAS servers also serve as BDCs, they can authenticate you against the local copy of the SAM and grant access.
Workarounds
The easiest way to ensure that your migration to Win2K doesn't interfere with your dial-up access is to select "Permissions compatible with pre-Windows 2000 Server" when you configure AD on the first DC in your domain. When you select this option, you add the Everyone Group to the Pre-Windows 2000 Compatible Access local group on the Win2K DC. This configuration lets anyone query AD for the required User object attributes—which, essentially, lets Win2K support NULL sessions. If you don't select "Permissions compatible with pre-Windows 2000 Server" on the first DC you create, you can specify it later by opening a command prompt and issuing the command
net local group "Pre-Windows 2000 Compatible Access" Everyone/Add
After you wrap up your migration, open the Microsoft Management Console (MMC) AD Users and Computers snap-in and remove the Everyone Group to strengthen your domain security.
Another option is to upgrade all your RAS member servers to Win2K, which you can do before you configuring any Win2K DCs. When considering this option, take into account that RAS isn't the only service or application that utilizes NULL sessions; SQL Server and some third-party applications can as well.
Thanks to those of you who have emailed me your questions—they help me to write about relevant Win2K issues. If you have any questions or topics that you would like me to address in upcoming columns, email me at [email protected].
