A. Windows XP and Win2K clients always prefer to authenticate against an Active Directory (AD) DC. After these clients discover such a DC, they won't use other available NT 4.0 DCs for authentication. The clients establish this preference by setting a flag in their local security database. For example, if you plan to upgrade only your PDC to Windows 2003 and you have several NT 4.0 BDCs, the Windows 2003 DC will authenticate all XP and Win2K clients, which could cause performance problems. To help ensure that you don't overload the Windows 2003 DC, you can configure it to emulate an NT 4.0 DC by performing the following steps:
- Log on to the NT 4.0 PDC before you upgrade it.
- Start a registry editor (e.g., regedit.exe).
- Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry subkey.
- From the Edit menu, select New, DWORD Value.
- Enter the name NT4Emulator, then press Enter.
- Double-click the new value, set it to 1, then click OK.
For subsequent BDC upgrades, you can perform the same registry update. However, before you do, you need to neutralize the Windows 2003 DC's NT 4.0 emulation; otherwise, you won't be able to use Dcpromo to upgrade other servers to DCs because Dcpromo will see only an NT 4.0 DC in the domain. To prepare to upgrade other BDCs to Windows 2003,in addition to adding the above registry entry on each BDC, you need to navigate to the registry subkey in Step 3 and add the registry entry NeutralizeNT4Emulator (of type REG_DWORD) with a value of 1. You should also set the NeutralizeNT4Emulator value on any XP and Win2K clients on which you want to use the administration tools to manage the AD domain.
After all the DCs are running Windows 2003 or you have enough to handle the XP and Win2K client traffic, you can remove the NT4Emulator registry entry and restart the DCs. While the DCs are running in NT4Emulator mode, clients won't download or implement any Group Policy Objects (GPOs) unless the clients have the NeutralizeNT4Emulator registry entry set.
