
JSI Tip 3149. After demoting the last Windows 2000 DC, Windows 2000 Pro can't log on to the NT 4.0 domain?

After the demotion of the last Windows 2000 domain controller from an Active Directory mixed-mode domain, Windows 2000 clients can NOT log on to the Windows NT 4.0 domain?

When you try to log on, you receive:

The system cannot log you on to this domain because the system's machine account in its primary domain is missing or the password on that account is incorrect.

Once a Windows 2000 client has been a member of a Windows 2000 Active Directory domain, it can NOT be authenticated by a Windows NT 4.0 domain controller. Its secure channel was set up with Kerberos as the default authentication protocol and can NOT fall back to Windows NT LAN Manager (NTLM) authentication on its own.

If you remove the Windows 2000 client from the domain and re-add it, the secure channel is rebuilt and the client falls back to Windows NT LAN Manager authentication when Kerberos fails.

The simplest way to do this is to use Netdom 2.0 from the Windows 2000 Support Tools:

NETDOM REMOVE /d:<mydomain> <mywksta> /ud:<mydomain>\<adminuser> /pd:<password>
NETDOM ADD /d:<mydomain> <mywksta> /ud:<mydomain>\<adminuser> /pd:<password>
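
As an added example (not part of this tip and not code from the Netdom tool), the following batch file wraps the two NETDOM commands above so the rejoin can be run unattended: it queries the workstation's secure channel with nltest before starting, runs REMOVE and ADD in order, and stops at the first failing exit code so a workstation is never left half-processed without notice. It assumes netdom.exe and nltest.exe (both from the Windows 2000 Support Tools) are on the PATH; the argument names and the script name rejoin.cmd are my own. As in the tip, the admin password is passed on the command line, so it is visible in the console history and process list while the script runs.

```batch
@echo off
rem rejoin.cmd - added example; not part of the JSI tip or of Netdom itself.
rem Removes a Windows 2000 workstation from the domain and adds it back with
rem Netdom 2.0, checking each step. Assumes netdom.exe and nltest.exe from the
rem Windows 2000 Support Tools are on the PATH.
rem Usage: rejoin.cmd <mydomain> <mywksta> <adminuser> <password>

if "%~4"=="" (
    echo Usage: %~nx0 mydomain mywksta adminuser password
    exit /b 1
)
set "DOM=%~1"
set "WKSTA=%~2"
set "ADMIN=%~3"
set "PASS=%~4"

rem Step 0: record the state of the secure channel before touching anything.
rem A failing query here is the symptom described in the tip.
echo Secure channel status for %WKSTA% before the rejoin:
nltest /server:%WKSTA% /sc_query:%DOM%

rem Step 1: remove the workstation from the domain.
netdom remove /d:%DOM% %WKSTA% /ud:%DOM%\%ADMIN% /pd:%PASS%
if errorlevel 1 (
    echo NETDOM REMOVE failed with exit code %ERRORLEVEL%; not continuing.
    exit /b 2
)

rem Step 2: add it back so the secure channel is rebuilt and the client can
rem fall back to NTLM when Kerberos fails against the NT 4.0 domain controllers.
netdom add /d:%DOM% %WKSTA% /ud:%DOM%\%ADMIN% /pd:%PASS%
if errorlevel 1 (
    echo NETDOM ADD failed with exit code %ERRORLEVEL%; %WKSTA% is currently
    echo out of the domain. Re-run the ADD step once the cause is fixed.
    exit /b 3
)

echo %WKSTA% rejoined %DOM%. Restart the workstation, then verify with:
echo     nltest /server:%WKSTA% /sc_query:%DOM%
exit /b 0
```

After the restart, a second nltest /sc_query against the workstation should report the secure channel as established to one of the NT 4.0 domain controllers; if it still fails, the machine account itself was not recreated and the ADD step needs to be repeated.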

Alternatively, you can do it using the GUI:

01. Control Panel / System.

02. Select the Network Identification tab and press Properties.

03. Under Member Of, press Workgroup and type the name of a workgroup to join.

04. Press OK and OK.

05. Restart the computer.

06. Control Panel / System.

07. Select the Network Identification tab and press Properties.

08. Under Member Of, press Domain and type the name of a domain to join.

09. You are prompted for a domain admin's credentials.

10. Restart the computer.
