Client computers may not work correctly when you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain

Article ID: 946405

SYMPTOMS

When you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain that uses the default domain policies, client computers in the domain may not work correctly.

CAUSE

This problem may occur if the Security Templates files for the NoLMHash policy setting on the Windows Server 2008-based domain controller do not match the Security Templates files for the NoLMHash policy setting on the pre-Windows Server 2008-based domain controllers.

When you perform a clean install of Windows Server 2008 and then install the Active Directory directory service on the computer, the Security Templates files are changed to enable the NoLMHash policy.

If you add a Windows Server 2008-based domain controller to an existing domain that uses the default domain policy, the NoLMHash policy is disabled on the existing domain controllers but enabled on the Windows Server 2008-based domain controller.
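
The mismatch described above can be checked by comparing the NoLMHash entry in each domain controller's security template. The PowerShell below is an added example, not part of the original article; the function names and both template texts are constructed for illustration. It assumes the usual security template layout, in which the setting appears under [Registry Values] as a REG_DWORD (type 4) entry.

```powershell
# Added example. The template texts below are constructed samples, not real files.
function Get-NoLMHashFromTemplate {
    param([Parameter(Mandatory=$true)][string]$TemplateText)
    $inRegistryValues = $false
    foreach ($raw in ($TemplateText -split "`r?`n")) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') {                            # section header
            $inRegistryValues = ($Matches[1] -eq 'Registry Values')
            continue
        }
        # Entry layout: <registry path>=<type>,<value>; type 4 is REG_DWORD.
        if ($inRegistryValues -and ($line -match '^MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash\s*=\s*4\s*,\s*(\d+)$')) {
            return [int]$Matches[1]
        }
    }
    return $null   # the template does not define the setting
}

function Compare-NoLMHashSetting {
    param([Parameter(Mandatory=$true)][hashtable]$Templates)   # source name -> template text
    $details = foreach ($name in $Templates.Keys) {
        $value = Get-NoLMHashFromTemplate -TemplateText $Templates[$name]
        $state = if ($null -eq $value) { 'not defined' } elseif ($value -eq 1) { 'enabled' } else { 'disabled' }
        New-Object psobject -Property @{ Source = $name; NoLMHash = $state }
    }
    $distinct = @($details | Select-Object -ExpandProperty NoLMHash -Unique)
    New-Object psobject -Property @{ Mismatch = ($distinct.Count -gt 1); Details = $details }
}

$existingDcTemplate = @'
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
'@

$ws2008DcTemplate = @'
[Unicode]
Unicode=yes
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
'@
$result = Compare-NoLMHashSetting -Templates @{
    'Existing DC (constructed)'            = $existingDcTemplate
    'Windows Server 2008 DC (constructed)' = $ws2008DcTemplate
}
$result.Details | Format-Table Source, NoLMHash -AutoSize
"Mismatch between templates: $($result.Mismatch)"
```

To compare real templates, pass each file's text (for example, read with Get-Content and joined with newlines) in place of the constructed samples.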

RESOLUTION

If a client that requires LMHash exists in the domain, disable the NoLMHash policy in Windows Server 2008.

To disable the NoLMHash policy by using Group Policy in Windows Server 2008, follow these steps:
  1. Click Start, click Control Panel, click Administrative Tools, and then click Local Security Policy.
  2. Expand Security Settings, expand Local Policies, and then click Security Options.
  3. In the list of the available policies, double-click Network security: Do not store LAN Manager hash value on next password change.
  4. Click Disable, and then click OK.

MORE INFORMATION

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
299656 How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

Properties

Article ID: 946405 - Last Review: February 12, 2009 - Revision: 2.0
APPLIES TO
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 Standard