Article ID: 946405 - View products that this article applies to.
When you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain that uses the default domain policies, client computers in the domain may not work correctly.
This problem may occur if the Security Templates files for the NoLMHash policy setting on the Windows Server 2008-based domain controller do not match the Security Templates files for the NoLMHash policy setting on the pre-Windows Server 2008-based domain controllers.
When you perform a clean install of Windows Server 2008 and then install the Active Directory directory service on the computer, the Security Templates files are changed to enable the NoLmHash policy.
If you add Windows Server 2008 as the domain controller to an existing domain by using the default domain policy, the NoLMHash policy of the existing domain controller is disabled. Additionally, the NoLMHash policy in Windows Server 2008 is enabled.
If a client that requires LMHash exists in the domain, disable the NoLMHash policy in Windows Server 2008.
To disable the NoLMHash policy by using Group Policy in Windows Server 2008, follow these steps:
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/299656/ )How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
(https://support.microsoft.com/kb/823659/ )Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
Article ID: 946405 - Last Review: February 12, 2009 - Revision: 2.0