Windows 2000 and Windows Server 2003 Setup Does Not Succeed When You Upgrade from a Windows NT 4.0-Based Primary Domain Controller

When you upgrade a Microsoft Windows NT 4.0-based primary domain controller (PDC) to Windows 2000 or Windows Server 2003 by using Winnt32.exe (including the /checkupgradeonly switch), the upgrade may not succeed. When this behavior occurs, the following error message is recorded in the System Compatibility report:

You receive this error message when you are upgrading a Windows NT 4.0-based PDC in a domain where security identifier (SID) filtering has been enabled for one or more trusted domains.

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Windows NT 4.0 Service Pack 4 (SP4) adds support for SID filtering. With SID filtering, the administrator of a trusting domain can quarantine SIDs from specified trusted domains. The Setup program (Winnt32.exe) for Windows 2000 and Windows Server 2003 requires that you disable SID filtering on external trusts before you can upgrade a Windows NT 4.0-based PDC to Windows 2000 or Windows Server 2003. To disable SID filtering, you remove the NetBIOS names of quarantined domains in the QuarantinedDomains value in the registry (you do this by deleting the QuarantinedDomains value). To do this:

1.	From the console of the Windows NT 4.0-based PDC in a a trusting domain that you want to upgrade to Windows 2000 or Windows Server 2003, log on with an account that is a member of the Domain Administrators group.
2.	Start Registry Editor (Regedt32.exe).
3.	Locate the following registry value: Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters Value: QuarantinedDomains Data type: REG_MULTI_SZ
4.	Back up the QuarantinedDomains registry value.
5.	Delete the QuarantinedDomains value from the registry. This step disables SID filtering for all outgoing external trusts. Note Deleting the quarantined NetBIOS domain names is not sufficient to allow Winnt32.exe (Setup) to succeed. You must delete the QuarantinedDomains value. You do not have to restart the computer or the Netlogon service for the registry deletion to take affect.
6.	For consistent behavior, delete the quarantined domains on all Windows NT 4.0-based backup domain controllers (BDCs) in the domain where you are upgrading the Windows NT 4.0-based PDC..
7.	Upgrade the PDC to Windows 2000 or Windows Server 2003 by using Winnt32.exe.
8.	Reconfigure SID filtering as required. If you apply SID filtering to any trusted domains in the future, remember that the methods to quarantine a domain differ on Windows NT 4.0-based domain controllers and Windows 2000-based and Windows Server 2003-based servers. For Windows 2000-based and Windows Server 2003-based domain controllers, use Netdom on one of the domain controllers. For Windows NT 4.0-based BDCs, add the new trusted domain's NetBIOS domain name to the QuarantinedDomains registry value on all the Windows NT 4.0-based BDCs in the trusting domain for consistent behavior.

SID filtering increases the security of communications across domains or forests. By using SID filtering, an administrator can specify that the domain controllers in a particular domain quarantine a trusted domain. This causes the domain controllers in a trusting domain to remove all the SIDs that do not originate from the trusted domain. This can help to prevent authorization data from passing to resources that are located in the trusting domain.
After you upgrade a Windows NT 4.0-based PDC, it is a good idea to determine whether SID filtering is still necessary. For more information about how to determine this in Windows Server 2003, click Start, click Help and Support, type securing external trusts in the Search box, and then press ENTER.