Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. You cannot connect to a Windows Server 2003 Active Directory domain that has been upgraded from Windows 2000 Active Directory

You cannot connect to a Windows Server 2003 Active Directory domain that has been upgraded from Windows 2000 Active Directory

View products that this article applies to.

Symptoms

You cannot connect to a Microsoft Windows Server 2003 Active Directory domain that has been upgraded from Microsoft Windows 2000 Active Directory by using the Active Directory Service Interfaces (ADSI) WinNT provider.

Notes
This problem only occurs when you try to connect to a built-in container in Active Directory, such as the Pre-Windows 2000 Compatible Access group.
This problem does not occur if you try to connect to a domain where Windows Server 2003 Active Directory was a new installation.

↑ Back to the top

Cause

This problem occurs because of the following difference in permissions:
On a domain where Windows Server 2003 Active Directory has been upgraded from Windows 2000 Active Directory, the Pre-Windows 2000 Compatible Access group has the Read Permissions permission only.
On a domain where Windows Server 2003 Active Directory was a new installation, the Pre-Windows 2000 Compatible Access group has the Read Permissions permission and the Read all Properties permission.

↑ Back to the top

Resolution

To resolve this problem, obtain the latest service pack for Windows Server 2003. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
889100 How to obtain the latest service pack for Windows Server 2003

↑ Back to the top

Workaround

To work around this problem, add the ANONYMOUS LOGON group to the Pre-Windows 2000 Compatible Access group, and then grant the Pre-Windows 2000 Compatible Access group the Read all Properties permission on the built-in container.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section. This problem was corrected in Windows Server 2003 Service Pack 1 (SP1).

↑ Back to the top

References

For more information about permissions and group membership changes in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
278259 Everyone group does not include anonymous security identifier

↑ Back to the top

Keywords: KB890757, kbfix, kbqfe

↑ Back to the top

Article Info
Article ID : 890757
Revision : 2
Created on : 11/1/2006
Published on : 11/1/2006
Exists online : False
Views : 376