Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Client computers may not work correctly when you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain


View products that this article applies to.

Symptoms

When you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain that uses the default domain policies, client computers in the domain may not work correctly.

↑ Back to the top


Cause

This problem may occur if the Security Templates files for the NoLMHash policy setting on the Windows Server 2008-based domain controller do not match the Security Templates files for the NoLMHash policy setting on the pre-Windows Server 2008-based domain controllers.

When you perform a clean install of Windows Server 2008 and then install the Active Directory directory service on the computer, the Security Templates files are changed to enable the NoLmHash policy.

If you add Windows Server 2008 as the domain controller to an existing domain by using the default domain policy, the NoLMHash policy of the existing domain controller is disabled. Additionally, the NoLMHash policy in Windows Server 2008 is enabled.

↑ Back to the top


Resolution

If a client that requires LMHash exists in the domain, disable the NoLMHash policy in Windows Server 2008.

To disable the NoLMHash policy by using Group Policy in Windows Server 2008, follow these steps:
  1. Click Start, click Control Panel, click Administrative Tools, and then click Local Security Policy.
  2. Expand Security Settings, expand Local Policy, and then click Security Options.
  3. In the list of the available policies, double-click Network Security: Do not save the value of hash of LAN in the next password change.
  4. Click Disable, and then click OK.

↑ Back to the top


More information

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
299656 How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
823659 Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

↑ Back to the top


Keywords: KB946405, kbprb, kbtshoot, kbexpertiseadvanced

↑ Back to the top

Article Info
Article ID : 946405
Revision : 2
Created on : 2/12/2009
Published on : 2/12/2009
Exists online : False
Views : 355