
When a Windows NT 4.0-based computer tries to use the NETLOGON service to establish a security channel to a Windows Server 2008-based domain controller, the operation may fail

June 23, 2009

Mouthful, huh? Some background…

A couple of months ago we introduced a few Windows 2008 domain controllers in our main data centres. Mails started dripping in from our Linux/Unix friends, claiming they had authorization issues on their SAMBA systems, and had we performed any major changes lately? :-) First of all you inquire into the more detailed nature of the actual problem. And (with the 2008 domain controllers in the back of your mind) you ask politely how their auth modules are configured, because that last question proves to be a ballbreaker when talking to the “X” guys. They have the irritating habit of hard-coding a couple of domain controllers in there, preferably two that are configured to go down at the same time when patching :-) But all jokes aside, it turns out they're talking to one of the upgraded machines and that they get the following errors:

“[2009/02/16 08:22:14, 0] auth/auth_domain.c:(170) domain_client_validate: Domain password server not available.
[2009/02/16 08:22:20, 0] auth/auth_domain.c:(118) connect_to_domain_password_server: unable to setup the NETLOGON credentials to  machine XXXXXXX. Error was : NT code 0xc0000388.
[2009/02/16 08:22:20, 0] auth/auth_domain.c:(118)”

Whoops. The XXXXXXX machine is a W2K8 one. We never took the time to investigate this properly (found some “pre-auth” messages in the security logs, but what the hell, who doesn’t) as the “X” guys claimed the SAMBA systems in trouble had, and I quote, “old software versions”. They would initiate an upgrade…

One week ago we were installing a fresh 2008 forest, and there the question was raised whether we wanted to provide support for SAMBA. What the hell, SAMBA? We were also kindly referred to a support article, http://support.microsoft.com/kb/942564, with the ringing title seen above in the blog subject. So instantly the SAMBA ordeal sprang into my mind. And last but not least: during those exciting months and weeks (see above) we were contacted by some of our customers for whom we upgraded their forest to a W2K8 FFL. They were not able to add machines via the RIS installation sequence anymore. Hmm, strange, and when properly investigating (yes, we did do that this time) we came upon the same ‘pre-auth’ failures as well. So we put two and two together and started adding the “Allow cryptography algorithms compatible with Windows NT 4.0” setting to our customized domain controller policies in the customer’s forest. And bang, the RIS problem was gone :-) . Once we added the same in our corporate forest, the SAMBA problem was gone as well…
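As an added example (not part of the original post), here is a small Python triage script that parses Samba auth_domain.c log lines in the format quoted above and reports, per domain controller, how many secure-channel setups were rejected with NT code 0xc0000388 (NTSTATUS STATUS_DOWNGRADE_DETECTED, the code the DC returns when it refuses the older NT4-style Netlogon crypto). The sample log is constructed from the post's quoted lines plus two made-up lines (a hypothetical DC named DC-LEGACY returning a different NT code, and a second rejection) so the filtering is visible; the DC name XXXXXXX is the post's own placeholder.

```python
import re
from datetime import datetime
# Samba auth_domain.c log format: "[YYYY/MM/DD HH:MM:SS, level] file:(line) func: message"
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\]\s*"
    r"(?P<src>[\w./-]+):\((?P<srcline>\d+)\)(?:\s*(?P<func>\w+):)?\s*(?P<msg>.*)$"
)
# The secure-channel setup failure message, capturing the DC name and the NTSTATUS code.
FAIL_RE = re.compile(
    r"unable to setup the NETLOGON credentials to\s+machine\s+(?P<dc>\S+?)\.?\s+"
    r"Error was\s*:\s*NT code (?P<code>0x[0-9a-fA-F]{8})"
)
# NTSTATUS 0xC0000388 = STATUS_DOWNGRADE_DETECTED: the DC rejected the NT4-style crypto.
STATUS_DOWNGRADE_DETECTED = 0xC0000388

def parse_line(line):
    """Split one Samba log line into its fields; None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def downgrade_rejections(lines):
    """Per DC name: count, first and last timestamp of 0xC0000388 secure-channel failures."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = FAIL_RE.search(rec["msg"])
        if f is None or int(f.group("code"), 16) != STATUS_DOWNGRADE_DETECTED:
            continue  # other NETLOGON errors (e.g. plain logon failure) are not this problem
        ts = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S")
        entry = report.setdefault(f.group("dc"), {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return report

# Constructed sample: the post's three quoted lines, then two made-up lines (DC-LEGACY is a
# hypothetical DC with a different NT code; the last line is a second 0xc0000388 rejection).
SAMPLE_LOG = [
    "[2009/02/16 08:22:14, 0] auth/auth_domain.c:(170) domain_client_validate: Domain password server not available.",
    "[2009/02/16 08:22:20, 0] auth/auth_domain.c:(118) connect_to_domain_password_server: unable to setup the NETLOGON credentials to  machine XXXXXXX. Error was : NT code 0xc0000388.",
    "[2009/02/16 08:22:20, 0] auth/auth_domain.c:(118)",
    "[2009/02/16 08:25:01, 0] auth/auth_domain.c:(118) connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine DC-LEGACY. Error was : NT code 0xc000006d.",
    "[2009/02/16 09:01:33, 0] auth/auth_domain.c:(118) connect_to_domain_password_server: unable to setup the NETLOGON credentials to machine XXXXXXX. Error was : NT code 0xc0000388.",
]

if __name__ == "__main__":
    for dc, e in downgrade_rejections(SAMPLE_LOG).items():
        print(f"{dc}: {e['count']} secure-channel setups rejected (STATUS_DOWNGRADE_DETECTED) between "
              f"{e['first']} and {e['last']}; check the 'Allow cryptography algorithms compatible with Windows NT 4.0' policy on that DC")
```

Feed it the real log.smbd output of a member server instead of SAMPLE_LOG to see which DCs the Samba box is actually hitting, which answers the "which domain controllers are hard-coded in there" question without asking the "X" guys.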

Makes you wonder doesn’t it…
