
NT4 Crypto on 2008 Functional Level Domain


  • NT4 Crypto on 2008 Functional Level Domain


    I've begun the process of upgrading our Server 2003 DCs to Server 2008 and, as expected, after upgrading the first server our old SNAP file server couldn't authenticate to the domain due to its age and its use of NT 4.0 cryptography for authentication.

    Until a new server is purchased, I've set the GP policy "Allow cryptography algorithms compatible with Windows NT 4.0" to Enabled so that users can use the SNAP server.

    My question is this: after all our DCs are upgraded to 2008 and I raise the functional level to 2008, will that workaround still work for accessing the old SNAP server using NT 4.0 level cryptography?

    I found the following info on the Petri site and it makes me think once I ditch the last 2003 server my SNAP server won't authenticate regardless of the GP policy:

    "However, be aware of the fact that regardless of the domain or function level, servers running Windows NT Server 4.0 are NOT supported by domain controllers that are running Windows Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to support older NT 4.0 servers"

    Anyone have experience with this?



  • #2
    Re: NT4 Crypto on 2008 Functional Level Domain

    The Allow NT4 Cryptography setting will continue to function after raising your forest and domain functional levels to WIN2008R2.

    NT 4.0 is no longer supported by Microsoft and therefore was not tested by the Microsoft product groups against Windows Server 2008 R2 domain controllers.

    This MS Article documents what level of testing and support you can expect with NT 4.0 clients and the various domain controller OSes.

    Check the Client, Server, and Application Interoperability section.
    Last edited by ScottMcD; 18th January 2011, 23:09. Reason: Upgrade from 3rd to 5th grade grammar.


    • #3
      Re: NT4 Crypto on 2008 Functional Level Domain

      Thanks for the tip. The server seems to have stopped authenticating anyway. It does fine for a few hours after a reboot, then users lose access to it.