Connect Windows NT To Windows 2008 Server Domain

I have a CNC machine running Windows NT 4 that is connected to our network, and I am really struggling with getting it connected to the domain on our 2008 server. I've searched every corner of the web I could find, and here's as far as I got:

1. Attempting to connect the NT machine to the domain results in this error message: 'The domain controller for this domain cannot be located.' See the attachment for a screenshot.

2. I enabled the group policy on the server 'allow cryptography algorithms compatible with Windows NT 4.0' (whatever that means) by following the instructions at this link here. That doesn't seem to fix anything.

3. Apparently downloading something called dsclient.exe fixes the issue as well, but I was unable to find a download for it anywhere online either.

4. I am able to connect to the Internet.

The position of IT was passed upon me when our previous IT stopped working here, so I'll use that as the reason why I'm not as network-savvy as most IT's - hence my post here. Does anyone have anything for me that might work?
domainerror.jpg
 
djcanter Commented:
Make sure the DNS server listed on the workstation is the domain controller's IP address.
That sounds like the real issue. Unable to find a DC for domain.
(Network, Local Area Network Connection, Properties, Internet Protocol, Properties)
0
 
swordswinger710 (Author) Commented:
Thank you for your quick response - how exactly would I go about doing that?
0
 
swordswinger710 (Author) Commented:
I can't seem to find the location you mentioned anywhere on the NT station. I'm sorry, I don't quite understand what you think I need to do.
0
Schnell Solutions (Systems Infrastructure Engineer) Commented:
What is the highest operating system of your DCs?

If it is Windows Server 2008 it can work with Windows NT with these procedures that you have

If it is Windows Server 2008 R2 it doesn't work with Windows NT. You won't be able to join new computers with Windows NT in this case and the ones working before the upgrade can work, but if they lost the security channel and it needs to be reset the computer with NT won't join the domain anymore. Here is what Microsoft says about the security channel between Windows NT and Windows Server 2008 R2 or Windows 7:

*********

Secure channels between computers running Windows NT 4.0 and Windows 7 or Windows Server 2008 R2 are not tested by Windows product groups and are therefore not supported. Affected operations include validation of trusts, creation of outbound trusts, domain joins, and authentications over secure channels. CSS can provide best-effort support, but escalation support or hotfixes will not be provided.

Improved default security settings block establishing and maintaining domain join and a secure channel but those operations can work after default security settings are changed.



*******

Information in these links:

http://support.microsoft.com/?kbid=942564

http://technet.microsoft.com/en-us/library/upgrade-domain-controllers-to-windows-server-2008-r2(v=WS.10).aspx


I also remember having a similar issue where Microsoft said that there is no workaround for it, and that Windows NT is not supported anymore.
0
 
swordswinger710 (Author) Commented:
Thank you schnellsolutions. Unfortunately, my Windows server is 2008 R2. So does that mean there is no possible way to connect to the domain with NT?

Thank you again djcanter - what in the world is Samba, and will this even work if my server is 2008 R2?
0
 
Schnell Solutions (Systems Infrastructure Engineer) Commented:
No,

You can't. Unofficially you can TRY to do all these things that apply for Windows Server 2008, but with Windows Server 2008 R2 it is another story. It happened in my network, I contacted Microsoft and they told me that there is no workaround for this.

Actually I still have dozens of Windows NT servers connected to domains in Windows Server 2008 R2 but it is not possible anymore to join any new computer. Additionally from time to time it has happened that suddenly one of the Windows NT 4.0 Servers stops working with the security channel and... "nothing to do". A forced upgrade or migration to a higher operating system.
0
 
djcanter Commented:
The article is for Win NT. Samba is the SMB protocol. Typically referred to in Linux. But the doc is step by step setting up networking for NT.

Again, I think your problem is DNS. Can you even ping server.domain from the command line?
0
 
swordswinger710 (Author) Commented:
Thank you schnellsolutions - could I somehow connect to a folder on the domain server then?

And djcanter - thanks again, I went through that and did change a few things, but will have to wait until tomorrow to restart the machine as it's currently unstoppable. I did try to ping the server (btm.local) from the command line though, and it worked just fine - got a reply back from 192.168.123.200.
0
 
btetlow-expert Commented:
I have seen this before: DNS on NT is not resolving to allow connection to the domain.

A "fix": use your HOSTS table on NT, and enter the IP address and DNS name there.

Given that you can "PING" the server, this means you do have network connections.

In your WINNT folder, system32\drivers\etc, you should find your local HOSTS table, and simple use of notepad, or your favorite text editor is all that's needed.   If it's never been touched before, you'll see a sample of the format it expects the file to be setup in...  Just 2 columns really...

Also, you do NOT have to restart the system for this entry to take effect, so you can test it easily once you've entered and saved the information from the command line.

I couldn't tell from your last note if you PINGed the IP address, or its domain name, so if you used the domain name, then this idea probably won't help.
0
 
Schnell Solutions (Systems Infrastructure Engineer) Commented:
You can access the share,

If not done, enable this policy for your DC:

Computer Configuration \ Policies \ Administrative Templates \ System \ NetLogon \ Allow cryptography algorithms compatible with Windows NT 4.0

With this you will be able to control that NetLogon use old encryption for newer operating systems like Windows 2008 R2, Vista, 7, etc. So you will be able to access the share. If it doesn't work you can make a test configuring a folder with anonymous and everyone access to discard that it is not an authentication issue
0
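A way to confirm on the domain controller that the policy above actually took effect, and whether the NT station's attempts are reaching Netlogon at all. This is an added example, not part of the thread; it assumes the policy maps to the Netlogon registry value AllowNT4Crypto and that failed secure-channel setups are logged as Netlogon events 5722 and 5805. Because the setting lowers the cryptography the DC accepts from every client, the same check is useful later to find DCs where it was left on.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.
# AllowNT4Crypto = 1 means Netlogon accepts the weaker NT 4.0-compatible algorithms.
$keys = @{
    'Group Policy' = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
    'Local'        = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
}
foreach ($source in $keys.Keys) {
    $item = Get-ItemProperty -Path $keys[$source] -Name AllowNT4Crypto -ErrorAction SilentlyContinue
    if ($item -eq $null)                { $state = 'not set (default: NT 4.0 crypto refused)' }
    elseif ($item.AllowNT4Crypto -eq 1) { $state = 'ENABLED (NT 4.0 crypto accepted)' }
    else                                { $state = 'disabled' }
    '{0,-12} {1}' -f $source, $state
}

# Failed secure-channel setups that reached this DC in the last 24 hours.
$filter = @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5722, 5805
    StartTime    = (Get-Date).AddDays(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if ($events) {
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    'No Netlogon 5722/5805 events in the last 24 hours: the join attempt may not be reaching this DC.'
}
```

If the value shows as enabled and no events appear while the NT station retries the join, the failure is happening before authentication, which points back at name resolution rather than cryptography.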
 
swordswinger710 (Author) Commented:
Okay, so here's where I'm at today:

I followed the instructions here provided by djcanter and restarted the computer/machine.

I pinged btm.local as well as 192.168.123.200 from the command line and got a response both times.

I edited the Hosts table as described by btetlow-expert by adding 192.168.123.200 btm.local.

I created a folder called EDM Computers TEST on the domain server and allowed everyone to access it under the Permissions properties as suggested by schnellsolutions (I'd already enabled his policy  to the server yesterday).

My results? No further, I still get the same message upon trying to connect to the domain as shown in the picture in the first post, and get a 'Login failure' message upon trying to open the EDM Computers Test folder I created as shown in the attached image.

Is there anything else I should try?
foldererror.jpg
0
 
Schnell Solutions (Systems Infrastructure Engineer) Commented:
Does it ask you for credentials? Or it just returns you the message telling "Login failure"
0
 
swordswinger710 (Author) Commented:
I only get that message upon trying to open the folder - when I click OK, the message goes away and nothing else happens.
0
 
btetlow-expert Commented:
When you're trying to open the folder --- did you navigate to the system using the domain name(BCM.LOCAL), or the IP address?

If by name, try navigating to it using your web browser and use the IP address instead of the name.

In browser you would type in:     \\192.168.123.200\(folder name)  

You don't NEED to be part of a domain in order to access files on a system that is -- you just need credentials to log in....

That said -- I think you're really trying to add it to your 2008-based domain.

...A thought: do you have NETBIOS enabled on your DC server? Normal practice is that it's not enabled much anymore... but your NT system is legacy, and I have some systems that are also legacy and I'm forced to have that enabled.

ALSO --- keep in mind that the NT system only understands a limited length system name.  It appears that issue might not be part of the problem, but you might try this...

On the NT system...  cmd prompt....    tracert 192.168.123.200   It should display the system name back to you.... Does it match what you're expecting when you attempt to connect to domain?

I took over a system that had a hidden   "ad." in front of the domain name!    Perhaps there's a hidden portion that your NT system is picking up on, or I should say NOT picking up on.
0
 
swordswinger710 (Author) Commented:
I'm trying to map a drive to the shared folder, and I'm just doing that through the NT Explorer.

The web address thing just says "Windows cannot find '\\192.168.123.200\E'. Check the spelling and try again, or try searching for the item by clicking the Start button and then clicking Search."

I enabled NETBIOS on my server (by choosing Advanced Properties of the Internet Protocol Version 4 (TCP/IPv4) and clicking Enable NetBIOS over TCP/IP - if that's correct), but still get one of these two errors when trying to connect - "Login failure: the user has not been granted the requested logon type at this computer." "An error occurred in network provider Microsoft Windows Network. Error 2114. The Server service is not started."

I also ran the tracert, which returns a lovely domain name of btm.local. There currently is much smoke coming out of my ears.
0
 
btetlow-expert Commented:
Make sure that's "E$" not just the letter (unless you made a share with JUST the letter itself).    Alternately, you could create a share on the system you're trying to connect to, and gain access that way.   The "$" are built-in and hidden.

If you do create a share on the other system, keep the share name short.  As I recall (consider it old memory that may be incorrect), NT was still using the older style naming and there were limits in the length that made them not available to older systems.   If you consider the DOS form of 8.3, then you'll be safe.
0
 
swordswinger710 (Author) Commented:
I tried the $, but that didn't help. Would you be willing to step me through creating a share on the system as you suggested? I thought I knew how, but obviously, I'm doing something wrong.
0
 
btetlow-expert Commented:
Navigate to the drive that shows the folder(s) you want to share.  You're interested in the lowest level that has all the data you want to share.

E:\
E:\FOLDERNAME1
E:\FOLDERNAME1\DATA2SHARE

If you want to share everything on the "E" drive, start there --- I don't recommend this unless you know it's a very trusted plan.

If you want to share everything that's within the "FOLDERNAME1", then start here....

If you only want to share a folder within a folder "DATA2SHARE", then start here....

If you RIGHT CLICK on the folder you want to share.... initially, you're forced to select by specific users or groups.  If you select PROPERTIES, and then SHARING, then ADVANCED SHARING you can now give it a name -- put a check into the "share this folder" box, and it will allow you to either use the existing name, or you can replace it with whatever you want. I would avoid using spaces in the name.

Next, you'll see the number of users is some astronomical number -- lower that to the number of expected simultaneous users unless you don't care how many "share" users are  connected.

Fill out comments if you want... then select the PERMISSIONS box.   Here, you can decide how much access users need, as well as isolating it to specific users you want to allow in.  If it's EVERYONE, know that this literally means anyone and everyone on your network could gain access.  In this case for the NT station, you may be forced there, but you can create a user for that station to connect with, and then use just that instead of everyone.

Click OK, APPLY as needed.... done....   You should now be able to gain access from any system with the proper credentials.

I would strongly recommend creation of a user specifically for this purpose, and even go so far as to limit them to only being able to log into that system when you create the user.

Only give the access you know is required -- if they only need to copy FROM the folder, then READ is all that's needed.  If they need to place files there, then they'll need read & write.  NO ONE should get FULL except administrator types of users that would normally have full access.
0
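The share setup described above, written as commands for the 2008 R2 server using the built-in `net user`, `net share` and `icacls` tools. This is an added example, not part of btetlow-expert's post; the share name, account name and station name are hypothetical placeholders, and the folder path reuses the sample path from the post.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the server.
# The share, account and station names are hypothetical placeholders.
$Path      = 'E:\FOLDERNAME1\DATA2SHARE'   # lowest folder that holds the data to share
$ShareName = 'EDMTEST'                     # short, no spaces (stays within the DOS 8-character form)
$Account   = 'cncshare'                    # dedicated account used only by the NT station
$NtStation = 'CNC01'                       # NetBIOS name of the NT 4 machine

if ($ShareName -notmatch '^[A-Za-z0-9_-]{1,8}$') {
    throw "Share name '$ShareName' is too long or contains spaces or symbols."
}
if (-not (Test-Path $Path -PathType Container)) {
    throw "Folder '$Path' does not exist."
}

# 1. Dedicated account: password is prompted for, logon is limited to the NT station,
#    and the account cannot change its own password.
#    On a domain controller this creates a domain account.
net user $Account * /add "/workstations:$NtStation" /passwordchg:no
if ($LASTEXITCODE -ne 0) { throw 'Account creation failed.' }

# 2. Share granted to that account only (not Everyone), read-only,
#    with one simultaneous connection.
net share "$ShareName=$Path" "/GRANT:$Account,READ" /USERS:1
if ($LASTEXITCODE -ne 0) { throw 'Share creation failed.' }

# 3. Matching NTFS permission: read and execute, inherited by files and subfolders.
icacls $Path /grant "${Account}:(OI)(CI)RX"
if ($LASTEXITCODE -ne 0) { throw 'Setting NTFS permissions failed.' }

# 4. Print the share definition so the path, user limit and permissions can be reviewed.
net share $ShareName
```

If the station also has to place files on the share, change `READ` to `CHANGE` in step 2 and `RX` to `M` in step 3; FULL stays reserved for administrators, as the post says.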
 
Seth Simmons (Sr. Systems Administrator) Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
