Configure Protection From Domain Controller Overload

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Before installing Windows Server 2003 on the Windows NT 4.0 PDC, shield the domain controller by configuring it to emulate a Windows NT 4.0–based domain controller. While the domain controller is shielded, clients running Windows 2000, Windows XP, and Windows Server 2003 do not recognize it as an Active Directory domain controller; they authenticate with the new Windows Server 2003–based domain controller as if it were a Windows NT 4.0–based domain controller. This step protects the domain controller from being overloaded with authentication requests from Active Directory clients.

Maintain the emulation setting until enough Windows Server 2003–based domain controllers are in each site to service all Active Directory clients.

Note

  • After removing the NT4Emulator registry entry, Windows 2000, Windows XP, and Windows Server 2003 clients will not immediately begin to use the Kerberos authentication protocol. This will be delayed until each client resets its secure channel or is restarted.

If no Windows 2000, Windows XP, or Windows Server 2003 clients are running in a particular site, or if a Windows Server 2003–based domain controller has the capacity to support the number of clients that are present in the site, you do not need this configuration.

Caution

To configure emulation on a Windows NT 4.0–based domain controller before upgrade

  1. In the Run dialog box, type regedit, and then press ENTER.

  2. In the registry editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

  3. Click Edit, click New, and then click DWORD Value.

  4. For the new entry name, type NT4Emulator, and then press ENTER.

  5. Double-click the entry name that you typed in the previous step.

  6. In the Edit DWORD Value dialog box, type 1 in the Value data: box, and then click OK.

  7. Click Registry, and then click Exit to close the registry editor.

Repeat this procedure as needed on each Windows NT 4.0–based domain controller that you plan to upgrade to Windows Server 2003.

After you protect the PDC from becoming overloaded, you must be sure to neutralize the emulation on any additional domain controllers you upgrade. Additional domain controllers in the same domain must be able to contact an Active Directory domain controller in their domain for the Active Directory installation to succeed.

On Windows NT 4.0 BDCs, setting the NT4Emulator registry entry before the operating system upgrade will protect the domain controller from overload. Setting the NeutralizeNT4Emulator registry entry immediately afterward allows the BDC to contact an Active Directory domain controller that has the NT4Emulator registry entry set and successfully install Active Directory. For more information about neutralizing Windows NT 4.0 emulation, see "Neutralize Windows NT 4.0 Domain Controller Emulation" later in this chapter.

After you upgrade all domain controllers, or you have enough Windows Server 2003–based domain controllers to authenticate the clients in your domain that are running Windows 2000, Windows XP, and Windows Server 2003, you can reverse this configuration by editing the registry again and removing the NT4Emulator registry entry.
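To track which domain controllers still have emulation set before you reverse it, the following added example (not part of the original documentation) classifies a regedit text export of each controller's registry. It assumes that NeutralizeNT4Emulator is stored in the same Netlogon\Parameters key as NT4Emulator, which this page does not state; the function names and sample exports are constructed for illustration.

```python
import re

# Key from step 2 of the procedure; compared case-insensitively, as the registry does.
NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def netlogon_dwords(export_text):
    """Return {lowercased name: int} for DWORD values in the Netlogon Parameters key."""
    values, in_key = {}, False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == NETLOGON_KEY.lower()
            continue
        m = _DWORD.match(line)
        if in_key and m:
            values[m.group("name").lower()] = int(m.group("hex"), 16)
    return values


def emulation_state(export_text):
    """Classify one domain controller's export by its emulation entries."""
    v = netlogon_dwords(export_text)
    emulating = v.get("nt4emulator") == 1
    # Assumption: NeutralizeNT4Emulator is read from the same key as NT4Emulator.
    neutralized = v.get("neutralizent4emulator") == 1
    if emulating and neutralized:
        return "emulating+neutralized"
    if emulating:
        return "emulating"
    return "neutralized-only" if neutralized else "not-emulating"


# Constructed sample exports (not captured from real systems).
KEY_LINE = "[" + NETLOGON_KEY + "]\n"
SAMPLE_PDC = "REGEDIT4\n\n" + KEY_LINE + '"Update"="no"\n"NT4Emulator"=dword:00000001\n'
SAMPLE_BDC = SAMPLE_PDC + '"NeutralizeNT4Emulator"=dword:00000001\n'
SAMPLE_CLEAN = ("Windows Registry Editor Version 5.00\n\n"
                "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example]\n"
                '"NT4Emulator"=dword:00000001\n\n' + KEY_LINE + '"Update"="no"\n')

if __name__ == "__main__":
    for name, text in [("PDC", SAMPLE_PDC), ("BDC", SAMPLE_BDC), ("clean", SAMPLE_CLEAN)]:
        print(name, emulation_state(text))
```

A controller that still reports "emulating" after every site has enough Windows Server 2003–based domain controllers is a candidate for removing the NT4Emulator entry, after which clients begin using Kerberos only once they reset their secure channel or restart.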