Using Routing and Remote Access Service in a Mixed Environment

If you are using Routing and Remote Access Service (RRAS) on a Windows NT server to give users remote access to the corporate network, consider upgrading that RRAS server early in the process of upgrading member servers. Upgrading early matters because of the way RRAS in Windows NT looks up per-user RRAS properties, such as whether a user is permitted to dial in or must be called back.

RRAS must run even when no user is logged on to the server, so the service runs under the LocalSystem account. In Windows NT, when a service running as LocalSystem connects to another computer, it presents NULL credentials: it supplies no user name and no password. Such a connection cannot access network resources that rely on NTLM authentication unless the remote computer permits access with NULL credentials (a NULL session).

By default, Active Directory does not allow object attributes to be queried over a NULL session. In a mixed environment, therefore, a Windows NT RRAS server cannot retrieve user RRAS properties unless one of the following conditions is met:

  • The domain is in mixed mode and the Windows NT RRAS server is itself a BDC. In this case RRAS reads the user properties directly from the local SAM and never needs a network connection to a domain controller.

  • The domain is in mixed mode and the Windows NT RRAS server happens to have established its secure channel with a Windows NT BDC rather than with a Windows 2000 domain controller. The BDC's SAM answers the NULL-session query, so behavior is identical to that in an all-Windows NT domain. Because the secure channel can be set up with any domain controller, and can move to a different one after a restart or a secure channel reset, this behavior is not guaranteed.

  • The domain is in mixed or native mode and Active Directory security has been relaxed to grant the Everyone group permission to read any property on any user object. The Active Directory Installation Wizard offers this configuration through a "Weaken the permissions" option on certain Active Directory objects. Note that in Windows 2000 the Everyone group includes anonymous (NULL-session) connections, so this setting lets any unauthenticated client on the network enumerate user objects and read their attributes, not only the RRAS server.

Use the workaround in the last condition only after you understand its impact on Active Directory security. If it conflicts with your security requirements, upgrade the Windows NT RRAS server to Windows 2000 and make it a member of a Windows 2000 mixed-mode or native-mode domain. A Windows 2000 RRAS server authenticates to Active Directory with its computer account instead of a NULL session, which also removes the inconsistent behavior described in the second condition.
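The following PowerShell script is an added check, not part of the original guide, for telling which of the three conditions applies to a given RRAS server and whether the "weakened permissions" workaround is in effect. It assumes it runs on a domain-joined Windows host with the RSAT ActiveDirectory module installed; the domain name and the user it probes ($Domain, $SamAccountName) are placeholders you supply. Step 1 reports where the server's secure channel currently points (the second condition); step 2 looks for Everyone (S-1-1-0) or Anonymous Logon (S-1-5-7) in the Pre-Windows 2000 Compatible Access group, which is how Windows 2000 implements the relaxed permissions; step 3 performs an anonymous LDAP bind and tries to read a user's dial-in attributes, which is exactly what a NULL-session client can or cannot do.

```powershell
# Added example (not from the Windows 2000 deployment guide): classify an RRAS
# server's situation against the three conditions above.
# Assumptions: PowerShell 5+, RSAT ActiveDirectory module, run on a domain member.
param(
    [string]$Domain = $env:USERDNSDOMAIN,   # assumption: DNS name of the domain
    [string]$SamAccountName = 'rrasuser'    # assumption: any existing user account
)

Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

# --- 1. Which domain controller holds this server's secure channel? ---------
# nltest prints a "Trusted DC Name \\dc.fqdn" line; an NT BDC here means the
# second condition is in effect, and it may change on the next restart.
$scOutput = & nltest /sc_query:$Domain 2>&1
$trustedDc = $null
foreach ($line in $scOutput) {
    if ("$line" -match 'Trusted DC Name\s+\\\\(\S+)') { $trustedDc = $Matches[1]; break }
}
if ($trustedDc) {
    $dcHost = ($trustedDc -split '\.')[0]
    $dcObj = Get-ADComputer -Identity $dcHost -Properties operatingSystem -ErrorAction SilentlyContinue
    # A Windows 2000 DC publishes operatingSystem = "Windows 2000 Server".
    Write-Output ("Secure channel DC: {0} (operatingSystem: {1})" -f $trustedDc, $dcObj.operatingSystem)
} else {
    Write-Output "Could not determine the secure channel DC:`n$($scOutput -join "`n")"
}

# --- 2. Are the permissions weakened? (third condition) ----------------------
# dcpromo's pre-Windows 2000 compatible option adds Everyone to this group;
# members appear as foreign security principal DNs such as CN=S-1-1-0,...
$group = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
$weakMembers = @($group.member | Where-Object { $_ -match '^CN=S-1-1-0,' -or $_ -match '^CN=S-1-5-7,' })
if ($weakMembers.Count -gt 0) {
    Write-Output "Pre-Windows 2000 Compatible Access contains Everyone/Anonymous: $($weakMembers -join '; ')"
} else {
    Write-Output 'Pre-Windows 2000 Compatible Access does not contain Everyone or Anonymous Logon.'
}

# --- 3. Can a NULL-session client actually read user dial-in properties? ------
# An anonymous bind mirrors what Windows NT RRAS running as LocalSystem does.
$anon = [System.DirectoryServices.AuthenticationTypes]::Anonymous
$result = $null
$probeError = $null
try {
    # RootDSE is readable anonymously on every AD version; the user object is not.
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/RootDSE", $null, $null, $anon)
    $nc = [string]$rootDse.Properties['defaultNamingContext'].Value
    $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Domain/$nc", $null, $null, $anon)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'msNPAllowDialin', 'msRADIUSCallbackNumber'))
    $result = $searcher.FindOne()
} catch {
    $probeError = $_.Exception.Message
}

if ($result) {
    # Finding the object at all means anonymous clients can read user attributes:
    # the weakened-permissions configuration is live for every NULL-session client.
    $dialin = if ($result.Properties.Contains('msnpallowdialin')) { $result.Properties['msnpallowdialin'][0] } else { '(not set)' }
    Write-Output "WARNING: anonymous LDAP read of $SamAccountName succeeded; msNPAllowDialin = $dialin"
} else {
    # Expected on a default Windows 2000 domain, and always on Windows Server 2003+
    # DCs, which refuse anonymous operations beyond RootDSE regardless of group membership.
    Write-Output "Anonymous LDAP read of $SamAccountName denied or returned nothing. $probeError"
}
```

Run it once from the RRAS server itself so that step 1 reflects that server's secure channel rather than the administrator's workstation. A warning from step 3 means the third condition is in effect and anonymous enumeration of user attributes is possible domain-wide; a negative result on a Windows Server 2003 or later domain controller does not by itself prove that the group membership in step 2 is clean, because those DCs block anonymous searches beyond RootDSE by default.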