Windows 2000 and Windows NT trust relationships are in place, but a Windows 2000 domain controller (DC1) using a highly secure security template is blocking access from Windows NT domain users. To restore access while keeping the trusts intact, what action should the administrator take on DC1?

Difficulty: Medium

Correct Answer: Apply a less restrictive custom security template to DC1

Explanation:


Introduction / Context:
Windows 2000 introduced security templates (.inf files applied with the Security Configuration and Analysis snap-in or secedit.exe) that can harden domain controllers substantially. The "highly secure" DC template (hisecdc.inf), for example, refuses LM and NTLM authentication in favour of NTLMv2, requires SMB signing, and requires a strong (Windows 2000 or later) secure-channel session key. When a Windows 2000 DC is locked down this way, Windows NT 4.0 clients and NT 4.0 domain controllers in trusted domains can fail authentication or resource access even though two-way trusts exist. This scenario tests your understanding of interoperability between mixed-generation domains and the impact of security templates on legacy access.


Given Data / Assumptions:

  • Two Windows NT domains and a Windows 2000 domain have mutual trusts.
  • DC1 (a Windows 2000 domain controller) uses a highly secure template.
  • Users from the NT domain cannot access resources on DC1, but trusts themselves are configured.
  • Goal: allow NT users to access DC1 while keeping the domain topology unchanged.


Concept / Approach:
Highly secure DC templates disable or restrict the down-level mechanisms NT 4.0 still relies on: NT 4.0 clients send LM and NTLM by default (NTLMv2 only from SP4 onward, and only if configured), NT 4.0 domain controllers cannot negotiate a strong Windows 2000 session key for the trust's secure channel, and unsigned SMB is common. The most direct, least disruptive fix is to copy the template applied to DC1 into a custom template, lower only the settings that block down-level access (LAN Manager authentication level, the "always require" SMB signing options, the strong session key requirement), and apply that custom template to DC1. Switching the Windows 2000 domain between mixed and native mode governs whether NT 4.0 BDCs can exist in that domain; it does not change which authentication protocols DC1 accepts from a trusted NT domain, so it would not by itself re-enable access for NT users.


Step-by-Step Solution:

  • Confirm the failure correlates with DC1's hardening: check DC1's Security and System event logs for logon and NETLOGON secure-channel failures from the NT domain, and compare DC1's effective settings against the applied template with secedit /analyze.
  • Duplicate the existing template (for example hisecdc.inf in %SystemRoot%\Security\Templates) and create a more compatible custom template rather than editing the shipped one in place.
  • Lower only the specific settings that block NT access: the LAN Manager authentication level, "Digitally sign server communication (always)", and "Secure channel: Require strong (Windows 2000 or later) session key". Leave the negotiate-if-possible signing options and the remaining hardening intact.
  • Reapply the adjusted template to DC1 with the Security Configuration and Analysis snap-in or secedit /configure, then test NT domain user authentication and resource access.
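The following script is an added example for the Concept / Approach and Step-by-Step sections above; it is not part of the original page and not Microsoft tooling. It parses the [Registry Values] section of a Windows 2000 security template, lowers exactly the three settings discussed (LmCompatibilityLevel, RequireSecuritySignature, RequireStrongKey), writes the result as a custom template, and prints the secedit commands to analyze and apply it. The template text embedded in it is a constructed excerpt in hisecdc.inf format, not a verbatim copy of the shipped file, and the database and log paths under C:\temp are assumptions.

```python
"""
Derive a down-level-compatible custom template from a Windows 2000
security template (.inf) by lowering only the settings that block
Windows NT 4.0 access, leaving every other setting in the template intact.

Example code added to this page; not Microsoft tooling and not the
template shipped with Windows 2000. HISECDC_EXCERPT below is a constructed
excerpt in hisecdc.inf format, not a verbatim copy.
"""
import re

# Constructed excerpt modelled on hisecdc.inf's [Registry Values] section.
# Each entry is  registry-path=type,data  where type 4 means REG_DWORD.
HISECDC_EXCERPT = """\
[Version]
signature="$CHICAGO$"
Revision=1

[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,5
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\RequireSecuritySignature=4,1
MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters\\EnableSecuritySignature=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireStrongKey=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireSignOrSeal=4,1
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\RestrictAnonymous=4,2
"""

# Minimum relaxation for NT 4.0 interoperability; only these keys change.
#  LmCompatibilityLevel 5 -> 2 : the DC accepts LM/NTLM/NTLMv2 inbound again
#    (NT 4.0 sends LM+NTLM by default).
#  RequireSecuritySignature 1 -> 0 : SMB signing negotiated, not required;
#    EnableSecuritySignature stays 1 so signing is still offered.
#  RequireStrongKey 1 -> 0 : "Require strong (Windows 2000 or later) session
#    key" cannot be satisfied by an NT 4.0 trust partner.
RELAXED = {
    r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel": "4,2",
    r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature": "4,0",
    r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey": "4,0",
}


def parse_template(text):
    """Return {section: [(key, value), ...]} preserving section and entry order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("data before first section header: %r" % raw)
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed template line: %r" % raw)
        sections[current].append((key.strip(), value.strip()))
    return sections


def relax(sections, overrides):
    """Apply overrides to [Registry Values]; fail closed if a key is absent.

    Returns (new_sections, changes) where changes lists (leaf name, old, new)
    so the operator can see exactly what was lowered and nothing else.
    """
    present = dict(sections.get("Registry Values", []))
    missing = [k for k in overrides if k not in present]
    if missing:
        raise KeyError("template lacks expected keys: %s" % missing)
    changes, new_values = [], []
    for key, value in sections["Registry Values"]:
        if key in overrides and value != overrides[key]:
            changes.append((key.rsplit("\\", 1)[-1], value, overrides[key]))
            value = overrides[key]
        new_values.append((key, value))
    out = dict(sections)
    out["Registry Values"] = new_values
    return out, changes


def render(sections):
    """Serialise sections back into .inf text (round-trips through parse_template)."""
    lines = []
    for name, entries in sections.items():
        lines.append("[%s]" % name)
        lines.extend("%s=%s" % (k, v) for k, v in entries)
        lines.append("")
    return "\n".join(lines)


def secedit_commands(template_path, db_path=r"C:\temp\dc1.sdb"):
    """Windows 2000 secedit.exe invocations: compare first, then apply."""
    return [
        # Report every setting on DC1 that differs from the relaxed template.
        r"secedit /analyze /db %s /cfg %s /log C:\temp\dc1-analyze.log" % (db_path, template_path),
        # Apply it; /overwrite empties the .sdb so earlier imports do not linger.
        r"secedit /configure /db %s /cfg %s /overwrite /log C:\temp\dc1-configure.log" % (db_path, template_path),
    ]


if __name__ == "__main__":
    relaxed, changed = relax(parse_template(HISECDC_EXCERPT), RELAXED)
    with open("dc1-compat.inf", "w") as fh:
        fh.write(render(relaxed))
    for leaf, old, new in changed:
        print("%-28s %s -> %s" % (leaf, old, new))
    print("\n".join(secedit_commands(r"C:\temp\dc1-compat.inf")))
```

The relax step raises if a key it expects to lower is not in the source template, so a template that was already edited by hand cannot silently produce an "unchanged" custom copy; RequireSignOrSeal and RestrictAnonymous are deliberately left at their hardened values to show that the relaxation is confined to the named settings.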


Verification / Alternative check:
After applying the less restrictive template, run secedit /analyze against it to confirm that only the intended settings differ from DC1's effective configuration, then verify successful NT user authentication, access to shared resources, and the absence of related logon and secure-channel failures in DC1's event logs. Ensure that you relax only the minimum settings required; every setting lowered on DC1 is a hardening measure given up for all of DC1's clients, not just the NT domain.


Why Other Options Are Wrong:

  • Apply a less restrictive policy to NT DCs: the access problem originates in DC1's restrictions, and the NT 4.0 DCs cannot be made to satisfy requirements such as a Windows 2000 strong session key anyway.
  • Mixed/native mode changes: the Windows 2000 domain's mode only governs whether NT 4.0 BDCs may exist in that domain; it does not remove the protocol-level blocks that DC1's template imposes on a trusted NT domain.
  • None of the above: incorrect, because relaxing the template on DC1 is the appropriate fix.


Common Pitfalls:
Over-relaxing unrelated settings; editing the shipped template in place instead of a custom copy; changing domain mode unnecessarily; assuming trusts alone guarantee interoperability without ensuring protocol compatibility; lowering the LAN Manager authentication level further than necessary when the NT 4.0 machines are at SP4 or later and could be configured to send NTLMv2 instead.


Final Answer:
Apply a less restrictive custom security template to DC1.
