Windows Server 2008 R2 and Windows 7 restricts NTLM authentication usage out of the box. This feature is known as NTLM blocking. NTLM blocking prevents NTLM from being used for authentication
The NetLogon service is responsible for implementing pass-through authentication. To perform pass-through authentication, the service:
- Selects the domain to pass the authentication request to.
- Selects the server within the domain.
- Passes the authentication request through to the selected server.
Selecting the domain is straightforward. The domain name is passed to LsaLogonUser. LsaLogonUser supports interactive logons, service logons, and network logons. Since the domain name specified is not trusted by the domain, the authentication request is processed on the computer being connected to as if the domain name specified were that domain name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name.
NTLM and Pass-through Authentication (119536)
Configuring server exceptions to allow NTLM
Conditions for Kerberos to be used over an External Trust
Interactive logon across external trusts will attempt Kerberos. On Windows XP and Windows Server 2003, NTLM will be tried if Kerberos fails. Windows Vista and newer operating systems will not allow fallback to NTLM
for interactive logon over external trusts.
This ONY applies to Windows workstations. How about individual applications ? it will depends !!!
Kerberos Authentication Over An External Trust – Is It Possible?
Encounter 2 issues w/o no answer yet – related to SAM but not UPN
a. User from Domain SG is able to login to the PC’s in Domain HK using SAM account, but can’t change the password.
b. User from Domain HK is able to login to the PC’s in Domain SG using SAM account and also able to change the password, but the user can’t login to the IIS web in the same PC with Windows Integrated Auth.
Q: how SAM to resolve the Domain Name in the trusted domain without WINS replication enable between domain?
Points to be noted:
1. Domain DNS’ name & Domain NetBios Name: Intra.xxx.net but xxx_Domain.
2. Understanding the NetBIOS Node Types: Enhanced h-node
Clients that use the Enhanced h-node type use the p-node type and b-node type, and DNS to resolve NetBIOS names to IP addresses. Enhanced h-noe type is the default node type used for Windows 2000, Windows XP, and Windows Server 2003 NetBIOS clients who have a configured WINS server for name resolution. The order in which Enhanced h-node type clients resolve NetBIOS name are:
- NetBIOS name cache.
- NetBIOS name server – WINS
- Broadcasting name resolution method.
- LMHOSTS file
- DNS name cache
- HOSTS file
- DNS server
3. How to disable NetBIOS name resolution: Disable NetBIOS over TCP/IP
4. How to make sure NetBIOS name resolution works ?
- NetBIOS over TCP/IP is enabled
- TCP/IP NetBIOS Helper Service is running
samAccountName vs userPrincipalName
Crossing Domain Boundaries: Name Resolution
Understanding NetBIOS Name Resolution
Using GlobalNames Zone in Windows Server 2008
Working on the FW ports for the project, and noted that Microsoft confuses IT guy again – DFSR port
In reference 1, Microsoft mentioned that TCP 5722 is for “RPC, DFSR (SYSVOL)” and this article is applied up to W2K12 R2 (dated on Mar 28 2014)
But the fact is: TCP 5722 is fixed for DFSR in W2K8 only. In Windows 2012, DFSR is back to dynamic port as the same W2K3.
If you want to fix the port in W2K12, yes, possbile but have to install the File Services Tools feature with the Distributed File System Tools option and enjoy dfsrdiag command
1. Active Directory and Active Directory Domain Services Port Requirements
2. 2012R2 DC – Configure Static DFSR Replication Port
Export VMs OVA from v5.5.0 (3248547), and Deploying OVA into v5.5.0 (3000241) but fails with “Failed to Deploy OVF/OVA package: The operation is not supported on the object”, the root cause is due to the video card settings, funny!
This will help on the site migration