Q: I heard that in certain migration scenarios, it might be necessary to disable the Kerberos authentication protocol on Windows domain controllers (DCs). Can you provide an example of such a migration scenario? Also, how do you disable Kerberos and what are the possible side-effects?

A: Kerberos is always the first authentication protocol of choice on Windows 2000 Professional and later clients, but it's not supported on older Windows clients such as Windows NT 4.0 or Windows 98.

Imagine the following migration scenario. You've migrated all your client platforms to Windows XP and want to perform an in-place upgrade of your s NT 4.0 domain to Active Directory (AD). The very first step in this scenario is to upgrade your NT 4.0 PDC to Windows Server 2003—all the remaining DCs are still on NT 4.0. In this scenario, the Windows 2003 DC might become overloaded by Kerberos authentication traffic. This is because all XP clients will try to authenticate to it. This is a typical scenario in which you might want to temporarily disable the Kerberos authentication protocol on the Windows 2003 DC.

To disable Kerberos, Microsoft provides a registry setting that is available for Win2K Service Pack 2 (SP2) environments. The setting is called NT4Emulator (of type REG_DWORD) and should be added to the HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/ Parameters registry key of a Win2K SP2 or later DC and set its value to 1. This setting takes effect only after a system reboot.

The creation of this key on a Win2K SP2 or later DC also creates these three problems:

  1. It makes it impossible to manage the AD using any of the Microsoft Management Console (MMC)-based AD management tools from a domain member client or server.
  2. It won't let you promote machines to new DCs in the domain of the DC that has NT4Emulator enabled.
  3. It won't allow the application of Group Policy to Win2K and later clients and thus hinders leveraging the full potential of AD for these clients.

To work around these problems, you must make the following registry change on the clients from which you want to use the AD management tools (for problem 1), on the machines that are about to be promoted to DCs (for problem 2), and on the clients that you want to use to test Group Policy in your new AD domain (for problem 3): Add the NeutralizeNT4Emulator registry value (of type REG_DWORD) in the HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/Netlogon/Parameters registry key and set it's value to 1. As with NT4Emulator, this setting only takes effect after a system reboot.

In general, disabling the Kerberos protocol via the NT4Emulator key should be seen as a short-term workaround until sufficient AD DCs are available in the upgraded domain to handle the Kerberos authentication workload.