I'm tightening my network's security posture by increasing the values of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LMCompatibilityLevel registry subkey. With an all-Windows NT network (workstations and servers), I've currently set all workstations to Level 3 (Send NTLMv2 authentication only) and the domain controllers (DCs) to Level 2 (Send NTLM authentication only). I want to raise the DCs to Level 5 (DC refuses LM and NTLM authentication; accepts only NTLMv2) and use only NT LAN Manager v2 (NTLMv2) authentication. However, if the DCs run at Level 5, what impact will this change have when I bring a new DC online? Does the initial NT server installation default to a lower authentication level? If so, can the new DC join the domain and receive a copy of the SAM database? How can I use only NTLMv2 authentication and still bring new DCs into the domain?
NTLMv2 is an enhanced version of the NTLM authentication protocol that shipped with NT Service Pack 4 (SP4). You can use this version for authentication only between SP4 or post-SP4 NT machines. When you enforce NTLMv2 authentication on your existing SP4 DCs, new DCs installed from first-release NT Server 4.0 media won't be able to join the domain, because the unpatched installer can only send LM or NTLM responses, which a Level 5 DC refuses. If you've set up auditing for logon/logoff events, an event such as Event ID 529 (Unknown user name or bad password) will appear in the Security log of the existing SP4 DCs.
The only way to remedy this problem is a temporary change to the LMCompatibilityLevel setting on your SP4 DCs. For example, you could lower the level to 0 (Send LM response and NTLM response; never use NTLMv2). If your new DCs are able to join the domain, a successful logon message will appear in the Security log of the existing SP4 DCs. (For more information about the NTLM-related registry settings I refer to, see my March 2001 column.)
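The following script is an added illustration and is not part of the column. It shows the read, temporary-lower, and verify steps the answer describes, against the same Lsa\LmCompatibilityLevel value, using PowerShell on a later Windows release (NT 4.0 itself has no PowerShell). The level descriptions for 0, 2, 3 and 5 are the ones quoted in the question; 1 and 4 are the documented intermediate levels. Event ID 529 is the NT-era failure event; on Windows Vista and later the equivalent is 4625, so the log check looks for both.

```powershell
# Added example, not code from the column. Assumes PowerShell 3.0 or later and
# local administrator rights (the Lsa key and the Security log both need them).
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'LmCompatibilityLevel'

# Levels 0, 2, 3, 5 as quoted in the question; 1 and 4 are the documented intermediates.
$LevelText = @{
    0 = 'Send LM and NTLM responses; never use NTLMv2'
    1 = 'Send LM and NTLM; use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only; DC refuses LM'
    5 = 'Send NTLMv2 response only; DC refuses LM and NTLM'
}

function Get-LmCompatibilityLevel {
    # Returns the configured level, or $null when the value is absent and the OS default applies.
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-LmCompatibilityLevel {
    # Writes the DWORD value; supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level
    )
    $target = "$LsaKey\$ValueName"
    if ($PSCmdlet.ShouldProcess($target, "Set to $Level ($($LevelText[$Level]))")) {
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $Level -Type DWord
    }
}

function Get-NtlmLogonFailures {
    # Lists failed logons since $Since: 529 on NT-era systems, 4625 on Vista and later.
    # Get-WinEvent raises an error when nothing matches, so that case is suppressed.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $filter = @{ LogName = 'Security'; Id = @(529, 4625); StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# --- Usage: mirrors the sequence in the answer ---
$current = Get-LmCompatibilityLevel
if ($null -eq $current) {
    'LmCompatibilityLevel is not set; the OS default applies.'
} else {
    "Current level: $current ($($LevelText[$current]))"
}

# Preview the temporary drop to Level 0 before bringing a pre-SP4 DC into the domain.
Set-LmCompatibilityLevel -Level 0 -WhatIf

# After the join attempt, look for the 529/4625 failures the answer says to expect.
Get-NtlmLogonFailures -Since (Get-Date).AddHours(-1) | Format-Table -AutoSize

# Once the new DC has joined and been brought to SP4, restore the enforced level.
Set-LmCompatibilityLevel -Level 5 -WhatIf
```

Remove `-WhatIf` to apply the changes. If the level is managed by Group Policy (the "Network security: LAN Manager authentication level" setting writes this same registry value), a manual change will be overwritten at the next policy refresh, so the temporary drop should be made in the policy instead, or the refresh postponed until the new DC has joined.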