I've read that Kerberos replaces the much weaker Windows NT LAN Manager (NTLM) authentication in Windows 2000 and later. Are there any circumstances under which Win2K still uses NTLM?

Yes, Win2K still uses NTLM in certain situations. You should know the circumstances under which this occurs because NTLM is much more vulnerable to eavesdropping and subsequent cracking. For Win2K to use Kerberos when a user logs on, all computers involved—workstations, domain controllers (DCs), and servers—must be Win2K or later and members of the same domain or at least the same forest. In addition, the user account that's logging on must be an Active Directory (AD) user account, not an account in a computer's local SAM or an account from an NT domain.

In the following situations, NTLM rather than Kerberos authenticates logons. When a user with an AD domain account logs on at an NT or Windows 9x workstation, NTLM will authenticate the logon because pre-Win2K versions of Windows don't support Kerberos. For the same reason, even when a user logs on with an AD domain account to a Win2K workstation but maps a drive to an NT server, NTLM will authenticate the logon. Also, when a user maps a drive to a Win2K server but uses a local account in that server's SAM, Win2K uses NTLM—even if the workstation and server are part of an AD domain.
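The conditions above can be turned into a check for audit review: given which authentication package a logon actually used, report whether one of the listed conditions explains an NTLM logon. This is an added example, not part of the original answer; the OS labels, field names, status strings and sample records are all constructed assumptions.

```python
# Added example: encodes the Kerberos prerequisites stated in the answer above.
# OS labels, field names and all sample records are constructed for illustration.
from dataclasses import dataclass

KERBEROS_CAPABLE = {"win2k", "winxp", "win2003"}  # "Win2K or later" (assumed labels)

@dataclass
class Logon:
    client_os: str     # workstation the user logs on at
    server_os: str     # machine being accessed (e.g. mapped drive target)
    dc_os: str         # domain controller handling the logon
    account: str       # "ad", "local_sam" or "nt_domain"
    same_forest: bool  # computers share a domain or at least a forest
    observed: str      # package seen in the audit record: "Kerberos" or "NTLM"

def ntlm_reasons(l):
    """List every condition from the answer that rules out Kerberos."""
    reasons = []
    for role, os_name in (("workstation", l.client_os), ("server", l.server_os),
                          ("DC", l.dc_os)):
        if os_name not in KERBEROS_CAPABLE:
            reasons.append("pre-Win2K " + role)
    if l.account == "local_sam":
        reasons.append("local SAM account")
    elif l.account == "nt_domain":
        reasons.append("NT domain account")
    if not l.same_forest:
        reasons.append("different forest")
    return reasons

def triage(l):
    """Compare the observed package with what the prerequisites predict."""
    reasons = ntlm_reasons(l)
    if l.observed == "NTLM":
        # No listed condition applies: the answer's rules do not account for it.
        return ("ntlm-explained" if reasons else "ntlm-unexplained", reasons)
    # Kerberos observed while a blocker is recorded means the inventory is wrong.
    return ("inventory-mismatch" if reasons else "kerberos", reasons)

SAMPLE = [  # constructed records
    Logon("win2k", "win2k", "win2k", "ad", True, "Kerberos"),
    Logon("nt4", "win2k", "win2k", "ad", True, "NTLM"),
    Logon("win2k", "nt4", "win2k", "ad", True, "NTLM"),
    Logon("win2k", "win2k", "win2k", "local_sam", True, "NTLM"),
    Logon("win2k", "win2k", "win2k", "ad", True, "NTLM"),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.client_os, rec.server_os, rec.account, *triage(rec))
```

Records that come back as `ntlm-unexplained` are the ones to look at first, since none of the conditions listed in the answer accounts for them.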