Required Settings for Samba NT4 Domains: Difference between revisions

From SambaWiki
m (Mmuehlfeld moved page Required settings for NT4-style domains to Required Settings for Samba NT4 Domains: Update title to TitleCase)
(Rewrote "Required Settings for Samba NT4 Domains")
Line 1: Line 1:
= General information =
= General Information =


Microsoft discontinued the official support for NT4 domains many years ago. However, with some modifications, you can still use later published Windows operating systems with a Samba NT4 domain. Anyway consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes the unsupported NT4 features. For details about migrating, see [[Migrating_a_Samba_NT4_domain_to_a_Samba_AD_domain_(classic_upgrade)|Migrating a Samba NT4 Domain to Samba AD (classic upgrade)]].
'''Samba usually doesn't require any changes on your Windows OS! Please read very carefully, why and in which situations you should do them! The changes mentioned on this page are only necessary if you want to join Windows 7 and later or Server 2008 and later to a <u>Samba NT4-style domain</u>. If this isn't your situation, then it's highly recommended <u>NOT</u> do do any registry changes! None of this modifications described on this page is required/recommended, if you run Samba as an Active Directory Domain Controller!'''


'''If your operating system is not mentioned on this page, or you are running a Samba Active Directory (AD), the Samba team highly recommends <u>NOT</u> to set any registry modification!'''








= Joining Windows 7 or later / Windows Server 2008 or later to a Samba NT4-style domain =


If you try to join any Windows 7 or later / Windows Server 2008 or later, you'll encounter an error
= Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain =


During the join, you see the following error message:
The following error occourred attempting to join the domain "SAMDOM":

The following error occurred attempting to join the domain "SA":
The specified domain either does not exist or could not be contacted.
The specified domain either does not exist or could not be contacted.


To enable the client to join the Samba NT4 domain:
The following registry change work with any Samba version, that isn't already [[Samba_Release_Planning|discontinued]]:

* Save the following content to a plain text file named "samba_7_2008_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
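Review bot: The sample error message in the new join section names the domain "SA" where the previous revision had "SAMDOM". This looks like an accidental truncation made while fixing the "occourred" typo, so restore "SAMDOM" to keep the example recognisable as a domain name. In the rewritten introduction, "Anyway consider migrating ..." would read better as "Nevertheless, consider migrating ...".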
Line 24: Line 27:
"DNSNameResolutionRequired"=dword:00000000
"DNSNameResolutionRequired"=dword:00000000


* Log in using the local "Administrator" account.
Do the changes manually in <tt>regedit.exe</tt> or save the above in a plain text file with Notepad/Editor (not Word/Wordpad/OpenOffice/LibreOffice/...!) and name it <tt>sambafix.reg</tt>. Make sure, that the file has the ending <tt>.reg</tt>. Then you can import it directly to your registry by double-clicking, if you have the sufficient permissions.


After the next reboot, you can join the machine to your domain.
* Double-click the file to import it to the Windows registry.


* Reboot to take the changes effect.








= Windows 8.1: Encountering Error code 0x80090345 launching Windows Credential Manager =


= Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This computer to "" Failed. =
If you are joined to a samba NT4-style domain then the following registry change should work for you see Workaround section in [https://support.microsoft.com/en-us/kb/3000850 KB3000850] for more details


During joining the machine to the NT4 domain you receive the following error:
Windows Registry Editor Version 5.00

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...".
The error was:
The specified domain either does not exist or could not be contacted
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001


You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see [http://support.microsoft.com/kb/2171571 KB2171571].
you will need to reboot after making the above registry change.
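Review bot: The new import steps after the .reg listing drop the old warning "Make sure, that the file has the ending .reg" and the option of making the changes manually in regedit.exe. Keep a short reminder next to the "Double-click the file ..." step that the saved file must really end in ".reg", because that step depends on it. The new heading for the Primary Domain DNS name error also mixes title case with a lower-case "computer".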




Line 47: Line 52:




= Windows 10: There are currently no logon servers available to service the logon request. =


= Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager =
If you have successfully joined Windows 10 to your Samba NT4 domain and try to login, you will encounter the following error


After installing the [https://support.microsoft.com/en-us/kb/3000850 November 2014 update rollup (KB3000850)] you see the following error:
There are currently no logon servers available to service the logon request.


Error code 0x80090345 launching Windows Credential Manager
To workaround, set in your PDCs smb.conf:


To fix this problem:
server max protocol = NT1


* Save the following content to a plain text file named "samba_8_2012_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
After you've restarted Samba, you will be able to login with a domain account on Windows 10.


Windows Registry Editor Version 5.00
Be aware, that this setting prevent your clients to use newer SMB protocol versions than SMB1 with this server! However, this is the way the Samba team recommends. There are suggestions out there, to disable newer SMB version on Windows 10 client(s) in general. However this will prevent them from using newer protocol version with <u>any</u> SMB servers, instead of a single one (PDC)!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001


* Log in using the local "Administrator" account.


* Double-click the file to import it to the Windows registry.


* Reboot to take the changes effect.




= Error: Changing the Primary Domain DNS name of this computer to "" failed. =


If you encounter the following error on Windows 7 or Windows Server 2008R2, it can safely be ignored or silenced by a Microsoft hotfix (See [http://support.microsoft.com/kb/2171571 KB2171571]).


Changing the Primary Domain DNS name of this computer to "" failed. The name will remain ".....".
The error was:
The specified domain either does not exist or could not be contacted


= Windows 10: There Are Currently No Logon Servers Available to Service the Logon Request =


After you have successfully joined Windows 10 to your Samba NT4 domain, you fail to log on and receive the error:


There are currently no logon servers available to service the logon request.


To fix the problem:


* Set in your primary domain controllers (PDC) "smb.conf" file:
= IMPORTANT: Registry changes that should never be done! =


server max protocol = NT1
There are many pages on the internet, which suggest to change the values of <tt>RequireSignOrSeal</tt> and <tt>RequireStrongKey</tt>. '''This is <u>NOT</u> recommended by the Samba team, as it will break interoperability with other Windows and Samba versions!'''


:Note that this setting prevent all your clients to use a newer SMB protocol version than SMB1 when communicating with the PDC. Anyway, the Samba team recommends to use this workaround. Disabling newer SMB versions on the Windows 10 client instead prevent this machine communicating using newer SMB version with <u>all</u> Samba/Windows hosts.
If you have already changed these parameters, turn them back to <tt>1</tt> as shown below and reboot:

* Restart Samba.





= IMPORTANT: Registry Changes That You Should Never Set! =

'''The Samba team recommends not to change the values of "RequireSignOrSeal" and "RequireStrongKey". It will break the interoperability with other Windows and Samba installations!'''

If you changed these parameters, reset the values of both keys back to "1":

* Save the following content to a plain text file named "reset_RequireSignOrSeal_RequireStrongKey.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):


Windows Registry Editor Version 5.00
Windows Registry Editor Version 5.00
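Review bot: The new Windows 10 step "Set in your primary domain controllers (PDC) "smb.conf" file:" does not say which section the parameter belongs in. Name the [global] section so that "server max protocol = NT1" is not pasted into a share definition. In the note under it, "this setting prevent all your clients to use" should read "this setting prevents all your clients from using", and "prevent this machine communicating" needs the same fix.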
Line 90: Line 112:
"RequireSignOrSeal"=dword:00000001
"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
"RequireStrongKey"=dword:00000001

* Log in using the local "Administrator" account.

* Double-click the file to import it to the Windows registry.

* Reboot to take the changes effect.
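Review bot: These three import steps now appear verbatim after every .reg listing on the page. Consider describing the import once and referring to it from each section, which also leaves a single place to correct "Reboot to take the changes effect." to "Reboot for the changes to take effect."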

Revision as of 01:50, 27 August 2016

General Information

Microsoft discontinued official support for NT4 domains many years ago. However, with some modifications, you can still use later Windows operating systems with a Samba NT4 domain. Nevertheless, consider migrating to a Samba Active Directory (AD) to avoid problems if a future update from Microsoft disables or removes the unsupported NT4 features. For details about migrating, see Migrating a Samba NT4 Domain to Samba AD (classic upgrade).

If your operating system is not mentioned on this page, or you are running a Samba Active Directory (AD), the Samba team highly recommends NOT making any registry modifications!



Joining Windows 7 and Later / Windows Server 2008 and Later to a Samba NT4 Domain

During the join, you see the following error message:

The following error occurred attempting to join the domain "SA":
The specified domain either does not exist or could not be contacted.

To enable the client to join the Samba NT4 domain:

  • Save the following content to a plain text file named "samba_7_2008_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters]

"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000
  • Log in using the local "Administrator" account.
  • Double-click the file to import it to the Windows registry.
  • Reboot for the changes to take effect.



Windows 7 / Windows Server 2008 R2: Changing the Primary Domain DNS Name of This Computer to "" Failed.

While joining the machine to the NT4 domain, you receive the following error:

Changing the Primary Domain DNS name of this computer to "" failed. The name will remain "...".
The error was:
The specified domain either does not exist or could not be contacted

You can ignore this error message or install a Microsoft hotfix on the Windows machine. For details, see KB2171571.




Windows 8.1 / Windows Server 2012 R2: Error code 0x80090345 launching Windows Credential Manager

After installing the November 2014 update rollup (KB3000850), you see the following error:

Error code 0x80090345 launching Windows Credential Manager

To fix this problem:

  • Save the following content to a plain text file named "samba_8_2012_fix.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb]
"ProtectionPolicy"=dword:00000001
  • Log in using the local "Administrator" account.
  • Double-click the file to import it to the Windows registry.
  • Reboot for the changes to take effect.



Windows 10: There Are Currently No Logon Servers Available to Service the Logon Request

After you have successfully joined Windows 10 to your Samba NT4 domain, you fail to log on and receive the error:

There are currently no logon servers available to service the logon request.

To fix the problem:

  • Set the following in the "smb.conf" file of your primary domain controller (PDC):
server max protocol = NT1
Note that this setting prevents all your clients from using an SMB protocol version newer than SMB1 when communicating with the PDC. Nevertheless, the Samba team recommends this workaround. Disabling newer SMB versions on the Windows 10 client instead prevents that machine from using newer SMB versions with all Samba/Windows hosts.
  • Restart Samba.



IMPORTANT: Registry Changes That You Should Never Set!

The Samba team recommends not changing the values of "RequireSignOrSeal" and "RequireStrongKey". Changing them will break interoperability with other Windows and Samba installations!

If you changed these parameters, reset the values of both keys back to "1":

  • Save the following content to a plain text file named "reset_RequireSignOrSeal_RequireStrongKey.reg" using a text editor like "Notepad" or "Editor" (not Word/Wordpad/OpenOffice/LibreOffice/etc.):
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters]

"RequireSignOrSeal"=dword:00000001
"RequireStrongKey"=dword:00000001
  • Log in using the local "Administrator" account.
  • Double-click the file to import it to the Windows registry.
  • Reboot for the changes to take effect.
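
The following read-only PowerShell check is an added example, not part of the SambaWiki page or of Samba's own tooling. It reports the registry values discussed on this page so you can confirm that "RequireSignOrSeal" and "RequireStrongKey" are still 1 and see which NT4 compatibility values are present. It assumes the Netlogon values are read from the full CurrentControlSet path; the Scope labels are descriptive text added for the example.

```powershell
# Added example: read-only audit of the registry values discussed on this page.
# "Expected" is the value the page's .reg files set; nothing is written.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$lanman   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManWorkstation\Parameters'
$dpapi    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Protect\Providers\' +
            'df9d8cd0-1501-11d1-8c7a-00c04fc297eb'

# Scope strings are descriptive labels added for this example.
$checks = @(
    @{ Path = $netlogon; Name = 'RequireSignOrSeal';         Expected = 1; Scope = 'every machine' }
    @{ Path = $netlogon; Name = 'RequireStrongKey';          Expected = 1; Scope = 'every machine' }
    @{ Path = $lanman;   Name = 'DomainCompatibilityMode';   Expected = 1; Scope = 'NT4 domain members only' }
    @{ Path = $lanman;   Name = 'DNSNameResolutionRequired'; Expected = 0; Scope = 'NT4 domain members only' }
    @{ Path = $dpapi;    Name = 'ProtectionPolicy';          Expected = 1; Scope = 'Windows 8.1 / 2012 R2 NT4 members only' }
)

$report = foreach ($c in $checks) {
    # A missing value is not an error: Windows then uses its built-in default.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
    $status = if ($null -eq $actual) {
        'not set (Windows default)'
    } elseif ($actual -eq $c.Expected) {
        'as on this page'
    } else {
        'DIFFERS'
    }
    [pscustomobject]@{
        Value = $c.Name; Actual = $actual; Expected = $c.Expected
        Status = $status; Scope = $c.Scope
    }
}
$report | Format-Table -AutoSize

# The two Netlogon values must never differ from 1 (see the section above).
$bad = $report | Where-Object { $_.Scope -eq 'every machine' -and $_.Status -eq 'DIFFERS' }
if ($bad) {
    Write-Warning ("Reset to 1 and reboot: " + ($bad.Value -join ', '))
}
```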