When you add a Windows Server 2008-based domain controller to an existing pre-Windows Server 2008 domain that uses the default domain policies, client computers in the domain may not work correctly.
This problem may occur if the Security Templates files for the NoLMHash policy setting on the Windows Server 2008-based domain controller do not match the Security Templates files for the NoLMHash policy setting on the pre-Windows Server 2008-based domain controllers.
When you perform a clean install of Windows Server 2008 and then install the Active Directory directory service on the computer, the Security Templates files are changed to enable the NoLMHash policy.
If you add a Windows Server 2008-based domain controller to an existing domain that uses the default domain policy, the NoLMHash policy is disabled on the existing domain controller but enabled on the Windows Server 2008-based domain controller.
If a client that requires LMHash exists in the domain, disable the NoLMHash policy in Windows Server 2008.
To disable the NoLMHash policy by using Group Policy in Windows Server 2008, follow these steps:
- Click Start, click Control Panel, click Administrative Tools, and then click Local Security Policy.
- Expand Security Settings, expand Local Policies, and then click Security Options.
- In the list of the available policies, double-click Network security: Do not store LAN Manager hash value on next password change.
- Click Disabled, and then click OK.
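To confirm which domain controllers actually differ before or after changing the policy, the following added example (not part of the original article) reads the effective NoLMHash registry value from each one and flags a mismatch. The host names are placeholders, and it assumes the Remote Registry service is reachable and that you run it with administrative rights.

```powershell
# Placeholder host names (assumption): replace with the domain controllers to compare.
$DomainControllers = @('DC-OLD-01', 'DC-2008-01')

function Get-NoLMHashState {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $state = 'Unreachable'
    $hklm = $null
    try {
        # Needs the Remote Registry service and administrative rights on the target.
        $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $ComputerName)
        $lsa = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        if ($lsa -eq $null) {
            $state = 'LsaKeyMissing'
        } else {
            # The security option is stored as the REG_DWORD value NoLMHash.
            $raw = $lsa.GetValue('NoLMHash', $null)
            if ($raw -eq $null) { $state = 'ValueNotPresent' }
            elseif ($raw -eq 1) { $state = 'Enabled' }    # LM hash is not stored
            elseif ($raw -eq 0) { $state = 'Disabled' }   # LM hash is stored on next change
            else                { $state = "Unexpected value $raw" }
            $lsa.Close()
        }
    } catch {
        $state = "Unreachable: $($_.Exception.Message)"
    } finally {
        if ($hklm -ne $null) { $hklm.Close() }
    }

    New-Object PSObject -Property @{ ComputerName = $ComputerName; NoLMHash = $state }
}

$results = $DomainControllers | ForEach-Object { Get-NoLMHashState -ComputerName $_ }
$results | Format-Table ComputerName, NoLMHash -AutoSize

# More than one distinct state among reachable DCs is the mismatch described above.
$states = @($results | Where-Object { $_.NoLMHash -notlike 'Unreachable*' } |
    Select-Object -ExpandProperty NoLMHash -Unique)
if ($states.Count -gt 1) {
    Write-Warning "NoLMHash differs between domain controllers: $($states -join ', ')"
} else {
    Write-Output 'NoLMHash is consistent on all reachable domain controllers.'
}
```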
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments