Windows 2000 at Fermilab
Frequently Asked Questions


This document is intended to answer many basic Windows 2000 questions, as they apply to Fermilab's computing environment. Comments and/or suggestions can be sent to the W2K Migration Working Group at
http://www-win2k.fnal.gov/pub/Docs/comments.asp.




Question: Why is a registry entry change required on W2K domain member workstations to access NT4 domain resources?

Answer: This ensures that the minimum authentication protocol in use is NTLMv2.

Question: What is the registry entry change required on W2K/XP workstations to access NT4 domain resources with a FERMI account?

Answer: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
REG_DWORD 0x00000005 (5) - for domain members
REG_DWORD 0x00000003 (3) - for non domain members such as laptops
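
The following is an added example, not part of the original FAQ or any Fermilab tooling: it reads the value (which Windows spells `LmCompatibilityLevel`), determines whether the machine is a domain member, and compares the result with the values given in the answer above. It assumes PowerShell 3.0 or later for `Get-CimInstance`, which postdates Windows 2000/XP; the property names in the output object are illustrative.

```powershell
# Added example: audit LmCompatibilityLevel against the FAQ's values
# (5 for domain members, 3 for non-domain members such as laptops).
$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'LmCompatibilityLevel'

# PartOfDomain is $true when the machine is joined to a domain.
$isDomainMember = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain
$required = if ($isDomainMember) { 5 } else { 3 }

# The value can be absent, in which case Windows applies its built-in
# default; report that case explicitly instead of treating it as 0.
$item    = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
$current = if ($null -ne $item) { [int]$item.$valueName } else { $null }

$result = [pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    DomainMember  = $isDomainMember
    RequiredLevel = $required
    CurrentLevel  = if ($null -eq $current) { 'not set' } else { $current }
    MatchesFaq    = ($null -ne $current -and $current -eq $required)
}
$result | Format-List

# To apply the FAQ's value, run the line below from an elevated session.
# -Force creates the value if it is missing and overwrites it otherwise.
# New-ItemProperty -Path $lsaKey -Name $valueName -PropertyType DWord -Value $required -Force
```

At level 3 the client sends only NTLMv2 responses; level 5 additionally makes a domain controller refuse LM and NTLM.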

Question: What do I need to get a standard Windows 2000 account?

Answer: Standard NT4 user accounts require a Kerberos principal before an account will be created in the Windows 2000 domain. If a user's present NT4 domain username exceeds 8 characters, matches their email username, and the user will not need to use a Unix system, then they can get a Kerberos principal and W2K domain account that matches their NT4 domain username.

Question: What about any specialized accounts?

Answer: The FNAL domain has quite a few user_home accounts used to access the NT4 domain from home and offsite. These accounts do not need a Kerberos principal. At this time these accounts will also not be moved into the W2K domain (nor will their home systems). The user will still connect directly to the NT4 domain.

Question: What do I need to get a Windows 2000 Administration account?

Answer: Windows 2000 accounts used for administrative purposes do not need a Kerberos principal. The W2K Migration Working Group is presently developing a naming convention for admin accounts, but all accounts related to a user in the domain will start with your Windows 2000 username, followed by a word describing the privileges and the location. In Jud's case regarding Directorate desktop support, I would imagine a user account of something like: <username>_admin_<OU>

Question: Are shared accounts allowed?

Answer: Shared accounts (i.e., more than one person using the SAME account and password to manage items) are not allowed in the W2K domain. The W2K Migration Working Group is examining this issue and how to handle it. We plan on publishing a set of guidelines to follow, but as always there may be cases outside of our tests, and we will need to work with the admins to find a solution.

Question: Do I need to be in the W2K Domain by January 1st?

Answer: No. This is now the target date for the lab-wide migration to begin. The migration is a huge undertaking which will take some time. You do have to abide by your local organization's migration plans. Please see your local NT Windows administrator for more information or email wk2mig@fnal.gov.

Question: I can't install Windows 2000 on my system. What should I do?

Answer: First you should consult with your local Windows/PC expert. They should be able to give you the proper information as it relates to you. For example, you may need a hardware upgrade.

Question: Do I need to get a Kerberos principal to be in the Windows 2000 domain?

Answer: Yes.

Question: Am I required to have W2K on my desktop to be in the Windows 2000 domain?

Answer: Yes. The Fermilab Windows 2000 domain is designed to run in native mode. To allow NT4 machines as domain members would require mixed mode. There are currently no plans for the Fermilab Windows 2000 domain to operate in mixed mode.

Question: Can I use the MIT KDC instead of the Windows KDC to log in?

Answer: The trust will be there to allow authentication via the MIT KDC, but you should be aware that problems may arise as new service packs are installed. You also would not be able to use your MIT KDC credentials to log in remotely. The W2K Migration Working Group does not recommend this approach.

Question: Can I add my machine to the Windows 2000 domain?

Answer: No. Your local Windows/PC support people need to do this for you.

Question: Do I need to get a new username if my present username is more than 8 characters?

Answer: No. See above #1.

Question: Will all Windows machines be put in the Windows 2000 domain?

Answer: It depends. Any Windows machine which is permanent and considered to be a user's everyday desktop will certainly be in the Windows 2000 domain. Teststands may not fall into this category. Old NT4 desktops have an exemption while their organization plans the migration in accordance with the lab's W2K Migration plans.

Question: Are there kerberized clients in Windows 2000 (telnet, ssh, ftp)?

Answer: You need to use 3rd party tools like WRQ or Exceed 7. More information on this subject can be found at http://www.fnal.gov/docs/strongauth/

Question: Will my login be different when I'm in the domain?

Answer:

Question: Will I have to do anything different to get at my files in the NT4 domain once migrated?

Answer: Once logged into the Windows 2000 domain, you should still be able to access your old NT4 resources. This is done via a trust relationship between the old NT4 domain(s) and the new W2K domain. This authentication method will be NTLMv2 and is hoped to be transparent.

Question: Why do my machine and my account have to be in the W2K domain?

Answer: This is to comply with the Fermilab mandated Strong Authentication policy.

Question: Is my Windows NT 4.0 software compatible with Windows 2000?

Answer: Most software that runs under NT 4.0 will run under Windows 2000; however, there have been some software packages that do not run under Windows 2000. Some software requires power user or administrator privileges to run, and some packages require that they be run from the account that they were installed from. Both Beams Division and the TOC group have tested various software packages under Windows 2000. Beams Division's results are at http://www-bdnew.fnal.gov/network/w2k-software.htm, and the TOC group's results are at http://www-toc.fnal.gov/compatibility.htm. It is recommended that a user check these pages before upgrading to Windows 2000. If you do not see your software listed on these pages, then Beams Division and the TOC group have not tested it under Windows 2000, and you will have to contact your software vendor for compatibility information.

Question: What are the minimum hardware requirements recommended to upgrade to Windows 2000?

Answer: The Windows 2000 Migration Working Group hardware recommendations are located at http://www-win2k.fnal.gov/ws.asp. Also see the Beams Division's recommendations, located at http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm#Preparation.

Question: Should I upgrade from Windows NT 4.0 to Windows 2000 or do a fresh install of Windows 2000?

Answer: The Windows 2000 Migration Working Group recommends a fresh install. Also see the Beams Division upgrade vs. fresh install issues at http://www-bdnew.fnal.gov/network/Win2K%20Admin%20Setup.htm#Upgrade for more information.


last modified 1/22/03    email helpdesk@fnal.gov

Fermi National Accelerator Laboratory