If you are planning to upgrade your Active Directory infrastructure to 2008 R2 and you still have external NT 4.0 trusts in place, you’ll need to make some decisions before you upgrade. Trust relationships are no longer supported between these two types of Windows domains.
The work-around (cryptography algorithms compatible with Windows NT 4.0 policy) that have been available for previous versions of Active Directory are no longer supported. Here is an excerpt from Microsoft KB article:
“The Net Logon service on Windows Server 2008 and on Windows Server 2008 R2 domain controllers does not allow the use of older cryptography algorithms that are compatible with Windows NT 4.0 by default“
A summary from the article … “Windows NT 4.0 trusts cannot be created between Windows Server 2008 R2-based domains and Windows NT 4.0-based domains. The workaround steps that are documented later in this article apply to only Windows Server 2008. Security changes that are in Windows Server 2008 R2 prevent trust between Windows Server 2008 R2-based domains and Windows NT 4.0-based domains. This behavior is by design.”
This is probably a good thing that will force us to stop putting in place security measures simply to keep these unsupported domains online.
