We installed a new Windows 2008 R2 member server in a Windows 2000 Native domain. After the installation was finished we added a domain service account to the local administrators group. After adding the service account we noticed that the SID was not resolved in the display of the local administrators group. At first we suspected some issues with active directory, but all tests prove that Active Directory was able to authenticate the user and computer account without any issue. Nevertheless we knew possible issues could occur as the Windows Server 2008 R2 does no longer uses LM and NTLM, but enforces the use of Kerberos. Now Kerberos was introduced in Windows 2000 so it should be able to use Kerberos. We made sure that all domain controllers had all SP4 installed prior to installing our first Windows Server 2008 R2. After loosening the local security settings the SID where correctly resolved.
Following Security setting need to be set in Windows Server 2008 R2 to make sure that domain SID can be resolved:
Click Start-> Run -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Policy: Domain Member: Digitally encrypt or sign secure channel data (always) - Setting: Disabled
Policy: Domain Member: Digitally encrypt secure channel data (When possible) - Setting: Disabled
Policy: Domain Member: Digitally sign secure channel data (When Possible) - Setting: Disabled
Note: these settings are all enabled by default, and are the recommended settings. Preferable you should update the domain controller and domain/forest instead of down grading the security just for compatibility. These settings will only be applied after the server has been rebooted.