There are some issues with salts and Windows 2000. Using an empty salt—which is the only one that Kerberos 4 supported, and is therefore known as a Kerberos 4 compatible salt—does not work, as far as we can tell from out experiments and users' reports. Therefore, you have to make sure you keep around keys with all the different types of salts that are required. Microsoft have fixed this issue post Windows 2003.
Microsoft seems also to have forgotten to implement the checksum algorithms `rsa-md4-des' and `rsa-md5-des'. This can make Name mapping (see Create account mappings) fail if a `des-cbc-md5' key is used. To make the KDC return only `des-cbc-crc' you must delete the `des-cbc-md5' key from the kdc using the kadmin del_enctype command.
kadmin del_enctype lha des-cbc-md5
You should also add the following entries to the krb5.conf file:
[libdefaults] default_etypes = des-cbc-crc default_etypes_des = des-cbc-crc
These configuration options will make sure that no checksums of the unsupported types are generated.