NT4 servers on AD2003 with Server 2008 - global\local security group problem

Thread starter: Mhairi
We have recently upgraded a few DCs to Windows 2008, whilst keeping some DCs at 2003. Almost all member servers are 2003; however, we have a few older NT4 machines with data on them. The NT4 servers were migrated years ago from the older domain structure into a single domain in Active Directory. All has been fine up until recently.

The PDC emulator is on a Windows 2008 DC now.
When logging onto the affected NT4 server(s), User Manager for Domains shows the main domain, but when you look at local groups, the domain groups which are inside are showing as 'DOMAIN NAME\account unknown'.
WINS and DNS entries are the same on all servers which exhibit this issue, and I have 2 NT servers without this issue whose WINS and DNS entries are the same as the failing servers'.

All local users are appearing on the server OK.
Any reference to a domain group there shows as 'DOMAIN NAME\account unknown'.
I can log onto the server as any domain user - this is OK.
Authentication appears to be fine.
Users who are accessing the file data have no security permissions applied - everything is open.
The security permissions on the file structure are granted via local groups; however, no security is being supplied, as the server cannot see the global groups within these local groups.

A few days ago I tried to see if I could find any similarities between the servers which had this issue:
I ran the SET command at the cmd prompt to find out which DC had authenticated me. All the servers with the issue were authenticating me via the 2008 DC.
Servers without the problem authenticated me via a 2003 DC.
However, this only really shows which DC authenticated my logon to the NT4 server, and not the server's authentication to the domain.

I have since found an article advising an entry in the LMHOSTS file to force a particular DC for authentication of the secure channel between the server and AD. I specified a 2003 DC, but this still failed and I am still left with the problem.
I believe that NT4 servers will always look to the PDC for authentication, and if this is the case then I will probably have to move my role from the 2008 DC to a 2003 DC; this would explain why my fix failed anyway.
Has anyone else encountered this issue?
Sorry for such a long post.
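The post above relies on two separate checks that are easy to conflate: the SET output (%LOGONSERVER%), which only names the DC that authenticated the interactive user logon, and the member server's own Netlogon secure channel, which is what the LMHOSTS #PRE #DOM entry is meant to steer. The script below is an added example, not part of the original post or any answer to it, showing how to query each of these, write the LMHOSTS line in the format LMHOSTS actually parses, and re-check the secure channel afterwards. The domain name CORP, the NT4 server NT4FS, the 2003 DC DC03 and its address 192.0.2.10 are all hypothetical placeholders; it is meant to be run from an elevated PowerShell prompt on a 2003/2008 member or DC where nltest.exe and sc.exe are present, with the NT4 box reachable over RPC/NetBIOS.

```powershell
# Added example (not from the original post). Domain CORP, NT4 server NT4FS,
# DC DC03 and address 192.0.2.10 are hypothetical; substitute your own values.
param(
    [string]$Domain    = 'CORP',        # hypothetical NetBIOS domain name
    [string]$Nt4Server = 'NT4FS',       # hypothetical NT4 member server
    [string]$DcName    = 'DC03',        # hypothetical 2003 DC to pin the secure channel to
    [string]$DcIp      = '192.0.2.10'   # hypothetical address of that DC
)

# 1. %LOGONSERVER% (what SET shows) only names the DC that handled *this user's*
#    interactive logon. It says nothing about the machine account's secure channel.
Write-Host "This session's logon DC : $env:LOGONSERVER"

# 2. The secure channel is Netlogon's own binding to a DC. Query it on the NT4 box
#    remotely; the output names the DC the server is currently bound to.
Write-Host "Secure channel on ${Nt4Server}:"
nltest /server:$Nt4Server /sc_query:$Domain
if ($LASTEXITCODE -ne 0) {
    Write-Warning "sc_query failed (exit $LASTEXITCODE); check RPC/NetBIOS reachability to $Nt4Server"
}

# 3. Which DC the locator currently returns as PDC for the domain, i.e. the box
#    holding the PDC emulator role (the 2008 DC in the scenario above).
nltest /dsgetdc:$Domain /pdc

# 4. Build the LMHOSTS line that pre-loads one DC into the DOMAIN<1C> group NT4's
#    Netlogon uses to find a DC. #PRE and #DOM: are case-sensitive and upper case.
$lmhostsLine = '{0,-16} {1,-16} #PRE #DOM:{2}' -f $DcIp, $DcName.ToUpper(), $Domain.ToUpper()
Write-Host "LMHOSTS entry: $lmhostsLine"

# 5. Append it to the NT4 server's LMHOSTS via the admin share (admin$ is
#    %SystemRoot% on NT4), unless an entry for this domain is already there.
$lmhostsPath = "\\$Nt4Server\admin$\system32\drivers\etc\lmhosts"
if (-not (Select-String -Path $lmhostsPath -Pattern "#DOM:$Domain" -Quiet -ErrorAction SilentlyContinue)) {
    Add-Content -Path $lmhostsPath -Value $lmhostsLine -Encoding Ascii
}

# 6. LMHOSTS is only honoured once the NetBT name cache is reloaded (nbtstat -R,
#    which must be run locally on the NT4 box), and Netlogon picks its DC again
#    when it restarts (which sc.exe can do remotely).
Read-Host "Run 'nbtstat -R' on $Nt4Server, then press Enter to restart Netlogon there"
sc.exe \\$Nt4Server stop  netlogon | Out-Null
Start-Sleep -Seconds 5
sc.exe \\$Nt4Server start netlogon | Out-Null

# 7. Re-check: the secure channel should now report the pinned DC. If it still
#    reports the 2008 DC, the LMHOSTS entry is not being used for DC selection.
nltest /server:$Nt4Server /sc_query:$Domain
```

Compare the DC named in step 2 with the one in step 1 before changing anything: if they already differ, %LOGONSERVER% is not the right signal for this problem. Step 7 is the check the original LMHOSTS attempt was missing; running it before and after the change shows whether the entry changed the secure channel at all, independently of whether the group SIDs then resolve.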