Mhairi
Guest
Re: NT4 servers on AD2003 with Server 2008 - global\local security group problem
On 13 Oct, 11:42, Mhairi <mhairipot...@blueyonder.co.uk> wrote:
> We have recently upgraded a few DCs to Windows 2008, whilst keeping
> some DCs at 2003. Mostly all member servers are 2003, however we
> have a few older NT4 machines with data on them. The NT4 servers were
> migrated years ago from the older domain structure into a single
> domain in active directory. All has been fine up until recently.
>
> The PDC emulator is on a Windows 2008 DC now.
> When logging onto the affected NT4 server/s the User Manager for
> Domains shows the main domain, but when you look at local groups,
> the domain groups which are inside are showing as
> 'DOMAIN NAME\account unknown'.
> WINS and DNS entries are the same on all servers which exhibit this
> issue, and I have 2 NT servers without this issue and their WINS and
> DNS entries are the same as the failing servers.
>
> All local users are appearing on the server ok.
> Any ref to a domain group there is the following - DOMAIN NAME\account
> unknown
> I can log onto the server as any domain user - this is OK.
> Authentication appears to be fine.
> Users who are accessing the files data have no security permissions
> applied - everything is open.
> The security permissions on the file structure are granted via local
> groups - however no security is being supplied as the server cannot
> see the global groups within these local groups.
>
> A few days ago I tried to see if I could find any similarities between
> servers which had this issue:
> I ran the SET command at cmd prompt, to find out which DC had
> authenticated me. All the servers with the issue were authenticating
> via the 2008DC.
> Servers without the problem authenticated me via a 2003 DC.
> However, this is only really showing which DC authenticated my log on
> to the NT4 server, and not the server's authentication to the domain.
>
> I since found an article advising an entry in the lmhosts file to
> force a particular DC for authentication of secure channel between
> server and AD. I specified a 2003DC, but this still failed and I am
> still left with the problem.
> I believe that NT4 servers will always look to the PDC for
> authentication, and if this is the case then I will probably have to
> move my role from the 2008DC to a 2003DC, this will explain why my fix
> failed anyway.
> Has anyone else encountered this issue?
> Sorry for such a long post.
P.S. I should say that none of the servers are showing anything in the
event logs.