If anyone here is interested, I have been able to nail the issue.
After deeper investigation, I found that moving the W2K3 servers into the clients' OU
(different GPOs that force the client to "Send NTLMv2 response only") resolved the
issue.
The problem was caused by domain member servers of forestA.com not being able to 
negotiate NTLM dialect with forestA.com DCs.
forestA.com DCs are configured to "Send NTLMv2 response only". Windows servers (if not 
explicitly configured) default to "Send LM&NTLM responses" (see
http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/576.asp
for details).
forestB.com DCs are using a less strict Domain Controllers GPO, hence servers in
forestA.com were able to negotiate NTLM dialect with forestB.com DCs, but not with
forestA.com DCs.
The interesting part is that apparently Task Scheduler is not capable of doing
Kerberos and tries only NTLM (and I was trying to chase Kerberos).
 
So for the sake of others: if you configure your DCs to "Send NTLMv2 only", the 
default settings of W2K3 member servers will prevent them from talking to DCs using 
NTLM. Forcing the clients to "Send NTLMv2" will make the problem disappear.
 
Guy
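The check and the fix described in the message above, written out as an added example that is not part of the original thread. It reads the registry value behind the GPO setting "Network security: LAN Manager authentication level" (LmCompatibilityLevel) on the member server it runs on and on the DCs you name, flags the mismatch the thread describes, applies the level-3 ("Send NTLMv2 response only") remedy as a local setting, and re-runs the schtasks reproduction. Assumptions: it runs on the affected member server, the Remote Registry service is reachable on the DCs and the caller can read HKLM there; dc1.forestA.com, dc2.forestA.com and member.forestA.com are placeholder names.

```powershell
# Added example, not from the original thread. Audits LmCompatibilityLevel (the registry
# value behind "Network security: LAN Manager authentication level") on this member server
# and on its DCs, applies the thread's remedy (level 3, "Send NTLMv2 response only") and
# re-runs the schtasks test that exposed the problem.
# Assumptions: run on the member server; Remote Registry reachable on the DCs; the caller
# can read HKLM there; dc1/dc2/member.forestA.com are placeholder names.

$LsaPath = 'SYSTEM\CurrentControlSet\Control\Lsa'

# Microsoft's names for the six LmCompatibilityLevel values.
$LevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([string]$ComputerName = $env:COMPUTERNAME)

    if ($ComputerName -eq $env:COMPUTERNAME) {
        $value = (Get-ItemProperty -Path "HKLM:\$LsaPath").LmCompatibilityLevel
    } else {
        # Remote Registry: works against old hosts that have no PowerShell remoting.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        try {
            $key   = $base.OpenSubKey($LsaPath)
            $value = if ($key) { $key.GetValue('LmCompatibilityLevel') } else { $null }
        } finally {
            $base.Close()
        }
    }

    # An absent value means the setting was never configured and the OS default applies.
    $meaning = if ($null -eq $value) { 'not set (OS default)' } else { $LevelNames[[int]$value] }
    [pscustomobject]@{ ComputerName = $ComputerName; Level = $value; Meaning = $meaning }
}

function Compare-NtlmLevels {
    param([Parameter(Mandatory)][string[]]$DomainController)

    $client = Get-LmCompatibilityLevel
    $client
    foreach ($dc in $DomainController) {
        $server = Get-LmCompatibilityLevel -ComputerName $dc
        $server
        # The mismatch the thread describes: DCs at "Send NTLMv2 response only" or stricter,
        # member server unset or below level 3.
        $dcWantsNtlmV2 = ($null -ne $server.Level) -and ([int]$server.Level -ge 3)
        $clientBelowV2 = ($null -eq $client.Level) -or ([int]$client.Level -lt 3)
        if ($dcWantsNtlmV2 -and $clientBelowV2) {
            Write-Warning "$($client.ComputerName): '$($client.Meaning)' vs $dc '$($server.Meaning)'; raise the member to level 3."
        }
    }
}

Compare-NtlmLevels -DomainController 'dc1.forestA.com', 'dc2.forestA.com'

# Remedy from the thread as the local-policy equivalent of the GPO value
# "Send NTLMv2 response only". In a domain the GPO overwrites this on the next policy
# refresh, so the durable fix is the GPO linked to the servers' OU, as Guy did.
Set-ItemProperty -Path "HKLM:\$LsaPath" -Name LmCompatibilityLevel -Value 3 -Type DWord

# Re-run the thread's reproduction. "/RP *" prompts for the password instead of putting it
# on the command line; the test task is removed again afterwards.
schtasks /Create /RU ForestA\administrator /RP * /SC Daily /TN ntlmtest /TR cmd.exe /ST 22:00 /S member.forestA.com
schtasks /Delete /TN ntlmtest /F /S member.forestA.com
```

Before the fix the /Create call produces the "has been created, but may not run because the account information could not be set" warning quoted further down the thread; after the member is at level 3 it creates cleanly. The audit half is also useful on its own when deciding how far DCs can be tightened: every member whose level is below the DCs' will show up in the warnings before anything breaks.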

________________________________

From: [EMAIL PROTECTED] on behalf of Guy Teverovsky
Sent: Thu 10/28/2004 5:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)



Hi Eric,

All W2K3. And yes, as I wanted to eliminate any other issues, I was
using forestA's domain accounts, which are members of local
Administrators group (and the member servers GPO regarding user rights
is at defaults). I even tried forestA's Administrator account.

2 W2K3 forests. Both at W2K3 FFL with all domains at W2K3 Native mode.
forestB.com has 3 child domains ([EMAIL PROTECTED] can schedule
the job on host.forestA.com)
forestA.com is a single domain (this is where the W2K3 hosts are)

forestA.com trusts forestB.com

The problem is observed only on W2K3 member servers.

The following works against W2K member server or XP (with the same
RSoP), but fails against W2K3 (Standard and Enterprise):
C:\>schtasks /Create /RU ForestA\administrator /RP "password" /SC
Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X

X.X.X.X is a host in ForestA.com.

Tell me if you need more info (DC's RSoP, member servers' RSoP?).

Thanks a lot !

Guy


On Wed, 2004-10-27 at 19:22 -0700, Eric Fleischman wrote:
> Silly question perhaps: does the acct in question have log on as a batch
> job (and any other rights required, perhaps log on locally?) that it
> needs for the job to run?
>
> I can set this up in my lab tomorrow to see if it works/fails and take a
> peek, just let me know what OSs are involved (all 2003, since it is a
> forest trust I think you said below?).
>
> ~Eric
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> Sent: Wednesday, October 27, 2004 6:50 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] A weird one (or Joeware vs. MS)
>
> Already tried most of what you mentioned. Same error when using forestA
> account on the console of host.forestA.com box.
>
> Scheduling remotely - same error. Nothing in event log and the sniffer
> does not even show Kerb traffic (I'll do more tests tomorrow, but
> meanwhile I was not successful at catching any authentication traffic
> between the host and DCs from either forest, but it could be the
> hour...).
> It looks like the API just fails and says: "Hey! I am not aware of the
> account domain you are trying to make me look at !"
> (tried ForestA\user, upn and kerb principal - same result)
> Tried both by IP and by hostname. The error I get:
>
> C:\>schtasks /Create /RU ForestA\administrator /RP "password" /SC
> Daily /TN test1 /TR c:\WINDOWS\system32\cmd.exe /ST 22:00:00 /S X.X.X.X
>
> WARNING: The task name "test1" already exists. Do you want to replace it
> (Y/N)?y
> WARNING: The scheduled task "test1" has been created, but may not run
> because the account information could not be set.
>
> Clocks are synced and alright across the forests. The event logs are
> perfectly clean. Actually this is the only issue I have with the server
> (and it's ALL W2K3 member servers in the forestA that show this
> behavior). The strange thing that I have found right now is that the
> forestA DCs are immune to this weirdness (forestA accounts can be used
> to schedule jobs on forestA DCs).
>
> Guy
> 
>
> On Wed, 2004-10-27 at 16:29 -0400, joe wrote:
> > I have to say that seems to be a weird one... But I am glad that cpau helps
> > it work for you. :o)
> >
> > Are you doing this remotely? What happens if you sit down on
> > host.forestA.com with a forestA userid and try to schedule the task? Also
> > can you try to schedule it remotely with just the IP address? If that works,
> > the issue is probably somewhere in kerberos and I would start looking for
> > ker errors and verify SPNs are properly registered and time between the
> > machines is correct, etc.
> >
> >   joe
> >
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky
> > Sent: Wednesday, October 27, 2004 3:11 PM
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] A weird one (or Joeware vs. MS)
> >
> > Here is a weird one:
> > 2 forests with one-way forest trusts:
> > forestA.com trusts forestB.com
> >
> > I try to schedule a task on host.forestA.com with account FORESTA\user
> > (tried everything up to member of Enterprise Admins, Domain Admins,
> > BUILTIN\Administrators) and I get "0x80070005 Access Denied" error - bad
> > credentials, when submitting the task (tried both GUI and schtasks.exe). The
> > same task can be scheduled using CHILD_OF_FORESTB\user account (notice that
> > the host is in forestA and forestB accounts are OK, but its own accounts
> > are denied).
> > Local machine's accounts are also fine - the problem is only with host's
> > forest accounts.
> >
> > This happens on all W2K3 servers and ONLY on W2K3 (XP, W2K are fine).
> >
> > Wrapping the same task with joe's CPAU resolves the issue and the task is
> > executed correctly.
> >
> > I tried to sniff the traffic, but it looks like the task scheduler does not
> > even try to authenticate the forestA accounts.
> >
> > In our test environment the scheduled tasks do work as expected, but there
> > we currently have 2-way forest trust and some other things not yet
> > implemented in production, so I can not rely on the test environment
> > regarding this issue.
> >
> > I am starting to run out of ideas here...
> >
> > Guy
> >
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/