All, Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes).
We have started getting reports of NT v4.0 Servers "falling off" the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as "Account Unknown". All NT v4.0 Servers are SP6a. I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so cant see what server the machine has tried to form a secure channel with. Now......If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but cant see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values. I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020 Could anyone possibly shed some light on this one ? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Operons), but at this stage, I cant remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc. Obviously getting rid of NT v4.0 is the preferred solution, however that wont be completed until about September. TIA Glenn List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
