Ok, thanks for the info. 

What happens if you try to connect to a non-admin share? Say like sysvol. I
am wondering about signing/encryption settings. I have had issues with that
in the past between 2K and K3. I believe that is where it will blow out but
it has been a while since I have looked at a trace showing that failure. Your
nameres seems to be working ok though so we know that it is communicating
with the proper place so DNS is probably out of the picture for you at
least. :)

You will probably find that K3 DCs have that enabled as mandatory by default
in their local settings (undefined in domain and domain controllers policy).
Run secpol.msc from the command line so you can look at what your real
settings are.

If the signing/encryption stuff is all in sync, I would try connecting via
IP to see if it is some sort of kerb related issue. But seriously, my gut
says it is SMB signing.

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
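The two checks joe suggests above, written up as an added example that is not part of this thread and not code from any Microsoft tool: a small Python script that (1) predicts, from each side's LanmanWorkstation/LanmanServer EnableSecuritySignature and RequireSecuritySignature values, whether an SMB1 session can be set up at all, using the rules Microsoft documents for those two values, and (2) reads an SMB summary trace of the kind Al posted and reports the first stage that returned an error, which is the "does it get through the handshake and then fail?" question in code form. The registry value names are the real ones, but the sample policies assigned to the w2k and w2k3 roles and the sample trace are constructed for the example; the real settings belong to secpol.msc on the actual machines.

```python
"""Two checks for the SMB symptom discussed in this thread (constructed example).

1. smb_signing_outcome(): predicts whether an SMB1 session between a client and
   a server can be set up at all given each side's signing settings, using the
   rules Microsoft documents for the LanmanWorkstation / LanmanServer
   EnableSecuritySignature and RequireSecuritySignature registry values.
2. first_failing_stage(): walks a Network Monitor / Wireshark style SMB summary
   and reports the first stage that returned an error, so you know which layer
   (negotiate, authentication, share access) to look at first.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class SigningPolicy:
    enable: bool   # EnableSecuritySignature  ("sign if the other side agrees")
    require: bool  # RequireSecuritySignature ("always sign")

    @property
    def enabled(self) -> bool:
        # "Require" implies the capability is on even if "Enable" is left at 0.
        return self.enable or self.require


# Assumed sample policies for the two roles in the thread (constructed values;
# the thread says 2003 DCs ship with server-side signing required).
W2K3_DC_SERVER = SigningPolicy(enable=True, require=True)
W2K_CLIENT = SigningPolicy(enable=True, require=False)
W2K_CLIENT_SIGNING_DISABLED = SigningPolicy(enable=False, require=False)


def smb_signing_outcome(client: SigningPolicy, server: SigningPolicy) -> str:
    """Return 'fail', 'signed' or 'unsigned' for a client/server pairing."""
    if client.require and not server.enabled:
        return "fail"      # client insists on signing, server cannot sign
    if server.require and not client.enabled:
        return "fail"      # server insists on signing, client cannot sign
    if client.enabled and server.enabled:
        return "signed"    # both can sign, so the session is signed
    return "unsigned"      # nobody requires it and one side cannot sign


# Order of the SMB1 dialogue; the first stage to error tells you where to look.
_STAGES = ["Negotiate Protocol", "Session Setup AndX", "Tree Connect AndX", "Logoff AndX"]
_HINTS = {
    "Negotiate Protocol": "dialect/signing negotiation or name resolution",
    "Session Setup AndX": "authentication (Kerberos/NTLM) or a signing mismatch",
    "Tree Connect AndX": "share permissions or a signing mismatch against a DC",
}
_LINE_RE = re.compile(r"^SMB\s+(?P<cmd>.+?) Response(?:, Error: (?P<err>\S+))?")


def first_failing_stage(trace: str):
    """Return (stage, status) for the first SMB response carrying an error, or None."""
    for line in trace.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m or not m.group("err"):
            continue
        stage = next((s for s in _STAGES if m.group("cmd").startswith(s)), m.group("cmd"))
        return stage, m.group("err")
    return None


def diagnose(trace: str) -> str:
    """Turn the first failing stage into a one-line hint for the admin."""
    hit = first_failing_stage(trace)
    if hit is None:
        return "no SMB error in trace"
    stage, status = hit
    return f"{stage} failed with {status}: check {_HINTS.get(stage, 'the server security log')}"


# Constructed summary with the same shape as the trace quoted in the thread.
SAMPLE_TRACE = """\
SMB      Negotiate Protocol Request
SMB      Negotiate Protocol Response
SMB      Session Setup AndX Request
SMB      Session Setup AndX Response
SMB      Tree Connect AndX Request, Path: \\\\FBDC1\\D$
SMB      Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
SMB      Logoff AndX Request
SMB      Logoff AndX Response, Error: STATUS_ACCESS_DENIED
"""

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
    print(smb_signing_outcome(W2K_CLIENT, W2K3_DC_SERVER))
    print(smb_signing_outcome(W2K_CLIENT_SIGNING_DISABLED, W2K3_DC_SERVER))
```

The trace classifier deliberately stops at the first error: the Logoff error that follows a failed Tree Connect is a consequence, not a second fault. If the signing matrix says "signed" for the real settings on both boxes, as it would for a w2k client with signing enabled against a w2k3 DC, then the STATUS_ACCESS_DENIED on Tree Connect is more likely a permissions or session problem than the signing mismatch joe's gut points to, which is exactly why he asks to read the real values out of secpol.msc rather than the domain GPO.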

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
Sent: Tuesday, June 20, 2006 12:01 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain

joe wrote:
> What do you see in the network trace? Is it attempting the connection? Is
> it establishing the TCP/IP connection and then blowing out in the NetBIOS
> handshake? Does it get through the handshake and then fail?
> 

I get a connection and then the access denied returned to the client.

SMB      Negotiate Protocol Request
SMB      Negotiate Protocol Response
SMB      Session Setup AndX Request
SMB      Session Setup AndX Response
SMB      Tree Connect AndX Request, Path: \\FBDC1\D$
SMB      Tree Connect AndX Response, Error: STATUS_ACCESS_DENIED
SMB      Logoff AndX Request
SMB      Logoff AndX Response, Error: STATUS_ACCESS_DENIED

I have a logon/logoff in the security log on the w2k3 DC.

        al

> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm 
>  
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
> Sent: Tuesday, June 20, 2006 10:53 AM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
> 
> Al Mulnick wrote:
>> Denying access?  Hmm.... so logged on to the w2K machine you can't 
>> access the admin$ share of either of the DC's right?
> 
> Correct.
> 
> I can access any member server admin$ share from the w2k machine. I can 
> access the w2k3 DC admin$ share from any other w2k3 machine in the domain.
> 
> I just can't access the w2k3 DC admin$ share from the w2k DC.
> 
>       al
> 
>>  
>> On 6/20/06, *Al Lilianstrom* <[EMAIL PROTECTED] 
>> <mailto:[EMAIL PROTECTED]>> wrote:
>>
>>     Robert Rutherford wrote:
>>      > Hi,
>>      >
>>      > It does sound like our old pal DNS.
>>      >
>>      > If you run a dcdiag and netdiag, do they both run clean? If not
>>      > then please post the results.
>>
>>     Both clean. Every test I can think of comes up clean. The only real
>>     symptom was in the original message - lack of admin access to the w2k3
>>     DCs from the w2k DC. Checking the event log on the w2k3 DC I see the
>>     computer and user log in and out successfully. Just something denying
>>     access.
>>
>>      > If all is clean and it's a test environment then pull it and
>>     clean it up
>>      > with ntdsutil et al.
>>
>>     Sounds like a fun way to spend the morning. :-)
>>
>>            al
>>
>>      > If it's a new situation then just replicate and see if you still
>>      > have the issue. I have always found a couple of hours helps many ills.
>>      >
>>      > BR
>>      >
>>      > Rob
>>      >
>>      > Robert Rutherford
>>      > QuoStar Solutions Limited
>>      >
>>      > The Enterprise Pavilion
>>      > Fern Barrow
>>      > Wallisdown
>>      > Poole
>>      > Dorset
>>      > BH12 5HH
>>      > T:    +44 (0) 8456 440 331
>>      > F:    +44 (0) 8456 440 332
>>      > M:    +44 (0) 7974 249 494
>>      > E:    [EMAIL PROTECTED]
>>      > W:    www.quostar.com
>>      > -----Original Message-----
>>      > From: [EMAIL PROTECTED]
>>      > [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom
>>      > Sent: 19 June 2006 20:52
>>      > To: ActiveDir@mail.activedir.org
>>      > Subject: [ActiveDir] Problem removing last w2k DC from a w2k3 domain
>>      >
>>      > I'm in the process of upgrading my test domain (empty root and 1
>>      > child) to w2k3 R2 based DCs and (thanks to help from the friendly
>>      > folks here) am just about done. I have one last w2k dc left to
>>      > remove. It doesn't want to go peacefully.
>>      >
>>      > I moved the FSMO roles off and the next day tried to dcpromo it
>>      > down to a simple server. I get
>>      >
>>      > Managing the network session with FBDC1.fnal.gov failed
>>      >
>>      > "Access is denied. "
>>      > dcpromoui t:0x848 00479          Exit  State::GetFailureMessage The
>>      > operation failed because:
>>      >
>>      > Managing the network session with FBDC1.fnal.gov failed
>>      >
>>      > A quick check shows that I can't get to the admin shares of my
>>      > new w2k3 dc/FSMO role holder from the w2k dc. I can get to the admin
>>      > shares of the other simple servers but not either of the 2 DCs. Other
>>      > systems can access the admin shares via the domain admin account I'm
>>      > using on the w2k DC.
>>      >
>>      > I've been searching and have found people having a similar
>>      > problem when promoting a w2k machine to be a DC but not when
>>      > demoting. I've tried a number of the things that were suggested in
>>      > those articles and they have had no effect.
>>      >
>>      > There is no firewall in the way. AD replication and FRS work.
>>      >
>>      > Any ideas before I rip it out?
>>      >
>>      >       al
>>      >
>>
>>     --
>>
>>     Al Lilianstrom
>>     CD/CSS/CSI
>>     [EMAIL PROTECTED]
>>     List info   : http://www.activedir.org/List.aspx
>>     List FAQ    : http://www.activedir.org/ListFAQ.aspx
>>     List archive: http://www.activedir.org/ml/threads.aspx
>>
>>
> 

-- 

Al Lilianstrom
CD/CSS/CSI
[EMAIL PROTECTED]
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
