RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
Neil, Yes, they are in the same domain unfortunately. G. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil Sent: Friday, 17 June 2005 9:29 PM To: 'ActiveDir@mail.activedir.org' Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue I found I needed to set "Network access: Allow anonymous SID/Name translation" to "Enabled". This is required to allow translation across trusts but then again, your NT servers are in the same domain as the DCs (I assume). neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: 17 June 2005 12:15 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue The first that I thought of was the RestrictAnonymous registry configuration on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: -> Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients) Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659) Especially take a look at the configuration with the "Network access" words. Maybe you recognize a configuration that is the source of your problem Cheers #JORGE# -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: vrijdag 17 juni 2005 12:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue All, Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes). We have started getting reports of NT v4.0 Servers "falling off" the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as "Account Unknown". All NT v4.0 Servers are SP6a. I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so cant see what server the machine has tried to form a secure channel with. Now..If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but cant see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values. I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020 Could anyone possibly shed some light on this one ? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Operons), but at this stage, I cant remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc. Obviously getting rid of NT v4.0 is the preferred solution, however that wont be completed until about September. TIA Glenn List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml == List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.actived
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
Hmmm Further to that, just gone and checked both the working and non-working DC's. All of the servers have the same (and expected values) for all of the options in both those articles. There were some minor policy differences around things that wouldn't have been involved (like remembering the last logged on user). Glenn -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: Saturday, 18 June 2005 12:28 AM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue Jorge, Thanks for that. This may well be my problem, since points: 2. Down-level members can't set up a netlogon secure channel. 4. Windows NT clients can't change their password after it expires. Seem to be exactly the problem I'm having. The error message when trying to log onto these servers with a domain account essentially says (I cant remember the exact wording) that the trust between the server and the domain has expired. I'm presuming that a workstation / server trust account would have the same password changing issue, even though the article doesn't explictly mention it. The Require Strong Key from the second article also might be the culprit, since the symptons are the same as well. I *thought* the DC security policy had this set correctly, but I might be wrong. Thats a nice article actually, you obviously have magic fingers with the MS Support site *grin* Time to wander back into work and have a look at this (going interstate in 4 hours and want to fix this before I fly outughI hate 5am flights). Thanks Again Glenn -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Friday, 17 June 2005 9:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue The first that I thought of was the RestrictAnonymous registry configuration on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: -> Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients) Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659) Especially take a look at the configuration with the "Network access" words. Maybe you recognize a configuration that is the source of your problem Cheers #JORGE# -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: vrijdag 17 juni 2005 12:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue All, Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes). We have started getting reports of NT v4.0 Servers "falling off" the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as "Account Unknown". All NT v4.0 Servers are SP6a. I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so cant see what server the machine has tried to form a secure channel with. Now..If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but cant see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values. I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020 Could anyone possibly shed some light on this one ? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Operons), but at this stage, I cant remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc. Obviously getting rid of NT v4.0 is the preferred solution, however that wont be completed until about September. TIA Glenn List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://ww
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
Jorge, Thanks for that. This may well be my problem, since points: 2. Down-level members can't set up a netlogon secure channel. 4. Windows NT clients can't change their password after it expires. Seem to be exactly the problem I'm having. The error message when trying to log onto these servers with a domain account essentially says (I cant remember the exact wording) that the trust between the server and the domain has expired. I'm presuming that a workstation / server trust account would have the same password changing issue, even though the article doesn't explictly mention it. The Require Strong Key from the second article also might be the culprit, since the symptons are the same as well. I *thought* the DC security policy had this set correctly, but I might be wrong. Thats a nice article actually, you obviously have magic fingers with the MS Support site *grin* Time to wander back into work and have a look at this (going interstate in 4 hours and want to fix this before I fly outughI hate 5am flights). Thanks Again Glenn -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: Friday, 17 June 2005 9:15 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue The first that I thought of was the RestrictAnonymous registry configuration on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: -> Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients) Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659) Especially take a look at the configuration with the "Network access" words. Maybe you recognize a configuration that is the source of your problem Cheers #JORGE# -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: vrijdag 17 juni 2005 12:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue All, Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes). We have started getting reports of NT v4.0 Servers "falling off" the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as "Account Unknown". All NT v4.0 Servers are SP6a. I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so cant see what server the machine has tried to form a secure channel with. Now..If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but cant see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values. I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020 Could anyone possibly shed some light on this one ? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Operons), but at this stage, I cant remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc. Obviously getting rid of NT v4.0 is the preferred solution, however that wont be completed until about September. TIA Glenn List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List arch
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
I found I needed to set "Network access: Allow anonymous SID/Name translation" to "Enabled". This is required to allow translation across trusts but then again, your NT servers are in the same domain as the DCs (I assume). neil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: 17 June 2005 12:15 To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue The first that I thought of was the RestrictAnonymous registry configuration on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: -> Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients) Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659) Especially take a look at the configuration with the "Network access" words. Maybe you recognize a configuration that is the source of your problem Cheers #JORGE# -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: vrijdag 17 juni 2005 12:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue All, Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes). We have started getting reports of NT v4.0 Servers "falling off" the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as "Account Unknown". All NT v4.0 Servers are SP6a. I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so cant see what server the machine has tried to form a secure channel with. Now..If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but cant see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values. I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020 Could anyone possibly shed some light on this one ? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Operons), but at this stage, I cant remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc. Obviously getting rid of NT v4.0 is the preferred solution, however that wont be completed until about September. TIA Glenn List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ == Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml == List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Nt v4.0 in 2k Domain Issue
The first that I thought of was the RestrictAnonymous registry configuration on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: -> Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients) Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659) Especially take a look at the configuration with the "Network access" words. Maybe you recognize a configuration that is the source of your problem Cheers #JORGE# -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: vrijdag 17 juni 2005 12:52 To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue All, Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes). We have started getting reports of NT v4.0 Servers "falling off" the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as "Account Unknown". All NT v4.0 Servers are SP6a. I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so cant see what server the machine has tried to form a secure channel with. Now..If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but cant see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values. I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020 Could anyone possibly shed some light on this one ? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Operons), but at this stage, I cant remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc. Obviously getting rid of NT v4.0 is the preferred solution, however that wont be completed until about September. TIA Glenn List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/