RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

2005-06-17 Thread Glenn Corbett
Neil,

Yes, they are in the same domain unfortunately.

G.
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ruston, Neil
Sent: Friday, 17 June 2005 9:29 PM
To: 'ActiveDir@mail.activedir.org'
Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

I found I needed to set "Network access: Allow anonymous SID/Name
translation"  to "Enabled". This is required to allow translation across
trusts but then again, your NT servers are in the same domain as the DCs (I
assume).

neil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida
Pinto
Sent: 17 June 2005 12:15
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue


The first thing that I thought of was the RestrictAnonymous registry configuration
on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: -> Never
set RestrictAnonymous to a 2 in a mixed-mode environment that includes
down-level clients)

Also have a look at "Client, service, and program incompatibilities that may
occur when you modify security settings and user rights assignments"
(http://support.microsoft.com/?id=823659) Especially take a look at the
configuration with the "Network access" words. Maybe you recognize a
configuration that is the source of your problem.

Cheers
#JORGE#

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: vrijdag 17 juni 2005 12:52
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue

All,

Recently we've added another 6 or so domain controllers to our Windows 2k
(Native Mode) domain.  All servers are using the same configuration (SP3,
bunch of hotfixes).

We have started getting reports of NT v4.0 Servers "falling off" the domain.
Users are unable to log onto the server with a domain account, but can with
a local account.  When I look at the usrmgr entries for the Administrators
group (for example), all of the domain accounts are listed as "Account
Unknown".  All NT v4.0 Servers are SP6a.

I've removed one of the NT machines from AD, deleted the computer account,
re-added it, and that seems to work.  When the machine reboots however, the
problems come back.  I've used the NLTEST utilities from the reskit, but
keep getting Access Denied errors when using the SC_QUERY and SC_RESET
commands, so can't see what server the machine has tried to form a secure
channel with.

Now... If I turn off all the new domain controllers, and force the server
to use one of the old ones, the problem goes away, so obviously there is
some difference between the DCs.

I've gone through TechNet for hours, Google, done file diffs on registry
dumps, and a bunch of other things, but can't see why a machine would be able
to form a secure channel with one domain controller, but not another.  I
initially suspected it to be the SMB signing issue I've had before, but all
domain controllers are set to the same values.

I'm starting to wonder if it may be this problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;275020

Could anyone possibly shed some light on this one?  We are trying to
replace the old Domain Controllers (Dual PII 700s) with new ones (Dual
Opterons), but at this stage, I can't remove any of the old DCs due to this
problem.

Our Windows 2000 / 2003 Servers don't appear to be having any issues with
the new servers, and things like Exchange are quite happily using them for
GCs etc.

Obviously getting rid of NT v4.0 is the preferred solution, however that
won't be completed until about September.

TIA

Glenn

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

2005-06-17 Thread Glenn Corbett
Hmmm

Further to that, I've just gone and checked both the working and non-working
DCs.  All of the servers have the same (and expected) values for all of the
options in both those articles.  There were some minor policy differences
around things that wouldn't have been involved (like remembering the last
logged on user).

Glenn
 


RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

2005-06-17 Thread Glenn Corbett
Jorge,

Thanks for that.  This may well be my problem, since points:

2. Down-level members can't set up a netlogon secure channel.
4. Windows NT clients can't change their password after it expires.

Seem to be exactly the problem I'm having.  The error message when trying to
log onto these servers with a domain account essentially says (I can't
remember the exact wording) that the trust between the server and the domain
has expired. I'm presuming that a workstation / server trust account would
have the same password changing issue, even though the article doesn't
explicitly mention it.

The Require Strong Key from the second article also might be the culprit,
since the symptoms are the same as well.  I *thought* the DC security policy
had this set correctly, but I might be wrong.

That's a nice article actually, you obviously have magic fingers with the MS
Support site *grin*

Time to wander back into work and have a look at this (going interstate in 4
hours and want to fix this before I fly out... ugh, I hate 5am flights).

Thanks Again

Glenn
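The check Glenn describes (diffing registry dumps from a working and a non-working DC) against the two settings the thread's references single out, as an added example that is not part of the thread: it parses regedit .reg exports (the two dumps below are constructed, not Glenn's data), reports values that differ between DCs, and flags RestrictAnonymous=2 and RequireStrongKey=1, the values the JSI tip and KB823659 tie to NT 4.0 members losing their secure channel. The registry paths are the standard Lsa and Netlogon\Parameters locations.

```python
import re

# Standard Lsa / Netlogon registry paths. The rules encode what the thread's two
# references say about each value's effect on NT 4.0 (down-level) members.
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
RULES = {
    (LSA, "RestrictAnonymous"): lambda v: (
        "RestrictAnonymous=2 is unsupported with down-level clients" if v == 2 else None),
    (NETLOGON, "RequireStrongKey"): lambda v: (
        "RequireStrongKey=1 stops NT 4.0 members setting up a secure channel" if v == 1 else None),
    (NETLOGON, "RequireSignOrSeal"): lambda v: None,  # compared across DCs only
}
_SECTION = re.compile(r"^\[(.+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Parse a regedit .reg export into {(key_path, value_name): int}.
    Only DWORD values are read; other value types are skipped."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            key = m.group(1)
            continue
        m = _DWORD.match(line)
        if m and key is not None:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def compare_dcs(dumps):
    """Return findings: RULES values that differ between the DC exports in
    `dumps` ({dc_name: reg_text}) and values flagged as down-level-incompatible."""
    parsed = {dc: parse_reg(text) for dc, text in dumps.items()}
    findings = []
    for (key, name), rule in RULES.items():
        seen = {dc: vals.get((key, name), "<absent>") for dc, vals in parsed.items()}
        if len({repr(v) for v in seen.values()}) > 1:
            detail = ", ".join(f"{dc}={v}" for dc, v in sorted(seen.items()))
            findings.append(f"MISMATCH {name}: {detail}")
        for dc, v in sorted(seen.items()):
            msg = rule(v)
            if msg:
                findings.append(f"INCOMPATIBLE {dc}: {msg}")
    return findings

# Constructed sample exports (not Glenn's data): an old DC the NT 4.0 servers
# still trust, and a newly added DC with both values set the other way.
OLD_DC = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"RequireStrongKey"=dword:00000000
"RequireSignOrSeal"=dword:00000001
"""
NEW_DC = (OLD_DC.replace('"RestrictAnonymous"=dword:00000001', '"RestrictAnonymous"=dword:00000002')
                .replace('"RequireStrongKey"=dword:00000000', '"RequireStrongKey"=dword:00000001'))

if __name__ == "__main__":
    for finding in compare_dcs({"OLDDC": OLD_DC, "NEWDC": NEW_DC}):
        print(finding)
```

Export each DC's Lsa and Netlogon\Parameters keys with regedit and pass the file contents in as `dumps`; an empty result, as Glenn reports for his DCs, means the cause lies outside these values.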



RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

2005-06-17 Thread Ruston, Neil
I found I needed to set "Network access: Allow anonymous SID/Name translation"  
to "Enabled". This is required to allow translation across trusts but then 
again, your NT servers are in the same domain as the DCs (I assume).

neil



RE: [ActiveDir] Nt v4.0 in 2k Domain Issue

2005-06-17 Thread Jorge de Almeida Pinto
The first thing that I thought of was the RestrictAnonymous registry configuration
on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: -> Never
set RestrictAnonymous to a 2 in a mixed-mode environment that includes
down-level clients)

Also have a look at "Client, service, and program incompatibilities that may
occur when you modify security settings and user rights assignments"
(http://support.microsoft.com/?id=823659) Especially take a look at the
configuration with the "Network access" words. Maybe you recognize a
configuration that is the source of your problem.

Cheers
#JORGE#
