Re: nt4 servers on AD2003 with server 2008 - global \local securitygroup problem

On 13 Oct, 11:42, Mhairi <mhairipot...@blueyonder.co.uk> wrote:

> We have recently upgraded a few DCs to Windows 2008, whilst keeping
> some DCs at 2003. Mostly all member servers are 2003, however we
> have a few older NT4 machines with data on them. The NT4 servers were
> migrated years ago from the older domain structure into a single
> domain in Active Directory. All has been fine up until recently.
>
> The PDC emulator is on a Windows 2008 DC now.
> When logging onto the affected NT4 server/s the User Manager for
> Domains shows the
> main domain, but when you look at local groups, the domain groups
> which are inside are showing as 'DOMAIN NAME\account unknown'.
> WINS and DNS entries are the same on all servers which exhibit this
> issue, and I have 2 NT servers without this issue and their WINS and
> DNS entries are the same as the failing servers.
>
> All local users are appearing on the server ok.
> Any ref to a domain group there is the following - DOMAIN NAME\account
> unknown
> I can log onto the server as any domain user - this is OK.
> Authentication appears to be fine.
> Users who are accessing the files data have no security permissions
> applied - everything is open.
> The security permissions on the file structure are granted via local
> groups - however no security is being supplied as the server cannot
> see the global groups within these local groups.
>
> A few days ago I tried to see if I could find any similarities between
> servers which had this issue:
> I ran the SET command at cmd prompt, to find out which DC had
> authenticated me. All the servers with the issue were authenticating
> via the 2008DC.
> Servers without the problem authenticated me via a 2003 DC.
> However, this is only really showing which DC authenticated my log on
> to the NT4 server, and not the server's authentication to the domain.
>
> I since found an article advising an entry in the lmhosts file to
> force a particular DC for authentication of secure channel between
> server and AD. I specified a 2003DC, but this still failed and I am
> still left with the problem.
> I believe that NT4 servers will always look to the PDC for
> authentication, and if this is the case then I will probably have to
> move my role from the 2008DC to a 2003DC, this will explain why my fix
> failed anyway.
> Has anyone else encountered this issue?
> Sorry for such a long post.

 

P.S. I should say that none of the servers are showing anything in the event logs.
