We have the oddest issue that I will try to explain as fully as possible.

We have been using domainA (resource domain) quite happily for a number of years. We have a requirement to migrate out our users to domainB (user domain). We are admins over both.

We have set up the two-way external trust between domainA and domainB. domainA is a child of rootdomain forest. domainB is the only domain in its forest.

We have migrated all Groups from domainA to domainB (domain local, global, universal). We maintained SID history.

We have migrated a couple of domainA users to domainB. Both accounts are active in their respective domains. We maintained SID history.

We have new users in domainB, not migrated.

The problem:

When we add the migrated permission Groups to a user in domainB for a resource in domainA, we cannot always access the resource. If we access by name (NetBIOS or FQDN) it does not work. When we access by IP, it works.

If we restart the computer, it doesn't work. If we then log off, log on, access BY NAME works no problem. If we then reboot and try again, access fails. Access continues to fail for ANY/ALL users until a log off, log on occurs.

We have thoroughly checked DNS and can nslookup both forward and reverse no problem. We have even enabled WINS and configured that.

We have almost fully eliminated Group Policy, just the default domain policy to eliminate now, which doesn't (on the face of it) look like the issue.

This is also non-OS specific. It happens on Windows 7, Server 2003, Server 2008, Server 2012.

Also, it's not just AD groups. Users' home drives have their domainA\userID permissions set and have been migrated with SID history - this also fails to connect after a restart, but works perfectly well after a log off, log on. It is almost as if the Kerberos ticket is not being built correctly.

If anyone has any suggestions, we would hugely appreciate the ideas!

Thanks,

chris

 
