Guest Mhairi, Posted October 13, 2008

We have recently upgraded a few DCs to Windows 2008, whilst keeping some DCs at 2003. Almost all member servers are 2003; however, we have a few older NT4 machines with data on them. The NT4 servers were migrated years ago from the older domain structure into a single domain in Active Directory. All has been fine up until recently. The PDC emulator is on a Windows 2008 DC now.

When logging onto the affected NT4 server(s), User Manager for Domains shows the main domain, but when you look at local groups, the domain groups which are inside are showing as 'DOMAIN NAME\account unknown'. WINS and DNS entries are the same on all servers which exhibit this issue, and I have 2 NT servers without this issue whose WINS and DNS entries are the same as the failing servers'. All local users are appearing on the server OK. Any reference to a domain group shows the following: DOMAIN NAME\account unknown.

I can log onto the server as any domain user, so that is OK. Authentication appears to be fine. Users who are accessing the file data have no security permissions applied; everything is open. The security permissions on the file structure are granted via local groups; however, no security is being supplied as the server cannot see the global groups within these local groups.

A few days ago I tried to see if I could find any similarities between servers which had this issue. I ran the SET command at the cmd prompt to find out which DC had authenticated me. All the servers with the issue were authenticating via the 2008 DC. Servers without the problem authenticated me via a 2003 DC. However, this is only really showing which DC authenticated my logon to the NT4 server, and not the server's authentication to the domain. I have since found an article advising an entry in the lmhosts file to force a particular DC for authentication of the secure channel between server and AD.

I specified a 2003 DC, but this still failed and I am still left with the problem. I believe that NT4 servers will always look to the PDC for authentication, and if this is the case then I will probably have to move my role from the 2008 DC to a 2003 DC; this would explain why my fix failed anyway. Has anyone else encountered this issue? Sorry for such a long post.
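The checks the post describes (which DC served the logon, which DC holds the server's secure channel, and the LMHOSTS pin), collected into one batch file as an added example; this is not the poster's own script. It assumes placeholder names DOMAINNAME, DC2003 and 192.168.1.10, and that NLTEST.EXE from the NT4 Resource Kit is on the PATH of the NT4 server.

```batch
@echo off
rem Added diagnostic for an NT4 member server whose local groups show
rem "DOMAIN NAME\account unknown" for domain groups.
rem Placeholders: domain DOMAINNAME, 2003 DC named DC2003 at 192.168.1.10.
rem Assumes NLTEST.EXE (NT4 Resource Kit) is available on the PATH.

rem 1. Which DC handled THIS USER'S logon: this is all that SET shows.
echo Logon server for this session: %LOGONSERVER%

rem 2. Which DC holds the SERVER'S secure channel. This is the DC that
rem    resolves the domain SIDs sitting inside the local groups, so it is
rem    the one that matters for the "account unknown" symptom.
nltest /sc_query:DOMAINNAME

rem 3. The LMHOSTS line that pins the domain to one DC. #PRE preloads the
rem    entry into the NetBIOS name cache; #DOM marks the host as a DC for
rem    that domain. The file is %SystemRoot%\System32\Drivers\Etc\LMHOSTS
rem    with no extension; append the line shown, then reload the cache.
echo 192.168.1.10   DC2003   #PRE   #DOM:DOMAINNAME
nbtstat -R

rem 4. Reset the secure channel onto the chosen DC, then re-check where
rem    it actually landed (if it still reports the 2008 DC, the pin did
rem    not take and the PDC-emulator role is the next thing to look at).
nltest /sc_reset:DOMAINNAME\DC2003
nltest /sc_query:DOMAINNAME

rem 5. Confirm the server can resolve a domain group by name at all.
net group "Domain Users" /domain
```

Compare the `sc_query` output before and after the reset against the `%LOGONSERVER%` value; the two can differ, which is exactly the gap the post points out between the user's logon and the server's own domain authentication.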