Guest Mhairi
Posted October 13, 2008

Re: nt4 servers on AD2003 with server 2008 - global \local securitygroup problem

On 13 Oct, 11:42, Mhairi <mhairipot...@blueyonder.co.uk> wrote:
> We have recently upgraded a few dc's to windows 2008, whilst keeping
> some DCs at 2003. Mostly all member servers are 2003, however we
> have a few older nt4 machines with data on them. The nt4 servers were
> migrated years ago from the older domain structure into a single
> domain in active directory. All has been fine up until recently.
>
> The PDC emulator is on a windows 2008 DC now.
> When logging onto the affected nt4 server/s the user manager for
> domains shows the
> main domain, but when you look at local groups, the domain groups
> which are inside are showing as 'DOMAIN NAME\account unknown'.
> WINS and DNS entries are the same on all servers which exhibit this
> issue, and I have 2 NT servers without this issue and their WINS and
> DNS entries are the same as the failing servers.
>
> All local users are appearing on the server ok.
> Any ref to a domain group there is the following - DOMAIN NAME\account
> unknown
> I can log onto the server as any domain user - this is OK.
> Authentication appears to be fine.
> Users who are accessing the files data have no security permissions
> applied - everything is open.
> The security permissions on the file structure are granted via local
> groups - however no security is being supplied as the server cannot
> see the global groups within these local groups.
>
> A few days ago I tried to see if I could find any similarities between
> servers which had this issue:
> I ran the SET command at cmd prompt, to find out which DC had
> authenticated me. All the servers with the issue were authenticating
> via the 2008DC.
> Servers without the problem authenticated me via a 2003 DC.
> However, this is only really showing which DC authenticated my log on
> to the nt4 server, and not the server's authentication to the domain.
>
> I since found an article advising an entry in the lmhosts file to
> force a particular DC for authentication of secure channel between
> server and AD. I specified a 2003DC, but this still failed and I am
> still left with the problem.
> I believe that nt4 servers will always look to the PDC for
> authentication, and if this is the case then I will probably have to
> move my role from the 2008DC to a 2003DC, this will explain why my fix
> failed anyway.
> Has anyone else encountered this issue?
> Sorry for such a long post.

p.s I should say that none of the servers are showing anything in the event logs