Note the bottom paragraph of the Q article:

"In a Mixed-mode domain, universal groups cannot be created. If a Windows 2000-based computer is located in a down-level or Mixed-mode domain, different behavior occurs. Other domains may be in Native mode and universal groups may have been created that contain the user as a member. The domain controller authenticating the logon request will add the SIDs of the global groups of which the user is a member to the user's token and the local computer adds SIDs for groups of which the user is a member on the local computer as appropriate. When an attempt to use resources in another domain occurs, the computer hosting the resource contacts a domain controller for that domain, which adds the SIDs of the groups local to that domain (which may include universal groups) of which the user is a member to the user's token."

EN states he's in mixed-mode. GC's are of minimal use in a mixed-mode environment - and clearly play no part in Group SIDs as the LSA handles that for Global and LD groups. The GC only cares when we're dealing with Universals. Tested this two years ago to prove it out to a customer.

They are mandatory for Exchange 2000. Not, however, for mixed mode logon. GC's are nice to have, especially if you want to use UPNs for logon. In fact, if EN is using UPN's, the user will be denied.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000

"Any sufficiently advanced technology is indistinguishable from magic."
--- Arthur C. Clarke

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Al Lilianstrom
> Sent: Friday, May 31, 2002 8:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ActiveDir] 2 AD DCs but only one accepting authentication
>
> You can't logon without a GC. So when DC1 goes away so will
> your ability to logon. See
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q216970
> for more.
>
> al
>
> EN wrote:
> > I have 2 AD DCs, and when the first created DC of the domain fails,
> > the 2nd DC doesn't accept logons. I'm running mixed mode; the GC only
> > being on the first DC shouldn't matter, right? Has anyone else
> > encountered this type of problem? When I promoted the 2nd server to a
> > DC, everything went smoothly, sysvol and netlogon shares were created
> > properly.
> >
> > Each DC has a DNS server as well, with the 1st DC having an AD
> > Integrated DNS, while the 2nd has a Primary DNS, and yet another stand
> > alone has a secondary dns. All the dns records "seem" right, in that
> > the svr records are showing up in each DNS server.
> >
> > Any ideas on what to look for to maybe solve this problem?
> >
> > thanks
> >
> > Ernesto
>
> --
> Al Lilianstrom
> CD/OSS/CSI
> [EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
