Do you have a disjoint name space or have you really tighted down your security on those OUs?
Joe,
The security has not been tighted down too much. We have a limited number of people who can add machines to the OU.
As for your other question - I'm assuming you mean DNS names. The machines that have had the problem have different roots.
The DCs are dcX.b.c.fnal.gov where the regular servers and workstations are srvr1.fnal.gov and wks1.fnal.gov. We have a empty root - c.fnal.gov and users and computers reside in OUs that are in b.c.fnal.gov
the puzzling part to me is that the problem is random.
thanks for any light you can shine on this.
al
joe
-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Lilianstrom Sent: Sunday, January 11, 2004 9:29 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] computer accounts created without serviceprincipalname
Hi,
We have a w2k sp3 based domain and while troubleshooting a IIS problem we noticed that the machine that was causing problems was only doing NTLM authentication while the other servers the IIS server was serving were using Kerberos authentication. We checked that our policies were being applied properly - all ok. I talked with our local windows security expert and he suggested checking for the existance of the serviceprincipalname as if it wasn't there then the server would have no way of doing Kerberos as it could not accept tickets. Checked the servers entry in AD and SPN was missing. After it was put in manually everything started working properly.
I check one OU and came up with a significant number of machines without the SPN. Some were upgrades from NT, some were new installs. I've been looking on Microsoft for an article on what might be wrong and have come up empty.
Any ideas?
al
--
Al Lilianstrom CD/CSS/CSI [EMAIL PROTECTED]
List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
