I found I needed to set "Network access: Allow anonymous SID/Name translation" to "Enabled". This is required to allow translation across trusts but then again, your NT servers are in the same domain as the DCs (I assume).
neil -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jorge de Almeida Pinto Sent: 17 June 2005 12:15 To: [email protected] Subject: RE: [ActiveDir] Nt v4.0 in 2k Domain Issue The first that I thought of was the RestrictAnonymous registry configuration on W2K DCs. (http://www.jsifaq.com/SUBF/TIP2600/rh2625.htm) (QUOTE: -> Never set RestrictAnonymous to a 2 in a mixed-mode environment that includes down-level clients) Also have a look at "Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments" (http://support.microsoft.com/?id=823659) Especially take a look at the configuration with the "Network access" words. Maybe you recognize a configuration that is the source of your problem Cheers #JORGE# -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett Sent: vrijdag 17 juni 2005 12:52 To: [email protected] Subject: [ActiveDir] Nt v4.0 in 2k Domain Issue All, Recently we've added another 6 or so domain controllers to our Windows 2k (Native Mode) domain. All servers are using the same configuration (SP3, bunch of hotfixes). We have started getting reports of NT v4.0 Servers "falling off" the domain. Users are unable to log onto the server with a domain account, but can with a local account. When I look at the usrmgr entries for the Administrators group (for example), all of the domain accounts are listed as "Account Unknown". All NT v4.0 Servers are SP6a. I've removed one of the NT machines from AD, deleted the computer account, re-added it, and that seems to work. When the machine reboots however, the problems come back. I've used the NLTEST utilities from the reskit, but keep getting Access Denied errors when using the SC_QUERY and SC_RESET commands, so cant see what server the machine has tried to form a secure channel with. Now......If I turn off all the new domain controllers, and force the server to use one of the old ones, the problem goes away, so obviously there is some difference between the DC's. I've gone through technet for hours, google, done file diffs on registry dumps, and a bunch of other things, but cant see why a machine would be able to form a secure channel with one domain controller, but not another. I initially suspected it to be the SMB signing issue I've had before, but all domain controllers are set to the same values. I'm starting to wonder if it may be this problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;275020 Could anyone possibly shed some light on this one ? We are trying to replace the old Domain Controllers (Dual PII 700's) with new ones (Dual Operons), but at this stage, I cant remove any of the old DC's due to this problem. Our Windows 2000 / 2003 Servers don't appear to be having any issues with the new servers, and things like Exchange are quite happily using them for GC's etc. Obviously getting rid of NT v4.0 is the preferred solution, however that wont be completed until about September. TIA Glenn List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ============================================================================== Please access the attached hyperlink for an important electronic communications disclaimer: http://www.csfb.com/legal_terms/disclaimer_external_email.shtml ============================================================================== List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
