NT4 Server suddenly cannot authenticate on our W2K3 domain


Post by cGJyaWxsM » Sun, 05 Dec 2004 04:05:06


Problem:
Our NT4 member server can no longer authenticate on our domain.

Situation:
A few months ago, we performed an in-place upgrade of our NT4 domain when
migrating to W2K3, and used the interim mode - while we eventually
decommission our NT4 BDCs and member servers.

When doing so, we were prompted to create a new domain name - creating
(example) ** ourccompany.local ** to replace NT4's netbios OURCOMPANY_NT
domain name. In interim mode, it appears that we do not have problems with
using either name to log into our network (in fact, we only see the
OURCOMPANY_NT option listed at our client logins).

2 weeks ago, one of our NT4 BDCs that also hosted a WINS server crashed and
was removed from our network. Fortunately, we already had created another
WINS server on a W2K3 DC (and then started another WINS server on another
W2K3 DC). We also changed the DHCP scopes and static IP clients to reflect
the change.

Recently, though, we have had problems with an NT4 member server receiving
the "cannot authenticate" - that a trust relationship is not established
(one that was there a week ago)

We can successfully ping to this static server IP address, and its static
DNS/WINS settings are configured correctly (and the settings worked a week
ago!).

Although I can't claim to be a WINS expert, I did notice that we still have
WINS active registrations listing our old (removed) WINS server as OWNER (one
includes the problematic NT4 server's Network Monitor agent).

Questions are:
1) Current Problem: Would the fact that the WINS owner of this (and other
active WINS registrations) references a server not on our network? If so,
how do these records get refreshed to our current WINS servers (*I thought it
would happen automatically). Is there a way to force them (it doesn't appear
that the administrator can change the owner IP address directly)

2) Could we be having difficulty (either now, or when we remove our last NT4
BDC and switch to native mode (on this note, we do not have any W2K DCs).

Your assistance in addressing these questions, and helping me learn how to
bring our NT4 member server back onto the network, would be greatly
appreciated.
--
pbrill1
 
 
 


Post by v-reb » Tue, 07 Dec 2004 19:04:05

Hello,

I have a couple of questions regarding this issue:

1. How many domains? Domain name?
2. What is the detailed error message? IP settings? Please take a screen
shot of the error message and
3. How about other clients?
4. What is the result if you disjoin and rejoin domain?

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================

When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.

=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Post by cGJyaWxsM » Fri, 10 Dec 2004 03:37:02

Hi Rebecca,

Responses to the questions are below:
Any assistance would be greatly appreciated.


1 domain.

The NT4 domain (example) was COMPANY_NT, the W2K3 domain name chosen is "
company.net "


I couldn't get a screenprint from my associate at the remote location, but
the language read:

"The system cannot log you on to this domain because the system's computer
account in its primary domain is missing, or the password on that account is
incorrect"
(we saw this message after we had removed the computer from AD, and were
attempting to rejoin it to the domain - using the administrator
account...where the login password had been verified to be correct)


This (so far) is the only client on our network that has experienced this
problem

Unsuccessful. The error message that responds to Q2 appears, and the NT4
member server that we're speaking of...refuses to join the domain



 
 
 


Post by v-reb » Fri, 10 Dec 2004 17:42:42

Hello,


Step 1. Check Network Connection between the two DCs:

Please check if you can ping through from NT to win2k3 server.

Step 2. Check Name Resolution:

Windows NT4 still needs NetBIOS name resolution to locate the domain. An
easy way to resolve the name resolution issue, please refer to the
following KB to create a LMHOSTS file for name resolution and check whether
the problem can be resolved:

180094 How to Write an LMHOSTS File for Domain Validation and Other Name
http://www.yqcomputer.com/

Note: Please note that there must be a total of 20 characters within the
quotations. If you are not sure on this, please send me your LMHOSTS file
and I will double-check it for you.



Step 3. Check SMB Signing in Domain Controller Security Policy:

3.1 On the Windows Server 2003 DC, click Start->Administrative Tools->Domain
Controller Security Policy.

3.2 Browse to:

Security Settings\Local Policies\Security Options

3.3 Disable the following settings:

Microsoft network server: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (always)

3.4 Restart the Windows Server 2003 PDC.

Step 4: Install DSclient on NT server

Download DSclient and install it on NT server:

How to install the Active Directory client extension
http://www.yqcomputer.com/ ;en-us;288358

Step 5: Use domain admin account to join the NT to win2k3 domain.

HTH!



Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA


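The 20-character rule from Step 2 above, as an added example that is not part of the original post: a small Python helper that builds the two LMHOSTS lines for domain validation and flags quoted entries of the wrong length. It assumes the usual layout (domain name padded with spaces to 15 characters, then the five typed characters `\0x1b`); the IP address and the DC name `DC01` are constructed sample values.

```python
import re

NAME_LEN = 15        # NetBIOS name portion; the 16th byte is the type suffix
SUFFIX = r"\0x1b"    # typed as five characters; 0x1B marks the domain's PDC record
QUOTED_LEN = NAME_LEN + len(SUFFIX)   # the "20 characters" from Step 2

ENTRY = re.compile(r'^\s*(\S+)\s+"([^"]*)"')
HEX_SUFFIX = re.compile(r"\\0x[0-9A-Fa-f]{2}$")


def domain_entries(pdc_ip, pdc_name, domain):
    """Build the two LMHOSTS lines used for domain validation."""
    if not 0 < len(domain) <= NAME_LEN:
        raise ValueError("NetBIOS domain name must be 1-15 characters")
    padded = domain.ljust(NAME_LEN)          # pad with spaces to 15
    return [
        f"{pdc_ip}\t{pdc_name}\t#PRE #DOM:{domain}",
        f'{pdc_ip}\t"{padded}{SUFFIX}"\t#PRE',
    ]


def check_lmhosts(text):
    """Return (line_number, problem) for each malformed quoted entry."""
    problems = []
    for number, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                          # comment line
        match = ENTRY.match(line)
        if not match:
            continue                          # ordinary host entry, nothing quoted
        quoted = match.group(2)
        if not HEX_SUFFIX.search(quoted):
            problems.append((number, "missing \\0xNN suffix"))
        elif len(quoted) != QUOTED_LEN:
            problems.append(
                (number, f"{len(quoted)} characters in quotes, expected {QUOTED_LEN}"))
    return problems


if __name__ == "__main__":
    # Constructed sample: documentation IP range and a made-up DC name.
    good = domain_entries("192.0.2.10", "DC01", "OURCOMPANY_NT")
    bad = '192.0.2.10\t"OURCOMPANY_NT \\0x1b"\t#PRE'   # one space short
    print("\n".join(good))
    print(check_lmhosts("\n".join(good + [bad])))
```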
 
 
 


Post by v-reb » Fri, 10 Dec 2004 17:44:57

If the issue persists, please take the screen shot of the error message,
also save the Event logs on both DC, zip them and send zip file to
XXXX@XXXXX.COM for research.

Any update, let us get in touch!

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA



Post by cGJyaWxsM » Sun, 12 Dec 2004 06:47:04

One of the steps seemed to work (maybe disabling digitally signed
communications?) Thanks!
 
 
 


Post by v-reb » Tue, 14 Dec 2004 10:53:34

You are welcome!

I believe SMB signing is the most possibility. :)

Best regards,

Rebecca Chen

MCSE2000 MCDBA CCNA

