During step 2 I'm logged in as admin not as the new user. I should have mentioned that.
w2k format does the same thing.
Snewo
Main Topics
Browse All Topics
Loading Advertisement...
Question
AD User Permissions Problem - Very Strange
When I follow the following steps, I run into a permissions problem. Any ideas?
For this example: Domain = mydomain
Step 1: Log into a DC (we'll call server1) and create a new AD user: User logon name: newuser PW: password Member of Domain Users.
Step 2: Log into a different server in the domain (we'll call that server2)
Step 3: While on server2, I try to map a network drive to a share on server1.
- The share called sharename$ has permissions of Everyone with full control.
- Security tab has users given read&exe; List Contents; Read;
- I use this for folder when mapping: \\server1\sharename$
- I choose connect using a different username and use the following: Username: mydomain\newuser Password: password
When I select ok to make this network drive, I get another login window again. It tells me my password is bad. If I wait for a while, everything seems to work eventually. I suspected a password synchronization issue, but I reset the password on all domain controllers to the same value and tried again - still got the same error. If I waited a little while again - poof it works. Any ideas?
Help!
Snewo
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Subscribe now for full access to Experts Exchange and get
Instant Access to this Solution
- Plus...
- 30 Day FREE access, no risk, no obligation
- Collaborate with the world's top tech experts
- Unlimited access to our exclusive solution database
- Never be left without tech help again
Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.
- "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
- "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
- "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.
See what Experts Exchange can do for you.
Got a question?
We've got the answer.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
Need individual assistance?
Our experts are ready to help.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Want to learn from the best?
Read articles from industry experts.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Working on a long term project?
Store your work and research.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
What Makes Experts Exchange Unique?
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Trusted by the world's most respected brands.
Faithfully serving IT professionals since 1996.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Free Tech Articles
-
WARNING: 5 Reasons why you should NEVER fix a computer for free.
It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
-
SCCM OSD Basic troubleshooting
SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
-
Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
-
Create a Win7 Gadget
This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
-
Outlook continually prompting for username and password
There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
-
Backup Exchange 2010 Information Store using Windows Backup
There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...
Cloud Class Webinars
- Avoiding Bugs in Microsoft Access
Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
- Top 10 Best New Features in Visio 2010
Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
- IT Consultant Business Secrets Revealed
Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
- Disaster Recovery and Business Continuity
Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
- Organize Your Visio Diagrams with Containers and Lists
Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
- How to Us Objects, Properties, Events and Methods in Microsoft Access
Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...
Join the Community
Give a Little. Get a Lot.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Answers
Obviously the w2k format does the same, but I experienced that sometime (without reasons) the w2k3 format is the only accepted. I have (in a customer site) on this behaviour a Microsoft SRQ open (since 3 months) and still investigating, meanwhile they can not use the w2k format... don't ask why... :) So, before getting crazy, just try the w2k3 format and see what happen, may be you are in the same situation.
Let me know.
Cheers
Pino
It's all about replication. Server2 does not have the account information yet (if it's a DC).
Convergence is the state of equilization - meaning, until full sync (convergence) the account information is not available. Depending on your topology and/or traffic, replication may be slow.
From Server2 you should run NETDIAG and see if there are issues that are not apparent on the surface.
You misunderstood me Pino. I meant that I tried, but the w2k format does the same thing.
Netman, I ran netdiag. There are two items that came up with issues. The 2nd one smells like the cause of the issue I'm having.
1 - DNS test. Both of my DNS servers gave me warnings stating that the DC is not registered correctly. Since I'm not using Windows DNS servers, I'm guessing this is to be expected. Is that a problem? We do not want to change out DNS infrastructure.
2 - Domain membership test Failed. "hs system volume has not completely replicated to the local machines. This machine is not working properly as a DC."
Since I'd like to fix this issue, I did a little research. Is this: http://support.microsoft.c
Snewo
Each DC does NOT need to run DNS. As long as one DNS server is reachable you're fine. Pino - if you are not 100% sure of what you advise people then don't advise people. We're dealing with Production networks here, bad advice is the last thing people need.
Now....
Please type NET SHARE on this server at the CMD prompt. Let me know if SYSVOL shows up in the results.
Netman66:
I'm absolutely sure about my consultancy buddy: the common scenario is 2 DC, so if YOU suggest only one DNS AD Integrated, if that goes down, the other DC (without its own DNS as you suggest) is not able to supply the correct service nor AD capable to work correctly.
If YOU want expose people to this kind of risk, you're free, but please, at least, avoid to tell others to think like you. I do this job since 26 years: I'm strictly sure about what I write.
The real world is not a blog or a website where show how many books you have read or how you are good to search the Internet... the real world is made by experienced people dealing with real scenarios. Just keep a VERY low profile when you do not know whom is writing kiddo.
Pino
FYI: http://support.microsoft.c
Extract:
Question: What are the common mistakes that are made when administrators set up DNS on network that contains a single Windows 2000 or Windows Server 2003 domain controller?
Answer: The most common mistakes are:
• The domain controller is not pointing to itself for DNS resolution on all network interfaces.
• The "." zone exists under forward lookup zones in DNS.
• Other computers on the local area network (LAN) do not point to the Windows 2000 or Windows Server 2003 DNS server for DNS.
Question: Why do I have to point my domain controller to itself for DNS?
Answer: The Netlogon service on the domain controller registers a number of records in DNS that enable other domain controllers and computers to find Active Directory-related information. If the domain controller is pointing to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are generated in Event Viewer. In Windows Server 2003, the recommended DNS configuration is to configure the DNS client settings on all DNS servers to use themselves as their own primary DNS server, and to use a different domain controller in the same domain as their alternative DNS server, preferably another domain controller in the same site. This process also works around the DNS "Island" problem in Windows 2000. You must always configure the DNS client settings on each domain controller's network interface to use the alternative DNS server addresses in addition to the primary DNS server address.
Right...
You're wrong and I stick to that. You stated you HAD to have DNS on a DC. Wrong. In this case the user has a non-MS DNS solution in place already. As long as it supports DDNS and SRV records then it's fine. As far as redundancy goes you can run any number of DNS servers and they don't HAVE to be on the DC as you so adamently stated. I've been in this industry as long as you have so you can quit throwing stones anytime now.
Now back to the question.
Stop FRS server on both DCs. Set startup type to manual (it's temporary).
On the primary DC (the one that has the good SYSVOL) open up Regedit and go here:
HKEY_LOCAL_MACHINE\SYSTEM\
In the Burflags key, set the value to D4. Close Regedit.
On the bad DC, go to the same key as above only make the value D2.
Restart FRS on the good DC (the one you changed to D4) and set the startup type to Automatic.
Wait a few minutes.
Restart FRS on the bad DC (the one you changed to D2) and set the startup type to Automatic.
Wait.
SYSVOL should rebuild itself on the bad server from the good server. When it is successful, SYSVOL with share out automatically.
You should be good to go.
One note. Whatever DNS you are using, be sure the SRV records, A and PTR records exist for both servers properly.
Ok, I'm in the process of doing what you suggested. Our Linux guy says we do not have PTR records or SRV records. We only have A records. He says all DNS entries were set-up per the documentation and recommendation of the MCSE we had in to do our AD installation. I guess something was missed? What resources should be in the SRV and PTR records?
It feels like we're almost there.
Snewo
Your DNS must support SRV records at the bare minimum for AD to work. DDNS is not required, however you'll have a huge headache trying to add all the proper records by hand if your DNS doesn't support this.
Make sure there is nothing blocking proper communication between servers.
In MS DNS, all the SRV records are located under _msdcs.domain.com (or inside domain.com in a folder named _msdcs for Windows 2000). I'm not sure what how non-MS DNS represents SRV records, but they must be compliant in order for any domain query for SRV records to succeed. It could be (and this is a guess) that the SRV records are not complete or setup properly. Please note that I am only making a guess here.
As long as your Linux guys know how to setup DNS for AD, then you should be okay.
You can test SRV records by pinging the GUID of the domain (ping GUID) or the GUID of the server (ping GUID.domain.com) and you should get a reply.
This might help: http://go.microsoft.com/fw
And this page pretty much spells it out and contains most of the things you may need to know - same applies to 2003 AD.
http://www.microsoft.com/t
Here is the results of the repadmin:
-----------
Replication Summary Start Time: 2006-03-22 17:12:53
Beginning data collection for replication summary, this may take awhile:
.....
Source DC largest delta fails/total %% error
WORKINGDC 27m:19s 0 / 3 0
Destination DC largest delta fails/total %% error
DCWITHERRORS 27m:19s 0 / 3 0
Assertion
-------
The DCDIAG gives me the following issues:
- Can't ping the GUID, so Connectivity test failed.
- kccevent test failed. EventID: 0x80000785
- Schema test failed for CrossRefValidation. LDAP Error 0x3a
Yesterday was hectic so I'll see I plan to see if we have everything set-up per Netman66's last link.
Snewo
OK, so looking at the Linux DNS entries, I suspect things are not correct. Since the entires on this DNS server (We're using Bind 9.2.something fyi) were dynamically created, how do I get the working DC to dynamically create this information again? Hopefully this will solve the issue. Of course, I'd like to limit any downtime needed to do this.
Snewo
On the working DC (actually everything inside your LAN should point only there), make sure you ONLY point to the Bind DNS installation and that on the Properties of TCP/IP> Advanced button > DNS tab that Register in DNS is checked off. On the Bind server, make sure that the domain zone for your AD allows Dynamic Updates (not sure where this is found).
Restart the Netlogon Service on this DC and the records should be created if the Bind server is setup properly.
Once the SRV records are created, replication should start properly as the other server can now locate the primary DC by service record.
Keep us posted.
By saying "leave it checked off", I meant make sure the checkmark is there - sorry about the confusing sentence.
Yes, it will remain "checked" always.
You can add the second DNS server as a secondary as long as the records get created on the first. If they aren't being created we have to find out the root cause of this.
Doesn't seem to have fixed the problem. I'm going to do it again since it's simple enough. I don't remember if I removed the backup DNS when I did it a second time with the box checked off.
Are there logs on the working DC that I can use to verify that it's doing what we think it's doing? The way I'm testing the non-working DC is to run netdiag on it and look for the errors. I assume that'll catch it.
Snewo
It still does not appear to be working. I'm getting some msdcs entries in our DNS, but there's obviously some disconnect here.
Do you have any other ideas for me to try? If not I'm wondering if it's beyond forum help. This may be time to bring in the MCSE again and put him in a room with the Linux guy and let them figure it out.
Snewo
snewo,
I won't bother you, but in your shoes here is what I'll do (this will preserve your DNS structure but using an intermediate step):
1) Install the Microsoft DNS server on both yours DC
2) Create the zone as Active Directory Integrated
3) In each DNS tab for the network connections on both servers for all NICs (Advanced tab of TCP protocol) ensure that the check box "Register this connection's addresses in DNS" IS Checked
4) Change your DNS config on your servers (dc1 and dc2) so that each server uses itself as primary and the other one as secondary
5) On each server issue these commands (in a CMD window)
ipconfig /flushdns
net stop netlogon
net start netlogon
ipconfig /registerdns
6) Be sure that both servers are Global Catalog (NTDS Settings in the Active Directory Site and Services). Give the system some time (20 minutes are ok) then run on one of them these commands (in a CMD window)
REPADMIN /REPLSUM /BYSRC /BYDEST /SORT:DELTA
DCDIAG.EXE /e
Now you should have no issues (if you still have issues, let us know the issue type, otherwise just continue the next steps)
7) in the zones yourdomain.com and _msdcs.yourdomain.com (in both yours DC) be sure to add the NS record for the Linux machines. To do it (a) add the A record for the linux machine, (b) open the property page for the zone and in the Name Servers tab add the linux machine, then confirm. Do it on BOTH zones.
8) In the property page for the zones (both of them) in the Zone Transfer tab be sure that the check box Allow zone transfer IS checked and the second option is selected (transfer to the servers listed in the Name Servers tab)
9) On the Linux box change the Zone Type of yourdomain.com and _msdcs.yourdomain.com to SECONDARY ZONE, and give the DC1 and DC2 addresses as master servers, than RELOAD the zones from the master.
At this point you should see both zones on the Linux machine exactly the same of the 2003 zones. Now you can revert the situation to the previous one, promoting again yourdomain.com and _msdcs.yourdomain.com to primary zone on Linux, and uninstalling the DNS servers from DC1 and DC2, restoring the previous DNS configuration for the net cards (but leaving the check boxex as are now).
If you issue again:
REPADMIN /REPLSUM /BYSRC /BYDEST /SORT:DELTA
DCDIAG.EXE /e
your situation should be normal with no issues at all.
Cheers
Pino
If you are not able to use an MS DNS solution for the AD and Forward to the *nix DNS then you'll need to get someone that understands Windows DNS to work with your Linux guy.
If you have time, install a test server (use any computer), DCPROMO it and allow the Wizard to install and configure DNS during this process. When it's complete, you can look at DNS to see exactly what entries are needed. As you add services to the test server (to match production) you have a perfect lab to see what other records get added to DNS.
3 Ways to Join
Business Accounts
- Perfect for organizations
- Multiple users
- Save over 36%
- Create a Business Account
Answer for Membership
- Earn free access
- Showcase your knowledge
- No credit card required
- Sign Up to Answer
Loading Advertisement...
by: gdefrancescoPosted on 2006-03-21 at 08:31:43ID: 16248417
Hiya,
I miss some... why being logged as newuser you choose to map using a different user and give the same one? anyway, try the current w2k3 format for the user name: newuser@mydomain. Let me know.
Cheers
Pino