Solved

After 2003 server converted to BDC (Backup Domain Controller) existing shares are now restricted

Posted on 2006-06-09
Last Modified: 2012-05-05
Office layout:
2000 Server (S2000) PDC AD
2003 Server (S2003) BDC, Exchange

We have been running with S2000 as the only Domain Controller / AD.
S2003 was just a server that hosted shares and Exchange server.
After I promoted S2003 to a BDC, some of the shares on S2003 are now more restrictive.
Specifically, we have a Ricoh scanner that scans and sends PDF files to the "scans" share on S2003.
After the change from plain server to BDC, the Ricoh fails to deliver the PDFs to the "scans" share.
The Ricoh has a setup where you define a network username and password so that when files are delivered it uses that authorization.
No matter how loose I make the security on "scans" it still fails. The Ricoh has no trouble sending PDFs to a share on S2000. The problem is only with shares on S2003.

TIA,
Jerry
Question by: jinfeld

Author Comment

by:jinfeld
ID: 16874077
I forgot to add:
All XP and 2000 desktops on the network can access "scans".
Only the Ricoh scanner is having problems writing to "scans".
The problem was triggered when S2003 was promoted from plain server to BDC. Prior to that, the Ricoh scanner was writing to "scans" without any issues.
TIA,
Jerry

Expert Comment

by:Lee W, MVP
ID: 16874386
Have you checked the NTFS and share permissions - these are TWO types of permissions - check them both.  Check your logs on the scanner and the server - you need to find error messages to help resolve this.

Also, you do realize that making an Exchange Server a domain controller is NOT RECOMMENDED.  Yes, you should have two DCs, but not if the second is an Exchange Server.  Also, there is no such thing as a PDC and BDC - they are all just DCs.

Author Comment

by:jinfeld
ID: 16874459
Which is the lesser of two evils, 1 domain controller or a second domain controller on the same box as Exchange server?
All the NTFS and share permissions have full access for the "everyone" group. Also, this was working before the DC role was turned on.
Can I back down and make S2003 a regular server again?
Thanks,
Jerry

Assisted Solution

by:Lee W, MVP
Lee W, MVP earned 125 total points
ID: 16874479
Lesser of two evils?  Not sure... but I wouldn't promote an exchange server to a DC.  I MIGHT install Exchange on a DC if I had no choice.

Also, domain controllers do have enhanced security that may be preventing access (something has to be done to 9x machines and Linux Samba machines to get them to connect to a DC's shares. I don't remember what, but I know it has to be done as I've tried it in the relatively distant past).

I would try to demote the server - but BACKUP both servers and exchange first.  Including SYSTEM STATE backups of both servers.

Author Comment

by:jinfeld
ID: 16874526
I think that's what we have here. The scanner is accessing the share like a generic SMB client. I know this is off-topic... what is the downside to the DC on the same box as Exchange? SBSs (Small Bus. Servers) everywhere have been doing that for 6 years.
Thanks again.


Expert Comment

by:Lee W, MVP
ID: 16874552
SBS servers are a special case, they are essentially optimized to run everything on one server.

Expert Comment

by:Lee W, MVP
ID: 16874556

Accepted Solution

by:Netman66
Netman66 earned 125 total points
ID: 16874580
DO NOT demote the 2003 server with Exchange on it.

You cannot change the role of the server that Exchange is installed on or you'll break Exchange.


Expert Comment

by:Netman66
ID: 16874595
Here it is in B/W:

http://support.microsoft.com/kb/822179/en-us

Quote:

"You can run Exchange Server 2003 on either a member server or on a domain controller. After you install Exchange Server 2003 on a server, do not change the role of the server. For example, if you install Exchange Server 2003 on a member server, do not use the Dcpromo tool to promote the server to a domain controller. Or, if you install Exchange Server 2003 on a domain controller, do not use the Dcpromo tool to demote the server to a member server. Changing the role of a server after you install Exchange Server 2003 may result in loss of some Exchange functionality and is not supported."

As far as the permissions issue, this is expected.  You changed from either a standalone or a member server, and now the DC has more restrictions.

Expert Comment

by:Lee W, MVP
ID: 16874597
Netman - the problem is, he ALREADY changed the role - it WASN'T a DC until recently.

Expert Comment

by:Netman66
ID: 16874644
That's not good.

I wonder how ugly Exchange is going to be.


Author Comment

by:jinfeld
ID: 16875778
Well dang,
Why didn't the dcpromo tool warn that you are not to promote an Exchange server?
Exchange is running fine. The file services on the S2003 are running fine for 30 users. The only problem after 3 days is the scanner's new inability to save files on S2003 shares. OWA is running well. No persistent errors in the logs, yet.

If the DC is more restrictive, how can I open it up? Is there a log that will detail the file sharing refusals?

Thanks,
Jerry

Author Comment

by:jinfeld
ID: 16878750
All this back-and-forth got my Windows engrams going.
The thing that locked out my scanner when S2003 got promoted to a DC was this Group Policy:
run > gpedit.msc
Disable this...
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
According to the "help" file...
This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
Default:
Disabled for member servers.
Enabled for domain controllers.

**********
Disable these too (if they are enabled):
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.
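A way to see which of the four SMB-signing settings named above is actually in force on the server before touching Group Policy, as an added example that is not part of the original thread. It assumes the well-known registry mapping of those policies (the "Microsoft network server" settings under LanmanServer\Parameters, the "Microsoft network client" settings under LanmanWorkstation\Parameters) and reports whether a client that cannot sign, like the scanner, would be refused.

```powershell
# Added example: audit the effective SMB-signing policy on a Windows server.
# Assumed mapping of the Security Options from the thread to registry DWORDs:
#   server: Digitally sign communications (always)           -> LanmanServer\Parameters\RequireSecuritySignature
#   server: Digitally sign communications (if client agrees) -> LanmanServer\Parameters\EnableSecuritySignature
#   client: Digitally sign communications (always)           -> LanmanWorkstation\Parameters\RequireSecuritySignature
#   client: Digitally sign communications (if server agrees) -> LanmanWorkstation\Parameters\EnableSecuritySignature

function Get-SmbSigningPolicy {
    $srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $cli = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $checks = @(
        @{ Role='Server'; Setting='Digitally sign communications (always)';           Key=$srv; Value='RequireSecuritySignature' },
        @{ Role='Server'; Setting='Digitally sign communications (if client agrees)'; Key=$srv; Value='EnableSecuritySignature' },
        @{ Role='Client'; Setting='Digitally sign communications (always)';           Key=$cli; Value='RequireSecuritySignature' },
        @{ Role='Client'; Setting='Digitally sign communications (if server agrees)'; Key=$cli; Value='EnableSecuritySignature' }
    )
    foreach ($c in $checks) {
        # A missing value means the policy is not configured; the OS default then applies.
        $item = Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue
        $raw  = if ($item) { $item.($c.Value) } else { $null }
        $state = if ($raw -eq 1) { 'Enabled' } elseif ($raw -eq 0) { 'Disabled' } else { 'Not configured' }
        [pscustomobject]@{ Role = $c.Role; Setting = $c.Setting; State = $state }
    }
}

$policy = Get-SmbSigningPolicy
$policy | Format-Table -AutoSize

# The setting that refuses a client which cannot sign (the scanner in the thread) is the
# server-side "(always)" one; the thread notes it is Enabled by default on a domain controller.
$require = $policy | Where-Object { $_.Role -eq 'Server' -and $_.Setting -like '*(always)*' }
if ($require.State -eq 'Enabled') {
    Write-Output 'Server requires SMB signing: clients that cannot sign will be refused.'
} else {
    Write-Output 'Server does not require SMB signing in the registry; signing is negotiated per client.'
}

# After changing the policy in gpedit.msc, apply it without waiting for the refresh interval:
#   gpupdate /force
```

Run it on S2003 before and after the Group Policy change to confirm the server-side "(always)" row flips from Enabled to Disabled, rather than waiting for the refresh intervals quoted above.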

Author Comment

by:jinfeld
ID: 17084833
I wanted to give you both points for your effort.
Thanks,

I followed up with MS Tech Support and inquired about running AD and Exchange on the same box and they said this was not recommended for two reasons:
1) Performance if the AD is large
2) Recovery after a major hardware failure on a combined AD/Exchange box takes longer because you have to manually rebuild the Exchange / AD account relations, whereas if you only had to rebuild a stand-alone AD box, very little effort would be required to re-attach Exchange.

Thanks again,
Jerry