After 2003 server converted to BDC (Backup Domain Controller) existing shares are now restricted

Office layout:
2000 Server (S2000) PDC AD
2003 Server (S2003) BDC, Exchange

We have been running with S2000 as the only Domain Controller / AD.
S2003 was just a server that hosted shares and Exchange server.
After I promoted S2003 to a BDC, some of the shares on S2003 are now more restrictive.
Specifically, we have a Ricoh scanner that scans and sends PDF files to the "scans" share on S2003.
After the change from plain server to BDC, the Ricoh fails to deliver the PDFs to the "scans" share.
The Ricoh has a setup where you define a network username and password so that when files are delivered it uses that authorization.
No matter how loose I make the security on "scans" it still fails. The Ricoh has no trouble sending PDFs to a share on S2000. The problem is only with shares on S2003.

TIA,
Jerry
jinfeld (President) asked:

Netman66 commented:
DO NOT demote the 2003 server with Exchange on it.

You cannot change the role of the server that Exchange is installed on or you'll break Exchange.

0
 
jinfeld (President, author) commented:
I forgot to add:
All XP and 2000 desktops on the network can access "scans".
Only the Ricoh scanner is having problems writing to "scans".
The problem was triggered when S2003 was promoted from plain server to BDC. Prior to that, the Ricoh scanner was writing to "scans" without any issues.
TIA,
Jerry
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Have you checked the NTFS and share permissions - these are TWO types of permissions - check them both.  Check your logs on the scanner and the server - you need to find error messages to help resolve this.

Also, you do realize that making an Exchange Server a domain controller is NOT RECOMMENDED.  Yes, you should have two DCs, but not if the second is an Exchange Server.  Also, there is no such thing as a PDC and BDC - they are all just DCs.
0
jinfeld (President, author) commented:
Which is the lesser of two evils, 1 domain controller or a second domain controller on the same box as Exchange server?
All the NTFS and share permissions have full access for the "everyone" group. Also, this was working before the DC role was turned on.
Can I back down and make S2003 a regular server again?
Thanks,
Jerry
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Lesser of two evils?  Not sure... but I wouldn't promote an exchange server to a DC.  I MIGHT install Exchange on a DC if I had no choice.

Also, domain controllers do have enhanced security that may be preventing access (something has to be done to 9x machines and Linux Samba machines to get them to connect to a DC's shares). I don't remember what, but I know it has to be done as I've tried it in the relatively distant past.

I would try to demote the server - but BACKUP both servers and exchange first.  Including SYSTEM STATE backups of both servers.
0
 
jinfeld (President, author) commented:
I think that's what we have here. The scanner is accessing the share like a generic SMB client. I know this is off-topic... what is the downside to the DC on the same box as Exchange? SBSs (Small Bus. Servers) everywhere have been doing that for 6 years.
Thanks again.

0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
SBS servers are a special case, they are essentially optimized to run everything on one server.
0
 
Netman66 commented:
Here it is in B/W:

http://support.microsoft.com/kb/822179/en-us

Quote:

"You can run Exchange Server 2003 on either a member server or on a domain controller. After you install Exchange Server 2003 on a server, do not change the role of the server. For example, if you install Exchange Server 2003 on a member server, do not use the Dcpromo tool to promote the server to a domain controller. Or, if you install Exchange Server 2003 on a domain controller, do not use the Dcpromo tool to demote the server to a member server. Changing the role of a server after you install Exchange Server 2003 may result in loss of some Exchange functionality and is not supported."

As far as the permissions issue, this is expected.  You changed from either a standalone or member and now the DC has more restrictions.
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
Netman - the problem is, he ALREADY changed the role - it WASN'T a DC until recently.
0
 
Netman66 commented:
That's not good.

I wonder how ugly Exchange is going to be.

0
 
jinfeld (President, author) commented:
Well dang,
Why didn't the dcpromo tool warn that you are not to promote an Exchange server?
Exchange is running fine. The file services on the S2003 are running fine for 30 users. The only problem after 3 days is the scanner's new inability to save files on S2003 shares. OWA is running well. No persistent errors in the logs, yet.

If the DC is more restrictive, how can I open it up? Is there a log that will detail the file sharing refusals?

Thanks,
Jerry
0
 
jinfeld (President, author) commented:
All this back-and-forth got my Windows engrams going.
The thing that locked out my scanner when S2003 got promoted to a DC was this Group Policy:
run > gpedit.msc
Disable this...
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network server: Digitally sign communications (always)
According to the "help" file...
This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB client is permitted. If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server.
Default:
Disabled for member servers.
Enabled for domain controllers.

**********
Disable these too (if they are enabled):
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (always)
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Microsoft network client: Digitally sign communications (if server agrees)

The security settings are refreshed every 90 minutes on a workstation or server and every 5 minutes on a domain controller. The settings are also refreshed every 16 hours, whether or not there are any changes.
 
0
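The two policies quoted above are stored as registry values under the LanmanServer and LanmanWorkstation service keys. The following script is an added example, not from the original thread, that reads those values on the server and reports whether a client that cannot sign SMB traffic (such as the scanner) would be refused. Function names are my own; run it in an elevated PowerShell on S2003.

```powershell
# Added example: report the effective SMB signing posture of this machine.
# "Digitally sign communications (always)"            -> RequireSecuritySignature
# "Digitally sign communications (if client/server agrees)" -> EnableSecuritySignature
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

function Get-SigningValue {
    param([string]$Key, [string]$Name)
    # A missing value means "not configured"; report $null instead of throwing.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Get-SmbSigningPosture {
    # Hypothetical helper name; New-Object keeps this compatible with old PowerShell.
    New-Object -TypeName PSObject -Property @{
        ServerRequire = Get-SigningValue $serverKey 'RequireSecuritySignature'
        ServerEnable  = Get-SigningValue $serverKey 'EnableSecuritySignature'
        ClientRequire = Get-SigningValue $clientKey 'RequireSecuritySignature'
        ClientEnable  = Get-SigningValue $clientKey 'EnableSecuritySignature'
    }
}

$posture = Get-SmbSigningPosture
$posture | Format-List

# The server-side "always" setting is the one that blocks non-signing clients.
if ($posture.ServerRequire -eq 1) {
    Write-Host 'Server REQUIRES SMB signing: a client that cannot sign will be refused.'
} elseif ($posture.ServerEnable -eq 1) {
    Write-Host 'Server negotiates signing: signing clients sign, others connect unsigned.'
} else {
    Write-Host 'Server-side SMB signing is disabled or not configured.'
}
```

Because a domain controller refreshes security settings every 5 minutes, re-run the script after changing the policy to confirm the registry value has actually flipped. Note that turning off the server-side "always" setting on a DC removes integrity protection for every SMB session to that DC, not just the scanner's; the narrower fix is to keep it required and use a share on a member server, or a device that supports signing, for the scans.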
 
jinfeld (President, author) commented:
I wanted to give you both points for your effort.
Thanks,

I followed up with MS Tech Support and inquired about running AD and Exchange on the same box and they said this was not recommended for two reasons:
1) Performance if the AD is large
2) Recovery after a major hardware failure on a combined AD/Exchange box takes longer because you have to manually rebuild the Exchange / AD account relations, whereas if you only had to rebuild a stand-alone AD box, very little effort would be required to re-attach Exchange.

Thanks again,
Jerry
0