maryatroasters

Users Must Reauthenticate in SBS2003

I have recently set up a Windows SBS2003 server and domain.  All users were running fine.  Last week a few started having to reauthenticate to the SBS server at "random" points during the day when they accessed their e-mail and/or network mapped drives.  This problem has been worsening, with more and more users experiencing it each day.  Now, when some log on, they can't see the network drives at all (mapping applied at logon by a group policy script), yet the mappings to the old server (Windows 2000 Server) are fine, so I know they are running the script.  Once they log on (apparently not authenticating properly?), click on a network resource, they get asked to reauthenticate.  Then, once they do, they can manually run this vbs drive-mapping script and everything is peachy.  Any ideas?
Jeffrey Kane - TechSoEasy

So, you had an old server and domain?  Or was the old server just in a workgroup before?

I'm wondering as well about your drive mapping script... generally you wouldn't do this through group policy... it would be done by adding a CALL line to the SBS_LOGIN_SCRIPT.bat file that calls up a second .bat file in the same directory (which is \\SERVERNAME\NETLOGON).

And THAT makes me wonder if you added your users and computers via the required SBS Add-User and Add-Computer Wizards.  These make sure that a number of things are properly configured, and they ensure that users and computers are placed in the proper default OUs.

Jeff
TechSoEasy
maryatroasters

ASKER

Yes, we had a Windows 2000 Server and different domain.  In fact, that server is still in use, and the same users and passwords are set up on both servers.  The .vbs script I have running maps drives on both servers, and interestingly enough, is always successful in mapping the drives on the older server, but it is the NEW server shares that are not getting mapped (though they USED to).  And this problem is not happening for all users... just a few, but getting worse.

And, yes, I added the users and computers via the wizards, and all affected clients were migrated using the connectcomputer utility (along with many other users who are NOT experiencing the loss of authentication).  Everyone was running fine until last week, and I can't recall an event that might have triggered this.

So, when users want to access files on the old server you have them log onto that separately??  That doesn't make any sense at all... can you please explain?

Also, can you please post a complete IPCONFIG /ALL from both the SBS as well as the Win2K server?  I'm sure this has to do with the relationship between these two servers... whether it be DNS, NETBIOS/WINS or a combination of the two... because SBS domains do not support trusts and SBS will not tolerate another domain controller on the same subnet, I would suspect that the SBCore service is interfering.

Jeff
TechSoEasy

Thank you for your quick reply, Jeff.

When the users log onto their PC, the authentication takes place on BOTH servers at that time, even though they are logging onto the SBS domain (one logon).  The 2000 domain server has been playing nicely within the SBS domain that way since day 1.  (Have I been taking advantage of an "undocumented feature?")  The login script maps drives on both servers, and this has worked up to last week.  As I stated earlier, the drive mappings to the 2000 server are solid and there every time.

I have taken printscreens of IPCONFIG /ALL on both servers and will post them promptly (when I figure out how to do that here).

Thanks again.

OK, I'll have to copy/paste, I guess.  :o)

Here is the SBS Server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : serversbs
   Primary Dns Suffix  . . . . . . . : Diedrich.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Diedrich.local

Ethernet adapter Server LAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-14-22-78-93-13
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.1

Ethernet adapter Internet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : NETGEAR GA311 Gigabit Adapter
   Physical Address. . . . . . . . . : 00-0F-B5-FE-8F-32
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.253
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Disabled

Here is the Win2K server:

Windows 2000 IP Configuration

      Host Name . . . . . . . . . . . . : server2000
      Primary DNS Suffix  . . . . . . . : diedrichmfg.local
      Node Type . . . . . . . . . . . . : Hybrid
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : diedrichmfg.local

Ethernet adapter Intel Fast Ethernet LAN Controller - onboard:

      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Intel(R) PRO/100 Network Connection
      Physical Address. . . . . . . . . : 00-06-5B-3F-69-CC
      DHCP Enabled. . . . . . . . . . . : No
      IP Address. . . . . . . . . . . . : 192.168.1.168
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.1.1
      DNS Servers . . . . . . . . . . . : 192.168.1.1
                                          69.41.131.4

Well, I see how this may be happening... in that you have configured the same subnet on both of the SBS's NICs which essentially makes RRAS a totally ineffective firewall.  But, we'll get back to that...

Can you please explain how  "the authentication takes place on BOTH servers at that time, even though they are logging onto the SBS domain (one logon). "???

Jeff
TechSoEasy
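
The point raised in the post above, that both NICs on the SBS are configured in the same subnet, can be checked mechanically from IPCONFIG /ALL output. This is an added example, not part of the original thread; the function names are hypothetical and the sample text is trimmed from the SBS output posted earlier.

```python
import ipaddress
import re
from itertools import combinations

# Sample input: trimmed from the SBS server's IPCONFIG /ALL output posted in this thread.
SBS_IPCONFIG = """\
Ethernet adapter Server LAN:

   IP Address. . . . . . . . . . . . : 192.168.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0

Ethernet adapter Internet:

   IP Address. . . . . . . . . . . . : 192.168.1.253
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.254
"""

ADAPTER_RE = re.compile(r"^Ethernet adapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(IP Address|Subnet Mask)[ .]*:\s*(\S+)\s*$")

def parse_adapters(text):
    """Return {adapter name: IPv4Interface} parsed from IPCONFIG /ALL text."""
    adapters, name, fields = {}, None, {}
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:  # a new adapter section starts; reset the collected fields
            name, fields = m.group(1), {}
            continue
        m = FIELD_RE.match(line)
        if m and name:
            fields[m.group(1)] = m.group(2)
            if len(fields) == 2:  # both address and mask seen for this adapter
                adapters[name] = ipaddress.ip_interface(
                    f"{fields['IP Address']}/{fields['Subnet Mask']}")
    return adapters

def overlapping_adapters(text):
    """Return pairs of adapter names whose IPv4 networks overlap."""
    adapters = parse_adapters(text)
    return [(a, b) for (a, ia), (b, ib) in combinations(adapters.items(), 2)
            if ia.network.overlaps(ib.network)]

if __name__ == "__main__":
    for a, b in overlapping_adapters(SBS_IPCONFIG):
        print(f"WARNING: adapters '{a}' and '{b}' are in the same subnet")
```
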
Well... *blush*... perhaps I cannot explain it, and hence one of my problems.  :o)   But for over a month, the users were logging into the SBS domain, and the script was running and authenticating them properly to the WIN2K server when the script called for mapping to the WIN2K server shares.  The application running on the WIN2K server runs properly, too (utilizing one of the 2 mapped drives to the older WIN2K server).  The users never actually authenticate to this WIN2K server explicitly.  But it has always worked.  Again... an undocumented feature that is now biting me in the behind?

- TTT

Perhaps you want to provide the content of the script here?

It's definitely not an undocumented feature... but what I don't understand is why you haven't joined the Win2K server to your SBS domain??

http://sbsurl.com/addserver will explain how.

Jeff
TechSoEasy

Script:

' logon script for all users
' v1.0 (09/13/02)
' v1.1 (10/21/02) added AVG workstation communications
' v1.2 (11/14/02) change location of drive T, add drive U
' v1.3 (11/10/03) change location of drive T
' v1.4 (01/05/04) add drive X for Epicor (Vista)
' v1.5 (01/26/05) add drive W for Schedules
' v1.6 (03/17/05) add drive Y for VSS
' v1.7 (10/24/05) add drive J for Fedex
' v1.8 (05/05/06) clean up for ServerSBS
'
' map drives on login, unmap previous mappings
'
option explicit
on error resume next

dim i, d_drv(9), d_map(9)
dim wshnet
dim ofs
dim drive_coll
dim drive_item
' define mapped drives
d_drv(0)="I:" :d_drv(1)="M:" :d_drv(2)="P:" :d_drv(3)="S:"
d_drv(4)="T:" :d_drv(5)="R:" :d_drv(6)="V:" :d_drv(7)="X:"
d_drv(8)="W:" :d_drv(9)="Y:"
' define mappings
d_map(0)="\\serversbs\ups"
d_map(1)="\\serversbs\manage"
d_map(2)="\\serversbs\apps"
d_map(3)="\\serversbs\techsupp"
d_map(4)="\\serversbs\Diedrich_db"
d_map(5)="\\serversbs\pt"
d_map(6)="\\server2000\Vista"
d_map(7)="\\server2000\epicor"
d_map(8)="\\serversbs\Schedules"
d_map(9)="\\serversbs\VSS"
set wshnet=wscript.createobject("wscript.network")
set drive_coll=wshnet.enumnetworkdrives
for i=0 to 9
      for each drive_item in drive_coll
            if drive_item=d_drv(i) then wshnet.removenetworkdrive d_drv(i),true,true
      next
      wshnet.mapnetworkdrive d_drv(i),d_map(i),true
next
set drive_item=nothing
set drive_coll=nothing
set wshnet=nothing

Okay, that looks pretty clean... how about logging onto one of the workstations with an account that's having trouble... run the following at the command prompt and post that as well:

cd c:\
gpresult /z >result.txt

Jeff
TechSoEasy
ASKER CERTIFIED SOLUTION
Jeffrey Kane - TechSoEasy
This solution is only available to members.
What ever happened to this?  Did you resolve your problems?

Jeff
TechSoEasy