Solved

NT4 workstations get access is denied when trying to browse a domain controller

Posted on 2006-06-22
14
375 Views
Last Modified: 2013-12-04
When logged into a Windows NT4 sp6 workstation (as Administrator) and using Network Neighborhood to browse the network, I am unable to browse the domain controllers (all 3 of them).  The domain controllers are Windows2000.  On one of the domain controllers there are printer shares that the XP and 2000 computers can see.  The only ones having issues seeing the printer shares are the NT4 boxes.  

This is what I have seen.

The NT4 boxes can browse all non domain controller boxes at my location.  The reason I say my location is because there are some domain controllers that are located in the UK and I am able to browse thoes servers on the same NT4 box.  I think it has to be a security setting that was changed unknowingly.  I just find it strange it would effect all the controllers here.  The other guy here thinks it has to do with me adding back in the Default group policies for domain and domain controllers.  If that was the case I would think I would have the same issue browsing the UK domain servers as I do here, but I dont want to rule that out as I had to create them from scratch as someone went into the sysvol and deleted them from there and I might have missed a setting or enabled a setting that shouldnt have been done.  But like I said, if it was a group policy that stopped all NT4 boxes from browsing the domain controllers, it would have happened to the UK servers also.

I also did find something on here that sounds like the same issue as mine, but it didnt work out plus the topic ended with something about SMB signing and that isnt the answer for me.

0
Comment
Question by:x30n
14 Comments
 
LVL 7

Expert Comment

by:CharliePete00
Comment Utility
Check the NIC properties on your DCs to see if NetBIOS support is enabled.
0
 
LVL 7

Expert Comment

by:CharliePete00
Comment Utility
Also, look in the event logs of the NT 4 systems for Master Browser election notifications.

If you ping your DCs by computer name so you get name resolution?

If you try to connect the DCs directly through the command-line with "\\<server>" are you able to connect?  If not, how about with "\\<ip address>"?

Try running "ipconfig /all" from the command-line and see if your WINS and DNS server info is correct
0
 
LVL 1

Author Comment

by:x30n
Comment Utility
NetBIOS is enabled
I can ping
WINS isnt installed (I was just hired here so...)
command-line I still get access denied.
found browser election saying:

The browser has forced an election on network \Device\NetBT_EI90x1 because a master browser was stopped.
0
 
LVL 7

Accepted Solution

by:
CharliePete00 earned 168 total points
Comment Utility
Make sure the time is correct on the problem machines and the DCs.  You also may want to try resetting the computer (not user) account passwords.  To do this execute the following from the command-line of the problemed machines:

netdom resetpwd /server:<Server> /userd:<Domain>\<Domain Admin Account> /passwordd:*

Where <Server> = The name of a DC (PDC Emulator is best)
<Domain> = The name of your domain
<Domain Admin Account> = A member of the Domain Admins group

example

netdom resetpwd /server:MyServer /userd:MyDomain\Administrator /passwordd:*
0
 
LVL 1

Author Comment

by:x30n
Comment Utility
I will let you know how that works out tomorrow when I get back in.
0
 
LVL 13

Assisted Solution

by:hstiles
hstiles earned 166 total points
Comment Utility
We have encountered some similar(ish) problems on MAC clients attaching to shares on a DC.  Best way to troubleshoot would be to do the following

Examine your domain security policy and compare it to your domain controller security policy.  It may be that the domain controller security policy is insisting on a much higher level of security.  Check the security log on the DC as well

0
 
LVL 1

Author Comment

by:x30n
Comment Utility
Ok will, netdom isnt in the workstation so I downloaded the support tools and netdom isnt included also.  I tried nltest /bdc_query:(mydomain) and it showed both bdcs  but I got a I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED


Right now for giggles I am downloading sp6a for it to reinstall it.  Man, before comming here I havnt touched a NT4 box in like 6 years so I am so out of touch with it.  I am also going to google that error to see what I get.


hstiles: I guess if there was something in the group policys that was blocking nt4 from browseing DC's then it would have effected my UK controllers also.  I can browse the UK dc's on the same nt4 box so....

If there is something you need to know that I might not a mentioned ask.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 1

Author Comment

by:x30n
Comment Utility
Ok I am going to start thowing things out.  Maybe it will help

Workstation:

nt4 sp6a High Encryption insalled.
Disk format: FAT
used to see printer shares on domain controllers but no longer can.
used to be able to browse domain controllers in the US, but not longer can
still able to browse domain controllers in the same domain in the UK and also see the printer shares on the domain controllers.


Domain:

Win2k (upgraded from nt4, not clean install)
RID Operations Master is the 'PDC'
PDC Operation Master (emulates) is the 'PDC'
Infrastructure Master is a 'BDC'
No WINs
DNS is the 'PDC' and I am starting to notice some name resolution issues, but that is something I will tackle later.

If I think of anything or come across anything I will post it.
 
0
 
LVL 1

Author Comment

by:x30n
Comment Utility
Oh, all three DCs here are mulit-homed.  (I remember something about that being an issue, but what I hear is well it worked in the pasted.)
0
 
LVL 12

Assisted Solution

by:gidds99
gidds99 earned 166 total points
Comment Utility
Has there been any changes to the US network or US security policies which may account for this change in behaviour?
0
 
LVL 1

Author Comment

by:x30n
Comment Utility
other then adding in the default domain controller and default domain group policy back in, no.


I even removed them to see if that was the issue, but it wasnt. Also if it was an issue, it should have affected the UK's DC and not allow the workstation to browse them also, but it didnt.
0
 
LVL 1

Author Comment

by:x30n
Comment Utility
Today-

Friday there was an issue with AD and needed to restart the DC and one of the BDCs.  

Now that I am back working on this issue, I am able to connect and browse the DC and the BDC I had to reboot.  However, the BDC I really need to browse for the printer shares I still dont have access too.   So I am thinking a reboot might be in order for that one also, but it will be something I have to take care of after hours and test it.

I hate to have to reboot a server for no reason, so I hope this is all that was needed for the NT boxes to see the printer shares once again.

I will let you know as soon as I get it done.  
0
 
LVL 1

Author Comment

by:x30n
Comment Utility
OK, rebooting it worked.
0
 
LVL 1

Author Comment

by:x30n
Comment Utility
I will split the points up between the three of you for trying to help.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Join & Write a Comment

Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
OfficeMate Freezes on login or does not load after login credentials are input.
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now