Solved

Imported users cant access 2008R2 share via CNAME from Win8

Posted on 2013-01-28
7
914 Views
Last Modified: 2013-02-03
We are currently testing Win8 and have an issue where some users cant access a particular 2008R2 file server.  But only when trying to use a CNAME record.  (from logon script or win explorer)
These same users are fine running Win7-64/XP-32/Vista.  All CNAMEs resolve ok from win8 when using Ping.

Servers: FILE  Win2008R2  bwjobs.domain as CName for Server04.domain (built 2011)
               MAIL win2008R2  bwmail.domain as CName for Server01.domain   (built 2010)
     
Client: Win8 Pro.

1. So when an 'old' user (ie me) log's on to the domain, the drive mapping fails for shares on bwjobs.   When a 'new' user (someone created since the the system was installed 2yrs ago), log's on, all mapping works as currently for XP/Win7 users.  I believe the 'old' users were imported into a new AD forest for the new 2008R2 domain, from an SBS2003 domain. Not migrated.

2. File server access is different....
2.1  For my logon, From explorer, \\bwjobs (the cname) throws a logon dialog. And wont accept credentials.  
2.2   yet typing \\server01 (the real name) shows me the available shares as expected.
2.3. Yet \\bwmail (cname) shows me the std shares for an Exchange server. (from Win8)

4. I cant see how how the user's AD properties are different. (at least through the UI)

Any ideas on how to check the user properties and how the server properties for shares may be different ?  (Note mapping in Win7 works for all users and servers)

The servers both have DisableStrictNameChecking = 1 in Lanman params, DisableLoopbackCheck not set in either, and no items in BackConnectionHostNames.  (both running production so restarts are problemattic with backup windows)
0
Comment
Question by:Robberbaron (robr)
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38832512
I might have missed something, but you seem to be comparing xp/7 to 8, can you confirm that a "new" user works on Win 8 ?

I don;t know what you mean by "imported" instead of "migrated".
0
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 38832598
Can any user connect to the share via CNAME? This has been disabled by default since server 2003. There has to be a modification to the server registry for this to work. The link below is for server 2003, but I have found it is applicable to server 2008.

http://support.microsoft.com/default.aspx?scid=kb;en-us;281308
0
 
LVL 32

Author Comment

by:Robberbaron (robr)
ID: 38833182
1. the error is only on Win8.  connections are fine from Win7, etc, for ALL users.
2. "new" users work fine on Win8.
3. the users were bulk imported into a new domain somehow (from CSV or something), rather than a new DC added to use old domain.
4. The DisableStrictNameChecking = 1 has been set for a couple of years, as per the last paragraph of Q.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 37

Expert Comment

by:ArneLovius
ID: 38833227
If users were created with a bulk import from CSV, then its functionally the same as adding them one by one, however it could be that "something else" was done at the same time.

I would suggest following these tests, reboot between each step.

With a clean build of Win 8 (never joined to the domain, see if you can connect to the CNAME share, you will be prompted for a password, but it should be capable of connecting, if it does not, then it is a GPO that is setting something that allows the connection,  if it works reboot and and see if you can connect again.

Join the computer to the domain, but again logon with the local account and again check if you can connect

Logon to the computer with a "broken" account and check that you cannot connect to the CNAME

Again logon with a local account and test

Logon to the computer with a working account and check that you can connect without being prompted for a password

Again logon with a local account and test

I have a feeling that it might be a GPO settings that is being applied that is allowing the CNAME to work.
0
 
LVL 32

Accepted Solution

by:
Robberbaron (robr) earned 0 total points
ID: 38834321
After review of error logs, this server had lost sync with the master AD server.
This server was partially rebuilt over xmas by other IT support to enhance diskspace.

turns out the "old" users were ones that had changed their password after the rebuild (due to our 3 mth password rotation)

So passwords were somehow stale..... Only Win8 had this issue.

We demoted and promoted the FileServer using DCPROMO.  3 reboots later all seems fine.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/A_2182-Removing-Failed-DC-Data-From-Active-Directory.html#c78629

apologies for wasting your time but hopefully others may benefit.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38834639
The crucial information that this server was also a DC had been missed from the original description...
0
 
LVL 32

Author Closing Comment

by:Robberbaron (robr)
ID: 38848344
Found real problem & solution independently.  Should have be able to do this before posting !
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
This Micro Tutorial will show you how to maximize your wireless card to its maximum capability. This will be demonstrated using Intel(R) Centrino(R) Wireless-N 2230 wireless card on Windows 8 operating system.

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question