Solved

Imported users cant access 2008R2 share via CNAME from Win8

Posted on 2013-01-28
7
908 Views
Last Modified: 2013-02-03
We are currently testing Win8 and have an issue where some users cant access a particular 2008R2 file server.  But only when trying to use a CNAME record.  (from logon script or win explorer)
These same users are fine running Win7-64/XP-32/Vista.  All CNAMEs resolve ok from win8 when using Ping.

Servers: FILE  Win2008R2  bwjobs.domain as CName for Server04.domain (built 2011)
               MAIL win2008R2  bwmail.domain as CName for Server01.domain   (built 2010)
     
Client: Win8 Pro.

1. So when an 'old' user (ie me) log's on to the domain, the drive mapping fails for shares on bwjobs.   When a 'new' user (someone created since the the system was installed 2yrs ago), log's on, all mapping works as currently for XP/Win7 users.  I believe the 'old' users were imported into a new AD forest for the new 2008R2 domain, from an SBS2003 domain. Not migrated.

2. File server access is different....
2.1  For my logon, From explorer, \\bwjobs (the cname) throws a logon dialog. And wont accept credentials.  
2.2   yet typing \\server01 (the real name) shows me the available shares as expected.
2.3. Yet \\bwmail (cname) shows me the std shares for an Exchange server. (from Win8)

4. I cant see how how the user's AD properties are different. (at least through the UI)

Any ideas on how to check the user properties and how the server properties for shares may be different ?  (Note mapping in Win7 works for all users and servers)

The servers both have DisableStrictNameChecking = 1 in Lanman params, DisableLoopbackCheck not set in either, and no items in BackConnectionHostNames.  (both running production so restarts are problemattic with backup windows)
0
Comment
Question by:Robberbaron (robr)
  • 3
  • 3
7 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38832512
I might have missed something, but you seem to be comparing xp/7 to 8, can you confirm that a "new" user works on Win 8 ?

I don;t know what you mean by "imported" instead of "migrated".
0
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 38832598
Can any user connect to the share via CNAME? This has been disabled by default since server 2003. There has to be a modification to the server registry for this to work. The link below is for server 2003, but I have found it is applicable to server 2008.

http://support.microsoft.com/default.aspx?scid=kb;en-us;281308
0
 
LVL 32

Author Comment

by:Robberbaron (robr)
ID: 38833182
1. the error is only on Win8.  connections are fine from Win7, etc, for ALL users.
2. "new" users work fine on Win8.
3. the users were bulk imported into a new domain somehow (from CSV or something), rather than a new DC added to use old domain.
4. The DisableStrictNameChecking = 1 has been set for a couple of years, as per the last paragraph of Q.
0
Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

 
LVL 37

Expert Comment

by:ArneLovius
ID: 38833227
If users were created with a bulk import from CSV, then its functionally the same as adding them one by one, however it could be that "something else" was done at the same time.

I would suggest following these tests, reboot between each step.

With a clean build of Win 8 (never joined to the domain, see if you can connect to the CNAME share, you will be prompted for a password, but it should be capable of connecting, if it does not, then it is a GPO that is setting something that allows the connection,  if it works reboot and and see if you can connect again.

Join the computer to the domain, but again logon with the local account and again check if you can connect

Logon to the computer with a "broken" account and check that you cannot connect to the CNAME

Again logon with a local account and test

Logon to the computer with a working account and check that you can connect without being prompted for a password

Again logon with a local account and test

I have a feeling that it might be a GPO settings that is being applied that is allowing the CNAME to work.
0
 
LVL 32

Accepted Solution

by:
Robberbaron (robr) earned 0 total points
ID: 38834321
After review of error logs, this server had lost sync with the master AD server.
This server was partially rebuilt over xmas by other IT support to enhance diskspace.

turns out the "old" users were ones that had changed their password after the rebuild (due to our 3 mth password rotation)

So passwords were somehow stale..... Only Win8 had this issue.

We demoted and promoted the FileServer using DCPROMO.  3 reboots later all seems fine.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/A_2182-Removing-Failed-DC-Data-From-Active-Directory.html#c78629

apologies for wasting your time but hopefully others may benefit.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38834639
The crucial information that this server was also a DC had been missed from the original description...
0
 
LVL 32

Author Closing Comment

by:Robberbaron (robr)
ID: 38848344
Found real problem & solution independently.  Should have be able to do this before posting !
0

Featured Post

Free Webinar: AWS Backup & DR

Join our upcoming webinar with experts from AWS, CloudBerry Lab, and the Town of Edgartown IT to discuss best practices for simplifying online backup management and cutting costs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

697 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question