Solved

Imported users can't access 2008R2 share via CNAME from Win8

Posted on 2013-01-28
Medium Priority
930 Views
Last Modified: 2013-02-03
We are currently testing Win8 and have an issue where some users can't access a particular 2008R2 file server, but only when trying to use a CNAME record (from logon script or Windows Explorer).
These same users are fine running Win7-64/XP-32/Vista. All CNAMEs resolve OK from Win8 when using Ping.

Servers: FILE  Win2008R2  bwjobs.domain as CName for Server04.domain (built 2011)
               MAIL win2008R2  bwmail.domain as CName for Server01.domain   (built 2010)
     
Client: Win8 Pro.

1. So when an 'old' user (i.e. me) logs on to the domain, the drive mapping fails for shares on bwjobs. When a 'new' user (someone created since the system was installed 2 yrs ago) logs on, all mapping works as currently for XP/Win7 users. I believe the 'old' users were imported into a new AD forest for the new 2008R2 domain, from an SBS2003 domain. Not migrated.

2. File server access is different....
2.1. For my logon, from Explorer, \\bwjobs (the CNAME) throws a logon dialog and won't accept credentials.
2.2. Yet typing \\server01 (the real name) shows me the available shares as expected.
2.3. Yet \\bwmail (CNAME) shows me the std shares for an Exchange server. (from Win8)

4. I can't see how the user's AD properties are different. (at least through the UI)

Any ideas on how to check the user properties and how the server properties for shares may be different? (Note mapping in Win7 works for all users and servers)

The servers both have DisableStrictNameChecking = 1 in Lanman params, DisableLoopbackCheck not set in either, and no items in BackConnectionHostNames. (Both are running production, so restarts are problematic with backup windows.)
Question by:Robberbaron (robr)
7 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38832512
I might have missed something, but you seem to be comparing XP/7 to 8. Can you confirm that a "new" user works on Win 8?

I don't know what you mean by "imported" instead of "migrated".
0
 
LVL 32

Expert Comment

by:Rodney Barnhardt
ID: 38832598
Can any user connect to the share via CNAME? This has been disabled by default since server 2003. There has to be a modification to the server registry for this to work. The link below is for server 2003, but I have found it is applicable to server 2008.

http://support.microsoft.com/default.aspx?scid=kb;en-us;281308
0
 
LVL 32

Author Comment

by:Robberbaron (robr)
ID: 38833182
1. The error is only on Win8. Connections are fine from Win7, etc., for ALL users.
2. "New" users work fine on Win8.
3. The users were bulk imported into a new domain somehow (from CSV or something), rather than a new DC added to use old domain.
4. The DisableStrictNameChecking = 1 has been set for a couple of years, as per the last paragraph of Q.
0

 
LVL 37

Expert Comment

by:ArneLovius
ID: 38833227
If users were created with a bulk import from CSV, then it's functionally the same as adding them one by one; however, it could be that "something else" was done at the same time.

I would suggest following these tests, rebooting between each step.

With a clean build of Win 8 (never joined to the domain), see if you can connect to the CNAME share. You will be prompted for a password, but it should be capable of connecting. If it does not, then it is a GPO that is setting something that allows the connection. If it works, reboot and see if you can connect again.

Join the computer to the domain, but again logon with the local account and again check if you can connect

Logon to the computer with a "broken" account and check that you cannot connect to the CNAME

Again logon with a local account and test

Logon to the computer with a working account and check that you can connect without being prompted for a password

Again logon with a local account and test

I have a feeling that it might be a GPO setting that is being applied that is allowing the CNAME to work.
0
 
LVL 32

Accepted Solution

by:
Robberbaron (robr) earned 0 total points
ID: 38834321
After review of error logs, this server had lost sync with the master AD server.
This server was partially rebuilt over Xmas by other IT support to enhance disk space.

Turns out the "old" users were ones that had changed their password after the rebuild (due to our 3 mth password rotation).

So passwords were somehow stale... Only Win8 had this issue.

We demoted and promoted the FileServer using DCPROMO.  3 reboots later all seems fine.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/A_2182-Removing-Failed-DC-Data-From-Active-Directory.html#c78629

Apologies for wasting your time but hopefully others may benefit.
0
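A way to confirm the stale-password condition described in the accepted solution, as an added example that is not part of the original thread: it reads one account's `pwdLastSet` from every domain controller and then lists replication links that report failures. The account name `jsmith` is a placeholder, and the ActiveDirectory PowerShell module and `repadmin` are assumed to be installed where it runs.

```powershell
# Added example (not from the thread). Run from a domain-joined admin host.
Import-Module ActiveDirectory

function Get-PasswordStateByDC {
    param([Parameter(Mandatory=$true)][string]$SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = @{ DC = $dc.HostName; PwdLastSet = $null; WhenChanged = $null; Error = $null }
        try {
            # -Server pins the query to this DC rather than the nearest one
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties pwdLastSet, whenChanged -ErrorAction Stop
            $row.PwdLastSet  = [datetime]::FromFileTimeUtc($u.pwdLastSet)
            $row.WhenChanged = $u.whenChanged
        } catch {
            # An unreachable DC is itself a finding, so record it instead of aborting
            $row.Error = $_.Exception.Message
        }
        New-Object PSObject -Property $row
    }
}

$account = 'jsmith'   # placeholder: use an account that fails on the CNAME share
$rows = @(Get-PasswordStateByDC -SamAccountName $account)
$rows | Sort-Object PwdLastSet |
    Format-Table DC, PwdLastSet, WhenChanged, Error -AutoSize

# More than one distinct pwdLastSet means a password change has not reached every DC
$groups = @($rows | Where-Object { -not $_.Error } | Group-Object PwdLastSet)
if ($groups.Count -gt 1) {
    Write-Warning "pwdLastSet for '$account' differs between DCs; check replication."
}

# Replication links with recorded failures, parsed from repadmin's CSV output
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Time', 'Last Success Time' |
    Format-Table -AutoSize
```

A DC that shows an older `pwdLastSet` than its peers, together with failures on its inbound links, matches the situation the author found on the rebuilt file server.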
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38834639
The crucial information that this server was also a DC had been missed from the original description...
0
 
LVL 32

Author Closing Comment

by:Robberbaron (robr)
ID: 38848344
Found real problem & solution independently. Should have been able to do this before posting!
0


Question has a verified solution.
