
W2k3 servers with forest authentication problem


  • W2k3 servers with forest authentication problem

    Problem Description:
    I have installed three Windows 2003 servers in separate domains. Before the migration to a domain server acting as a member server, there wasn't any authentication problem with the primary domain controller. After the migration:
    I can add a user from the primary domain to the local group on the sub domain server and use a mapped file without any problems. However, when I want to add a global group created on the sub domain to a local group on the primary domain server, I receive a message with authentication denied.
    On the primary server, the Active Directory of both sub domains is also NOT visible, and it tells me the domain servers aren't connected.
    There is only one DNS server running, and it is the same as the primary server.
    The LDAP sessions are created for both servers.
    I found in the log an error pointing to the "secure channel" and telling me the inbound trust has "insufficient access rights to perform the operation".
    All the trusts are created and set up as a two-way trust.
    However, the forest level can’t be set to Windows 2003 and is still in mixed mode. All other servers are running on a Windows 2003 level. I found something on the internet about changing the object “msDSBehaviorVersion” and the “class domainDNS, ntDSDSA and ntMixedDomain”.
    The problem is, I don’t understand where I can change these settings using the tool ADSIEDIT.msc.

    All servers are connected to one switch.
    All have the same IP-range and subnet.
    It is also possible to map and use a share from the child domain onto the primary domain controller using an account on the primary controller.

    Please please help me out with this issue.
    Maybe you can send me some detailed information or let me know where I can find a step-by-step manual.

  • #2
    That's quite a good problem description.

    I bet it's a DNS issue. Most likely, your subdomains have not been able to register all their records. For diagnosis, run netdiag and dcdiag on the subdomains and take it from there.

    There might be a chicken/egg problem here, since you have all your DNS in the forest root (unusual and not recommended). You could try to set the zone security for your subdomains to DDNS - allow all updates (not secured), then run 'net stop netlogon & net start netlogon' on the subdomains. If that registers the records, change DDNS back to secure updates.


    • #3
      Thanks for the quick reaction.

      However, I've tried the secure and non-secure option already without a positive result.
      You are saying the DNS is configured like it should be! What's your advice in this? Configure a DNS server on all domain servers?
      If yes, how do I configure this?

      Thanks in advance,


      • #4
        First, I would confirm that it is a DNS issue by running those commands. And did you do the netlogon thing?

        We can talk about 'correct' configurations later. First, let's get it to work!


        • #5
          But I haven't got the time to respond to your quick responding.
          I will run the netdiag and dcdiag tomorrow and send you the outcome.
          The answer to your question is YES, I changed the DNS security on both the _msdcs.... and _ldap....
          I also found another error:
          0x0000232B RCODE_NAME_ERROR
          Maybe they are related to each other, because it's pointing to a non-resolvable DNS connection.

          Thanks in advance,


          • #6
            1) Make sure all the DCs point to the DNS server you have configured in the forest root.
            2) As wksado already told you: restart the Netlogon service to re-register the SRV records.
            3) Run dcdiag/netdiag in each domain and look for the errors it spits out.

            Later on, if all your DCs are W2K3, you can:
            - configure the existing DNS server to replicate zones to all DCs in the forest
            - setup DNS on each and every DC
            - delegate the child domain DNS zones to corresponding DCs in child domains.

            But again, first sort out the DNS issue. No need to DCPROMO down the box - you can get yourself into some nasty trouble if you are not careful. The current errors can be fixed without DCPROMO-ing down the servers.
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"
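
The following PowerShell script is an added example and not code from anyone in this thread. It walks through the first three steps above (and the Netlogon restart from post #2) from the point of view of a child-domain DC: confirm the DC's resolver points at the forest-root DNS server, query the DC locator SRV record (`_ldap._tcp.dc._msdcs.<domain>`) against that server, and if the record is missing (the lookup fails with the NXDOMAIN name error that shows up as 0x232B RCODE_NAME_ERROR in post #5), restart Netlogon and re-check. It assumes PowerShell 3.0 or later with the DnsClient module (for `Resolve-DnsName`); the domain name and DNS server address are placeholders, not values from the thread.

```powershell
# Added example, not from the thread. Run on a child-domain DC.
# Assumptions: PowerShell 3.0+ with the DnsClient module; the two
# parameter defaults below are placeholders to be replaced.
param(
    [string]$ChildDomain   = 'child.example.local',  # placeholder child domain
    [string]$ForestRootDns = '10.0.0.10'             # placeholder forest-root DNS IP
)

# Step 1: confirm this DC's resolver points at the forest-root DNS server.
function Test-DnsClientPointsAt {
    param([string]$DnsServer)
    $configured = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses
    return ($configured -contains $DnsServer)
}

# Step 2: look up the DC locator SRV record for the domain on that server.
# A missing record surfaces as a failed lookup (NXDOMAIN / RCODE_NAME_ERROR),
# which means Netlogon never managed to register it.
function Get-DcLocatorRecord {
    param([string]$Domain, [string]$DnsServer)
    $name = "_ldap._tcp.dc._msdcs.$Domain"
    try {
        $answers = Resolve-DnsName -Name $name -Type SRV -Server $DnsServer -DnsOnly -ErrorAction Stop
        return @($answers | Where-Object { $_.Type -eq 'SRV' })
    } catch {
        Write-Warning "Lookup of $name against $DnsServer failed: $($_.Exception.Message)"
        return @()
    }
}

# Step 3: re-register by restarting Netlogon (same effect as
# 'net stop netlogon & net start netlogon' in post #2), wait, and re-check.
function Repair-DcRegistration {
    param([string]$Domain, [string]$DnsServer)
    Restart-Service -Name Netlogon -ErrorAction Stop
    Start-Sleep -Seconds 15
    return Get-DcLocatorRecord -Domain $Domain -DnsServer $DnsServer
}

if (-not (Test-DnsClientPointsAt -DnsServer $ForestRootDns)) {
    Write-Warning "This DC does not use $ForestRootDns as a DNS server; fix the NIC's DNS settings first."
}

$records = Get-DcLocatorRecord -Domain $ChildDomain -DnsServer $ForestRootDns
if ($records.Count -eq 0) {
    Write-Host "No DC locator SRV record for $ChildDomain; restarting Netlogon to re-register."
    $records = Repair-DcRegistration -Domain $ChildDomain -DnsServer $ForestRootDns
}

if ($records.Count -gt 0) {
    # Each row should name a DC of the child domain on port 389.
    $records | Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize
} else {
    # Still unregistered: the zone may be rejecting the update. Post #2's workaround is to
    # allow nonsecure updates on the zone, retry, then set it back to secure only.
    Write-Warning "Record still missing. On the DNS server, temporarily allow nonsecure updates"
    Write-Warning "(dnscmd /Config $ChildDomain /AllowUpdate 1), retry, then restore secure-only"
    Write-Warning "updates (/AllowUpdate 2). Then run dcdiag and netdiag and read the errors they report."
}
```

The check deliberately queries the forest-root server directly (`-Server`, `-DnsOnly`) rather than relying on the local resolver cache, so a stale cached answer cannot hide a missing record; if the SRV record shows up only after the Netlogon restart, registration was the problem rather than the trust itself.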


            • #7
              Log files from subdomain

              As promised, I have attached the log file results for netdiag, dcdiag and netsh.