2003 server in a NT4 Domain.



Josh Davis

Hi All.

I have an NT4 Domain at present.

I brought a 2003 Server online and joined the NT4 Domain.
When the 2003 Server logs on it is logging onto the NT4 domain.
This is working but I have a problem.

The 2003 box's intended use was as a new print server. When users
try to browse to the shared printers on the 2003 machine they
are prompted for a user name and password. The only method
that I have found that enables them to see and install the new
printers was to enable the guest account on the 2003 server.

Would I be correct in assuming that 2003 cannot act as a member server
in an NT4 domain, similar to the old BDC method, but can only join a
domain?

Thanks for any insight on this.

Josh.
 


Herb Martin

Josh Davis said:
Hi All.

I have an NT4 Domain at present.

I brought a 2003 Server online and joined the NT4 Domain.
When the 2003 Server logs on it is logging onto the NT4 domain.
Perfectly fine so far.
This is working but I have a problem.
The 2003 box's intended use was as a new print server. When users
try to browse to the shared printers on the 2003 machine they
are prompted for a user name and password. The only method
that I have found that enables them to see and install the new
printers was to enable the guest account on the 2003 server.
Sounds like the Win2003 server is NOT really in the
NT4 domain. (Or at least not authenticating.)

Win2003 DCs use/require SMB-signing by default but
I do not think that ordinary servers require this -- so you
might double check that (or upgrade all of your legacy
machines with all Service Packs AND the DSClient
upgrade in preparation for one day having a Win2003
domain).

Would I be correct in assuming that 2003 cannot act as a member server
in an NT4 domain, similar to the old BDC method, but can only join a
domain?
No it can.

Next most likely problem is name resolution.

You didn't disable NetBIOS did you? You don't
have multiple subnets do you? (If so you need
WINS server.)
 

Josh Davis

Herb, I am using Windows 2003 Server Standard. From what you indicate
it should be possible for clients to auth against the 2003 server
when it is joined to our NT4 domain.

I agree that it is more than likely not authenticating. Is SMB-signing
a service that runs on the 2003 box? Can you point me in the right
direction for things to check.

When I go to share a folder for example on the 2003 box I can access
the user list from the NT4 DC without problem.

Any additional help would be most welcome.

Thanks for your time.

Josh.
 

Ryan Hanisco

Josh,

As to SMB signing, take a look at
http://support.microsoft.com/default.aspx?scid=kb;en-us;887429

You don't seem to be clear as to whether the 2003 server is a member server
or a DC in your NT4 domain. You mention authenticating against it and you
seem to describe symptoms that sound as though it is running a separate
domain.

With it running as a member with no AD, it should be very simple to share a
print resource with NT permissions against it. SMB shouldn't interfere with
printing, but it sounds like the security token isn't being generated
correctly.

So how did you join this server to the domain? Is it a member or a DC?
What is your DNS like?
 

Herb Martin

Ryan Hanisco said:
Josh,

As to SMB signing, take a look at
http://support.microsoft.com/default.aspx?scid=kb;en-us;887429

You don't seem to be clear as to whether the 2003 server is a member server
or a DC in your NT4 domain. You mention authenticating against it and you
seem to describe symptoms that sound as though it is running a separate
domain.
No, he was clear about that -- it is a server in his
NT 4 domain.

I suggested a common problem is the failure of the
machine (or the other clients) to authenticate with
the domain.

Either way, his clients might not get access to it,
but if this is the only 'server' that is giving him
trouble it is likely this machine which is at fault
if authentication is the cause.
With it running as a member with no AD, it should be very simple to share a
print resource with NT permissions against it.
If it has authenticated itself and is thus able to accept
authentication from others in the domain.
SMB shouldn't interfere with
printing, but it sounds like the security token isn't being generated
correctly.
Sure it will -- two ways. SMB is the protocol used
for carrying both the authentication packets AND the
sharing of Drives and Printers.
So how did you join this server to the domain? Is it a member or a DC?
What is your DNS like?
It's a member according to his initial message.

DNS is a likely cause of his authentication problems,
or perhaps WINS server if he has more than one subnet.
 

Herb Martin

Josh Davis said:
Herb, I am using Windows 2003 Server Standard. From what you indicate
it should be possible for clients to auth against the 2003 server
when it is joined to our NT4 domain.
Not being a domain controller I don't think it
requires the signing, but if so Ryan (in his post in
this thread) suggested an article about it.

I agree that it is more than likely not authenticating. Is SMB-signing
a service that runs on the 2003 box? Can you point me in the right
direction for things to check.
SMB signing isn't really a service, just a setting
and capability on the SMB protocol used for
authentication packets and File/Print sharing.

I think only Win2003 DCs require this but shoot,
maybe regular servers do too.

You can set it on the LGPO (or in the registry).
If you don't find the settings mentioned in the article
Ryan suggested try this Google search and let me know
if you don't find it, Google:

[ site:Microsoft.com SMB signing 2003 ]
When I go to share a folder for example on the 2003 box I can access
the user list from the NT4 DC without problem.
That sounds like it IS authenticating.

What about if you try to access the resource from
the NT DC (we are pretty sure that the server is
authenticating with the DC).

Any additional help would be most welcome.
Which clients give you trouble? What error specifically?

It could be the CLIENT is not authenticating even.

NT with SP6+ should be able to use SMB-signing
so this still might be the difference if your machines
have different SP levels.

What happens when you try these commands
(from the trouble client AND from the PDC if they
don't work):

net use * \\serverName\ShareName

net use * \\serverName\ShareName * /user:Domain\username

IF the first fails and the second works then you
likely have a CLIENT authentication problem
(where the client machine isn't really authenticating
against the DC but the explicit credentials work.)

If these both fail, try these:

net use * \\serv.IP.Add.ress\ShareName

net use * \\serv.IP.Add.ress\ShareName * /user:Domain\username

Put in the server address for each of the same commands
from before....

Report exact error messages.

If none of that works, ping the server and the PDC
and report results.
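The four-command test above lends itself to a small script. The following PowerShell is an added example, not code from the thread: it runs the same probes (implicit then explicit credentials, by name and then by IP) and prints which of the three outcomes Herb describes applies. The server name, IP, share and DOMAIN\user are assumed inputs supplied by whoever runs it on the troubled client.

```powershell
# Added example, not code from the thread: automates the "net use" matrix Herb
# describes (implicit vs explicit credentials, by name vs by IP) and reports
# which of his outcomes it matches. Run it on the client that has trouble.
# Assumed inputs (not from the thread): the server's NetBIOS name, its IP
# address, a share on it, and a DOMAIN\user account that exists on the PDC.
param(
    [Parameter(Mandatory)] [string]$Server,     # e.g. PRINTSRV
    [Parameter(Mandatory)] [string]$ServerIp,   # e.g. 192.0.2.10 (placeholder)
    [Parameter(Mandatory)] [string]$Share,      # e.g. a file share on the server
    [Parameter(Mandatory)] [string]$DomainUser  # e.g. NT4DOM\jdavis
)

# One probe. Empty $User = the credentials of the current logon session;
# otherwise "*" makes net use prompt for the password, so name AND password
# are both supplied explicitly, as Herb insists. The connection is made
# without a drive letter so it can be removed again by its UNC path.
function Test-NetUse {
    param([string]$Unc, [string]$User = '')
    if ($User) { $out = & net use $Unc '*' "/user:$User" 2>&1 }
    else       { $out = & net use $Unc 2>&1 }
    $ok    = ($LASTEXITCODE -eq 0)
    $label = if ($User) { "$Unc as $User" } else { "$Unc with current logon" }
    if ($ok) {
        Write-Host "OK      $label"
        & net use $Unc /delete /y | Out-Null     # clean up the test connection
    } else {
        Write-Host "FAILED  $label -> $($out -join ' ')"
    }
    return $ok
}

$byName = "\\$Server\$Share"
$byIp   = "\\$ServerIp\$Share"

# Step 1: by name, implicit then explicit credentials.
$nameImplicit = Test-NetUse $byName
$nameExplicit = Test-NetUse $byName $DomainUser

# Step 2: only if both by-name probes fail, repeat by IP address.
$ipImplicit = $ipExplicit = $false
if (-not ($nameImplicit -or $nameExplicit)) {
    $ipImplicit = Test-NetUse $byIp
    $ipExplicit = Test-NetUse $byIp $DomainUser
}

Write-Host ""
if ($nameImplicit) {
    Write-Host "Verdict: the share opens with the current logon; SMB authentication is fine."
} elseif ($nameExplicit) {
    Write-Host "Verdict: explicit DOMAIN\user works but the current logon does not:"
    Write-Host "         CLIENT authentication problem (this session is not a domain logon)."
} elseif ($ipImplicit -or $ipExplicit) {
    Write-Host "Verdict: reachable by IP but not by name: NetBIOS name resolution"
    Write-Host "         (WINS / subnet) problem rather than authentication."
} else {
    Write-Host "Verdict: every probe failed; check basic connectivity first."
    $up = Test-Connection -ComputerName $ServerIp -Count 2 -Quiet
    Write-Host "         ping $ServerIp reachable: $up"
    Write-Host "         Also ping the PDC and check the server's Security event log."
}
```

Run it once from the troubled client and, if everything fails there, once more from the PDC, as Herb suggests; the two verdicts together separate a client-side logon problem from a server-side one.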
 


Josh Davis

Hi again Herb. I played with this problem for a bit
again today.

To re-cap here is what I did and have discovered.

Have an NT4 DOMAIN with one DC and 3 BDCs.

Joined the Windows 2003 server to the domain as
follows. Under system network identification I
switched the 2003 server from workgroup mode to
Member of a domain. Passed the correct credentials
to the NT4 DC; the DC accepted and said welcome to the domain.
Rebooted the 2003 Server and logged into the domain. The account
on my 2003 server matches the Administrator account on the NT4 DC.

Was able to browse shared objects in the NT4 Domain without problem.

Proceeded to set up shared printers on the 2003 server. I am able
to see these shared printers from the NT4 DC and PDCs without
problem.

Users in the NT4 domain running Windows 2000 and XP cannot access
the shared printers on the 2003 server.

Note the XP/2K users do not log into the domain as such.
They are configured for workgroup mode. Their local user accounts
match accounts on the NT4 DC. This way they can use our file server,
which is the actual NT4 DC, and shared printers on the NT4 BDCs.

I looked at the security settings that pertain to SMB and see that
they are set to default on the 2003 server.

I checked the event viewer on the 2003 server under security. I can
see where users failed to auth on the 2003 server. The event viewer
error code reported that the account did not exist on the 2003 server.

What appears to have happened is that the 2003 server is not
contacting the NT4 DC to verify users and accounts, or these domain
accounts are not getting propagated to the 2003 server...

Any other insight ... ? This is becoming weirder by the minute.

Thanks for the help so far.

Josh..
 

Josh Davis

BTW the NT4 DC and PDC have got the latest
service packs installed.

Thanks again Josh.
 

Herb Martin

Josh Davis said:
Hi again Herb. I played with this problem for a bit
again today.

To re-cap here is what I did and have discovered.

Have an NT4 DOMAIN with one DC and 3 BDCs.
That's PDC (and 3 BDCs)
Joined the Windows 2003 server to the domain as
follows. Under system network identification I
switched the 2003 server from workgroup mode to
Member of a domain. Passed the correct credentials
to the NT4 DC; the DC accepted and said welcome to the domain.
Rebooted the 2003 Server and logged into the domain. The account
on my 2003 server matches the Administrator account on the NT4 DC.
I assume you mean you logged on at the Win2003
Server USING your NT4 domain account...

(Different accounts "matching" would be an entirely
different thing and likely not work as expected.)
Was able to browse shared objects in the NT4 Domain without problem.
Implies you used your Domain account (admin.)
Proceeded to set up shared printers on the 2003 server. I am able
to see these shared printers from the NT4 DC and PDCs without
problem.
See meaning "browse" for them?
Users in the NT4 domain running Windows 2000 and XP cannot access
the shared printers on the 2003 server.
Cannot access them (explicitly) or cannot "see" them
to try?

So why didn't you run the commands I gave you
to try? (And report errors/results explicitly.)
Note the XP/2K users do not log into the domain as such.
Well there is your main problem.
They are configured for workgroup mode. Their local user accounts
match accounts on the NT4 DC.
Irrelevant.

This way they can use our file server,
which is the actual NT4 DC, and shared printers on the NT4 BDCs.
That doesn't work as I remember -- (There is a feature
like this for WORKGROUPS (only), no Domain involved.)

But it's the wrong way to do it even if it does work.

Also note, you won't be able to browse resources unless
the workgroup name is the same as the Domain name
(usually).

Make the XP computers domain members and switch
the users to their domain account (take away the local
account so they cannot use it.)

You might want to save their profiles for transfer to
their new account.
I looked at the security settings that pertain to SMB and see that
they are set to default on the 2003 server.
It's probably irrelevant. You need the computers
and users in the domain.
I checked the event viewer on the 2003 server under security. I can
see where users failed to auth on the 2003 server. The event viewer
error code reported that the account did not exist on the 2003 server.

What appears to have happened is that the 2003 server is not
contacting the NT4 DC to verify users and accounts, or these domain
accounts are not getting propagated to the 2003 server...

Any other insight ... ? This is becoming weirder by the minute.

--
Herb Martin
 

Josh Davis

Herb, here are the results of the commands you gave me.

I tried these from an XP machine.
net use * \\serverName\ShareName
Reports password or user name is invalid.
Did not give option to enter a user name, only a password.
net use * \\serv.IP.Add.ress\ShareName * /user:Domain\username
Worked.

I passed the user name and password of another account, not the admin
account, that resides on the NT4 PDC, and what looked like a mapped
network drive was created on the client.

Was able to browse the list etc.

It looks like auth against the PDC is working as the user account used
did not exist on the 2003 server but only on the NT4 PDC.

One more thing. I fired up an old Win98 PC that was logged into the NT4
domain and was able to see the shared resources on the 2003 server.

Looks like the problem is only with the Win2K and XP based PCs.

Any other insight?


Thanks.... Josh.
 

Herb Martin

I tried these from an XP machine.
Reports password or user name is invalid.
Did not give option to enter a user name, only a password.
Don't give either -- if you give one you must give
both.
Ok, user CAN authenticate and use resources, but
in the previous one you didn't prove the user could
or could not do that by default (with CURRENT
logon credentials.)
I passed the user name and password of another account, not the admin
account, that resides on the NT4 PDC, and what looked like a mapped
network drive was created on the client.
Could you access it? Dir, Copy con m:\t.txt, etc. ?
Was able to browse the list etc.
Browsing is a SEPARATE issue (NetBIOS, maybe
even WINS servers and clients) from authentication.
It looks like auth against the PDC is working as the user account used
did not exist on the 2003 server but only on the NT4 PDC.
Doesn't matter anyway if you give the username the
way I showed you: DomainName\Username

This refers ONLY to a domain account.
One more thing. I fired up an old Win98 PC that was logged into the NT4
domain and was able to see the shared resources on the 2003 server.

Looks like the problem is only with the Win2K and XP based PCs.
If it is "seeing shares" then tell me if these are true:

All machines are domain members OR use same workgroup name

All machines are on SAME subnet OR you have a WINS server

(If you have WINS server):
All machines, including SERVERS are WINS clients
Any other insight.
Separate "See" as in browse from Authenticate.

They are unrelated.
 


Josh Davis

Herb
Could you access it? Dir, Copy con m:\t.txt, etc. ?
Was able to access the shared resource on the 2003 server.
I could access a txt file I had in there. Could write.

Had default permissions set via "Everyone" ... write, read.

When I say browse, I mean access the shared resource via the GUI.

So what do you make of it? All PCs on the same subnet; each has WINS.

Weird...

Thanks ... Josh...
 

Josh Davis

More details

If it is "seeing shares" then tell me if these are true: OK

All machines are domain members OR use same workgroup name
2K/XP clients are configured in workgroups. Clients' user id and
password match accounts on the PDC. This way they can access
our file server and print servers which are part of the NT4 domain.

The WINS & DHCP server is part of a workgroup, "win 2000 Server",
not logged into the domain or a domain member.

There are many workgroups, but only one domain.

Clients + servers register with WINS without problem.
WINS server info is passed to the clients via DHCP.

All machines are on SAME subnet OR you have a WINS server
Yes, all on the same subnet. Have a Windows 2000 Server based WINS
server.
(If you have WINS server):
All machines, including SERVERS are WINS clients
Yes, they register OK with WINS.

One other thing: if clients have permissions set on our file server,
which is the NT4 PDC, they can access these shared resources OK.
The clients are Win9x, 2K, XP... No problems in accessing
the shares or printers.

Thanks .... Josh
 

Herb Martin

Josh Davis said:
More details

2K/XP clients are configured in workgroups. Clients' user id and
password match accounts on the PDC. This way they can access
our file server and print servers which are part of the NT4 domain.
Join them to the domain.
The WINS & DHCP server is part of a workgroup, "win 2000 Server",
not logged into the domain or a domain member.

There are many workgroups, but only one domain.

Clients + servers register with WINS without problem.
WINS server info is passed to the clients via DHCP.

Yes, all on the same subnet. Have a Windows 2000 Server based WINS
server.
Then WINS server is mostly irrelevant but since
you HAVE it make EVERY machine a WINS client
(in NIC properties) including servers.
 

Herb Martin

Josh Davis said:
Herb


Was able to access the shared resource on the 2003 server.
I could access a txt file I had in there. Could write.

Had default permissions set via "Everyone" ... write, read.

When I say browse, I mean access the shared resource via the GUI.
That's not a good test of access -- especially
authentication problems.

I gave you the Net Use commands and you decided
to do them differently and then last message I told
you that the way I gave them was necessary but you
don't report re-trying that.

Log on as Username in Domainname then try:

net use * \\Servername\Sharename

When you said that this works:
net use * \\Servername\Sharename * /user:Domainname\Username

If the latter works and the first fails you pretty
much know you have an authentication issue.
 

Josh Davis

On Wed, 23 Feb 2005 21:52:00 -0600, "Herb Martin"
domain. The users will no longer be in workgroups. They are used to
working in workgroups.

If I am not mistaken, when all users are in the domain their computer
names will appear under the domain name via network browsing. With
200 client computers this is not a good solution. The object list
would be too long.

If it was possible to join the clients to the domain and preserve
their actual workgroups I would have done this. Joining all servers
to the domain is no problem. I can add in the dhcp / wins server.

I shall explore some other avenues to try to resolve the problem and
let you know what I find.

Thanks for the help and insight.

Josh..
 


Herb Martin

Josh Davis said:
On Wed, 23 Feb 2005 21:52:00 -0600, "Herb Martin"
domain. The users will no longer be in workgroups. They are used to
working in workgroups.
It's a poor practice -- it is the source of your
problems.

You can treat the users as a workgroup if you
wish but then there is little point in having a domain.
If I am not mistaken, when all users are in the domain their computer
names will appear under the domain name via network browsing. With
200 client computers this is not a good solution. The object list
would be too long.
They will appear IF the machines offer shares.

But they will also appear if the DOMAIN name
and the WORKGROUP are the same.

There are also registry settings to turn this off.

You could also run it as two domains (you have another
server already) and use explicit (external) trusts.
If it was possible to join the clients to the domain and preserve
their actual workgroups I would have done this. Joining all servers
to the domain is no problem. I can add in the dhcp / wins server.
The domain issue is the source of your problems.
I shall explore some other avenues to try to resolve the problem and
let you know what I find.
Ok.
 


Josh Davis

Hi Herb, I have resolved the problem and all is working
OK.

See inline comments.

if I join all machines to the
domain. The users will no longer be in workgroups. They are used to
working in workgroups.
It's a poor practice -- it is the source of your
problems.

You can treat the users as a workgroup if you
wish but then there is little point in having a domain.
Not really true. This depends on the network setup.
For example, if you want to preserve what end users
are used to then the workgroup model works well.

In my setup they have both. Local access and domain
access all via one account on the client PC. There
is no need to log onto the domain per se.

All that is needed is permission to access a domain
resource. Since our permissions only allow access
to printing and a file server our solution works
very well.

Now to the browsing issue. The network components have changed
since NT4. In 2K/3K server there is a quirk; MS called it a bug
of sorts on the phone today.

In a nutshell this is it. To access a shared resource on
a 2K/3K machine that is joined to an NT4 domain one needs to
tell the 2K/3K box that the permission to access the shared resource
is contained on the PDC. The problem is that the 2K/3K server looks
first to local accounts on the respective server but not the domain
controller.

To get around this all a user has to do is as follows. Click on the
shared object under My Network Places or enter the path \\ to whatever
server.

Once the dialog box pops up they enter their user name like so:

Username: domainname\username
Password: password

So if user steveb with a password of 1234 had access permissions on
an NT4 PDC in the domain dc77 and wished to access the shared resource
on a 2003 server that was joined to the NT4 domain, they would enter
the info in the dialog box as follows:

Username: dc77\steveb
Password: 1234

That's how to make it work.

Josh.
 