Make 2003svr a DC+NT4 Servers=NT4 get denied access!

[burnsl]

Our network is ancient.

We have NT4 servers
windows 2000 servers

and now...

We got a new server and our 2003 exchange enterprise edition
agreement.

I installed 2003 STD server, and made it a domain controller.
Later, I started the process of prepping the AD environment and
reaized that i needed to expand the AD to include some new 2003 server
objects.

I did so, and all seemed fine.

I then took a script that would complete the process of prepping the
AD structure to accept exchange 2003.

however this script also ran, (for some ungodly reason) then GPOFIX
tool!!!!

this reset the GPO to default, but for 2003? or 200? i dunno.

Bottom line is, my NT4 servers cannot authenticate to the PDC_emulator
anymore.

they get access denied if i browse to the server and try to open it
from network neigborhood on a NT4 box.

from the 2000 servers i can freely expand all folders on the NT4
boxes, but not from NT4 to the 2000 PDC_EMU.

Our production mail server runs on one of these NT4 systems and noone
can login to the exchange server.

i cant beleive i did this.

 

[Enkidu]

Our network is ancient.

We have NT4 servers
windows 2000 servers

and now...

We got a new server and our 2003 exchange enterprise edition
agreement.

I installed 2003 STD server, and made it a domain controller.
Later, I started the process of prepping the AD environment and
reaized that i needed to expand the AD to include some new 2003 server
objects.

I did so, and all seemed fine.

I then took a script that would complete the process of prepping the
AD structure to accept exchange 2003.

however this script also ran, (for some ungodly reason) then GPOFIX
tool!!!!

this reset the GPO to default, but for 2003? or 200? i dunno.

Bottom line is, my NT4 servers cannot authenticate to the PDC_emulator
anymore.

they get access denied if i browse to the server and try to open it
from network neigborhood on a NT4 box.

from the 2000 servers i can freely expand all folders on the NT4
boxes, but not from NT4 to the 2000 PDC_EMU.

Our production mail server runs on one of these NT4 systems and noone
can login to the exchange server.

i cant beleive i did this.

Are you saying that you took a member server in an NT Domain
and made it a Windows 2003 DC? If it was NOT the PDC of the
NT4 Domain at the time, then it is no longer part of the
same NT4 Domain.

Cheers,

Cliff

 

[burnsl]

Are you saying that you took a member server in an NT Domain
and made it a Windows 2003 DC? If it was NOT the PDC of the
NT4 Domain at the time, then it is no longer part of the
same NT4 Domain.

Cheers,

Cliff

No...

I installed a new 2003 server and one of the funtions of the script
that i used was to reset the GPO to default for 2003.

Dont ask me why i did that.

As a result at least two things got elevated to a level that made NT4
incompatible.

1) the Policy object: send LM & NTLM responses was set to NTLM only.
2) use a secure encrypted channel (always) was set.

these two elevated the security beyond NT4s abilities.

I have reset these and after a hour regained access to NT4 servers.

Its all working now.