member server authentication

gary meyer

I recently demoted a Win2k DC to a member server to run a
specific application and to use for network shares. After
the demotion I noticed that I could no longer access the
shares using domain accounts; I had to actually add the
user accounts to the local server. I still have 2 DCs in
the domain. Correct me if I am wrong, but shouldn't the
member server still authenticate using the domain security?

How do I get the member server to authenticate via the
domain user accounts?
 
Keith W. McCammon

Is it still a member of the domain? Does it appear in the users and
computers list, and is the computer account active?
 
gary meyer

Yes, it is still a member and it does show up in the
computers list.

Funny thing is I can logon locally with accounts in the
domain admins group just fine. It seems to only be when I
access via the network. I have this server in the same OU
as the DC's so it is using the same gp and I am not having
the problem on the DC's. This problem only started since I
demoted from a DC to a member server.
 
Steven L Umbach

Yes it should. Make sure that it is pointing to another AD domain controller
running DNS as its preferred DNS server; it may have been pointing to itself
when it was a DC and that will not work anymore. Looking in Event Viewer for
any errors and running netdiag on it looking for failed tests or
errors/warnings, particularly about DC list, DNS, and secure channel, can also
help figure out the problem. --- Steve
 
Keith W. McCammon

That's probably the issue. Try moving the system from the DC OU into the OU
that contains the rest of your member servers. I'm just guessing, but my
money is on a group policy issue. If the server is in the DC OU, then the
domain controller policy applies. And since it's no longer a DC, I suspect
that this is complicating your situation.
 
Gary Meyer

Steve,

OK, I ran the netdiag utility and below is the output. I
xxx the server names just to keep them private, but they
are all the correct servers. FYI, the domain I run is a
downlevel domain from the forest, meaning I am only a user
when it comes to establishing the forest and the domains.
My DCs do not run DNS, as that is done by the central ITS
folks. I have reserved IP addresses via DHCP and I keep the
TCP/IP setting to DHCP. My domain has 2 DCs plus the one
member server.

Z:\>netdiag

.......................................

Computer Name: xxxxx
DNS Host Name: xxx.xxx.xxx.xxx
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 6 Model 7 Stepping 3,
GenuineIntel
List of installed hotfixes :
KB329115
KB820888
KB822831
KB823182
KB823559
KB823980
KB824105
KB824141
KB824146
KB825119
KB826232
KB828028
KB828035
KB828749
KB829558
Q147222
Q816093
Q818043
Q828026


Netcard queries test . . . . . . . : Passed



Per interface results:

Adapter : Local Area Connection

Netcard queries test . . . : Passed

Host Name. . . . . . . . . :
IP Address . . . . . . . . :
Subnet Mask. . . . . . . . : 255.255.248.0
Default Gateway. . . . . . :
Dns Servers. . . . . . . . : xxx.xx.xxx.xxx
xxx.xx.xxx.xxx


AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed

WINS service test. . . . . : Skipped
There are no WINS servers configured for this
interface.


Global results:


Domain membership test . . . . . . : Passed


NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{BA2B5BA1-B164-4634-8958-B4922293EF9C}
1 NetBt transport currently configured.


Autonet address test . . . . . . . : Passed


IP loopback ping test. . . . . . . : Passed


Default gateway test . . . . . . . : Passed


NetBT name test. . . . . . . . . . : Passed


Winsock test . . . . . . . . . . . : Passed


DNS test . . . . . . . . . . . . . : Passed


Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{BA2B5BA1-B164-4634-8958-B4922293EF9C}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{BA2B5BA1-B164-4634-8958-B4922293EF9C}
The browser is bound to 1 NetBt transport.


DC discovery test. . . . . . . . . : Passed


DC list test . . . . . . . . . . . : Passed


Trust relationship test. . . . . . : Passed
Secure channel for domain 'ASHNET' is
to '\\xxxx.xxxx.xxxx.xxxx.


Kerberos test. . . . . . . . . . . : Passed


LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on
DC 'xxxx.xxxx.xxxx.xxxx
[WARNING] Failed to query SPN registration on
DC 'xxxx.xxxx.xxxx.xxxx


Bindings test. . . . . . . . . . . : Passed


WAN configuration test . . . . . . : Skipped
No active remote access connections.


Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Passed
IPSec policy service is active, but no policy is
assigned.


The command completed successfully

Z:\>
 
Guest

Keith,

I moved the member server into a different OU and I am still having the problem.

Once again, very strange that I can log on with a domain account but cannot get to the shares via the network.
 
Steven L Umbach

Hi Gary.

Hmm. Everything looks good except for "[WARNING] Failed to query SPN registration on"
in the LDAP test, but I don't know if that would be the problem according to the KB
listed below. What happens when a domain user tries to access a share? Do they get a
credentials box or access denied? Can you access the administrative share while
logged onto another computer as a domain administrator? Check the membership of the
local users group to make sure that the domain users group for your domain is
included and that the shares/NTFS permissions have proper group permissions. I can't
think of much else offhand. You may also want to post in the win2000.active_directory
newsgroup including your netdiag results. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;297384
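
A small parser for the kind of netdiag output posted in this thread: it flags failed tests and bracket-tagged warnings, and sorts the areas Steve names (DC list, DNS, secure channel) first. This is an added example, not part of the original thread; the sample text is constructed and the function names are hypothetical.

```python
import re

# "Test name . . . . : Passed|Failed|Skipped" result lines.
RESULT = re.compile(r"^\s*(.+?)[\s.]*:\s*(Passed|Failed|Skipped)\s*$")
# Detail lines that start with a bracketed tag such as [WARNING].
TAGGED = re.compile(r"^\[(\w+)\]")
# Areas named in the thread; the secure channel line sits under the trust test.
FOCUS = ("dc list", "dns", "trust relationship")

# Constructed sample modelled on the output in this thread (names are made up).
SAMPLE = r"""
Domain membership test . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Failed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Passed
Secure channel for domain 'EXAMPLE' is to '\\dc1.example.test'.
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'dc1.example.test'.
WINS service test. . . . . : Skipped
There are no WINS servers configured for this interface.
"""

def parse_netdiag(text):
    """Return one dict per test; following lines are attached as details."""
    tests = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RESULT.match(line)
        if m:
            tests.append({"name": m.group(1), "status": m.group(2), "details": []})
        elif tests:
            tests[-1]["details"].append(line)
    return tests

def triage(tests):
    """List tests that failed or carry tagged details, focus areas first."""
    findings = []
    for t in tests:
        tagged = [d for d in t["details"] if TAGGED.match(d)]
        if t["status"] == "Failed" or tagged:
            focus = any(k in t["name"].lower() for k in FOCUS)
            findings.append((t["name"], t["status"], focus, tagged))
    return sorted(findings, key=lambda f: (not f[2], f[0]))

if __name__ == "__main__":
    for name, status, focus, tagged in triage(parse_netdiag(SAMPLE)):
        print(("PRIORITY " if focus else "check    ") + f"{name}: {status}", *tagged)
```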

