NT4 Client Win2K3 AD Domain

Rob Humphrey

About 6 months ago we upgraded our domain from NT4 to Windows 2003.
Everything went fine and it has been solid. We have only 3 NT4 servers left
and everything else is either Windows 2000 or 2003. We also run Exchange
2003 and we are a single domain in Windows 2003 Native Mode. Yesterday,
a user called and stated they no longer have access to a share on one of our
few remaining NT4 servers. I went and looked at the permissions and the user
account is listed as "Account Unknown" followed by the SID. You can
browse the directory and add permissions to shares, this will also display
correct object names. Once you add a user to the share and close the dialog
box, if you reopen the same dialog box the account name that could be
resolved a few seconds ago immediately shows "Account Unknown". This
share and permission problem happens only on NT clients and servers. No
other OS is affected and every other network service is fine. The event
viewers on all machines do not give any errors and I'm running out of ideas.
All servers reside in one domain and use our internal DNS servers and two
external WINS servers. I have verified the secure channel with Netdom and
have removed a machine from the domain and readded it with no change. I
don't know what the problem is, has anyone ever seen this before?

Thanks,

Rob Humphrey
 
Terry Liu [MSFT]

Hi Rob,

When you attempt to assign permissions to users in a trusted domain, the
permissions for the user accounts in the trusted domain appear as "account
unknown". This behavior can occur for the following reasons:

· The trust between the domains has been broken.
· NT servers cannot resolve user account names.
· SID configuration is corrupted.

I would like to offer you several suggestions below:

· Installing the latest version of Active Directory clients on the NT 4
member servers might be helpful:
http://www.microsoft.com/ntworkstation/downloads/Other/adclient.asp
· Re-join the NT machines to the current domain to check the issue again.
· Configure the "Network access: Allow anonymous SID/Name translation"
security setting to Enabled under Windows Settings -> Security Settings ->
Local Policies -> Security Options. In Windows Server 2003, configure this
setting on the default domain controller's policy and any other
organizational unit that hosts computers that must have this configuration.

If the NT 4 is a BDC, please refer to this Knowledge Base article: 275221
Trusts Are Unavailable on Backup Domain Controllers After Upgrading the --
http://support.microsoft.com/?id=275221

Hope this addresses your concern!

Best regards,

Terry Liu
MCSE 2K MCSA MCDBA CCNA
Microsoft Online Support Engineer

Get Secure! - <www.microsoft.com/security>
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
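
Added example (not part of the original thread or of Microsoft's reply): a Python check that reads `secedit /export /cfg` output collected from each domain controller and lists the machines where "Network access: Allow anonymous SID/Name translation", stored in the template as `LSAAnonymousNameLookup` under `[System Access]`, is not enabled. The host names and file contents are constructed samples.

```python
# Added example: audit secedit exports for the anonymous SID/Name translation
# setting. Host names and export contents below are constructed samples.

SETTING = "LSAAnonymousNameLookup"  # template key in the [System Access] section


def read_system_access(raw: bytes) -> dict:
    """Return the key/value pairs of [System Access] from a secedit export."""
    # Exports are commonly UTF-16 with a BOM; fall back to ANSI otherwise.
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("cp1252")
    section, values = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INF comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "system access" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def lookup_state(raw: bytes) -> str:
    """Classify the setting as 'enabled', 'disabled' or 'not defined'."""
    value = read_system_access(raw).get(SETTING.lower())
    if value is None:
        return "not defined"
    return "enabled" if value == "1" else "disabled"


def hosts_needing_change(exports: dict) -> list:
    """Hosts whose export does not show the setting as enabled."""
    return sorted(h for h, raw in exports.items() if lookup_state(raw) != "enabled")


_TEMPLATE = ("[Unicode]\r\nUnicode=yes\r\n[System Access]\r\n"
             "MinimumPasswordAge = 1\r\nLSAAnonymousNameLookup = 1\r\n"
             "[Version]\r\nsignature=\"$CHICAGO$\"\r\n")
SAMPLE_EXPORTS = {  # constructed: one export per (hypothetical) domain controller
    "DC01": _TEMPLATE.encode("utf-16"),
    "DC02": _TEMPLATE.replace("Lookup = 1", "Lookup = 0").encode("cp1252"),
    "DC03": b"[System Access]\r\nMinimumPasswordAge = 1\r\n",
}

if __name__ == "__main__":
    for host in hosts_needing_change(SAMPLE_EXPORTS):
        print(host, lookup_state(SAMPLE_EXPORTS[host]))
```
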
 
