Strange authentication problem on windows 2000 member servers.

[Guest]

I had a problem this morning with three member servers in a domain in my
forrest. They could not authenticate any user account in a diffrent domain in
the forrest but could authenticate there own domain when logging into the
server. the DC's could do so without problem. The servers could also
authenticate if you just wanted to access a file share. I removed them from
the domain and readded them and the problem went away. I am wondering if
anyone has any idea's what might have cuased the problem?

 

[Herb Martin]

I had a problem this morning with three member servers in a domain in my
forrest. They could not authenticate any user account in a diffrent domain in
the forrest but could authenticate there own domain when logging into the
server. the DC's could do so without problem. The servers could also
authenticate if you just wanted to access a file share. I removed them from
the domain and readded them and the problem went away. I am wondering if
anyone has any idea's what might have cuased the problem?

Probably authentication which is...

Most likely is a DNS issue -- either/both the DC or client (your
'server' in this case is the client) side.

DNS for AD
1) Dynamic for the zone supporting AD
2) All internal DNS clients NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2
4) If you have more than one Domain, every DNS server must
be able to resolve ALL domain (either directly or indirectly)

Restart NetLogon on any DC if you change any of the above that
affects a DC and/or use:

nltest /dsregdns /serverC-ServerNameGoesHere

Ensure that DNS zones/domains are fully replicated to all DNS
servers for that (internal) zone/domain.

Also useful may be running DCDiag on each DC, sending the
output to a text file, and searching for FAIL, ERROR, WARN.

Single Lable domain zone names are a problem Google:
[ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]