Windows 2000 AD / NT 4.0 Account Operators

Jake

We currently have a Windows 2000 AD domain. Our parent company is
still on an NT 4.0 domain structure. We have a 2-way external trust
between us. They needed control over AD account administration so we
added them to the Account Operator group. Everything is working, but
every time they create a new user they get the following error:

Windows cannot verify that the user name is unique because the
following error occurred while contacting the global catalog: Logon
Failure: unknown user name or bad password

Windows will create the user account, but the user can log on only after
the user name is verified to be unique. Make sure the global catalog
is available.

We have 2 domain controllers and both have a copy of the GC.

Any ideas?
 
Jorge_de_Almeida_Pinto

We currently have a Windows 2000 AD domain. Our parent company is
still on an NT 4.0 domain structure. We have a 2-way external trust
between us. They needed control over AD account administration so we
added them to the Account Operator group. Everything is working, but
every time they create a new user they get the following error:

Windows cannot verify that the user name is unique because the
following error occurred while contacting the global catalog: Logon
Failure: unknown user name or bad password

Windows will create the user account, but the user can log on only after
the user name is verified to be unique. Make sure the global catalog
is available.

We have 2 domain controllers and both have a copy of the GC.

Any ideas?

May sound like a DNS-related problem.

Check the event logs of the DCs and run DCDIAG /V on each to see what
might be wrong.
 
Jake

All of the DCs on our domain passed (cannot speak for our parent
company's DCs). I'm not sure, but I believe that there might be a
problem with the way an account from an externally trusted domain
authenticates to our GC when they create a new user via the MMC. We
created a test account on our domain and tested account creation via
MMC and everything worked fine (no errors). I've also tested doing a
standard delegation (not using the Account Operators - Local group) -
same error. Is there an issue with adding accounts to the Account
Operators group from an externally trusted domain?
 
Manny Borges

Are you adding accounts or a global group from the external domain?


--
Manny Borges
MCSE NT4-2003 (+ Security)
MCT, Certified Cheese Master

The pen is mightier than the sword, and considerably easier to write with.
-- Marty Feldman
 
