Thanks for your reply Ace. I was thinking about making the changes to the
default domain controllers gpo when I started but after thinking about what
I was trying to do here I decided to experiment with the settings on the one
box at first and later on I could copy the final results to the domain
controllers gpo. I ended up increasing the security a bit and things are
still working ok. I changed Domain Member: digitally encrypt or sign secure
channel data back to enabled as well as changed the Network Security: LAN
manager authentication level to "lm & ntlm, ntlmv2 if negotiated".
Everything is running fine and I'll make those changes to the default DC
policy now.
-David
"Ace Fekay [MVP]"
<PleaseSubstituteMyActualFirstName&LastNameHere@hotmail.com> wrote in
message news:uB1K$(E-Mail Removed)...
> In news:(E-Mail Removed),
> David.B <(E-Mail Removed)> posted their thoughts, then I offered
> mine
> > We have a network with a 2000 DC and various clients including 98 up
> > to XP as well as an AS/400 server. When I installed the 2003 server
> > and promoted it to a DC, some 98/ME clients could not log into the
> > domain. If I unplugged the 2003 DC from the network, they were able
> > to log in fine. Since then I have relaxed some of the default
> > security settings in the local group policy.
> >
> > MS NET SVR: digitally sign communications (always) -changed from
> > enabled to disabled but left the (if client agrees) enabled.
> > MS NET CLIENT: digitally sign communications (always) -changed from
> > enabled to disabled but left (if server agrees) enabled.
> > Network Security: LAN manager authentication level -changed from ntlm
> > to "lm and ntlm"
> > Domain Member: digitally encrypt or sign secure channel data
> > (always) -changed from enabled to disabled (left the "when possible"
> > settings enabled).
> >
> > After applying these changes and doing a gpupdate /target:computer, I
> > still couldn't contact computers in the domain, as400, 98, xp, server
> > 2000 ... didn't matter! The ONLY computer I could communicate with
> > from this 2003 server was another DC! (and I used replmon to make
> > sure I was replicating successfully) To further complicate or
> > confuse, any of the 98 clients on up could see the 2003 server and
> > connect to the sysvol or other file shares. During all of this
> > troubleshooting, not one entry showed up in the application, security
> > or system logs on the 2003 or any of the other computers although I
> > was being denied access to network computers with the following
> > message: "<computername> is not accessible. You might not have
> > permission to use this network resource. Contact the administrator of
> > this server to find out if you have access permissions. The account
> > is not authorized to log in from this station."
> >
> > After searching around newsgroups for a while coming up empty handed,
> > I rebooted as a last resort and to my amazement I could connect! I
> > guess a group policy refresh wasn't enough and I was required to
> > reboot.
> >
> > Was this an SMB signing or NTLM v2 issue? Should I reverse some of
> > those security changes I made?
>
>
> To be effective, you'll need to set that setting in either the Default
> Domain Controllers GPO or individually on each DC using Domain Controller
> Security Policy.
>
> --
> Regards,
> Ace
>
> Please direct all replies to the newsgroup so all can benefit.
> This posting is provided "AS-IS" with no warranties and confers no
> rights.
>
> Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
> Microsoft Windows MVP - Active Directory
>
> HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
> pig. --
> =================================
>
>
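The settings discussed in this thread (LAN Manager authentication level, secure channel signing/sealing, and SMB signing on the server and workstation side) are each backed by a registry value that Group Policy writes on the machine. The script below is an added example, not code from the thread or from Microsoft: it reads those effective values on the local box so you can confirm what the Default Domain Controllers GPO (or the local policy) actually applied after gpupdate, and it flags the two weakenings from the original post, an LmCompatibilityLevel that still sends LM responses and "always" signing requirements that were turned off. The policy-name-to-registry-path mapping is Microsoft's documented one; the helper function name is my own.

```powershell
# Added example (not from the original thread). Audits the registry values behind the
# policies discussed above. Assumes a Windows host with PowerShell and read access to HKLM.
# Policy names and registry paths follow Microsoft's documented mapping; Get-AuthPolicyAudit
# is a hypothetical helper name chosen for this example.

function Get-AuthPolicyAudit {
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $nlog  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $wks   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

    # Policy display name -> (registry key, value name)
    $checks = @(
        @{ Policy = 'Network security: LAN Manager authentication level';                      Path = $lsa;  Name = 'LmCompatibilityLevel' }
        @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)';   Path = $nlog; Name = 'RequireSignOrSeal' }
        @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)';    Path = $nlog; Name = 'SealSecureChannel' }
        @{ Policy = 'Domain member: Digitally sign secure channel data (when possible)';       Path = $nlog; Name = 'SignSecureChannel' }
        @{ Policy = 'Microsoft network server: Digitally sign communications (always)';        Path = $srv;  Name = 'RequireSecuritySignature' }
        @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'; Path = $srv; Name = 'EnableSecuritySignature' }
        @{ Policy = 'Microsoft network client: Digitally sign communications (always)';        Path = $wks;  Name = 'RequireSecuritySignature' }
        @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'; Path = $wks; Name = 'EnableSecuritySignature' }
    )

    # Meaning of each LmCompatibilityLevel value, as shown in the Group Policy editor
    $lmLevels = @{
        0 = 'Send LM & NTLM responses'
        1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
        2 = 'Send NTLM response only'
        3 = 'Send NTLMv2 response only'
        4 = 'Send NTLMv2 response only. Refuse LM'
        5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
    }

    foreach ($c in $checks) {
        # A missing value means the policy was never applied here and the OS default is in effect.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.($c.Name) } else { $null }

        $note = ''
        if ($null -eq $value) {
            $shown = 'not set (OS default applies)'
        }
        elseif ($c.Name -eq 'LmCompatibilityLevel') {
            $shown = "$value = $($lmLevels[[int]$value])"
            # Levels 0 and 1 still send LM responses; LM hashes are weak and easily cracked
            if ([int]$value -lt 2) { $note = 'sends LM responses' }
        }
        else {
            $shown = if ([int]$value -eq 1) { 'Enabled' } else { 'Disabled' }
            # An "(always)" setting turned off makes signing negotiable instead of mandatory
            if ($c.Name -like 'Require*' -and [int]$value -ne 1) { $note = 'signing not mandatory' }
        }

        [pscustomobject]@{
            Policy   = $c.Policy
            Registry = "$($c.Path)\$($c.Name)"
            Value    = $shown
            Note     = $note
        }
    }
}

# Usage: run on the DC after gpupdate /target:computer (and after the reboot, since the
# thread notes the refresh alone was not enough for the change to take effect).
Get-AuthPolicyAudit | Format-Table -AutoSize -Wrap
```

Run this on the 2003 DC and on a member server and compare the two tables: on a DC the Default Domain Controllers GPO wins over local policy, which is why Ace points David at that GPO rather than the local security policy.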