#1
We are experiencing new problems with our NT4 member server (an app server). Suddenly, it does not recognize global groups that are used for folder sharing and security permissions.

What could cause this, and how can I get our NT4 member server to recognize global groups?

Incidentally, although I thought that we had recently upgraded to Windows 2003 interim mode, a recent look at AD Domains and Trusts shows that our single domain network shows:
Functional Level - Windows 2000 mixed
Domain Level - Windows 2000

We have 2 NT4 BDC's that will be retiring in another month, after which we will upgrade to the Windows 2003 server mode.

Is there anything that I can do until then to make the NT4 member server recognize...at least global groups...like it had previously (Global Groups had been working on the NT4 member server until recently)?

Additionally... To my knowledge, we haven't modified any settings on our DC's or the NT4 member server over the last weeks (unless you count performing the typical Windows updates).

Any reason why our NT4 server would have this problem now, when the GG accounts had been working for the previous 5 months of our upgrade to W2K3 interim mode?

--
pbrill1
#2
"pbrill1" <(E-Mail Removed)> wrote in message
news:0C2A2696-DB90-4F70-8233-(E-Mail Removed)...
> We are experiencing new problems with our NT4 member server (an app server).
> Suddenly, it does not recognize global groups that are used for folder
> sharing and security permissions.
> What could cause this, and how can I get our NT4 member server to recognize
> global groups?

First guess should be a failure to AUTHENTICATE by the Server.

If the global groups originate on a trusted domain (not the NT server's domain) then the first guess would be a failure of the trust and/or failure to authenticate by the server.

IF it is a member of the domain the global groups are available, so since it "is a member" it must be failing to retrieve the lists from its DCs, therefore failure of the trust if any (list is wrong) or failure to authenticate sticks out like a flashing NEON SIGN.

> Incidentally, although I thought that we had recently upgraded to Windows
> 2003 interim mode, a recent look at AD Domains and Trusts shows that our
> single domain network shows:
> Functional Level - Windows 2000 mixed
> Domain Level - Windows 2000
> We have 2 NT4 BDC's that will be retiring in another month, after which we
> will upgrade to the Windows 2003 server mode.

If this is Windows 2000 Native mode+ then the BDCs are already locked out of the replication. They should have been removed prior to this change.

Only Interim and Mixed DOMAIN modes support the BDCs.

BTW this is actually a variety of the authentication problem for the NT server: If it authenticates with a locked out BDC then it is not really authenticating with the domain any more.

> Is there anything that I can do until then to make the NT4 member server
> recognize...at least global groups...like it had previously (Global Groups
> had been working on the NT4 member server until recently)?

Remove the BDCs at this point. If they authenticate machines those machines will not see a current picture of the domain.

> Additionally... To my knowledge, we haven't modified any settings on our
> DC's or the NT4 member server over the last weeks (unless you count
> performing the typical Windows updates).

If you went to Native mode you (or someone) did.

> Any reason why our NT4 server would have this problem now, when the GG
> accounts had been working for the previous 5 months of our upgrade to W2K3
> interim mode?

Figure out which DC is authenticating the NT server.

That should point you to the real problem.
#3
I believe that I'm still at the Mixed mode (at least domain.msc says so at the functional level).

I attempted to look for the NEON SIGNS, the only consistent warning that I found on the NT4 member server's Application Log was an
EventID-213 - Warning - License Server -
"Replication of the License info failed because the license login service on MY-DC1 could not be contacted"

Is our problem one of the NT4 member server not pointing to the correct license service? (Incidentally, we have purchased the necessary device CALs)

If so, does this require some form of registry change on the NT4 member server?

Thank you for the help!

"Herb Martin" wrote:

> "pbrill1" <(E-Mail Removed)> wrote in message
> news:0C2A2696-DB90-4F70-8233-(E-Mail Removed)...
> > We are experiencing new problems with our NT4 member server (an app server).
> > Suddenly, it does not recognize global groups that are used for folder
> > sharing and security permissions.
> >
> > What could cause this, and how can I get our NT4 member server to recognize
> > global groups?
>
> First guess should be a failure to AUTHENTICATE
> by the Server.
>
> If the global groups originate on a trusted domain (not
> the NT server's domain) then the first guess would be
> a failure of the trust and/or failure to authenticate by the
> server.
>
> IF it is a member of the domain the global groups are
> available, so since it "is a member" it must be failing to
> retrieve the lists from its DCs, therefore failure of the
> trust if any (list is wrong) or failure to authenticate
> sticks out like a flashing NEON SIGN.
>
> > Incidentally, although I thought that we had recently upgraded to Windows
> > 2003 interim mode, a recent look at AD Domains and Trusts shows that our
> > single domain network shows:
> > Functional Level - Windows 2000 mixed
> > Domain Level - Windows 2000
> > We have 2 NT4 BDC's that will be retiring in another month, after which we
> > will upgrade to the Windows 2003 server mode.
>
> If this is Windows 2000 Native mode+ then the BDCs
> are already locked out of the replication. They should
> have been removed prior to this change.
>
> Only Interim and Mixed DOMAIN modes support the BDCs.
>
> BTW this is actually a variety of the authentication problem
> for the NT server: If it authenticates with a locked out BDC
> then it is not really authenticating with the domain any more.
>
> > Is there anything that I can do until then to make the NT4 member server
> > recognize...at least global groups...like it had previously (Global Groups
> > had been working on the NT4 member server until recently)?
>
> Remove the BDCs at this point. If they authenticate machines
> those machines will not see a current picture of the domain.
>
> > Additionally... To my knowledge, we haven't modified any settings on our
> > DC's or the NT4 member server over the last weeks (unless you count
> > performing the typical Windows updates).
>
> If you went to Native mode you (or someone) did.
>
> > Any reason why our NT4 server would have this problem now, when the GG
> > accounts had been working for the previous 5 months of our upgrade to W2K3
> > interim mode?
>
> Figure out which DC is authenticating the NT server.
>
> That should point you to the real problem.
#4
"pbrill1" <(E-Mail Removed)> wrote in message
news:0F8DA8C7-CDAF-41F7-9022-(E-Mail Removed)...
> I believe that I'm still at the Mixed mode (at least domain.msc says so at
> the functional level).

Ok, but in the first post you said you thought yourself to be in Interim but then said you were really in Win2000 mode.

Are your BDCs replicating? That's the key for them.

> I attempted to look for the NEON SIGNS, the only consistent warning that I
> found on the NT4 member server's Application Log was an
> EventID-213 - Warning - License Server -
> "Replication of the License info failed because the license login service on
> MY-DC1 could not be contacted"

I already told you that your symptoms were Neon Signs for authentication and replication failure -- and this is usually a Name Resolution issue.

Do you have multiple subnets?

If so, do you have WINS Servers?

If so are THEY replicating and are all of your machines (including DCs and BDCs) clients of the single WINS database (NIC-->IP-->Advanced-->WINS tab)?

The same should also be true for them being DNS clients except there will be two zones and the NT domain does not have a critical need for the DNS (it's a good idea and won't hurt however.)

> Is our problem one of the NT4 member server not pointing to the correct
> license service? (Incidentally, we have purchased the necessary device CALs)
>
> If so, does this require some form of registry change on the NT4 member
> server?

Probably not. That has to do with using services, not seeing groups etc.
#5
Herb,

Thanks for your prompt replies - I will admit that I must continue to build my depth of understanding with WINS/DNS/AD:

Followup to your responses:

1) Interim mode/Mixed mode: I'm still trying to determine why we are in mixed mode. I watched a consultant click "interim mode" when we performed our NT4 - W2K3 migration.

2) I ran REPLMON on our primary DC (the one with the operations masters). Both NT4 BDC's indicate "ERROR: Server Unreachable". If there were a way to do it, I'd just demote both to member servers - but what I've read so far tells me that this cannot be done - within a month, we will be pulling them from their remote locations and I'll remove them from AD Users/Computers. (Is there a way to demote them in W2K3?)

3) NEON SIGNS - Herb, I may be blind to them! Obviously, my response in #2 above shows one major problem, but one different from my original NT4 member server problem.

Multiple Subnets? YES, although the NT4 member server is in the same subnet as our primary DC.

It may be a question for a different posting, but we have 7 subnets, but are attempting to have DC's in only 2 of these subnets. The other 5 are small (1 or 2 client) locations that we are attempting to run "DC-less" due to cost and administrative overhead - we do not have onsite admin at these remote restaurant locations to ensure security at these sites.

WINS Servers? YES
We have DNS and WINS installed on the DC's at each "major site"; each also has a global catalog server. Our single domain also exists within a single zone (our tests have shown that broadband/T1 replication traffic has not been much of an issue so far).

The WINS and DNS servers ARE replicating properly. The NT4 member server has active DNS host records; WINS shows active File Server, Messenger, and Workstation records for the NT4 member server.

Also, the NT4 member server uses a static IP address that has ONLY the WINS and DNS IP address of the W2K3 DC that is in its subnet.

I would be very grateful for your continued advice, Herb.

Thanks.

"Herb Martin" wrote:

> "pbrill1" <(E-Mail Removed)> wrote in message
> news:0F8DA8C7-CDAF-41F7-9022-(E-Mail Removed)...
> > I believe that I'm still at the Mixed mode (at least domain.msc says so at
> > the functional level).
>
> Ok, but in the first post you said you thought yourself to
> be in Interim but then said you were really in Win2000
> mode.
>
> Are your BDCs replicating? That's the key for them.
>
> > I attempted to look for the NEON SIGNS, the only consistent warning that I
> > found on the NT4 member server's Application Log was an
> > EventID-213 - Warning - License Server -
> > "Replication of the License info failed because the license login service on
> > MY-DC1 could not be contacted"
>
> I already told you that your symptoms were Neon Signs
> for authentication and replication failure -- and this is
> usually a Name Resolution issue.
>
> Do you have multiple subnets?
>
> If so, do you have WINS Servers?
>
> If so are THEY replicating and are all of your machines
> (including DCs and BDCs) clients of the single WINS
> database (NIC-->IP-->Advanced-->WINS tab)?
>
> The same should also be true for them being DNS clients
> except there will be two zones and the NT domain does
> not have a critical need for the DNS (it's a good idea and
> won't hurt however.)
>
> > Is our problem one of the NT4 member server not pointing to the correct
> > license service? (Incidentally, we have purchased the necessary device CALs)
> >
> > If so, does this require some form of registry change on the NT4 member
> > server?
>
> Probably not. That has to do with using services,
> not seeing groups etc.
#6
"pbrill1" <(E-Mail Removed)> wrote in message
news:48F9D8D6-8184-43B8-8A5D-(E-Mail Removed)...
> Herb,
>
> Thanks for your prompt replies - I will admit that I must continue to build
> my depth of understanding with WINS/DNS/AD:

I am betting your problem is mostly a WINS issue.

> Followup to your responses:
> 1) Interim mode/Mixed mode: I'm still trying to determine why we are in
> mixed mode. I watched a consultant click "interim mode" when we performed
> our NT4 - W2K3 migration.
>
> 2) I ran REPLMON on our primary DC (the one with the operations masters).
> Both NT4 BDC's indicate "ERROR: Server Unreachable". If there were a way to
> do it, I'd just demote both to member servers - but what I've read so far
> tells me that this cannot be done - within a month, we will be pulling them
> from their remote locations and I'll remove them from AD Users/Computers.
> (Is there a way to demote them in W2K3?)

Right (you can't remove AD from NT P/B DCs).

> 3) NEON SIGNS - Herb, I may be blind to them! Obviously, my response in #2
> above shows one major problem, but one different from my original NT4 member
> server problem.

I was making a statement, not claiming you can read the text on those Neon Signs (it might be in a language you don't yet know) so let's drop this.

I am only saying this is almost certainly a sign of such problems as I indicated.

> Multiple Subnets? YES, although the NT4 member server is in the same subnet
> as our primary DC.

Where are the PDC other BDCs?

Unless ALL of the xDCs of NT4 can find a DC of the Win2000+ domain (and vice versa) then they will not be able to find the list of Global Groups.

NetBIOS does this for older domains and external trusts in general. NetBIOS broadcasts do not work across routers (i.e., multiple subnets) and so you need WINS Server(s).

Usually people put in the WINS server(s) and neglect to make EVERY machine, including DCs, a client of the WINS server(s) -- and that includes THE WINS server itself.

Or they have more than one WINS server and neglect to make them replicate.

> It may be a question for a different posting, but we have 7 subnets, but are
> attempting to have DC's in only 2 of these subnets.

2 subnets means at least one internal router. Which means WINS is a practical necessity.

> The other 5 are small (1
> or 2 client) locations that we are attempting to run "DC-less" due to cost
> and administrative overhead - we do not have onsite admin at these remote
> restaurant locations to ensure security at these sites.
>
> WINS Servers? YES
> We have DNS and WINS installed on the DC's at each "major site"; each also
> has a global catalog server. Our single domain also exists within a single
> zone (our tests have shown that broadband/T1 replication traffic has not been
> much of an issue so far).
>
> The WINS and DNS servers ARE replicating properly. The NT4 member server
> has active DNS host records; WINS shows active File Server, Messenger, and
> Workstation records for the NT4 member server.

Are ALL of the DCs also WINS Server clients?

If so and it is replicating to all WINS servers then we have to look elsewhere.

> Also, the NT4 member server uses a static IP address that has ONLY the WINS
> and DNS IP address of the W2K3 DC that is in its subnet.

I am not sure that I fully understand the sentence above, but it is essential that all DCs (W2k, PDC, BDCs) are also WINS clients. Then if, as you say, the WINS servers all replicate they can find each other.

I am fairly certain that your PDC is a WINS client OR it and the Win2000 DC are on the same subnet. Why? They found each other for the EXTERNAL TRUST to be established.

I am reasonably confident that your two BDCs are not WINS clients or it's not replicating. Why? Because you said all along (your original problem) the Groups from the trusted domain are not showing up on SOME NT client machines (e.g., the server in question.)

> I would be very grateful for your continued advice, Herb.
>

You can even call me if you wish. Phone number is on my website: www.LearnQuick.Com
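The check described in post #6 (every DC and member server is a WINS client, and the WINS servers they use replicate with one another), as an added example that is not part of the original thread. It parses `ipconfig /all` text collected from each machine; every host name except MY-DC1, all IP addresses and the abbreviated dumps are constructed.

```python
import re

# Matches e.g. "   Primary WINS Server . . . . . . . : 10.1.0.10"
WINS_LINE = re.compile(
    r"^[ \t]*(Primary|Secondary) WINS Server[ .]*:[ \t]*(\S+)", re.M)


def wins_servers(ipconfig_text):
    """Return the WINS server addresses in one `ipconfig /all` dump."""
    return [addr for _kind, addr in WINS_LINE.findall(ipconfig_text)]


def audit_wins_clients(dumps, replicating_wins):
    """Map each problem host to the reason NetBIOS lookups may fail.

    dumps: {hostname: `ipconfig /all` text}
    replicating_wins: IPs of WINS servers known to replicate together
    """
    findings = {}
    for host, text in dumps.items():
        servers = wins_servers(text)
        strays = [s for s in servers if s not in replicating_wins]
        if not servers:
            findings[host] = "not a WINS client (broadcast only)"
        elif strays:
            findings[host] = "uses non-replicating WINS: " + ", ".join(strays)
    return findings


def dump(host, ip, *wins):
    """Build a constructed, abbreviated `ipconfig /all` dump for the demo."""
    lines = ["   Host Name . . . . . . . . . : " + host,
             "   IP Address. . . . . . . . . : " + ip]
    for label, addr in zip(("Primary", "Secondary"), wins):
        lines.append("   %s WINS Server . . . . : %s" % (label, addr))
    return "\r\n".join(lines)


# Constructed sample data: only the name MY-DC1 comes from the thread.
REPLICATING = {"10.1.0.10", "10.2.0.10"}
SAMPLE = {
    "MY-DC1": dump("MY-DC1", "10.1.0.10", "10.1.0.10", "10.2.0.10"),
    "NT4-APP": dump("NT4-APP", "10.1.0.20", "10.1.0.10"),
    "NT4-BDC-A": dump("NT4-BDC-A", "10.3.0.5"),               # no WINS set
    "NT4-BDC-B": dump("NT4-BDC-B", "10.4.0.5", "10.4.0.9"),   # stray WINS
}

if __name__ == "__main__":
    for host, why in audit_wins_clients(SAMPLE, REPLICATING).items():
        print(host + ": " + why)
```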