Re: NT4 Client in W2K3 AD migrated / SID
From: Joe Wu [MSFT] (joewu_at_online.microsoft.com)
Date: 03/11/04
Date: Thu, 11 Mar 2004 21:22:43 GMT
Hello Thorsten,
Thanks for your updates.
Generally, the Windows shell calls the LookupAccountSid function to contact
the domain controllers and therefore retrieves the account names associated
with the SIDs.
I checked our database but did not find similar issues.
From your updates, I agree that the problem should be related to a domain
side setting that blocks the account names from being retrieved.
I understand that the reinstallation of domain should be a time-consuming
process. However, I am glad to hear that the problem has been resolved.
Also, I do appreciate that you share the solution here.
Thanks and have a great day!
Regards,
Joe Wu
Product Support Services
Microsoft Corporation
Get Secure! - www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
|From: "Thorsten Schmitt" <NO_SPAM_thorsten.schmitt@realtech.de>
|Subject: Re: NT4 Client in W2K3 AD migrated / SID
|Date: Thu, 11 Mar 2004 06:50:30 -0800
|Newsgroups: microsoft.public.windows.server.migration
|
|Hi,
|
|whatever it was, it is gone with the domain reinstall... I
|think, it could have been a problem with a misconfigured
|policy or anything like that.
|
|Regards
|Thorsten Schmitt
|
|
|>-----Original Message-----
|>Hi,
|>
|>today I've tested some things again. The only thing I've
|>recognized was:
|>Joining a testclient to the administrative root domain, I
|>can resolve all of the SIDs belonging to the new
|>productive subdomain. So I think, it's any kind of problem
|>with the domain, maybe a misconfiguration of policies or
|>something like that.
|>The new domain is not productive yet, so I decided to
|>delete the domain this evening by running dcpromo on
|>both domain controllers to demote them from DC to a standard
|>server. Tomorrow morning I'm going to recreate the domain.
|>The only thing I need to do is to recreate the OU
|>structure, but it's not a problem.
|>So I think this would be the fastest and easiest way to
|>work around this problem. I hope with this step I find a
|>final solution for that.
|>I'll report here the results.
|>
|>Regards
|>Thorsten Schmitt
|>
|>
|>>-----Original Message-----
|>>Hi,
|>>
|>>
|>>>1. My understanding is that every account's name cannot be retrieved on all
|>>>of these Windows NT machines? Is it correct? Please post a screen shot so
|>>>that I can better understand the problem.
|>>
|>>
|>>Yes, this is correct. BEFORE Migration:
|>>Client can resolve Accounts from the old domain (NT4), but
|>>not the new domain (W2K3).
|>>AFTER migration:
|>>Client cannot resolve ANY Account from old or new domain.
|>>I'll send you the screenshot via email, I cannot contact
|>>the newsserver via a newsreader (firewall at customer site
|>>today), I'm logged in via Web.
|>>
|>>>2. Can you add accounts from the old domain or the new domain to these
|>>>folder's ACLs? Can they be displayed correctly?
|>>
|>>Adding new accounts is no problem. While adding, they are
|>>displayed correctly. But the next time I check the ACL
|>>(AFTER closing the ACL dialog with OK and reopening it), they
|>>are displayed as SID, not as account names.
|>>
|>>
|>>>3. How did you migrate the NT workstations to the new domain? I would like
|>>>to suggest that you pick one problematic Windows NT machine, disjoin it
|>>>from the new Windows Server 2003 domain and then rejoin them back to the
|>>>new domain. Let me know if the problem still persists.
|>>
|>>First I migrated the clients with ADMT 2.0, but I also
|>>tested joining the clients to the new domain manually by
|>>rejoining the new domain the "classic" way.
|>>
|>>Thanks and Regards
|>>Thorsten Schmitt
|>>
|>>
|>>
|>>>-----Original Message-----
|>>>Hello Thorsten,
|>>>
|>>>Thank you for your reply.
|>>>
|>>>The results of the nltest commands indicate that the trust relationships
|>>>between the two domains are working correctly.
|>>>
|>>>May I know the following?
|>>>
|>>>1. My understanding is that every account's name cannot be retrieved on all
|>>>of these Windows NT machines? Is it correct? Please post a screen shot so
|>>>that I can better understand the problem.
|>>>
|>>>2. Can you add accounts from the old domain or the new domain to these
|>>>folder's ACLs? Can they be displayed correctly?
|>>>
|>>>3. How did you migrate the NT workstations to the new domain? I would like
|>>>to suggest that you pick one problematic Windows NT machine, disjoin it
|>>>from the new Windows Server 2003 domain and then rejoin them back to the
|>>>new domain. Let me know if the problem still persists.
|>>>
|>>>Thanks for your time and cooperation!
|>>>
|>>>Regards,
|>>>Joe Wu
|>>>Product Support Services
|>>>Microsoft Corporation
|>>>
|>>>Get Secure! - www.microsoft.com/security
|>>>
|>>>====================================================
|>>>When responding to posts, please "Reply to Group" via your newsreader so
|>>>that others may learn and benefit from your issue.
|>>>====================================================
|>>>This posting is provided "AS IS" with no warranties, and confers no rights.
|>>>
|>>>--------------------
|>>>|From: "Thorsten Schmitt" <NO_SPAM_thorsten.schmitt@realtech.de>
|>>>|Subject: Re: NT4 Client in W2K3 AD migrated / SID
|>>>|Date: Mon, 8 Mar 2004 16:16:50 +0100
|>>>|
|>>>|Hi,
|>>>|
|>>>|thank you for your answer.
|>>>|I try to answer your questions as far as I can, the problem exists on
|>>>|customer side, I'll get "hands on" on Wednesday.
|>>>|
|>>>|> 1. What accounts are there in the ACLs? Are these accounts of the old
|>>>|> domain?
|>>>|
|>>>|ACL from both domains for soft migration to allow Users from both domains to
|>>>|access data.
|>>>|
|>>>|> 2. The old domain's DCs must be available to convert the SIDs to the
|>>>|> account names. Please verify if the trust is broken by running the
|>>>|> following command on the DC of the current domain:
|>>>|
|>>>|The old domain is still in high productive environment, the productive
|>>>|migration will be the coming weekend, so the problem occurred on testclients
|>>>|that are configured like the productive clients and server.
|>>>|
|>>>|> net use \\DCinOtherDomain\IPC$ /User:OtherDomain\UserAccount *
|>>>|
|>>>|Access to shares in both domains works without problems with accounts from
|>>>|both accounts, although the acl cannot be displayed, they work without
|>>>|problems. It only seems to be a problem of the view?!
|>>>|
|>>>|> nltest /SERVER:<ServerName> /SC_QUERY:<DomainName>
|>>>|Will be tested soon.
|>>>|
|>>>|> 3. Can you add another account from the old domain to these folder's ACLs?
|>>>|> Can they be displayed correctly?
|>>>|When I add a new group or user, it's displayed correctly, until I reopen the
|>>>|ACL dialog box, then I also see only the SID.
|>>>|
|>>>|> 5. How did you migrate the NT workstations to the new domain?
|>>>|With ADMT 2.0 with the option to translate the ACL.
|>>>|
|>>>|
|>>>|
|>>>|Thanks for any help
|>>>|Regards
|>>>|Thorsten Schmitt
|>>>|
|>>>|
|>>>|
|>>>|
|>>>|"Joe Wu [MSFT]" <joewu@online.microsoft.com> wrote in message
|>>>|news:$nLW6JRBEHA.612@cpmsftngxa06.phx.gbl...
|>>>|> Hello Thorsten,
|>>>|>
|>>>|> Thank you for your post.
|>>>|>
|>>>|> My name is Joe Wu, and it is my pleasure to work with you on this issue.
|>>>|>
|>>>|> May I know the following?
|>>>|>
|>>>|> 1. What accounts are there in the ACLs? Are these accounts of the old
|>>>|> domain?
|>>>|>
|>>>|> 2. The old domain's DCs must be available to convert the SIDs to the
|>>>|> account names. Please verify if the trust is broken by running the
|>>>|> following command on the DC of the current domain:
|>>>|>
|>>>|> net use \\DCinOtherDomain\IPC$ /User:OtherDomain\UserAccount *
|>>>|>
|>>>|> nltest /SERVER:<ServerName> /SC_QUERY:<DomainName>
|>>>|>
|>>>|> Note: The nltest tool is from Windows Server 2003 Support Tools.
|>>>|>
|>>>|> Please let me know the results.
|>>>|>
|>>>|> 3. Can you add another account from the old domain to these folder's ACLs?
|>>>|> Can they be displayed correctly?
|>>>|>
|>>>|> 4. Please check the event logs on DC of each domain to see if there are
|>>>|> related errors.
|>>>|>
|>>>|> 5. How did you migrate the NT workstations to the new domain?
|>>>|>
|>>>|> If you have any questions or concerns, please do not hesitate to let me
|>>>|> know. I am standing by to help you. Thank you for your time and
|>>>|> cooperation!
|>>>|>
|>>>|> Regards,
|>>>|> Joe Wu
|>>>|> Product Support Services
|>>>|> Microsoft Corporation
|>>>|>
|>>>|> Get Secure! - www.microsoft.com/security
|>>>|>
|>>>|> ====================================================
|>>>|> When responding to posts, please "Reply to Group" via your newsreader so
|>>>|> that others may learn and benefit from your issue.
|>>>|> ====================================================
|>>>|> This posting is provided "AS IS" with no warranties, and confers no
|>>>|> rights.
|>>>|>
|>>>|> --------------------
|>>>|> |From: "Thorsten Schmitt" <NO_SPAM_thorsten.schmitt@realtech.de>
|>>>|> |Subject: NT4 Client in W2K3 AD migrated / SID
|>>>|> |Date: Mon, 8 Mar 2004 08:34:52 +0100
|>>>|> |
|>>>|> |Hi,
|>>>|> |
|>>>|> |I've migrated some NT4 Workstations and Server into a new W2k3 Active
|>>>|> |Directory (will soon be productive) for testing purposes. After the
|>>>|> |migration I cannot resolve any SID in ACL or Share permissions, neither from
|>>>|> |the old domain nor the new domain. Networking settings are all correct,
|>>>|> |domain controllers and clients are in WINS and DNS without any problems. Also
|>>>|> |any name resolution works without problems. SID2User can resolve the SID
|>>>|> |without problems. The problem occurs on any migrated NT4 client, I couldn't
|>>>|> |test it on W2K or XP but it's important to work on the NT4 clients.
|>>>|> |Any ideas?
|>>>|> |
|>>>|> |Thanks and Regards
|>>>|> |Thorsten Schmitt
|
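The SID-to-name lookup discussed in this thread can be reproduced outside the ACL dialog. The following is an added example, not part of the original posts or any Microsoft tool: it assumes a domain-joined machine with PowerShell (so not the NT4 clients themselves), and `$Path` is a placeholder folder. It reads a folder's ACEs as raw SIDs, tries to translate each one, and summarizes failures per domain SID.

```powershell
# Added diagnostic sketch, not from the thread. $Path is a placeholder folder.
param([string]$Path = 'C:\Data')

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]

# Request the ACEs keyed by raw SID so nothing is resolved implicitly.
$rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)
$sids  = $rules | ForEach-Object { $_.IdentityReference } | Sort-Object Value -Unique

$results = foreach ($sid in $sids) {
    $name = $null; $failure = $null
    try {
        # Ask the system to map the SID to DOMAIN\name.
        $name = $sid.Translate($ntType).Value
    } catch {
        # IdentityNotMappedException means no name was found; any other
        # exception type points at trust or connectivity trouble instead.
        $failure = $_.Exception.GetBaseException().GetType().Name
    }
    # Domain accounts carry their domain's SID as a prefix; well-known SIDs do not.
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value }
                 else { '(builtin or well-known)' }
    [pscustomobject]@{
        Sid       = $sid.Value
        DomainSid = $domainSid
        Name      = $name
        Failure   = $failure
    }
}

# Per-SID detail, then a per-domain summary of unresolved entries.
$results | Format-Table -AutoSize
$results | Group-Object DomainSid | ForEach-Object {
    [pscustomobject]@{
        DomainSid  = $_.Name
        Total      = $_.Count
        Unresolved = @($_.Group | Where-Object { -not $_.Name }).Count
    }
} | Format-Table -AutoSize
```

Unresolved entries under only one domain SID point at the lookup path to that domain, while failures under every domain SID match the "AFTER migration" symptom reported in the thread.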