NT4 Server box fails to logon in upgraded AD Domain
From: Manos Anastasiadis (am_at_isc.tuc.gr)
Date: 08/11/04
Date: Wed, 11 Aug 2004 14:41:57 +0300
Hi all,
We have a plain-old NT4 domain with a PDC/BDC pair
(PDC / BDC1) + an Exchange Server 5.5 (MAIL) that is
still up and running.
We currently are in the middle of the development phase
of upgrading to Windows Server 2003 and Exchange Server
2003.
During the process we decided to make things easier and
perform an upgrade instead of migration and followed
these steps:
- Set up a second BDC (say BDC2).
- Took BDC2 off-line and moved it on a separate network-leg,
independent from the original domain.
- Promoted BDC2 to PDC (NOTE: off-line).
- Upgraded BDC2 to WS2003 and got AD
(Windows-Interim level).
- Formed a net with BDC2 and two brand-new WS2003 servers
(say DC1, DC2); made the latter AD Domain Controllers,
configured DNS.
- Transferred all FSMO roles to DC1 (PDC Emulator too)
and set both DC1 and DC2 to be GCs.
- Took the original BDC2 off.
Up to this point we have a new environment for testing
purposes that will finally become the new 'production'
environment. Connected a couple of W2K-Pro/SP4
workstations to verify it was working ok
(user logon, GPOs etc).
Our next step would be to migrate Exchange 5.5 to
Ex2003, so we did the following things:
- Set up a new WS2003 server to hold the new
Exchange 2003 mail Server (say ES).
- Installed Exchange Tools (ExAllTools.exe) in order to
run ExDeploy to perform preliminary tests and install
AD Connector.
- Temporarily took our production mail server (MAIL,
NT4.0 Server/SP6, Ex5.5/SP4) off-line,
added it to the network leg formed by DC1, DC2 & ES
and rebooted it.
The problem came along here:
When we tried to logon to the MAIL server using a valid
User account imported from the original NT4 domain, we got
the following error message:
"The system could not log you on to this domain because
the system's computer account in its primary domain is
missing or the password on that account is incorrect."
As a consequence the Exchange services failed to start,
since they are configured to use another valid domain User
account, which also fails to log in. So do the ExDeploy tests.
NOTES:
- All hot-fixes have been applied to the machines mentioned,
up to ms04-025.
- Network connectivity works fine (tested using ping).
- The User account used for the failed logon is valid,
so is its password (we've been using it without any problem
to log-in to the WS2003 boxes, DC1, DC2 and ES).
- The MAIL Computer account still exists in AD,
so do the original NT4 domain controllers which are
NOT connected to the test network. I guess that
this should not be an issue, since DC1 or DC2 should
authenticate accounts.
- No firewall or IPSec applied to the test environment yet
- The registry value for anonymous access on DC1, DC2 is:
HKLM\SYSTEM\CurrentControlSet\Control\LSA
RestrictAnonymous = 1
- We checked http://support.microsoft.com/?id=kb;en-us;259736
but the specified registry value exists and has the exact
value as specified in the document:
HKLM\SOFTWARE\Microsoft\RPC\SecurityService
68 = "netlogon.dll"
Any ideas on how to solve this issue?
Sorry for the lengthy e-mail.
TIA
-------------------------
Manos Anastasiadis
Systems Engineer