Re: additional 2003 DC in 2000 forest, downlevel client communications problems
From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 06/20/04
- Next message: Ace Fekay [MVP]: "Re: WPAD Configuration"
- Previous message: Ace Fekay [MVP]: "Re: Program installs"
- In reply to: David.B: "additional 2003 DC in 2000 forest, downlevel client communications problems"
- Next in thread: David.B: "Re: additional 2003 DC in 2000 forest, downlevel client communications problems"
- Reply: David.B: "Re: additional 2003 DC in 2000 forest, downlevel client communications problems"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 20 Jun 2004 16:03:07 -0400
In news:OQV9nLWVEHA.3596@tk2msftngp13.phx.gbl,
David.B <Please.reply@to-group.com> posted their thoughts, then I offered
mine
> We have a network with a 2000 DC and various clients including 98 up
> to XP as well as an AS/400 server. When I installed the 2003 server
> and promoted it to a DC, some 98/ME clients could not log into the
> domain. If I unplugged the 2003 DC from the network, they were able
> to log in fine. Since then I have relaxed some of the default
> security settings in the local group policy.
>
> MS NET SVR: digitally sign communications (always) -changed from
> enabled to disabled but left the (if client agrees) enabled.
> MS NET CLIENT: digitally sign communications (always) -changed from
> enabled to disabled but left (if server agrees) enabled.
> Network Security: LAN manager authentication level -changed from ntlm
> to "lm and ntlm"
> Domain Member: digitally encrypt or sign secure channel data
> (always) -changed from enabled to disabled (left the when possibles
> enabled).
>
> After applying these changes and doing a gpupdate /target:computer, I
> still couldn't contact computers in the domain, as400, 98, xp, server
> 2000 ... didn't matter! The ONLY computer I could communicate with
> from this 2003 server was another DC! (and I used replmon to make
> sure I was replicating successfully) To further complicate or
> confuse, any of the 98 clients on up could see the 2003 server and
> connect to the sysvol or other file shares. During all of this
> troubleshooting, not one entry showed up in the application, security
> or system logs on the 2003 or any of the other computers although I
> was being denied access to network computers with the following
> message: "<computername> is not accessible. You might not have
> permission to use this network resource. Contact the administrator of
> this server to find out if you have access permissions. The account
> is not authorized to log in from this station."
>
> After searching around newsgroups for a while coming up empty handed,
> I rebooted as a last resort and to my amazement I could connect! I
> guess a group policy refresh wasn't enough and I was required to
> reboot.
>
> Was this an SMB signing or NTLM v2 issue? Should I reverse some of
> those security changes I made?
To be effective, you'll need to set that setting in either the Def
Domain Controller GPO or individually on each DC using Domain Controller
Security Policy.
--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS-IS" with no warranties and confers no rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a pig.
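The following is an added example, not part of either post in this thread. It reads the registry values that back the four policies named above, so you can see on a given machine (for instance each DC) what policy processing actually wrote, whichever GPO or local policy it came from. It assumes a Windows host with PowerShell available; the short policy labels are paraphrased from the thread.

```powershell
# Added example: report the registry values behind the signing and
# LM authentication policies discussed in the thread. Run locally, read-only.
$base = 'HKLM:\SYSTEM\CurrentControlSet'
$srv  = "$base\Services\LanmanServer\Parameters"
$wks  = "$base\Services\LanmanWorkstation\Parameters"
$nl   = "$base\Services\Netlogon\Parameters"
$lsa  = "$base\Control\Lsa"

$checks = @(
    @{ Policy = 'MS network server: sign (always)';            Key = $srv; Name = 'RequireSecuritySignature' }
    @{ Policy = 'MS network server: sign (if client agrees)';  Key = $srv; Name = 'EnableSecuritySignature' }
    @{ Policy = 'MS network client: sign (always)';            Key = $wks; Name = 'RequireSecuritySignature' }
    @{ Policy = 'MS network client: sign (if server agrees)';  Key = $wks; Name = 'EnableSecuritySignature' }
    @{ Policy = 'Domain member: encrypt or sign (always)';     Key = $nl;  Name = 'RequireSignOrSeal' }
    @{ Policy = 'Domain member: encrypt (when possible)';      Key = $nl;  Name = 'SealSecureChannel' }
    @{ Policy = 'Domain member: sign (when possible)';         Key = $nl;  Name = 'SignSecureChannel' }
    @{ Policy = 'LAN Manager authentication level';            Key = $lsa; Name = 'LmCompatibilityLevel' }
)

# Meaning of each LmCompatibilityLevel value as shown in the policy editor.
$lmLevels = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

$report = foreach ($c in $checks) {
    # A missing key or value means no explicit setting; the OS default applies.
    $item = Get-ItemProperty -Path $c.Key -ErrorAction SilentlyContinue
    $raw  = if ($item -and $item.PSObject.Properties[$c.Name]) { $item.($c.Name) } else { $null }

    $meaning = if ($null -eq $raw) { 'not set (OS default applies)' }
               elseif ($c.Name -eq 'LmCompatibilityLevel') { $lmLevels[[int]$raw] }
               elseif ($raw -eq 1) { 'Enabled' }
               else { 'Disabled' }

    [pscustomobject]@{ Policy = $c.Policy; Value = $raw; Meaning = $meaning }
}

$report | Format-Table -AutoSize
```

Comparing the output from a DC with the output from a member server shows whether a change made in one policy object reached the machines it was meant for.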