General discussion

Locked

Access Denied to Domain Controller

By dcassat ·
Scenerio:

We have two Domains.

Domain A is an NT 4.0 PDC domain. A couple of standalone servers in this domain have Windows 2000 server on them.

Domain B is a Windows 2000 AD Domain. It is running in Native mode. A full two-way trust is in place between domains A & B.

All systems in both domains are accessible by people / machines in either domain with a single exception.

Problem:
Servers running NT 4.0 in domain A cannot access one domain controller's resources in Domain B. ie:\\server at start/run yields the error 'Access is Denied.' That same server in Domain B can access any server in Domain A. No other server in either domain have issues. Servers running Windows 2000 in domain A have no issue accessing the same server in domain B.

I have looked at all Domain local permissions on the server in question. I have run nltest and it shows all domain communication is normal. I have spent numerous hours looking for the reason why an NT 4.0 system cannot access resources on a Windows 2000 server in a different domain.

If you have seen this problem and give me the answer, I will give you 1000 points.

This conversation is currently closed to new comments.

9 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by jschein In reply to Access Denied to Domain C ...

If you have 2k servers, you should have demoted your NT4 Server. An NT4 server cannot and will not function properly as a PDC. You need to downgrade it to a BDC and change it from NATIVE mode to MIXED MODE. 1 NT Server takes away the NATIVE mode functionality.

Collapse -

by dcassat In reply to

Poster rated this answer.
The 2k servers that exist in the NT 4.0 domain(A) are standalone servers, not domain controllers. The 2k DCs reside in Domain B. As stated, there is only one server in Domain B that is unaccessable by the NT 4.0 servers in Domain A.

Collapse -

by CG IT In reply to Access Denied to Domain C ...

You say a full 2 way trust is established between domains yet what you describe says differently. My question is "for what purpose" are servers in Domain A [NT servers] trying to access resources in domain B [W2KAD]? Resources is a very broad term. please narrow down what your trying to accomplish.

Note: Native mode in the W2KAD environment means that on that domain only W2K domain controllers can be present. No NT BDCs. Only in Mixed mode can a NT DC operate in a W2KAD environment and you can switch from Native to Mixed.

Collapse -

by CG IT In reply to

oops darm it, correction you CAN NOT switch from Native to mixed mode. It's one way only as default install is mixed mode and you have to manually change to native mode. But, that doesn't seem to have a bearing on what your problem is. might be that transitive trust on your W2KAD domain between servers has a hickup somewhere are is not propogating down the line to the server in question.

Collapse -

by dcassat In reply to

Poster rated this answer.
In this case, the resources are file shares which by the way are set to everyone full control at this time.

Domain B is a W2k (AD) only domain as you said it must be. Domain A has several NT 4.0 pdcs, several NT 4.0 standalone servers and several w2k standalone servers. There are a total of 20 servers in our organization split into two domains.

Collapse -

by dcassat In reply to Access Denied to Domain C ...

Point value changed by question poster.
Hmmm, maybe I can buy you off? Answer is now worth 3000 points!

Collapse -

by Snow-Rider In reply to Access Denied to Domain C ...

On the Domain controller that cannot be accessed by the NT 4.0 server the Local policy entry for LAN Manager authentication Level is set to Send NTLMv2 response only\refuse LM & NTLM.
The NT 4.0 servers that cannot access the Win2K DC are at a SP level prior to SP4.
NT 4.0 SP4 implemented NTLMv2. Apply SP4 or greater to your NT4 servers and they will be able to access the WIN2KDC.

Collapse -

by dcassat In reply to

Answer number 3 was excellent but did not solve the issue. Thank you for taking time and consideration in your answer.

Collapse -

by dcassat In reply to Access Denied to Domain C ...

This question was closed by the author

Back to Windows Forum
9 total posts (Page 1 of 1)  

Related Discussions

Related Forums