Cross Domain Authentication Issues

By mark.parker
We have two Windows 2000 AD domains with an established trust. Domain A is running in native mode, and domain B is running in mixed mode.

We have introduced a W2003 server into Domain A, and set the appropriate permissions to allow users from Domain B access to its resources.

We are experiencing issues with the 2003Svr authenticating users from Domain B. The authentication works successfully for a number of days, and will then suddenly stop authenticating users from Domain B, and generate security events.

No changes are made to the domain or server configurations, and a reboot of the 2003Svr will generally resolve the issue. (On some occasions it takes more than one reboot.)

We have checked the system using netdiag, dcpromo and have found no obvious errors.

Below are some symptoms we have noticed:

** We are still able to browse to Domain B from the server and access network shares. Net view commands also work fine to any DC in Domain B.

** When modifying security permissions on the 2003Svr we are able to search and select user accounts from domain B, however once we apply the changes the account details are displayed in numeric format (SID).

** EventID 537
Category: Logon/Logoff
Logon failure:
Reason: an error occurred during logon
Domain: Domain B
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM

Any assistance or thoughts anyone can provide would be greatly appreciated.

Many Thanks

Mark P

by Monice In reply to Cross Domain Authenticati ...

Check the time synchronization on both domains and clients. Sometimes a time difference as little as 5 mins. can cause NTLM authentication issues.

by mark.parker In reply to

Thanks Monice.

All 3 elements are in time sync. A net time across the server and domain controllers shows the same time.

by BFilmFan In reply to Cross Domain Authenticati ...

What service packs are on the domain controllers, both Windows 2000 and Windows 2003?

What additional hot fixes have been installed?

What NTLM authentication level is running?

Are the clients which are being rejected Windows 2000-and-up clients? NT? DOS?

What is shown when you run DCDiag with the following specifications? dcdiag /v /e /f:dcdiagLOG.txt /ferr:dcdiagERROR.txt

What level is the forest itself set to?

Is Domain B a sub-domain of A? A peer?
