Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Mixed forest Authentication issue - Active Directory netbios name [message #156058] Tue, 09 June 2009 20:07
Todd
Messages: 39
Registered: June 2009
Member
Hi,

I'm new to newsgroups and thought I'd start by posting a problem that has me
completely stumped.

I work for a company that has 2 forests and multiple domains. Forest A has
only 1 domain and exclusively uses W2K servers. A new W2K8 domain has been built
out in forest B to slowly replace forest A. Users in forest A can't access a
fileshare in forest B while using the domain netbios name. They are
prompted to log into a share that has been granted full access to everyone
and they must type in their FQDN\Username in order to get access.

The NETBIOS domain name for Forest A appears to have been corrupted somehow
when the FSMO roles were transferred from one 2000 DC to another. As far as I
can tell, the correct Netbios domain name and servers appear in WINS. That
said, I can no longer ping the NETBIOS domain name and some of the WINS
based directory services are no longer available.

How does one diagnose, recreate or repair the Active Directory Netbios name?
I can find very little information on this.
Re: Mixed forest Authentication issue - Active Directory netbios name [message #156061 is a reply to message #156058] Tue, 09 June 2009 20:34
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
Well, there really is no 'repairing' an AD NetBIOS name. And you would not
be able to ping the NetBIOS name anyway. You can however, ping the domain's
FQDN, meaning ping domain.com or domain.local, etc. This is because when you
ping AD's FQDN, you are actually pinging the LdapIpAddress record. Each DC
registers this record. It's the record with no name but denoted by "(same as
parent)." If there are more than one DC, DNS round robin will kick in
rotating the records. This record is also used for the GetGpoList function,
DFS, and other functionality.

AD's NetBIOS name has no server service associated with it, unlike a
machine's NetBIOS name, which has a number of NetBIOS services associated
with it, such as the workstation service, the server service, etc. Therefore,
when you ping a NetBIOS domain name, there's really nothing there to respond to a
ping.

Ok, that said, do you have a trust created between the domain in A and the
domain in B? If not, that would be the first order of business.

To ensure a trust is set up properly, you will need NetBIOS name resolution
between the two domains. WINS can offer this for you without configuration
overhead, which you're already using. I would suggest to configure a WINS
server on domainB, and create a replication partnership between domainA's
WINS server and domainB's WINS server so they can share each other's NetBIOS
databases. This will assist in NetBIOS name resolution as well as support
browsing.

Once the trust is set up, then you would add the user accounts in A to B's
resources (in B's file share and NTFS permissions). This way there will be
no authentication prompts when they connect because their user accounts will
be in the ACL.

Will you be using ADMT to migrate the users?

Is Exchange involved?

I hope that helps so far.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay
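Ace's point above is that pinging the domain FQDN exercises the "(same as parent)" A records (the LdapIpAddress records) that every DC registers, and that DNS round robin rotates through them. The script below is an added example, not code from this thread or from either poster: it lists the domain's A records and DC locator SRV records and compares them with the DCs AD knows about, so a stale address left behind by a decommissioned DC shows up before it starts answering (or failing to answer) for a share of the clients. It assumes the ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012 / Windows 8 or later; on the Windows 2000/2008 systems in the thread the same records can be read with nslookup), and the domain name is a placeholder.

```powershell
# Added example (not from the thread). Compare the domain's own A records
# (the LdapIpAddress "(same as parent)" records) and the _ldap SRV records
# with the DCs that Active Directory reports, and flag mismatches.
param(
    [string]$Domain = 'apples.oranges.com'   # placeholder, replace with the real FQDN
)

Import-Module ActiveDirectory

# Domain controllers according to AD itself.
$dcs = Get-ADDomainController -Filter * -Server $Domain |
       Select-Object Name, HostName, IPv4Address

# IPv4 addresses published as the domain's own A records.
$ldapIp = Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
          Where-Object { $_.Type -eq 'A' } |
          Select-Object -ExpandProperty IPAddress

# Hosts published in the DC locator SRV record.
$srvHosts = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget

# One row per DC: does it have its A record, and is it in the locator SRV set?
$report = foreach ($dc in $dcs) {
    [pscustomobject]@{
        DC              = $dc.HostName
        IPv4Address     = $dc.IPv4Address
        HasLdapIpRecord = ($ldapIp -contains $dc.IPv4Address)
        InDcLocatorSrv  = ($srvHosts -contains $dc.HostName)
    }
}

# An A record that matches no current DC is handed out by round robin like
# any other; clients that land on it get no DC, clients that land on a live
# record work, so intermittent failures are one symptom of this.
$stale = $ldapIp | Where-Object { $_ -notin $dcs.IPv4Address }

$report | Format-Table -AutoSize
if ($stale) {
    Write-Warning "A records for $Domain that match no current DC: $($stale -join ', ')"
}
```

Run it from a member server with the RSAT tools installed; any row with HasLdapIpRecord set to False means that DC has not registered (or has lost) its record, and the warning lists addresses that should be removed from DNS once you have confirmed nothing legitimate still uses them.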
Re: Mixed forest Authentication issue - Active Directory netbios name [message #156065 is a reply to message #156061] Tue, 09 June 2009 22:22
Todd
Messages: 39
Registered: June 2009
Member
Thanks for the quick response.

There is an external two-way trust between domain 1 in Forest A and domain 2
Forest B. Domain 2's fileshare is currently configured as Share level:
Everyone Full access, NTFS level: Everyone Full access. Half of the Forest
A users can simply type \\fileserver and get right in. Half are prompted
for a logon and can only log on using the FQDN\Username. Another odd occurrence
is that users with and without access rotate - like you said - in a round
robin fashion.

I've taken a small group of guinea pigs and manually set the DNS, WINS lookup,
DNS suffixes, etc to look at the same servers. They are all on the same
subnet, computers are joined to the same domain and the users are all
members of the same domain. For this particular domain the netbios domain
name is unrelated to the actual domain name. If the FQDN was
apples.oranges.com, the Netbios name would be something like Fruitbasket.
When a user can't get immediate access as expected, logging in with
"Fruitbasket\username" would result in an "access denied" message while
"apples.oranges.com\username" results in successful authentication.

The other symptom I've encountered has to do with NETBIOS in Forest A. Prior
to the FSMO change the computer browser displayed a complete list of all
servers in the domain and it did it pretty fast. After the role change the
Computer Browser only lists a handful of servers. Both DC's live in the same
site in the same subnet, and WINS appears to replicate correctly. The master
browser records appear to have the correct DC's and IP's. There's
definitely something missing.

---------
With this migration the plan is to recreate the users from scratch in the
new domain and start fresh. Forest A is pretty old and needs a lot of
cleanup. Forest A also hosts an Exchange server but it's a separate issue.
For short term, external accounts will simply be granted access to the old
mailboxes and a proper migration will take place at a later date.
Re: Mixed forest Authentication issue - Active Directory netbios name [message #156069 is a reply to message #156065] Tue, 09 June 2009 22:38
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
If you are getting mixed results such as this, then it is telling me name
resolution is amiss.

How is WINS set up? How many WINS servers are in use? Can both halves of
those users all log on successfully using their UPN
(user@theirOwnDomain.com)?

If this started occurring after the role transfer, is there possibly a
static entry in WINS for the old servers indicating they are the browse
masters?

Ace
Re: Mixed forest Authentication issue - Active Directory netbios name [message #156096 is a reply to message #156069] Wed, 10 June 2009 08:22
aceman (United States)
Messages: 5816
Registered: July 2009
Senior Member
You are welcome, and I'm glad you were able to resolve it. The browser can
take a little time to straighten itself out, but it will.

Ace
Re: Mixed forest Authentication issue - Active Directory netbios name [message #156100 is a reply to message #156069] Wed, 10 June 2009 08:07
Todd
Messages: 39
Registered: June 2009
Member
That's what I was thinking.

I solved the immediate fileshare problem and it turned out to be something
completely unrelated to WINS. In this case, the fileserver was originally
built out on the 2000 domain for testing and was eventually formatted,
reinstalled and moved over to the new domain. The problem occurred because
the server retained its original computer name and the original entry was
never deleted in the 2000 AD. AD saw the same computer account with a
different SID, hence the "access denied" error. Deleting the old computer
account resolved the issue and now everyone can access the share instantly
with no authentication prompts.

A lot of cleanup was done to WINS, DNS and AD to try and resolve this issue.
I'm hoping the browser will start behaving better in the near future.

Thanks for your help.
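The root cause Todd reports is a stale computer account in the old domain with the same name as the rebuilt server in the new domain. The script below is an added example, not code from this thread or from either poster: it indexes the computer accounts of both domains, lists every name that exists in both, and shows each account's SID, creation date and last logon so an administrator can tell which copy is the leftover before touching anything. It assumes the ActiveDirectory module, LDAP reachability to both domains, and placeholder domain names; it deletes nothing.

```powershell
# Added example (not from the thread). List computer names that exist in
# both an old and a new domain, with SID and activity data for review.
param(
    [string]$OldDomain = 'apples.oranges.com',   # placeholder
    [string]$NewDomain = 'new.example.local',    # placeholder
    [int]$StaleAfterDays = 90                    # assumption: no logon in 90 days = stale
)

Import-Module ActiveDirectory

function Get-ComputerIndex {
    # Build a hashtable keyed on the bare NetBIOS computer name for one domain.
    param([string]$Domain)
    $index = @{}
    Get-ADComputer -Server $Domain -Filter * -Properties SID, lastLogonTimestamp, whenCreated |
        ForEach-Object {
            # sAMAccountName of a computer ends in '$'; strip it for the key.
            $index[$_.SamAccountName.TrimEnd('$').ToUpperInvariant()] = $_
        }
    return $index
}

function ConvertFrom-LogonTimestamp {
    # lastLogonTimestamp is a FILETIME; it is absent for accounts that never logged on.
    param($Value)
    if ($Value) { return [DateTime]::FromFileTime([int64]$Value) }
    return $null
}

$old = Get-ComputerIndex -Domain $OldDomain
$new = Get-ComputerIndex -Domain $NewDomain
$cutoff = (Get-Date).AddDays(-$StaleAfterDays)

# Every name present in both domains is a candidate for the mismatch Todd hit:
# the old object still exists under the same name but has a different SID
# from the rebuilt machine, so the old domain treats the new machine as a stranger.
$collisions = foreach ($name in $old.Keys) {
    if (-not $new.ContainsKey($name)) { continue }
    $o = $old[$name]; $n = $new[$name]
    $oldLogon = ConvertFrom-LogonTimestamp $o.lastLogonTimestamp
    [pscustomobject]@{
        Name            = $name
        OldSid          = $o.SID.Value
        OldCreated      = $o.whenCreated
        OldLastLogon    = $oldLogon
        OldLikelyStale  = (-not $oldLogon) -or ($oldLogon -lt $cutoff)
        NewSid          = $n.SID.Value
        NewCreated      = $n.whenCreated
        NewLastLogon    = ConvertFrom-LogonTimestamp $n.lastLogonTimestamp
    }
}

$collisions | Sort-Object Name | Format-Table -AutoSize
```

Accounts in two different domains never share a SID, so the two SID columns are there to record which object is which, not to compare; OldLikelyStale is the signal to act on. Review the list, confirm with the owners that the old object is not still in use, and only then disable it (for example with Disable-ADAccount, with -WhatIf first) ahead of deleting it, so a mistaken removal can be reversed.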