Strange authentication problem on windows 2000 member serv..

Archived from groups: microsoft.public.win2000.active_directory

I had a problem this morning with three member servers in a domain in my
forest. They could not authenticate any user account in a different domain in
the forest but could authenticate their own domain when logging into the
server. The DCs could do so without problem. The servers could also
authenticate if you just wanted to access a file share. I removed them from
the domain and re-added them and the problem went away. I am wondering if
anyone has any ideas what might have caused the problem?
  1. Archived from groups: microsoft.public.win2000.active_directory

    "Derek Christensen" <Derek Christensen@discussions.microsoft.com> wrote in
    message news:ABF384DA-AE20-4CF0-AEA8-C2E9C2960996@microsoft.com...
    > I had a problem this morning with three member servers in a domain in my
    > forest. They could not authenticate any user account in a different domain in
    > the forest but could authenticate their own domain when logging into the
    > server. The DCs could do so without problem. The servers could also
    > authenticate if you just wanted to access a file share. I removed them from
    > the domain and re-added them and the problem went away. I am wondering if
    > anyone has any ideas what might have caused the problem?

    Probably authentication which is...

    Most likely is a DNS issue -- either/both the DC or client (your
    'server' in this case is the client) side.

    DNS for AD
    1) Dynamic for the zone supporting AD
    2) All internal DNS clients NIC\IP properties must specify SOLELY
    that internal, dynamic DNS server (set.)
    3) DCs and even DNS servers are DNS clients too -- see #2
    4) If you have more than one Domain, every DNS server must
    be able to resolve ALL domains (either directly or indirectly)

    Restart NetLogon on any DC if you change any of the above that
    affects a DC and/or use:

    nltest /dsregdns /server:DC-ServerNameGoesHere

    Ensure that DNS zones/domains are fully replicated to all DNS
    servers for that (internal) zone/domain.

    Also useful may be running DCDiag on each DC, sending the
    output to a text file, and searching for FAIL, ERROR, WARN.

    Single Label domain zone names are a problem. Google:
    [ "SINGLE LABEL" domain names DNS 2000 | 2003 microsoft: ]

    --
    Herb Martin
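
Item 2 of the checklist in the reply above (every internal DNS client points solely at the internal dynamic DNS servers) can be checked per machine from its `ipconfig /all` output. The following is an added example, not part of the original thread: it parses a constructed sample of that output and lists any DNS server outside an assumed internal set; the addresses, the internal server set and the function names are illustrative assumptions.

```python
import re

# Constructed sample of `ipconfig /all` output from a member server (not from the thread).
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 10.0.0.21
        Default Gateway . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 10.0.0.5
                                            192.0.2.53
"""

# Assumed set of internal, dynamic DNS servers that host the AD zones.
INTERNAL_DNS = {"10.0.0.5", "10.0.0.6"}
IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS server IPs]} parsed from ipconfig /all text."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        # Adapter headers start in column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_dns = line.rstrip().rstrip(":"), False
            result[adapter] = []
            continue
        stripped = line.strip()
        if stripped.startswith("DNS Servers"):
            in_dns = True
            value = stripped.split(":", 1)[1].strip()
        elif in_dns and IPV4.match(stripped):
            value = stripped  # continuation line: one more server for this adapter
        else:
            in_dns = False
            continue
        if adapter is not None and IPV4.match(value):
            result[adapter].append(value)
    return result

def external_resolvers(text, internal=INTERNAL_DNS):
    """Return {adapter: [servers outside the internal set]} for offending adapters."""
    found = {}
    for adapter, servers in dns_servers_by_adapter(text).items():
        bad = [s for s in servers if s not in internal]
        if bad:
            found[adapter] = bad
    return found

if __name__ == "__main__":
    print(external_resolvers(SAMPLE_IPCONFIG))
```

An adapter reported here has a resolver that may not know the AD zones of the other domains in the forest, which is the condition items 2 and 4 of the checklist are meant to rule out.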