Cannot assign Mac permissions in trusting domain

  • Thread starter Thread starter Byron Kendrick
  • Start date Start date
B

Byron Kendrick

The environment is Windows 2003 Active directory in mixed mode. There are
three domains; lets call them forest_root, domain1 and domain2.
We are running WINNS in the 2child domains. the trust relationship is the
default child trust between each domain and the forest root and there is a
one way trust between the two child domains themselves with domain1 (staff
and Faculty login) being the trusted domain and domain2 (student login) the
trusting. There are no resource domains. There is a shared volume on one
of the domain2 bdc's (NT 4.0 sp6a) that is used for a faculty drop box.
This morning the permissions for the faculty are no longer there.
Everything looks good on the PC side but the Mac side will not recognize the
domain1 users. I can go into the Mac permissions on each folder and set the
owner to the domain1\user account but when I go back in to view the
permissions the ownership is set to <Account Unknown>. I tried to set the
primary group to domain1\domain users but it came back as forest_root\domain
users. Has anyone had this experience before. This is happening on both
both domain2 bdc's (both bdc's are NT 4.0 with sp6a). I have tried removing
WINNS from the serve but that has not helped.

Thanks
Byron
 
Hi,

You don't mention what version of MacOS you are using or whether or not
you are using Dave software or MacOS to make your connections. If you
post a follow-up message it might be easier to offer suggeestions.
Thanks.

-Jim
 
Byron Kendrick said:
The environment is Windows 2003 Active directory in mixed mode. There are
three domains; lets call them forest_root, domain1 and domain2.
We are running WINNS in the 2child domains. the trust relationship is the
default child trust between each domain and the forest root and there is a
one way trust between the two child domains themselves with domain1 (staff
and Faculty login) being the trusted domain and domain2 (student login) the
trusting. There are no resource domains. There is a shared volume on one
of the domain2 bdc's (NT 4.0 sp6a) that is used for a faculty drop box.
This morning the permissions for the faculty are no longer there.
Everything looks good on the PC side but the Mac side will not recognize the
domain1 users. I can go into the Mac permissions on each folder and set the
owner to the domain1\user account but when I go back in to view the
permissions the ownership is set to <Account Unknown>. I tried to set the
primary group to domain1\domain users but it came back as forest_root\domain
users. Has anyone had this experience before. This is happening on both
both domain2 bdc's (both bdc's are NT 4.0 with sp6a). I have tried removing
WINNS from the serve but that has not helped.
Click to expand...

Hi Byron!

Wow, this reads like an MCSE test question!

First WINS should have nothing to do with your permissions but since you
mention WINS I'm guessing you're using a Mac OS X 10.2 or later system.

By your phrasing I'll also guess that this setup was working at some
point and now doesn't. So this would indicate a change on the servers.

Have any passwords changed lately or have any domain name changes been
made anywhere? This feels like there should be more information.

bill
 
William Smith said:
Hi Byron!

Wow, this reads like an MCSE test question!

First WINS should have nothing to do with your permissions but since you
mention WINS I'm guessing you're using a Mac OS X 10.2 or later system.
Click to expand...

It shouldn't but since WINS is the only thing that has been changed It is
still suspect. especially since We have gone to Active directory the summer
and there for the domain name changes that come with it, ie. from just the
servername to servername.domain.organization.edu. But That was earlier in
the summer and was not a problem until now. The problems were not noticed
until Friday. The changes in WINS were made on Thursday evening. We have
Mac's running from OS 7.5 to OS 10.3. They first one to call in was running
7.5 on one and 9.2. It may be isolated to the older Macs isnce they use
Appletalk. I know these don't these don't use WINS but the servers do and
it appears that that is where the problem is. That is why I didn't include
the Mac OS in the first reply.
By your phrasing I'll also guess that this setup was working at some
point and now doesn't. So this would indicate a change on the servers.
Click to expand...

Yes it worked for years without a hitch.
 
First WINS should have nothing to do with your permissions but since you
mention WINS I'm guessing you're using a Mac OS X 10.2 or later system.
Click to expand...

It shouldn't but since WINS is the only thing that has been changed It is
still suspect. especially since We have gone to Active directory the summer
and there for the domain name changes that come with it, ie. from just the
servername to servername.domain.organization.edu. But That was earlier in
the summer and was not a problem until now. The problems were not noticed
until Friday. The changes in WINS were made on Thursday evening. We have
Mac's running from OS 7.5 to OS 10.3. They first one to call in was running
7.5 on one and 9.2. It may be isolated to the older Macs isnce they use
Appletalk. I know these don't these don't use WINS but the servers do and
it appears that that is where the problem is. That is why I didn't include
the Mac OS in the first reply.
By your phrasing I'll also guess that this setup was working at some
point and now doesn't. So this would indicate a change on the servers.
Click to expand...

Yes it worked for years without a hitch.[/QUOTE]


Interesting situation. What changes were made to WINS?

This could be a variety of things but I would start by looking at static
WINS entries for your servers.

Also, were any WINS entries deleted without being tombstoned? Something
may have come back from a replication partner that shouldn't have. If
DNS is performing a WINS lookup against some stale records then one of
your AD servers may be receiving some erroneous information.

bill
 
William Smith said:
----deleted----
Yes it worked for years without a hitch.
Click to expand...


Interesting situation. What changes were made to WINS?[/QUOTE]

Just briefly there are 2 WINS servers on the network. One in each domain.
For some reason the person who set them up tried to make the domain1
(trusted domain) server the primary for both domains. Even the server in
domain2 (trusting domain) was set to use the domain1 WINS server as a
primary instead of itself. All the servers in both domains as well as all
the DHCP scope were set that way. The changed that took place were to set
up the domain2 servers and scopes (VLANS) for the dorms, computer labs and
such to point to the WINS server in their login domain, domain2. I can't
give a lot of detail as I was not involved.in the setup or the changes that
were made on the WINS servers. The changes that were made cleared up some
authentication problems that we were having in Domain2 but that was mostly
adding domain2 PC to the domain.

I have found out today that it appears to be isolated to the older OS's. OS
10.3 systems seem to be OK. I'll check out the static entries on the WINS
servers tomorrow and get back.

Byron
 
WINS settings look OK.

This really looks like an Appletalk issue. When you view the permission
from the PC side everything is correct.
Thursday morning there were some MS patches run. KB873374, KB867801, and
KB833989, but I cannot find anything in MS Knowledge base that indicates
they might be detrimental to Appletalk users. Boy will I be glad to see
Appletalk go away, although it may be gone. There are just too many Macs
out there taht we cannot upgrade just yet.

Byron

Byron Kendrick said:
William Smith said:
Interesting situation. What changes were made to WINS?
Click to expand...

Just briefly there are 2 WINS servers on the network. One in each domain.
For some reason the person who set them up tried to make the domain1
(trusted domain) server the primary for both domains. Even the server in
domain2 (trusting domain) was set to use the domain1 WINS server as a
primary instead of itself. All the servers in both domains as well as all
the DHCP scope were set that way. The changed that took place were to set
up the domain2 servers and scopes (VLANS) for the dorms, computer labs and
such to point to the WINS server in their login domain, domain2. I can't
give a lot of detail as I was not involved.in the setup or the changes
that were made on the WINS servers. The changes that were made cleared up
some authentication problems that we were having in Domain2 but that was
mostly adding domain2 PC to the domain.

I have found out today that it appears to be isolated to the older OS's.
OS 10.3 systems seem to be OK. I'll check out the static entries on the
WINS servers tomorrow and get back.

Byron
Click to expand...
 
OK here it is. Some how the trust have been broken. When you go to the
domain controllers it looks to be right but according to MS KB article
271924 the trust have been broken. Well I don't knwo what to do since they
look right in the User Manager on the NT4.0 BDC's and on in the Domains and
Trust app on the AD PDCE's. Would it be a good thing to try to break the
trust and re-assign it?

Byron

Byron Kendrick said:
WINS settings look OK.

This really looks like an Appletalk issue. When you view the permission
from the PC side everything is correct.
Thursday morning there were some MS patches run. KB873374, KB867801, and
KB833989, but I cannot find anything in MS Knowledge base that indicates
they might be detrimental to Appletalk users. Boy will I be glad to see
Appletalk go away, although it may be gone. There are just too many Macs
out there taht we cannot upgrade just yet.

Byron
Click to expand...
 
Corrupted database on BDC. I used the nltest /sync command to force a full
syncronization and rebooted. All is well.

Thanks for the help.
Byron
 
Byron Kendrick said:
Corrupted database on BDC. I used the nltest /sync command to force a full
syncronization and rebooted. All is well.
Click to expand...

Again, wow!

So when you refer to a corrupted database, would this be the the index
for the Mac volume? How did you determine this?

bill
 
The database may not have been "corrupt" as much as not fully updated. I
did a search on Microsoft Knowledgebase by broadening my search criteria to
just Macintosh and 150 returns instead of 25. Article Q275221 looking very
much like what I was beginning to suspect after we discussed the WINS and
other things. After reading throught the article it looking even more like
my problem so I gave it a shot. The "net account /sync" command didn't help
but using the nltest /sync worked wonderfully well.

Byron.
 
Back
Top