Only directory controllers see new group

Jeremy I. Shannon

Windows 2000 SP3 Servers, XP workstations
3 Directory Controllers, all GCs and 2 are in the same site/subnet
Mixed Domain, 1 NT BDC remaining
I am having issues suddenly with seeing newly created groups at
anything other than directory controllers. The groups are replicating
between the servers perfectly. The workstations and other servers see
any old groups perfectly. For organizational reasons the groups are
nested in an OU called Permissions Groups, then another OU called
Eenterprise XML Permissions. Seems like a GC problem to me, but I
don't know where to begin in troubleshooting that. Any help is greatly
appreciated as this isn't affecting me much right now, but I'm sure it
will snowball into something else soon. Please tell me if you need
any more information and I will provide it.
Thank you,
Jeremy
 
Jeremy I. Shannon said:
Windows 2000 SP3 Servers, XP workstations
3 Directory Controllers, all GCs and 2 are in the same site/subnet
Mixed Domain, 1 NT BDC remaining
I am having issues suddenly with seeing newly created groups at
anything other than directory controllers. The groups are replicating
between the servers perfectly. The workstations and other servers see
any old groups perfectly. For organizational reasons the groups are
nested in an OU called Permissions Groups, then another OU called
Eenterprise XML Permissions. Seems like a GC problem to me, but I
don't know where to begin in troubleshooting that. Any help is greatly
appreciated as this isn't affecting me much right now, but I'm sure it
will snowball into something else soon. Please tell me if you need
any more information and I will provide it.
Thank you,
Jeremy

Assuming you mean you can't see the groups in any of your client machines,
since you said you can see them in your DC, then the only thing I can think
of is a DNS issue, provided all things are equal. Are all your machines only
pointing to your internal DNS only (and not the ISP's)?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Yes, I can't see the groups from any client workstations or member
servers. But I can see old groups and users, which made me think it
wasn't DNS related. I am using internal DNS running on both the DCs.
All permissions are working perfectly with the old groups too, it is
just with anything newly created. The oddest thing of all is that I
can see new created users from every machine and can successfully
apply permission based on them. I can't see any new groups no matter
what container I put them in. I just created a test group in the
users container and it isn't visible to any of the machines. When I
am assigning the permissions I can even point directly to the OU that
contains the groups and it still doesn't find them even though it sees
the newly created OU. Hope this helps shed some more light on it.
Thanks,
Jer

PS Is this Ace from NH in KoP?
 
Ok, disregard my earlier info. It is actually all domain
local groups that aren't working except for on DCs. I am
unable to see any old or new domain local groups when
trying to add them to permissions. This is a 1 domain
forest, so I don't know how anything is working if Domain
local isn't working. Thanks for any insight.
Jer
 
Jeremy said:
Ok, disregard my earlier info. It is actually all domain
local groups that aren't working except for on DCs. I am
unable to see any old or new domain local groups when
trying to add them to permissions. This is a 1 domain
forest, so I don't know how anything is working if Domain
local isn't working. Thanks for any insight.
Jer

Yes, Jeremy, it is Ace from NH in King of Prussia, PA. How goes it?

Are you trying to add a Domain Local Group to an ACL? Not exactly sure what
you mean here. Normally, following the mixed mode AGDLP rule, you can add a
user to a global group, then add them to a local group. Then add the local
group in the ACL of a resource, and apply permissions to it, then the user
gets that permission by virtue of being in the group nest.

I'm not sure, but is this what you're trying to do?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hey Ace, I've had a few classes with Rob Elder. I work
for Premier Dental, we used to be your neighbor. Yes you
are correct in your assumption, I am trying to add a
domain local group to a folder's ACL, but it can't find
any of the domain local groups in AD. As an example the
domain local group name is Utility RO, if I type in
utility to search when I am adding to the ACL of a Non-DC
folder it can't find anything, but if I do the exact same
search to add it to a folder on a DC it finds it
perfectly. Any searches from global groups or users work
perfectly everywhere. It's almost as if they
workstations and member servers don't understand that
they are part of the local domain, but this is a single
domain forest. Thanks again for any help, and say hi to
Rob for me.
Jeremy
 
Jeremy said:
Hey Ace, I've had a few classes with Rob Elder. I work
for Premier Dental, we used to be your neighbor. Yes you
are correct in your assumption, I am trying to add a
domain local group to a folder's ACL, but it can't find
any of the domain local groups in AD. As an example the
domain local group name is Utility RO, if I type in
utility to search when I am adding to the ACL of a Non-DC
folder it can't find anything, but if I do the exact same
search to add it to a folder on a DC it finds it
perfectly. Any searches from global groups or users work
perfectly everywhere. It's almost as if they
workstations and member servers don't understand that
they are part of the local domain, but this is a single
domain forest. Thanks again for any help, and say hi to
Rob for me.
Jeremy

I will say hi to Rob tomorrow for ya. He's doing a 2126 (Network Admin
course) and I'm doing a 1572 (Ex2k) this week. You were my neighbor? Where
did you live? Email privately if you want. Just change the name in my email
to my first and last name @ hotmail.com.

What mode is your domain in? Those DLGs should show up on any member server
unless you're still in mixed mode, in which case they are limited to DCs:
http://support.microsoft.com/default.aspx?scid=kb;en-us;296369

Change your mode to native and it will work unless you need to keep in mixed
(NT4 BDCs still in the domain?) then you need to stick with Global Groups
for the member servers.

:-)

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
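A way to check the two things Ace asks about (the domain mode, and whether a folder's ACL already depends on domain local groups that a mixed-mode member server will not honour) from the member server itself. This is an added example, not code from the thread or from Microsoft; it assumes a domain-joined machine with .NET System.DirectoryServices available (no RSAT required), that you run it as an account from the same single-domain forest so `$env:USERDOMAIN` is the right NetBIOS domain name, and the folder path `D:\Shares\Utility` is hypothetical.

```powershell
# Added example (not from the thread). Reports the domain mode, lists the
# domain local security groups in the domain, and flags ACEs on a folder that
# reference them, or that could not be resolved at all on this machine.
function Test-DomainLocalAcl {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    # Domain mode as .NET reports it. Windows2000MixedDomain means NT4 BDCs are
    # still permitted; the thread's point is that domain local groups are then
    # only usable on domain controllers.
    $domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $isMixed = ($domain.DomainMode -eq
                [System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2000MixedDomain)

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = DC, 3 = member server.
    $isDc = ((Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -eq 2)

    # Enumerate security-enabled domain local groups by groupType bits:
    # 0x00000004 = domain local scope, 0x80000000 = security-enabled.
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = $domain.GetDirectoryEntry()
    $searcher.Filter = '(&(objectCategory=group)' +
                       '(groupType:1.2.840.113556.1.4.803:=4)' +
                       '(groupType:1.2.840.113556.1.4.803:=2147483648))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $domainLocal = @{}
    foreach ($r in $searcher.FindAll()) {
        $domainLocal[[string]$r.Properties['samaccountname'][0]] = $true
    }

    # Walk the folder's ACL. Assumption: $env:USERDOMAIN is the NetBIOS name
    # of the domain that owns these groups (true in a single-domain forest
    # when run as a domain account).
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $id    = [string]$ace.IdentityReference
        $parts = $id -split '\\', 2
        $isDlg = ($parts.Count -eq 2 -and
                  $parts[0] -eq $env:USERDOMAIN -and
                  $domainLocal.ContainsKey($parts[1]))

        # A trustee shown as a raw domain SID could not be resolved on this
        # machine, which is the symptom described in the thread.
        $unresolved = ($id -match '^S-1-5-21-')

        $status = if ($unresolved) { 'UNRESOLVED SID' }
                  elseif ($isDlg -and $isMixed -and -not $isDc) {
                      'domain local group: limited to DCs while in mixed mode'
                  }
                  elseif ($isDlg) { 'domain local group: ok' }
                  else { 'not a domain local group' }

        [pscustomobject]@{
            Path       = $Path
            DomainMode = $domain.DomainMode
            IsDC       = $isDc
            Identity   = $id
            Rights     = $ace.FileSystemRights
            Type       = $ace.AccessControlType
            Status     = $status
        }
    }
}

# Usage: run on the member server that hosts the share (path is hypothetical).
Test-DomainLocalAcl -Path 'D:\Shares\Utility' | Format-Table -AutoSize
```

Run it on the member server where the folder lives, not on a DC, since the whole question is what that machine can resolve. Two caveats worth keeping in mind: the switch from mixed to native mode is one-way, so retire the last NT4 BDC before flipping it; and until then, per Ace's advice, put global groups (or the users directly) in ACLs on member servers rather than domain local groups.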
 
Jeremy said:
Well, that makes me feel a little stupid. Tell Rob he
should have ingrained that in my head in one of the
courses with him :) Thank you very much for the info.
We are running in Mixed right now, but we will be
switching to native in the next month or so. So
hopefully this will work following that. When I said
about being neighbors, I meant Premier and NH, we used to
be 3600 Horizon, actually we still have the building.
Thanks again for all the help, I'll introduce myself next
time I'm over there for a class.
Jer


Don't feel stupid. It's just an oversight. I had to think back before I
posted that to make absolutely sure myself. :-)

Looking forward to meeting you!

:-)


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 