WIN 2000 member servers in an NT 4 domain


S.R.G.

Hi everyone,

Well, perhaps I am just tired, but I can't seem to figure
out this problem. We are still using old NT4 domains here
with trust relationships.

Here is the issue: I have Domain A and Domain B. Domain A
is trusting Domain B.

Now I have always had servers 1-7 running perfectly fine
in Domain A and could be administered from my admin
account in domain B.

For whatever reason I cannot manage servers 8-10 that have
been recently added to domain A using my account from
domain B. I can still however manage the other servers
with complete control that are in Domain A with my Domain
B admin account. The member servers are Windows 2000 SP2-SP4,
same hardware, and all have the same problem with just
the core installation. I can still however manage the
other Windows 2000 servers that have existed in that
domain for a while with whatever Domain B Admin account.

Did I just make sense, or should I go home and have a
drink :-)

There was recently a problem with the PDC on Domain A
where I was forced to promote the BDC.

S.R.G.
 
Can you provide us with more specific details on how you are trying to
manage the computers remotely, and the error(s) that it gives you?

Chris Szilagyi
Technical Consultant
______________________________________________________
Apex Internet Solutions - http://www.apex-internet.com
Complete Internet Hosting Solutions, Custom Website
 
Sure no problem.

Well, if I log on locally to those machines with my account
residing in Domain B, I cannot access the security log. I
can't modify the local admin account or connect via Terminal
Server.

If I try to run a remote management session with my MMC
snap-in from a desktop in Domain B, I experience the same
problem where I can't view the security log, etc.

It seems to allow me Power User access, however.

When I verify the security log after the "access is denied"
message when attempting these functions (with another
user account, of course), I see this:

Event Type: Failure Audit
Event Source: security
event ID: 578
user: domainb\myadminuser
computer: domainbPC

Privileged object operation:
objecthandle: 0
processID: 268
primary username: domainbPC$
primary domain: domainA
clientusername: myadminuser
clientdomain: domainb

So any ideas?
 
Sorry it took so long for me to reply. I guess I should
have posted this in the NT group and not 2000.

I will try to explain this a little more; forgive my
English if it's not proper. I have, for example, Domain A
and Domain B, Domain B being only a resource domain with a
one-way trust relationship to Domain A.

Now, until recently my domain admin account from Domain A
was always able to have admin control of any server in
Domain B, i.e. access security logs, change admin usernames
and passwords for local server accounts, etc. However,
currently any admin account in Domain A no longer has
admin rights to Domain B via the trust relationship, but
only to newer built servers. I can log in to the other
servers but I don't have admin rights; I am more of a
Power User equivalent.

We confirmed that WINS is working properly and everything
is being resolved. I broke and re-established the trust
relationship. Still I have no success. For the last 3 days
I have been working with Microsoft Support and have not
yet been able to find an answer.

The interesting thing, though, is that I still have admin
rights to some of the older servers in my resource domain.
So if I had a Windows 2000 server built 6 months ago, I
still have admin rights. It seems to be only servers built
in the last month. I have exactly matched hardware and
patch levels of the older builds and tried a test to join
it to the resource domain. So I know it's not a new patch
or standard that's being deployed now that was not before.

I am sure the problem lies in Domain A, since I have the
same problem with a similar trust relationship established
with, i.e., Domain C.

The admin accounts in the resource domains, however, still
have full control.

I have confirmed that my Domain admin global group is in
the local admin group on the DCs of the other domains.

So I am at a loss. I have reset the secure channels,
synch'd, done WINS maintenance, etc.

If anyone has any suggestions, I am open to hearing them. I will
post here when I get things resolved so you can see what
the solution was.

Thanks,
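
The post above mentions checking that the admin global group is in the local admin group. The following is an added example, not part of the thread: it compares the local Administrators membership that `net localgroup Administrators` reports on long-standing member servers with what it reports on recently built ones. It assumes the command's output was saved per server; the server, domain and group names and the captures themselves are constructed.

```python
# Added example. Server, domain and group names below are hypothetical.

def capture(*members):
    """Build constructed `net localgroup Administrators` output for the demo."""
    head = ["Alias name     Administrators",
            "Comment        Administrators have complete and unrestricted access",
            "", "Members", "", "-" * 79]
    return "\n".join(head + list(members) + ["The command completed successfully.", ""])

# Constructed captures: two long-standing servers and two recent builds.
SAMPLE = {
    "OLDSRV1": capture("Administrator", r"RESDOM\Domain Admins", r"ACCTDOM\Domain Admins"),
    "OLDSRV2": capture("Administrator", r"RESDOM\Domain Admins", r"ACCTDOM\Domain Admins",
                       r"RESDOM\BackupOps"),
    "NEWSRV8": capture("Administrator", r"RESDOM\Domain Admins"),
    "NEWSRV9": capture("Administrator", r"resdom\Domain Admins", r"ACCTDOM\domain admins"),
}

def parse_members(text):
    """Return the upper-cased member names listed after the dashed separator."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() and set(line.strip()) == {"-"}:
            break
    else:
        raise ValueError("no member list found (access denied or wrong output?)")
    members = set()
    for line in lines[i + 1:]:
        name = line.strip()
        if not name or name.lower().startswith("the command completed"):
            break
        members.add(name.upper())  # account names compare case-insensitively
    return members

def missing_vs_baseline(captures, baseline):
    """For each non-baseline server, list domain principals that every
    baseline server has in local Administrators but this server lacks."""
    parsed = {srv: parse_members(txt) for srv, txt in captures.items()}
    expected = set.intersection(*(parsed[s] for s in baseline))
    return {srv: sorted(p for p in expected - got if "\\" in p)
            for srv, got in parsed.items() if srv not in baseline}

if __name__ == "__main__":
    for srv, gaps in missing_vs_baseline(SAMPLE, ["OLDSRV1", "OLDSRV2"]).items():
        print(srv, "missing:", ", ".join(gaps) if gaps else "nothing")
```

Only domain principals (names containing a backslash) are compared, since local accounts legitimately differ from server to server.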
 