Strange Trust Permissions Issue
Hi All,

Wonder if anyone can shed any light on this one...

I have a Server 2008 Domain with an external trust connected to a Server 2000 Domain.

On the 2000 Domain I can add users and groups from the 2008 Domain to File/Folder permissions without a problem.

On the 2008 Domain, when I'm on a Server 2008 Machine and I try to add a user from the 2000 domain to have access to a file/folder, it always asks me to enter a network password. I try a domain admin user from the 2000 domain and I get 'Logon Failure: Unknown user name or bad password'.

If I go to a 2003 member server on the 2008 domain and try adding a user to have access to the same file/folder, it does it without a hitch...

So, why are the 2008 servers prompting me for a user/password when I try to find users in the 2000 domain? Is there any way I can get the 2008 server to stop doing this?

Thanks
Niels
April 15th, 2009 6:51pm

Hi Niels,

Based on the research, the issue could be due to the enhancement of the security settings on Windows Server 2008. To prevent the Windows Server 2008 based computer from prompting with the error, please try disabling the following security options in both the Local Group policy and the Default Domain Controller policy.

Steps:

1. Edit both the Local Group policy and the Default Domain Controller policy on Windows Server 2008.

2. Find and locate Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

   Disable the following options:
     Microsoft network client: Digitally sign communications (always)
     Network access: Do not allow anonymous enumeration of SAM accounts and shares
     Network access: Restrict anonymous access to Named Pipes and Shares

   Enable the following options:
     Microsoft network server: Digitally sign communications (if client agrees)
     Microsoft network client: Digitally sign communications (if server agrees)

3. Restart the domain controller to make it take effect.

Please also check if you can resolve the resources of the Windows 2000 domain from the Windows Server 2008 domain successfully. This also could be a DNS name resolution issue.

Meanwhile, please try setting the RestrictAnonymous registry value to 1 on the Windows 2000 domain controller.

1. This registry value can be found at:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa
   Value: RestrictAnonymous
   Value Type: REG_DWORD
   Value Data: 0x1 (Hex)

2. Restart the domain controller.

For more reference, please check the KB:
Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments
http://support.microsoft.com/kb/823659

Hope it helps.

This posting is provided "AS IS" with no warranties, and confers no rights.
April 17th, 2009 12:12pm
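
To record what a Server 2008 machine is actually applying before and after the changes suggested in the reply above, the following added example (not part of the thread) reads the registry values that back those five security options and saves a timestamped snapshot. The policy-to-registry mapping is the standard Windows one rather than something stated in the thread, and the CSV file name is an assumption.

```powershell
# Added example (not from the thread): read-only snapshot of the registry values
# behind the security options named in the reply. Nothing is modified.
$lanWks = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$lanSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy name as written in the reply -> backing value, and the state the reply
# asks for (0 = Disabled, 1 = Enabled).
$checks = @(
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)'
       Path = $lanWks; Name = 'RequireSecuritySignature'; Reply = 0 },
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Path = $lanWks; Name = 'EnableSecuritySignature'; Reply = 1 },
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Path = $lanSrv; Name = 'EnableSecuritySignature'; Reply = 1 },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'
       Path = $lsa; Name = 'RestrictAnonymous'; Reply = 0 },
    @{ Policy = 'Network access: Restrict anonymous access to Named Pipes and Shares'
       Path = $lanSrv; Name = 'RestrictNullSessAccess'; Reply = 0 }
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

$rows = foreach ($c in $checks) {
    $name = $c.Name
    $prop = Get-ItemProperty -Path $c.Path -Name $name -ErrorAction SilentlyContinue
    # A missing value means the option has never been set explicitly on this machine.
    $current = if ($prop) { $prop.$name } else { 'not set' }

    New-Object PSObject -Property @{
        Computer     = $env:COMPUTERNAME
        Taken        = $stamp
        Policy       = $c.Policy
        Value        = $name
        Current      = $current
        ReplyAsksFor = $c.Reply
        Matches      = ($current -eq $c.Reply)
    }
}

# Fix the column order, show a summary, and keep a CSV for later comparison.
# The file name below is an assumption made for this example.
$rows = $rows | Select-Object Computer, Taken, Policy, Value, Current, ReplyAsksFor, Matches
$rows | Format-Table Policy, Current, ReplyAsksFor, Matches -AutoSize
$rows | Export-Csv -Path ".\smb-policy-$stamp.csv" -NoTypeInformation
```

Running it once before the policy edit, once after the restart, and again when the prompt returns gives three snapshots that can be compared line by line.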

Thanks for your help so far David,

I tried the above changes but it didn't help.

I have noticed however that the problem goes away for a length of time if I re-boot the 2008 DCs. After a while it comes back and I get the 'Logon Failure: Unknown user name or bad password' messages once again...

Any other ideas?

Regards
Niels
May 5th, 2009 6:49pm

This topic is archived. No further replies will be accepted.
