2003 server NAS permissions..HELP!

Status
Not open for further replies.

Tony414

MIS
Feb 3, 2003
197
US
Hello,

I'm hoping someone can help me with this. It isn't pretty :)

I currently have an NT domain setup. I have my first 2003 server in place. I'm testing this with my workstation (XP Pro). All client machines' home directories are located on a NAS that is running 2003 server which is joined to my NT domain. One by one I will be switching the others over to the new domain. Here is where I'm stuck. When their drive gets mapped it's asking for a password. How can I set it up so they can get mapped to their directory without this? Then once everything is in place I can secure it better. Any help would be greatly appreciated on this!!! I hope I gave enough info....

Thanks,
Tony
 
Ok, I am not sure I understand.

So you have an NT domain now. Is the NAS in the NT domain? And you want to move to a new 2003 domain? What hardware is in that new domain?
 
The NAS is connected to the NT domain. It's a 2003 server set up as just a file server. I have a new 2003 domain that I need to move all the clients to (they are still connected to the NT domain). I'm practicing with my workstation. I joined the new 2003 domain. Everything went fine except when it tried to connect to my home directory (which is located on the NAS) it asked me for a password. I tried changing the security on the NAS to "Everyone" full control but that didn't work. Once I have this working I can get the others to join the new domain. I'm sorry if it sounds confusing. It's me!! I created a nightmare.
 
Ok. If the NAS server is in the OLD domain and a client from the new domain tries to connect, they will get prompted. I would recommend creating a trust between the domains so that the old domain trusts the new domain. Then, you can go into the NTFS permissions on the NAS storage and grant privileges to either domain's users.

If you want to do this in an automated fashion, then you could use a tool like the MS ADMT, MS Server Migration Tool, or Quest Domain Migration Wizard.
 
I thought that too. But Active Directory isn't installed on the NAS. So how would I go about setting up the trust? Or are you saying to set the trust on the NT box?
 
OK, if the NAS server is a member of the domain, a domain trust will apply to it. So, set up the trust from the NT DC to the AD DC.
 
Fixed!! Thanks so much for the help with this....
 
Hi again! Well, almost fixed. Here is what I'm running into now. I can map my home drive to my XP machine but when I try to access a file I get an "Access Denied". How do I go about resetting this? My home drive is located on the NAS box which is 2003 server. I hope I'm clear enough.

Thanks,
Tony
 
If I understand correctly, your XP machine/user logs in and can map to the NAS, but it gets access denied when trying to access a file?

That sounds like an NTFS rights issue. Go to the local file storage on the NAS for that user and make sure that the user has correct share and NTFS permissions on that directory/file structure.
 
Correct! I tried to do what you suggest but I'm also getting an access denied. Just to recap. I am now in the new 2003 domain and my trust on the NT machine to 2003 machine is established (I think)...
 
So on your NAS (NT Domain), you have a share set up for this user's homedir. You have given this user share and NTFS permissions on this directory. Has this user logged off/logged back on since you granted the permissions? If not, try it. Sometimes when granting access to an account, they need a new access token that identifies the new permissions. This happens at logon.

To know if the trust is working, you can look at the NTFS permissions on the NAS share directory. If you see an entry for the "NT_Domain\username" and "AD_Domain\username" then it is working. The names in those entries should be displayed and NOT the SIDs.
 
You can also test your trust by running this vbscript code from an AD domain member as an admin:

Code:
' ------ SCRIPT CONFIGURATION ------
strDomain = "your_domain.local"  ' put in your FQDN
' ------ END CONFIGURATION ---------

set objWMI = GetObject("winmgmts:\\" & strDomain & _
                       "\root\MicrosoftActiveDirectory")
set objTrusts = objWMI.ExecQuery("Select * from Microsoft_DomainTrustStatus")
for each objTrust in objTrusts
    Wscript.Echo objTrust.TrustedDomain
    Wscript.Echo " TrustedAttributes: " & objTrust.TrustAttributes
    Wscript.Echo " TrustedDCName: "     & objTrust.TrustedDCName
    Wscript.Echo " TrustedDirection: "  & objTrust.TrustDirection
    Wscript.Echo " TrustIsOk: "         & objTrust.TrustIsOK
    Wscript.Echo " TrustStatus: "       & objTrust.TrustStatus
    Wscript.Echo " TrustStatusString: " & objTrust.TrustStatusString
    Wscript.Echo " TrustType: "         & objTrust.TrustType
    Wscript.Echo ""
next
 
Hi djtech2k!
Ok I looked on the NAS and checked out the perms on the user. I can see D1\user and D2\user and not the SID.

I also tried the script out on the AD 2003 server. One question I have. In the spot for "your_domain.local", this is the FQDN of that (local) server, correct? Does the computer name need to be in front of that? My domain is "ci.guilford.ct.us". Does it need to be "server1.ci.guilford.ct.us"? What msgs would not be good when I run the script?

Thanks,
Tony
 
In place of your_domain.local, put in "ci.guilford.ct.us". You will get a message back with an error if it is bad.

Your trust seems ok from what you've said. It still sounds like an NTFS permissions issue.
 
Ok. I'm not sure of the correct order for this. As I'm scrolling thru the pop ups, the domain "FINANCE", which is the other domain, comes up with "TrustIsOK:False". Is that bad?
 
Run the script from command prompt like this:

c:\>cscript //nologo thescript.vbs

That will put the prompts in the cmd window. The trust results should be true if the trust is truly good.
 
Here is the result... Disregard the first section. That server is shut down...

yfs.ci.guilford.ct.us
TrustedAttributes: 32
TrustedDCName:
TrustedDirection: 3
TrustIsOk: False
TrustStatus: 1355
TrustStatusString: The specified domain either does not exist or could not be contacted.
TrustType: 2

FINANCE
TrustedAttributes: 4
TrustedDCName:
TrustedDirection: 3
TrustIsOk: False
TrustStatus: 1311
TrustStatusString: There are currently no logon servers available to service the logon request.
TrustType: 1
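
An added example, not part of the original thread: a Python sketch that parses the output posted above and decodes its numeric fields. The value tables are the Active Directory trustAttributes, trustDirection and trustType definitions; the function names are illustrative, and the field labels are the ones the posted script prints.

```python
import re
# Flag and enum meanings of trustAttributes, trustDirection and trustType.
TRUST_ATTRIBUTES = {0x01: "non-transitive", 0x02: "uplevel-only",
                    0x04: "quarantined (SID filtering)", 0x08: "forest-transitive",
                    0x10: "cross-organization", 0x20: "within-forest", 0x40: "treat-as-external"}
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "two-way"}
TRUST_TYPE = {1: "downlevel (NT domain)", 2: "uplevel (AD domain)", 3: "MIT realm", 4: "DCE"}

# Script output as posted in the thread.
SAMPLE = """\
yfs.ci.guilford.ct.us
TrustedAttributes: 32
TrustedDCName:
TrustedDirection: 3
TrustIsOk: False
TrustStatus: 1355
TrustStatusString: The specified domain either does not exist or could not be contacted.
TrustType: 2

FINANCE
TrustedAttributes: 4
TrustedDCName:
TrustedDirection: 3
TrustIsOk: False
TrustStatus: 1311
TrustStatusString: There are currently no logon servers available to service the logon request.
TrustType: 1
"""

def parse_trusts(text):
    trusts = []
    for line in filter(None, map(str.strip, text.splitlines())):
        field = re.match(r"(\w+):\s*(.*)$", line)
        if field and trusts:
            trusts[-1][field.group(1)] = field.group(2)
        else:  # a line without "Label:" starts a new trust record
            trusts.append({"Domain": line})
    return trusts

def decode(trust):
    return {
        "domain": trust["Domain"],
        "ok": trust["TrustIsOk"].lower() == "true",
        "direction": TRUST_DIRECTION.get(int(trust["TrustedDirection"]), "unknown"),
        "type": TRUST_TYPE.get(int(trust["TrustType"]), "unknown"),
        "attributes": [n for bit, n in TRUST_ATTRIBUTES.items() if int(trust["TrustedAttributes"]) & bit],
        "win32_error": int(trust["TrustStatus"]),  # Win32 error code behind TrustStatusString
        "dc_located": bool(trust["TrustedDCName"]),  # empty means no DC was found for the trust
    }
```

For the posted output, FINANCE decodes as a two-way downlevel trust with the SID filtering flag set, and yfs.ci.guilford.ct.us as a two-way within-forest trust. Neither record has a TrustedDCName, so in both cases no domain controller was located for the trusted domain.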
 
In some cases, I have had to have host file entries so name resolution could be done.

Try this:

Go into the hosts file on the DC from the NT domain and from the DC in the AD domain. On each, put in a host file entry for the opposite domain. This way, each DC has a local entry that will point the other's domain name to the right DC. This will not hurt and can only help.

After that, you should be able to flush cache and ping.

nbtstat -R

nbtstat -RR

ping NT_Domain

ping AD_Domain

This is all to troubleshoot your trust. Also, have you tried to verify the trust in the AD Trusts panel?
 
In the host file am I putting in the domain name of each opposite or the computer name? In other words. FINANCE or FINANCENT (computer name)
10.81.0.2 finance
10.81.0.2 financent

Thanks
 