Upgrade Windows 2003 ADDS to Windows 2008. Clients get access denied

  #1  
Old 06-03-2009
paune
 
Posts: n/a
Upgrade Windows 2003 ADDS to Windows 2008. Clients get access deni

I'm doing an upgrade of a forest with a single domain from Windows 2003
Native Mode to Windows 2008 ADDS.

My XP clients can't authenticate against my new Windows 2008 DCs. They get
access denied when I try nltest /sc_reset:DomainName.

If I check the event log on my clients, they are logging Netlogon ID 3210
against my new 2008 DCs.


  #2  
Old 07-03-2009
Danny Sanders
 
Posts: n/a
Re: Upgrade Windows 2003 ADDS to Windows 2008. Clients get access deni

See:
http://support.microsoft.com/kb/325850

or you could remove the computer from the domain to a workgroup then re add
it back to the domain.

hth
DDS

  #3  
Old 07-03-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Upgrade Windows 2003 ADDS to Windows 2008. Clients get access deni

Hello paune,

As the article states, that only works for a machine account password reset
on the DC. Clients have to rejoin the domain.

To reset the secure channel you have to use an account with administrative
rights in the domain, so what account are you using?

How did you realize that your clients will not authenticate without using
the command? Normally, if you add a new DC, everything should still work as
before.

Are all DCs in sync if you run repadmin /showrepl? Any errors when running
dcdiag /v, netdiag /v on the DCs?

Netdiag is not included in 2008; just copy the 2003 netdiag.exe to the 2008
windows\system32 folder, it will work.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


  #4  
Old 08-03-2009
paune
 
Posts: n/a
Re: Upgrade Windows 2003 ADDS to Windows 2008. Clients get access

I noticed my clients took a long time to start; they stood still applying
computer policies for 5 minutes. After that I saw in the clients' event log that
they were logging event Netlogon ID 3210 to my new 2008 DCs. My clients can still
log on to the domain and run logon scripts etc., but the startup process is very slow.

I was using NTLMv2 as the only authentication method, and all servers and DCs
are using "Digitally sign communications (always)" on DCs and member servers
before I started my upgrade.

So I can't really see why it has started failing now for my clients.

/paune

  #5  
Old 08-03-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Re: Upgrade Windows 2003 ADDS to Windows 2008. Clients get access

Hello paune,

Slow logons are often related to DNS; please post an unedited ipconfig /all from
the DCs and the client machine.

Best regards

Meinolf Weber
  #6  
Old 10-03-2009
paune
 
Posts: n/a
Re: Upgrade Windows 2003 ADDS to Windows 2008. Clients get access

I have solved my case; it was related to issues in my firewall between
clients and DCs.
http://support.microsoft.com/kb/929851

The default dynamic port range for TCP/IP has changed in Windows Vista and
in Windows Server 2008.


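An added example, not part of the thread: a small audit of a client-to-DC firewall allow list against the two default dynamic TCP port ranges described in KB 929851 (1025-5000 before Vista/2008, 49152-65535 from Vista/2008 on), which is the mismatch post #6 reports as the cause. The rule sets and function names are constructed for illustration.

```python
# Added example: the firewall rule sets below are constructed for illustration.
# The two default ranges are the ones documented in KB 929851.
LEGACY_DYNAMIC = (1025, 5000)    # Windows XP / Server 2003 default dynamic TCP ports
NEW_DYNAMIC = (49152, 65535)     # Windows Vista / Server 2008 default dynamic TCP ports


def merge(ranges):
    """Merge overlapping or adjacent (start, end) TCP port ranges."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def uncovered(required, allowed):
    """Return the sub-ranges of `required` that no allow rule covers."""
    gaps, cursor = [], required[0]
    for start, end in merge(allowed):
        if end < cursor:
            continue            # rule lies entirely below the part still unchecked
        if start > required[1]:
            break               # rule lies entirely above the required range
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor <= required[1]:
        gaps.append((cursor, required[1]))
    return gaps


def audit(allowed):
    """Report which default dynamic range a client-to-DC allow list fails to cover."""
    return {
        "legacy_2003_gaps": uncovered(LEGACY_DYNAMIC, allowed),
        "new_2008_gaps": uncovered(NEW_DYNAMIC, allowed),
    }


# Constructed allow list written for 2003 DCs: some fixed ports plus the old dynamic range.
RULES_BEFORE = [(88, 88), (135, 135), (389, 389), (445, 445), (1025, 5000)]
# Same list after also allowing the range 2008 DCs use by default.
RULES_AFTER = RULES_BEFORE + [(49152, 65535)]

if __name__ == "__main__":
    for name, rules in (("before", RULES_BEFORE), ("after", RULES_AFTER)):
        print(name, audit(rules))
```
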
  #7  
Old 10-03-2009
Meinolf Weber [MVP-DS]
 
Posts: n/a
Upgrade Windows 2003 ADDS to Windows 2008. Clients get access denied

Hello paune,

Nice to hear that you solved it. Thanks for the feedback.

Best regards

Meinolf Weber