View Full Version : Accessing a domain controller
Got another unique question. Have a network with domain controllers - Win2000 and Win2003. The domain account logging into the sole NT server is able to access the Win2003 unit, but not the Win2000 system. The response given is that the user has no rights to access the Win2000 server. But the account has membership in all domain groups. Can't get to the local users and groups on the Win2000 system, as it is now controlled by Active Directory. Have checked group policies and no obvious settings are shown to deny the user from the system. Have logged on as a different domain account with the same results. So it seems the NT computer isn't getting the rights, not the user. It's becoming a real PITN. Anyone have any suggestions?
Thanks much.
I did a quick search on Microsoft's KB and it appears that there could be numerous reasons for the problem.
Since WinNT 4 isn't directly supported by MS, you may have a difficult time solving the problem. I vaguely recall back when I got my MCP on Win2k server (about 5 years ago) there was a program that you could install on NT boxes to make them more Active Directory "friendly". I haven't been able to locate the program as of yet.
I did find a couple of MS KB articles that may be of interest by doing a simple query on the MS support website. Here is a link to the results page. The third listed article may be of particular interest.
Link Here (http://support.microsoft.com/search/default.aspx?query=active+directory+WinNT&x=11&y=10&catalog=LCID%3D1033&spid=1131&qryWt=&mode=r&cus=False)
The interface for NT to Active Directory: I think I found a comment about it, and that said to find it either on the W2k CD or do a download. It was referenced for Win98/95 and maybe it will work on NT. I'll have to check on it again. We'd upgrade the server, but it is only doing functions as controller for network printers and antivirus manager. The last one is the part I need working again, as the AV sig files get put onto the W2k unit for retrieval by the workstations. Could have the NT push, but it was working quite well.
patrickpawlowsk
6-17-05, 08:37 AM
It sounds like your win2k+ machines are running in native mode, which doesn't allow NT servers to authenticate, because with Win2k they started using Kerberos authentication when possible, giving you the option to run native mode or mixed mode. It's also, if I remember correctly, irreversible. Once you go to native mode you can't switch back. Short of reformatting, that is, or at least you may have to demote and then re-dcpromo the newer boxes. There may be other ways around it. I have never worked in a mixed environment so I haven't had to deal with this.
I hope I'm remembering everything correctly. Some nutbags flew planes into the World Trade Center in the middle of my MCSE classes and we were a little distracted for several days.
Very well could be a "Native" vs. "Mixed" mode problem, as Patrick pointed out. And he is correct that after choosing a mode it is irreversible. If you demote then re-promote your AD controller, you will have to reinstall all of your AD objects (users, groups, policies, etc.). I'm not sure if you can reinstall your AD objects from a backup if you change the network mode.
I wish I could be of more help, but it's just been too long since I've configured servers on a daily basis and, like Patrick, I never had a "mixed" (NT and Win2k) network.
patrickpawlowsk
6-17-05, 10:29 AM
You can find out by opening Active Directory Users and Computers, right-clicking the domain in the left pane and selecting Properties.
Under 'Domain Function Level' mine says:
Windows 2000 native
I assume it would say mixed if that were the case.
Thanks to Patrick and TheCave.
I checked the AD and yes, it is in Native. Guess that gives a good reason for taking out the NT. Or creating a different way of updating the AV. Need to put in a new version anyhow.
Thanks to all who reviewed and made suggestions. There is a way out of this sticky wicket, just have to view all options.