Windows Server 2000 - Impersonate User Problem

[Swifty]

Hi all,

My first post on the EduGeek forums so firstly hello
Now onto the problem we are having... :twisted:

We currently have 2x RM DC's running Windows 2000 Server and CC3, in a totally seperate domain we have several DC's running Windows Server 2003.
I'm currently in the process of trying to use the Active Directory Migration Tool from MS to migrate users from CC3 to our other domain, but the RM servers dont' want to play ball.
I am receiving "access denied" messages when trying to get anything outside of the RM domain, I can however come in from our other domain onto the RM servers..
I'm logged onto one of the CC3 servers with and identical username with and identical password to a user on the other domain, in both domains the user is part of Domain Admins, Local Admins, etc..
Going TO the RM domain from the other one silently lets me into the Admin C$ share on the RM Servers, going OUT of the RM servers to one of the servers on the other domain prompts me with the username / password dialog, but even when trying username & password, domain\username & password, username@domain & password... none of them let me in. :?

Each domain has its own DNS with the opposing domain setup as a secondary Forward lookup zone, I can ping sucessfully from all sides to the domain and the servers FQDN.
Times on all servers are synced, DCDiag shows good on both domains..

Anyone have any ideas on why this won't work.. do RM tweak any settings to not let me impersonate a user from a different domain ?

Any help appreciated before the sledge hammer comes out :twisted:

[Swifty]

Ok I've managed to sort this problem out now.
For anyone that's interested it was due to Windows Server 2003 having the "Microsoft Network Server: Digitally Sign Communications (always)" policy set to Enabled.
As the CC3 network didn't comply with this setting they didn't want to chat to each other - once the Policy is disabled I can browse the other domain without any problems.
Well there goes about 10 hours of my life wasted figuring that one out!

[bossman]

welcome to our world Swifty and keep up the good work. BTW why are you migrating form CC3 just out of curiosity?

[Swifty]

Hmmm where to start...

Well its; Slow, Unreliable, Inflexible, expensive.. to name just a few

We are currently migrating to a single domain for better managbility and consistency, the use of RM's little applications makes our machine crawl (and they aren't low spec.) For example if I take a look at the package list for a machine I can see;

RM AppACLTool
RM AppAgent
RM AutoExNt
RM CD Burning Helper
RM Default Logon Settings_1_0
RM Default Profile
RM Desktop Agent
RM Desktop Components
RM Explorer
RM Explorer Agent Quiet
RM Explorer Schemes
RM Font Controller
RM Gatekeeper
RM IDChecker
RM KeepList_1_5
RM Location Chooser
RM Location Services
RM Logoff
RM Logon Provider
RM LogSrv
RM Offline
RM Outlook Profile Setup
RM Policy Merger
RM Printer Credits Client Service
RM Printer Credits Framework
RM Printer Wrapper Service
RM Privileged User Policy
RM Privileged User Service
RM Reglock
RM Station Manager
RM Station Rebuild BuildManager Resources
RM Status Reporter
RM StnDeliv
RM User Help
RM Volume Control
RM Web Launch
RM Work Connector

Phew... can you say BLOAT !

All of that junk and half of it doesn't work! The management console decides it won't load on even days of the week and when it does it takes 5 minutes to change a password.
Printers dont allocate correctly and some decide they like a user so much they will follow them around the school.

I think i've said enough

[webman]

It's unfortunate you have the problems you do. We have a fully-functioning CC3 network that does exactly what we want, and we only paid for the original servers and the connect licenses thereafter, not really all that expensive. Have you thought about getting one of their engineers in to sort it out?

The benefits we currently receive with CC3 (for us) far outweigh the costs and mountain of problems associated with a new vanilla network.

[Swifty]

Sounds like your one of the lucky few, others I've spoken to also have similar problems with CC3. To be honest we're too far down the road now to consider staying with them, consider you spend a few grand a year (I think it was 4) on a support contract and one of the disks in your server fails.. ok no biggy just phone up support and get it replaced... WRONG!
It took RM 3 WEEKS! to finally sort the server out, first they brought the wrong disks with them (one of their own servers!) attempt two, wrong disks AGAIN!... third time lucky ? NOPE.. the right disks this time but they can't get the data restored, so they give up and book a 'top dog' engineer to come back.
Fourth visit... manage to get data restored but in the process of fitting the disks leaves DVD drive in server unplugged.
Visit number 5.. to repair the DVD drive they broke..

We have reported numerous issues we see on the network and they very rarely come back with a solution, to be honest the support (for the price we pay) is appauling, so for us the best solution is to move all students to the existing domain and lock them down with group policy etc..

[webman]

Ah right... sorry to hear about those issues, it's very disappointing. I guess we are one of the lucky ones in that case.