Active Directory Nightmare (wits end)

  BBez 20:09 13 May 2003

Hi, set up a network running Active Directory as the Domain Controller for a 3 floor building on 3 subnets through a router. When attempting to assign NTFS permissions or Share permissions I can only see Global Groups and not the "Domain Local Groups" that I have set up for each of the Organisational Units. When I browse the network only the global groups are shown, not the Domain Locals which I need to successfully implement the appropriate permissions and rights for user groups.

If I can't find a solution to this problem tonight I'm gonna reinstall Active Directory, my question now is, can it be reinstalled without losing all my users and groups or will I have to start from scratch... all network clients are running Win 2k Pro with 3 departmental fileservers and the Domain controller is there just to authenticate user logins and delegate admin tasks between departments.

any help, suggestions or links greatly appreciated...thanks in advance...

  BBez 20:12 13 May 2003

servers are running 2k server and the DC is running 2k Adv_Server...

  recap 20:17 13 May 2003

If you have done a Back up of everything on the server you can just do a Restore. Remember you have to turn off Active Directory first. This is done when booting up and selecting F8 then option 5 (I think).

How did you set up the groups?

Have you filtered out the information you are looking for in Active Directory? I'm not sat at our server at the moment, but have a look in the file menus for Filters. I may be wrong on this, Andysd is the person for this, he has more experience of W2k servers.

  spikeychris 20:32 13 May 2003

I'm sure this is an NT bug, I came across this a while ago and the one way out I found was to add the users that you want to allow access to whatever, to the global groups on the domain and add the global groups to the local groups of the machines on the network.


  BBez 22:40 13 May 2003

hi recap, didn't perform a backup as I would've probably backed up corruption if this is the case. I just created 3 OU's, 1 for each department, then added all Global and Domain Local Groups into their respective departments (I've got 01_admin, 02_sales/accounts, 03_warehousing/stock_control, e.g. all admin staff in admin OU as Admin_staff (global) then Admin_diary_softwareaccess as Domain Local). When I look for Admin_diary_softwareaccess to give this Domain Local permission to access the diary software none of the clients of departmental fileservers can see it. Also tried typing in the Domain Local Group when config'ing the share and selecting "Check Name" but it just gives an error that group doesn't exist. If I log on to the DC running Active Directory, I can see the Domain Locals within the respective OU's.

Spikeychris, I thought about that but I have some users from Admin and some users from sales requiring access to the same shared resource so I need the Domain Local groups in there (e.g. 2 members from sales dept and 3 from Admin sharing access to the product file that is a shared resource). tnx anyways,

I'm leaving the post open in case Andy SD or anyone else comes up with a solution, again, thanks for the responses...

  BBez 07:54 14 May 2003


  recap 10:43 14 May 2003

I don't think this is corrupted, it looks like you have added or created something within your groups that does not work.

I will look over our server to see if I can see anything that might relate to your problem and get back to you if I can see anything.

As for backing up, once you have the server running and all OU's and users in those OU's, before creating anything else you should back up everything. Then if like now it all goes pear shaped you don't have to do a clean install. I've been down that road myself and learnt the hard way.

  BBez 21:39 14 May 2003

just for future reference, I had to convert AD to "native mode" where it drops all support for NT 4x. As soon as I converted AD to native mode all the Domain Locals could be seen when applying the NTFS/Shares. I got this reply to a post on another forum at 3am this morn, thanks loads anyway for your suggestions...bbez

as for you learning the hard way, it's the ONLY way to learn 'cause you don't do it again...

  spikeychris 21:55 14 May 2003

BBez, glad you're sorted, this is an NT bug then.

  BBez 05:10 15 May 2003

no, not a bug. I think when you're first promoting the server to a DC, by default, it installs with backwards compatibility for NT servers. When in compatibility mode, AD doesn't support Domain Local Groups, only Globals. When you switch to Native mode, you then lose support for NT but have the functionality of creating Domain Local groups which is what I needed. Once converted over, you can't switch back to support NT which would be a nightmare if you had an NT domain and required connectivity to the 2000 domain if you'd installed AD in native mode. Must be a fail safe thing from Microsoft to ensure this doesn't happen. Anyway, learned a lot about AD basics which will be useful in the future, thanks again for all replies.

  recap 11:52 15 May 2003

Sorry I didn't get back to you yesterday BBez, I was that busy I never saw my desk again until around 4 yesterday afternoon.

Glad to see you have got it sorted. And yes you are correct in your evaluation of Native mode, as long as you do not in the future add any NT4 stuff you will be OK.

Here are a couple of links for AD:

click here

click here

This thread is now locked and can not be replied to.