Groups nested in groups

Discussion in 'Active Directory' started by Tom, Jul 14, 2009.

  1. Tom


    Hello

    We have 3 domains (1 production and two test domains) that are set up the
    same way in AD: same servers, same service packs, etc. (Server 2003 SP2).

    Suddenly we have problems with some of our test users in one of the test
    domains.
    They logon fine on the client computers to the domain, but they can't do
    anything.
    Net time gives error 1265
    They can't log on to the intranet etc. etc

    We have tried to find the error and have found out that this only happens
    when they are in a group that has 16 other groups nested in it, but only
    on this domain. The other domain that has exactly the same build-up works.

    If I take the user out of the group, he works fine.

    How do I go on troubleshooting these Global Security groups?

    Kind regards

    Tom Andersen
     
    Tom, Jul 14, 2009
    #1

  2. Meinolf Weber [MVP-DS], Jul 14, 2009
    #2

  3. Tom


    Hello Meinolf

    First of all, thanks for the answer.

    The error comes when I use a cmd and do a net time; it's the result from
    that, not an event ID error.
    The event ID is 24, but it's just an indication that the client does not
    have a hold of the DC.

    Further, I have an LsaSrv SPNEGO 40960/40961 in my system log.

    The problem as i see it lies in the nested groups.

    When we remove groups so that we just have 16, he works; over that he does
    not, in this domain.

    On the other domains that have the same setup, he can log on fine, although
    there are more than 16 groups nested.

    My theory is that there is something wrong with either one of the security
    groups, or with Kerberos. But how do I find the error?

    Kind regards
    Tom
     
    Tom, Jul 15, 2009
    #3
  4. Hello Tom,

    Net time error 1265 means:
    The system detected a possible attempt to compromise security. Please ensure
    that you can contact the server that authenticated you.

    So it looks to me like something in your network setup is a problem.
    Please post an unedited ipconfig /all from the problem client and the DC/DNS
    server.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 15, 2009
    #4
  5. Tom


    Hi Meinolf

    C:\>ipconfig /all

    Windows IP-konfiguration

    Host name. . . . . . . . . . . . . . . . . . : TestPC01
    Primary DNS-suffix. . . . . . . . . . . . . : test.uk
    Node type . . . . . . . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . . . . . : No
    DNS suffix Search List . . . . . . . . . : test.uk
    test.uk

    Ethernet-netværkskort LAN-forbindelse:

    Connection-specific DNS suffix . . . . . . : test.uk
    Description. . . . . . . . . . . . . . . . . : VMware Accelerated AMD
    PCNet Adapter
    Physical Address . . . . . . . . . . . . . . . : xx-xx-xx-xx-xx-xx
    Dhcp Enabled. . . . . . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . . : Yes
    IP Address . . . . . . . . . . . . . . . . . : 195.168.2.78
    Subnet Mask. . . . . . . . . . . . . . . . : 255.255.255.0
    Default Gateway. . . . . . . . . . . . . . . : 192.168.1.10
    DHCP server. . . . . . . . . . . . . . . . . : 192.168.1.217
    DNS servers. . . . . . . . . . . . . . . . . : 10.93.59.11
    10.93.59.12
    Primary WINS server . . . . . . . . . . . . . : 10.93.59.11
    Secondary WINS server . . . . . . . . . . . . : 10.93.59.12
    Right obtained. . . . . . . . . . . . . : 15. juli 2009 12:14:50
    Right expires. . . . . . . . . . . . . : 16. juli 2009 12:14:50

    Same result with the user that can and the user that can't

    Kind Regards
     
    Tom, Jul 15, 2009
    #5
  6. Hello Tom,

    You are jumping between IP addresses of machine 195.x.x.x and DG 192.x.x.x, and
    DNS is not used in the test domain itself?

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 15, 2009
    #6

  7. Was this ipconfig edited prior to posting? I presume there are multiple
    typos. The IP is on a totally different subnet than the DG, as Meinolf
    mentioned. Even if the IP were to be 192.168.2.78 instead of 195.168.2.78,
    it would still be on a different subnet than the gate.

    Is there a parent-child DNS delegation, or is the zone replication scope set
    to forest-wide?

    Ace
     
    Ace Fekay [MCT], Jul 16, 2009
    #7
  8. Tom


    Hi Ace and Meinolf

    Yes, it has been edited, but only from Danish to English.

    This has not been an issue before, that I come from one IP address segment to
    the other.
    Otherwise I would look at router changes, firewall settings, changes to DNS
    (I have actually done that :) but this all works fine.
    As I mentioned before,
    the user and the computer both get validated properly. When I remove nested
    groups down to a total of 16 nested groups, then it works; if I add one
    more nested group he can log in to the domain, but he has no access to
    anything on the domain.

    My question is:

    Is there any way to find out what has gone wrong in Active Directory?
    I have now run the following without any luck:
    Dcdiag (with various /commands)
    I have checked replmon for errors or inconsistency on both our test
    environments (they are almost identical) but with no errors.

    Kind Regards
    Tom
     
    Tom, Jul 16, 2009
    #8
  9. Hello Tom,

    So if I understand you correctly, that's the correct ipconfig output? Well, change
    the client IP address to a fixed correct one and try again. This IP address
    will not work together with the rest of the network. x.x.2.x is out of the
    scope from the others of the output.

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jul 16, 2009
    #9
  10. I agree with Meinolf that the IP address needs to be corrected for the
    subnet it is on, otherwise how is it supposed to communicate?

    As far as the nesting, I did ask a question about the DNS setup. I didn't
    see a response.

    One thing to look at is the domain levels of each domain and the forest.
    Group nesting is a little different depending on the levels. What levels are
    the domains and forest set to?

    One rudimentary way of figuring out what's up with the groups, depending if
    the FL are set right for the group types you are using, is if you take the
    user out of the multi-nested group and add the user directly, does it work?
    If so, then add the user to the first group added to the resource; does it
    work? Keep working backwards to find out which group it fails on.

    Ace
     
    Ace Fekay [MCT], Jul 16, 2009
    #10
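Ace's "work backwards one group at a time" approach is easier to plan when the whole nesting tree is visible first. The following PowerShell script is an added example, not code posted in this thread or by any of its participants; it walks a user's memberOf chain through ADSI (so it needs no ActiveDirectory module), records the nesting depth at which each group is first reached, and then compares the count with the tokenGroups attribute, which is the set of groups the domain controller actually resolves into the logon token. The sAMAccountName is a constructed placeholder.

```powershell
# Added example (not from the thread): map a user's nested group membership by depth
# and compare it with what the DC resolves into the token (tokenGroups).
param(
    [string]$SamAccountName = 'testuser01'   # constructed placeholder, not from the thread
)

function Get-NestedGroupMembership {
    # Walks memberOf recursively; $Seen maps group DN -> depth at which it was first reached.
    param(
        [string]$DistinguishedName,
        [int]$Depth = 1,
        [hashtable]$Seen = @{}
    )
    try {
        $obj = [adsi]"LDAP://$DistinguishedName"
        $parents = @($obj.memberOf)
    } catch {
        # A group that cannot be bound is reported, not silently skipped
        Write-Warning "Could not read memberOf of $DistinguishedName : $_"
        return $Seen
    }
    foreach ($groupDn in $parents) {
        if ($Seen.ContainsKey($groupDn)) { continue }   # avoid loops in circular nesting
        $Seen[$groupDn] = $Depth
        Get-NestedGroupMembership -DistinguishedName $groupDn -Depth ($Depth + 1) -Seen $Seen | Out-Null
    }
    return $Seen
}

# Locate the user object by sAMAccountName in the current domain
$searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
$result = $searcher.FindOne()
if (-not $result) { throw "User $SamAccountName not found" }
$userDn = $result.Properties['distinguishedname'][0]

$membership = Get-NestedGroupMembership -DistinguishedName $userDn

# Depth 1 = direct membership, depth 2 = groups the direct groups are members of, and so on.
# Sorting by depth gives the order in which to add groups back when testing one at a time.
"Depth  Group"
$membership.GetEnumerator() | Sort-Object Value, Key |
    ForEach-Object { '{0,5}  {1}' -f $_.Value, $_.Key }
"Total groups reachable via memberOf: {0}" -f $membership.Count

# tokenGroups is a constructed attribute: the SIDs of every security group the DC
# resolves for this user, including the primary group, which memberOf does not list.
$user = [adsi]"LDAP://$userDn"
$user.RefreshCache(@('tokenGroups'))
"Groups in tokenGroups (as resolved by the DC): {0}" -f $user.tokenGroups.Count
```

Run it as a user with read access to the directory, on a client joined to the problem domain, and again in the test domain that works; the two lists should match apart from group names. tokenGroups counts the primary group (normally Domain Users) and only security groups, so it is usually one higher than the memberOf count when no distribution groups are involved. If tokenGroups is noticeably smaller than the memberOf walk, the groups missing from it are the ones the DC is not resolving, which narrows Ace's backwards search to a specific nesting level.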