HPE Community
Operating System - OpenVMS
1753465 Members
4715 Online
108794 Solutions
New Discussion юеВ

Problem with Advanced Server 6.1

 
Robert Manning_2
Valued Contributor

тАО07-27-2006 02:24 AM

тАО07-27-2006 02:24 AM

Problem with Advanced Server 6.1

Hi,

I've had a somewhat sudden problem crop up on an otherwise stable system, and I was wondering whether anyone might have some advice?

I'm running Advanced Server 6.1 on a two-node AlphaCluster with OVMS 6.2-1H3. We have licensing for 50 users.

This morning a user in another site complained of not being able to connect to a share from the Windows 2000 network. When I attempted to connect, I could see both nodes and the cluster alias in Network Neighbourhood, but none would respond. I can ping them by name and by address from Windows and all three respond, but drive mapping will not.

The services BROWSER, EVENTLOG, NETLOGON and SERVER all start when Pathworks is started, although NETLOGON takes a little time.

Thinking perhaps there might have been a corruption in my SAM database, I attempted to rebuild it with a procedure we used to use in Pathworks 6.0, however this encountered a 'serious error' and quit. I replaced the original SAM and restarted the software, but without success.

Looking for the cause of the problem, I ran Admin/Analyze for the previous 36 hours and saw some messages indicating that the software had been restarted, however I can't see anything wrong anywhere.

It's been a while since I had to do any maintenance on Advanced Server, so I'm a little rusty, but if anyone can point me at a solution, I'd appreciate it.

Thanks,

Bob

0 Kudos
2 REPLIES 2
Robert Manning_2
Valued Contributor

тАО07-30-2006 11:38 PM

тАО07-30-2006 11:38 PM

Re: Problem with Advanced Server 6.1

Okay, so it turned out not to be a SAM corruption after all...

What happened was that Pathworks stopped responding after the PDC in our Windows domain changed to another server.

With the installation configured to reference Server A as the PDC, Server B was never going to be accepted, etc., and so on...

The solution, as prescribed by Pathworks Support in Utrecht, Holland, would normally have been to reconfigure Advanced Server with the name of the new PDC.

However, since the new Domain Controller was now a W2K3 server, certain adjustments had to be made to the Domain Controller Security Policy, per Microsoft Article 889030, followed by a reboot of the PDC.

In case anyone finds it useful, here are the relevant settings:
********************
Policy settings from Microsoft article number 889030:

Make sure that the following settings on the Windows 2003 Domain Controlers are configured as shown.


Utility: Domain Controller Security Policy
Security Settings\Local Policies\Security Options


RestrictAnonymous and RestrictAnonymousSam:
Network access: Allow anonymous SID/Name translation ENABLED
Network access: Do not allow anonymous enumeration of SAM accounts DISABLED
Network access: Do not allow anonymous enumeration of SAM accounts and shares DISABLED
Network access: Let Everyone permissions apply to anonymous users ENABLED
Network access: Named pipes can be accessed anonymously ENABLED
Network access: Restrict anonymous access to Named Pipes and shares DISABLED

LM Compatibility:
Network security: LAN Manager authentication level "LM & NTLM responses" or "Send LM & NTLM - use NTLMV2 session security if negotiated"

SMB Signing, SMB Encrypting, or both:
Microsoft network client: Digitally sign communications (always) DISABLED
Microsoft network client: Digitally sign communications (if server agrees) ENABLED
Microsoft network server: Digitally sign communications (always) DISABLED
Microsoft network server: Digitally sign communications (if client agrees) ENABLED
Domain member: Digitally encrypt or sign secure channel data (always) DISABLED
Domain member: Digitally encrypt secure channel data (when it is possible) ENABLED
Domain member: Digitally sign secure channel data (when it is possible) ENABLED
Domain member: Require strong (Windows 2000 or later) session key DISABLED

You need to add everyone to the local group "pre-Windows 2000 Compatible Access" So on the PDC
To do this, you need to execute, on the PDC emulator, in a DOS box the command:

net localgroup "pre-windows 2000 compatible access" everyone /add


After the settings are configured correctly, you must restart your computer. The security settings are not enforced until the computer is restarted.
*********************

After these settings were put into effect, PWCONFIG worked and the Advanced Server environment could be properly reconfigured.

If only everything in life was as straightforward...

Bob

0 Kudos
Robert Manning_2
Valued Contributor

тАО07-30-2006 11:39 PM

тАО07-30-2006 11:39 PM

Re: Problem with Advanced Server 6.1

Actually, in the comments above :-)
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.