
Re: Advanced Server V7.3a as Member and Active Directory 2003

 
Robert Walker_8
Valued Contributor

Advanced Server V7.3a as Member and Active Directory 2003

Hi,

I have recently installed Advanced Server V7.3A bld 130A and have joined my AD (Win 2003) domain as a member server.

My thoughts were that as a member server it would act somewhat like a standard Windows member server (i.e. have its own groups and shares etc). However, even though the system reports that it is a member server, it appears to be acting as a domain controller - i.e. any groups created appear as Domain Local groups rather than, say, member server local groups.

Also I get general failure trying to add a share to the server and any work needs to be done logged on as a domain admin.

ADDOMAIN\\VMS1> add share
_share name: fred
_path: disk$a:[fred]
%PWRK-E-ERRGETSRV, error getting server information for "VMS1"
-LM-E-ERROR_GEN_FAILU, general failure

What am I missing? The system added itself nicely to the domain as a workstation/server on the W2003 domain and I can look up domain groups etc as a domain admin logon via the Advanced Server.

I run OpenVMS V7.2-2 (as these are legacy systems and are not going to be upgraded to V7.3-2 as we would require testing of our historical financial systems which have all moved to SAP).

Any help would be well regarded,

Robert.
Karl Rohwedder
Honored Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Robert,

2 remarks:

- there is a newer version V7.3A-Eco4 (-140A)

- did you log into the member server before adding groups (LOGIN ADMINISTRATOR/DOMAIN=\\VMS1) ?

regards Kalle
Robert Walker_8
Valued Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Kalle,

This sort of works, i.e. I can log on; however, it still appears very much as if VMS1 is a domain, even when logged on as \\VMS1 and one does a show computer:

ADDOMAIN\\VMS1> login administrator/domain=\\VMS1
Password:
The server \\VMS1 successfully logged you on as Administrator.
Your privilege level on domain VMS1 is ADMIN.
The last time you logged on was 11/03/05 08:52 AM.

\\VMS1\\VMS1> show computer

Computers in domain "\\VMS1":

Computer             Type                        Description
-------------------- --------------------------- -----------------------------
[SV] VMS1            OpenVMS (NT 4.0) Server     Advanced Server V7.3A for
                                                 OpenVMS

Total of 1 computer

\\VMS1\\VMS1>

When I am in \\VMS1 I cannot access the ADDOMAIN thus adding users from this domain to some local groups results in:

\\VMS1\\VMS1> mod group agroup /adD_member="addomain\auser"
%PWRK-W-NOADDMEMGRP, unable to add member "addomain\auser" to group "agroup"
-PWRK-E-USRGRPNOTFND, the user or group cannot be found

Robert.
Petr Spisek
Regular Advisor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Robert,
Which computer is the Primary Domain Controller for domain ADDOMAIN? Computer VMS1 has only a member role in the domain [SV]. To manage domain groups you must do it on a PDC. The command "Show Computer" must return a list of all computers in the domain, including Domain Controllers.
Petr
Petr Spisek
Regular Advisor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Sorry, I missed that you were logged on to computer VMS1. But when I tried this, I had to issue the domain password for the command Show Computers (logged on to the member computer).
Petr
Edwin Gersbach_2
Valued Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Robert,

When you log in to the server using /DOM=VMS1 you can use local stuff only. There is usually an administrator and guest and some 6 default groups. These users and groups are local to the server.

In order to use domain users and groups you need to logon to the domain using a properly privileged account.

Edwin
Karl Rohwedder
Honored Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

I logged into a member server; you can manage local groups only, but you can add users/groups into these local groups from other domains.

regards Kalle
Robert Walker_8
Valued Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Petr,

This is what I get when I run admin and do show computer from the prompt. There is no such thing as a PDC in a Windows 2003 domain so I am not sure why it gets the error? This system is supposed to be a member server of a 2003 Windows Active Directory domain and not a PDC etc.

ADDOMAIN\\VMS1> show computer
%PWRK-E-DCNOTFND, cannot find Primary Domain Controller for "ADDOMAIN"
-PWRK-W-NODOMOPRPOS, domain-wide operations are not possible

Computers in domain "ADDOMAIN":

Computer             Type                        Description
-------------------- --------------------------- -----------------------------
[SV] VMS1            OpenVMS (NT 4.0) Server     Advanced Server V7.3A for
                                                 OpenVMS
[SV] RHL1            UNIX (NT 4.9) Server        Development Linux Server
[SV] SRV120          Windows NT 5.0 Server
[SV] SRV211          Windows NT 5.0 Server
[SV] SRV335          Windows NT 5.0 Server
[SV] SRV338          Windows NT 5.0 Server
[SV] SRV339          Windows NT 5.0 Server
[SV] SRV342          Windows NT 5.0 Server
[SV] SRV554          Windows NT 5.0 Server
[SV] SRV555          Windows NT 5.0 Server
[SV] SRV556          Windows NT 5.2 Server
[SV] SRV558          Windows NT 5.0 Server
[SV] SRV559          Windows NT 5.0 Server

Robert.
Robert Walker_8
Valued Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Kalle,

Can you give me some samples of what you do? I have managed to add some local groups on the VMS1 system and some shares. However, they appear to not be visible from the domain, and then vice versa when logged onto the member server as a local user.

An Advanced Server member server is similar to a Windows member server, isn't it? If so, being logged onto the member server I should easily add domain groups to the member server's local groups?

i.e.
admin>logon administrator/domain=\\vms1
admin>add group/local group1
admin>logoff
admin>exit admin
$admin
ADDOMAIN\\VMS1> mod group/domain=\\VMS1 GROUP1/adD_members=AUSER
%PWRK-W-NOADDMEMGRP, unable to add member "AUSER" to group "GROUP1"
-PWRK-E-USRGRPNOTFND, the user or group cannot be found

ADDOMAIN\\VMS1> mod group GROUP1/adD_members=AUSER
%PWRK-E-DCNOTFND, cannot find Primary Domain Controller for "ADDOMAIN"

Robert.
Karl Rohwedder
Honored Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Robert,

pls. check the eventlogs, if there are any errors concerning the DC, you can also use the NBSHOW utility to check, if VMS1 has connections to the DC.

regards Kalle
Robert Walker_8
Valued Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Kalle,

It appears to not find the domain controller:

T Date Time Source Category Event User Computer
- -------- ----------- --------- --------------- ------ ---------- -------------
E 11/04/05 04:38:28 PM NETLOGON None 5719 N/A VMS1
No domain controller is available for domain ADDOMAIN for the following reason:
%1311
Data:
0000: 5e 00 00 c0 00 00 00 00 ^..À....

What am I looking for with knbshow?

Robert.
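
Added example, not written by any poster in this thread: decoding the Data bytes of the NETLOGON 5719 event quoted above and the `%1311` reason line. It assumes the first four data bytes are a little-endian NTSTATUS, as in Windows NETLOGON events; the function names and the small code tables are this example's own.

```python
import re
import struct

# Event text copied from the post above; the dump's ASCII column is omitted.
EVENT_TEXT = """\
E 11/04/05 04:38:28 PM NETLOGON None 5719 N/A VMS1
No domain controller is available for domain ADDOMAIN for the following reason:
%1311
Data:
0000: 5e 00 00 c0 00 00 00 00
"""

# Small subset of well-known Windows codes, enough for this event.
NTSTATUS_NAMES = {0xC000005E: "STATUS_NO_LOGON_SERVERS",
                  0xC000006D: "STATUS_LOGON_FAILURE"}
WIN32_NAMES = {1311: "ERROR_NO_LOGON_SERVERS", 5: "ERROR_ACCESS_DENIED"}
SEVERITY = ("success", "informational", "warning", "error")
HEX_ROW = re.compile(r"\s*[0-9a-fA-F]{4}:((?:\s+[0-9a-fA-F]{2}(?=\s|$))+)")

def dump_bytes(text):
    """Collect the bytes of the 'oooo: hh hh ...' rows that follow 'Data:'."""
    out, in_data = bytearray(), False
    for line in text.splitlines():
        if line.strip() == "Data:":
            in_data = True
        elif in_data and (m := HEX_ROW.match(line)):
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)

def decode_ntstatus(raw):
    """Read the first 4 bytes as a little-endian NTSTATUS and split its fields."""
    if len(raw) < 4:
        raise ValueError("event data is shorter than one 32-bit status value")
    (value,) = struct.unpack_from("<I", raw)
    return {"value": value,
            "severity": SEVERITY[value >> 30],
            "facility": (value >> 16) & 0x0FFF,
            "code": value & 0xFFFF,
            "name": NTSTATUS_NAMES.get(value, "unknown")}

def reason_code(text):
    """Return the numeric Win32 code from the '%NNNN' reason line, or None."""
    m = re.search(r"^%(\d+)\s*$", text, re.MULTILINE)
    return int(m.group(1)) if m else None

if __name__ == "__main__":
    status = decode_ntstatus(dump_bytes(EVENT_TEXT))
    print(f"data  : 0x{status['value']:08X} {status['name']} ({status['severity']})")
    print(f"reason: {WIN32_NAMES.get(reason_code(EVENT_TEXT), 'unknown')}")
```

Both values describe the same condition: no logon server (domain controller) could be reached for ADDOMAIN.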
Petr Spisek
Regular Advisor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Robert,
It looks like your problem is a missing DC in ADDOMAIN. Where is the DC for this domain?
Petr
Robert Walker_8
Valued Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Petr,

The DNS environment is a little complex as the DCs are in zones lower down the AdvancedServer. Thus we have the DC say dc.addomain.mysite.com.au and the Advanced Server in mysite.com.au, however translation appears to not be an issue. The Advanced Server is registered (admin/config) with WINS registration for the "main" dc (even though there is supposedly no such thing).

The advanced server has no problem when I login with an ADDOMAIN account and seeing all the groups.

Robert.
Anton van Ruitenbeek
Trusted Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Robert,

If I'm right there must be one machine/server in the 2003 environment pretending it's a PDC for the NT4 implementations.

AvR
NL: Meten is weten, maar je moet weten hoe te meten! - UK: Measurement is knowledge, but you need to know how to measure!
Camiel
Frequent Advisor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Robert,

One of the Active Directory servers should be the PDC Emulator. To find out if this is configured, try this (from one of the 2003 servers):

dsquery server -hasfsmo pdc

Find out if there are any problems with the server that's acting as the PDC. If there are, try transferring the role to another server by seizing it. If there is no pdc fsmo defined, and trying to seize it doesn't work, I'm afraid it's going to get tough, because as far as I remember, NT 4.0 domain compatibility is something to decide on while installing the first Active Directory server in the domain...

Camiel.
Robert Walker_8
Valued Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Camiel,

The dsquery returned a domain controller - the one which I expected to be the PDC.

Any other thoughts?

Robert.
Paul Nunez
Respected Contributor

Re: Advanced Server V7.3a as Member and Active Directory 2003

Hi Robert,

Advanced Server for OpenVMS is basically equivalent to Windows NT v4. So most anything that applies to a Windows NT v4 member server in a Windows 2003 domain also applies to Advanced Server.

If you wish to add users/groups on the local member server, you either need to log on to the member server or explicitly specify the member server as the "domain" you wish to be modified. For example, say my member server name is MBRSRV:

$ admin logon administrator/domain=\\MBRSRV

then you supply the password for the local administrator account (on MBRSRV, not the domain administrator account). Now any user/group commands you execute will execute against the SAM maintained by MBRSRV. Additionally, though you are logged on to the member server, you should still be able to specify the names of global domain user and/or group accounts when adding/removing users to/from local groups, permissions lists, etc.

Or you can log on to the domain as a user who is a member of the local administrators group on the member server (i.e., your personal account is a member of the Domain Admins group and the Domain Admins group is a member of the local Administrators group on the member server). However, since you logged onto the domain, any commands which reference a user or group are, by default, going to be executed against the domain user accounts database (AD in this case). So instead you must specify in the ADMIN command that you want the action to be taken on the member server by including either /DOMAIN=\\MBRSRV or /SERVER=, whichever is appropriate.

Also, the general failure error can mean that, though the server seemed to join the domain correctly, the NETLOGON service on the Advanced Server failed to start. Use $ ADMIN SHOW SERVICES to verify it is started; if not, use $ ADMIN SHOW EVENTS/FULL/SOURCE=NETLOGON/SINCE=