Hi,
We have a problem with Active Directory and SQL Server 2000 (SP3a).
The problem is the following:
We have 2 different machines which are running MS SQL Server 2000. Our first server (Windows 2000) is the ActiveDirectory Controller for our organization. The second server (Windows 2003 Enterprise) is just a member of this ActiveDirectory.
In the Active Directory we have created a specific group for users who have to use these servers. Then we have added this group to the SQL security of the two servers.
If the users try to connect (through "Enterprise Manager" with the Windows Authentication mode), they can only be connected to the SQL Server that is located on the ActiveDirectory machine. If the users try to connect to the other server, they receive the following error message:
A Connection could not be established to SERVERNAME
Reason : Login failed for user 'DOMAINNAME\USERNAME'
Please verify SQL Server is running and check your SQL Server registration properties (by right-clicking on the SERVERNAME node) and try again.
As a test, I've replaced the AD group (in SQL Security) with the AD account of the user who couldn't connect to the server. After that, the user was able to connect successfully.
What's wrong? Why is the group accepted only on the ActiveDirectory machine and not on the other one?
Any help would be appreciated to resolve this problem.
Thanks in advance
Best Regards
Vincent Daglia
ABISSA Informatique SA
Switzerland

You may want to check the client's ability to resolve the groups on the server.
netdiag.exe can be used to test client connectivity with the DC and DNS name resolution.
321708 HOW TO: Use the Network Diagnostics Tool (Netdiag.exe) in Windows 2000
http://support.microsoft.com/?id=321708
Run it with the /v (verbose) flag.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.

Already done.
In addition we have applied the "Windows Server 2003 - Troubleshooting Kerberos Delegation" documentation.
With Netdiag.exe I get the following error:
Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/grenache.abissa.ch
For information, the SPN entries on our AD server are:
HOST/grenache.abissa.ch
HOST/grenache
MSSQLSvc/grenache.abissa.ch:1433
MSSQLSvc/grenache:1433
Any other ideas?
Vincent Daglia
ABISSA Informatique SA
Switzerland