Hi,

I've inherited a SNAP 4100 which I think is running v3.1.626 software. It was previously connected to a now defunct NDS directory. I have now re-created the array and want to make the device available on my Windows 2000 domain. How do I go about doing this? I have followed the instructions in the admin guide regarding NT Domain setup but when I try to assign permissions to the entire disk I get a message saying:

Problem: Cannot view users and groups from the NT domain. Please make sure you have specified a correct domain user name and password using the Use NT domain security security guide.

No users can access the shares on the SNAP either. Is this because the hardware/software I have is not compatible with W2k? If so, is there any way around this?

Many thanks

I was under the primis that you needed v3.4.803 for AD 2000 support.

re3dyb0y and jontz may know more on that subject.

On some of the older units (v3 or <) you need to restart the snap to clear the cache and load the new parameters.

Thanks for the reply.

I've just upgraded to v3.4.803 and restarted (which I notice takes 30 seconds longer) but I'm still getting the same error. It is AD2000 I am trying to authenticate against as well. I also tried using the Domain Admin account when defining Windows Domain Security.

I also tried the workaround of giving the Guest account full control of the disk but I'm still unable to see the share I created on our network (with any user account).

Any further help would be greatly appreciated.

Cheers

Are all of the user names the same through all account?
What os are the clients using?

It should work fine straight from v3 with 2000 AD

Just v4 needed for 2k3 AD

Snap OS v4 may work

Blue68f100, The clients are mostly using XP Pro but I also cannot connect from one of the servers (W2K & W2K3).

Re3dyb0y, From what I've read on this forum the v4 OS is a chargeable upgrade so I'd be loathe to purchase it if my current version should include the functionality. Am I better off starting again from scratch? I get a couple of 'master browser errors in my Snap log, do you think this may have any relevance?

Hmmm...I haven't had the pleasure of using AD with my snap server yet, but I did do a little digging on the net today. The only help I could find that even closely related to your problem was to reset the snap back so factory defaults and re-join it to the domain, now that you have .803 installed. Couldn't hurt to try it at least...

Is this the reason webboy wrote the work around in that was put in the wiki section?
re3dyb0y correct me if im wrong.

I have tried a full factory reset but I am getting exactly the same problem. The error I see in the Snap log is:
SMB : Can't resolve master browser IP address for domain DOMAIN.

I do have the WINS server specifically specified in the IP configuration.

Is this the reason webboy wrote the work around in that was put in the wiki section?
re3dyb0y correct me if im wrong.

Yeah

That didnt work for him

He had the linux box and worked out that work around

Blue68f100, The clients are mostly using XP Pro but I also cannot connect from one of the servers (W2K & W2K3).

Re3dyb0y, From what I've read on this forum the v4 OS is a chargeable upgrade so I'd be loathe to purchase it if my current version should include the functionality. Am I better off starting again from scratch? I get a couple of 'master browser errors in my Snap log, do you think this may have any relevance?

I found this on SnapAppliance server it may help.



Introduction

The Snap OS was designed to interoperate with Windows NT 4.0 domains. While Snap Servers are not Windows NT 4.0 Domain Controllers, the Snap Servers will attach to the Domain Controller and retrieve the Users and Groups from the Domain Controller so that Administrators do not need to re enter their users and groups. In addition, Snap Servers can authenticate a user connection utilizing the Domain Controller. This provides a seamless authentication to the various Windows clients. As of the latest SnapOS release (v4.0), Snap Servers support all Windows clients. In order to support such a wide range of Windows clients, the SnapOS supports only those authentication protocols that are supported across all Windows clients and are consistent with the original NT 4.0 implementation.

It should be pointed out that the SnapOS v4.0 works with all Windows clients in their default configuration. Most client connection / compatibility problems with the SnapOS v4.0 would indicate that either a policy or registry setting has been modified to change the default behavior of the various Windows clients.

Authentication Protocols

SnapOS supports two CIFS authentication protocols. LM and NTLM are both supported which is consistent with the protocols required to support all Windows client platforms, other CIFS clients and even some older DOS / Lan Manager clients. Unfortunately, we do not support NTLMv2 authentication, NTLMv2 Session Security or Kerberosv5 authentication.

Signing

The SnapOS does not support SMB Signing. If this is enabled, the client connections to the Snap Server cannot be successfully authenticated with the domain controller and will result in a failed connection and/or an access denied message.

Registry Settings for Domain Controllers

Windows NT, Windows 2000, Windows XP and Windows 2003

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Contr ol\LSA\LMCompatibilityLevel

must be either a 0 (NT & 2000 default), 1, or 2 (Win2003 default). LMCompatibilityLevel 3-5 are not supported.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\LanManServer\Parameters\EnableSecuritySignatur e

must be 0

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\LanManServer\Parametes\RequireSecuritySignatur e

must be 0

Registry Settings for Workstations

Windows NT, Windows 2000, Windows XP and Windows 2003

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Contr ol\LSA\LMCompatibilityLevel

must be either a 0 (NT & 2000 default), 1, or 2 (Win2003 default).

LMCompatibilityLevel 3-5 is not supported.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\Rdr\Parameters\EnableSecuritySignature

must be 0

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\Rdr\Paramete\RequireSecuritySignature

must be 0

Windows 95, Windows 98, Windows ME machines

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Contr ol\LSA\LMCompatibility

must be a 0 (default). LMCompatibility 3 is not supported.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\VxD\Vnetsup\EnableSecuritySignature

must be 0

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\VxD\Vnetsup\RequireSecuritySignature

must be 0

Looks like you found a winner Blue. Too bad this isn't really a resolution to the problem, but at least we know what is going on...

Perhaps this should be added to the Wiki, the part about not supporting SMB signing.

Im presuming thats *cough* *nudge* re3dyb0y *nudge* *cough*

You can wait till after exams......

I was lucky enough to get on SnapAppliance Knowledge base (adaptec hasn't messed with it yet) and do some searching. Did not show up on the first search.

I did update the info on my 2200 in the wiki.

Im presuming thats *cough* *nudge* re3dyb0y *nudge* *cough*

LOL. We'll give you some reprieve until your aren't so busy. Thanks for all your hard work on the Wiki!

I was lucky enough to get on SnapAppliance Knowledge base (adaptec hasn't messed with it yet) and do some searching. Did not show up on the first search.

I found it as well, it is somewhat buried in there. I might have to go back and do some major cut and paste before Adapwreck destroys all of the useful info there...

Heres the latest then.

Of my 3 DC's (for arguement sake DC1, DC2 and DC3). Registry setting as per below.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Contr ol\LSA\LMCompatibilityLevel - Set to 0 on DC1. No such value on DC2 and DC3.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\LanManServer\Parameters\EnableSecuritySignatur e - Set to 0 on DC1 and DC2. No such value on DC3.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\LanManServer\Parametes\RequireSecuritySignatur e - Set to 0 on DC1 and DC2. No such value on DC3.

As far as the workstations are concerned I had a look at 2, both XP Pro. Registry results as follows.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Contr ol\LSA\LMCompatibilityLevel - Set to 0 on both WS1 and WS2.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\Rdr\Parameters\EnableSecuritySignature - There was no Rdr entry under services. Under Lanmanserver the value was 0 on both WS's. Under lanmanworkstation the value was 1 on both WS's.

HKEY_LOCAL_MACHINES\System\CurrentControlSet\Servi ces\Rdr\Paramete\RequireSecuritySignature - Again there was no Rdr entry under services. Under both Lanmanserver and Lanmanworkstation the value was set to 0 for both WS's.

Do I need to add in any of the missing keys and values? Again the only messages I see in thr Snap log are all SMB related. See below.

SMB : WORKSTATION1 not connected to domain controller.
SMB : Can't resolve master browser IP address for domain DOMAIN.

Is there any workaround I can put in place even if it involves duplicating user accounts?

LOL. We'll give you some reprieve until your aren't so busy. Thanks for all your hard work on the Wiki!

You can wait till after exams......

I was lucky enough to get on SnapAppliance Knowledge base (adaptec hasn't messed with it yet) and do some searching. Did not show up on the first search.

I did update the info on my 2200 in the wiki.


Well as of 12.30 GMT today, thats my exams done

Till january at least!

W00!

I dont mind doing it, and you 2 are keeping on top of the forums

Are the 3 DC's all on the same network?

As it may be me, but i thought you could/should only have 1 DC?

Are the 3 DC's all on the same network?

As it may be me, but i thought you could/should only have 1 DC?
Nope, multiple DC's in a Windows 2000 AD environment. Are you referring to whichever DC is setup as the PDC Emulator?

Nope, multiple DC's in a Windows 2000 AD environment. Are you referring to whichever DC is setup as the PDC Emulator?


Must be just 2003 that they fight

Must be just 2003 that they fight
Are you referring to the network wide browser elections (master, etc)?

Are the 3 DC's all on the same network?

As it may be me, but i thought you could/should only have 1 DC?

In Sever2000 you have one primary doman controller and however many backup domain controllers as you like. In 2003 the setup is different, as you noted.

(I'm 17, i dont work in IT (well not full time, only in holidays), i have no IT qualifications)

It was just something i remember, and one of the servers kept getting shut down with something with DC's....

Maybe 2 masters or something

Hey, no problem. We are all just here to help each other learn. :)

Hey, no problem. We are all just here to help each other learn. :)

Lol, Yeah

And it was nearly a year ago for me!

But i get to do it again this year. And if i pass me driving test, i can be outs and abouts

WOOT!!

In Sever2000 you have one primary doman controller and however many backup domain controllers as you like. In 2003 the setup is different, as you noted.
Jontz, Windows 2000 works in exactly the same way as 2003 as far as AD is concerned, mutiple DC's replicating with each other. A particular DC can be specified to act as a PDC emulator when in a mixed NT4/2000 environment but apart from that there is no similarity between NT4 (flat file) directory structure and AD. Microsoft ditched the whole PDC/BDC directory setup when they launched W2K.

Aside from this I am known the wiser as to why my Snap still will not reference the domain (unless I'm seriously missing something). Does anyone know of a workaround whereby I can assign network users full access without authenticating against AD (or using the web front-end)?

Thanks

That'w what I was thinking of, a PDC emulator. That's the way it was set up at the old network I used to administer. I wish I could be of more help, but I am not sure what to tell you. This is one of those things where I would love to be there and play with it. Kinda hard to have any good ideas from this distance...

Looks like I'm going to have to bite the bullet and open a call with adaptec.......

Does anyone know of a workaround whereby I can assign network users full access without authenticating against AD (or using the web front-end)?
If your user names on the snap matches the MS user name. Just do a auto connect on login. Setup a groupe with full access and let them loose.

Snap guest account is good for this.

I think the answer for his domain issue is here...
http://forums.procooling.com/vbb/showthread.php?t=13846

I have a Snap 4100 and out of the blue users weren't able to access the shares.. Whenever I tried it would prompt for username / password.. I had this happen to be before with a Snap 410 and a simple reboot would fix the issue..

However, it's not with this one..

I have "SMB : PCNAME not connected to domain controller." in the logs.. I also *had* "SMB : Can't resolve master browser IP address for domain DOMAINNAME."

I tried adding the host entries and rebooting but I still get "Problem: Cannot view users and groups from the Windows domain. Please make sure you have specified a correct domain user name and password using the Use Windows domain security security guide."

I have tried disabling "Microsoft Networking" and enabling, adding different domain users via the security guide but I still can't get the SOB to work!

One question I do have.. I can't remember if I'm supposed to manually create the computer account or if it's supposed to.. If it's supposed to, it's not.. I try and that still doesn't fix it..

Any ideas?

Thanks much!