Andrei Guest
Posted: Tue May 16, 2006 10:28 pm Post subject: Active Directory Loses Connection to Domain
Hello, fellow Admins,
Hoping someone within the great collective brain has seen this before and
might have suggestions:
We have a mixed domain of 2000 and 2003 Servers, 12 in all. Exchange and
the file server are the two DCs, both running 2000 (originally upgraded from
NT4, not fresh installs).
We had an issue which we thought was one of the Administrator account losing
its credentials when logged in for long periods, especially overnight. We
found this odd, because BackUp Exec (9.1) also uses the Administrator account
for all its functions, and that continued to run fine. I have found from my
readings in various forums that this is common in 2000 Servers upgraded from
NT4 as not everything gets ported into Active Directory properly, and that
many links to old NT4 files remain, especially relating to user accounts.
Upgrading to 2003 seems to fix this issue, but that's not going to be an
option for the rest of our servers for a little while.
Upon further investigation, I found that the issue is not so much the
Administrator losing all credentials (I found several admin-level functions
that could still be performed), as it was the Active Directory losing
connectivity to our MII_DOMAIN.LOCAL domain. When Users and Computers is
opened, it is blank and this error comes up. Simply logging out and back in
as Administrator seems to restore the connection, and everything comes up
fine. If the Administrator account stays logged in for any length of time
(sometimes a couple hours, sometimes overnight) the same thing happens. I
have found no correlating errors within the Event Viewer.
My theories are that either the Administrator account has become corrupted,
or didn't upgrade properly from NT4 (I have just created another account with
administrative privileges and have just left it logged in to test this), or
that perhaps the groups that the Administrator is a member of are restricting
the account (I seem to recall that in Windows the lowest policies always take
priority).
Here are the groups the Administrator currently belongs to:
Account Operators, Administrators, BackUp Operators, Domain Administrators,
Domain Users, Enterprise Administrators, Exchange Domain Service, Exchange
Service, Group Policy Creator/Owners, Intranet, MAS90, Print Operators,
Replication, SAVFMSF Admins, Scanning, Schema Admins, Server Operators, Users
Do any of these carry built-in login length restrictions (by default, I mean
- as far as I know we have no group policies in place that we've created
ourselves to limit this)? Are any of these redundant and unnecessary because
the Administrator can already do all the tasks without being a member of that
particular group? (I didn't set this up, but have been hesitant to make
changes to a working domain without good reason to do so).
Or... perhaps I'm looking in the completely wrong direction. What else
could cause Active Directory to suddenly stop connecting to its own domain
(and a simple log out and back in again restores it)?
Many thanks in advance...
-=Andrei