We have a very obscure problem relating to Active
Directory.

We have an application server, Silver Stream, which pulls
user names from the domain. If I create a new domain, in a
new forest, and add users, it can retrieve them with no
problems. If I create security groups, it can see them too.

When I perform an upgrade from our NT4.0 PDC to windows
2003, migrating the security database to active directory
using the wizard, the application server can no longer
retrieve the users.

It can retrieve certain security groups though. Groups
which are either Global or Universal it can retrieve, but
not Domain Local ones. I have tried adding a second domain
into this forest, and users which I create in this domain
it can see, so I can rule out any forest specific settings
upsetting it.

The mode that the domain is in also has no bearing on the
results. Currently it is in Windows 2000 mixed, but
regardless the functional level I change it to, I still
receive the same outcome.

My guess is that there are certain domain security
settings that are being put in place during the upgrade,
that are not put in place by default when doing a fresh
run of dcpromo.

Unfortunately we are not in a position to go into Native
mode, so moving users is out of the question.

We have spent several days trying to bug fix this, and can
be sure that this is not a one off, but exactly the issue.

Any ideas?