From: Terry on
I will reset and configure as you noted. Cannot until Monday, and will post
results Monday night.
Thanks


"Ace Fekay [MVP-DS, MCT]" wrote:

> "Terry" <Terry(a)discussions.microsoft.com> wrote in message news:29AE2AD2-476C-4A33-A1FE-B3F184567C66(a)microsoft.com...
> > Unfortunately my problem still exists; I still cannot add local rights for a
> > domain user. Assuming it was a server problem I rebuilt the server (SBS
> > 2003), configured users and an administrator. Logged on to a local
> > workstation (XP Pro) as a local administrator and joined the new domain just
> > fine. Logged off as administrator and on as a domain user on the workstation
> > without problem. I then logged on as the domain administrator and tried to
> > add the domain user as a local administrator, I could not, again! Again I
> > could not choose users from the domain directory only the local machine. (see
> > image) Still logged on as domain admin I could not see the server or shared
> > folders on the server unless I searched for the server by name. I could ping
> > it by name and IP, all antivirus and firewalls are turned off.
> >
> > So I brought in a workstation (XP Pro) that worked fine on another domain.
> > Joined this problem domain just fine, and added the domain user to the local
> > workstation administrators just fine.
> >
> > What can be configured wrong on all these existing workstations that I’m not
> > seeing?
> >
> > You can see images here
> > http://eriemetroparks.com/Network/default.html
> >
> > The ipconfig shows for the workstation
> >
> > the IP of 192.168.1.21
> > subnet of 255.255.255.0
> > gateway of 192.168.1.1
> >
> > DNS of 192.168.1.10
> > 72.240.13.5
> >
> > The server is
> >
> > IP of server 192.168.1.10
> > subnet of 255.255.255.0
> > gateway of 192.168.1.1
> >
> > DNS of 72.240.13.5
> > 209.143.0.0
> >
>
>
> Ah, I see the problem. It can't find the domain, that's why. The reason is the workstation is using a DNS IP of 72.240.13.5, which is NOT the SBS server. It is essentially asking the DNS server at 72.240.13.5, "where is my domain controller?" Unfortunately it does not have that answer.
>
> With the SBS using 72.240.13.5 and 209.143.0.0, it can't even find itself! And that IP, 209.143.0.0, is not really an IP; rather, it's a subnet ID. I don't know where you got that IP from.
>
> Recommendations to fix everything:
> 1. Remove all references of 72.240.13.5 and 209.143.0.0. If you are using DHCP, in DHCP console, Scope Option 006, remove those addresses and only show 192.168.1.10.
>
> 2. For DNS address, ONLY use 192.168.1.10 on all machines' interfaces.
>
> 3. For efficient internet resolution, create a Forwarder. In SBS, DNS console, DNS servername properties, Forwarders Tab, create a Forwarder using 72.240.13.5. If you are not sure how to do this, the following article shows you how.
>
> HOW TO Configure DNS for Internet Access in Windows Server 2003 (including how to configure a Forwarder) :
> http://support.microsoft.com/?id=323380
>
> 4. Restart the SBS, then restart your workstations.
>
> 5. I assume the SBS only has one NIC. If it has two, it's highly suggested to disable the outer NIC and only use one NIC, and rely on your edge router for internet access and NAT translation.
>
> After restarting everything, try your tasks again and report back, please.
>
> Ace
>
>
> reconfigure ALL machine
>
From: Ace Fekay [MVP-DS, MCT] on
"Terry" <Terry(a)discussions.microsoft.com> wrote in message news:C183502C-243A-4C9D-9C90-AC726C1DBB82(a)microsoft.com...
>I will re set and configure as you noted. Cannot until Monday and post
> results Monday night
> Thanks
>

You are welcome. When you've completed the tasks, please re-post an updated ipconfig /all. Here's an easier way to do it so it goes into a text file that you can copy and paste:

ipconfig /all > c:\ipconfig.txt

Open the ipconfig.txt file and copy and paste your results.

Thanks, and looking forward to a successful report.

Ace



From: Terry on
Ace,
Using your directions I could get a workstation to add a domain user to the
administrators group on the workstation. - thanks

The problem now is the workstation cannot do anything on the Internet. Could
this be the forwarders in the DNS?

If I add an external DNS number to the properties of the TCP/IP on the
workstation then the Internet works.

You can see images of the DNS and Active Directory at:
http://eriemetroparks.com/Network/default.html

Here is the IPCONFIG for the workstation when it cannot get to the Internet:
Windows IP Configuration
Host Name . . . . . . . . . . . . : Spare
Primary Dns Suffix . . . . . . . : EPMapleGrove.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : EPMapleGrove.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network
Connection
Physical Address. . . . . . . . . : 00-11-11-1D-5A-9A
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.10
Lease Obtained. . . . . . . . . . : Monday, March 08, 2010 6:12:22 PM
Lease Expires . . . . . . . . . . : Monday, March 08, 2010 7:02:22 PM

Here is the IPconfig of the Server:
Windows IP Configuration
Host Name . . . . . . . . . . . . : EMPSERVER4112
Primary Dns Suffix . . . . . . . : EPMapleGrove.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : EPMapleGrove.local
Ethernet adapter Server Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network
Connection with I/O Acceleration
Physical Address. . . . . . . . . : 00-30-48-63-71-52
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Primary WINS Server . . . . . . . : 192.168.8.10

Thanks for your help
Terry






"Ace Fekay [MVP-DS, MCT]" wrote:

> "Terry" <Terry(a)discussions.microsoft.com> wrote in message news:C183502C-243A-4C9D-9C90-AC726C1DBB82(a)microsoft.com...
> >I will re set and configure as you noted. Cannot until Monday and post
> > results Monday night
> > Thanks
> >
>
> You are welcome. When you've completed the tasks, please re-post an updated ipconfig /all. Here's an easier way to do it so it goes into a text file that you can copy and paste:
>
> ipconfig /all > c:\ipconfig.txt
>
> Open the ipconfig.txt file and copy and paste your results.
>
> Thanks, and looking forward to a successful report.
>
> Ace
>
>
>
>
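An added check, not code from the thread or from any of its posters: it parses the "ipconfig /all" dumps Terry posted above and audits them against Ace's rules for an Active Directory member (DNS must point only at the domain controller, no ISP addresses on the interfaces) plus the two points raised later in the thread (WINS and DHCP should come from the Windows server). The sample dumps are constructed from the values posted in this thread; DC_IP, the finding texts and the third "misconfigured" dump (built from the first post's 192.168.1.21 / 72.240.13.5 figures) are this example's own assumptions.

```python
# Added example: audit "ipconfig /all" output for the misconfigurations this thread
# discusses. Not code from the thread; sample dumps constructed from posted values.
import ipaddress
import re

DC_IP = "192.168.1.10"  # the SBS server, which is also the AD DNS server in this thread

# "Key . . . . : value" lines; the lazy key stops at the dotted leader.
KEY_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /()\-]*?)[ .]*:\s*(.*?)\s*$")


def parse_ipconfig(text):
    """Return {lowercased key: [values]}. A line without a 'key :' part (a second
    DNS server, or a wrapped Description) continues the previous key."""
    fields, last = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = KEY_RE.match(line)
        if m:
            last = m.group(1).strip().lower()
            fields.setdefault(last, [])
            if m.group(2):
                fields[last].append(m.group(2))
        elif last is not None:
            fields[last].append(line.strip())
    return fields


def _addresses(values):
    """Keep only the values that are IP addresses (skips text such as wrapped names)."""
    out = []
    for v in values:
        try:
            out.append(ipaddress.ip_address(v))
        except ValueError:
            pass
    return out


def audit(fields, dc_ip=DC_IP):
    """Findings as short strings; an empty list means the host follows the advice."""
    findings = []
    dc = ipaddress.ip_address(dc_ip)
    dns = _addresses(fields.get("dns servers", []))
    if not dns:
        findings.append("no DNS server configured")
    elif dns[0] != dc:
        findings.append(f"first DNS server {dns[0]} is not the DC {dc}: domain SRV "
                        "lookups go to it, and its NXDOMAIN answer is final")
    for extra in dns[1:]:
        # Dave's point: a second server is only asked when the first does not reply at all
        findings.append(f"extra DNS server {extra} listed: only queried when {dns[0]} "
                        "gives no reply, so it is not a fallback for the AD zone")
    if fields.get("dhcp enabled", ["No"])[0].lower() == "yes":
        dhcp = _addresses(fields.get("dhcp server", []))
        if dhcp and dhcp[0] != dc:
            findings.append(f"DHCP served by {dhcp[0]} (router), not the Windows server: "
                            "no DNS registration / WINS / node-type options")
    if not _addresses(fields.get("primary wins server", [])):
        findings.append("no WINS server set (the server uses WINS, this host does not)")
    return findings


# Constructed from the workstation dump posted in the thread (wrapped as posted).
WORKSTATION = """Windows IP Configuration
Host Name . . . . . . . . . . . . : Spare
Primary Dns Suffix . . . . . . . : EPMapleGrove.local
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network
Connection
Dhcp Enabled. . . . . . . . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DHCP Server . . . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

# Constructed from the server dump posted in the thread (no DNS Servers line was posted).
SERVER = """Windows IP Configuration
Host Name . . . . . . . . . . . . : EMPSERVER4112
Ethernet adapter Server Local Area Connection:
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
Primary WINS Server . . . . . . . : 192.168.8.10
"""

# Constructed dump in the shape of the first post's workstation: DC plus ISP DNS.
MISCONFIGURED = """Windows IP Configuration
Host Name . . . . . . . . . . . . : Spare
Ethernet adapter Local Area Connection:
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.21
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.10
                                    72.240.13.5
"""

if __name__ == "__main__":
    for label, dump in (("workstation", WORKSTATION), ("server", SERVER), ("first post", MISCONFIGURED)):
        print(label, audit(parse_ipconfig(dump)) or ["ok"])
```

Run it as-is to see the three audits, or feed it the contents of the c:\ipconfig.txt file Ace asked for. The continuation-line rule is what makes the ISP address in the third dump visible: ipconfig prints additional DNS servers on their own indented lines, with no key in front of them.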
From: DaveMills on
On Mon, 8 Mar 2010 16:20:01 -0800, Terry <Terry(a)discussions.microsoft.com>
wrote:

>Ace,
>Using your directions I could get a workstation to add a domain user to the
>administrators group on the workstation. - thanks
>
>The problem now is the workstation cannot do anything on the Internet. Could
>this be the forwarders in the DNS?
Probably. Having forwarders is efficient, but if you do not have these defined,
the SBS DNS server will simply use the root server hints to start the query.
Having forwarders defined that do not actually exist will result in failure.
>
>If I add an external DNS number to the properties of the TCP/IP on the
>workstation then the Internet works.

But the workstation will no longer be able to look up AD service records as
these are ONLY stored in the SBS DNS data not on the Internet. Thus it will not
find a logon server etc.

If, as you first did, you have both the SBS DNS and the Internet DNS then it may
sometimes work. Bear in mind that a DNS lookup will ask ONE server for the IP
address. If it gets a reply, it does not ask the other DNS server. Even if the
reply is "The Hostname does not exist" only the first DNS server will be
queried. The only time the second DNS server is used is if the first one does
not reply at all.

>
>You can see images of the DNS and Active Directory at:
>http://eriemetroparks.com/Network/default.html
>
>Here is the IPCONFIG for the workstation when it cannot get to the Internet:
>Windows IP Configuration
> Host Name . . . . . . . . . . . . : Spare
> Primary Dns Suffix . . . . . . . : EPMapleGrove.local
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : EPMapleGrove.local
>Ethernet adapter Local Area Connection:
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network
>Connection
> Physical Address. . . . . . . . . : 00-11-11-1D-5A-9A
> Dhcp Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 192.168.1.11
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DHCP Server . . . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.10
> Lease Obtained. . . . . . . . . . : Monday, March 08, 2010 6:12:22 PM
> Lease Expires . . . . . . . . . . : Monday, March 08, 2010 7:02:22 PM
>
>Here is the IPconfig of the Server:
>Windows IP Configuration
> Host Name . . . . . . . . . . . . : EMPSERVER4112
> Primary Dns Suffix . . . . . . . : EPMapleGrove.local
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : EPMapleGrove.local
>Ethernet adapter Server Local Area Connection:
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network
>Connection with I/O Acceleration
> Physical Address. . . . . . . . . : 00-30-48-63-71-52
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.1.10
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> Primary WINS Server . . . . . . . : 192.168.8.10
>
>Thanks for your help
>Terry
>
>
>
>
>
>
>"Ace Fekay [MVP-DS, MCT]" wrote:
>
>> "Terry" <Terry(a)discussions.microsoft.com> wrote in message news:C183502C-243A-4C9D-9C90-AC726C1DBB82(a)microsoft.com...
>> >I will re set and configure as you noted. Cannot until Monday and post
>> > results Monday night
>> > Thanks
>> >
>>
>> You are welcome. When you've completed the tasks, please re-post an updated ipconfig /all. Here's an easier way to do it so it goes into a text file that you can copy and paste:
>>
>> ipconfig /all > c:\ipconfig.txt
>>
>> Open the ipconfig.txt file and copy and paste your results.
>>
>> Thanks, and looking forward to a successful report.
>>
>> Ace
>>
>>
>>
>>
--
Dave Mills
There are 10 types of people, those that understand binary and those that don't.
From: Ace Fekay [MVP-DS, MCT] on
"Terry" <Terry(a)discussions.microsoft.com> wrote in message news:47CFFB4C-9243-4E20-8E28-C5619108A31B(a)microsoft.com...
> Ace,
> Using your directions I could get a workstation to add a domain user to the
> administrators group on the workstation. - thanks
>
> The problem now is the workstation cannot do anything on the Internet. Could
> this be the forwarders in the DNS?
>
> If I add an external DNS number to the properties of the TCP/IP on the
> workstation then the Internet works.
>
> You can see images of the DNS and Active Directory at:
> http://eriemetroparks.com/Network/default.html
>
> Here is the IPCONFIG for the workstation when it cannot get to the Internet:
> Windows IP Configuration
> Host Name . . . . . . . . . . . . : Spare
> Primary Dns Suffix . . . . . . . : EPMapleGrove.local
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : EPMapleGrove.local
> Ethernet adapter Local Area Connection:
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network
> Connection
> Physical Address. . . . . . . . . : 00-11-11-1D-5A-9A
> Dhcp Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 192.168.1.11
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> DHCP Server . . . . . . . . . . . : 192.168.1.1
> DNS Servers . . . . . . . . . . . : 192.168.1.10
> Lease Obtained. . . . . . . . . . : Monday, March 08, 2010 6:12:22 PM
> Lease Expires . . . . . . . . . . : Monday, March 08, 2010 7:02:22 PM
>
> Here is the IPconfig of the Server:
> Windows IP Configuration
> Host Name . . . . . . . . . . . . : EMPSERVER4112
> Primary Dns Suffix . . . . . . . : EPMapleGrove.local
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : EPMapleGrove.local
> Ethernet adapter Server Local Area Connection:
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : Intel(R) PRO/1000 EB Network
> Connection with I/O Acceleration
> Physical Address. . . . . . . . . : 00-30-48-63-71-52
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 192.168.1.10
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 192.168.1.1
> Primary WINS Server . . . . . . . : 192.168.8.10
>
> Thanks for your help
> Terry
>
>
>
>
>

Terry,

As Dave said, DO NOT put the ISP's DNS on any machines' IP properties.

What I do see is you have way too many Forwarders. The resolver service algorithm will time out after two of them, so the additional two are superfluous.

I also see that you are using WINS, yet it is not specified on the workstation.

I also see you are using the router as a DHCP server. Router DHCP services do not support many of the functions that Windows DHCP supports regarding DNS registration, WINS settings including Hybrid node type, and basically Option 081. I highly recommend disabling the router's DHCP service and use your Windows server DHCP and set the following options:

003 192.168.1.1
006 192.168.1.10
015 EPMapleGrove.local
044 192.168.1.10 (this is the WINS server)
046 0x8 (this is the WINS node type)

As for the forwarders you have listed, jot the list down on paper, then remove them, and try the following:
4.2.2.2
4.2.2.3

Then flush the DNS cache. To do that, right click the server name in DNS, and click clear cache. Then go to the workstation, in a CMD prompt, clear the local resolver cache by running:
ipconfig /flushdns

Test your internet access. Test it with at least five different domain names, please.

If it still doesn't work, post the domain names. My feeling is the router may not be allowing EDNS0. Is it a firewall? What brand and model router do you have?

To test if EDNS0 is allowed or not:

You can test it too and see how large the response is. Use nslookup with the vc option, which forces TCP only. This will also tell you if the response goes thru as TCP and not UDP. Try an nslookup for Yahoo's MX records before you make the changes and you can see how large the response is. If you count each line, (each line is 80 bytes), it's more than 512 bytes.

Keep in mind, EDNS0 uses UDP packet sizes up to 1280 bytes. Non-EDNS0 is limited to UDP packets of 512 bytes. Nslookup, and queries in general, default to UDP, and Windows 2003 defaults to using UDP & EDNS0.

nslookup
> set q=mx (this forces it to search for mail records)
> microsoft.com

Does a response return or does it error out?
If it errors out, try yahoo.com. If that errors out too, try the following commands:

> set vc (this forces TCP)

> yahoo.com
Server: london.nwtraders.msft
Address: 192.168.5.200

Non-authoritative answer:
yahoo.com MX preference = 1, mail exchanger = mx2.mail.yahoo
yahoo.com MX preference = 1, mail exchanger = mx3.mail.yahoo
yahoo.com MX preference = 5, mail exchanger = mx4.mail.yahoo
yahoo.com MX preference = 1, mail exchanger = mx1.mail.yahoo

yahoo.com nameserver = ns5.yahoo.com
yahoo.com nameserver = ns1.yahoo.com
yahoo.com nameserver = ns2.yahoo.com
yahoo.com nameserver = ns3.yahoo.com
yahoo.com nameserver = ns4.yahoo.com
mx2.mail.yahoo.com internet address = 67.28.114.35
mx2.mail.yahoo.com internet address = 67.28.114.36
mx2.mail.yahoo.com internet address = 4.79.181.13
mx2.mail.yahoo.com internet address = 64.156.215.8
mx3.mail.yahoo.com internet address = 64.156.215.5
mx3.mail.yahoo.com internet address = 64.156.215.6
mx3.mail.yahoo.com internet address = 4.79.181.12
mx3.mail.yahoo.com internet address = 64.156.215.18
mx4.mail.yahoo.com internet address = 66.218.86.156
mx4.mail.yahoo.com internet address = 67.28.113.19
mx4.mail.yahoo.com internet address = 68.142.202.11
mx4.mail.yahoo.com internet address = 68.142.202.12
mx1.mail.yahoo.com internet address = 67.28.113.11
mx1.mail.yahoo.com internet address = 4.79.181.14
mx1.mail.yahoo.com internet address = 4.79.181.15
mx1.mail.yahoo.com internet address = 67.28.113.10
ns5.yahoo.com internet address = 216.109.116.17
ns1.yahoo.com internet address = 66.218.71.63
ns2.yahoo.com internet address = 66.163.169.170
ns3.yahoo.com internet address = 217.12.4.104
ns4.yahoo.com internet address = 63.250.206.138
>

If you see the above response with the set vc and not before it or only a partial set before using the vc switch, then it is clearly an EDNS0 issue on the router.

The set vc switch tells it to use TCP instead of UDP. If it works with the vc switch, and not without it, then it is an EDNS0 block. I provided hotmail.com as an example because its response is definitely greater than 512 bytes. You can also not set it to 'mx' and leave it default when you invoke nslookup, and then try aol.com, microsoft.com, yahoo.com, as some examples with large responses.


Ace
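The wire-level view of the nslookup test Ace describes, as an added example that is not code from the thread or from Microsoft: it builds an MX query with and without the EDNS0 OPT record (the record whose CLASS field advertises that the client accepts more than 512 bytes over UDP), reads the TC (truncated) flag from a reply, shows the 2-byte length prefix that "set vc" style TCP queries use, and turns a UDP/TCP result pair into the same verdict the post reaches by hand. The replies are constructed headers, not captured traffic; the 1280-byte payload size is the figure quoted in the post, and the function names and verdict strings are this example's own.

```python
# Added example: DNS query construction, EDNS0 OPT record, TC-bit check and the
# UDP-vs-TCP diagnosis from the post above. Not code from the thread; the replies
# below are constructed and the helper names are this example's own.
import struct

QTYPE_MX, QTYPE_OPT, CLASS_IN = 15, 41, 1
UDP_CLASSIC_LIMIT = 512   # pre-EDNS0 maximum UDP payload (RFC 1035)
EDNS_PAYLOAD = 1280       # size the post says Windows 2003 advertises


def encode_name(name):
    """Wire-format labels: a length byte before each label, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_query(name, qtype, txid, edns_size=None):
    """RD=1 query; with edns_size an OPT pseudo-RR goes in the additional section.
    OPT carries the UDP payload size in its CLASS field (RFC 6891)."""
    arcount = 1 if edns_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    if edns_size:
        # root name (0x00), TYPE 41, CLASS = payload size, TTL = extended flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_size, 0, 0)
    return msg


def edns_payload_size(msg):
    """Payload size from a trailing OPT RR, or None when the message carries no EDNS0."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    if arcount == 0 or len(msg) < 11 or msg[-11] != 0:
        return None
    rtype, size = struct.unpack("!HH", msg[-10:-6])
    return size if rtype == QTYPE_OPT else None


def parse_header(msg):
    """Decode the 12-byte DNS header; TC is bit 9 of the flags word."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "tc": (flags >> 9) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(udp_reply):
    """TC=1 means the server cut the answer to fit UDP; repeat the query over TCP."""
    return parse_header(udp_reply)["tc"] == 1


def tcp_frame(msg):
    """DNS over TCP (what 'set vc' uses) prefixes each message with its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def diagnose(udp_reply, tcp_reply):
    """Read a UDP/TCP result pair the way the post's nslookup test does."""
    if udp_reply is not None and not needs_tcp_retry(udp_reply):
        return "ok-over-udp"
    tcp_ok = tcp_reply is not None and parse_header(tcp_reply)["qr"] == 1
    if not tcp_ok:
        return "no-answer: not a UDP-size problem, look at forwarders/connectivity"
    if udp_reply is None:
        return "udp-reply-lost: large UDP (EDNS0) replies are being dropped upstream"
    return "udp-truncated: answer exceeds the UDP limit, complete over TCP"


def fake_reply(txid, truncated, ancount):
    """Constructed reply header only: QR=1, RD=1, RA=1, optional TC=1, no body."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)


if __name__ == "__main__":
    q = build_query("yahoo.com", QTYPE_MX, 0x1234, edns_size=EDNS_PAYLOAD)
    print(len(q), "bytes, advertises", edns_payload_size(q))
    print(diagnose(None, fake_reply(0x1234, False, 20)))
```

The three verdicts map onto the post: a complete UDP reply means nothing is wrong; a UDP reply that never arrives while the TCP query succeeds is the "works only with set vc" case, which points at a device on the path dropping DNS/UDP datagrams larger than 512 bytes; a truncated UDP reply followed by a complete TCP one is normal protocol behaviour for an answer that does not fit, and a resolver handles it without help.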