RE: [ActiveDir] WAN outage caused issues...

[Bernard, Aric]

I agree with Ken.  DCDiag looks great
below because the WAN is up and available. As soon as the WAN goes down the
local DC in the site cannot access the _msdcs sub-domain of the root zone (or
delegated zone if you have configured it as such) and therefore is missing some
of the information required for the clients to properly resolve all the names required.

 

See the Windows 2000 Branch Office Guide
for more information.  You will find that MS recommends create a zone for
the _msdcs DNS information and using Secondary zones and transfers for this
zone onto all branch office DCs.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004
2:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN
outage caused issues...



 





Hmmm not a simple one then.





 





Can you see the correct SRV records for the server in DNS
and also under the correct site?







 







From:
[EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Tue 05/10/2004 22:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN
outage caused issues...







DCDiag:






Domain Controller Diagnosis





 





Performing initial setup:
   Done gathering initial info.





 





Doing initial required tests
   
   Testing server: CCV-VPL\CCVVPLDC01
  Starting test: Connectivity
 .
CCVVPLDC01 passed test Connectivity





 





Doing primary tests
   
   Testing server: CCV-VPL\CCVVPLDC01
  Starting test: Replications
 .
CCVVPLDC01 passed test Replications
  Starting test: NCSecDesc
 .
CCVVPLDC01 passed test NCSecDesc
  Starting test: NetLogons
 .
CCVVPLDC01 passed test NetLogons
  Starting test: Advertising
 .
CCVVPLDC01 passed test Advertising
  Starting test: KnowsOfRoleHolders
 .
CCVVPLDC01 passed test KnowsOfRoleHolders
  Starting test: RidManager
 .
CCVVPLDC01 passed test RidManager
  Starting test: MachineAccount
 .
CCVVPLDC01 passed test MachineAccount
  Starting test: Services
 .
CCVVPLDC01 passed test Services
  Starting test: ObjectsReplicated
 .
CCVVPLDC01 passed test ObjectsReplicated
  Starting test: frssysvol
 There are errors after the
SYSVOL has been shared.
 The SYSVOL can prevent the AD
from starting.
 .
CCVVPLDC01 passed test frssysvol
  Starting test: kccevent
 .
CCVVPLDC01 passed test kccevent
  Starting test: systemlog
 An Error Event occured. 
EventID: 0x0457
    Time
Generated: 10/05/2004   15:42:26
    Event
String: Driver TOSHIBA e-STUDIO350-450 PSL3 required for





 






An Error Event occured.  EventID: 0x0452
    Time
Generated: 10/05/2004   15:42:26
    Event
String: The printer could not be installed. 
 An Error Event occured. 
EventID: 0x0457
    Time
Generated: 10/05/2004   15:42:27
    Event
String: Driver HP Business Inkjet 2600 PCL 5C required





 






An Error Event occured.  EventID: 0x0452
    Time
Generated: 10/05/2004   15:42:27
    Event
String: The printer could not be installed. 
 .
CCVVPLDC01 failed test systemlog
   
   Running enterprise tests on : ourcompany.com
  Starting test: Intersite

. ouprcompany.com passed test Intersite
  Starting test: FsmoCheck

. ourcompany.com passed test FsmoCheck





 





NETDIAG Output:





 






..





 





    Computer Name: CCVVPLDC01
    DNS Host Name: ccvvpldc01.ccc.ourcompany.com
    System info : Windows 2000 Server (Build 2195)
    Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
    List of installed hotfixes : 
    KB811370
    KB819696
    KB823182
    KB824146
    KB825119
    KB826232
    KB828035
    KB828741
    KB828749
    KB835732
    KB837001
    KB840315
    KB841873
    Q147222





 






Netcard queries test . . . . . . . : Passed





 





 





 





Per interface results:





 





    Adapter : Local Area
Connection 2





 





   
Netcard queries test . . . : Passed





 





   
Host Name. . . . . . . . . : ccvvpldc01
    IP Address . . . . . . . . :
10.2.192.223
    Subnet Mask. . . . . . . . :
255.255.255.0
    Default Gateway. . . . . . :
10.2.192.240
    Primary WINS Server. . . . :
10.4.223.119
    Secondary WINS Server. . . :
10.4.223.120
    Dns Servers. . . . . . . . :
10.4.223.31

RE: [ActiveDir] Ghost in the system

[Robert Rutherford]

Also check your DHCP box to see if you can see the info in there.
 
If I remember I have seen the same behaviour years ago when the IP was already in the 
WINS database not sure. I'd have a look and tombstone any entries for that IP, if 
not delete.



From: [EMAIL PROTECTED] on behalf of Robert Rutherford
Sent: Tue 05/10/2004 22:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Ghost in the system


have u got a router on your local LAN? Have a look in the arp cache and see if you can 
see listings for that IP



From: [EMAIL PROTECTED] on behalf of John Parker
Sent: Tue 05/10/2004 16:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Ghost in the system



Hey all

I have a box that suddenly went offline becasue of a "Duplicate IP" on the network.
unable to find this "Duplicate IP", I was forced to change the IP of the box.

I have tried ping, nbtstat, ipscanners.  I cannot find this ghost IP.
I know it is not the machine because I tried it on another with the IP in question and 
achieved the same result.

We are running Win2K fully spacked.

Any help would be appreciated.

JP
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


<>

RE: [ActiveDir] WAN outage caused issues...

[Robert Rutherford]

Also, is it both the W2K and XP clients which are having the issue?



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Tue 05/10/2004 22:10
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, single forest.  One empty root domain and one child domain.

-Original Message-
From: Robert Rutherford [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 3:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


They are AD integrated though they should have all they need to logon to 
the local dc.
 
I cant remember if u said u had a single forest Russ?



From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Tue 05/10/2004 21:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...



Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites.
Clients need to be able to do DNS lookups on various things in the "_"
subdomains of the root. If your child domain's DCs are set to forward to
the root DCs, and the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on
the remote DCs DNS.

If you are running 2003 on your DCs, you can configure your zones to
show up on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



The domain in question is a child of a root domain yes.  Our child
domain DNS servers don't point to our root domain for DNS resolution at
all.  They just forward requests up to the root domain DNS servers if
they dont have an answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS?

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the "_" subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the 

RE: [ActiveDir] WAN outage caused issues...

[Robert Rutherford]

Hmmm not a simple one then.
 
Can you see the correct SRV records for the server in DNS and also under the correct 
site?



From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ
Sent: Tue 05/10/2004 22:06
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


DCDiag:

Domain Controller Diagnosis
 
Performing initial setup:
   Done gathering initial info.
 
Doing initial required tests
   
   Testing server: CCV-VPL\CCVVPLDC01
  Starting test: Connectivity
 . CCVVPLDC01 passed test Connectivity
 
Doing primary tests
   
   Testing server: CCV-VPL\CCVVPLDC01
  Starting test: Replications
 . CCVVPLDC01 passed test Replications
  Starting test: NCSecDesc
 . CCVVPLDC01 passed test NCSecDesc
  Starting test: NetLogons
 . CCVVPLDC01 passed test NetLogons
  Starting test: Advertising
 . CCVVPLDC01 passed test Advertising
  Starting test: KnowsOfRoleHolders
 . CCVVPLDC01 passed test KnowsOfRoleHolders
  Starting test: RidManager
 . CCVVPLDC01 passed test RidManager
  Starting test: MachineAccount
 . CCVVPLDC01 passed test MachineAccount
  Starting test: Services
 . CCVVPLDC01 passed test Services
  Starting test: ObjectsReplicated
 . CCVVPLDC01 passed test ObjectsReplicated
  Starting test: frssysvol
 There are errors after the SYSVOL has been shared.
 The SYSVOL can prevent the AD from starting.
 . CCVVPLDC01 passed test frssysvol
  Starting test: kccevent
 . CCVVPLDC01 passed test kccevent
  Starting test: systemlog
 An Error Event occured.  EventID: 0x0457
Time Generated: 10/05/2004   15:42:26
Event String: Driver TOSHIBA e-STUDIO350-450 PSL3 required for
 
 An Error Event occured.  EventID: 0x0452
Time Generated: 10/05/2004   15:42:26
Event String: The printer could not be installed. 
 An Error Event occured.  EventID: 0x0457
Time Generated: 10/05/2004   15:42:27
Event String: Driver HP Business Inkjet 2600 PCL 5C required
 
 An Error Event occured.  EventID: 0x0452
Time Generated: 10/05/2004   15:42:27
Event String: The printer could not be installed. 
 . CCVVPLDC01 failed test systemlog
   
   Running enterprise tests on : ourcompany.com
  Starting test: Intersite
 . ouprcompany.com passed test Intersite
  Starting test: FsmoCheck
 . ourcompany.com passed test FsmoCheck
 
NETDIAG Output:
 

..
 
Computer Name: CCVVPLDC01
DNS Host Name: ccvvpldc01.ccc.ourcompany.com
System info : Windows 2000 Server (Build 2195)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes : 
KB811370
KB819696
KB823182
KB824146
KB825119
KB826232
KB828035
KB828741
KB828749
KB835732
KB837001
KB840315
KB841873
Q147222
 

Netcard queries test . . . . . . . : Passed
 
 
 
Per interface results:
 
Adapter : Local Area Connection 2
 
Netcard queries test . . . : Passed
 
Host Name. . . . . . . . . : ccvvpldc01
IP Address . . . . . . . . : 10.2.192.223
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 10.2.192.240
Primary WINS Server. . . . : 10.4.223.119
Secondary WINS Server. . . : 10.4.223.120
Dns Servers. . . . . . . . : 10.4.223.31
 10.4.223.32
 

AutoConfiguration results. . . . . . : Passed
 
Default gateway test . . . : Passed
 
NetBT name test. . . . . . : Passed
 
WINS service test. . . . . : Passed
 

Global results:
 

Domain membership test . . . . . . : Passed
 

NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{D6CF41A0-700A-4C55-9CC2-FBEDC88DBC4C}
1 NetBt transport currently configured.
 

Autonet address test . . . . . . . : Passed
 

IP loopback ping test. . . . . . . : Passed
 

Default gateway test . . . . . . . : Passed
 

NetBT name test. . . . . . . . . . : Passed
 

Winsock test . . . . . . . . . . . : Passed
 

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server '10.4.223.31' and 
other DCs also have some of the names registered.
PASS - All the DNS entries for DC are registered on DNS se

RE: [ActiveDir] WAN outage caused issues...

[Ken Cornetet]

Title: Message



No, 
they don't have all they need.
 
Clients should be able to resolve at least the "_" subdomains of the root 
domain. That's all covered in the AD design books.
 
GC 
location (among other things) is done via DNS lookups into the "_msdcs" 
subdomain of the root domain.

  
  -Original Message-From: Robert 
  Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of 
  Robert RutherfordSent: Tuesday, October 05, 2004 3:51 
  PMTo: [EMAIL PROTECTED]Subject: RE: 
  [ActiveDir] WAN outage caused issues...
  
  They are AD integrated 
  though they should have all they need to logon to the local 
  dc.
   
  I cant remember if u said u had a single 
  forest Russ?
  
  
  From: [EMAIL PROTECTED] on 
  behalf of Ken CornetetSent: Tue 05/10/2004 21:40To: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage 
  caused issues...
  
  Well, there ya go!I'm assuming that there are no root 
  domain DCs in the remote sites.Clients need to be able to do DNS lookups 
  on various things in the "_"subdomains of the root. If your child domain's 
  DCs are set to forward tothe root DCs, and the WAN is down, they can't 
  find things.For 2000, my advice is to simply add the root domain as 
  secondaries onthe remote DCs DNS.If you are running 2003 on your 
  DCs, you can configure your zones toshow up on all DCs in the 
  forest.-Original Message-From: 
  [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
  On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 3:28 PMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused 
  issues...The domain in question is a child of a root domain 
  yes.  Our childdomain DNS servers don't point to our root domain for 
  DNS resolution atall.  They just forward requests up to the root 
  domain DNS servers ifthey dont have an answer.-Original 
  Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On 
  Behalf Of Ken CornetetSent: Tuesday, October 05, 2004 3:19 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused 
  issues...Is the domain in question a child of another domain? Do 
  your remote DCshave secondary zones for the root domain's DNS?For 
  example, if your parent domain is acme.com, and your user domain 
  iscoyote.acme.com, do the coyote.acme.com DC's have a secondary 
  foracme.com (or at least the "_" subdomains of 
  acme.com)?-Original Message-From: 
  [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
  On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 2:24 PMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused 
  issues...Yes, they're using their own site's DC for DNS 
  resolution and there is areverse DNS zone there.   DNS is active 
  directory integrated.  The DCitselfis pointed at HQ for dns 
  lookups on its tcp/ip properties (although Idont think that 
  matters?)-Original Message-From: 
  [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On 
  Behalf Of Mulnick, AlSent: Tuesday, October 05, 2004 1:45 PMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused 
  issues...So I have to ask for more information:Are your 
  clients using their own site's DC for DNS resolution?  And isthere a 
  reverse DNS zone setup there?-Original 
  Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
  On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 2:35 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused 
  issues...OK I got more info.  Here's whats in the eventlogs 
  of the workstationsduring the time they were 
  broken:10/4/2004   1:53:42 
  PM  LSASRV  Warning SPNEGO 
  (Negotiator)40961   N/A 
  CAE12350828 The Security System could not 
  establishasecured connection with the server 
  cifs/cae123fs01.ourdomain.com.  Noauthentication protocol was 
  available.10/4/2004   1:53:42 
  PM  LSASRV  Warning SPNEGO 
  (Negotiator)40960   N/A 
  CAE12350828 "The Security System detected 
  anattempteddowngrade attack for server 
  cifs/cae123fs01.ourdomain.com.  The failurecode from authentication 
  protocol Kerberos was ""There are currently nologon servers available to 
  service the logon request.  (0xc05e)""."-Original 
  Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
  On Behalf Of Burkes, Jeremy[Contractor]Sent: Tuesday, October 05, 2004 
  12:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN 
  outage caused issues...I believe Windows 2000 and Windows XP will 
  attach their own domain namesuffix to search for the host in DNS.  
  For example if you give hostnameand the workstation's domain name is 
  domain.com it will tryhostname.domain.com to see if it can resolve it in 
  DNS.  The searchorder for Windows 2000 and XP clients I believe 
  is:DNS CacheLocal Hosts File (host file)DNS ServerLMHost 
  FileWINSJeremy-Jeremy 
  BurkesSSPMIS Department[EMAIL PROTECTED]PH: 
  202-764-1270-Original Message

RE: [ActiveDir] WAN outage caused issues...

[Ken Cornetet]

Yes, effectively. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Correct, no root domain DCs at the remote sites, but if the WAN link is
down, what good are the root domain as secondaries on the remote DCs DNS
going to do?  Will it be cached or something?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites.
Clients need to be able to do DNS lookups on various things in the "_"
subdomains of the root. If your child domain's DCs are set to forward to
the root DCs, and the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on
the remote DCs DNS. 

If you are running 2003 on your DCs, you can configure your zones to
show up on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



The domain in question is a child of a root domain yes.  Our child
domain DNS servers don't point to our root domain for DNS resolution at
all.  They just forward requests up to the root domain DNS servers if
they dont have an answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS? 

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the "_" subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.  (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it wi

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

Title: RE: [ActiveDir] WAN outage caused issues...



Yes, 
single forest.  One empty root domain and one child 
domain.

  -Original Message-From: Robert Rutherford 
  [mailto:[EMAIL PROTECTED]On Behalf Of Robert 
  RutherfordSent: Tuesday, October 05, 2004 3:51 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage 
  caused issues...
  
  They are AD integrated 
  though they should have all they need to logon to the local 
  dc.
   
  I cant remember if u said u had a single 
  forest Russ?
  
  
  From: [EMAIL PROTECTED] on 
  behalf of Ken CornetetSent: Tue 05/10/2004 21:40To: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage 
  caused issues...
  
  Well, there ya go!I'm assuming that there are no root 
  domain DCs in the remote sites.Clients need to be able to do DNS lookups 
  on various things in the "_"subdomains of the root. If your child domain's 
  DCs are set to forward tothe root DCs, and the WAN is down, they can't 
  find things.For 2000, my advice is to simply add the root domain as 
  secondaries onthe remote DCs DNS.If you are running 2003 on your 
  DCs, you can configure your zones toshow up on all DCs in the 
  forest.-Original Message-From: 
  [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
  On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 3:28 PMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused 
  issues...The domain in question is a child of a root domain 
  yes.  Our childdomain DNS servers don't point to our root domain for 
  DNS resolution atall.  They just forward requests up to the root 
  domain DNS servers ifthey dont have an answer.-Original 
  Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On 
  Behalf Of Ken CornetetSent: Tuesday, October 05, 2004 3:19 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused 
  issues...Is the domain in question a child of another domain? Do 
  your remote DCshave secondary zones for the root domain's DNS?For 
  example, if your parent domain is acme.com, and your user domain 
  iscoyote.acme.com, do the coyote.acme.com DC's have a secondary 
  foracme.com (or at least the "_" subdomains of 
  acme.com)?-Original Message-From: 
  [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
  On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 2:24 PMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused 
  issues...Yes, they're using their own site's DC for DNS 
  resolution and there is areverse DNS zone there.   DNS is active 
  directory integrated.  The DCitselfis pointed at HQ for dns 
  lookups on its tcp/ip properties (although Idont think that 
  matters?)-Original Message-From: 
  [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On 
  Behalf Of Mulnick, AlSent: Tuesday, October 05, 2004 1:45 PMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused 
  issues...So I have to ask for more information:Are your 
  clients using their own site's DC for DNS resolution?  And isthere a 
  reverse DNS zone setup there?-Original 
  Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
  On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 2:35 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused 
  issues...OK I got more info.  Here's whats in the eventlogs 
  of the workstationsduring the time they were 
  broken:10/4/2004   1:53:42 
  PM  LSASRV  Warning SPNEGO 
  (Negotiator)40961   N/A 
  CAE12350828 The Security System could not 
  establishasecured connection with the server 
  cifs/cae123fs01.ourdomain.com.  Noauthentication protocol was 
  available.10/4/2004   1:53:42 
  PM  LSASRV  Warning SPNEGO 
  (Negotiator)40960   N/A 
  CAE12350828 "The Security System detected 
  anattempteddowngrade attack for server 
  cifs/cae123fs01.ourdomain.com.  The failurecode from authentication 
  protocol Kerberos was ""There are currently nologon servers available to 
  service the logon request.  (0xc05e)""."-Original 
  Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] 
  On Behalf Of Burkes, Jeremy[Contractor]Sent: Tuesday, October 05, 2004 
  12:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN 
  outage caused issues...I believe Windows 2000 and Windows XP will 
  attach their own domain namesuffix to search for the host in DNS.  
  For example if you give hostnameand the workstation's domain name is 
  domain.com it will tryhostname.domain.com to see if it can resolve it in 
  DNS.  The searchorder for Windows 2000 and XP clients I believe 
  is:DNS CacheLocal Hosts File (host file)DNS ServerLMHost 
  FileWINSJeremy-Jeremy 
  BurkesSSPMIS Department[EMAIL PROTECTED]PH: 
  202-764-1270-Original Message-From: 
  [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On 
  Behalf Of Renouf, PhilSent: Tuesday, October 05, 2004 12:43 PMTo: 
  [EMAIL PROTECTED]Subject: RE: [ActiveDir] 

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

These are two DNS servers back at our HQ.  They aren't domain controllers,
just DNS servers on Win2k.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 4:02 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


What hosts are these? 
DNS Servers . . . . . . . . . . . : 10.4.223.31
10.4.223.32

I'm assuming that these are dc's in another site across the WAN correct?
Does your local DC host all the zones that are in the Active Directory? If
not, why?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


IPconfig info from the DC in that site:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : ccvvpldc01
Primary DNS Suffix  . . . . . . . : ccc.ourcompany.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ccc.ourcompany.com
ourcompany.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
#2
Physical Address. . . . . . . . . : 00-0E-7F-B4-97-B8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.2.192.223
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.2.192.240
DNS Servers . . . . . . . . . . . : 10.4.223.31
10.4.223.32
Primary WINS Server . . . . . . . : 10.4.223.119
Secondary WINS Server . . . . . . : 10.4.223.120

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Always a point of disagreement.  Once the DC has functioning replication and
integrated DNS, unless you built your DC's on roller skates this should not
be a problem. 

I hear what you're saying though, and as a best practice it's useful to have
the primary dns as an alternate DC.  In this case, that would mean that
things would break.  

Russ, can you post the IPCONFIG information for the DC in that site?  I
suspect we're getting confused by your posts and how it's really configured.
SPNEGO errors are often associated with name resolution issues, so it's
worthwhile to check.  It'd be good to get the same information from the file
server that refused the request and a workstation that had the error just
for continuity.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2000 DCs should point to another DC as their primary DNS server. They should
point to themselves as secondary.

A 2000 DC pointing to himself for primary DNS is subject to "islanding".
If his IP address changes, he'll update himself, then cease replicating with
the rest of the world (because AD replication is "pull" and the other DCs
will never see the new IP address).

I think 2003 has logic to avoid this problem so that a DC can be his own DNS
server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Wouldn't it make more sense to have the server use itself for DNS
resolution?  I mean, if the wan link goes down, it wouldn't be able to
resolve names right?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server and
the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zo

RE: [ActiveDir] WAN outage caused issues...

[Robert Rutherford]

Sorry, I see its not from previous postings



From: [EMAIL PROTECTED] on behalf of Robert Rutherford
Sent: Tue 05/10/2004 21:50
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


They are AD integrated though they should have all they need to logon to the local 
dc.
 
I cant remember if u said u had a single forest Russ?



From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Tue 05/10/2004 21:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...



Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites.
Clients need to be able to do DNS lookups on various things in the "_"
subdomains of the root. If your child domain's DCs are set to forward to
the root DCs, and the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on
the remote DCs DNS.

If you are running 2003 on your DCs, you can configure your zones to
show up on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



The domain in question is a child of a root domain yes.  Our child
domain DNS servers don't point to our root domain for DNS resolution at
all.  They just forward requests up to the root domain DNS servers if
they dont have an answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS?

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the "_" subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.  (0xc05e)""."

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Ph

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

DCDiag:
Domain Controller 
Diagnosis
 
Performing initial 
setup:   Done gathering initial info.
 
Doing initial required 
tests      Testing server: 
CCV-VPL\CCVVPLDC01  Starting test: 
Connectivity 
. CCVVPLDC01 passed test Connectivity
 
Doing primary tests   
   Testing server: 
CCV-VPL\CCVVPLDC01  Starting test: 
Replications 
. CCVVPLDC01 passed test 
Replications  Starting test: 
NCSecDesc 
. CCVVPLDC01 passed test 
NCSecDesc  Starting test: 
NetLogons 
. CCVVPLDC01 passed test 
NetLogons  Starting test: 
Advertising 
. CCVVPLDC01 passed test 
Advertising  Starting test: 
KnowsOfRoleHolders 
. CCVVPLDC01 passed test 
KnowsOfRoleHolders  Starting test: 
RidManager 
. CCVVPLDC01 passed test 
RidManager  Starting test: 
MachineAccount 
. CCVVPLDC01 passed test 
MachineAccount  Starting test: 
Services 
. CCVVPLDC01 passed test 
Services  Starting test: 
ObjectsReplicated 
. CCVVPLDC01 passed test 
ObjectsReplicated  Starting test: 
frssysvol There are errors 
after the SYSVOL has been 
shared. The SYSVOL can 
prevent the AD from 
starting. 
. CCVVPLDC01 passed test 
frssysvol  Starting test: 
kccevent 
. CCVVPLDC01 passed test 
kccevent  Starting test: 
systemlog An Error Event 
occured.  EventID: 
0x0457    
Time Generated: 10/05/2004   
15:42:26    
Event String: Driver TOSHIBA e-STUDIO350-450 PSL3 required for
 
 An Error Event 
occured.  EventID: 
0x0452    
Time Generated: 10/05/2004   
15:42:26    
Event String: The printer could not be installed. 
 An Error Event 
occured.  EventID: 
0x0457    
Time Generated: 10/05/2004   
15:42:27    
Event String: Driver HP Business Inkjet 2600 PCL 5C required
 
 An Error Event 
occured.  EventID: 
0x0452    
Time Generated: 10/05/2004   
15:42:27    
Event String: The printer could not be installed. 
 . 
CCVVPLDC01 failed test systemlog      Running 
enterprise tests on : ourcompany.com  
Starting test: Intersite 
. ouprcompany.com passed test 
Intersite  Starting test: 
FsmoCheck 
. ourcompany.com passed test 
FsmoCheck
 
NETDIAG Output:
 
..
 
    Computer Name: CCVVPLDC01    DNS Host 
Name: ccvvpldc01.ccc.ourcompany.com    System info : Windows 
2000 Server (Build 2195)    Processor : x86 Family 15 Model 2 
Stepping 9, GenuineIntel    List of installed hotfixes : 
    
KB811370    
KB819696    
KB823182    
KB824146    
KB825119    
KB826232    
KB828035    
KB828741    
KB828749    
KB835732    
KB837001    
KB840315    
KB841873    Q147222
 
Netcard queries test . . . . . . . : Passed
 
 
 
Per interface results:
 
    Adapter : Local Area Connection 2
 
    Netcard queries test . . . : 
Passed
 
    Host Name. . . . . . . . . : 
ccvvpldc01    IP Address . . . . . . 
. . : 10.2.192.223    Subnet Mask. . 
. . . . . . : 255.255.255.0    
Default Gateway. . . . . . : 
10.2.192.240    Primary WINS Server. 
. . . : 10.4.223.119    Secondary 
WINS Server. . . : 10.4.223.120    
Dns Servers. . . . . . . . : 
10.4.223.31 
10.4.223.32
 
    AutoConfiguration results. . 
. . . . : Passed
 
    Default gateway test . . . : 
Passed
 
    NetBT name test. . . . . . : 
Passed
 
    WINS service test. . . . . : 
Passed
 
Global results:
 
Domain membership test . . . . . . : Passed
 
NetBT transports test. . . . . . . : Passed    List 
of NetBt transports currently 
configured:    
NetBT_Tcpip_{D6CF41A0-700A-4C55-9CC2-FBEDC88DBC4C}    1 NetBt 
transport currently configured.
 
Autonet address test . . . . . . . : Passed
 
IP loopback ping test. . . . . . . : Passed
 
Default gateway test . . . . . . . : Passed
 
NetBT name test. . . . . . . . . . : Passed
 
Winsock test . . . . . . . . . . . : Passed
 
DNS test . . . . . . . . . . . . . : Passed    PASS 
- All the DNS entries for DC are registered on DNS server '10.4.223.31' and 
other DCs also have some of the names registered.    PASS - 
All the DNS entries for DC are registered on DNS server '10.4.223.32' and other 
DCs also have some of the names registered.
 
Redir and Browser test . . . . . . : Passed    List 
of NetBt transports currently bound to the 
Redir    
NetBT_Tcpip_{D6CF41A0-700A-4C55-9CC2-FBEDC88DBC4C}    The 
redir is bound to 1 NetBt transport.
 
    List o

RE: [ActiveDir] Ghost in the system

[Robert Rutherford]

have u got a router on your local LAN? Have a look in the arp cache and see if you can 
see listings for that IP



From: [EMAIL PROTECTED] on behalf of John Parker
Sent: Tue 05/10/2004 16:10
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Ghost in the system



Hey all

I have a box that suddenly went offline becasue of a "Duplicate IP" on the network.
unable to find this "Duplicate IP", I was forced to change the IP of the box.

I have tried ping, nbtstat, ipscanners.  I cannot find this ghost IP.
I know it is not the machine because I tried it on another with the IP in question and 
achieved the same result.

We are running Win2K fully spacked.

Any help would be appreciated.

JP
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


<>

RE: [ActiveDir] WAN outage caused issues...

[Mulnick, Al]

What hosts are these? 
DNS Servers . . . . . . . . . . . : 10.4.223.31
10.4.223.32

I'm assuming that these are dc's in another site across the WAN correct?
Does your local DC host all the zones that are in the Active Directory? If
not, why?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:51 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


IPconfig info from the DC in that site:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : ccvvpldc01
Primary DNS Suffix  . . . . . . . : ccc.ourcompany.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ccc.ourcompany.com
ourcompany.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
#2
Physical Address. . . . . . . . . : 00-0E-7F-B4-97-B8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.2.192.223
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.2.192.240
DNS Servers . . . . . . . . . . . : 10.4.223.31
10.4.223.32
Primary WINS Server . . . . . . . : 10.4.223.119
Secondary WINS Server . . . . . . : 10.4.223.120

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Always a point of disagreement.  Once the DC has functioning replication and
integrated DNS, unless you built your DC's on roller skates this should not
be a problem. 

I hear what you're saying though, and as a best practice it's useful to have
the primary dns as an alternate DC.  In this case, that would mean that
things would break.  

Russ, can you post the IPCONFIG information for the DC in that site?  I
suspect we're getting confused by your posts and how it's really configured.
SPNEGO errors are often associated with name resolution issues, so it's
worthwhile to check.  It'd be good to get the same information from the file
server that refused the request and a workstation that had the error just
for continuity.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2000 DCs should point to another DC as their primary DNS server. They should
point to themselves as secondary.

A 2000 DC pointing to himself for primary DNS is subject to "islanding".
If his IP address changes, he'll update himself, then cease replicating with
the rest of the world (because AD replication is "pull" and the other DCs
will never see the new IP address).

I think 2003 has logic to avoid this problem so that a DC can be his own DNS
server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Wouldn't it make more sense to have the server use itself for DNS
resolution?  I mean, if the wan link goes down, it wouldn't be able to
resolve names right?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server and
the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I dont
think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'

RE: [ActiveDir] WAN outage caused issues...

[Robert Rutherford]

They are AD integrated though they should have all they need to logon to the local 
dc.
 
I cant remember if u said u had a single forest Russ?



From: [EMAIL PROTECTED] on behalf of Ken Cornetet
Sent: Tue 05/10/2004 21:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...



Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites.
Clients need to be able to do DNS lookups on various things in the "_"
subdomains of the root. If your child domain's DCs are set to forward to
the root DCs, and the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on
the remote DCs DNS.

If you are running 2003 on your DCs, you can configure your zones to
show up on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



The domain in question is a child of a root domain yes.  Our child
domain DNS servers don't point to our root domain for DNS resolution at
all.  They just forward requests up to the root domain DNS servers if
they dont have an answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS?

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the "_" subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.  (0xc05e)""."

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clie

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

IPconfig info from the DC in that site:

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : ccvvpldc01
Primary DNS Suffix  . . . . . . . : ccc.ourcompany.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ccc.ourcompany.com
ourcompany.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix  . :
Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter
#2
Physical Address. . . . . . . . . : 00-0E-7F-B4-97-B8
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.2.192.223
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.2.192.240
DNS Servers . . . . . . . . . . . : 10.4.223.31
10.4.223.32
Primary WINS Server . . . . . . . : 10.4.223.119
Secondary WINS Server . . . . . . : 10.4.223.120

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:38 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Always a point of disagreement.  Once the DC has functioning replication and
integrated DNS, unless you built your DC's on roller skates this should not
be a problem. 

I hear what you're saying though, and as a best practice it's useful to have
the primary dns as an alternate DC.  In this case, that would mean that
things would break.  

Russ, can you post the IPCONFIG information for the DC in that site?  I
suspect we're getting confused by your posts and how it's really configured.
SPNEGO errors are often associated with name resolution issues, so it's
worthwhile to check.  It'd be good to get the same information from the file
server that refused the request and a workstation that had the error just
for continuity.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2000 DCs should point to another DC as their primary DNS server. They should
point to themselves as secondary.

A 2000 DC pointing to himself for primary DNS is subject to "islanding".
If his IP address changes, he'll update himself, then cease replicating with
the rest of the world (because AD replication is "pull" and the other DCs
will never see the new IP address).

I think 2003 has logic to avoid this problem so that a DC can be his own DNS
server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Wouldn't it make more sense to have the server use itself for DNS
resolution?  I mean, if the wan link goes down, it wouldn't be able to
resolve names right?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server and
the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I dont
think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is there
a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time the

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

Correct, no root domain DCs at the remote sites, but if the WAN link is
down, what good are the root domain as secondaries on the remote DCs DNS
going to do?  Will it be cached or something?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites.
Clients need to be able to do DNS lookups on various things in the "_"
subdomains of the root. If your child domain's DCs are set to forward to
the root DCs, and the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on
the remote DCs DNS. 

If you are running 2003 on your DCs, you can configure your zones to
show up on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



The domain in question is a child of a root domain yes.  Our child
domain DNS servers don't point to our root domain for DNS resolution at
all.  They just forward requests up to the root domain DNS servers if
they dont have an answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS? 

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the "_" subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.  (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PR

RE: [ActiveDir] WAN outage caused issues...

[Ken Cornetet]

Well, there ya go!

I'm assuming that there are no root domain DCs in the remote sites.
Clients need to be able to do DNS lookups on various things in the "_"
subdomains of the root. If your child domain's DCs are set to forward to
the root DCs, and the WAN is down, they can't find things.

For 2000, my advice is to simply add the root domain as secondaries on
the remote DCs DNS. 

If you are running 2003 on your DCs, you can configure your zones to
show up on all DCs in the forest.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 3:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



The domain in question is a child of a root domain yes.  Our child
domain DNS servers don't point to our root domain for DNS resolution at
all.  They just forward requests up to the root domain DNS servers if
they dont have an answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS? 

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the "_" subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.  (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How 

RE: [ActiveDir] WAN outage caused issues...

[Mulnick, Al]

Always a point of disagreement.  Once the DC has functioning replication and
integrated DNS, unless you built your DC's on roller skates this should not
be a problem. 

I hear what you're saying though, and as a best practice it's useful to have
the primary dns as an alternate DC.  In this case, that would mean that
things would break.  

Russ, can you post the IPCONFIG information for the DC in that site?  I
suspect we're getting confused by your posts and how it's really configured.
SPNEGO errors are often associated with name resolution issues, so it's
worthwhile to check.  It'd be good to get the same information from the file
server that refused the request and a workstation that had the error just
for continuity.

Al
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 4:28 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2000 DCs should point to another DC as their primary DNS server. They should
point to themselves as secondary.

A 2000 DC pointing to himself for primary DNS is subject to "islanding".
If his IP address changes, he'll update himself, then cease replicating with
the rest of the world (because AD replication is "pull" and the other DCs
will never see the new IP address).

I think 2003 has logic to avoid this problem so that a DC can be his own DNS
server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Wouldn't it make more sense to have the server use itself for DNS
resolution?  I mean, if the wan link goes down, it wouldn't be able to
resolve names right?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server and
the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I dont
think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is there
a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure code
from authentication protocol Kerberos was ""There are currently no logon
servers available to service the logon request.  (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname and
the workstation's domain name is domain.com it will try hostname.domain.com
to see if it can resolve it in DNS.  The search order for Windows 2000 and
XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[

RE: [ActiveDir] WAN outage caused issues...

[Robert Rutherford]

Russ, as I stated earlier.. is your remote DC running clean on dcdiag and netdiag? If 
not then please post results here
<>

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

The domain in question is a child of a root domain yes.  Our child domain
DNS servers don't point to our root domain for DNS resolution at all.  They
just forward requests up to the root domain DNS servers if they dont have an
answer.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 3:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS? 

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the "_" subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.  (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tues

RE: [ActiveDir] WAN outage caused issues...

[Ken Cornetet]

2000 DCs should point to another DC as their primary DNS server. They
should point to themselves as secondary.

A 2000 DC pointing to himself for primary DNS is subject to "islanding".
If his IP address changes, he'll update himself, then cease replicating
with the rest of the world (because AD replication is "pull" and the
other DCs will never see the new IP address).

I think 2003 has logic to avoid this problem so that a DC can be his own
DNS server.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Wouldn't it make more sense to have the server use itself for DNS
resolution?  I mean, if the wan link goes down, it wouldn't be able to
resolve names right?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server
and the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.  (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: 

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

Wouldn't that create a DNS "island" though?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 3:15 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Wouldn't it make more sense to have the server use itself for DNS
resolution?  I mean, if the wan link goes down, it wouldn't be able to
resolve names right?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server and
the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I dont
think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is there
a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure code
from authentication protocol Kerberos was ""There are currently no logon
servers available to service the logon request.
 (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname and
the workstation's domain name is domain.com it will try hostname.domain.com
to see if it can resolve it in DNS.  The search order for Windows 2000 and
XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix set
then I believe it will use WINS for name resolution. I could be wrong, but
that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not DNS
names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for reso

RE: [ActiveDir] WAN outage caused issues...

[Ken Cornetet]

Is the domain in question a child of another domain? Do your remote DCs
have secondary zones for the root domain's DNS? 

For example, if your parent domain is acme.com, and your user domain is
coyote.acme.com, do the coyote.acme.com DC's have a secondary for
acme.com (or at least the "_" subdomains of acme.com)?


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.  (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue? They couldn't contact WINS because the WAN link outage,
that's for sure.

-Original Message-
From: [EMAIL PROTE

RE: [ActiveDir] WAN outage caused issues...

[Mulnick, Al]

Wouldn't it make more sense to have the server use itself for DNS
resolution?  I mean, if the wan link goes down, it wouldn't be able to
resolve names right?  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 4:07 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server and
the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I dont
think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is there
a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure code
from authentication protocol Kerberos was ""There are currently no logon
servers available to service the logon request.
 (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname and
the workstation's domain name is domain.com it will try hostname.domain.com
to see if it can resolve it in DNS.  The search order for Windows 2000 and
XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix set
then I believe it will use WINS for name resolution. I could be wrong, but
that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not DNS
names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

No, the sites DC is using HQ as its primary and secondary DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali
Sent: Tuesday, October 05, 2004 3:02 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Do you have the site DC/DNS box using itself as the alternate DNS server
and the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.
 (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for W

RE: [ActiveDir] WAN outage caused issues...

[Robert N. Leali]

Do you have the site DC/DNS box using itself as the alternate DNS server
and the HQ as primary?  just a thought.
http://support.microsoft.com/default.aspx?scid=kb;en-us;291382



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:24 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC
itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I
dont think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is
there a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish
a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an
attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure
code from authentication protocol Kerberos was ""There are currently no
logon servers available to service the logon request.
 (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [Active

RE: [ActiveDir] Accept backupuser logon

[Douglas M. Long]

Ah ha, I was wondering if that was it, but it took an expert to convince me to try 
it:) Thanks, it is fixed now

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric
Sent: Tuesday, October 05, 2004 3:13 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accept backupuser logon

Below you stated that your configuration included:

Allow log on through Terminal Services: BUILTIN\administrators

Have you tried giving BUILTIN\backup operators this right as well?



Aric 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accept backupuser logon

Right, I have allowed the user in remote desktop settings. Still no luck



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

That's correct.
http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv
r2003 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accept backupuser logon

Don't they have to be in the remote desktop users group on the DC?

John




   
 "Douglas M. Long" 
 <[EMAIL PROTECTED] 
 u> To 
 Sent by:  <[EMAIL PROTECTED]>  
 [EMAIL PROTECTED]  cc 
 ail.activedir.org 
   Subject 
   RE: [ActiveDir] Accept backupuser   
 10/05/2004 01:03  logon   
 PM
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   




I was jus using the mstsc client, but tried with /console and get the same
message:   âThe local policy of this system does not permit you to
log on interactivelyâ


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 12:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

What happens when you try to logon?  Are you using mstsc client with the
/console switch?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and
added it to the backup operators in built-in.
Now I want to be able to logon (through remote desktop) to my DCs with this
user to setup my backups. I have two template policies from Hardening
Windows Server 2003 in place, with the following Settings:

Top policy in list:Allow
log on locally: BUILTIN\administrators, BUILTIN\backup operators,
BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators

Deny log on locally: DOMAIN\support_388945a0


Bottom policy in list:  Allow log
on locally: BUILTIN\backup operators, BUILTIN\administrators

Allow log on through Terminal Services: BUILTIN\administrators
No
deny log on locally settings

Now shouldn't these settings allow me to logon as a member of the
BUILTIN\backup operators group? What am I missing? Is there a better way to
set up backups without logging in to the DC (which would be much better)?
Any help is much appreciated.

.+-wi0-+YbmPi0-+bÚf.+-j!
0j!orØyØIV+v*
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

.+-wi0-+YbmPi0-+bÚf.+-j!
0j!orØyØIV+v*
.+wYØP×.+j
joryIV+v*
.+-Šwè†Ûiÿü0Á-Š÷+ƒùšŠYb²Øm˜¸¬´P†Ûiÿü0Á-Š÷+ƒùb²×Úf.+-j·!Š÷¡¶Úÿ
0™¨¥j·!Š÷œ¢oÚrØyØãIšŠVœ¶+Þv*è®

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

Yes, they're using their own site's DC for DNS resolution and there is a
reverse DNS zone there.   DNS is active directory integrated.  The DC itself
is pointed at HQ for dns lookups on its tcp/ip properties (although I dont
think that matters?)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 1:45 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is there
a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure code
from authentication protocol Kerberos was ""There are currently no logon
servers available to service the logon request.
 (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname and
the workstation's domain name is domain.com it will try hostname.domain.com
to see if it can resolve it in DNS.  The search order for Windows 2000 and
XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix set
then I believe it will use WINS for name resolution. I could be wrong, but
that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not DNS
names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their local
DC.  All users at the remote site had issues.  They're using their DC for
DNS, and going back to HeadQuarters for WINS.  Could the WINS be the issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users in
the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caus

RE: [ActiveDir] Accept backupuser logon

[Bernard, Aric]

Below you stated that your configuration included:

Allow log on through Terminal Services: BUILTIN\administrators

Have you tried giving BUILTIN\backup operators this right as well?



Aric 

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accept backupuser logon

Right, I have allowed the user in remote desktop settings. Still no luck



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

That's correct.
http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv
r2003 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accept backupuser logon

Don't they have to be in the remote desktop users group on the DC?

John




   
 "Douglas M. Long" 
 <[EMAIL PROTECTED] 
 u> To 
 Sent by:  <[EMAIL PROTECTED]>  
 [EMAIL PROTECTED]  cc 
 ail.activedir.org 
   Subject 
   RE: [ActiveDir] Accept backupuser   
 10/05/2004 01:03  logon   
 PM
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   




I was jus using the mstsc client, but tried with /console and get the same
message:   âThe local policy of this system does not permit you to
log on interactivelyâ


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 12:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

What happens when you try to logon?  Are you using mstsc client with the
/console switch?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and
added it to the backup operators in built-in.
Now I want to be able to logon (through remote desktop) to my DCs with this
user to setup my backups. I have two template policies from Hardening
Windows Server 2003 in place, with the following Settings:

Top policy in list:Allow
log on locally: BUILTIN\administrators, BUILTIN\backup operators,
BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators

Deny log on locally: DOMAIN\support_388945a0


Bottom policy in list:  Allow log
on locally: BUILTIN\backup operators, BUILTIN\administrators

Allow log on through Terminal Services: BUILTIN\administrators
No
deny log on locally settings

Now shouldn't these settings allow me to logon as a member of the
BUILTIN\backup operators group? What am I missing? Is there a better way to
set up backups without logging in to the DC (which would be much better)?
Any help is much appreciated.

.+-wi0-+YbmPi0-+bÚf.+-j!
0j!orØyØIV+v*
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

.+-wi0-+YbmPi0-+bÚf.+-j!
0j!orØyØIV+v*

RE: [ActiveDir] Accept backupuser logon

[jpsalemi]

Maybe you need to add builtin\backup operators to this one:

Allow log on through Terminal Services: BUILTIN\administrators

John



   
 "Douglas M. Long" 
 <[EMAIL PROTECTED] 
 u> To 
 Sent by:  <[EMAIL PROTECTED]>  
 [EMAIL PROTECTED]  cc 
 ail.activedir.org 
   Subject 
   RE: [ActiveDir] Accept backupuser   
 10/05/2004 01:56  logon   
 PM
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   




Right, I have allowed the user in remote desktop settings. Still no luck



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

That's correct.
http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv

r2003

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accept backupuser logon

Don't they have to be in the remote desktop users group on the DC?

John





 "Douglas M. Long"
 <[EMAIL PROTECTED]
 u> To
 Sent by:  <[EMAIL PROTECTED]>
 [EMAIL PROTECTED]  cc
 ail.activedir.org
   Subject
   RE: [ActiveDir] Accept backupuser
 10/05/2004 01:03  logon
 PM


 Please respond to
 [EMAIL PROTECTED]
tivedir.org






I was jus using the mstsc client, but tried with /console and get the same
message:   âThe local policy of this system does not permit you to
log on interactivelyâ


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 12:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

What happens when you try to logon?  Are you using mstsc client with the
/console switch?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and
added it to the backup operators in built-in.
Now I want to be able to logon (through remote desktop) to my DCs with this
user to setup my backups. I have two template policies from Hardening
Windows Server 2003 in place, with the following Settings:

Top policy in list:Allow
log on locally: BUILTIN\administrators, BUILTIN\backup operators,
BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print
operators

Deny log on locally: DOMAIN\support_388945a0


Bottom policy in list:  Allow log
on locally: BUILTIN\backup operators, BUILTIN\administrators

Allow log on through Terminal Services: BUILTIN\administrators
No
deny log on locally settings

Now shouldn't these settings allow me to logon as a member of the
BUILTIN\backup operators group? What am I missing? Is there a better way to
set up backups without logging in to the DC (which would be much better)?
Any help is much appreciated.

.+-wi0-+YbmPi0-+bÚf.+-j!
0j!orØyØIV+v*
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

.+-?w.+-Šwè†Ûiÿü0Á-Š÷+ƒùšŠYb²Øm˜¸¬´P†Ûiÿü0Á-Š÷+ƒùb²×Úf.+-j·!Š÷¡¶Úÿ
0™¨¥j·!Š÷œ¢oÚrØyØãIšŠVœ¶+Þv*è®

RE: [ActiveDir] Accept backupuser logon

[Douglas M. Long]

Right, I have allowed the user in remote desktop settings. Still no luck



-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 2:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

That's correct.
http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv
r2003 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accept backupuser logon

Don't they have to be in the remote desktop users group on the DC?

John




   
 "Douglas M. Long" 
 <[EMAIL PROTECTED] 
 u> To 
 Sent by:  <[EMAIL PROTECTED]>  
 [EMAIL PROTECTED]  cc 
 ail.activedir.org 
   Subject 
   RE: [ActiveDir] Accept backupuser   
 10/05/2004 01:03  logon   
 PM
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   




I was jus using the mstsc client, but tried with /console and get the same
message:   âThe local policy of this system does not permit you to
log on interactivelyâ


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 12:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

What happens when you try to logon?  Are you using mstsc client with the
/console switch?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and
added it to the backup operators in built-in.
Now I want to be able to logon (through remote desktop) to my DCs with this
user to setup my backups. I have two template policies from Hardening
Windows Server 2003 in place, with the following Settings:

Top policy in list:Allow
log on locally: BUILTIN\administrators, BUILTIN\backup operators,
BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators

Deny log on locally: DOMAIN\support_388945a0


Bottom policy in list:  Allow log
on locally: BUILTIN\backup operators, BUILTIN\administrators

Allow log on through Terminal Services: BUILTIN\administrators
No
deny log on locally settings

Now shouldn't these settings allow me to logon as a member of the
BUILTIN\backup operators group? What am I missing? Is there a better way to
set up backups without logging in to the DC (which would be much better)?
Any help is much appreciated.

.+-wi0-+YbmPi0-+bÚf.+-j!
0j!orØyØIV+v*
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

.+-Šwè†Ûiÿü0Á-Š÷+ƒùšŠYb²Øm˜¸¬´P†Ûiÿü0Á-Š÷+ƒùb²×Úf.+-j·!Š÷¡¶Úÿ
0™¨¥j·!Š÷œ¢oÚrØyØãIšŠVœ¶+Þv*è®

RE: [ActiveDir] WAN outage caused issues...

[Mulnick, Al]

So I have to ask for more information:
Are your clients using their own site's DC for DNS resolution?  And is there
a reverse DNS zone setup there?

 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 2:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure code
from authentication protocol Kerberos was ""There are currently no logon
servers available to service the logon request.
 (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname and
the workstation's domain name is domain.com it will try hostname.domain.com
to see if it can resolve it in DNS.  The search order for Windows 2000 and
XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix set
then I believe it will use WINS for name resolution. I could be wrong, but
that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not DNS
names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their local
DC.  All users at the remote site had issues.  They're using their DC for
DNS, and going back to HeadQuarters for WINS.  Could the WINS be the issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users in
the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

OK I got more info.  Here's whats in the eventlogs of the workstations
during the time they were broken:

10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40961   N/A CAE12350828 The Security System could not establish a
secured connection with the server cifs/cae123fs01.ourdomain.com.  No
authentication protocol was available.
10/4/2004   1:53:42 PM  LSASRV  Warning SPNEGO (Negotiator)
40960   N/A CAE12350828 "The Security System detected an attempted
downgrade attack for server cifs/cae123fs01.ourdomain.com.  The failure code
from authentication protocol Kerberos was ""There are currently no logon
servers available to service the logon request.
 (0xc05e)""." 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 12:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname and
the workstation's domain name is domain.com it will try hostname.domain.com
to see if it can resolve it in DNS.  The search order for Windows 2000 and
XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix set
then I believe it will use WINS for name resolution. I could be wrong, but
that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not DNS
names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their local
DC.  All users at the remote site had issues.  They're using their DC for
DNS, and going back to HeadQuarters for WINS.  Could the WINS be the issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users in
the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as each
site has a Global Catalog, they should be fine, correct?  We had a remote
site's WAN link go down the other day, and users eventually could not access
any network drives (on the local file server even).  They rebooted 

RE: [ActiveDir] WAN outage caused issues...

[Mulnick, Al]

Depends on too many variables.  Have you checked the local event logs of the
workstations affected?  What did you find?

Can you post a scrubbed version of ipconfig /all from a local affected
workstation? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 1:19 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


So we shouldn't have run into this issue..  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not DNS
names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their local
DC.  All users at the remote site had issues.  They're using their DC for
DNS, and going back to HeadQuarters for WINS.  Could the WINS be the issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users in
the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as each
site has a Global Catalog, they should be fine, correct?  We had a remote
site's WAN link go down the other day, and users eventually could not access
any network drives (on the local file server even).  They rebooted and it
took forever to get the ctrl-alt-del logon box too. They couldn't get any
network resources at all, just local drives and printers.  We're in an Win2k
AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corpora

RE: [ActiveDir] Accept backupuser logon

[Mulnick, Al]

That's correct.
http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv
r2003 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, October 05, 2004 2:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Accept backupuser logon

Don't they have to be in the remote desktop users group on the DC?

John




   
 "Douglas M. Long" 
 <[EMAIL PROTECTED] 
 u> To 
 Sent by:  <[EMAIL PROTECTED]>  
 [EMAIL PROTECTED]  cc 
 ail.activedir.org 
   Subject 
   RE: [ActiveDir] Accept backupuser   
 10/05/2004 01:03  logon   
 PM
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   




I was jus using the mstsc client, but tried with /console and get the same
message:   âThe local policy of this system does not permit you to
log on interactivelyâ


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 12:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

What happens when you try to logon?  Are you using mstsc client with the
/console switch?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and
added it to the backup operators in built-in.
Now I want to be able to logon (through remote desktop) to my DCs with this
user to setup my backups. I have two template policies from Hardening
Windows Server 2003 in place, with the following Settings:

Top policy in list:Allow
log on locally: BUILTIN\administrators, BUILTIN\backup operators,
BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators

Deny log on locally: DOMAIN\support_388945a0


Bottom policy in list:  Allow log
on locally: BUILTIN\backup operators, BUILTIN\administrators

Allow log on through Terminal Services: BUILTIN\administrators
No
deny log on locally settings

Now shouldn't these settings allow me to logon as a member of the
BUILTIN\backup operators group? What am I missing? Is there a better way to
set up backups without logging in to the DC (which would be much better)?
Any help is much appreciated.

.+-wi0-+YbmPi0-+bÚf.+-j!0j!orØyØIV+v*
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Accept backupuser logon

[jpsalemi]

Don't they have to be in the remote desktop users group on the DC?

John




   
 "Douglas M. Long" 
 <[EMAIL PROTECTED] 
 u> To 
 Sent by:  <[EMAIL PROTECTED]>  
 [EMAIL PROTECTED]  cc 
 ail.activedir.org 
   Subject 
   RE: [ActiveDir] Accept backupuser   
 10/05/2004 01:03  logon   
 PM
   
   
 Please respond to 
 [EMAIL PROTECTED] 
tivedir.org
   
   




I was jus using the mstsc client, but tried with /console and get the same
message:   âThe local policy of this system does not permit you to
log on interactivelyâ


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 12:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept backupuser logon

What happens when you try to logon?  Are you using mstsc client with the
/console switch?


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004 9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accept backupuser logon
OK, I have created a user and added it to the backup operators in built-in.
Now I want to be able to logon (through remote desktop) to my DCs with this
user to setup my backups. I have two template policies from Hardening
Windows Server 2003 in place, with the following Settings:

Top policy in list:Allow
log on locally: BUILTIN\administrators, BUILTIN\backup operators,
BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print
operators

Deny log on locally: DOMAIN\support_388945a0


Bottom policy in list:  Allow log
on locally: BUILTIN\backup operators, BUILTIN\administrators

Allow log on through Terminal Services: BUILTIN\administrators
No
deny log on locally settings

Now shouldn't these settings allow me to logon as a member of the
BUILTIN\backup operators group? What am I missing? Is there a better way to
set up backups without logging in to the DC (which would be much better)?
Any help is much appreciated.

RE: [ActiveDir] Accept backupuser logon

[Douglas M. Long]

Title: root domain alias








I was jus using the mstsc client, but
tried with /console and get the same message:   “The local policy
of this system does not permit you to log on interactively”

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004
12:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Accept
backupuser logon



 

What happens when you try to logon? 
Are you using mstsc client with the /console switch?  

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, October 05, 2004
9:56 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Accept
backupuser logon

OK, I have created a user and added it to
the backup operators in built-in. Now I want to be able to logon (through
remote desktop) to my DCs with this user to setup my backups. I have two
template policies from Hardening Windows Server 2003 in place, with the
following Settings:

 

   
Top policy in list:   
Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators,
BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators

   
Deny log on locally: DOMAIN\support_388945a0

 

   


   
Bottom policy in list:  Allow log on locally:
BUILTIN\backup operators, BUILTIN\administrators

   
Allow log on through Terminal Services: BUILTIN\administrators

   
No deny log on locally settings

 

Now shouldn't these settings allow me to
logon as a member of the BUILTIN\backup operators group? What am I missing? Is
there a better way to set up backups without logging in to the DC (which would
be much better)? Any help is much appreciated. 

 

 

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

Yes, in a login script.  Basically net use x: \\server\share using Kixstart.
Shouldn't they be using DNS and not WINS to map these?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 11:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Are they mapping their drives in a logon script? If so just check there.
If not then you'd have to look on their desktop and see how they have
manually mapped the drive.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 12:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

So we shouldn't have run into this issue..  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 11:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue? They couldn't contact WINS because the WAN link outage,
that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users
in the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each site has a Global Catalog, they should be fine, correct?  We had a
remote site's WAN link go down the other day, and users eventually could
not access any network drives (on the local file server even).  They
rebooted and it took forever to get the ctrl-alt-del logon box too. They
couldn't get any network resources at all, just local drives and
printers.  We're in an Win2k AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List arc

RE: [ActiveDir] WAN outage caused issues...

[Bernard, Aric]

There is a nice web cast related to this available for download from
http://support.microsoft.com/default.aspx?scid=kb;en-us;325509


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy
[Contractor]
Sent: Tuesday, October 05, 2004 10:00 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

I believe Windows 2000 and Windows XP will attach their own domain name
suffix to search for the host in DNS.  For example if you give hostname
and the workstation's domain name is domain.com it will try
hostname.domain.com to see if it can resolve it in DNS.  The search
order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue? They couldn't contact WINS because the WAN link outage,
that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users
in the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each site has a Global Catalog, they should be fine, correct?  We had a
remote site's WAN link go down the other day, and users eventually could
not access any network drives (on the local file server even).  They
rebooted and it took forever to get the ctrl-alt-del logon box too. They
couldn't get any network resources at all, just local drives and
printers.  We're in an Win2k AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error pleas

RE: [ActiveDir] WAN outage caused issues...

[Burkes, Jeremy [Contractor]]

I believe Windows 2000 and Windows XP will attach their own domain name suffix to 
search for the host in DNS.  For example if you give hostname and the workstation's 
domain name is domain.com it will try hostname.domain.com to see if it can resolve it 
in DNS.  The search order for Windows 2000 and XP clients I believe is:

DNS Cache
Local Hosts File (host file)
DNS Server
LMHost File
WINS

Jeremy

-
Jeremy Burkes
SSP
MIS Department
[EMAIL PROTECTED]
PH: 202-764-1270


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 12:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue? They couldn't contact WINS because the WAN link outage,
that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users
in the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each site has a Global Catalog, they should be fine, correct?  We had a
remote site's WAN link go down the other day, and users eventually could
not access any network drives (on the local file server even).  They
rebooted and it took forever to get the ctrl-alt-del logon box too. They
couldn't get any network resources at all, just local drives and
printers.  We're in an Win2k AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
 

RE: [ActiveDir] WAN outage caused issues...

[Renouf, Phil]

If the client is specifying \\hostname and there is no DNS search suffix
set then I believe it will use WINS for name resolution. I could be
wrong, but that's my understanding.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet
Sent: Tuesday, October 05, 2004 12:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue? They couldn't contact WINS because the WAN link outage,
that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users
in the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each site has a Global Catalog, they should be fine, correct?  We had a
remote site's WAN link go down the other day, and users eventually could
not access any network drives (on the local file server even).  They
rebooted and it took forever to get the ctrl-alt-del logon box too. They
couldn't get any network resources at all, just local drives and
printers.  We're in an Win2k AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.

RE: [ActiveDir] WAN outage caused issues...

[Renouf, Phil]

Are they mapping their drives in a logon script? If so just check there.
If not then you'd have to look on their desktop and see how they have
manually mapped the drive.

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 12:25 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Accept backupuser logon

[Mulnick, Al]

Title: root domain alias



What happens when you try to logon?  Are you 
using mstsc client with the /console switch?  


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. 
LongSent: Tuesday, October 05, 2004 9:56 AMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] Accept backupuser 
logon


OK, I have created a 
user and added it to the backup operators in built-in. Now I want to be able to 
logon (through remote desktop) to my DCs with this user to setup my backups. I 
have two template policies from Hardening Windows Server 2003 in place, with the 
following Settings:
 
    
Top policy in 
list:    Allow 
log on locally: BUILTIN\administrators, BUILTIN\backup operators, 
BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print 
operators
    
Deny log on locally: DOMAIN\support_388945a0
 
    

    
Bottom policy in list:  Allow log on locally: 
BUILTIN\backup operators, BUILTIN\administrators
    
Allow log on through Terminal Services: 
BUILTIN\administrators
    
No deny log on locally 
settings
 
Now shouldn't these 
settings allow me to logon as a member of the BUILTIN\backup operators group? 
What am I missing? Is there a better way to set up backups without logging in to 
the DC (which would be much better)? Any help is much appreciated. 

 
 

RE: [ActiveDir] WAN outage caused issues...

[Ken Cornetet]

2k and XP clients will attempt to use DNS first. There is no way (that I
know of) where they would try WINS first.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...



How would I know if their drive mappings are using WINS names and not
DNS names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue? They couldn't contact WINS because the WAN link outage,
that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users
in the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each site has a Global Catalog, they should be fine, correct?  We had a
remote site's WAN link go down the other day, and users eventually could
not access any network drives (on the local file server even).  They
rebooted and it took forever to get the ctrl-alt-del logon box too. They
couldn't get any network resources at all, just local drives and
printers.  We're in an Win2k AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~~

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

How would I know if their drive mappings are using WINS names and not DNS
names?  \\hostname vs \\hostname.domain.com?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil
Sent: Tuesday, October 05, 2004 10:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users
in the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each site has a Global Catalog, they should be fine, correct?  We had a
remote site's WAN link go down the other day, and users eventually could
not access any network drives (on the local file server even).  They
rebooted and it took forever to get the ctrl-alt-del logon box too.
They couldn't get any network resources at all, just local drives and
printers.  We're in an Win2k AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it

RE: [ActiveDir] WAN outage caused issues...

[Robert Rutherford]

Are you getting anything in the eventlogs of the local machines?

May also be worth dropping a network sniffer onto a hub with an
offending PC to see what traffic its pumping out and to where.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:46
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local
DC.  All users at the remote site had issues.  They're using their DC
for
DNS, and going back to HeadQuarters for WINS.  Could the WINS be the
issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What
was the scope of the problem? Was it all users or just a few users in
the
site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each
site has a Global Catalog, they should be fine, correct?  We had a
remote
site's WAN link go down the other day, and users eventually could not
access
any network drives (on the local file server even).  They rebooted and
it
took forever to get the ctrl-alt-del logon box too.  They couldn't get
any
network resources at all, just local drives and printers.  We're in an
Win2k
AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
==

RE: [ActiveDir] WAN outage caused issues...

[Renouf, Phil]

If they are using WINS for resolution then yes it could be their issue.
If their drive mappings are using WINS names and not DNS names then that
would make sense as to why they couldn't map them.

I assume they were still able to log on an resolve the DC?

Phil 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:46 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


No, the site and subnet is defined properly, they're all using their
local DC.  All users at the remote site had issues.  They're using their
DC for DNS, and going back to HeadQuarters for WINS.  Could the WINS be
the issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?
What was the scope of the problem? Was it all users or just a few users
in the site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each site has a Global Catalog, they should be fine, correct?  We had a
remote site's WAN link go down the other day, and users eventually could
not access any network drives (on the local file server even).  They
rebooted and it took forever to get the ctrl-alt-del logon box too.
They couldn't get any network resources at all, just local drives and
printers.  We're in an Win2k AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List 

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

No, the site and subnet is defined properly, they're all using their local
DC.  All users at the remote site had issues.  They're using their DC for
DNS, and going back to HeadQuarters for WINS.  Could the WINS be the issue?
They couldn't contact WINS because the WAN link outage, that's for sure.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al
Sent: Tuesday, October 05, 2004 10:37 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Were the clients trying to use the remote DCs when they shouldn't be?  What
was the scope of the problem? Was it all users or just a few users in the
site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as each
site has a Global Catalog, they should be fine, correct?  We had a remote
site's WAN link go down the other day, and users eventually could not access
any network drives (on the local file server even).  They rebooted and it
took forever to get the ctrl-alt-del logon box too.  They couldn't get any
network resources at all, just local drives and printers.  We're in an Win2k
AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] WAN outage caused issues...

[Robert Rutherford]

Sounds like DNS to me is some way or another... can you run dcdiag and
netdiag and look for obvious errors.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:34
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each
site has a Global Catalog, they should be fine, correct?  We had a
remote
site's WAN link go down the other day, and users eventually could not
access
any network drives (on the local file server even).  They rebooted and
it
took forever to get the ctrl-alt-del logon box too.  They couldn't get
any
network resources at all, just local drives and printers.  We're in an
Win2k
AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] WAN outage caused issues...

[Mulnick, Al]

Were the clients trying to use the remote DCs when they shouldn't be?  What
was the scope of the problem? Was it all users or just a few users in the
site? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Tuesday, October 05, 2004 11:34 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] WAN outage caused issues...


Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as each
site has a Global Catalog, they should be fine, correct?  We had a remote
site's WAN link go down the other day, and users eventually could not access
any network drives (on the local file server even).  They rebooted and it
took forever to get the ctrl-alt-del logon box too.  They couldn't get any
network resources at all, just local drives and printers.  We're in an Win2k
AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information of the
Cooper Cameron Corporation and its operating Divisions and may be
confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only by the
addressee. If you have received this message in error please delete it,
together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

Yes, all our domain controllers are also DNS servers.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robert
Rutherford
Sent: Tuesday, October 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] WAN outage caused issues...


Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each
site has a Global Catalog, they should be fine, correct?  We had a
remote
site's WAN link go down the other day, and users eventually could not
access
any network drives (on the local file server even).  They rebooted and
it
took forever to get the ctrl-alt-del logon box too.  They couldn't get
any
network resources at all, just local drives and printers.  We're in an
Win2k
AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] WAN outage caused issues...

[Robert Rutherford]

Has the remote site got its own DNS server?

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: 05 October 2004 16:27
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] WAN outage caused issues...


What's the deal on WAN links going down between AD sites?  As long as
each
site has a Global Catalog, they should be fine, correct?  We had a
remote
site's WAN link go down the other day, and users eventually could not
access
any network drives (on the local file server even).  They rebooted and
it
took forever to get the ctrl-alt-del logon box too.  They couldn't get
any
network resources at all, just local drives and printers.  We're in an
Win2k
AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

===
  Scanned for virus infection by Messagelabs
===


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Definately OT for Collabrative Calendar

[O'Brien, Cathy]

If you have someone who can modify some code you might want to look at Tom
Howes' "Enterprise Calendar" sample application. There's a link to it at
http://www.slipstick.com/calendar/scheduleall.htm under the Live Group
Calendar Tools. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, October 04, 2004 3:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Definately OT for Collabrative Calendar

I am trying to find some good software to ease some issues we are having.
Currently we have a system in place that thru macros mainly I believe.  A
section leaders exchange calendar is updated with a meeting.
That is then created on a Collaborative calendar that shows when that person
will be unavailable etc.  Basically we need to have one calendar that people
can look at to see when all the important people are available or not
without the important peoples secretaries having to open up multiple
calendars to  do it.  Does any one know of some software that does this and
will work with exchange?

Sorry bout the OT.  But you guys seem to know so much useful information I
can find other places.

Jeff


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] WAN outage caused issues...

[Rimmerman, Russ]

What's the deal on WAN links going down between AD sites?  As long as each
site has a Global Catalog, they should be fine, correct?  We had a remote
site's WAN link go down the other day, and users eventually could not access
any network drives (on the local file server even).  They rebooted and it
took forever to get the ctrl-alt-del logon box too.  They couldn't get any
network resources at all, just local drives and printers.  We're in an Win2k
AD domain with SP4.

Most of the clients are XP and some are Win2k.

Thanks

~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Directory Service event

[Mulnick, Al]

Can you check the backup logs to see what time the backup event should have
started and then check with the domain controller?   

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Tuesday, October 05, 2004 11:07 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Service event

I not sure if this event is expected or not. If it was expected as a result
of the daily backup I would expect to see it on all of the DC's, that's the
concern.

>>> [EMAIL PROTECTED] 10/5/2004 6:27:50 AM >>>
So is this expected then?  
Or are you concerned that the other DC's don't show the same events even
though your backup program says they are being backed up?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Monday, October 04, 2004 5:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Service event

All DC are being backed up, Netbackup 5.1 client. The event does appear at
the same time of day every day starting pretty much when I installed the
Netbackup client. 

>>> [EMAIL PROTECTED] 10/4/2004 2:00:12 PM >>>
Is this the only DC that you're running backups?  Does it occur at the same
time every day as if it's a scheduled event?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Monday, October 04, 2004 4:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Directory Service event

On one of my domain controllers I am getting the following events once a day
in the Directory Service event log: (in order listed)

Category: Logging/Recovery
Event ID: 210
Description: NTDS (796) NTDSA: A full backup is starting.

Category: Logging/Recovery
Event ID: 220
Description: NTDS (796) NTDSA: Beginning the backup of the file
S:\NTDS\ntds.dit (size 24 Mb).

Category: Logging/Recovery
Event ID: 221
Description: NTDS (796) NTDSA: Ending the backup of the file
S:\NTDS\ntds.dit.

Category: Logging/Recovery
Event ID: 223
Description: NTDS (796) NTDSA: Starting the backup of log files (range
T:\NTDS\edb0004C.log - T:\NTDS\edb0004C.log).

Category: Logging/Recovery
Event ID: 213
Description: NTDS (796) NTDSA: The backup procedure has been successfully
completed.

This is the only DC that I am getting this Directory Service event. I can't
find much info on the event ID's.
Any ideas about this event or why they only appear on one of
5 DC's (2 for root, 3 for sub) would be greatly appreciated.
Thanks
Nathan

List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Ghost in the system

[John Parker]

Hey all

I have a box that suddenly went offline becasue of a "Duplicate IP" on the network.
unable to find this "Duplicate IP", I was forced to change the IP of the box.

I have tried ping, nbtstat, ipscanners.  I cannot find this ghost IP.
I know it is not the machine because I tried it on another with the IP in question and 
achieved the same result.

We are running Win2K fully spacked.

Any help would be appreciated.

JP
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Directory Service event

[Nathan Casey]

I not sure if this event is expected or not. If it was
expected as a result of the daily backup I would expect to
see it on all of the DC's, that's the concern.

>>> [EMAIL PROTECTED] 10/5/2004 6:27:50 AM >>>
So is this expected then?  
Or are you concerned that the other DC's don't show the
same events even
though your backup program says they are being backed up?

Al 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of
Nathan Casey
Sent: Monday, October 04, 2004 5:14 PM
To: [EMAIL PROTECTED] 
Subject: RE: [ActiveDir] Directory Service event

All DC are being backed up, Netbackup 5.1 client. The event
does appear at
the same time of day every day starting pretty much when I
installed the
Netbackup client. 

>>> [EMAIL PROTECTED] 10/4/2004 2:00:12 PM >>>
Is this the only DC that you're running backups?  Does it
occur at the same
time every day as if it's a scheduled event?

Al 

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of
Nathan Casey
Sent: Monday, October 04, 2004 4:54 PM
To: [EMAIL PROTECTED] 
Subject: [ActiveDir] Directory Service event

On one of my domain controllers I am getting the following
events once a day
in the Directory Service event log: (in order listed)

Category: Logging/Recovery
Event ID: 210
Description: NTDS (796) NTDSA: A full backup is starting.

Category: Logging/Recovery
Event ID: 220
Description: NTDS (796) NTDSA: Beginning the backup of the
file
S:\NTDS\ntds.dit (size 24 Mb).

Category: Logging/Recovery
Event ID: 221
Description: NTDS (796) NTDSA: Ending the backup of the
file
S:\NTDS\ntds.dit.

Category: Logging/Recovery
Event ID: 223
Description: NTDS (796) NTDSA: Starting the backup of log
files (range
T:\NTDS\edb0004C.log - T:\NTDS\edb0004C.log).

Category: Logging/Recovery
Event ID: 213
Description: NTDS (796) NTDSA: The backup procedure has
been successfully
completed.

This is the only DC that I am getting this Directory
Service event. I can't
find much info on the event ID's.
Any ideas about this event or why they only appear on one
of
5 DC's (2 for root, 3 for sub) would be greatly
appreciated.
Thanks
Nathan

List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/


List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

[ActiveDir] Unauthorized Java Applets

[Edwin]

Is there a way via GPO to disable only certain Java
Applets?  Or better yet, only approve specific ones?  I know that I can disable
Java within IE but certain every tasks depend on Java Applets, specifically the
time clock.

 

We have several people here that are using, for example, the
Java based version of AOL instant messenger.  Of course management shouldn’t
have to tell them this but as we all know, some people learn things the hard
way.

 

Thank you for your replies,

Edwin

[ActiveDir] Accept backupuser logon

[Douglas M. Long]

Title: root domain alias








OK, I have created a user and added it to
the backup operators in built-in. Now I want to be able to logon (through
remote desktop) to my DCs with this user to setup my backups. I have two
template policies from Hardening Windows Server 2003 in place, with the
following Settings:

 

    Top
policy in list:    Allow
log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account
operators, BUILTIN\server operators, BUILTIN\print operators

    Deny
log on locally: DOMAIN\support_388945a0

 

    

    Bottom
policy in list:  Allow log on locally: BUILTIN\backup
operators, BUILTIN\administrators

    Allow
log on through Terminal Services: BUILTIN\administrators

    No deny log on locally settings

 

Now shouldn’t these settings allow
me to logon as a member of the BUILTIN\backup operators group? What am I
missing? Is there a better way to set up backups without logging in to the DC
(which would be much better)? Any help is much appreciated. 

 

 

RE: [ActiveDir] Directory Service event

[Mulnick, Al]

So is this expected then?  
Or are you concerned that the other DC's don't show the same events even
though your backup program says they are being backed up?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Monday, October 04, 2004 5:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Directory Service event

All DC are being backed up, Netbackup 5.1 client. The event does appear at
the same time of day every day starting pretty much when I installed the
Netbackup client. 

>>> [EMAIL PROTECTED] 10/4/2004 2:00:12 PM >>>
Is this the only DC that you're running backups?  Does it occur at the same
time every day as if it's a scheduled event?

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey
Sent: Monday, October 04, 2004 4:54 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Directory Service event

On one of my domain controllers I am getting the following events once a day
in the Directory Service event log: (in order listed)

Category: Logging/Recovery
Event ID: 210
Description: NTDS (796) NTDSA: A full backup is starting.

Category: Logging/Recovery
Event ID: 220
Description: NTDS (796) NTDSA: Beginning the backup of the file
S:\NTDS\ntds.dit (size 24 Mb).

Category: Logging/Recovery
Event ID: 221
Description: NTDS (796) NTDSA: Ending the backup of the file
S:\NTDS\ntds.dit.

Category: Logging/Recovery
Event ID: 223
Description: NTDS (796) NTDSA: Starting the backup of log files (range
T:\NTDS\edb0004C.log - T:\NTDS\edb0004C.log).

Category: Logging/Recovery
Event ID: 213
Description: NTDS (796) NTDSA: The backup procedure has been successfully
completed.

This is the only DC that I am getting this Directory Service event. I can't
find much info on the event ID's.
Any ideas about this event or why they only appear on one of
5 DC's (2 for root, 3 for sub) would be greatly appreciated.
Thanks
Nathan

List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm 
List FAQ: http://www.activedir.org/list_faq.htm 
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Definately OT for Collabrative Calendar

[Mulnick, Al]

Are you looking for something other than f/b schedule times?  Can you expand
on what you're after? 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: Monday, October 04, 2004 6:30 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Definately OT for Collabrative Calendar

I am trying to find some good software to ease some issues we are having.
Currently we have a system in place that thru macros mainly I believe.  A
section leaders exchange calendar is updated with a meeting.
That is then created on a Collaborative calendar that shows when that person
will be unavailable etc.  Basically we need to have one calendar that people
can look at to see when all the important people are available or not
without the important peoples secretaries having to open up multiple
calendars to  do it.  Does any one know of some software that does this and
will work with exchange?

Sorry bout the OT.  But you guys seem to know so much useful information I
can find other places.

Jeff


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] slow communication

[Mulnick, Al]

If the problem is opening recordsets then you should have a look at the
server itself after verifying that you get the same results with some other
application.  What you would be looking for is verification that it's not
the program that is using a poorly written query.

If the query is optimized, and you still have the problem then look at the
server configuration (hardware) to verify that the problem is not there.

Al 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of cyrus
Sent: Tuesday, October 05, 2004 7:15 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] slow communication

greetings paul,
i think my problem regards timeout is only related to SQL Server, to test
this  i wrote a vb6 app not to use SQL as backend instead it uses access, my
app resides in the server so workstation user could run it on any computer
available, and this does not cause any timeout. 

and also i found out that the timeout does not occur when connecting to the
server, it is when it starts to open the recordsets.(now I'm a little lost)
even it opens only 1 recordset.\ timeout occurs 

rgds
cyrus 


Paul van Geldrop writes: 

> Cyrus,
> 
> Are there any specific error messages appearing on the SQL Server ?
> Perhaps using a packetsniffer to have a look at the network traffic 
> might also give some insight into why the connection times out.
> Has anything recently changed in the network/server/database, no 
> matter how insignificant ? Even the addition of a network card with a 
> faulty NIC might cause enough disruptions on the network to cause 
> timeouts.
> I'd give the packet sniffer a definite go, as that can often help with 
> tracing down communications problem.
> Have any others problem shown themselves ? Long waiting for share 
> connections, for example, high ping times, etc ?
> 
> Regards,
> 
> Paul. 
> 
> PS: As to my previous remark regarding the domain, please ignore it. 
> ;)
> 
> - Original Message - From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, September 29, 2004 7:55 AM
> Subject: Re: [ActiveDir] slow communication
> 
> 
>> greetings paul,
>> first it my first time to send message to this site, need ur guidance 
>> to how i can send porperly.
>> were doing app vb6 as front end and sql as backend, workstation r 
>> connected tru hubs, when we run the app it takes long to connect to 
>> the sql server database, thus we r receiving msg relating to "TIMEOUT 
>> EXPIRED"
>> my real problem is knowing were the prob is, is it the window 2000 
>> server, sql 2000 server or the vb6 app designer or even the hubs were 
>> using. but it was not like this b4...with this i dont have any idea 
>> how to solve or what to reconfigure.
>> thanks
>> cyrus
>> 
>>  
>> 
>> Paul writes:
>>> Some more information on the systems might be handy (service packs, 
>>> hotfixes, etc) and what kind of application.. and how are they 
>>> connected ?
>>> And, perhaps somewhat offtopic, but.. how come you're mailing from 
>>> our domainname.. ? (am-ende.net) Regards, Paul van Geldrop. - 
>>> Original Message -
>>> From: <[EMAIL PROTECTED]>
>>> To: <[EMAIL PROTECTED]>
>>> Sent: Tuesday, September 28, 2004 12:18 PM
>>> Subject: [ActiveDir] slow communication
 
 greetings,
 first of all i'm not sure were problem is, we have window2000 
 server and SqlServer 2000, when we execute vb6 application to 
 access sql server its very frequent that we r receiving TIMEOUT 
 EXPIRED, I m not sure if
>>> SQLServer
 or window2000 server or VB6 is causing the problem. coz i dont have 
 any
>>> idea
 on how or if any , a way to test and identify the problem. any 
 suggestion
>>> ?
 
 thnks
 cyrus
 List info   : http://www.activedir.org/mail_list.htm
 List FAQ: http://www.activedir.org/list_faq.htm
 List archive: 
 http://www.mail-archive.com/activedir%40mail.activedir.org/
>>> 
>>> List info   : http://www.activedir.org/mail_list.htm
>>> List FAQ: http://www.activedir.org/list_faq.htm
>>> List archive: 
>>> http://www.mail-archive.com/activedir%40mail.activedir.org/
>>  
>> 
>> List info   : http://www.activedir.org/mail_list.htm
>> List FAQ: http://www.activedir.org/list_faq.htm
>> List archive: 
>> http://www.mail-archive.com/activedir%40mail.activedir.org/
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ: http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Screensaver GPO not applying?

[Michael Wassell]

Hmm.. Good point
 
That might be the case, I'll take a 
look.
 
Thanks for your suggestion!


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Mark 
WoodsSent: Tuesday, October 05, 2004 3:14 AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO 
not applying?

I had a issue very similar to this, it was caused by the 
power settings within the Display Properties, by default this is set to 'Turn 
off monitor' after 20 minutes, setting this to Never made the screen saver kick 
in, I had to set this manually on each build as I couldn't find a way to 
script it.
 
-mark


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
WassellSent: 04 October 2004 18:43To: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO 
not applying?

That's what I thought as 
well.

The value is the correct type (REG_SZ) and the 
GPO is enforced, but I am still having the same 
issue.

The weirdest part is that RSoP shows that the 
settings are applying, but does not actually 
apply.

Does anyone else have an 
idea?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Darren 
Mar-EliaSent: Monday, October 04, 2004 1:26 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO 
not applying?

The GPO doesn't have to look at the path. All 
the GPO does is punch in a registry value and its up to Windows to find the 
file. It will work fine if you just enter in the .scr file name and don't put a 
path. I've tested this and it works as expected. So I suspect you have another 
problem. Also note that this registry value is not of type REG_EXPAND_SZ, which 
means if you put something like %systemroot% in there, Windows will not expand 
that value correctly when the screensaver path is resolved. You would 
have to put in C:\windows explicitly.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin 
A.Sent: Monday, October 04, 2004 10:00 AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO 
not applying?


The GPO does not look 
at the PATH variable on each PC, it processes what it is told only, it does not 
make assumptions.

-Original 
Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
Michael WassellSent: Monday, October 04, 2004 
12:47 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] 
Screensaver GPO not applying?

Hmm.. I thought if the 
files were located in that location the path did not need to be 
specified.

I'll give it a 
shot...

Thanks!




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin 
A.Sent: 
Monday, October 04, 2004 12:24 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] 
Screensaver GPO not applying?
You must have in the 
GPO %systemroot%\system32\logon.scr for this to work correctly.  Just 
having the file name will not work.  This is how I do it and I have no 
problems.

-Original 
Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
Michael WassellSent: Monday, October 04, 2004 
12:12 PMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] Screensaver 
GPO not applying?


I posted 
this elsewhere but have gotten no responses yet.  Thought I would post it 
here also to try to gather some opinions.




Workstations 
are mixed 2000 / XP professional.  DC's are Windows 2003 and domain is 
running in Windows 2003 native mode.



Desired 
screensaver is logon.scr.  Default installation path for logon.scr is 
%SYSTEMROOT%\System32\.  Path is not specified in GPO, only 
filename.



RSoP shows 
that the policies are processing properly.  The setting seems to apply 
properly to XP machines but not to 2000 
machines.



Has anyone 
else seen or heard of this problem before?



I did find a 
MSKB article regarding the symptom, but it only mentions that the symptom 
occurs in Windows 2000 domains, and pre-SP3 Windows 2000 machines, neither of 
which are the case.  For anyone curious here is a 
link:



http://support.microsoft.com/?kbid=305357


Michael 
Wassell
Network 
Administrator
PT Marketing 
Group
Pittsburgh, 
Pennsylvania 15222
Phone:  
412-471-8995  /  Fax: 412-471-8695





**This e-mail has been scanned for viruses by Edwin Coe at the mail gateway** 




This email and any attachments are confidential, legally privileged and 
protected by copyright. If you are not the intended recipient, then the 
dissemination or copying of this email is prohibited.If you have 
received this in error, please notify the sender by replying by email and then 
delete the email completely from your system.This email and any 
attachments have been scanned for viruses, but it is the responsibility of 
recipients to conduct their own security measures. No responsibility is accepted 
by Edwin Coe for loss or damage arising from the receipt or use of this email, 
nor for personal emails, or emails unconnected with the firm's or clients' 
business.A list of the names of the partners of Edwin Coe, can be 
inspected at 2 Stone Buildings, Lincolns Inn, Lon

Re: [ActiveDir] slow communication

[cyrus]

greetings paul,
i think my problem regards timeout is only related to SQL Server, to test 
this  i wrote a vb6 app not to use SQL as backend instead it uses access,  
my app resides in the server so workstation user could run it on any 
computer available, and this does not cause any timeout. 

and also i found out that the timeout does not occur when connecting to the 
server, it is when it starts to open the recordsets.(now I'm a little lost) 
even it opens only 1 recordset.\ timeout occurs 

rgds
cyrus 

Paul van Geldrop writes: 

Cyrus, 

Are there any specific error messages appearing on the SQL Server ?
Perhaps using a packetsniffer to have a look at the network traffic might 
also give some insight into why the connection times out.
Has anything recently changed in the network/server/database, no matter 
how insignificant ? Even the addition of a network card with a faulty NIC 
might
cause enough disruptions on the network to cause timeouts.
I'd give the packet sniffer a definite go, as that can often help with 
tracing down communications problem.
Have any others problem shown themselves ? Long waiting for share 
connections, for example, high ping times, etc ? 

Regards, 

Paul. 

PS: As to my previous remark regarding the domain, please ignore it. ;) 

- Original Message - From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 29, 2004 7:55 AM
Subject: Re: [ActiveDir] slow communication 


greetings paul,
first it my first time to send message to this site, need ur guidance to 
how i can send porperly.
were doing app vb6 as front end and sql as backend, workstation r 
connected tru hubs, when we run the app it takes long to connect to the 
sql server database, thus we r receiving msg relating to "TIMEOUT 
EXPIRED"
my real problem is knowing were the prob is, is it the window 2000 
server, sql 2000 server or the vb6 app designer or even the hubs were  
using. but it was not like this b4...with this i dont have any idea how 
to solve or what to reconfigure.
thanks
cyrus 

 

Paul writes:
Some more information on the systems might be handy (service packs,
hotfixes, etc) and what kind of application.. and how are they connected 
?
And, perhaps somewhat offtopic, but.. how come you're mailing from our
domainname.. ? (am-ende.net) Regards, Paul van Geldrop. - Original 
Message -
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 28, 2004 12:18 PM
Subject: [ActiveDir] slow communication
greetings,
first of all i'm not sure were problem is, we have window2000 server 
and
SqlServer 2000, when we execute vb6 application to access sql server 
its
very frequent that we r receiving TIMEOUT EXPIRED, I m not sure if
SQLServer
or window2000 server or VB6 is causing the problem. coz i dont have any
idea
on how or if any , a way to test and identify the problem. any 
suggestion
?
thnks
cyrus
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: 
http://www.mail-archive.com/activedir%40mail.activedir.org/
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] [ActiveDir Digest]

[Ruston, Neil]

In the past, I have simply enabled 'user must change password at next logon'
as part of the user creation process.

The user will then be *forced* to change his/her password at next (i.e. first)
logon and cannot continue to work until that pw change has been actioned.


Thanks,
Neil
PS I am assuming that you did *not* set the above flag when creating users.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
Sent: 05 October 2004 04:12
Subject: [ActiveDir Digest]


-

Subject: [ActiveDir] Minimum Password Age
Date: Mon, 4 Oct 2004 08:54:27 -0600
From: "Travis Riddle" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Our password policy is set up as follows:

Minimum 8 characters
Remember 6 passwords
Maximium Password Age 90 days
Minimum Password Age 15 days
Require Complex passwords

Windows 2003
3 Sites
GC at each site

So we just created approximatly 50 new users and assigned them a semi-generic
passowrd that they need to change upon login.  The problem is they cannot
change their password upon login because it hasn't been 15 days since the
password was created (I assume).  Is this by design? If so how do you get
around it?  How am I suppose to create new users in the future if this is the
case (besides creating them 15 days in
advance)

My first guess at a solution to this problem is to change the minimum password
age to 0, allowing users to change their password immediately. I tried this
and forced a refresh on the machine policy with no luck. Does anyone have any
ideas of what to do?

I now have 50 users that were suppose to be able to be working today not able
to log in unless we change their password to NOT change upon login (so they
all have the same easy to use password).  Am I missing something simple?  Any
idea's are appreciated.

Thanks,

Travis
-

Subject: RE: [ActiveDir] Minimum Password Age
Date: Mon, 4 Oct 2004 11:33:01 -0400
From: "Rick Boza" <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
This is a multi-part message in MIME format.

--_=_NextPart_001_01C4AA27.CA1C8B32
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Nope, it shouldn't work like that.  I just tested it in fact with your =
settings and the result I get is what I expected - they are prompted = with a
message that "they are required to change their password at first = login."
The password change then works fine. =20 What error are they getting? Any
events on the DCs?



From: [EMAIL PROTECTED] on behalf of Travis Riddle
Sent: Mon 10/4/2004 10:54 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Minimum Password Age



Our password policy is set up as follows:

Minimum 8 characters
Remember 6 passwords
Maximium Password Age 90 days
Minimum Password Age 15 days
Require Complex passwords

Windows 2003
3 Sites
GC at each site

So we just created approximatly 50 new users and assigned them a semi-generic
passowrd that they need to change upon login.  The problem is they cannot
change their password upon login because it hasn't been 15 days since the
password was created (I assume).  Is this by design? If so how do you get
around it?  How am I suppose to create new users in the future if this is the
case (besides creating them 15 days in
advance)

My first guess at a solution to this problem is to change the minimum password
age to 0, allowing users to change their password immediately. I tried this
and forced a refresh on the machine policy with no luck. Does anyone have any
ideas of what to do?

I now have 50 users that were suppose to be able to be working today not able
to log in unless we change their password to NOT change upon login (so they
all have the same easy to use password).  Am I missing something simple?  Any
idea's are appreciated.

Thanks,

Travis
List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: = http://www.mail-archive.com/activedir%40mail.activedir.org/


==
This message is for the sole use of the intended recipient. If you received
this message in error please delete it and notify us. If this message was
misdirected, CSFB does not waive any confidentiality or privilege. CSFB
retains and monitors electronic communications sent through its network.
Instructions transmitted over this system are not binding on CSFB until they
are confirmed by us. Message transmission is not guaranteed to be secure.
==

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Definately OT for Collabrative Calendar

[Jacqui Hurst]

Have a look at AgendaX.  It uses a web interface and does IIS and a number
of other components.  I can't remember if a separate database is required or
if it supports its own. I know you can use it with Oracle and SQL.  This is
based on CDO and I believe works with 5.5 and 2003.

Jacqui

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D.
Team EITC
Sent: 04 October 2004 23:30
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Definately OT for Collabrative Calendar

I am trying to find some good software to ease some issues we are
having.  Currently we have a system in place that thru macros mainly I
believe.  A section leaders exchange calendar is updated with a meeting.
That is then created on a Collaborative calendar that shows when that
person will be unavailable etc.  Basically we need to have one calendar
that people can look at to see when all the important people are
available or not without the important peoples secretaries having to
open up multiple calendars to  do it.  Does any one know of some
software that does this and will work with exchange?

Sorry bout the OT.  But you guys seem to know so much useful information
I can find other places.

Jeff


List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

RE: [ActiveDir] Screensaver GPO not applying?

[Mark Woods]

I had a issue very similar to this, it was caused by the 
power settings within the Display Properties, by default this is set to 'Turn 
off monitor' after 20 minutes, setting this to Never made the screen saver kick 
in, I had to set this manually on each build as I couldn't find a way to 
script it.
 
-mark


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Michael 
WassellSent: 04 October 2004 18:43To: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO 
not applying?

That's what I thought as 
well.

The value is the correct type (REG_SZ) and the 
GPO is enforced, but I am still having the same 
issue.

The weirdest part is that RSoP shows that the 
settings are applying, but does not actually 
apply.

Does anyone else have an 
idea?


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Darren 
Mar-EliaSent: Monday, October 04, 2004 1:26 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO 
not applying?

The GPO doesn't have to look at the path. All 
the GPO does is punch in a registry value and its up to Windows to find the 
file. It will work fine if you just enter in the .scr file name and don't put a 
path. I've tested this and it works as expected. So I suspect you have another 
problem. Also note that this registry value is not of type REG_EXPAND_SZ, which 
means if you put something like %systemroot% in there, Windows will not expand 
that value correctly when the screensaver path is resolved. You would 
have to put in C:\windows explicitly.


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin 
A.Sent: Monday, October 04, 2004 10:00 AMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO 
not applying?


The GPO does not look 
at the PATH variable on each PC, it processes what it is told only, it does not 
make assumptions.

-Original 
Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
Michael WassellSent: Monday, October 04, 2004 
12:47 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] 
Screensaver GPO not applying?

Hmm.. I thought if the 
files were located in that location the path did not need to be 
specified.

I'll give it a 
shot...

Thanks!




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin 
A.Sent: 
Monday, October 04, 2004 12:24 PMTo: 
[EMAIL PROTECTED]Subject: RE: [ActiveDir] 
Screensaver GPO not applying?
You must have in the 
GPO %systemroot%\system32\logon.scr for this to work correctly.  Just 
having the file name will not work.  This is how I do it and I have no 
problems.

-Original 
Message-From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
On Behalf Of 
Michael WassellSent: Monday, October 04, 2004 
12:12 PMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] Screensaver 
GPO not applying?


I posted 
this elsewhere but have gotten no responses yet.  Thought I would post it 
here also to try to gather some opinions.




Workstations 
are mixed 2000 / XP professional.  DC's are Windows 2003 and domain is 
running in Windows 2003 native mode.



Desired 
screensaver is logon.scr.  Default installation path for logon.scr is 
%SYSTEMROOT%\System32\.  Path is not specified in GPO, only 
filename.



RSoP shows 
that the policies are processing properly.  The setting seems to apply 
properly to XP machines but not to 2000 
machines.



Has anyone 
else seen or heard of this problem before?



I did find a 
MSKB article regarding the symptom, but it only mentions that the symptom 
occurs in Windows 2000 domains, and pre-SP3 Windows 2000 machines, neither of 
which are the case.  For anyone curious here is a 
link:



http://support.microsoft.com/?kbid=305357


Michael 
Wassell
Network 
Administrator
PT Marketing 
Group
Pittsburgh, 
Pennsylvania 15222
Phone:  
412-471-8995  /  Fax: 412-471-8695





**This e-mail has been scanned for viruses by Edwin Coe at the mail gateway** 


This email and any attachments are confidential, legally privileged and protected by copyright.  If you are not the intended recipient, then the dissemination or copying of this email is prohibited.

If you have received this in error, please notify the sender by replying by email and then delete the email completely from your system.

This email and any attachments have been scanned for viruses, but it is the responsibility of recipients to conduct their own security measures.  No responsibility is accepted by Edwin Coe for loss or damage arising from the receipt or use of this email, nor for personal emails, or emails unconnected with the firm's or clients' business.

A list of the names of the partners of Edwin Coe, can be inspected at 2 Stone Buildings, Lincolns Inn, London WC2A 3TH