RE: [ActiveDir] WAN outage caused issues...
I agree with Ken. DCDiag looks great below because the WAN is up and available. As soon as the WAN goes down the local DC in the site cannot access the _msdcs sub-domain of the root zone (or delegated zone if you have configured it as such) and therefore is missing some of the information required for the clients to properly resolve all the names required. See the Windows 2000 Branch Office Guide for more information. You will find that MS recommends create a zone for the _msdcs DNS information and using Secondary zones and transfers for this zone onto all branch office DCs. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 2:31 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Hmmm not a simple one then. Can you see the correct SRV records for the server in DNS and also under the correct site? From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ Sent: Tue 05/10/2004 22:06 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... DCDiag: Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: CCV-VPL\CCVVPLDC01 Starting test: Connectivity . CCVVPLDC01 passed test Connectivity Doing primary tests Testing server: CCV-VPL\CCVVPLDC01 Starting test: Replications . CCVVPLDC01 passed test Replications Starting test: NCSecDesc . CCVVPLDC01 passed test NCSecDesc Starting test: NetLogons . CCVVPLDC01 passed test NetLogons Starting test: Advertising . CCVVPLDC01 passed test Advertising Starting test: KnowsOfRoleHolders . CCVVPLDC01 passed test KnowsOfRoleHolders Starting test: RidManager . CCVVPLDC01 passed test RidManager Starting test: MachineAccount . CCVVPLDC01 passed test MachineAccount Starting test: Services . CCVVPLDC01 passed test Services Starting test: ObjectsReplicated . CCVVPLDC01 passed test ObjectsReplicated Starting test: frssysvol There are errors after the SYSVOL has been shared. The SYSVOL can prevent the AD from starting. . CCVVPLDC01 passed test frssysvol Starting test: kccevent . CCVVPLDC01 passed test kccevent Starting test: systemlog An Error Event occured. EventID: 0x0457 Time Generated: 10/05/2004 15:42:26 Event String: Driver TOSHIBA e-STUDIO350-450 PSL3 required for An Error Event occured. EventID: 0x0452 Time Generated: 10/05/2004 15:42:26 Event String: The printer could not be installed. An Error Event occured. EventID: 0x0457 Time Generated: 10/05/2004 15:42:27 Event String: Driver HP Business Inkjet 2600 PCL 5C required An Error Event occured. EventID: 0x0452 Time Generated: 10/05/2004 15:42:27 Event String: The printer could not be installed. . CCVVPLDC01 failed test systemlog Running enterprise tests on : ourcompany.com Starting test: Intersite . ouprcompany.com passed test Intersite Starting test: FsmoCheck . ourcompany.com passed test FsmoCheck NETDIAG Output: .. Computer Name: CCVVPLDC01 DNS Host Name: ccvvpldc01.ccc.ourcompany.com System info : Windows 2000 Server (Build 2195) Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel List of installed hotfixes : KB811370 KB819696 KB823182 KB824146 KB825119 KB826232 KB828035 KB828741 KB828749 KB835732 KB837001 KB840315 KB841873 Q147222 Netcard queries test . . . . . . . : Passed Per interface results: Adapter : Local Area Connection 2 Netcard queries test . . . : Passed Host Name. . . . . . . . . : ccvvpldc01 IP Address . . . . . . . . : 10.2.192.223 Subnet Mask. . . . . . . . : 255.255.255.0 Default Gateway. . . . . . : 10.2.192.240 Primary WINS Server. . . . : 10.4.223.119 Secondary WINS Server. . . : 10.4.223.120 Dns Servers. . . . . . . . : 10.4.223.31
RE: [ActiveDir] Ghost in the system
Also check your DHCP box to see if you can see the info in there. If I remember I have seen the same behaviour years ago when the IP was already in the WINS database not sure. I'd have a look and tombstone any entries for that IP, if not delete. From: [EMAIL PROTECTED] on behalf of Robert Rutherford Sent: Tue 05/10/2004 22:04 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Ghost in the system have u got a router on your local LAN? Have a look in the arp cache and see if you can see listings for that IP From: [EMAIL PROTECTED] on behalf of John Parker Sent: Tue 05/10/2004 16:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Ghost in the system Hey all I have a box that suddenly went offline becasue of a "Duplicate IP" on the network. unable to find this "Duplicate IP", I was forced to change the IP of the box. I have tried ping, nbtstat, ipscanners. I cannot find this ghost IP. I know it is not the machine because I tried it on another with the IP in question and achieved the same result. We are running Win2K fully spacked. Any help would be appreciated. JP List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === <>
RE: [ActiveDir] WAN outage caused issues...
Also, is it both the W2K and XP clients which are having the issue? From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ Sent: Tue 05/10/2004 22:10 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, single forest. One empty root domain and one child domain. -Original Message- From: Robert Rutherford [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 3:51 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... They are AD integrated though they should have all they need to logon to the local dc. I cant remember if u said u had a single forest Russ? From: [EMAIL PROTECTED] on behalf of Ken Cornetet Sent: Tue 05/10/2004 21:40 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Well, there ya go! I'm assuming that there are no root domain DCs in the remote sites. Clients need to be able to do DNS lookups on various things in the "_" subdomains of the root. If your child domain's DCs are set to forward to the root DCs, and the WAN is down, they can't find things. For 2000, my advice is to simply add the root domain as secondaries on the remote DCs DNS. If you are running 2003 on your DCs, you can configure your zones to show up on all DCs in the forest. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 3:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... The domain in question is a child of a root domain yes. Our child domain DNS servers don't point to our root domain for DNS resolution at all. They just forward requests up to the root domain DNS servers if they dont have an answer. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Is the domain in question a child of another domain? Do your remote DCs have secondary zones for the root domain's DNS? For example, if your parent domain is acme.com, and your user domain is coyote.acme.com, do the coyote.acme.com DC's have a secondary for acme.com (or at least the "_" subdomains of acme.com)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the
RE: [ActiveDir] WAN outage caused issues...
Hmmm not a simple one then. Can you see the correct SRV records for the server in DNS and also under the correct site? From: [EMAIL PROTECTED] on behalf of Rimmerman, Russ Sent: Tue 05/10/2004 22:06 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... DCDiag: Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: CCV-VPL\CCVVPLDC01 Starting test: Connectivity . CCVVPLDC01 passed test Connectivity Doing primary tests Testing server: CCV-VPL\CCVVPLDC01 Starting test: Replications . CCVVPLDC01 passed test Replications Starting test: NCSecDesc . CCVVPLDC01 passed test NCSecDesc Starting test: NetLogons . CCVVPLDC01 passed test NetLogons Starting test: Advertising . CCVVPLDC01 passed test Advertising Starting test: KnowsOfRoleHolders . CCVVPLDC01 passed test KnowsOfRoleHolders Starting test: RidManager . CCVVPLDC01 passed test RidManager Starting test: MachineAccount . CCVVPLDC01 passed test MachineAccount Starting test: Services . CCVVPLDC01 passed test Services Starting test: ObjectsReplicated . CCVVPLDC01 passed test ObjectsReplicated Starting test: frssysvol There are errors after the SYSVOL has been shared. The SYSVOL can prevent the AD from starting. . CCVVPLDC01 passed test frssysvol Starting test: kccevent . CCVVPLDC01 passed test kccevent Starting test: systemlog An Error Event occured. EventID: 0x0457 Time Generated: 10/05/2004 15:42:26 Event String: Driver TOSHIBA e-STUDIO350-450 PSL3 required for An Error Event occured. EventID: 0x0452 Time Generated: 10/05/2004 15:42:26 Event String: The printer could not be installed. An Error Event occured. EventID: 0x0457 Time Generated: 10/05/2004 15:42:27 Event String: Driver HP Business Inkjet 2600 PCL 5C required An Error Event occured. EventID: 0x0452 Time Generated: 10/05/2004 15:42:27 Event String: The printer could not be installed. . CCVVPLDC01 failed test systemlog Running enterprise tests on : ourcompany.com Starting test: Intersite . ouprcompany.com passed test Intersite Starting test: FsmoCheck . ourcompany.com passed test FsmoCheck NETDIAG Output: .. Computer Name: CCVVPLDC01 DNS Host Name: ccvvpldc01.ccc.ourcompany.com System info : Windows 2000 Server (Build 2195) Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel List of installed hotfixes : KB811370 KB819696 KB823182 KB824146 KB825119 KB826232 KB828035 KB828741 KB828749 KB835732 KB837001 KB840315 KB841873 Q147222 Netcard queries test . . . . . . . : Passed Per interface results: Adapter : Local Area Connection 2 Netcard queries test . . . : Passed Host Name. . . . . . . . . : ccvvpldc01 IP Address . . . . . . . . : 10.2.192.223 Subnet Mask. . . . . . . . : 255.255.255.0 Default Gateway. . . . . . : 10.2.192.240 Primary WINS Server. . . . : 10.4.223.119 Secondary WINS Server. . . : 10.4.223.120 Dns Servers. . . . . . . . : 10.4.223.31 10.4.223.32 AutoConfiguration results. . . . . . : Passed Default gateway test . . . : Passed NetBT name test. . . . . . : Passed WINS service test. . . . . : Passed Global results: Domain membership test . . . . . . : Passed NetBT transports test. . . . . . . : Passed List of NetBt transports currently configured: NetBT_Tcpip_{D6CF41A0-700A-4C55-9CC2-FBEDC88DBC4C} 1 NetBt transport currently configured. Autonet address test . . . . . . . : Passed IP loopback ping test. . . . . . . : Passed Default gateway test . . . . . . . : Passed NetBT name test. . . . . . . . . . : Passed Winsock test . . . . . . . . . . . : Passed DNS test . . . . . . . . . . . . . : Passed PASS - All the DNS entries for DC are registered on DNS server '10.4.223.31' and other DCs also have some of the names registered. PASS - All the DNS entries for DC are registered on DNS se
RE: [ActiveDir] WAN outage caused issues...
Title: Message No, they don't have all they need. Clients should be able to resolve at least the "_" subdomains of the root domain. That's all covered in the AD design books. GC location (among other things) is done via DNS lookups into the "_msdcs" subdomain of the root domain. -Original Message-From: Robert Rutherford [mailto:[EMAIL PROTECTED] On Behalf Of Robert RutherfordSent: Tuesday, October 05, 2004 3:51 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues... They are AD integrated though they should have all they need to logon to the local dc. I cant remember if u said u had a single forest Russ? From: [EMAIL PROTECTED] on behalf of Ken CornetetSent: Tue 05/10/2004 21:40To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues... Well, there ya go!I'm assuming that there are no root domain DCs in the remote sites.Clients need to be able to do DNS lookups on various things in the "_"subdomains of the root. If your child domain's DCs are set to forward tothe root DCs, and the WAN is down, they can't find things.For 2000, my advice is to simply add the root domain as secondaries onthe remote DCs DNS.If you are running 2003 on your DCs, you can configure your zones toshow up on all DCs in the forest.-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 3:28 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused issues...The domain in question is a child of a root domain yes. Our childdomain DNS servers don't point to our root domain for DNS resolution atall. They just forward requests up to the root domain DNS servers ifthey dont have an answer.-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On Behalf Of Ken CornetetSent: Tuesday, October 05, 2004 3:19 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues...Is the domain in question a child of another domain? Do your remote DCshave secondary zones for the root domain's DNS?For example, if your parent domain is acme.com, and your user domain iscoyote.acme.com, do the coyote.acme.com DC's have a secondary foracme.com (or at least the "_" subdomains of acme.com)?-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 2:24 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused issues...Yes, they're using their own site's DC for DNS resolution and there is areverse DNS zone there. DNS is active directory integrated. The DCitselfis pointed at HQ for dns lookups on its tcp/ip properties (although Idont think that matters?)-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On Behalf Of Mulnick, AlSent: Tuesday, October 05, 2004 1:45 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused issues...So I have to ask for more information:Are your clients using their own site's DC for DNS resolution? And isthere a reverse DNS zone setup there?-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 2:35 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues...OK I got more info. Here's whats in the eventlogs of the workstationsduring the time they were broken:10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator)40961 N/A CAE12350828 The Security System could not establishasecured connection with the server cifs/cae123fs01.ourdomain.com. Noauthentication protocol was available.10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator)40960 N/A CAE12350828 "The Security System detected anattempteddowngrade attack for server cifs/cae123fs01.ourdomain.com. The failurecode from authentication protocol Kerberos was ""There are currently nologon servers available to service the logon request. (0xc05e)""."-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Burkes, Jeremy[Contractor]Sent: Tuesday, October 05, 2004 12:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues...I believe Windows 2000 and Windows XP will attach their own domain namesuffix to search for the host in DNS. For example if you give hostnameand the workstation's domain name is domain.com it will tryhostname.domain.com to see if it can resolve it in DNS. The searchorder for Windows 2000 and XP clients I believe is:DNS CacheLocal Hosts File (host file)DNS ServerLMHost FileWINSJeremy-Jeremy BurkesSSPMIS Department[EMAIL PROTECTED]PH: 202-764-1270-Original Message
RE: [ActiveDir] WAN outage caused issues...
Yes, effectively. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 3:49 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Correct, no root domain DCs at the remote sites, but if the WAN link is down, what good are the root domain as secondaries on the remote DCs DNS going to do? Will it be cached or something? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:40 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Well, there ya go! I'm assuming that there are no root domain DCs in the remote sites. Clients need to be able to do DNS lookups on various things in the "_" subdomains of the root. If your child domain's DCs are set to forward to the root DCs, and the WAN is down, they can't find things. For 2000, my advice is to simply add the root domain as secondaries on the remote DCs DNS. If you are running 2003 on your DCs, you can configure your zones to show up on all DCs in the forest. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 3:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... The domain in question is a child of a root domain yes. Our child domain DNS servers don't point to our root domain for DNS resolution at all. They just forward requests up to the root domain DNS servers if they dont have an answer. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Is the domain in question a child of another domain? Do your remote DCs have secondary zones for the root domain's DNS? For example, if your parent domain is acme.com, and your user domain is coyote.acme.com, do the coyote.acme.com DC's have a secondary for acme.com (or at least the "_" subdomains of acme.com)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it wi
RE: [ActiveDir] WAN outage caused issues...
Title: RE: [ActiveDir] WAN outage caused issues... Yes, single forest. One empty root domain and one child domain. -Original Message-From: Robert Rutherford [mailto:[EMAIL PROTECTED]On Behalf Of Robert RutherfordSent: Tuesday, October 05, 2004 3:51 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues... They are AD integrated though they should have all they need to logon to the local dc. I cant remember if u said u had a single forest Russ? From: [EMAIL PROTECTED] on behalf of Ken CornetetSent: Tue 05/10/2004 21:40To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues... Well, there ya go!I'm assuming that there are no root domain DCs in the remote sites.Clients need to be able to do DNS lookups on various things in the "_"subdomains of the root. If your child domain's DCs are set to forward tothe root DCs, and the WAN is down, they can't find things.For 2000, my advice is to simply add the root domain as secondaries onthe remote DCs DNS.If you are running 2003 on your DCs, you can configure your zones toshow up on all DCs in the forest.-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 3:28 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused issues...The domain in question is a child of a root domain yes. Our childdomain DNS servers don't point to our root domain for DNS resolution atall. They just forward requests up to the root domain DNS servers ifthey dont have an answer.-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On Behalf Of Ken CornetetSent: Tuesday, October 05, 2004 3:19 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues...Is the domain in question a child of another domain? Do your remote DCshave secondary zones for the root domain's DNS?For example, if your parent domain is acme.com, and your user domain iscoyote.acme.com, do the coyote.acme.com DC's have a secondary foracme.com (or at least the "_" subdomains of acme.com)?-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 2:24 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused issues...Yes, they're using their own site's DC for DNS resolution and there is areverse DNS zone there. DNS is active directory integrated. The DCitselfis pointed at HQ for dns lookups on its tcp/ip properties (although Idont think that matters?)-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On Behalf Of Mulnick, AlSent: Tuesday, October 05, 2004 1:45 PMTo: '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] WAN outage caused issues...So I have to ask for more information:Are your clients using their own site's DC for DNS resolution? And isthere a reverse DNS zone setup there?-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Rimmerman, RussSent: Tuesday, October 05, 2004 2:35 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues...OK I got more info. Here's whats in the eventlogs of the workstationsduring the time they were broken:10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator)40961 N/A CAE12350828 The Security System could not establishasecured connection with the server cifs/cae123fs01.ourdomain.com. Noauthentication protocol was available.10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator)40960 N/A CAE12350828 "The Security System detected anattempteddowngrade attack for server cifs/cae123fs01.ourdomain.com. The failurecode from authentication protocol Kerberos was ""There are currently nologon servers available to service the logon request. (0xc05e)""."-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]] On Behalf Of Burkes, Jeremy[Contractor]Sent: Tuesday, October 05, 2004 12:00 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] WAN outage caused issues...I believe Windows 2000 and Windows XP will attach their own domain namesuffix to search for the host in DNS. For example if you give hostnameand the workstation's domain name is domain.com it will tryhostname.domain.com to see if it can resolve it in DNS. The searchorder for Windows 2000 and XP clients I believe is:DNS CacheLocal Hosts File (host file)DNS ServerLMHost FileWINSJeremy-Jeremy BurkesSSPMIS Department[EMAIL PROTECTED]PH: 202-764-1270-Original Message-From: [EMAIL PROTECTED][mailto:[EMAIL PROTECTED]]On Behalf Of Renouf, PhilSent: Tuesday, October 05, 2004 12:43 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir]
RE: [ActiveDir] WAN outage caused issues...
These are two DNS servers back at our HQ. They aren't domain controllers, just DNS servers on Win2k. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 4:02 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... What hosts are these? DNS Servers . . . . . . . . . . . : 10.4.223.31 10.4.223.32 I'm assuming that these are dc's in another site across the WAN correct? Does your local DC host all the zones that are in the Active Directory? If not, why? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:51 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... IPconfig info from the DC in that site: Windows 2000 IP Configuration Host Name . . . . . . . . . . . . : ccvvpldc01 Primary DNS Suffix . . . . . . . : ccc.ourcompany.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : ccc.ourcompany.com ourcompany.com Ethernet adapter Local Area Connection 2: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter #2 Physical Address. . . . . . . . . : 00-0E-7F-B4-97-B8 DHCP Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 10.2.192.223 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.2.192.240 DNS Servers . . . . . . . . . . . : 10.4.223.31 10.4.223.32 Primary WINS Server . . . . . . . : 10.4.223.119 Secondary WINS Server . . . . . . : 10.4.223.120 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Always a point of disagreement. Once the DC has functioning replication and integrated DNS, unless you built your DC's on roller skates this should not be a problem. I hear what you're saying though, and as a best practice it's useful to have the primary dns as an alternate DC. In this case, that would mean that things would break. Russ, can you post the IPCONFIG information for the DC in that site? I suspect we're getting confused by your posts and how it's really configured. SPNEGO errors are often associated with name resolution issues, so it's worthwhile to check. It'd be good to get the same information from the file server that refused the request and a workstation that had the error just for continuity. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 4:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2000 DCs should point to another DC as their primary DNS server. They should point to themselves as secondary. A 2000 DC pointing to himself for primary DNS is subject to "islanding". If his IP address changes, he'll update himself, then cease replicating with the rest of the world (because AD replication is "pull" and the other DCs will never see the new IP address). I think 2003 has logic to avoid this problem so that a DC can be his own DNS server. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:15 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Wouldn't it make more sense to have the server use itself for DNS resolution? I mean, if the wan link goes down, it wouldn't be able to resolve names right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:07 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the sites DC is using HQ as its primary and secondary DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali Sent: Tuesday, October 05, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zo
RE: [ActiveDir] WAN outage caused issues...
Sorry, I see its not from previous postings From: [EMAIL PROTECTED] on behalf of Robert Rutherford Sent: Tue 05/10/2004 21:50 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... They are AD integrated though they should have all they need to logon to the local dc. I cant remember if u said u had a single forest Russ? From: [EMAIL PROTECTED] on behalf of Ken Cornetet Sent: Tue 05/10/2004 21:40 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Well, there ya go! I'm assuming that there are no root domain DCs in the remote sites. Clients need to be able to do DNS lookups on various things in the "_" subdomains of the root. If your child domain's DCs are set to forward to the root DCs, and the WAN is down, they can't find things. For 2000, my advice is to simply add the root domain as secondaries on the remote DCs DNS. If you are running 2003 on your DCs, you can configure your zones to show up on all DCs in the forest. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 3:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... The domain in question is a child of a root domain yes. Our child domain DNS servers don't point to our root domain for DNS resolution at all. They just forward requests up to the root domain DNS servers if they dont have an answer. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Is the domain in question a child of another domain? Do your remote DCs have secondary zones for the root domain's DNS? For example, if your parent domain is acme.com, and your user domain is coyote.acme.com, do the coyote.acme.com DC's have a secondary for acme.com (or at least the "_" subdomains of acme.com)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Ph
RE: [ActiveDir] WAN outage caused issues...
DCDiag: Domain Controller Diagnosis Performing initial setup: Done gathering initial info. Doing initial required tests Testing server: CCV-VPL\CCVVPLDC01 Starting test: Connectivity . CCVVPLDC01 passed test Connectivity Doing primary tests Testing server: CCV-VPL\CCVVPLDC01 Starting test: Replications . CCVVPLDC01 passed test Replications Starting test: NCSecDesc . CCVVPLDC01 passed test NCSecDesc Starting test: NetLogons . CCVVPLDC01 passed test NetLogons Starting test: Advertising . CCVVPLDC01 passed test Advertising Starting test: KnowsOfRoleHolders . CCVVPLDC01 passed test KnowsOfRoleHolders Starting test: RidManager . CCVVPLDC01 passed test RidManager Starting test: MachineAccount . CCVVPLDC01 passed test MachineAccount Starting test: Services . CCVVPLDC01 passed test Services Starting test: ObjectsReplicated . CCVVPLDC01 passed test ObjectsReplicated Starting test: frssysvol There are errors after the SYSVOL has been shared. The SYSVOL can prevent the AD from starting. . CCVVPLDC01 passed test frssysvol Starting test: kccevent . CCVVPLDC01 passed test kccevent Starting test: systemlog An Error Event occured. EventID: 0x0457 Time Generated: 10/05/2004 15:42:26 Event String: Driver TOSHIBA e-STUDIO350-450 PSL3 required for An Error Event occured. EventID: 0x0452 Time Generated: 10/05/2004 15:42:26 Event String: The printer could not be installed. An Error Event occured. EventID: 0x0457 Time Generated: 10/05/2004 15:42:27 Event String: Driver HP Business Inkjet 2600 PCL 5C required An Error Event occured. EventID: 0x0452 Time Generated: 10/05/2004 15:42:27 Event String: The printer could not be installed. . CCVVPLDC01 failed test systemlog Running enterprise tests on : ourcompany.com Starting test: Intersite . ouprcompany.com passed test Intersite Starting test: FsmoCheck . ourcompany.com passed test FsmoCheck NETDIAG Output: .. Computer Name: CCVVPLDC01 DNS Host Name: ccvvpldc01.ccc.ourcompany.com System info : Windows 2000 Server (Build 2195) Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel List of installed hotfixes : KB811370 KB819696 KB823182 KB824146 KB825119 KB826232 KB828035 KB828741 KB828749 KB835732 KB837001 KB840315 KB841873 Q147222 Netcard queries test . . . . . . . : Passed Per interface results: Adapter : Local Area Connection 2 Netcard queries test . . . : Passed Host Name. . . . . . . . . : ccvvpldc01 IP Address . . . . . . . . : 10.2.192.223 Subnet Mask. . . . . . . . : 255.255.255.0 Default Gateway. . . . . . : 10.2.192.240 Primary WINS Server. . . . : 10.4.223.119 Secondary WINS Server. . . : 10.4.223.120 Dns Servers. . . . . . . . : 10.4.223.31 10.4.223.32 AutoConfiguration results. . . . . . : Passed Default gateway test . . . : Passed NetBT name test. . . . . . : Passed WINS service test. . . . . : Passed Global results: Domain membership test . . . . . . : Passed NetBT transports test. . . . . . . : Passed List of NetBt transports currently configured: NetBT_Tcpip_{D6CF41A0-700A-4C55-9CC2-FBEDC88DBC4C} 1 NetBt transport currently configured. Autonet address test . . . . . . . : Passed IP loopback ping test. . . . . . . : Passed Default gateway test . . . . . . . : Passed NetBT name test. . . . . . . . . . : Passed Winsock test . . . . . . . . . . . : Passed DNS test . . . . . . . . . . . . . : Passed PASS - All the DNS entries for DC are registered on DNS server '10.4.223.31' and other DCs also have some of the names registered. PASS - All the DNS entries for DC are registered on DNS server '10.4.223.32' and other DCs also have some of the names registered. Redir and Browser test . . . . . . : Passed List of NetBt transports currently bound to the Redir NetBT_Tcpip_{D6CF41A0-700A-4C55-9CC2-FBEDC88DBC4C} The redir is bound to 1 NetBt transport. List o
RE: [ActiveDir] Ghost in the system
have u got a router on your local LAN? Have a look in the arp cache and see if you can see listings for that IP From: [EMAIL PROTECTED] on behalf of John Parker Sent: Tue 05/10/2004 16:10 To: [EMAIL PROTECTED] Subject: [ActiveDir] Ghost in the system Hey all I have a box that suddenly went offline becasue of a "Duplicate IP" on the network. unable to find this "Duplicate IP", I was forced to change the IP of the box. I have tried ping, nbtstat, ipscanners. I cannot find this ghost IP. I know it is not the machine because I tried it on another with the IP in question and achieved the same result. We are running Win2K fully spacked. Any help would be appreciated. JP List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === <>
RE: [ActiveDir] WAN outage caused issues...
What hosts are these? DNS Servers . . . . . . . . . . . : 10.4.223.31 10.4.223.32 I'm assuming that these are dc's in another site across the WAN correct? Does your local DC host all the zones that are in the Active Directory? If not, why? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:51 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... IPconfig info from the DC in that site: Windows 2000 IP Configuration Host Name . . . . . . . . . . . . : ccvvpldc01 Primary DNS Suffix . . . . . . . : ccc.ourcompany.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : ccc.ourcompany.com ourcompany.com Ethernet adapter Local Area Connection 2: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter #2 Physical Address. . . . . . . . . : 00-0E-7F-B4-97-B8 DHCP Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 10.2.192.223 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.2.192.240 DNS Servers . . . . . . . . . . . : 10.4.223.31 10.4.223.32 Primary WINS Server . . . . . . . : 10.4.223.119 Secondary WINS Server . . . . . . : 10.4.223.120 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Always a point of disagreement. Once the DC has functioning replication and integrated DNS, unless you built your DC's on roller skates this should not be a problem. I hear what you're saying though, and as a best practice it's useful to have the primary dns as an alternate DC. In this case, that would mean that things would break. Russ, can you post the IPCONFIG information for the DC in that site? I suspect we're getting confused by your posts and how it's really configured. SPNEGO errors are often associated with name resolution issues, so it's worthwhile to check. It'd be good to get the same information from the file server that refused the request and a workstation that had the error just for continuity. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 4:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2000 DCs should point to another DC as their primary DNS server. They should point to themselves as secondary. A 2000 DC pointing to himself for primary DNS is subject to "islanding". If his IP address changes, he'll update himself, then cease replicating with the rest of the world (because AD replication is "pull" and the other DCs will never see the new IP address). I think 2003 has logic to avoid this problem so that a DC can be his own DNS server. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:15 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Wouldn't it make more sense to have the server use itself for DNS resolution? I mean, if the wan link goes down, it wouldn't be able to resolve names right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:07 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the sites DC is using HQ as its primary and secondary DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali Sent: Tuesday, October 05, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]'
RE: [ActiveDir] WAN outage caused issues...
They are AD integrated though they should have all they need to logon to the local dc. I cant remember if u said u had a single forest Russ? From: [EMAIL PROTECTED] on behalf of Ken Cornetet Sent: Tue 05/10/2004 21:40 To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Well, there ya go! I'm assuming that there are no root domain DCs in the remote sites. Clients need to be able to do DNS lookups on various things in the "_" subdomains of the root. If your child domain's DCs are set to forward to the root DCs, and the WAN is down, they can't find things. For 2000, my advice is to simply add the root domain as secondaries on the remote DCs DNS. If you are running 2003 on your DCs, you can configure your zones to show up on all DCs in the forest. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 3:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... The domain in question is a child of a root domain yes. Our child domain DNS servers don't point to our root domain for DNS resolution at all. They just forward requests up to the root domain DNS servers if they dont have an answer. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Is the domain in question a child of another domain? Do your remote DCs have secondary zones for the root domain's DNS? For example, if your parent domain is acme.com, and your user domain is coyote.acme.com, do the coyote.acme.com DC's have a secondary for acme.com (or at least the "_" subdomains of acme.com)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clie
RE: [ActiveDir] WAN outage caused issues...
IPconfig info from the DC in that site: Windows 2000 IP Configuration Host Name . . . . . . . . . . . . : ccvvpldc01 Primary DNS Suffix . . . . . . . : ccc.ourcompany.com Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : ccc.ourcompany.com ourcompany.com Ethernet adapter Local Area Connection 2: Connection-specific DNS Suffix . : Description . . . . . . . . . . . : HP NC7781 Gigabit Server Adapter #2 Physical Address. . . . . . . . . : 00-0E-7F-B4-97-B8 DHCP Enabled. . . . . . . . . . . : No IP Address. . . . . . . . . . . . : 10.2.192.223 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.2.192.240 DNS Servers . . . . . . . . . . . : 10.4.223.31 10.4.223.32 Primary WINS Server . . . . . . . : 10.4.223.119 Secondary WINS Server . . . . . . : 10.4.223.120 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:38 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Always a point of disagreement. Once the DC has functioning replication and integrated DNS, unless you built your DC's on roller skates this should not be a problem. I hear what you're saying though, and as a best practice it's useful to have the primary dns as an alternate DC. In this case, that would mean that things would break. Russ, can you post the IPCONFIG information for the DC in that site? I suspect we're getting confused by your posts and how it's really configured. SPNEGO errors are often associated with name resolution issues, so it's worthwhile to check. It'd be good to get the same information from the file server that refused the request and a workstation that had the error just for continuity. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 4:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2000 DCs should point to another DC as their primary DNS server. They should point to themselves as secondary. A 2000 DC pointing to himself for primary DNS is subject to "islanding". If his IP address changes, he'll update himself, then cease replicating with the rest of the world (because AD replication is "pull" and the other DCs will never see the new IP address). I think 2003 has logic to avoid this problem so that a DC can be his own DNS server. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:15 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Wouldn't it make more sense to have the server use itself for DNS resolution? I mean, if the wan link goes down, it wouldn't be able to resolve names right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:07 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the sites DC is using HQ as its primary and secondary DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali Sent: Tuesday, October 05, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time the
RE: [ActiveDir] WAN outage caused issues...
Correct, no root domain DCs at the remote sites, but if the WAN link is down, what good are the root domain as secondaries on the remote DCs DNS going to do? Will it be cached or something? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:40 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Well, there ya go! I'm assuming that there are no root domain DCs in the remote sites. Clients need to be able to do DNS lookups on various things in the "_" subdomains of the root. If your child domain's DCs are set to forward to the root DCs, and the WAN is down, they can't find things. For 2000, my advice is to simply add the root domain as secondaries on the remote DCs DNS. If you are running 2003 on your DCs, you can configure your zones to show up on all DCs in the forest. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 3:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... The domain in question is a child of a root domain yes. Our child domain DNS servers don't point to our root domain for DNS resolution at all. They just forward requests up to the root domain DNS servers if they dont have an answer. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Is the domain in question a child of another domain? Do your remote DCs have secondary zones for the root domain's DNS? For example, if your parent domain is acme.com, and your user domain is coyote.acme.com, do the coyote.acme.com DC's have a secondary for acme.com (or at least the "_" subdomains of acme.com)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PR
RE: [ActiveDir] WAN outage caused issues...
Well, there ya go! I'm assuming that there are no root domain DCs in the remote sites. Clients need to be able to do DNS lookups on various things in the "_" subdomains of the root. If your child domain's DCs are set to forward to the root DCs, and the WAN is down, they can't find things. For 2000, my advice is to simply add the root domain as secondaries on the remote DCs DNS. If you are running 2003 on your DCs, you can configure your zones to show up on all DCs in the forest. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 3:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... The domain in question is a child of a root domain yes. Our child domain DNS servers don't point to our root domain for DNS resolution at all. They just forward requests up to the root domain DNS servers if they dont have an answer. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Is the domain in question a child of another domain? Do your remote DCs have secondary zones for the root domain's DNS? For example, if your parent domain is acme.com, and your user domain is coyote.acme.com, do the coyote.acme.com DC's have a secondary for acme.com (or at least the "_" subdomains of acme.com)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How
RE: [ActiveDir] WAN outage caused issues...
Always a point of disagreement. Once the DC has functioning replication and integrated DNS, unless you built your DC's on roller skates this should not be a problem. I hear what you're saying though, and as a best practice it's useful to have the primary dns as an alternate DC. In this case, that would mean that things would break. Russ, can you post the IPCONFIG information for the DC in that site? I suspect we're getting confused by your posts and how it's really configured. SPNEGO errors are often associated with name resolution issues, so it's worthwhile to check. It'd be good to get the same information from the file server that refused the request and a workstation that had the error just for continuity. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 4:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2000 DCs should point to another DC as their primary DNS server. They should point to themselves as secondary. A 2000 DC pointing to himself for primary DNS is subject to "islanding". If his IP address changes, he'll update himself, then cease replicating with the rest of the world (because AD replication is "pull" and the other DCs will never see the new IP address). I think 2003 has logic to avoid this problem so that a DC can be his own DNS server. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:15 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Wouldn't it make more sense to have the server use itself for DNS resolution? I mean, if the wan link goes down, it wouldn't be able to resolve names right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:07 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the sites DC is using HQ as its primary and secondary DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali Sent: Tuesday, October 05, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [
RE: [ActiveDir] WAN outage caused issues...
Russ, as I stated earlier.. is your remote DC running clean on dcdiag and netdiag? If not then please post results here <>
RE: [ActiveDir] WAN outage caused issues...
The domain in question is a child of a root domain yes. Our child domain DNS servers don't point to our root domain for DNS resolution at all. They just forward requests up to the root domain DNS servers if they dont have an answer. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 3:19 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Is the domain in question a child of another domain? Do your remote DCs have secondary zones for the root domain's DNS? For example, if your parent domain is acme.com, and your user domain is coyote.acme.com, do the coyote.acme.com DC's have a secondary for acme.com (or at least the "_" subdomains of acme.com)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tues
RE: [ActiveDir] WAN outage caused issues...
2000 DCs should point to another DC as their primary DNS server. They should point to themselves as secondary. A 2000 DC pointing to himself for primary DNS is subject to "islanding". If his IP address changes, he'll update himself, then cease replicating with the rest of the world (because AD replication is "pull" and the other DCs will never see the new IP address). I think 2003 has logic to avoid this problem so that a DC can be his own DNS server. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:15 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Wouldn't it make more sense to have the server use itself for DNS resolution? I mean, if the wan link goes down, it wouldn't be able to resolve names right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:07 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the sites DC is using HQ as its primary and secondary DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali Sent: Tuesday, October 05, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject:
RE: [ActiveDir] WAN outage caused issues...
Wouldn't that create a DNS "island" though? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 3:15 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Wouldn't it make more sense to have the server use itself for DNS resolution? I mean, if the wan link goes down, it wouldn't be able to resolve names right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:07 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the sites DC is using HQ as its primary and secondary DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali Sent: Tuesday, October 05, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for reso
RE: [ActiveDir] WAN outage caused issues...
Is the domain in question a child of another domain? Do your remote DCs have secondary zones for the root domain's DNS? For example, if your parent domain is acme.com, and your user domain is coyote.acme.com, do the coyote.acme.com DC's have a secondary for acme.com (or at least the "_" subdomains of acme.com)? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTE
RE: [ActiveDir] WAN outage caused issues...
Wouldn't it make more sense to have the server use itself for DNS resolution? I mean, if the wan link goes down, it wouldn't be able to resolve names right? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 4:07 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the sites DC is using HQ as its primary and secondary DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali Sent: Tuesday, October 05, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From
RE: [ActiveDir] WAN outage caused issues...
No, the sites DC is using HQ as its primary and secondary DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert N. Leali Sent: Tuesday, October 05, 2004 3:02 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for W
RE: [ActiveDir] WAN outage caused issues...
Do you have the site DC/DNS box using itself as the alternate DNS server and the HQ as primary? just a thought. http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:24 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [Active
RE: [ActiveDir] Accept backupuser logon
Ah ha, I was wondering if that was it, but it took an expert to convince me to try it:) Thanks, it is fixed now -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bernard, Aric Sent: Tuesday, October 05, 2004 3:13 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Accept backupuser logon Below you stated that your configuration included: Allow log on through Terminal Services: BUILTIN\administrators Have you tried giving BUILTIN\backup operators this right as well? Aric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 11:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Accept backupuser logon Right, I have allowed the user in remote desktop settings. Still no luck -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 2:30 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon That's correct. http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv r2003 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 05, 2004 2:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Accept backupuser logon Don't they have to be in the remote desktop users group on the DC? John "Douglas M. Long" <[EMAIL PROTECTED] u> To Sent by: <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Accept backupuser 10/05/2004 01:03 logon PM Please respond to [EMAIL PROTECTED] tivedir.org I was jus using the mstsc client, but tried with /console and get the same message: âThe local policy of this system does not permit you to log on interactivelyâ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 12:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon What happens when you try to logon? Are you using mstsc client with the /console switch? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list:Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn't these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated. .+-wi0-+YbmPi0-+bÚf.+-j! 0j!orØyØIV+v* List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ .+-wi0-+YbmPi0-+bÚf.+-j! 0j!orØyØIV+v* .+wYØP×.+j joryIV+v* .+-Šwè†Ûiÿü0Á-Š÷+ƒùšŠYb²Øm˜¸¬´P†Ûiÿü0Á-Š÷+ƒùb²×Úf.+-j·!Š÷¡¶Úÿ 0™¨¥j·!Š÷œ¢oÚrØyØãIšŠVœ¶+Þv*è®
RE: [ActiveDir] WAN outage caused issues...
Yes, they're using their own site's DC for DNS resolution and there is a reverse DNS zone there. DNS is active directory integrated. The DC itself is pointed at HQ for dns lookups on its tcp/ip properties (although I dont think that matters?) -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 1:45 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caus
RE: [ActiveDir] Accept backupuser logon
Below you stated that your configuration included: Allow log on through Terminal Services: BUILTIN\administrators Have you tried giving BUILTIN\backup operators this right as well? Aric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 11:56 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Accept backupuser logon Right, I have allowed the user in remote desktop settings. Still no luck -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 2:30 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon That's correct. http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv r2003 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 05, 2004 2:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Accept backupuser logon Don't they have to be in the remote desktop users group on the DC? John "Douglas M. Long" <[EMAIL PROTECTED] u> To Sent by: <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Accept backupuser 10/05/2004 01:03 logon PM Please respond to [EMAIL PROTECTED] tivedir.org I was jus using the mstsc client, but tried with /console and get the same message: âThe local policy of this system does not permit you to log on interactivelyâ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 12:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon What happens when you try to logon? Are you using mstsc client with the /console switch? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list:Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn't these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated. .+-wi0-+YbmPi0-+bÚf.+-j! 0j!orØyØIV+v* List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ .+-wi0-+YbmPi0-+bÚf.+-j! 0j!orØyØIV+v*
RE: [ActiveDir] Accept backupuser logon
Maybe you need to add builtin\backup operators to this one: Allow log on through Terminal Services: BUILTIN\administrators John "Douglas M. Long" <[EMAIL PROTECTED] u> To Sent by: <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Accept backupuser 10/05/2004 01:56 logon PM Please respond to [EMAIL PROTECTED] tivedir.org Right, I have allowed the user in remote desktop settings. Still no luck -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 2:30 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon That's correct. http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv r2003 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 05, 2004 2:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Accept backupuser logon Don't they have to be in the remote desktop users group on the DC? John "Douglas M. Long" <[EMAIL PROTECTED] u> To Sent by: <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Accept backupuser 10/05/2004 01:03 logon PM Please respond to [EMAIL PROTECTED] tivedir.org I was jus using the mstsc client, but tried with /console and get the same message: âThe local policy of this system does not permit you to log on interactivelyâ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 12:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon What happens when you try to logon? Are you using mstsc client with the /console switch? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list:Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn't these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated. .+-wi0-+YbmPi0-+bÚf.+-j! 0j!orØyØIV+v* List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ .+-?w.+-Šwè†Ûiÿü0Á-Š÷+ƒùšŠYb²Øm˜¸¬´P†Ûiÿü0Á-Š÷+ƒùb²×Úf.+-j·!Š÷¡¶Úÿ 0™¨¥j·!Š÷œ¢oÚrØyØãIšŠVœ¶+Þv*è®
RE: [ActiveDir] Accept backupuser logon
Right, I have allowed the user in remote desktop settings. Still no luck -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 2:30 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon That's correct. http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv r2003 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 05, 2004 2:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Accept backupuser logon Don't they have to be in the remote desktop users group on the DC? John "Douglas M. Long" <[EMAIL PROTECTED] u> To Sent by: <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Accept backupuser 10/05/2004 01:03 logon PM Please respond to [EMAIL PROTECTED] tivedir.org I was jus using the mstsc client, but tried with /console and get the same message: âThe local policy of this system does not permit you to log on interactivelyâ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 12:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon What happens when you try to logon? Are you using mstsc client with the /console switch? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list:Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn't these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated. .+-wi0-+YbmPi0-+bÚf.+-j! 0j!orØyØIV+v* List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ .+-Šwè†Ûiÿü0Á-Š÷+ƒùšŠYb²Øm˜¸¬´P†Ûiÿü0Á-Š÷+ƒùb²×Úf.+-j·!Š÷¡¶Úÿ 0™¨¥j·!Š÷œ¢oÚrØyØãIšŠVœ¶+Þv*è®
RE: [ActiveDir] WAN outage caused issues...
So I have to ask for more information: Are your clients using their own site's DC for DNS resolution? And is there a reverse DNS zone setup there? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 2:35 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004
RE: [ActiveDir] WAN outage caused issues...
OK I got more info. Here's whats in the eventlogs of the workstations during the time they were broken: 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40961 N/A CAE12350828 The Security System could not establish a secured connection with the server cifs/cae123fs01.ourdomain.com. No authentication protocol was available. 10/4/2004 1:53:42 PM LSASRV Warning SPNEGO (Negotiator) 40960 N/A CAE12350828 "The Security System detected an attempted downgrade attack for server cifs/cae123fs01.ourdomain.com. The failure code from authentication protocol Kerberos was ""There are currently no logon servers available to service the logon request. (0xc05e)""." -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 12:00 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted
RE: [ActiveDir] WAN outage caused issues...
Depends on too many variables. Have you checked the local event logs of the workstations affected? What did you find? Can you post a scrubbed version of ipconfig /all from a local affected workstation? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 1:19 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... So we shouldn't have run into this issue.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 11:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corpora
RE: [ActiveDir] Accept backupuser logon
That's correct. http://support.microsoft.com/default.aspx?scid=kb;en-us;289289&Product=winsv r2003 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, October 05, 2004 2:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Accept backupuser logon Don't they have to be in the remote desktop users group on the DC? John "Douglas M. Long" <[EMAIL PROTECTED] u> To Sent by: <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Accept backupuser 10/05/2004 01:03 logon PM Please respond to [EMAIL PROTECTED] tivedir.org I was jus using the mstsc client, but tried with /console and get the same message: âThe local policy of this system does not permit you to log on interactivelyâ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 12:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon What happens when you try to logon? Are you using mstsc client with the /console switch? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list:Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn't these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated. .+-wi0-+YbmPi0-+bÚf.+-j!0j!orØyØIV+v* List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Accept backupuser logon
Don't they have to be in the remote desktop users group on the DC? John "Douglas M. Long" <[EMAIL PROTECTED] u> To Sent by: <[EMAIL PROTECTED]> [EMAIL PROTECTED] cc ail.activedir.org Subject RE: [ActiveDir] Accept backupuser 10/05/2004 01:03 logon PM Please respond to [EMAIL PROTECTED] tivedir.org I was jus using the mstsc client, but tried with /console and get the same message: âThe local policy of this system does not permit you to log on interactivelyâ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 12:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon What happens when you try to logon? Are you using mstsc client with the /console switch? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list:Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn't these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated.
RE: [ActiveDir] Accept backupuser logon
Title: root domain alias I was jus using the mstsc client, but tried with /console and get the same message: “The local policy of this system does not permit you to log on interactively” From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 12:28 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Accept backupuser logon What happens when you try to logon? Are you using mstsc client with the /console switch? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long Sent: Tuesday, October 05, 2004 9:56 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list: Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn't these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated.
RE: [ActiveDir] WAN outage caused issues...
Yes, in a login script. Basically net use x: \\server\share using Kixstart. Shouldn't they be using DNS and not WINS to map these? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 11:31 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Are they mapping their drives in a logon script? If so just check there. If not then you'd have to look on their desktop and see how they have manually mapped the drive. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 12:25 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WAN outage caused issues...
So we shouldn't have run into this issue.. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 11:29 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List arc
RE: [ActiveDir] WAN outage caused issues...
There is a nice web cast related to this available for download from http://support.microsoft.com/default.aspx?scid=kb;en-us;325509 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Burkes, Jeremy [Contractor] Sent: Tuesday, October 05, 2004 10:00 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error pleas
RE: [ActiveDir] WAN outage caused issues...
I believe Windows 2000 and Windows XP will attach their own domain name suffix to search for the host in DNS. For example if you give hostname and the workstation's domain name is domain.com it will try hostname.domain.com to see if it can resolve it in DNS. The search order for Windows 2000 and XP clients I believe is: DNS Cache Local Hosts File (host file) DNS Server LMHost File WINS Jeremy - Jeremy Burkes SSP MIS Department [EMAIL PROTECTED] PH: 202-764-1270 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 12:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ===
RE: [ActiveDir] WAN outage caused issues...
If the client is specifying \\hostname and there is no DNS search suffix set then I believe it will use WINS for name resolution. I could be wrong, but that's my understanding. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ken Cornetet Sent: Tuesday, October 05, 2004 12:29 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... 2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
RE: [ActiveDir] WAN outage caused issues...
Are they mapping their drives in a logon script? If so just check there. If not then you'd have to look on their desktop and see how they have manually mapped the drive. Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 12:25 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Accept backupuser logon
Title: root domain alias What happens when you try to logon? Are you using mstsc client with the /console switch? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. LongSent: Tuesday, October 05, 2004 9:56 AMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Accept backupuser logon OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list: Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn't these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated.
RE: [ActiveDir] WAN outage caused issues...
2k and XP clients will attempt to use DNS first. There is no way (that I know of) where they would try WINS first. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:25 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~~
RE: [ActiveDir] WAN outage caused issues...
How would I know if their drive mappings are using WINS names and not DNS names? \\hostname vs \\hostname.domain.com? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Renouf, Phil Sent: Tuesday, October 05, 2004 10:51 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it
RE: [ActiveDir] WAN outage caused issues...
Are you getting anything in the eventlogs of the local machines? May also be worth dropping a network sniffer onto a hub with an offending PC to see what traffic its pumping out and to where. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:46 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs ==
RE: [ActiveDir] WAN outage caused issues...
If they are using WINS for resolution then yes it could be their issue. If their drive mappings are using WINS names and not DNS names then that would make sense as to why they couldn't map them. I assume they were still able to log on an resolve the DC? Phil -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:46 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List
RE: [ActiveDir] WAN outage caused issues...
No, the site and subnet is defined properly, they're all using their local DC. All users at the remote site had issues. They're using their DC for DNS, and going back to HeadQuarters for WINS. Could the WINS be the issue? They couldn't contact WINS because the WAN link outage, that's for sure. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Mulnick, Al Sent: Tuesday, October 05, 2004 10:37 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WAN outage caused issues...
Sounds like DNS to me is some way or another... can you run dcdiag and netdiag and look for obvious errors. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:34 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WAN outage caused issues...
Were the clients trying to use the remote DCs when they shouldn't be? What was the scope of the problem? Was it all users or just a few users in the site? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: Tuesday, October 05, 2004 11:34 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] WAN outage caused issues... Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WAN outage caused issues...
Yes, all our domain controllers are also DNS servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Robert Rutherford Sent: Tuesday, October 05, 2004 10:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] WAN outage caused issues... Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] WAN outage caused issues...
Has the remote site got its own DNS server? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ Sent: 05 October 2004 16:27 To: '[EMAIL PROTECTED]' Subject: [ActiveDir] WAN outage caused issues... What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ === Scanned for virus infection by Messagelabs === List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Definately OT for Collabrative Calendar
If you have someone who can modify some code you might want to look at Tom Howes' "Enterprise Calendar" sample application. There's a link to it at http://www.slipstick.com/calendar/scheduleall.htm under the Live Group Calendar Tools. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Monday, October 04, 2004 3:30 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Definately OT for Collabrative Calendar I am trying to find some good software to ease some issues we are having. Currently we have a system in place that thru macros mainly I believe. A section leaders exchange calendar is updated with a meeting. That is then created on a Collaborative calendar that shows when that person will be unavailable etc. Basically we need to have one calendar that people can look at to see when all the important people are available or not without the important peoples secretaries having to open up multiple calendars to do it. Does any one know of some software that does this and will work with exchange? Sorry bout the OT. But you guys seem to know so much useful information I can find other places. Jeff List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] WAN outage caused issues...
What's the deal on WAN links going down between AD sites? As long as each site has a Global Catalog, they should be fine, correct? We had a remote site's WAN link go down the other day, and users eventually could not access any network drives (on the local file server even). They rebooted and it took forever to get the ctrl-alt-del logon box too. They couldn't get any network resources at all, just local drives and printers. We're in an Win2k AD domain with SP4. Most of the clients are XP and some are Win2k. Thanks ~~ This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged. This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system. ~~ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Directory Service event
Can you check the backup logs to see what time the backup event should have started and then check with the domain controller? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Tuesday, October 05, 2004 11:07 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Directory Service event I not sure if this event is expected or not. If it was expected as a result of the daily backup I would expect to see it on all of the DC's, that's the concern. >>> [EMAIL PROTECTED] 10/5/2004 6:27:50 AM >>> So is this expected then? Or are you concerned that the other DC's don't show the same events even though your backup program says they are being backed up? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Monday, October 04, 2004 5:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Directory Service event All DC are being backed up, Netbackup 5.1 client. The event does appear at the same time of day every day starting pretty much when I installed the Netbackup client. >>> [EMAIL PROTECTED] 10/4/2004 2:00:12 PM >>> Is this the only DC that you're running backups? Does it occur at the same time every day as if it's a scheduled event? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Monday, October 04, 2004 4:54 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Directory Service event On one of my domain controllers I am getting the following events once a day in the Directory Service event log: (in order listed) Category: Logging/Recovery Event ID: 210 Description: NTDS (796) NTDSA: A full backup is starting. Category: Logging/Recovery Event ID: 220 Description: NTDS (796) NTDSA: Beginning the backup of the file S:\NTDS\ntds.dit (size 24 Mb). Category: Logging/Recovery Event ID: 221 Description: NTDS (796) NTDSA: Ending the backup of the file S:\NTDS\ntds.dit. Category: Logging/Recovery Event ID: 223 Description: NTDS (796) NTDSA: Starting the backup of log files (range T:\NTDS\edb0004C.log - T:\NTDS\edb0004C.log). Category: Logging/Recovery Event ID: 213 Description: NTDS (796) NTDSA: The backup procedure has been successfully completed. This is the only DC that I am getting this Directory Service event. I can't find much info on the event ID's. Any ideas about this event or why they only appear on one of 5 DC's (2 for root, 3 for sub) would be greatly appreciated. Thanks Nathan List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Ghost in the system
Hey all I have a box that suddenly went offline becasue of a "Duplicate IP" on the network. unable to find this "Duplicate IP", I was forced to change the IP of the box. I have tried ping, nbtstat, ipscanners. I cannot find this ghost IP. I know it is not the machine because I tried it on another with the IP in question and achieved the same result. We are running Win2K fully spacked. Any help would be appreciated. JP List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Directory Service event
I not sure if this event is expected or not. If it was expected as a result of the daily backup I would expect to see it on all of the DC's, that's the concern. >>> [EMAIL PROTECTED] 10/5/2004 6:27:50 AM >>> So is this expected then? Or are you concerned that the other DC's don't show the same events even though your backup program says they are being backed up? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Monday, October 04, 2004 5:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Directory Service event All DC are being backed up, Netbackup 5.1 client. The event does appear at the same time of day every day starting pretty much when I installed the Netbackup client. >>> [EMAIL PROTECTED] 10/4/2004 2:00:12 PM >>> Is this the only DC that you're running backups? Does it occur at the same time every day as if it's a scheduled event? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Monday, October 04, 2004 4:54 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Directory Service event On one of my domain controllers I am getting the following events once a day in the Directory Service event log: (in order listed) Category: Logging/Recovery Event ID: 210 Description: NTDS (796) NTDSA: A full backup is starting. Category: Logging/Recovery Event ID: 220 Description: NTDS (796) NTDSA: Beginning the backup of the file S:\NTDS\ntds.dit (size 24 Mb). Category: Logging/Recovery Event ID: 221 Description: NTDS (796) NTDSA: Ending the backup of the file S:\NTDS\ntds.dit. Category: Logging/Recovery Event ID: 223 Description: NTDS (796) NTDSA: Starting the backup of log files (range T:\NTDS\edb0004C.log - T:\NTDS\edb0004C.log). Category: Logging/Recovery Event ID: 213 Description: NTDS (796) NTDSA: The backup procedure has been successfully completed. This is the only DC that I am getting this Directory Service event. I can't find much info on the event ID's. Any ideas about this event or why they only appear on one of 5 DC's (2 for root, 3 for sub) would be greatly appreciated. Thanks Nathan List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
[ActiveDir] Unauthorized Java Applets
Is there a way via GPO to disable only certain Java Applets? Or better yet, only approve specific ones? I know that I can disable Java within IE but certain every tasks depend on Java Applets, specifically the time clock. We have several people here that are using, for example, the Java based version of AOL instant messenger. Of course management shouldn’t have to tell them this but as we all know, some people learn things the hard way. Thank you for your replies, Edwin
[ActiveDir] Accept backupuser logon
Title: root domain alias OK, I have created a user and added it to the backup operators in built-in. Now I want to be able to logon (through remote desktop) to my DCs with this user to setup my backups. I have two template policies from Hardening Windows Server 2003 in place, with the following Settings: Top policy in list: Allow log on locally: BUILTIN\administrators, BUILTIN\backup operators, BUILTIN\account operators, BUILTIN\server operators, BUILTIN\print operators Deny log on locally: DOMAIN\support_388945a0 Bottom policy in list: Allow log on locally: BUILTIN\backup operators, BUILTIN\administrators Allow log on through Terminal Services: BUILTIN\administrators No deny log on locally settings Now shouldn’t these settings allow me to logon as a member of the BUILTIN\backup operators group? What am I missing? Is there a better way to set up backups without logging in to the DC (which would be much better)? Any help is much appreciated.
RE: [ActiveDir] Directory Service event
So is this expected then? Or are you concerned that the other DC's don't show the same events even though your backup program says they are being backed up? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Monday, October 04, 2004 5:14 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Directory Service event All DC are being backed up, Netbackup 5.1 client. The event does appear at the same time of day every day starting pretty much when I installed the Netbackup client. >>> [EMAIL PROTECTED] 10/4/2004 2:00:12 PM >>> Is this the only DC that you're running backups? Does it occur at the same time every day as if it's a scheduled event? Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nathan Casey Sent: Monday, October 04, 2004 4:54 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Directory Service event On one of my domain controllers I am getting the following events once a day in the Directory Service event log: (in order listed) Category: Logging/Recovery Event ID: 210 Description: NTDS (796) NTDSA: A full backup is starting. Category: Logging/Recovery Event ID: 220 Description: NTDS (796) NTDSA: Beginning the backup of the file S:\NTDS\ntds.dit (size 24 Mb). Category: Logging/Recovery Event ID: 221 Description: NTDS (796) NTDSA: Ending the backup of the file S:\NTDS\ntds.dit. Category: Logging/Recovery Event ID: 223 Description: NTDS (796) NTDSA: Starting the backup of log files (range T:\NTDS\edb0004C.log - T:\NTDS\edb0004C.log). Category: Logging/Recovery Event ID: 213 Description: NTDS (796) NTDSA: The backup procedure has been successfully completed. This is the only DC that I am getting this Directory Service event. I can't find much info on the event ID's. Any ideas about this event or why they only appear on one of 5 DC's (2 for root, 3 for sub) would be greatly appreciated. Thanks Nathan List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Definately OT for Collabrative Calendar
Are you looking for something other than f/b schedule times? Can you expand on what you're after? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: Monday, October 04, 2004 6:30 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Definately OT for Collabrative Calendar I am trying to find some good software to ease some issues we are having. Currently we have a system in place that thru macros mainly I believe. A section leaders exchange calendar is updated with a meeting. That is then created on a Collaborative calendar that shows when that person will be unavailable etc. Basically we need to have one calendar that people can look at to see when all the important people are available or not without the important peoples secretaries having to open up multiple calendars to do it. Does any one know of some software that does this and will work with exchange? Sorry bout the OT. But you guys seem to know so much useful information I can find other places. Jeff List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] slow communication
If the problem is opening recordsets then you should have a look at the server itself after verifying that you get the same results with some other application. What you would be looking for is verification that it's not the program that is using a poorly written query. If the query is optimized, and you still have the problem then look at the server configuration (hardware) to verify that the problem is not there. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of cyrus Sent: Tuesday, October 05, 2004 7:15 AM To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] slow communication greetings paul, i think my problem regards timeout is only related to SQL Server, to test this i wrote a vb6 app not to use SQL as backend instead it uses access, my app resides in the server so workstation user could run it on any computer available, and this does not cause any timeout. and also i found out that the timeout does not occur when connecting to the server, it is when it starts to open the recordsets.(now I'm a little lost) even it opens only 1 recordset.\ timeout occurs rgds cyrus Paul van Geldrop writes: > Cyrus, > > Are there any specific error messages appearing on the SQL Server ? > Perhaps using a packetsniffer to have a look at the network traffic > might also give some insight into why the connection times out. > Has anything recently changed in the network/server/database, no > matter how insignificant ? Even the addition of a network card with a > faulty NIC might cause enough disruptions on the network to cause > timeouts. > I'd give the packet sniffer a definite go, as that can often help with > tracing down communications problem. > Have any others problem shown themselves ? Long waiting for share > connections, for example, high ping times, etc ? > > Regards, > > Paul. > > PS: As to my previous remark regarding the domain, please ignore it. > ;) > > - Original Message - From: <[EMAIL PROTECTED]> > To: <[EMAIL PROTECTED]> > Sent: Wednesday, September 29, 2004 7:55 AM > Subject: Re: [ActiveDir] slow communication > > >> greetings paul, >> first it my first time to send message to this site, need ur guidance >> to how i can send porperly. >> were doing app vb6 as front end and sql as backend, workstation r >> connected tru hubs, when we run the app it takes long to connect to >> the sql server database, thus we r receiving msg relating to "TIMEOUT >> EXPIRED" >> my real problem is knowing were the prob is, is it the window 2000 >> server, sql 2000 server or the vb6 app designer or even the hubs were >> using. but it was not like this b4...with this i dont have any idea >> how to solve or what to reconfigure. >> thanks >> cyrus >> >> >> >> Paul writes: >>> Some more information on the systems might be handy (service packs, >>> hotfixes, etc) and what kind of application.. and how are they >>> connected ? >>> And, perhaps somewhat offtopic, but.. how come you're mailing from >>> our domainname.. ? (am-ende.net) Regards, Paul van Geldrop. - >>> Original Message - >>> From: <[EMAIL PROTECTED]> >>> To: <[EMAIL PROTECTED]> >>> Sent: Tuesday, September 28, 2004 12:18 PM >>> Subject: [ActiveDir] slow communication greetings, first of all i'm not sure were problem is, we have window2000 server and SqlServer 2000, when we execute vb6 application to access sql server its very frequent that we r receiving TIMEOUT EXPIRED, I m not sure if >>> SQLServer or window2000 server or VB6 is causing the problem. coz i dont have any >>> idea on how or if any , a way to test and identify the problem. any suggestion >>> ? thnks cyrus List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ >>> >>> List info : http://www.activedir.org/mail_list.htm >>> List FAQ: http://www.activedir.org/list_faq.htm >>> List archive: >>> http://www.mail-archive.com/activedir%40mail.activedir.org/ >> >> >> List info : http://www.activedir.org/mail_list.htm >> List FAQ: http://www.activedir.org/list_faq.htm >> List archive: >> http://www.mail-archive.com/activedir%40mail.activedir.org/ > > List info : http://www.activedir.org/mail_list.htm > List FAQ: http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Screensaver GPO not applying?
Hmm.. Good point That might be the case, I'll take a look. Thanks for your suggestion! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mark WoodsSent: Tuesday, October 05, 2004 3:14 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? I had a issue very similar to this, it was caused by the power settings within the Display Properties, by default this is set to 'Turn off monitor' after 20 minutes, setting this to Never made the screen saver kick in, I had to set this manually on each build as I couldn't find a way to script it. -mark From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael WassellSent: 04 October 2004 18:43To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? That's what I thought as well. The value is the correct type (REG_SZ) and the GPO is enforced, but I am still having the same issue. The weirdest part is that RSoP shows that the settings are applying, but does not actually apply. Does anyone else have an idea? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Monday, October 04, 2004 1:26 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? The GPO doesn't have to look at the path. All the GPO does is punch in a registry value and its up to Windows to find the file. It will work fine if you just enter in the .scr file name and don't put a path. I've tested this and it works as expected. So I suspect you have another problem. Also note that this registry value is not of type REG_EXPAND_SZ, which means if you put something like %systemroot% in there, Windows will not expand that value correctly when the screensaver path is resolved. You would have to put in C:\windows explicitly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.Sent: Monday, October 04, 2004 10:00 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? The GPO does not look at the PATH variable on each PC, it processes what it is told only, it does not make assumptions. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael WassellSent: Monday, October 04, 2004 12:47 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? Hmm.. I thought if the files were located in that location the path did not need to be specified. I'll give it a shot... Thanks! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.Sent: Monday, October 04, 2004 12:24 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? You must have in the GPO %systemroot%\system32\logon.scr for this to work correctly. Just having the file name will not work. This is how I do it and I have no problems. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael WassellSent: Monday, October 04, 2004 12:12 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Screensaver GPO not applying? I posted this elsewhere but have gotten no responses yet. Thought I would post it here also to try to gather some opinions. Workstations are mixed 2000 / XP professional. DC's are Windows 2003 and domain is running in Windows 2003 native mode. Desired screensaver is logon.scr. Default installation path for logon.scr is %SYSTEMROOT%\System32\. Path is not specified in GPO, only filename. RSoP shows that the policies are processing properly. The setting seems to apply properly to XP machines but not to 2000 machines. Has anyone else seen or heard of this problem before? I did find a MSKB article regarding the symptom, but it only mentions that the symptom occurs in Windows 2000 domains, and pre-SP3 Windows 2000 machines, neither of which are the case. For anyone curious here is a link: http://support.microsoft.com/?kbid=305357 Michael Wassell Network Administrator PT Marketing Group Pittsburgh, Pennsylvania 15222 Phone: 412-471-8995 / Fax: 412-471-8695 **This e-mail has been scanned for viruses by Edwin Coe at the mail gateway** This email and any attachments are confidential, legally privileged and protected by copyright. If you are not the intended recipient, then the dissemination or copying of this email is prohibited.If you have received this in error, please notify the sender by replying by email and then delete the email completely from your system.This email and any attachments have been scanned for viruses, but it is the responsibility of recipients to conduct their own security measures. No responsibility is accepted by Edwin Coe for loss or damage arising from the receipt or use of this email, nor for personal emails, or emails unconnected with the firm's or clients' business.A list of the names of the partners of Edwin Coe, can be inspected at 2 Stone Buildings, Lincolns Inn, Lon
Re: [ActiveDir] slow communication
greetings paul, i think my problem regards timeout is only related to SQL Server, to test this i wrote a vb6 app not to use SQL as backend instead it uses access, my app resides in the server so workstation user could run it on any computer available, and this does not cause any timeout. and also i found out that the timeout does not occur when connecting to the server, it is when it starts to open the recordsets.(now I'm a little lost) even it opens only 1 recordset.\ timeout occurs rgds cyrus Paul van Geldrop writes: Cyrus, Are there any specific error messages appearing on the SQL Server ? Perhaps using a packetsniffer to have a look at the network traffic might also give some insight into why the connection times out. Has anything recently changed in the network/server/database, no matter how insignificant ? Even the addition of a network card with a faulty NIC might cause enough disruptions on the network to cause timeouts. I'd give the packet sniffer a definite go, as that can often help with tracing down communications problem. Have any others problem shown themselves ? Long waiting for share connections, for example, high ping times, etc ? Regards, Paul. PS: As to my previous remark regarding the domain, please ignore it. ;) - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Wednesday, September 29, 2004 7:55 AM Subject: Re: [ActiveDir] slow communication greetings paul, first it my first time to send message to this site, need ur guidance to how i can send porperly. were doing app vb6 as front end and sql as backend, workstation r connected tru hubs, when we run the app it takes long to connect to the sql server database, thus we r receiving msg relating to "TIMEOUT EXPIRED" my real problem is knowing were the prob is, is it the window 2000 server, sql 2000 server or the vb6 app designer or even the hubs were using. but it was not like this b4...with this i dont have any idea how to solve or what to reconfigure. thanks cyrus Paul writes: Some more information on the systems might be handy (service packs, hotfixes, etc) and what kind of application.. and how are they connected ? And, perhaps somewhat offtopic, but.. how come you're mailing from our domainname.. ? (am-ende.net) Regards, Paul van Geldrop. - Original Message - From: <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Tuesday, September 28, 2004 12:18 PM Subject: [ActiveDir] slow communication greetings, first of all i'm not sure were problem is, we have window2000 server and SqlServer 2000, when we execute vb6 application to access sql server its very frequent that we r receiving TIMEOUT EXPIRED, I m not sure if SQLServer or window2000 server or VB6 is causing the problem. coz i dont have any idea on how or if any , a way to test and identify the problem. any suggestion ? thnks cyrus List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] [ActiveDir Digest]
In the past, I have simply enabled 'user must change password at next logon' as part of the user creation process. The user will then be *forced* to change his/her password at next (i.e. first) logon and cannot continue to work until that pw change has been actioned. Thanks, Neil PS I am assuming that you did *not* set the above flag when creating users. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: 05 October 2004 04:12 Subject: [ActiveDir Digest] - Subject: [ActiveDir] Minimum Password Age Date: Mon, 4 Oct 2004 08:54:27 -0600 From: "Travis Riddle" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] Our password policy is set up as follows: Minimum 8 characters Remember 6 passwords Maximium Password Age 90 days Minimum Password Age 15 days Require Complex passwords Windows 2003 3 Sites GC at each site So we just created approximatly 50 new users and assigned them a semi-generic passowrd that they need to change upon login. The problem is they cannot change their password upon login because it hasn't been 15 days since the password was created (I assume). Is this by design? If so how do you get around it? How am I suppose to create new users in the future if this is the case (besides creating them 15 days in advance) My first guess at a solution to this problem is to change the minimum password age to 0, allowing users to change their password immediately. I tried this and forced a refresh on the machine policy with no luck. Does anyone have any ideas of what to do? I now have 50 users that were suppose to be able to be working today not able to log in unless we change their password to NOT change upon login (so they all have the same easy to use password). Am I missing something simple? Any idea's are appreciated. Thanks, Travis - Subject: RE: [ActiveDir] Minimum Password Age Date: Mon, 4 Oct 2004 11:33:01 -0400 From: "Rick Boza" <[EMAIL PROTECTED]> Reply-To: [EMAIL PROTECTED] This is a multi-part message in MIME format. --_=_NextPart_001_01C4AA27.CA1C8B32 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Nope, it shouldn't work like that. I just tested it in fact with your = settings and the result I get is what I expected - they are prompted = with a message that "they are required to change their password at first = login." The password change then works fine. =20 What error are they getting? Any events on the DCs? From: [EMAIL PROTECTED] on behalf of Travis Riddle Sent: Mon 10/4/2004 10:54 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Minimum Password Age Our password policy is set up as follows: Minimum 8 characters Remember 6 passwords Maximium Password Age 90 days Minimum Password Age 15 days Require Complex passwords Windows 2003 3 Sites GC at each site So we just created approximatly 50 new users and assigned them a semi-generic passowrd that they need to change upon login. The problem is they cannot change their password upon login because it hasn't been 15 days since the password was created (I assume). Is this by design? If so how do you get around it? How am I suppose to create new users in the future if this is the case (besides creating them 15 days in advance) My first guess at a solution to this problem is to change the minimum password age to 0, allowing users to change their password immediately. I tried this and forced a refresh on the machine policy with no luck. Does anyone have any ideas of what to do? I now have 50 users that were suppose to be able to be working today not able to log in unless we change their password to NOT change upon login (so they all have the same easy to use password). Am I missing something simple? Any idea's are appreciated. Thanks, Travis List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: = http://www.mail-archive.com/activedir%40mail.activedir.org/ == This message is for the sole use of the intended recipient. If you received this message in error please delete it and notify us. If this message was misdirected, CSFB does not waive any confidentiality or privilege. CSFB retains and monitors electronic communications sent through its network. Instructions transmitted over this system are not binding on CSFB until they are confirmed by us. Message transmission is not guaranteed to be secure. == List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Definately OT for Collabrative Calendar
Have a look at AgendaX. It uses a web interface and does IIS and a number of other components. I can't remember if a separate database is required or if it supports its own. I know you can use it with Oracle and SQL. This is based on CDO and I believe works with 5.5 and 2003. Jacqui -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Cothern Jeff D. Team EITC Sent: 04 October 2004 23:30 To: [EMAIL PROTECTED] Subject: [ActiveDir] Definately OT for Collabrative Calendar I am trying to find some good software to ease some issues we are having. Currently we have a system in place that thru macros mainly I believe. A section leaders exchange calendar is updated with a meeting. That is then created on a Collaborative calendar that shows when that person will be unavailable etc. Basically we need to have one calendar that people can look at to see when all the important people are available or not without the important peoples secretaries having to open up multiple calendars to do it. Does any one know of some software that does this and will work with exchange? Sorry bout the OT. But you guys seem to know so much useful information I can find other places. Jeff List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Screensaver GPO not applying?
I had a issue very similar to this, it was caused by the power settings within the Display Properties, by default this is set to 'Turn off monitor' after 20 minutes, setting this to Never made the screen saver kick in, I had to set this manually on each build as I couldn't find a way to script it. -mark From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael WassellSent: 04 October 2004 18:43To: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? That's what I thought as well. The value is the correct type (REG_SZ) and the GPO is enforced, but I am still having the same issue. The weirdest part is that RSoP shows that the settings are applying, but does not actually apply. Does anyone else have an idea? From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-EliaSent: Monday, October 04, 2004 1:26 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? The GPO doesn't have to look at the path. All the GPO does is punch in a registry value and its up to Windows to find the file. It will work fine if you just enter in the .scr file name and don't put a path. I've tested this and it works as expected. So I suspect you have another problem. Also note that this registry value is not of type REG_EXPAND_SZ, which means if you put something like %systemroot% in there, Windows will not expand that value correctly when the screensaver path is resolved. You would have to put in C:\windows explicitly. From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.Sent: Monday, October 04, 2004 10:00 AMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? The GPO does not look at the PATH variable on each PC, it processes what it is told only, it does not make assumptions. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael WassellSent: Monday, October 04, 2004 12:47 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? Hmm.. I thought if the files were located in that location the path did not need to be specified. I'll give it a shot... Thanks! From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.Sent: Monday, October 04, 2004 12:24 PMTo: [EMAIL PROTECTED]Subject: RE: [ActiveDir] Screensaver GPO not applying? You must have in the GPO %systemroot%\system32\logon.scr for this to work correctly. Just having the file name will not work. This is how I do it and I have no problems. -Original Message-From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael WassellSent: Monday, October 04, 2004 12:12 PMTo: [EMAIL PROTECTED]Subject: [ActiveDir] Screensaver GPO not applying? I posted this elsewhere but have gotten no responses yet. Thought I would post it here also to try to gather some opinions. Workstations are mixed 2000 / XP professional. DC's are Windows 2003 and domain is running in Windows 2003 native mode. Desired screensaver is logon.scr. Default installation path for logon.scr is %SYSTEMROOT%\System32\. Path is not specified in GPO, only filename. RSoP shows that the policies are processing properly. The setting seems to apply properly to XP machines but not to 2000 machines. Has anyone else seen or heard of this problem before? I did find a MSKB article regarding the symptom, but it only mentions that the symptom occurs in Windows 2000 domains, and pre-SP3 Windows 2000 machines, neither of which are the case. For anyone curious here is a link: http://support.microsoft.com/?kbid=305357 Michael Wassell Network Administrator PT Marketing Group Pittsburgh, Pennsylvania 15222 Phone: 412-471-8995 / Fax: 412-471-8695 **This e-mail has been scanned for viruses by Edwin Coe at the mail gateway** This email and any attachments are confidential, legally privileged and protected by copyright. If you are not the intended recipient, then the dissemination or copying of this email is prohibited. If you have received this in error, please notify the sender by replying by email and then delete the email completely from your system. This email and any attachments have been scanned for viruses, but it is the responsibility of recipients to conduct their own security measures. No responsibility is accepted by Edwin Coe for loss or damage arising from the receipt or use of this email, nor for personal emails, or emails unconnected with the firm's or clients' business. A list of the names of the partners of Edwin Coe, can be inspected at 2 Stone Buildings, Lincolns Inn, London WC2A 3TH