RE: permissions problem
My guess would be DNS. Enable all audit logs and check. Before you even attempt to do anything else make sure DNS is absolutely working 100%.

Z.V.

From: Len Hammond [mailto:[EMAIL PROTECTED]
Sent: Saturday, January 19, 2008 10:23 PM
To: NT System Admin Issues
Subject: permissions problem

Hi people,

Been off the list a while. My corporate gig ended a while back and now I'm doing some freelance stuff while looking for another permanent position. But now I have a problem with a new domain I'm setting up for a small non-profit.

Background:
New domain (they are peer to peer until I get the new domain built and installed)
New DC (HP dl380) - Server 2003 - file print shares
New database member server (HP dl360) - Server 2003 - small database program and a couple of small, low usage file shares.
One XP workstation

Problem: for some reason I can't set domain permissions on the member server shares. When attempting to set permissions the only item in the list is the member server name, the DC server name is not listed and the 'location' selection button and selection line is not accessible and cannot be changed from the member server name to the domain name. The member server is a member of the domain. I even tried removing the member server and adding it back to the domain without success.

It has been a long time since I set up a new domain with more than one server so maybe my feeble memory is forgetting a step in the setup. My googling has not turned up an answer yet. Could someone kindly refresh my memory?

Thanks

--
Len Hammond
Hammond Enterprises
[EMAIL PROTECTED]
Re: permissions problem
I don't think there's anything special needed - the default configuration should allow what you want. You should see what groups your account is in, what's in the local administrators group on the second machine, what GPOs apply, and review anything else you might have configured.

Steve

----- Original Message -----
From: Len Hammond
To: NT System Admin Issues
Sent: Sunday, January 20, 2008 8:49 AM
Subject: Re: permissions problem

I was using a Domain Admin Account. Although the local admin account does exactly the same thing.

I'm thinking that I missed something in the setup of the DC - like enabling something in policy that would let a Domain Admin set things on member servers. I must not be googling for the right keywords because this should not be this obscure to find the solution to. It can't be that hard as I've done it for another scratch built domain a couple of years ago. I just can't seem to remember what it was. scowls at self

Len

Was it something about delegation of authority? on the DC?

Len

On Jan 19, 2008 10:32 PM, Steve Pruitt [EMAIL PROTECTED] wrote:

Are you using a domain admin account or a local admin account on the second server? That sounds like a local account, though I haven't tried doing that.

Steve
Re: permissions problem
Have you checked to see that there are no firewalls up? Does the DC also have DNS/DHCP running? Are both machines in the same subnet? You said anything but these are usually the things that occur first when doing any testing.

Jon

On Jan 20, 2008 12:56 PM, Len Hammond [EMAIL PROTECTED] wrote:

It's a brand new domain and I have made NO policy changes to the DC. I have enabled several services that I always enable like Messenger and Alerter services so that users can get print job completion notices and such but that is all of the changes made. I didn't remember making any changes to the other domains I created to get this to work.

In this domain I have set the Admin password to the member server the same as the password to the admin account for the domain and there might be some kind of confusion in the member server over that. After lunch today I will change the Admin password in the domain and see if that makes any changes and lets me do what I need to do.

Keep the ideas coming - I'll try just about anything at this point.

Thanks for the thoughts

Len
Re: permissions problem
I had done that previously but retested right now and the results are the same. When creating a share and setting share or NTFS permissions the list for selecting the location from where the permissions should be set contains only the member server and not the DC or any other item.

Len

On Jan 20, 2008 1:01 PM, Steve Pruitt [EMAIL PROTECTED] wrote:

Create a new domain account and make it a member of Domain Admins. Then log in to the second server with that and see what it can do.
RE: permissions problem
DNS is a required service for Active Directory. You need to configure a Windows DNS server and load your domain zone.

S

From: Len Hammond [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 20, 2008 3:29 PM
To: NT System Admin Issues
Subject: Re: permissions problem

Yes, I had checked those first and no firewalls are up between the two servers or on either of the servers. The servers are on the same subnet with the same DNS server IP. There are no problems pinging from any box to any other box on the network by name or IP regardless of domain or workgroup membership.

As I am building this in my home prior to delivering this to the organization that it is intended for, all machines in this domain, (currently 1 DC, 1 member server and 1 workstation) are on the same subnet. And currently the DHCP and DNS are being handled by my Netgear Firewall/Router. All three of these machines along with my personal workstation, my wife's workstation, my son's workstation and my laptop are on the same subnet - all receiving DHCP from the Netgear device. This being a Netgear WGT624, the default config for the WGT is to deliver its internal IP address as both DHCP and DNS server IP addresses.

Currently I can ping all networked workstations in the house by name and by address regardless that my personal workstation, my wife's workstation and my laptop are in one workgroup, my son's workstation in another workgroup and the two servers and one workstation in the same Domain. All computers can surf the web without problems.

The network that these units are headed for also has DHCP and DNS served by the Linksys firewall/router installed there. I had kind of planned to at least move DHCP to the Domain Controller and was thinking about the DNS as well, but had not made my mind up yet on that. They are not hosting any e-mail or web stuff there, that is done outside so having to split DNS between inside and outside stuff should not be needed. At least as I understand it right now.

Thanks for making me cover the basics in the post
Re: permissions problem
I'll get DNS installed. Can I point the Domain DNS to the Netgear and then out of the building? If I make the DC the only DNS server the other workgroup machines will lose the Internet and I need the rest to stay connected. The Domain will depart my house in a few days when I get a couple more workstations built.

On Jan 20, 2008 2:33 PM, NTSysAdmin [EMAIL PROTECTED] wrote:

DNS is a required service for Active Directory. You need to configure a Windows DNS server and load your domain zone.

S
Re: permissions problem
Pointing DNS to the Netgear on the DC should be sufficient for your needs, and ultimately, you'll change it when you deliver the servers to the client.

On Jan 20, 2008 4:55 PM, Len Hammond [EMAIL PROTECTED] wrote:

I'll get DNS installed. Can I point the Domain DNS to the Netgear and then out of the building? If I make the DC the only DNS server the other workgroup machines will lose the Internet and I need the rest to stay connected. The Domain will depart my house in a few days when I get a couple more workstations built.
RE: permissions problem
The DC DNS should only be servicing the domain members, not the rest of your PCs, they can stay on the Netgear. As long as your network properties DNS entries on the domain members reflect the DC DNS, (and that includes the DC), and the Netgear's IP as the gateway you should be rolling in no time. The Netgear's IP should be put in the forwarders tab of the DNS server's properties.

Any reason you didn't use SBS 2003 to save them some money?

S

From: Len Hammond [mailto:[EMAIL PROTECTED]
Sent: Sunday, January 20, 2008 5:56 PM
To: NT System Admin Issues
Subject: Re: permissions problem

I'll get DNS installed. Can I point the Domain DNS to the Netgear and then out of the building? If I make the DC the only DNS server the other workgroup machines will lose the Internet and I need the rest to stay connected. The Domain will depart my house in a few days when I get a couple more workstations built.
RE: permissions problem
It really makes no difference what DNS server you use. HOWEVER Domain joined clients need to be able to locate SRV (Service) records for DCs, GCs etc in the DNS. It appears at the moment that your Netgear DNS service doesn't accept registration of these records, so no domain joined machines are able to properly locate the DC.

So, put a DNS server on your domain controller. Point your domain joined clients to that DNS server. Your workgroup machines can point to whatever DNS server you want (e.g. your Netgear box if you want) And the DNS server on your DC can use any number of possible ways of resolving addresses (root hints, forwarding etc).

Cheers
Ken

From: Len Hammond [EMAIL PROTECTED]
Sent: Monday, 21 January 2008 8:55 AM
To: NT System Admin Issues
Subject: Re: permissions problem

I'll get DNS installed. Can I point the Domain DNS to the Netgear and then out of the building. If I make the DC the only DNS server the other workgroup machines will lose the Internet and I need the rest to stay connected. The Domain will depart my house in a few days when I get a couple more workstations built.

On Jan 20, 2008 2:33 PM, NTSysAdmin [EMAIL PROTECTED] wrote:

DNS is a required service for Active Directory. You need to configure a windows DNS server and load your domain zone.

S

From: Len Hammond [mailto:[EMAIL PROTECTED]]
Sent: Sunday, January 20, 2008 3:29 PM
To: NT System Admin Issues
Subject: Re: permissions problem

Yes, I had checked those first and no firewalls are up between the two servers or on either of the servers. The servers are on the same subnet with the same DNS server IP. There are no problems pinging from any box to any other box on the network by name or IP regardless of domain or workgroup membership. As I am building this in my home prior to delivering this to the organization that it is intended for, all machines in this domain, (currently 1 DC, 1 member server and 1 workstation) are on the same subnet.
And currently the DHCP and DNS are being handled by my Netgear Firewall/Router.
Re: permissions problem
Problem solved! Thanks for the help. Misconfigured DNS was the problem.

DNS *was* installed in the DC. However, it chose a 192.168.x.x subnet for itself and the Netgear is configured for a 172.17.x.x subnet due to the fact that the head end of the Comcast cable I'm on has issues with 192... according to Comcast. (spent 2 hours on with them on original installation to get it to work)

Anyway, the DNS in the DC had some of it set to 192... and some to 172... That's why things couldn't find other things. Once I made everything the same 172... and rebooted both servers it's all working. (then my wife made me power down the servers and the UPS so they could watch a movie. :) I'm building this network in my family room until I get it ready to install)

So, as usual the folks on this list ask the right questions and provide the right answers to find the problem and suggest the proper fix. Thanks again for the timely help on a weekend.

Len Hammond
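The two DNS faults named in this thread (a DNS server that holds no DC locator SRV records, and DC records left on a different subnet) can be modelled as a small offline check. This is an added example, not code from any poster; the domain name `example.local`, the host names, the addresses and the /16 mask are constructed assumptions.

```python
import ipaddress

DOMAIN = "example.local"  # hypothetical AD domain; the thread never names one
LOCATOR = f"_ldap._tcp.dc._msdcs.{DOMAIN}"  # SRV name members query to find a DC

# Constructed data: what each DNS server on the lab subnet would answer.
DNS_SERVERS = {
    "172.17.0.1": {"srv": {}, "a": {}},  # router DNS: no AD records registered
    "172.17.0.10": {                     # DNS on the DC with a leftover 192.168 record
        "srv": {LOCATOR: ["dc1.example.local"]},
        "a": {"dc1.example.local": ["192.168.0.10", "172.17.0.10"]},
    },
}

def check_member(name, ip_with_prefix, dns_servers, zones=DNS_SERVERS):
    """Return findings explaining why `name` may fail to locate a DC.

    Assumes the single flat subnet described in the thread, so any
    address outside the member's own network is reported.
    """
    iface = ipaddress.ip_interface(ip_with_prefix)
    findings = []
    for server in dns_servers:
        if ipaddress.ip_address(server) not in iface.network:
            findings.append(f"{name}: DNS server {server} is outside {iface.network}")
        zone = zones.get(server)
        if zone is None:
            findings.append(f"{name}: DNS server {server} does not answer")
            continue
        targets = zone["srv"].get(LOCATOR, [])
        if not targets:
            findings.append(f"{name}: {server} has no SRV record {LOCATOR}")
        for target in targets:
            addrs = zone["a"].get(target, [])
            if not addrs:
                findings.append(f"{name}: {server} has no A record for {target}")
            for addr in addrs:
                if ipaddress.ip_address(addr) not in iface.network:
                    findings.append(
                        f"{name}: {target} resolves to {addr}, outside {iface.network}")
    return findings

if __name__ == "__main__":
    for dns in ("172.17.0.1", "172.17.0.10"):
        for line in check_member("member1", "172.17.0.20/16", [dns]):
            print(line)
```

Ping by name still succeeds in both failing cases, because ordinary host lookups do not depend on the SRV records that the DC locator uses.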
Re: permissions problem
Are you using a domain admin account or a local admin account on the second server? That sounds like a local account, though I haven't tried doing that.

Steve

- Original Message -
From: Len Hammond
To: NT System Admin Issues
Sent: Saturday, January 19, 2008 10:23 PM
Subject: permissions problem

Hi people,

Been off the list a while. My corporate gig ended a while back and now I'm doing some freelance stuff while looking for another permanent position. But now I have a problem with a new domain I'm setting up for a small non-profit.

Background:
New domain (they are peer to peer until I get the new domain built and installed)
New DC (HP dl380) - Server 2003 - file print shares
New database member server (HP dl360) - Server 2003 - small database program and a couple of small, low usage file shares.
One XP workstation

Problem: for some reason I can't set domain permissions on the member server shares. When attempting to set permissions the only item in the list is the member server name, the DC server name is not listed and the 'location' selection button and selection line is not accessible and cannot be changed from the member server name to the domain name. The member server is a member of the domain. I even tried removing the member server and adding it back to the domain without success.

It has been a long time since I set up a new domain with more than one server so maybe my feeble memory is forgetting a step in the setup. My googling has not turned up an answer yet. Could someone kindly refresh my memory?

Thanks
--
Len Hammond
Hammond Enterprises
[EMAIL PROTECTED]