Re: not prompting for password change


From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 10/12/04


Date: Mon, 11 Oct 2004 22:45:10 -0400

Sorry it took so long to reply. Personal issues had me tied up for a few
days.

Replied inline below.

In news:2c874ed1.0410102005.6269370a@posting.google.com,
aaron.whittaker <aaronwhittaker2002@yahoo.com> made a post then I commented
below
> 1. As mentioned earlier, I have seen case study scenarios where the
> following has occurred.
> You could put a group policy that won't allow users to authenticate
> with cached credentials. Issue: laptop users can't log in, so I would
> have Deny Apply Group Policy.
> Or the same thing could be done through a registry edit on all
> machines, a lot more work for 30 PCs. But I don't think that either of
> these ideas are fully correct as they are really not fixing the source
> of the problem. And also I would like to know what the real problem
> and fix is.

*** Let's stay away from a GPO for now until this is resolved.

>
> 2. This wont be the case as there is a DC on site. This is the main
> DC. It is the closest so all machines would go to this one, which has
> the most up to date information. The other one in the US, is a
> centralised redundant machine, for when Aust users logon in other
> parts of the world. As all of my company's connections go back to HQ
> in US.

*** Is the DC in Australia a GC? Does it show up in your SRVs as a GC? Do
all the DCs show up in the SRVs?

>
> 3. Also, the password change issue can be attributed to the PDC
> emulator not
> being available, which can either indicate a DNS issue or WAN link
> communication issue, or both. Which machine holds that role?
> The functional level of the domain is windows 2000 so there is no PDC

*** But there IS a PDC Emulator. That guy coordinates password changes,
updates, time sync, legacy client password support, creating/editing GPOs,
etc. You can find the PDC Emulator by right-clicking your domain name in ADUC,
choose Operations Masters, choose the PDC Emulator tab. It will tell you who
the current one is.

>
> 4. In DNS, is there a DNS server in both locations? Are the zones AD
> Integrated? If yes or no, do the zones on both DNS have the same exact
> copy
> of data, and the SRV records exist? DNS is in Australia, and is
> different to the US version,
> but again I don't think that DNS can be the issue, when basically we
> are only talking and dealing with the DC in Australia.

*** But DNS is the mainstay of AD. Without the proper SRV records registered,
AD will malfunction. AD RELIES on DNS. That is why I am heavy on finding out
your DNS infrastructure. If it is not sound, or misconfigured, AD is
guaranteed to have problems.

>
> 5. Is there a GC in Australia?
> Don't know. Will check.

*** Look in Sites and Services, under your Site name (if the default, it
will be the Default-First-Site-Name), under Servers, choose the server in
Australia, in the right window pane, choose NTDS properties. It will be
checked off as a GC over there.

>
> 5. For netdiag and dcdiag, install the support tools off the Windows
> CDROM.
> Then go to a CMD prompt and run them with the switches you specified.
> Will do.
>
> 6. Is your domain a single label name? I don't know what that means, but
> it is a child domain. Parent domain = US.NET Child Aust domain =
> Aust.US.Net

*** It's not a single label name. Good.

> 7. Can you post an unedited ipconfig /all from both DCs from both
> locations
> please?

*** Read inline below for my comments....

>
> dc ipconfig
> Microsoft Windows 2000 [Version 5.00.2195]
> (C) Copyright 1985-2000 Microsoft Corp.
>
> C:\Documents and Settings\user>ipconfig /all
>
> Windows 2000 IP Configuration
>
> Host Name . . . . . . . . . . . . : DCname
> Primary DNS Suffix . . . . . . . : aust.us.net

*** I assume this is your domain name? The Primary DNS Suffix needs to match
the AD DNS domain name.

> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : aust.us.net
> na.us.net
> eu.us.net
> us.com
> companyname.com

**** Why are all these search suffixes on this machine? Are they relevant AD
domain names or just external references? How many domains are in your
infrastructure? I thought there was just one??

*** If not relevant to AD, and you only have one domain, the manually
entered ones should be removed. The only ones that should be here are the
default ones that show up:
aust.us.net
us.net

>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : austrlaia.us.net

*** The above should match the Primary DNS Suffix.

> Description . . . . . . . . . . . : Compaq NC3163 Fast Ethernet NIC
> Physical Address. . . . . . . . . : 00-02-A5-1B-9D-F3
> DHCP Enabled. . . . . . . . . . . : No
> IP Address. . . . . . . . . . . . : 10.177.1.8
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 10.177.1.1
> DNS Servers . . . . . . . . . . . : 10.177.1.8
> 10.81.217.175

*** Do these two DNS servers listed above have the same exact copy of the
aust.us.net zone data? If not, any servers listed in any machines' IP
properties (DC or clients) need to all have the same exact data.

> Primary WINS Server . . . . . . . : 10.100.8.6
>
> C:\Documents and Settings\user>
>
>
> user ipconfig
> Microsoft Windows XP [Version 5.1.2600]
> (C) Copyright 1985-2001 Microsoft Corp.
>
> C:\Documents and Settings\user>ipconfig /all
>
> Windows IP Configuration
>
> Host Name . . . . . . . . . . . . : my-lap
> Primary Dns Suffix . . . . . . . : aust.us.NET
> Node Type . . . . . . . . . . . . : Hybrid
> IP Routing Enabled. . . . . . . . : No
> WINS Proxy Enabled. . . . . . . . : No
> DNS Suffix Search List. . . . . . : aust.us.net
> companyname.com

*** The 'companyname.com' zone does not need to be here.

>
> Ethernet adapter Wireless Network Connection:
>
> Media State . . . . . . . . . . . : Media disconnected
> Description . . . . . . . . . . . : Intel(R) PRO/Wireless LAN 2100 3B Mini PCI Adapter
> Physical Address. . . . . . . . . : 00-0C-F1-30-E3-0E

*** Go into Network & Dialup Connections, Advanced Menu, Advanced settings,
and move the wireless card to the bottom of the binding order.

>
> Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . : local.australia.us.com
> Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
> Physical Address. . . . . . . . . : 00-08-0D-61-88-FD
> Dhcp Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IP Address. . . . . . . . . . . . : 10.177.1.93
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Default Gateway . . . . . . . . . : 10.177.1.1
> DHCP Server . . . . . . . . . . . : 10.177.1.10
> DNS Servers . . . . . . . . . . . : 10.177.1.8
> 10.177.1.13
> 10.100.8.72

*** I see that 10.177.1.8 is the DC above. What are these other two DNS
servers? They don't match the other one configured on the DC/DNS server
previously listed. Do they have copies of the aust.us.net zone as well??

> Primary WINS Server . . . . . . . : 10.177.1.10
> Lease Obtained. . . . . . . . . . : Monday, 11 October 2004 1:54:11 PM
> Lease Expires . . . . . . . . . . : Monday, 11 October 2004 4:54:11 PM
>
> C:\Documents and Settings\user>
>
> Notice that the DNS suffix is different. Is this an issue?

How many DNS servers do you have in your company? Why were the suffixes
configured? How many domains do you have? If just one domain, remove all
these excessive suffixes, configure a forwarder on each DNS server to your
ISP's DNS (provided they all hold the same exact copy of the aust.us.net
zone).

Whatever happened to that report?

What were the MS references you were speaking of? Was that the GPO reference?

Ace
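The checks Ace is doing by eye on the two ipconfig dumps above, as an added example that is not part of either poster's message: a small Python script that parses `ipconfig /all` output (Windows 2000 / XP layout) and flags the things asked about in the thread, i.e. a Primary DNS Suffix that does not match the AD domain, search suffixes beyond the default devolution of the primary suffix, a Connection-specific DNS Suffix that differs from the primary suffix on a connected adapter, and resolvers the client uses that the DC itself does not. The sample text is constructed, abbreviated from the two dumps quoted above; the AD domain name aust.us.net is taken from the thread, and the function names are mine.

```python
import re
from typing import Dict, List

# Key lines in ipconfig /all carry dot leaders ("Host Name . . . : x"); values that
# spill onto following lines (DNS Servers, DNS Suffix Search List) carry no leader.
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9 \-]*?)\s*\.[ .]*:\s*(.*)$')
ADAPTER_RE = re.compile(r'^\s*\S+ adapter (.+):\s*$')


def parse_ipconfig(text: str) -> Dict:
    """Return {'global': {key: [values]}, 'adapters': {name: {key: [values]}}}.
    Keys are lower-cased so the Windows 2000 ("DNS Suffix") and XP ("Dns Suffix")
    spellings land on the same key; every value is a list."""
    cfg = {'global': {}, 'adapters': {}}
    section, key = cfg['global'], None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            key = None
            continue
        m = ADAPTER_RE.match(line)
        if m:
            section = cfg['adapters'].setdefault(m.group(1).strip(), {})
            key = None
            continue
        m = KEY_RE.match(line)
        if m:
            key = ' '.join(m.group(1).split()).lower()
            section.setdefault(key, [])
            if m.group(2).strip():
                section[key].append(m.group(2).strip())
        elif key is not None:          # continuation of a multi-valued field
            section[key].append(line.strip())
    return cfg


def first(section: Dict, key: str) -> str:
    return (section.get(key) or [''])[0]


def devolved_suffixes(primary: str) -> List[str]:
    """Search list Windows builds by default: the primary suffix and its parents
    down to two labels (aust.us.net -> aust.us.net, us.net), as Ace lists above."""
    labels = primary.lower().split('.')
    return ['.'.join(labels[i:]) for i in range(len(labels) - 1)]


def check_dns_config(cfg: Dict, ad_domain: str) -> List[str]:
    """Primary suffix == AD domain, no hand-added search suffixes, and the
    connection-specific suffix == primary suffix on every connected adapter."""
    findings = []
    g = cfg['global']
    primary = first(g, 'primary dns suffix').lower()
    if primary != ad_domain.lower():
        findings.append(f"primary DNS suffix '{primary}' != AD domain '{ad_domain}'")
    allowed = set(devolved_suffixes(primary))
    for s in g.get('dns suffix search list', []):
        if s.lower() not in allowed:
            findings.append(f"search list: extra suffix '{s}' (remove unless it is an AD domain)")
    for name, a in cfg['adapters'].items():
        if first(a, 'media state').lower().startswith('media disconnected'):
            continue                   # e.g. the laptop's wireless card: nothing to check
        conn = first(a, 'connection-specific dns suffix')
        if conn and conn.lower() != primary:
            findings.append(f"{name}: connection-specific suffix '{conn}' != primary '{primary}'")
    return findings


def dns_servers(cfg: Dict) -> List[str]:
    """Resolvers configured on the host's adapters, in order, without duplicates."""
    seen = []
    for a in cfg['adapters'].values():
        for s in a.get('dns servers', []):
            if s not in seen:
                seen.append(s)
    return seen


def servers_not_on_dc(dc_cfg: Dict, client_cfg: Dict) -> List[str]:
    """Resolvers the client uses that the DC does not. Each of these must hold the
    same copy of the AD zone, or the client's SRV lookups will give different answers."""
    return sorted(set(dns_servers(client_cfg)) - set(dns_servers(dc_cfg)))


# Constructed samples, abbreviated from the two dumps quoted in the thread.
DC_IPCONFIG = """\
Windows 2000 IP Configuration

   Primary DNS Suffix  . . . . . . . : aust.us.net
   DNS Suffix Search List. . . . . . : aust.us.net
                                       na.us.net
                                       eu.us.net
                                       us.com
                                       companyname.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : austrlaia.us.net
   DNS Servers . . . . . . . . . . . : 10.177.1.8
                                       10.81.217.175
"""

LAPTOP_IPCONFIG = """\
Windows IP Configuration

   Primary Dns Suffix  . . . . . . . : aust.us.NET
   DNS Suffix Search List. . . . . . : aust.us.net
                                       companyname.com

Ethernet adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : local.australia.us.com
   DNS Servers . . . . . . . . . . . : 10.177.1.8
                                       10.177.1.13
                                       10.100.8.72
"""

if __name__ == '__main__':
    dc, lap = parse_ipconfig(DC_IPCONFIG), parse_ipconfig(LAPTOP_IPCONFIG)
    for host, cfg in (('DC', dc), ('laptop', lap)):
        for f in check_dns_config(cfg, 'aust.us.net'):
            print(f'{host}: {f}')
    print('laptop resolvers not used by the DC:', servers_not_on_dc(dc, lap))
```

To run it against real machines, save `ipconfig /all > dc.txt` on each box and pass the file contents in place of the constructed strings. On the samples it reports the four hand-added search suffixes and the misspelled connection-specific suffix on the DC, the stray companyname.com suffix and the local.australia.us.com suffix on the laptop, and 10.177.1.13 and 10.100.8.72 as resolvers the laptop uses but the DC does not, which is exactly the list Ace asks about.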


