Re: Event ID 1000 (Userenv) Error and Event ID 8021 (BROWSER) Error

From: Kevin D. Goodknecht [MVP] (admin_at_nospam.LSAOL.COM)
Date: 03/01/04


Date: Mon, 1 Mar 2004 08:58:49 -0600

In news:4042D440.FEF08EAC@N_O_S_P_A_M_cox.net,
Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
Then Kevin replied below:
> "Kevin Goodknecht [MVP]" wrote:
>>
>> In news:40429C1A.A2170B3F@N_O_S_P_A_M_cox.net,
>> Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
>> Then Kevin replied below:
>>> Kevin,
>>>
>>> I've posted the IP configurations for all 3 NICS (2 on machine A,
>>> and 1 on machine B) in an earlier post in this thread, and the
>>> internal NIC is at the top of the binding order already.
>>>
>>> File Sharing is bound only to the internal NIC, but I noted the
>>> Client for MS networks was bound to both the internal and external
>>> NICs.
>>>
>>> I'll unbind Client for MS networks from the external NIC, and post
>>> back, but this'll have to be after an hour or so, since the errors
>>> were showing up at about 100 minute intervals.
>>>
>>> Jim
>> The post had not come up when I started my reply, but looking at it
>> leaves me with questions.
>> How is the internal DNS resolving external names without a gateway?
>> Do you have NAT on the member server? It should be listed as the
>> gateway for the DC.
>> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank
>> it will pick up the loopback address or use DHCP to get the DNS
>> server. Both NICS on the member should use the DC for DNS.
>> You have no gateways listed for any NIC, how do you get out without a
>> gateway?
>>
>
> Kevin,
>
> You have some good questions, and I only have answers to some of them
> unfortunately :(...
>
> First of all, my desire/intention is to build this 2-machine network
> such that it's kind of a standalone ("standalone", in a limited sense)
> Windows domain, but physically connected to an external network.
>
> The "machine A" runs an IIS web server, and we need "inward" access
> (from clients on the external network) to this web server, but, in
> general, we don't need, or want to allow, "outward" access (from
> machine A, or machine B) to the external network.
>
> The reason for the machine A/machine B configuration is that machine B
> runs a database which is accessed by our web application (which runs
> on machine A), and also, we want to manage all the machines on this
> internal network (consisting of machines A & B) using GPOs, etc. from
> machine A.
>
> Now here's the way that I think that things work (and they are, for
> the most part, working):
>
> You noted that we don't define a gateway for either NIC2 on machine A
> or NIC1 on machine B, but you'll also note that NIC2/machine A and
> NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx). In
> addition, both NIC2/machine A and NIC1/machine B point to machine B
> for their DNS server.
>
> [I'm being a bit vague here] When something in machine A wants to
> connect to either machine A or machine B, since the DNS IP address
> points to machine B, name resolution gets handled by the DNS server on
> machine B.
>
> As to how it "gets out without a gateway", I think it works somewhat
> akin to a 2-computer network using a cross-over cable (and without a
> router) but, in our case, we're using a switch between the 2 computers
> (instead of a cross-over cable). My understanding is that in such a
> configuration, packets with source/destination address get sent out
> the NIC on the source machine, and the machine with the matching
> destination address will simply receive those packets.

If these machines only accept incoming connections then you can get by
without a gateway. If you try to make an outgoing connection from these
machines I don't see how. You need either a gateway, a proxy GDP client, or
a Winsock redirector service. If you are using NAT then you must have a
gateway.

I do not understand why you have the DC connecting through the multihomed
Member. You would be much better off having both the DC and the member
connected to the router.

>
>
> Here are the answers to some of your questions (I think):
>
> Q1) "How is the internal DNS resolving external names with out a
> gateway?"
> A1) We DON'T WANT the internal DNS (on machine B) to resolve external
> names.

If the member needs to resolve external names it should rely on getting
those names from the DC. If the member is using your ISP's DNS I can see
where the error might be coming from, especially if you use the same
internal domain name as your external domain name.
If the member gets the IP address of the domain name from your ISP, then it
is at that IP address that it is looking for the sysvol share.

>
> Q2) "Do you have NAT on the member server?"
> A2) No, we don't.
>
> Q3) "You have no gateways listed for any NIC, how do you get out
> without a gateway?"
> A3) My guess is per what I wrote above.
>
>
> BTW, you mentioned above that:
>
> "You cannot have TCP/IP without DNS in Win2k if you leave DNS blank
> it will pick up the loopback address or use DHCP to get the DNS
> server."
>
> Do you know that the above (that it will either default to the
> loopback address or use DHCP to get the IP of the DNS server) is
> true? The reason that I'm asking is that this might be at least part
> of the question in my earlier thread ("How is resolution working?").

If the machine has DNS installed it will get a loopback address, otherwise
the TCP/IP stack won't let you leave the fields blank.
If the router is providing the DNS server for the NIC connected to it then
it is getting its DNS from the router, which is most generally your ISP's
DNS, in which case it may be the cause of your error.
Instead of typing out the settings you have in place I would like to see an
ipconfig /all output from both machines. You can get the ipconfig by running
this in a command prompt:

C:\>ipconfig /all > C:\ipconfig.txt

That will drop a text file in the root of the C drive.

>
> If so, can you point me to some documentation about this? Also, if
> you know, under what circumstances would it default to the loopback
> address vs. trying to get the DNS server IP from DHCP?

Please post the ipconfig from the command I noted above.

-- 
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
==========================================
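
Added example (not part of the original post): a Python sketch that reads the text saved by the ipconfig /all command requested above and flags adapters that list a DNS server other than the internal one, or that have no default gateway. The adapter names, the addresses and the parse_ipconfig/audit helpers are constructed for illustration, and the Windows 2000 ipconfig /all text layout is assumed.

```python
import re

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*:\s*(.*)$")
# Constructed sample in the Windows 2000 "ipconfig /all" layout (not real data).
SAMPLE = """\
Windows 2000 IP Configuration

Ethernet adapter Internal:

        IP Address. . . . . . . . . . . . : 192.168.1.10
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.20

Ethernet adapter External:

        IP Address. . . . . . . . . . . . : 198.51.100.10
        Default Gateway . . . . . . . . . : 198.51.100.1
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            192.168.1.20
"""

def parse_ipconfig(text):
    """Return {adapter name: {field label: [values]}} for each adapter section."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        header = ADAPTER.match(line)
        if header:
            current, last = adapters.setdefault(header.group(1), {}), None
        elif current is not None and line.strip():
            field = FIELD.match(line)
            if field:
                last, value = field.group(1), field.group(2).strip()
                current[last] = [value] if value else []
            elif last:  # unlabelled line: another value for the previous field
                current[last].append(line.strip())
    return adapters

def audit(adapters, internal_dns):
    """List (adapter, finding) pairs; internal_dns is the set of allowed resolvers."""
    findings = []
    for name, fields in adapters.items():
        for server in fields.get("DNS Servers", []):
            if server not in internal_dns:
                findings.append((name, f"DNS server {server} is not internal"))
        if not fields.get("Default Gateway"):
            findings.append((name, "no default gateway configured"))
    return findings

print(audit(parse_ipconfig(SAMPLE), {"192.168.1.20"}))
```

To check a real capture, pass the contents of C:\ipconfig.txt to parse_ipconfig and the address of the domain's own DNS server as internal_dns.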

