Re: netlogon to domain for clients at branch office w/o DC


From: Doug Sherman [MVP] (dsherman_at_nospam.tampabay.rr.com)
Date: 10/13/04


Date: Wed, 13 Oct 2004 15:36:06 -0400

Hmmm. This configuration should be simple over a T1/VPN.

Make sure whatever VPN hardware/software you are using does not have
built-in filters or firewalls.

If you can actually log onto the domain with the XP machine (even if it
takes 30 min.), check the Site status. You can do this with the nltest
utility available in the Support Tools:

http://www.microsoft.com/downloads/details.aspx?FamilyID=f08d28f3-b835-4847-b810-bb6539362473&DisplayLang=en

Run "nltest /dsgetsite". I'm thinking there may be a problem with the Site
configuration.

Also, on the XP machine disable offline files and drive mappings and check
Event Viewer for errors.

Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP

"Ric R." <RicR@discussions.microsoft.com> wrote in message
news:F0365C85-783A-4686-B7B8-FD06DBCE81E0@microsoft.com...
> I have done all that. Yes there is a firewall but there are no restrictions
> on either end.
> All machines can ping the DC/AD/DNS server and it can ping back. Name
> resolution works. The client machines all have DC as their primary DNS. I
> did also try removing the manual dependent changes to NETLOGON and no luck.
>
>
> "Doug Sherman [MVP]" wrote:
>
> > Yuck, sounds like we're going backwards. Most likely problems:
> >
> > 1. Remove any manually added dependencies for the netlogon service on a
> > branch office machine.
> >
> > 2. Routing - make sure the branch machine can ping the IP address of the
> > DC. Make sure the DC can ping the IP address of the branch machine.
> >
> > 3. Firewall - If there is a firewall between the VPN end point and the DC,
> > you may need to open additional ports - eg. UDP 53 because the branch
> > machine needs to use the DC for primary DNS.
> >
> > Doug Sherman
> > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> >
> > "Ric R." <Ric R.@discussions.microsoft.com> wrote in message
> > news:18649AA1-17E1-4070-AD95-F56F0E970BBC@microsoft.com...
> > > Thanks Doug. I tried this on two clients. The first, an XP machine, worked
> > > fine on the first login. Netlogon started and communication to domain
> > > resources seemed to work fine. The next login on the same machine took over
> > > 30 minutes.
> > > I then tried on a 2000 workstation and the login took over 30 minutes at
> > > which point I pulled the network connection so the "loading personal settings
> > > would proceed"
> > > Netlogon service does start, but connecting to the XP machine OR domain
> > > resources including the DC is not working.
> > >
> > > "Doug Sherman [MVP]" wrote:
> > >
> > > > DNS is the service name for the DNS server service. Obviously, this will
> > > > prevent the netlogon service from starting unless the machine is a DNS
> > > > server. If you want Netlogon to depend on the DNS client service, the
> > > > service name is Dnscache.
> > > >
> > > > Doug Sherman
> > > > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> > > >
> > > > "Ric R." <Ric R.@discussions.microsoft.com> wrote in message
> > > > news:36225648-FC03-497C-9FEE-1AA2078BD38C@microsoft.com...
> > > > > We have a Windows 2000 based domain. We are trying to deploy a small branch
> > > > > office that will not have a DC on site. There is a T1 VPN connection between
> > > > > the main office and the branch. I have added the subnet of the branch to AD
> > > > > and associated it with the Main office site.
> > > > > We have configured the clients (2000 and XPpro) to be part of the domain and
> > > > > would like to have users authenticate back to DC in main office.
> > > > > The only way I have found to successfully make that happen was to add DNS
> > > > > to the DependOnService under the following .
> > > > > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon
> > > > > This has made the user logon process work well, but now the Netlogon service
> > > > > will not start which prevents those clients from connecting to peer machines
> > > > > at the branch office.
> > > > > Anyone found a solution to this?
> > > > > Thanks.
> > > > > Ric
> > > >
> > > >
> > > >
> >
> >
> >
>
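An added example, not from any post in this thread: a PowerShell script that audits the Netlogon dependency problem discussed above (Netlogon made to depend on "DNS", which is the DNS Server service, instead of "Dnscache", the DNS Client) and then runs the checks Doug suggests. It assumes an elevated PowerShell session on a domain-joined workstation; the -Fix switch, the event-log filter and the output format are my own choices.

```powershell
# Added example (not from the thread): audit the Netlogon service dependency list
# discussed above. Read-only unless -Fix is given.
param([switch]$Fix)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon'
$deps = @((Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue).DependOnService |
          Where-Object { $_ })
Write-Host "Netlogon DependOnService: $($deps -join ', ')"

# "DNS" is the DNS *Server* service. A workstation does not have it, so a dependency on it
# keeps Netlogon from ever starting (the symptom in the thread). The DNS *Client* is "Dnscache".
if ($deps -contains 'DNS') {
    $dnsServer = Get-Service -Name DNS -ErrorAction SilentlyContinue
    if (-not $dnsServer) {
        Write-Warning "Netlogon depends on 'DNS' (DNS Server), which is not installed here; Netlogon cannot start."
        if ($Fix) {
            # Drop the bogus dependency; if a DNS dependency was wanted, point it at the client service.
            $new = @($deps | Where-Object { $_ -ne 'DNS' })
            if ($new -notcontains 'Dnscache') { $new += 'Dnscache' }
            Set-ItemProperty -Path $key -Name DependOnService -Value ([string[]]$new) -Type MultiString
            Write-Host "Rewrote DependOnService to: $($new -join ', ') (restart Netlogon or reboot to apply)"
        }
    }
}

# Service state for the DNS client and Netlogon.
foreach ($svc in 'Dnscache', 'Netlogon') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Write-Host ("{0,-10} {1}" -f $svc, $(if ($s) { $s.Status } else { 'not installed' }))
}

# Site membership as Netlogon resolves it (nltest is built into current Windows;
# on the 2000/XP clients in the thread it came from the Support Tools).
nltest /dsgetsite 2>&1 | ForEach-Object { "nltest: $_" }

# Netlogon and DNS-client warnings/errors from the System log over the last day,
# i.e. what "check Event Viewer for errors" looks for.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON', 'Microsoft-Windows-DNS-Client'
    Level        = 1, 2, 3
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message | Format-Table -Wrap
```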


