RE: Authenticated users not gaining Directory Service Access
From: Chad A. Lacy (clacy_at_nospam.familydollar.com)
Date: 08/26/04
- In reply to: PacSec: "Authenticated users not gaining Directory Service Access"
Date: Thu, 26 Aug 2004 11:57:02 -0700
I would first look at the DNS settings on the client machines. A common
mistake many users make is entering the DNS server of their ISP on the
client's machine. This is incorrect. The only DNS addresses a client should
know about are those of your internal DNS servers. If your internal DNS servers are
Windows 2000/2003 servers you can then use either conditional forwarders or
root hints for external DNS queries.

The reason this is a problem is that Active Directory uses SRV (or Service)
records in DNS to help clients locate network resources. If your client is
pointing to your ISP, then the client will poll that DNS server for resource
records which it knows nothing about.

Many incorrect deployments I have seen involve the client machine having
both the internal DNS server's address and the ISP's DNS server. This will
result in the queries working sometimes and then not working at other times.
This is simply a result of whichever DNS server responds first.

"PacSec" wrote:
> Every morning for the last couple of weeks I have had
> users unable to access network drives after they log in.
> There is no error on their machine as they log in.
>
> In reviewing the security log on the DC (Win2k3), I see
> that these users do not have the normal log entry
> for "Directory Service Access", event ID 565. I am
> logging both successes and failures but I get no failures
> for the DS access. Finally, after numerous attempts at
> logging on, the user will gain access to the drives and
> there will be entries in the log for DS access.
>
> I am unable to figure out why the user is not being
> granted, or due to lack of failure audits even
> requesting, DS access. Can anyone shed light on this?
>
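
Added example, not part of the original thread: a client-side check for the condition described in the reply above, asking every DNS server configured on the machine for the domain controller locator SRV record and reporting which ones cannot answer. It assumes Windows 8 / Server 2012 or later (for the `DnsClient` cmdlets); the domain name `corp.example.com` is a placeholder.

```powershell
# Added example (not from the thread). $AdDomain is a placeholder value.
param(
    [string]$AdDomain = 'corp.example.com'   # replace with your AD DNS domain name
)

# SRV record a domain member looks up to locate a domain controller.
$srvName = "_ldap._tcp.dc._msdcs.$AdDomain"

# Collect every IPv4 DNS server configured on any interface of this client.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $nic = $_
        foreach ($addr in $nic.ServerAddresses) {
            [pscustomobject]@{ Interface = $nic.InterfaceAlias; Server = $addr }
        }
    }

# Query each server directly so that one working server cannot mask a bad one.
$results = foreach ($entry in $servers) {
    try {
        $answer  = Resolve-DnsName -Name $srvName -Type SRV -Server $entry.Server `
                       -DnsOnly -ErrorAction Stop
        $targets = @($answer | Where-Object { $_.Type -eq 'SRV' } |
                       ForEach-Object { $_.NameTarget })
        $status  = if ($targets.Count -gt 0) { 'OK' } else { 'NoSrvRecords' }
    } catch {
        # NXDOMAIN, timeout or refusal: this server cannot locate a DC for the domain.
        $targets = @()
        $status  = 'Failed'
    }
    [pscustomobject]@{
        Interface         = $entry.Interface
        DnsServer         = $entry.Server
        Status            = $status
        DomainControllers = $targets -join ', '
    }
}

$results | Format-Table -AutoSize

# Any server that is not 'OK' should be removed from the client or DHCP scope.
$bad = @($results | Where-Object { $_.Status -ne 'OK' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} configured DNS server(s) cannot resolve {1}" -f $bad.Count, $srvName)
}
```

A client that lists both an internal and an external server will typically show one `OK` row and one `Failed` row, which matches the intermittent behaviour described in the reply.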