Re: Basic Active Directory Questions



Hi BobT,
Point your Member server and workstation to '10.81.20.19' as their preferred
DNS server and try accessing the share. You'll see it will work.

Regards,

Austin

"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AB219906-1F64-41C2-A76F-C82C861727B8@xxxxxxxxxxxxxxxx
Austin,

Running netdiag.exe on dc results in this error:

DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'10.81.20.19' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '10.251.7.14'. Please wait for 30 minutes for DNS server
replication.

The DNS server it is referring to is a Novell DNS server. Where can I get
additional details on the error?

Thanks,
Bob

--
BT


"BobT" wrote:

We had DNS server running on DC1, We received 2nd server, installed AD and
attached to DC1. DNS service was moved to 2nd server.

In checking security logs on DC1 there is a mixture of authentication. We
have ntlm and also reference to Microsoft Authentication Package ver 1" We
also show workstations using kerberos. Workstations are running Novell
Client.......

Utility on workstation kerbtray showed no ticket info.

No firewalls on servers/workstations involved.

What governs whether ntlm or kerberos is used for authentication? How can I
force kerberos if that is the problem?
--
BT


"Austin Osuide" wrote:

Hi BobT,
What do you exactly mean when you say the DNS server is in a trusted Domain?
Are there no DNS servers in the Domain the servers are members of? And is
this DNS server authoritative for the domain namespace?
Things you'll need to check to ensure Kerberos is functioning are:

1. No firewalls between the boxes and if there are, make sure the following
protocols are allowed:
   53 TCP & UDP
   88 TCP & UDP
   123 TCP & UDP
   464 TCP
2. DNS is functioning
3. The times on the boxes are correct to within 5 mins

Enable auditing of successful account logon events for user authentication
and confirm that Kerberos and not NTLM is being used by checking the
security event log on the DC and confirming the protocol used.
Download the WS03 utilities and on the workstation, use the kerbtray utility
to confirm Kerberos tickets are obtained from the DC.

Regards,

Austin


"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C305B3A6-39B2-416D-9F1D-39861904D50E@xxxxxxxxxxxxxxxx
Austin,

The results are as follows:

DC1 Server
IP address 10.81.20.11
DNS 10.81.20.19

MB1 Server
IP Address 10.81.20.15
DNS 10.81.20.19

Workstation
IP Address 10.4.24.111
DNS 10.81.20.19


The DC1 Server is an AD global catalog

The DNS address refers to another domain controller server that has a trust
to DC1

Bob


--
BT


"Austin Osuide" wrote:

Hi BobT,
From what you are describing, Kerberos is broke in that environment.
You should be able to single sign on to the share.

Check that DNS is configured correctly on the client Workstation.
Do an ipconfig /all for all 3 boxes and post pls.

Regards,

Austin

"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8AF0C1C6-147F-4CA8-817F-E7EC8F99167F@xxxxxxxxxxxxxxxx
Well, I'll start over and hopefully explain this scenario in clearer form.

I have domain controller named DC1

I have member server named MB1

I attached member server to DC1 through changing the workgroup on MB1 to
attach to domain on DC1.

I then create a share on MB1. The share is configured for group1 that is
defined in DC1. File permissions for this share is also for this group with
full control.

From a workstation that is logged into DC1 I unc to \\MB1\DownlaodShare
which is the shared directory on MB1. When I do this from the workstation I
am prompted for login credentials. The user that I am logged into the
workstation is a member of group1.

I should be able to access the share without requiring to provide
authenticated credentials since I am already logged into DC1.

Someone has told me that there may be a policy that I need to change to
allow this?

Thanks,

--
BT


"Paul Bergson [MVP-DS]" wrote:

"I'm not quite sure what you are asking. On the member server I have a
share that is for groupA on domainA - member server is attached to domain"
. Which domain does the member server reside in?

"If I try to access member server in unc form \\memberserver\downloads I am
prompted for credentials"
. When you are attempting to access the member server, from your
workstation, which domain are you attempting to access it from? Are they in
different domains?

" If I do the same from the domain server I am not prompted for credentials
and the directory displays."
. Domain server and member server should be the exact same thing. What is
this you are trying to explain?

I am confused because I don't fully understand what does and doesn't work
and where it is happening from. Also what specific permissions are
provided, it just isn't clear to me.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8BF02E69-BFA8-42F3-9DAA-0B15E4B7097E@xxxxxxxxxxxxxxxx
Paul, Jorge,

I'm not quite sure what you are asking. On the member server I have a share
that is for groupA on domainA - member server is attached to domain.

If I try to access member server in unc form \\memberserver\downloads
I am prompted for credentials. If I do the same from the domain server I am
not prompted for credentials and the directory displays. The workstation
that I try this from is attached to the domain.

Bob

--
BT


"Paul Bergson [MVP-DS]" wrote:

I think what Jorge would like to know is

Share A = domaina\group1 change
NTFS = domaina\group1 read



--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EBF4F450-CD3C-4303-8347-D2618B166411@xxxxxxxxxxxxxxxx
In this previous example, I have a simple share setup on a folder with a
couple of files in it. The Folder permissions include sample group a, the
ntfs file permissions within this folder include sample group a. When trying
to access share via unc I am requested for credentials, whereas if I unc to
the domain I am not.


--
BT


"Jorge Silva" wrote:

Can you tell the Share Permissions and NTFS permissions ?

--

===================================
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
===================================

"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7530022E-F40F-4CC6-899E-CFBE9BE68C88@xxxxxxxxxxxxxxxx
Well we still seem to have a problem. I have Server 1 which is a PDC. I
have server 2 no AD installed. I attach Server 2 to domain 1. I have an
existing group on DC. On Server 2 I share a directory to this group on
domain 1. When creating share it asks for domain credentials which I use
domain administrator. I setup the share and now users in this group on
server 1 should have access to this share created on server 2.

When user from workstation tries to access server 2, they get a login
screen. If I go to server 1 and as admin try to access the share all is
fine.

What problem is not allowing the users to authenticate properly to server 2
when they are a member of group on DC that server 2 has a share defined to
allow that group access.

Thanks,
Bob
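
The log check suggested in the thread (confirm from the DC's security event log whether Kerberos or NTLM was used for each logon), as an added example that is not part of the original posts. It groups events by user and workstation and reports which pairs never obtained Kerberos; the one-line key=value export format, the user names and the workstation names are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: one event per line, exported from a DC Security log.
# The key=value layout is an assumption of this example, not a Windows format.
SAMPLE_LOG = """\
event=540 user=u1001 workstation=WS-0411 package=Kerberos
event=680 user=u1002 workstation=WS-0412 package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
event=540 user=u1002 workstation=WS-0412 package=NTLM
event=540 user=u1003 workstation=WS-0413 package=Kerberos
event=680 user=u1003 workstation=WS-0413 package=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
event=540 user=u1004 workstation=WS-0414 package=Negotiate
this line is damaged and must be skipped
"""

LINE_RE = re.compile(r"event=(\d+)\s+user=(\S+)\s+workstation=(\S+)\s+package=(\S+)")
# MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (MSV1_0) is the package that implements NTLM.
NTLM_NAMES = {"ntlm", "msv1_0", "microsoft_authentication_package_v1_0"}

def classify_package(package):
    """Map a logged authentication package name to kerberos/ntlm/unknown."""
    name = package.strip().lower()
    if name == "kerberos":
        return "kerberos"
    return "ntlm" if name in NTLM_NAMES else "unknown"

def verdict(protocols):
    """Summarise the set of protocols seen for one user/workstation pair."""
    if {"kerberos", "ntlm"} <= protocols:
        return "mixed"
    if "ntlm" in protocols:
        return "ntlm-only"
    return "kerberos-only" if "kerberos" in protocols else "undetermined"

def report(log_text):
    """Return ({(user, workstation): verdict}, number_of_unparseable_lines)."""
    seen, skipped = defaultdict(set), 0
    for line in filter(str.strip, log_text.splitlines()):
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            skipped += 1
            continue
        _event, user, workstation, package = m.groups()
        seen[(user.lower(), workstation.upper())].add(classify_package(package))
    return {key: verdict(p) for key, p in seen.items()}, skipped

if __name__ == "__main__":
    rows, skipped = report(SAMPLE_LOG)
    print(sorted(rows.items()), "skipped:", skipped)
```

Pairs reported as ntlm-only are the ones to run the DNS, time and port checks from the thread against; a package logged as Negotiate does not say which protocol was chosen, so it is left undetermined.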



