Re: Basic Active Directory Questions
- From: BobT <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 8 Nov 2007 10:26:06 -0800
Austin,
Your info helped me greatly. I found a number of problems.
1. Primary DC DNS service was disabled.
2. All workstations' DHCP assignments had this DC as primary DNS, which of course was off.
3. Secondary DNS server has problem address with this DC.
4. All workstations had Novell Client with Zenworks. Zenworks dynamic user was enabled, which created a local user, not a domain user. Thus when accessing the share from the workstation, the local account did not have permissions.
Thanks for all the help, I appreciate it.
Bob
--
BT
"Austin Osuide" wrote:
Hi BobT,
Point your Member server and workstation to '10.81.20.19' as their preferred DNS server and try accessing the share. You'll see it will work.
Regards,
Austin
"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AB219906-1F64-41C2-A76F-C82C861727B8@xxxxxxxxxxxxxxxx
Austin,
Running netdiag.exe on dc results in this error:
DNS test . . . . . . . . . . . . . : Passed
PASS - All the DNS entries for DC are registered on DNS server
'10.81.20.19' and other DCs also have some of the names registered.
[WARNING] The DNS entries for this DC are not registered correctly on
DNS server '10.251.7.14'. Please wait for 30 minutes for DNS server
replication.
The DNS server it is referring to is a Novell DNS server. Where can I get
additional details on the error?
Thanks,
Bob
--
BT
"BobT" wrote:
We had DNS server running on DC1. We received 2nd server, installed AD and attached to DC1. DNS service was moved to 2nd server.
In checking security logs on DC1 there is a mixture of authentication. We have NTLM and also reference to "Microsoft Authentication Package ver 1". We also show workstations using Kerberos. Workstations are running Novell Client.......
Utility on workstation kerbtray showed no ticket info.
No firewalls on servers/workstations involved.
What governs whether NTLM or Kerberos is used for authentication? How can I force Kerberos if that is the problem?
--
BT
"Austin Osuide" wrote:
Hi BobT,
What do you exactly mean when you say the DNS server is in a trusted Domain?
Are there no DNS servers in the Domain the servers are members of? And is this DNS server authoritative for the domain namespace?
Things you'll need to check to ensure Kerberos is functioning are:
1. No firewalls between the boxes and if there are, make sure the following protocols are allowed:
53 TCP & UDP
88 TCP & UDP
123 TCP & UDP
464 TCP
2. DNS is functioning
3. The times on the boxes are correct to within 5 mins
Enable auditing of successful account logon events for user authentication and confirm that Kerberos and not NTLM is being used by checking the security event log on the DC and confirming the protocol used.
Download the WS03 utilities and on the workstation, use the kerbtray utility to confirm Kerberos tickets are obtained from the DC.
Regards,
Austin
"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C305B3A6-39B2-416D-9F1D-39861904D50E@xxxxxxxxxxxxxxxx
Austin,
The results are as follows:
DC1 Server
IP address 10.81.20.11
DNS 10.81.20.19
MB1 Server
IP Address 10.81.20.15
DNS 10.81.20.19
Workstation
IP Address 10.4.24.111
DNS 10.81.20.19
The DC1 Server is an AD global catalog.
The DNS address refers to another domain controller server that has a trust to DC1.
Bob
--
BT
"Austin Osuide" wrote:
Hi BobT,
From what you are describing, Kerberos is broke in that environment.
You should be able to single sign on to the share.
Check that DNS is configured correctly on the client Workstation.
Do an ipconfig /all for all 3 boxes and post pls.
Regards,
Austin
"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8AF0C1C6-147F-4CA8-817F-E7EC8F99167F@xxxxxxxxxxxxxxxx
Well, I'll start over and hopefully explain this scenario in clearer form.
I have domain controller named DC1.
I have member server named MB1.
I attached member server to DC1 through changing the workgroup on MB1 to attach to domain on DC1.
I then create a share on MB1. The share is configured for group1 that is defined in DC1. File permissions for this share are also for this group with full control.
From a workstation that is logged into DC1 I unc to \\MB1\DownlaodShare which is the shared directory on MB1. When I do this from the workstation I am prompted for login credentials. The user that I am logged into the workstation is a member of group1.
I should be able to access the share without requiring to provide authenticated credentials since I am already logged into DC1.
Someone has told me that there may be a policy that I need to change to allow this?
Thanks,
--
BT
"Paul Bergson [MVP-DS]" wrote:
"I'm not quite sure what you are asking. On the member server I have a share that is for groupA on domainA - member server is attached to domain"
. Which domain does the member server reside in?
"If I try to access member server in unc form \\memberserver\downloads I am prompted for credentials"
. When you are attempting to access the member server, from your workstation, which domain are you attempting to access it from? Are they in different domains?
"If I do the same from the domain server I am not prompted for credentials and the directory displays."
. Domain server and member server should be the exact same thing. What is this you are trying to explain?
I am confused because I don't fully understand what does and doesn't work and where it is happening from. Also what specific permissions are provided, it just isn't clear to me.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8BF02E69-BFA8-42F3-9DAA-0B15E4B7097E@xxxxxxxxxxxxxxxx
Paul, Jorge,
I'm not quite sure what you are asking. On the member server I have a share that is for groupA on domainA - member server is attached to domain.
If I try to access member server in unc form \\memberserver\downloads I am prompted for credentials. If I do the same from the domain server I am not prompted for credentials and the directory displays. The workstation that I try this from is attached to the domain.
Bob
--
BT
"Paul Bergson [MVP-DS]" wrote:
I think what Jorge would like to know is
Share A = domaina\group1 change
NTFS = domaina\group1 read
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"BobT" <BobT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:EBF4F450-CD3C-4303-8347-D2618B166411@xxxxxxxxxxxxxxxx
In this previous example, I have a simple share setup on a folder with a couple of files in it. The Folder permissions include sample group a, the ntfs file permissions within this folder include sample group a. When trying to access share via unc I am requested for credentials, whereas if I unc
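Added example, not part of any post in this thread: a Python sketch of the check Austin describes, confirming from the DC security log whether each workstation authenticated with Kerberos or NTLM. The log lines are constructed and simplified and the field names are assumptions to adapt to your own export; "Microsoft Authentication Package v1.0" (MSV1_0) is counted as NTLM because that is the package that handles NTLM logons.

```python
from collections import defaultdict

# Constructed sample: one audited logon per line, fields separated by "|".
# Field names are assumptions; adapt them to the way your log is exported.
SAMPLE_LOG = """\
User Name: bobt | Workstation Name: WS-A | Authentication Package: NTLM
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 | Logon account: bobt | Source Workstation: WS-A
User Name: alice | Workstation Name: WS-B | Authentication Package: Kerberos
User Name: alice | Workstation Name: WS-B | Authentication Package: NTLM
User Name: carol | Workstation Name: WS-C | Authentication Package: Negotiate
"""

# MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 (MSV1_0) is the NTLM package.
PACKAGE_TO_PROTOCOL = {
    "kerberos": "Kerberos",
    "ntlm": "NTLM",
    "microsoft_authentication_package_v1_0": "NTLM",
}

def parse_record(line):
    """Split 'Key: value | Key: value' into a dict with lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def summarize(log_text):
    """Map each workstation to the set of protocols it authenticated with."""
    seen = defaultdict(set)
    for line in filter(str.strip, log_text.splitlines()):
        f = parse_record(line)
        package = f.get("authentication package") or f.get("logon attempt by", "")
        host = f.get("workstation name") or f.get("source workstation") or "(none)"
        seen[host].add(PACKAGE_TO_PROTOCOL.get(package.lower(), "Unknown"))
    return dict(seen)

def ntlm_only(summary):
    """Workstations that used NTLM and never obtained a Kerberos logon."""
    return sorted(h for h, p in summary.items() if "NTLM" in p and "Kerberos" not in p)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for host in sorted(summary):
        print(host, sorted(summary[host]))
    # These hosts are the ones to check for DNS, clock skew and ports 53/88/123/464.
    print("NTLM only:", ntlm_only(summary))
```

A workstation that appears only under NTLM is the one to run through the DNS, time and port checklist from the thread; one that shows both protocols can reach a KDC and is falling back for specific targets.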