Re: Assign Domain Security Policy/Manage remote computer

From: Steven L Umbach (sumbach@ameritech.net)
Date: 03/29/03


From: "Steven L Umbach" <sumbach@ameritech.net>
Date: Sat, 29 Mar 2003 18:56:02 GMT


     Netdiag will need to be installed. You can download it from MS or install it
from the XP cdrom under the support/tools folder - run the setup file there for the tools.
The XP machine must be joined to the domain to use domain group policies. I would
recommend unassigning the ipsec domain policy until you can verify that the XP box is
joined to the domain and communicating with the dc as it should be, using netdiag. Do
not use the require (secure server) policy on the dc as it seems to cause unreliable
communications with domain clients and will not allow new workstations to be
joined to the domain. --- Steve

"Martin" <x@y.z> wrote in message
news:ONIpFph9CHA.1680@TK2MSFTNGP12.phx.gbl...
> Hi Steve,
>
> I've run netdiag and dcdiag on the domain controller (Active Directory
> server), nothing fails; a few netdiag tests are passed, namely:
> WINS service test (none configured)
> Trust relationship (none configured).
>
> All dcdiag tests pass.
>
> The dc does refer to itself as its DNS server.
> My client is a Windows XP Pro box. I can't find any reference to netdiag
> for this OS. Any ideas?
>
> It was not configured to use the DC dns server, but now has that as its
> primary DNS server.
>
> Not done anything more with the IPSec config yet, except it now specifies
> specific IP addresses at both source and destination.
>
> Thanks again
> Martin
>
>
>
>
> "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> news:FQjha.328$kd1.378217@newssrv26.news.prodigy.com...
> > I would recommend running netdiag and dcdiag on your domain controller
> > to see if it is set up properly, especially with regards to dns zone
> > creation and dns srv records. The dc needs to be pointing to itself, by its
> > assigned ip address, as its primary dns server. The clients need to point
> > to the dc as their dns server. Run netdiag on the client computers to see if
> > they are correctly configured. As far as ipsec policy, I recommend that you
> > assign the "request" (not require) policy to the domain controllers via
> > domain controllers group/security policy if you need to include them. Then
> > assign whatever you require to the rest of the domain computers - usually
> > client (respond only) to workstations and request/require to servers based
> > on their security needs. Computers of course will need to be in the domain/OU
> > where policy is implemented. Only W2K/XP computers can implement ipsec, so
> > if you have any W9X or NT4.0 computers they will not be able to communicate
> > with any computers requiring ipsec. Use ipsecmon to monitor and
> > troubleshoot ipsec security associations. If you do implement ipsec on the
> > domain controllers you may want to create a policy exempting dns traffic to
> > keep network communications responsive. --- Steve
> >
> > "Martin" <x@y.z> wrote in message
> > news:eHQYN4S9CHA.3412@TK2MSFTNGP11.phx.gbl...
> > > Hi,
> > >
> > > I've just set up Active Directory, and added other computers to the new
> > > domain - maintained backwards compatibility with domains, though I did not
> > > have a domain before.
> > >
> > > From my AD server, I can see the other computers and they can also see each
> > > other.
> > >
> > > I have defined an IPSec policy that I want all computers in the domain to
> > > adopt. I defined it in the Domain Security Policy section on my AD server.
> > > How do I apply it to the other computers in my domain? Simply doing assign
> > > by the new policy doesn't seem to work - though there may be an error in my
> > > policy settings.
> > > Roughly the policy has IP filter source My Address, dest Any IP Address, All
> > > protocols, and mirror. I had previously used a similar policy explicitly
> > > set up on two separate computers to secure traffic between the two. Now I
> > > want to have a policy that is administered from AD.
> > >
> > > I believe I don't need to define this policy anywhere else, but each computer
> > > in my domain needs to adopt it - how do I make that happen?
> > >
> > > I tried to do Computer Management on one of the domain members, from my AD
> > > server, but although I can browse to it, and the shares fine, I can't do
> > > Computer Management of it from my AD server. I can see the name when I'm
> > > asked what computer to manage, but it then says "Computer \\mc1.domain.com
> > > cannot be managed. The network path was not found."
> > >
> > > Help!
> > >
> > > Thanks
> > > Martin
> > >
> > >
> >
> >
>
>
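
The policy-assignment advice in this thread, worked through as an added example (not code from any poster): a small model of how the request, require and client (respond only) policies interact, showing why a require policy on the DC cuts off unjoined and W9X/NT4.0 machines. The host list (apart from the name mc1) and the simplified outcome rules are assumptions made for illustration.

```python
from dataclasses import dataclass

# Policy labels follow the thread; "none" means no IPsec policy in effect.
NONE, RESPOND, REQUEST, REQUIRE = "none", "client-respond-only", "request", "require"
IPSEC_CAPABLE = {"W2K", "XP"}   # per the thread, W9X and NT4.0 cannot do ipsec

@dataclass
class Host:
    name: str
    os: str
    role: str             # "dc", "server" or "workstation"
    policy: str           # policy assigned through the domain
    joined: bool = True   # domain policy only reaches joined machines

def effective(h):
    """Policy actually in effect on the host."""
    return h.policy if h.os in IPSEC_CAPABLE and h.joined else NONE

def outcome(a, b):
    """Simplified result for traffic between two hosts (assumed model)."""
    pair = {effective(a), effective(b)}
    if REQUIRE in pair:   # require never falls back to clear text
        return "blocked" if NONE in pair else "secured"
    if REQUEST in pair:   # request falls back when the peer cannot negotiate
        return "clear" if NONE in pair else "secured"
    return "clear"        # respond-only and none never start a negotiation

def review(hosts):
    """Flag DCs using require and every host that cannot reach a DC."""
    findings = []
    for dc in (h for h in hosts if h.role == "dc"):
        if effective(dc) == REQUIRE:
            findings.append(f"{dc.name}: DC uses require; assign request instead")
        for h in hosts:
            if h is not dc and outcome(dc, h) == "blocked":
                findings.append(f"{h.name}: cannot communicate with DC {dc.name}")
    return findings

# Constructed sample inventory.
SAMPLE = [
    Host("dc1", "W2K", "dc", REQUIRE),
    Host("mc1", "XP", "workstation", RESPOND),
    Host("newpc", "XP", "workstation", RESPOND, joined=False),  # not yet joined
    Host("legacy", "NT4.0", "workstation", NONE),
]

if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
```

Changing the policy on dc1 to request clears all three findings: joined W2K/XP machines still negotiate security with the DC, while the unjoined and NT4.0 machines fall back to clear text.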


