Re: Assign Domain Security Policy/Manage remote computer

From: Steven L Umbach (sumbach@ameritech.net)
Date: 03/29/03


From: "Steven L Umbach" <sumbach@ameritech.net>
Date: Sat, 29 Mar 2003 19:53:17 GMT


     Hmm. If the dc discover, domain membership, and everything else passed
though you might be OK, but I am not sure. Try on the client computer -
ipconfig /registerdns and then netdiag /fix. Then try running netdiag
again. Also the gpresult tool will help you troubleshoot the problem and see
if domain group policy has ever been applied to that computer. Have a good
weekend. --- Steve

http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

"Martin" <x@y.z> wrote in message
news:eNjNCFi9CHA.1868@TK2MSFTNGP12.phx.gbl...
> Hi Steve,
>
> Done that now. Interesting - the DC list test fails.
>
> Nothing else of note.
>
> Any thoughts on the DC list failure?
>
> Your help is much appreciated - especially given it's Saturday.
> Unfortunately, I'm going to have to quit this in about 30 minutes.
>
> Thanks again
> Martin
>
> "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> news:6%lha.485$kd1.414326@newssrv26.news.prodigy.com...
> > Netdiag will need to be installed. You can download from MS or install
> > from XP cdrom under support/tools folder - run setup file there for tools.
> > XP machine must be joined to domain to use domain group policies. I would
> > recommend unassigning ipsec domain policy until you can verify that XP box is
> > joined to domain and communicating with dc as should be using netdiag. Do
> > not use require (secure server) policy on dc as it seems to cause unreliable
> > communications with domain clients and will not allow new workstations to be
> > joined to the domain. --- Steve
> >
> > "Martin" <x@y.z> wrote in message
> > news:ONIpFph9CHA.1680@TK2MSFTNGP12.phx.gbl...
> > > Hi Steve,
> > >
> > > I've run netdiag and dcdiag on the domain controller (Active Directory
> > > server), nothing fails; a few netdiag tests are passed, namely:
> > > WINS service test (none configured)
> > > Trust relationship (none configured).
> > >
> > > All dcdiag tests pass.
> > >
> > > The dc does refer to itself as its DNS server.
> > > My client is a Windows XP Pro box. I can't find any reference to netdiag
> > > for this OS. Any ideas?
> > >
> > > It was not configured to use the DC dns server, but now has that as its
> > > primary DNS server.
> > >
> > > Not done anything more with the IPSec config yet, except it now specifies
> > > specific IP addresses at both source and destination.
> > >
> > > Thanks again
> > > Martin
> > >
> > >
> > >
> > >
> > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > news:FQjha.328$kd1.378217@newssrv26.news.prodigy.com...
> > > > I would recommend running netdiag and dcdiag on your domain controller
> > > > to see if it is set up properly, especially with regards to dns zone
> > > > creation and dns srv records. The dc needs to be pointing to itself, by its
> > > > assigned ip address, as its primary dns server. The clients need to point
> > > > to the dc as their dns server. Run netdiag on the client computers to see if
> > > > they are correctly configured. As far as ipsec policy, I recommend that you
> > > > assign the "request" (not require) policy to the domain controllers via
> > > > domain controllers group/security policy if you need to include them. Then
> > > > assign whatever you require to the rest of the domain computers - usually
> > > > client (respond only) to workstations and request/require to servers based
> > > > on their security needs. Computers of course will need to be in domain/OU
> > > > where policy is implemented. Only W2K/XP computers can implement ipsec, so
> > > > if you have any W9X or NT4.0 computers they will not be able to communicate
> > > > with any computers requiring ipsec. Use ipsecmon to monitor and
> > > > troubleshoot ipsec security associations. If you do implement ipsec on the
> > > > domain controllers you may want to create a policy exempting dns traffic to
> > > > keep network communications responsive. --- Steve
> > > >
> > > > "Martin" <x@y.z> wrote in message
> > > > news:eHQYN4S9CHA.3412@TK2MSFTNGP11.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > I've just setup active directory, and added other computers to the new
> > > > > domain - maintained backwards compatibility with domains, though I did not
> > > > > have a domain before.
> > > > >
> > > > > From my AD server, I can see the other computers and they can also see each
> > > > > other.
> > > > >
> > > > > I have defined an IPSec policy that I want all computers in the domain to
> > > > > adopt. I defined it in the Domain Security Policy section on my AD server.
> > > > > How do I apply it to the other computers in my domain? Simply doing assign
> > > > > by the new policy doesn't seem to work - though there may be an error in my
> > > > > policy settings.
> > > > > Roughly the policy has IP filter source My Address, dest Any IP Address, All
> > > > > protocols, and mirror. I had previously used a similar policy explicitly
> > > > > setup on two separate computers to secure traffic between the two. Now I
> > > > > want to have a policy that is administered from AD.
> > > > >
> > > > > I believe I don't need to define this policy anywhere else, but each computer
> > > > > in my domain needs to adopt it - how do I make that happen?
> > > > >
> > > > > I tried to do Computer Management on one of the domain members, from my AD
> > > > > server, but although I can browse to it, and the shares fine, I can't do
> > > > > Computer Management of it from my AD server. I can see the name when I'm
> > > > > asked what computer to manage, but it then says "Computer \\mc1.domain.com
> > > > > cannot be managed. The network path was not found."
> > > > >
> > > > > Help!
> > > > >
> > > > > Thanks
> > > > > Martin
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
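
Added example, not part of the original thread: a small Python triage of saved netdiag output that separates failed tests from skipped ones before the follow-up commands named in the thread are run. The summary-line layout in the sample is an assumption about the tool's report format, the sample text is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on netdiag's per-test summary lines
# ("<test name> . . . : <result>"); it is not output posted in the thread.
SAMPLE_NETDIAG = """\
    Domain membership test . . . . . . : Passed
    DNS test . . . . . . . . . . . . . : Passed
    DC discovery test. . . . . . . . . : Passed
    DC list test . . . . . . . . . . . : Failed
        [WARNING] (detail text omitted in this constructed sample)
    Trust relationship test. . . . . . : Skipped
    WINS service test. . . . . . . . . : Skipped
    IP Security test . . . . . . . . . : Passed
"""

# Test name, dot leaders, then ": Passed|Failed|Skipped" at end of line.
SUMMARY_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z][\w /-]*?)\s*(?:\.\s*)+:\s*"
    r"(?P<result>Passed|Failed|Skipped)\s*$"
)

# Follow-up commands named in the thread, in the order given there.
THREAD_FOLLOW_UP = ["ipconfig /registerdns", "netdiag /fix", "netdiag", "gpresult"]


def parse_netdiag(text):
    """Return {test name: result} for every summary line; detail lines are ignored."""
    results = {}
    for line in text.splitlines():
        match = SUMMARY_RE.match(line)
        if match:
            results[match.group("name")] = match.group("result")
    return results


def triage(results):
    """Split results into failed and skipped tests and list follow-up commands."""
    failed = sorted(n for n, r in results.items() if r == "Failed")
    skipped = sorted(n for n, r in results.items() if r == "Skipped")
    # Skipped tests (nothing configured) need no action; any failure does.
    steps = list(THREAD_FOLLOW_UP) if failed else []
    return {"failed": failed, "skipped": skipped, "next_steps": steps}


if __name__ == "__main__":
    report = triage(parse_netdiag(SAMPLE_NETDIAG))
    for key in ("failed", "skipped", "next_steps"):
        print(f"{key}: {report[key]}")
```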