Re: Assign Domain Security Policy/Manage remote computer
From: Martin (x@y.z)
Date: 03/29/03
From: "Martin" <x@y.z> Date: Sat, 29 Mar 2003 19:46:48 -0000
Steve,
After running ipconfig /registerdns on the client, I got the following
system event log warning:
Source LSASRV
Category SPNEGO (Negotiator)
Event ID 40961
"The security system could not establish a secured connection with the
server DNS/prisoner.iana.org. No authentication protocol was available."
Never heard of prisoner.iana.org
On running netdiag /fix, the DC list test still fails. Yes DC discover,
and domain membership tests both pass.
With the LDAP test (which passes), I get a warning:
You are logged on as a local user. Cannot test NTLM authentication to
<active directory box>. Failed to query SPN registration on <active
directory box>
Not tried grabbing gpresult yet.
Must go now.
Thanks again for all your help.
Have a good weekend yourself.
Cheers
Martin
"Steven L Umbach" <sumbach@ameritech.net> wrote in message
news:NQmha.500$kd1.426871@newssrv26.news.prodigy.com...
> Hmm. If the dc discover, domain membership, and everything else passed
> though you might be OK, but I am not sure. Try on the client computer -
> ipconfig /registerdns and then netdiag /fix. Then try running netdiag
> again. Also the gpresult tool will help you troubleshoot the problem and see
> if domain group policy has ever been applied to that computer. Have a good
> weekend. --- Steve
>
> http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
>
> "Martin" <x@y.z> wrote in message
> news:eNjNCFi9CHA.1868@TK2MSFTNGP12.phx.gbl...
> > Hi Steve,
> >
> > Done that now. Interesting - the DC list test fails.
> >
> > Nothing else of note.
> >
> > Any thoughts on the DC list failure?
> >
> > Your help is much appreciated - especially given it's Saturday.
> > Unfortunately, I'm going to have to quit this in about 30 minutes.
> >
> > Thanks again
> > Martin
> >
> > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > news:6%lha.485$kd1.414326@newssrv26.news.prodigy.com...
> > > Netdiag will need to be installed. You can download from MS or install
> > > from XP cdrom under support/tools folder - run setup file there for tools.
> > > XP machine must be joined to domain to use domain group policies. I would
> > > recommend unassign ipsec domain policy until you can verify that XP box is
> > > joined to domain and communicating with dc as should be using netdiag. Do
> > > not use require (secure server) policy on dc as it seems to cause unreliable
> > > communications with domain clients and will not allow new workstations to be
> > > joined to the domain. --- Steve
> > >
> > > "Martin" <x@y.z> wrote in message
> > > news:ONIpFph9CHA.1680@TK2MSFTNGP12.phx.gbl...
> > > > Hi Steve,
> > > >
> > > > I've run netdiag and dcdiag on the domain controller (Active Directory
> > > > server), nothing fails a few netdiag tests are passed namely:
> > > > WINS service test (none configured)
> > > > Trust relationship (none configured).
> > > >
> > > > All dcdiag tests pass.
> > > >
> > > > The dc does refer to itself as its DNS server.
> > > > My client is a Windows XP Pro box. I can't find any reference to netdiag
> > > > for this OS. Any ideas?
> > > >
> > > > It was not configured to use the DC dns server, but now has that as its
> > > > primary DNS server.
> > > >
> > > > Not done anything more with the IPSec config yet, except it now specifies
> > > > specific IP addresses at both source and destination.
> > > >
> > > > Thanks again
> > > > Martin
> > > >
> > > >
> > > >
> > > >
> > > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > > news:FQjha.328$kd1.378217@newssrv26.news.prodigy.com...
> > > > > I would recommend running netdiag and dcdiag on your domain controller
> > > > > to see if it is set up properly, especially with regards to dns zone
> > > > > creation and dns srv records. The dc needs to be pointing to itself, by its
> > > > > assigned ip address, as its primary dns server. The clients need to point
> > > > > to the dc as their dns server. Run netdiag on the client computers to see if
> > > > > they are correctly configured. As far as ipsec policy. I recommend that you
> > > > > assign the "request" (not require) policy to the domain controllers via
> > > > > domain controllers group/security policy if you need to include them. Then
> > > > > assign whatever you require to the rest of the domain computers - usually
> > > > > client (respond only) to workstations and request/require to servers based
> > > > > on their security needs. Computers of course will need to be in domain/OU
> > > > > where policy is implemented. Only W2K/XP computers can implement ipsec, so
> > > > > if you have any W9X or NT4.0 computers they will not be able to communicate
> > > > > with any computers requiring ipsec. Use ipsecmon to monitor and
> > > > > troubleshoot ipsec security associations. If you do implement ipsec on the
> > > > > domain controllers you may want to create a policy exempting dns traffic to
> > > > > keep network communications responsive. --- Steve
> > > > >
> > > > > "Martin" <x@y.z> wrote in message
> > > > > news:eHQYN4S9CHA.3412@TK2MSFTNGP11.phx.gbl...
> > > > > > Hi,
> > > > > >
> > > > > > I've just setup active directory, and added other computers to the new
> > > > > > domain - maintained backwards compatibility with domains, though I did not
> > > > > > have a domain before.
> > > > > >
> > > > > > From my AD server, I can see the other computers and they can also see each
> > > > > > other.
> > > > > >
> > > > > > I have defined an IPSec policy that I want all computers in the domain to
> > > > > > adopt. I defined it in the Domain Security Policy section on my AD server.
> > > > > > How do I apply it to the other computers in my domain? Simply doing assign
> > > > > > by the new policy doesn't seem to work - though there may be an error in my
> > > > > > policy settings.
> > > > > > Roughly the policy has IP filter source My Address, dest Any IP Address, All
> > > > > > protocols, and mirror. I had previously used a similar policy explicitly
> > > > > > setup on two separate computers to secure traffic between the two. Now I
> > > > > > want to have a policy that is administered from AD.
> > > > > >
> > > > > > I believe I don't need to define this policy anywhere else, but each computer
> > > > > > in my domain needs to adopt it - how do I make that happen?
> > > > > >
> > > > > > I tried to do Computer Management on one of the domain members, from my AD
> > > > > > server, but although I can browse to it, and the shares fine, I can't do
> > > > > > Computer Management of it from my AD server. I can see the name when I'm
> > > > > > asked what computer to manage, but it then says "Computer \\mc1.domain.com
> > > > > > cannot be managed. The network path was not found."
> > > > > >
> > > > > > Help!
> > > > > >
> > > > > > Thanks
> > > > > > Martin
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
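Added example, not part of the thread: a triage helper for the LSASRV 40961 warning quoted at the top of this message, showing why `ipconfig /registerdns` can end up naming prisoner.iana.org. It assumes the public AS112 delegation of private reverse zones (RFC 6304); the client address, zone list and verdict strings are hypothetical.

```python
import ipaddress
import re

# Reverse zones for private and link-local IPv4 space are delegated on the
# public Internet to the AS112 sink servers (RFC 6304); their SOA names
# prisoner.iana.org as primary, which is where a dynamic PTR update ends up
# when no internal reverse lookup zone answers first.
AS112_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
AS112_HOSTS = {"prisoner.iana.org", "blackhole-1.iana.org", "blackhole-2.iana.org"}

# Matches the LSASRV 40961 message text and captures the SPN service and host.
EVENT_RE = re.compile(r"connection with the\s+server\s+(\w+)/([\w.-]+?)\.\s", re.I)


def parse_40961(text):
    """Return (service, host) from a 40961 message, or None if it does not match."""
    m = EVENT_RE.search(text)
    return (m.group(1).upper(), m.group(2).lower()) if m else None


def covered_by(ptr_name, zones):
    """True if ptr_name is inside one of the reverse zones hosted internally."""
    return any(ptr_name == z or ptr_name.endswith("." + z)
               for z in (z.lower().rstrip(".") for z in zones))


def diagnose(event_text, client_ip, internal_reverse_zones):
    """Classify a 40961 warning logged after 'ipconfig /registerdns'."""
    spn = parse_40961(event_text)
    if spn is None:
        return "not-a-40961-message"
    service, host = spn
    if service != "DNS" or host not in AS112_HOSTS:
        return "other-target"          # a real server refused auth; look there
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in AS112_NETS):
        return "unexpected-as112"      # public address should not hit AS112
    if covered_by(ip.reverse_pointer, internal_reverse_zones):
        return "client-not-using-internal-dns"
    return "missing-internal-reverse-zone"


# Constructed sample: message text as quoted in the thread, hypothetical client IP.
SAMPLE = ("The security system could not establish a secured connection with the\n"
          "server DNS/prisoner.iana.org. No authentication protocol was available.")

if __name__ == "__main__":
    print(diagnose(SAMPLE, "192.168.1.20", []))
    print(diagnose(SAMPLE, "192.168.1.20", ["1.168.192.in-addr.arpa"]))
```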