Re: Assign Domain Security Policy/Manage remote computer

From: Steven L Umbach (sumbach@ameritech.net)
Date: 03/29/03


From: "Steven L Umbach" <sumbach@ameritech.net>
Date: Sat, 29 Mar 2003 21:10:08 GMT


Apparently your computer is trying to register with one of the internet's
"black hole" dns servers. I still suspect your client is not configured
correctly for dns. In tcp/ip properties make sure it is configured to use
the dc as its dns server and NO other dns servers are listed. My guess is
you have an ISP dns server listed also. Use ipconfig /all to confirm only
the dc is listed as dns server. Then reboot the client and run ipconfig
/registerdns again. If still having problems I would try
disjoining/rejoining the domain and if successful domain security policies
should be in place. Have a good weekend. --- Steve

http://archives.neohapsis.com/archives/incidents/2002-09/0059.html

"Martin" <x@y.z> wrote in message
news:uIPsxvi9CHA.1932@TK2MSFTNGP12.phx.gbl...
> Steve,
>
> After running ipconfig /registerdns on the client, I got the following
> system event log warning:
> Source LSASRV
> Category SPNEGO (Negotiator)
> Event ID 40961
>
> "The security system could not establish a secured connection with the
> server DNS/prisoner.iana.org. No authentication protocol was available."
>
> Never heard of prisoner.iana.org.
>
> On running netdiag /fix, the DC list test still fails. Yes, DC discover
> and domain membership tests both pass.
>
> With the LDAP test (which passes), I get a warning:
> You are logged on as a local user. Cannot test NTLM authentication to
> <active directory box>. Failed to query SPN registration on <active
> directory box>
>
> Not tried grabbing gpresult yet.
>
> Must go now.
>
> Thanks again for all your help.
> Have a good weekend yourself.
>
> Cheers
> Martin
>
> "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> news:NQmha.500$kd1.426871@newssrv26.news.prodigy.com...
> > Hmm. If the dc discover, domain membership, and everything else passed
> > though you might be OK, but I am not sure. Try on the client computer -
> > ipconfig /registerdns and then netdiag /fix. Then try running netdiag
> > again. Also the gpresult tool will help you troubleshoot the problem and
> > see if domain group policy has ever been applied to that computer. Have
> > a good weekend. --- Steve
> >
> > http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
> >
> > "Martin" <x@y.z> wrote in message
> > news:eNjNCFi9CHA.1868@TK2MSFTNGP12.phx.gbl...
> > > Hi Steve,
> > >
> > > Done that now. Interesting - the DC list test fails.
> > >
> > > Nothing else of note.
> > >
> > > Any thoughts on the DC list failure?
> > >
> > > Your help is much appreciated - especially given it's Saturday.
> > > Unfortunately, I'm going to have to quit this in about 30 minutes.
> > >
> > > Thanks again
> > > Martin
> > >
> > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > news:6%lha.485$kd1.414326@newssrv26.news.prodigy.com...
> > > > Netdiag will need to be installed. You can download from MS or
> > > > install from the XP cdrom under the support/tools folder - run the
> > > > setup file there for tools. The XP machine must be joined to the
> > > > domain to use domain group policies. I would recommend unassigning
> > > > the ipsec domain policy until you can verify that the XP box is
> > > > joined to the domain and communicating with the dc as it should be,
> > > > using netdiag. Do not use the require (secure server) policy on the
> > > > dc as it seems to cause unreliable communications with domain clients
> > > > and will not allow new workstations to be joined to the domain.
> > > > --- Steve
> > > >
> > > > "Martin" <x@y.z> wrote in message
> > > > news:ONIpFph9CHA.1680@TK2MSFTNGP12.phx.gbl...
> > > > > Hi Steve,
> > > > >
> > > > > I've run netdiag and dcdiag on the domain controller (Active
> > > > > Directory server); nothing fails, a few netdiag tests are passed,
> > > > > namely:
> > > > > WINS service test (none configured)
> > > > > Trust relationship (none configured).
> > > > >
> > > > > All dcdiag tests pass.
> > > > >
> > > > > The dc does refer to itself as its DNS server.
> > > > > My client is a Windows XP Pro box. I can't find any reference to
> > > > > netdiag for this OS. Any ideas?
> > > > >
> > > > > It was not configured to use the DC dns server, but now has that
> > > > > as its primary DNS server.
> > > > >
> > > > > Not done anything more with the IPSec config yet, except it now
> > > > > specifies specific IP addresses at both source and destination.
> > > > >
> > > > > Thanks again
> > > > > Martin
> > > > >
> > > > > "Steven L Umbach" <sumbach@ameritech.net> wrote in message
> > > > > news:FQjha.328$kd1.378217@newssrv26.news.prodigy.com...
> > > > > > I would recommend running netdiag and dcdiag on your domain
> > > > > > controller to see if it is set up properly, especially with
> > > > > > regards to dns zone creation and dns srv records. The dc needs
> > > > > > to be pointing to itself, by its assigned ip address, as its
> > > > > > primary dns server. The clients need to point to the dc as their
> > > > > > dns server. Run netdiag on the client computers to see if they
> > > > > > are correctly configured. As far as ipsec policy, I recommend
> > > > > > that you assign the "request" (not require) policy to the domain
> > > > > > controllers via the domain controllers group/security policy if
> > > > > > you need to include them. Then assign whatever you require to the
> > > > > > rest of the domain computers - usually client (respond only) to
> > > > > > workstations and request/require to servers based on their
> > > > > > security needs. Computers of course will need to be in the
> > > > > > domain/OU where the policy is implemented. Only W2K/XP computers
> > > > > > can implement ipsec, so if you have any W9X or NT4.0 computers
> > > > > > they will not be able to communicate with any computers requiring
> > > > > > ipsec. Use ipsecmon to monitor and troubleshoot ipsec security
> > > > > > associations. If you do implement ipsec on the domain controllers
> > > > > > you may want to create a policy exempting dns traffic to keep
> > > > > > network communications responsive. --- Steve
> > > > > >
> > > > > > "Martin" <x@y.z> wrote in message
> > > > > > news:eHQYN4S9CHA.3412@TK2MSFTNGP11.phx.gbl...
> > > > > > > Hi,
> > > > > > >
> > > > > > > I've just set up Active Directory, and added other computers
> > > > > > > to the new domain - maintained backwards compatibility with
> > > > > > > domains, though I did not have a domain before.
> > > > > > >
> > > > > > > From my AD server, I can see the other computers and they can
> > > > > > > also see each other.
> > > > > > >
> > > > > > > I have defined an IPSec policy that I want all computers in the
> > > > > > > domain to adopt. I defined it in the Domain Security Policy
> > > > > > > section on my AD server. How do I apply it to the other
> > > > > > > computers in my domain? Simply doing assign by the new policy
> > > > > > > doesn't seem to work - though there may be an error in my
> > > > > > > policy settings.
> > > > > > > Roughly the policy has IP filter source My Address, dest Any IP
> > > > > > > Address, All protocols, and mirror. I had previously used a
> > > > > > > similar policy explicitly set up on two separate computers to
> > > > > > > secure traffic between the two. Now I want to have a policy
> > > > > > > that is administered from AD.
> > > > > > >
> > > > > > > I believe I don't need to define this policy anywhere else, but
> > > > > > > each computer in my domain needs to adopt it - how do I make
> > > > > > > that happen?
> > > > > > >
> > > > > > > I tried to do Computer Management on one of the domain members,
> > > > > > > from my AD server, but although I can browse to it, and the
> > > > > > > shares fine, I can't do Computer Management of it from my AD
> > > > > > > server. I can see the name when I'm asked what computer to
> > > > > > > manage, but it then says "Computer \\mc1.domain.com cannot be
> > > > > > > managed. The network path was not found."
> > > > > > >
> > > > > > > Help!
> > > > > > >
> > > > > > > Thanks
> > > > > > > Martin


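Steve's first check in the thread, confirming with ipconfig /all that the client lists only the domain controller as its DNS server, can be scripted so it is repeatable across a fleet. The script below is an added example, not code from the thread or from Microsoft: it parses ipconfig /all output (a constructed sample in that layout is embedded; the adapter names, the addresses and the assumed DC address 192.168.1.10 are all made up) and reports every adapter that carries a DNS server outside the allowed set, which is exactly what a client with an ISP resolver listed alongside the DC would show. Continuation lines, where ipconfig prints the second and later DNS servers without a field label, are handled.

```python
"""Flag Windows clients whose adapters list a non-DC DNS server.

Added example (not from the thread): parses `ipconfig /all` text and
reports DNS servers outside an allowed set. Feed it a capture with
`ipconfig /all > ipconfig.txt` and `python check_dns.py < ipconfig.txt`;
with no stdin it runs against the constructed sample below.
"""
import re
from typing import Dict, List

# Constructed sample in the `ipconfig /all` layout (hypothetical adapters and
# addresses). The first adapter lists an ISP resolver after the DC, the
# misconfiguration Steve suspects; the second is clean.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : mc1
   Primary Dns Suffix  . . . . . . . : domain.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : domain.com
   IP Address. . . . . . . . . . . . : 192.168.1.25
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.10
                                       203.0.113.53

Ethernet adapter Wireless Network Connection:

   IP Address. . . . . . . . . . . . : 192.168.1.26
   DNS Servers . . . . . . . . . . . : 192.168.1.10
"""

ADAPTER_RE = re.compile(r"^\S.*adapter (.+):\s*$")      # "Ethernet adapter X:"
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")         # "   Name . . . : value"
IP_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")  # unlabeled IPv4 continuation


def parse_dns_servers(text: str) -> Dict[str, List[str]]:
    """Return {adapter name: [DNS servers in listed order]} from ipconfig /all output."""
    servers: Dict[str, List[str]] = {}
    adapter = None
    in_dns = False  # True while reading continuation lines of a "DNS Servers" field
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            adapter = m.group(1)
            servers[adapter] = []
            in_dns = False
            continue
        if adapter is None:          # global header before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            name, value = m.group(1).strip(), m.group(2).strip()
            in_dns = name.lower().startswith("dns servers")
            if in_dns and value:
                servers[adapter].append(value)
            continue
        m = IP_RE.match(line)
        if m and in_dns:             # second and later servers have no label
            servers[adapter].append(m.group(1))
            continue
        in_dns = False               # blank line or another field ends the list
    return servers


def find_foreign_dns(servers: Dict[str, List[str]], allowed: List[str]) -> Dict[str, List[str]]:
    """Return {adapter: [servers not in allowed]} for adapters that list any."""
    allowed_set = set(allowed)
    return {
        adapter: [s for s in lst if s not in allowed_set]
        for adapter, lst in servers.items()
        if any(s not in allowed_set for s in lst)
    }


if __name__ == "__main__":
    import sys
    text = SAMPLE_IPCONFIG if sys.stdin.isatty() else sys.stdin.read()
    report = find_foreign_dns(parse_dns_servers(text), ["192.168.1.10"])  # assumed DC address
    if not report:
        print("OK: every adapter lists only the domain controller for DNS")
    for adapter, bad in report.items():
        print(f"{adapter}: non-DC DNS server(s) {', '.join(bad)} listed; "
              "remove them, reboot, then rerun ipconfig /registerdns")
```

The check is deliberately strict (any server outside the allowed set is reported, whatever its position), because a client will use an alternate resolver whenever the primary is slow or unreachable, and a resolver outside the domain cannot answer the SRV lookups or accept the dynamic registration the thread is troubleshooting.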
