Re: Child/Parent Domain sanity Check
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 10/01/05
- Next message: Steven L Umbach: "Re: Too many Logon/Logoff security log entries"
- Previous message: Steven L Umbach: "Re: KIOSK MODE?"
- In reply to: James Fabulous: "Re: Child/Parent Domain sanity Check"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 30 Sep 2005 17:39:02 -0500
Thanks for reporting back what you found out as that is helpful information.
I am a bit surprised that computer browser service being stopped could cause
such a problem and all the usual tests did not indicate that it was a
problem. My assumption was that this server was not a domain controller. I
know that users sometimes disable the tcp/ip NetBIOS helper service thinking
it will improve security but it is an essential service. My understanding
was that the computer browser service would allow a computer to be a master
browser or backup browser but if disabled the computer should still be able
to find a master browser to find computer/shares for My Network Places
though a domain controller such as a pdc fsmo wants to be the domain master
browser always and should not have that service disabled. It would have
been interesting to see if you had the same problem trying to access the
server by its IP address instead of name [again assuming it is not a domain
controller]. Anyhow, I did look at the Windows 2003 Server Security Guide and
they do recommend that the computer browser service be set to automatic for
baseline server even for high security situations so it maybe has some
importance other than allowing a computer to be master browser/backup
browser. It can be difficult to determine exactly what services need to be
running on a server based on its role without referring to documentation
that is not always easy for everyone to find. When I do have a problem I do
find it useful to take a look at the services via services.msc set to start
automatically and see if any of them are not running. --- Steve
"James Fabulous" <James.Fabulous@hotmail.com> wrote in message
news:eNraqIgxFHA.1256@TK2MSFTNGP09.phx.gbl...
> Steven,
>
> First of all - Thank You. What you say is correct, and I had already
> tested all of the points you mention below (I apologise if my query wasn't
> specific enough; sometimes that scares people from replying).
> DNS-correct,
> WINS (I know, I know - Symantec requires it)-correct, netdiag-correct,
> dcdiag /a-correct, DNS servers-correct, IPsec-correct. This was a very
> exhaustive process and you may be thinking so what the heck was it? The
> target server lacked 1 running service - the computer browser was set to
> automatic but had been stopped manually by one of the application
> administrators.
>
> I've been working with NT/AD for a good long time and never noticed this
> issue before so FYI :-)
>
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:kf2dnbLqdfYJhabeRVn-tQ@comcast.com...
>> This often indicates a dns problem or some sort of network connectivity
>> problem. What I would do is to run netdiag on both the client computer and
>> the server the user wants to remote into and run dcdiag /a and netdiag on
>> the pdc fsmo domain controller in each domain to see if any related problems
>> are found. You should also be able to use nslookup to resolve the fully
>> qualified domain name of any domain computer in the forest from any domain
>> computer in the forest and I would start with the domain computer trying to
>> access the server in the other domain. Also make sure that there are NO ISP
>> dns servers listed as a preferred dns server for any domain computer in the
>> domain. If you have delegated the child dns zone to the dns servers in the
>> child domain [probably domain controllers] you will need to create a
>> secondary dns zone for the parent domain on dns servers in the child domain
>> or if using Windows 2003 domain controllers you could use conditional
>> forwarding, stub zones, or configure dns to replicate to all dns
>> servers/domain controllers in the forest. The link below explains how to
>> configure DNS for Active Directory. Ipsec policies can also cause problems
>> if not configured correctly. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
>>
>> "James Fabulous" <James.Fabulous@hotmail.com> wrote in message
>> news:OyFzncGxFHA.2232@TK2MSFTNGP11.phx.gbl...
>> > Having some issues that I'm trying to work through:
>> > A user from parent domain A wants to RDP to server in Child domain B
>> > The user from A doesn't have a user account in B - but his account is a
>> > member of a universal group in A which is a member of a universal group by
>> > the same name in B that is a member of the administrators group of the
>> > target machine.
>> >
>> > Error is: "the specified domain does not exist or could not be contacted"
>> > or
>> > "The system cannot log you on because the domain is not available"
>> > tried: user, password, A
>> > user@a.com, password
>> > A\user, password
>> > A.com\user, password
>> > all fail. Even when we test with a domain admin from A we get the same
>> > error.
>> >
>> > This has previously worked, and from what I can tell via NLtests netlogon
>> > is working properly and the domains are replicating normally. The DC for B
>> > can see the member group from A and enumerate its users on the members
>> > tab.
>> > Target machine is 2000 running terminal services in administration mode.
>> >
>> >
>>
>>
>
>
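The check Steve describes at the end of his reply (look through the services set to start automatically and see which are not running), as an added PowerShell example that is not part of the thread. It assumes the Win32_Service CIM class is reachable on the target (locally, or remotely over WinRM), and uses the service short names Browser (Computer Browser) and lmhosts (TCP/IP NetBIOS Helper) for the two services the thread discusses.

```powershell
# Added example, not from the original posts. Lists services whose start mode
# is Automatic but which are not running, then reports on the two services the
# thread names. Delayed-start and trigger-start services also report 'Auto',
# so a stopped entry here is a lead to investigate, not proof of a fault.
function Get-StoppedAutoService {
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' } |
        Select-Object Name, DisplayName, StartMode, State, ExitCode
}

function Test-EssentialService {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Assumed list for this check: the two services discussed in the thread.
        [string[]]$Name = @('Browser', 'lmhosts')
    )

    foreach ($n in $Name) {
        # Computer Browser is absent on current Windows builds without SMBv1,
        # so handle "not installed" separately from "installed but stopped".
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName -Filter "Name='$n'"
        if (-not $svc) {
            [pscustomobject]@{ Computer = $ComputerName; Name = $n; StartMode = 'n/a'; State = 'NotInstalled'; Healthy = $false }
            continue
        }
        [pscustomobject]@{
            Computer  = $ComputerName
            Name      = $svc.Name
            StartMode = $svc.StartMode
            State     = $svc.State
            # "Healthy" here means what the security guide baseline expects:
            # set to Automatic and actually running.
            Healthy   = ($svc.StartMode -eq 'Auto' -and $svc.State -eq 'Running')
        }
    }
}

Get-StoppedAutoService | Format-Table -AutoSize
Test-EssentialService  | Format-Table -AutoSize
```

Pass -ComputerName to both functions to run the same check against the target server from an admin workstation, which is the situation in the thread (the stopped service was on the server being connected to, not on the client).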