Re: Forced client disconnect problem.



That certainly can be a problem and often the problem will be intermittent
as often the first DNS server in the list is used but many times the second
or third dns server in the list can be used if there is any time lag in the
first DNS server responding. The KB article [and the stuff I pasted below]
tells how to use an ISP DNS server for DNS name resolution for internet
hosts by having your domain controller forward to it any DNS queries it can
not resolve. --- Steve

Windows 2000/2003 can take advantage of DNS forwarders. This feature
forwards DNS requests to external servers. If a DNS server cannot find a
resource record in its zones, it can send the request to another DNS server
for additional attempts at resolution. A common scenario might be to
configure forwarders to your ISP's DNS servers.


To Configure Forwarders
1. In DNS Manager, right-click the DNS Server object, and then click
Properties.
2. Click the Forwarders tab.
3. Click to select the Enable Forwarders check box.
4. In the IP address box, type the first DNS server to which you want
to forward, and then click Add.
5. Repeat step 4 until you have added all the DNS servers to which you
want to forward.


If you cannot configure forwarders, remove the root DNS zone.
To Remove the Root DNS Zone
1. In DNS Manager, expand the DNS Server object. Expand the Forward
Lookup Zones folder.
2. Right-click the "." zone, and then click Delete.


"Gerry Armstrong" <gerrya@xxxxxxxxxxx> wrote in message
news:11pbl0u6bag1j1b@xxxxxxxxxxxxxxxxxxxxx
> Steven,
> Thanks for this info, it is very interesting as I have an ISP DNS
> configured as the secondary DNS controller so maybe that is causing my
> problems?
>
> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
> news:%23s4PLgo%23FHA.3388@xxxxxxxxxxxxxxxxxxxxxxx
>> The time service should definitely be running on all computers in a
>> domain though that may not be the problem. By default kerberos only
>> allows for a 5 minute time skew to prevent replay attacks. Domain
>> computers will synch their time with the pdc fsmo domain controller.
>> Since the users can not save a file to a network server the problem could
>> also be network related or name resolution related. I would also run the
>> support tool netdiag on the domain controller, the file server, and a
>> couple domain workstations looking for problems for dns, dc discovery,
>> and trust/secure channel. If netdiag shows ipsec is configured on any
>> computer that can also cause problems if it is not configured correctly
>> as domain controllers need to be exempt for ipsec for any protocol used
>> for authentication between it and domain clients.
>>
>> Often DNS misconfiguration is the root of many connectivity problems. See
>> the link below on AD DNS FAQ to see how DNS MUST be configured for an AD
>> domain. The short of it is that domain controllers need to point to
>> themselves and/or other domain controllers only as their preferred DNS
>> server and the pdc FSMO usually points only to itself. Then the domain
>> computers point only to domain controllers as their DNS preferred server.
>> Often you will see that if any ISP DNS servers are listed as a preferred
>> DNS server for any domain computer many problems will occur. --- Steve
>>
>> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
>>
>> "Gerry Armstrong" <gerrya@xxxxxxxxxxx> wrote in message
>> news:11pavklk9agtu8e@xxxxxxxxxxxxxxxxxxxxx
>>> Steve,
>>>
>>> I have not been on site as yet to see this problem for myself but what
>>> is reported is that the users are logged in and then try to save a file
>>> or some similar process and are told that the drive is not available or
>>> a similar error relating to not being able to access the fileserver. I
>>> have not checked the logs on a client but the logs on the servers do not
>>> indicate any errors at all which is what is confusing me.
>>>
>>> I noticed when running secpol.msc that the option "Microsoft network
>>> server: Disconnect clients when logon hours expire" was "enabled" so I
>>> have now disabled that. The force logoff when logon hours expire is
>>> disabled and I have the users logon hours set to be any time.
>>>
>>> I ran the dcdiag and found that the Time Service gave me some errors and
>>> noticed that the service was turned off on the SBS2003 server. Should
>>> both Domain servers have this service enabled? Will this cause the
>>> problem that I am having? I am also applying the latest service packs to
>>> the SBS2003 server as I write this, no errors so far.
>>>
>>>
>>>
>>> "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxx> wrote in message
>>> news:OocRt7g%23FHA.740@xxxxxxxxxxxxxxxxxxxxxxx
>>>> What are they being disconnected from and what error or warning message
>>>> do they get or what happens?? Look in the logs via Event Viewer of the
>>>> domain controller, the domain client, and any server they are being
>>>> disconnected from to see if any pertinent logon failure or other events
>>>> are being recorded. Make sure that auditing of logon events for success
>>>> and failure is enabled in Domain Security Policy. By default Windows
>>>> 2003 servers should have this enabled. Though it should not matter
>>>> [since accounts are not restricted] check the Local Security Policy
>>>> [secpol.msc] to make sure that Network Security: Force logoff when
>>>> logon hours expire is shown as disabled. Also when this happens see if
>>>> the client computers can ping the servers by name and IP address to see
>>>> if basic network security exists or not and check the servers to make
>>>> sure that the server service is started and run the support tool
>>>> netdiag on them to see if any problems are found that may be related.
>>>> It would also be a good idea to run dcdiag and gpotool on your domain
>>>> controllers to check for their domain configuration health. The support
>>>> tools are on the install disk in the support/tools folder where you
>>>> have to run the setup program. --- Steve
>>>>
>>>>
>>>> "Gerry Armstrong" <gerrya@xxxxxxxxxxx> wrote in message
>>>> news:11p8tl7qtt6ni9c@xxxxxxxxxxxxxxxxxxxxx
>>>>>I have a problem with my clients being disconnected from the network at
>>>>>the same time every day that is driving me around the bend. I have set
>>>>>the Network Security: Force logoff when logon hours expire policy to
>>>>>Disable but it is still happening. I have also checked that the Logon
>>>>>Hours for the users has no time restrictions at all so they should have
>>>>>access to the network at any time of day. The domain consists of a
>>>>>SBS2003 server and a 2003 Standard server both Domain controllers and
>>>>>25 Windows 2000/XP Pro clients. Currently the SBS2003 server is only
>>>>>providing Exchange services and is not being used as a file server, the
>>>>>2003 Standard server is providing fileservices only.
>>>>>
>>>>> Is there something I am missing here? Any suggestions as to what I
>>>>> should look for?
>>>>>
>>>>> Thanks for any input guys.
>>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
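Added example, not part of the original thread: a small audit of collected `ipconfig /all` output that flags any domain machine listing a DNS server other than a domain controller, the misconfiguration discussed above. The domain controller addresses, host names and sample output are constructed for illustration.

```python
import re

# Assumption: addresses of the two domain controllers (constructed values).
DOMAIN_CONTROLLERS = {"192.168.1.10", "192.168.1.11"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def dns_servers(ipconfig_text):
    """Return the DNS servers, in listed order, from `ipconfig /all` output."""
    servers, in_dns = [], False
    for line in ipconfig_text.splitlines():
        text = line.strip()
        if text.startswith("DNS Servers"):
            in_dns = True
            text = text.rsplit(":", 1)[1].strip()  # value after the dotted label
        elif not in_dns:
            continue
        if IPV4.match(text):
            servers.append(text)   # first entry or an indented continuation line
        else:
            in_dns = False         # next label or blank line ends the list
    return servers

def audit(hosts):
    """Map host name -> DNS servers that are not domain controllers."""
    findings = {}
    for name, text in hosts.items():
        foreign = [s for s in dns_servers(text) if s not in DOMAIN_CONTROLLERS]
        if foreign:
            findings[name] = foreign
    return findings

# Constructed sample output; 203.0.113.53 stands in for an ISP resolver.
SAMPLE = {
    "WS01": """Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.50
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            203.0.113.53
        Lease Obtained. . . . . . . . . . : (constructed)
""",
    "WS02": """Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.51
        DNS Servers . . . . . . . . . . . : 192.168.1.10
                                            192.168.1.11
""",
}

if __name__ == "__main__":
    for host, bad in audit(SAMPLE).items():
        print(f"{host}: non-DC DNS servers listed: {', '.join(bad)}")
```

A secondary entry counts as a finding here because, as the reply notes, the second or third server in the list is used whenever the first is slow to respond.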

