Re: Adding domain users to local Administrator group
From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: 05/26/03
- Next message: Roger Abell [MVP]: "Re: plain text passwords"
- Previous message: Roger Abell [MVP]: "Re: NTFS & FAT32 File Systems"
- In reply to: Brad Leppla: "Re: Adding domain users to local Administrator group"
- Next in thread: Brad Leppla: "Re: Adding domain users to local Administrator group"
- Reply: Brad Leppla: "Re: Adding domain users to local Administrator group"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 25 May 2003 17:33:44 -0700
Thanks for the update Brad. Makes sense.
Did you create a MX record in the internal DNS zone that
points to the A record for mail.yourdomain.com ?
I am a little confused by what you say
> receive. I have created A records in our internal DNS server that point to
> the DNS servers authoritative for our domain name for both the
> www.ourdomainname.com and mail.ourdomainname.com but to no avail as far as
> email functionality is concerned. Any ideas?
What you want is internal records that point directly to the
www and mail servers themselves, not that point to the DNS
servers that know about them (I am assuming some things
about ourdomainname.com being used inside and outside).
If different, then things should "just work" unless the www and
mail are such as www.outer.ourdomainname.com and your AD
is ourdomainname.com, in which case you need a stub zone
to point to the DNS for the outer DNS subzone.
Roger
"Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
news:e1epIzNIDHA.2180@TK2MSFTNGP11.phx.gbl...
> Roger,
>
> We are functional now and here is the answer: it was in fact DNS. I
> erroneously thought that W2K3 was like W2K server insofar as DNS creating
> the "." folder in the Forward Lookup Zone is concerned. I couldn't find it
> and figured (correctly) that MS had removed this "feature" so that DNS
> wouldn't think it was authoritative for the world. What I failed to do,
> though, was set up DHCP DNS entries so that they would point only to the
> internal DNS server. Therefore, we had workstations that were registering
> with DNS dynamically but did not know about the internal DNS server for
> internal name resolution. The reason that some workstations could add domain
> accounts to the local admin group was that in the course of troubleshooting,
> we had added the internal DNS server to the workstation's TCP/IP properties.
> So yeah, it had no problem resolving internal names! Once I corrected this,
> we had no problems adding domain accounts to the local Admin group. The
> answer started to reveal itself when we started examining the DNS
> configuration after we discovered that we could not surf to our own web site
> from inside the network. And yes, we had named our internal domain the same
> as our externally registered domain name, hence the problem with surfing to
> our own web site hosted by another entity.
>
> But here is another rub. Our email is received through our domain name and
> worked fine prior to the introduction of W2K3. Now, with the same email
> configuration in Outlook (i.e. POP3 and SMTP servers remaining the same),
> when the workstation joins the domain it cannot get email to send or
> receive. I have created A records in our internal DNS server that point to
> the DNS servers authoritative for our domain name for both the
> www.ourdomainname.com and mail.ourdomainname.com but to no avail as far as
> email functionality is concerned. Any ideas?
>
> By the way, thanks for your help on the above matter. Next time I will not
> assume I have set it up correctly and take a closer look at helpful
> suggestions.
>
> Thanks,
>
> Brad Leppla
> --
> Brad Leppla
> University of Phoenix Faculty
> F0rres7@email.uophx.edu
> "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> news:uctl0xzHDHA.3804@tk2msftngp13.phx.gbl...
> > So you are in the clear and functional now ?
> > Was it the first discussed policy, or what ?
> > Thx,
> > Roger
> >
> > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > news:OydD4esHDHA.452@TK2MSFTNGP11.phx.gbl...
> > > Good advice - I would not have known to look for this. Thanks,
> > >
> > > Brad
> > >
> > > --
> > > Brad Leppla
> > > University of Phoenix Faculty
> > > F0rres7@email.uophx.edu
> > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > news:eHFRBSpHDHA.1612@TK2MSFTNGP11.phx.gbl...
> > > > Brad,
> > > >
> > > > There is one other policy that you need to check.
> > > > Make sure that the LAN Manager authentication levels will
> > > > have a way to agree. An XP client seems (for some reason
> > > > I cannot reason out) to default to not using NTLM v2. So,
> > > > if you have tried to restrict the domain down to only NTLM v2
> > > > (which AIUI one cannot actually do on domain controllers
> > > > even when the policy is at 5 which claims to do this) you
> > > > could have problems. I have seen this, but it is when the
> > > > XP tries to authenticate a session to a member.
> > > >
> > > > Roger
> > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > news:OSQ046gHDHA.1720@TK2MSFTNGP11.phx.gbl...
> > > > > Roger,
> > > > >
> > > > > I have not tried forcing the policy updates as yet but I will try it. I am
> > > > > also thinking that this may be very close to the real issue. Will post
> > > > > results when obtained.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Brad
> > > > >
> > > > > --
> > > > > Brad Leppla
> > > > > University of Phoenix Faculty
> > > > > F0rres7@email.uophx.edu
> > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > > news:#spEeSXHDHA.2172@TK2MSFTNGP12.phx.gbl...
> > > > > > Brad,
> > > > > >
> > > > > > That confirms it. Some people actually do think that there is
> > > > > > no "join the domain" step to be done at the client machine.
> > > > > >
> > > > > > Have you tried adjusting the policy and then forcing application
> > > > > > with gpupdate ?
> > > > > >
> > > > > > Roger
> > > > > >
> > > > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > > > news:uYivErUHDHA.1608@TK2MSFTNGP11.phx.gbl...
> > > > > > > > You still have not verified that, at the XP, you did join the machine to
> > > > > > > > the domain
> > > > > > >
> > > > > > > Other than having the domain name as a selectable item in the logon window
> > > > > > > and successfully logging on utilizing the very domain account which I want
> > > > > > > to add locally is there another form of verification that I am missing?
> > > > > > >
> > > > > > > Thanks for all your input. I now have two XP machines doing exactly the
> > > > > > > same thing but on two different networks. The other network is an AD-integrated
> > > > > > > W2K single DC setup. Very weird.
> > > > > > >
> > > > > > > Brad
> > > > > > >
> > > > > > > --
> > > > > > > Brad Leppla
> > > > > > > University of Phoenix Faculty
> > > > > > > F0rres7@email.uophx.edu
> > > > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > > > > news:OnSe$aPHDHA.2248@TK2MSFTNGP10.phx.gbl...
> > > > > > > > inlined . . .
> > > > > > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > > > > > news:OszurXPHDHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > > > > > I can see the machine name in the domain as displayed on the
> > > > > > > > > server.
> > > > > > > >
> > > > > > > > That only means the computer object exists, and you did say you
> > > > > > > > created it. You still have not verified that, at the XP, you did join
> > > > > > > > the machine to the domain.
> > > > > > > >
> > > > > > > > > I am
> > > > > > > > > sure that DNS is configured properly. We are using static TCP/IP settings as
> > > > > > > > > a legacy from the workgroup that did not include the W2K3 server DNS
> > > > > > > > > (because it did not exist). It is now the only DC running AD inside the
> > > > > > > > > domain. But if DNS was an issue, wouldn't W2K Professional workstations be
> > > > > > > > > having the same problem? WinXP is the only one having difficulties seeing
> > > > > > > > > the domain.
> > > > > > > >
> > > > > > > > Yes, I would think that rules out DNS.
> > > > > > > >
> > > > > > > > >
> > > > > > > > > Haven't tried the policy tweaking on the XP workstation as yet but I will.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Brad
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Brad Leppla
> > > > > > > > > University of Phoenix Faculty
> > > > > > > > > F0rres7@email.uophx.edu
> > > > > > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > > > > > > news:ePt3e#MHDHA.1024@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > > You mentioned creating the computer object in the domain,
> > > > > > > > > > but you did not mention joining the machine to the domain.
> > > > > > > > > > I assume that was done, that you can log in with a domain
> > > > > > > > > > account, and so you know the machine is in the domain.
> > > > > > > > > >
> > > > > > > > > > Two things have been interrupting XP at SP1 from interop
> > > > > > > > > > with domain control, but for your W2k3 AD I would hope
> > > > > > > > > > the second is not an issue.
> > > > > > > > > > 1. use the correct DNS server and only DNS servers that
> > > > > > > > > > can locate the AD supporting DNS zone(s)
> > > > > > > > > > 2. try disabling the policy on the XP client in the Security
> > > > > > > > > > Settings under Microsoft network client the ones to do
> > > > > > > > > > digital signing (either always or when server agrees)
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > > > > > > > news:eMZcroHHDHA.2220@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > > All,
> > > > > > > > > > >
> > > > > > > > > > > I have a twist to the seemingly easy process of adding a domain user account
> > > > > > > > > > > to the local administrator group in WXP Pro that seems to evade
> > > > > > > > > > > resolution (TechNet is no help). Whenever I attempt this process, clicking
> > > > > > > > > > > on the "Locations" button shows ONLY the local workstation, not the domain.
> > > > > > > > > > > In other words, it's as if the domain does not exist. Yet, I have
> > > > > > > > > > > successfully created, deleted, then recreated the computer account in the
> > > > > > > > > > > domain. Any thoughts? Configuration particulars:
> > > > > > > > > > >
> > > > > > > > > > > Windows Server 2003 Standard Edition with AD installed
> > > > > > > > > > >
> > > > > > > > > > > Windows 2000 Professional workstations have no problems adding domain user
> > > > > > > > > > > accounts to local Admin group
> > > > > > > > > > >
> > > > > > > > > > > Network consists of 17 PCs of various flavors (WinMe, W98, W2K Pro, WXP Pro)
> > > > > > > > > > > that existed in a workgroup prior to introduction of W2K3
> > > > > > > > > > >
> > > > > > > > > > > SP 1 applied to affected XP Pro workstation
> > > > > > > > > > >
> > > > > > > > > > > DNS configured to allow secure and unsecure dynamic updates
> > > > > > > > > > >
> > > > > > > > > > > WINS configured on network
> > > > > > > > > > >
> > > > > > > > > > > My thinking leads me to believe that it has something to do with local GPO
> > > > > > > > > > > on the workstation but I cannot reason out the location or the conditions
> > > > > > > > > > > which would affect a resolution. Any help would be appreciated as our
> > > > > > > > > > > migration project is now halted because of this problem.
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Brad Leppla
> > > > > > > > > > >
> > > > > > > > > > > solutions@network-professionals.net
> > > > > > > > > > >
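An added diagnostic, not from the thread or either poster, that checks from a domain-joined Windows client the things the discussion converged on: that the client uses only the DNS servers hosting the AD zone, that the DC locator record resolves, that the internal zone has its own www, mail and MX records for the split-brain domain name, and the two client policies Roger raised (LAN Manager authentication level and SMB signing). It assumes PowerShell 3 or later with the DnsClient module; the domain name and DNS server address are placeholders.

```powershell
# Added diagnostic, not from the thread. Run on the domain-joined client.
# $Domain and $InternalDnsServers are placeholders; replace them with your AD DNS
# name and the addresses of the DNS servers that host the AD zone.
param(
    [string]   $Domain             = 'ourdomainname.com',
    [string[]] $InternalDnsServers = @('192.0.2.10')   # constructed example address
)

# 1. DNS client settings: the root cause in the thread was clients that knew only
#    the external DNS servers, so any address outside the AD-hosting set is flagged.
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    $foreign = @($nic.ServerAddresses | Where-Object { $_ -notin $InternalDnsServers })
    if ($foreign.Count -gt 0) {
        Write-Warning "'$($nic.InterfaceAlias)' uses non-AD DNS server(s): $($foreign -join ', ')"
    }
}

# 2. DC locator SRV record: if this does not resolve, the client cannot find a DC,
#    which is what 'Locations' showing only the local machine looks like.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
try {
    $dc = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV'
    "DCs advertised for $Domain : $($dc.NameTarget -join ', ')"
} catch {
    Write-Warning "Cannot resolve $srv from this client: $($_.Exception.Message)"
}

# 3. Split-brain names: with the same name inside and out, the internal zone needs
#    A records for www and mail pointing at the hosts themselves, not at the public
#    DNS servers, plus an MX record so mail routing from inside keeps working.
foreach ($name in 'www', 'mail') {
    try {
        $a = Resolve-DnsName -Name "$name.$Domain" -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
        "$name.$Domain -> $($a.IPAddress -join ', ')"
    } catch {
        Write-Warning "$name.$Domain has no A record in the zone this client queries"
    }
}
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue | Where-Object Type -eq 'MX'
if ($mx) { "MX for $Domain -> $($mx.NameExchange -join ', ')" } else { Write-Warning "No MX record for $Domain in the zone this client queries" }

# 4. The two client-side policies raised earlier in the thread: LAN Manager
#    authentication level and SMB signing ('Microsoft network client: Digitally sign ...').
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lm  = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set (OS default)' }
"LmCompatibilityLevel: $lm"
$ws = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
"SMB signing (client): RequireSecuritySignature=$($ws.RequireSecuritySignature) EnableSecuritySignature=$($ws.EnableSecuritySignature)"
```

A client that passes check 1 but fails check 2 is the situation Brad described, where only the machines that had the internal DNS server added by hand could see the domain.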