Re: Adding domain users to local Administrator group
From: Brad Leppla (F0rres7_at_email.uophx.edu)
Date: 05/28/03
- Next message: Sherriel: "Windows Messanger Pop Ups"
- Previous message: Walter Cohen: "Re: Setting logon accounts"
- In reply to: Roger Abell [MVP]: "Re: Adding domain users to local Administrator group"
- Next in thread: Roger Abell [MVP]: "Re: Adding domain users to local Administrator group"
Date: Wed, 28 May 2003 06:07:43 -0600
Unfortunately, we are not allowed to mess with that stuff as it belongs to
another entity (another business in the building) that does not want any
changes made to their equipment. What I don't understand, though, is why
Outlook configurations suddenly don't work (at least insofar as receiving
mail is concerned) when our network changes seemingly have not changed any
part of that infrastructure. I agree that whatever proxy software may reside
on the router / firewall could be causing some of these problems, but what
has changed to make it so? This is what is unfathomable to me. Putting the
IP address of the POP server into the Outlook configuration should work
regardless of proxy filtering unless this IP address specifically was
blocked at the point of exit. But then why would it work on some machines
and not others?
Thanks,
Brad
--
Brad Leppla
University of Phoenix Faculty
F0rres7@email.uophx.edu

"Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
news:OULrm4#IDHA.2232@TK2MSFTNGP10.phx.gbl...
> > . . . Therefore, we have tried configuring Outlook to use the IP
> > address of their POP3 server and have had limited success.
>
> I would speculate then that any amount of DNS changing is
> not going to resolve this for you.
> Has the firewall and/or ISA/Proxy been changed in the process
> of the upgrades to W2k3 ?
>
> Roger
>
> "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> news:utoF0F6IDHA.1784@TK2MSFTNGP11.phx.gbl...
> > Roger,
> >
> > Have not created MX records internally that point to the A record for
> > mail.ourdomain.com. As I think about that statement, it seems obvious that
> > this is what should be done. I will try this and I suspect that this should
> > solve the problem.
> >
> > Our setup is as follows: mail is hosted by an outside entity that is not
> > associated with our website (i.e. this entity hosts only our mailboxes).
> > Once we made the cutover to W2K3 server, email became erratic (working on
> > some workstations and not others - there seems to be no rhyme or reason for
> > the failures). Users are on Outlook, not Outlook Express. Sending email is
> > no problem - the way this company had it set up prior to my arrival was that
> > outbound would be sent to the ISP's relay server and then out. Don't like
> > those types of setups but am unwilling to mess with it at the present until
> > we get inbound squared away. Inbound mail (POP3) server set up within
> > Outlook does not work as before. Therefore, we have tried configuring
> > Outlook to use the IP address of their POP3 server and have had limited
> > success. However, the one thing we have not tried which you suggest here is
> > to create an internal A record pointing to mail.ourdomainname.com and set
> > Outlook to use mail.ourdomainname.com as the POP3 server. Like I said, makes
> > sense now that I can stand back and look at it.
> >
> > Will post results here when I have a chance to revisit client.
> >
> > Thanks,
> >
> > Brad
> >
> > --
> > Brad Leppla
> > University of Phoenix Faculty
> > F0rres7@email.uophx.edu
> > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > news:ea77o5xIDHA.1772@TK2MSFTNGP10.phx.gbl...
> > > Thanks for the update Brad. Makes sense.
> > > Did you create a MX record in the internal DNS zone that
> > > points to the A record for mail.yourdomain.com ?
> > > I am a little confused by what you say
> > > > receive. I have created A records in our internal DNS server that point to
> > > > the DNS servers authoritative for our domain name for both the
> > > > www.ourdomainname.com and mail.ourdomainname.com but to no avail as far as
> > > > email functionality is concerned. Any ideas?
> > > What you want is internal records that point directly to the
> > > www and mail servers themselves, not that point to the DNS
> > > servers that know about them (I am assuming some things
> > > about ourdomainname.com being used inside and outside).
> > > If different, then things should "just work" unless the www and
> > > mail are such as www.outer.ourdomainname.com and your AD
> > > is ourdomainname.com, in which case you need a stub zone
> > > to point to the DNS for the outer DNS subzone.
> > >
> > > Roger
> > >
> > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > news:e1epIzNIDHA.2180@TK2MSFTNGP11.phx.gbl...
> > > > Roger,
> > > >
> > > > We are functional now and here is the answer: it was in fact DNS. I
> > > > erroneously thought that W2K3 was like W2K server insofar as DNS creating
> > > > the "." folder in the Forward Lookup Zone is concerned. I couldn't find it
> > > > and figured (correctly) that MS had removed this "feature" so that DNS
> > > > wouldn't think it was authoritative for the world. What I failed to do,
> > > > though, was set up DHCP DNS entries so that they would point only to the
> > > > internal DNS server. Therefore, we had workstations that were registering
> > > > with DNS dynamically but did not know about the internal DNS server for
> > > > internal name resolution. The reason that some workstations could add domain
> > > > accounts to the local admin group was that in the course of troubleshooting,
> > > > we had added the internal DNS server to the workstation's TCP/IP properties.
> > > > So yeah, it had no problem resolving internal names! Once I corrected this,
> > > > we had no problems adding domain accounts to the local Admin group. The
> > > > answer started to reveal itself when we started examining the DNS
> > > > configuration after we discovered that we could not surf to our own web site
> > > > from inside the network. And yes, we had named our internal domain the same
> > > > as our externally registered domain name, hence the problem with surfing to
> > > > our own web site hosted by another entity.
> > > >
> > > > But here is another rub. Our email is received through our domain name and
> > > > worked fine prior to the introduction of W2K3. Now, with the same email
> > > > configuration in Outlook (i.e. POP3 and SMTP servers remaining the same),
> > > > when the workstation joins the domain it cannot get email to send or
> > > > receive. I have created A records in our internal DNS server that point to
> > > > the DNS servers authoritative for our domain name for both the
> > > > www.ourdomainname.com and mail.ourdomainname.com but to no avail as far as
> > > > email functionality is concerned. Any ideas?
> > > >
> > > > By the way, thanks for your help on the above matter. Next time I will not
> > > > assume I have set it up correctly and take a closer look at helpful
> > > > suggestions.
> > > >
> > > > Thanks,
> > > >
> > > > Brad Leppla
> > > > --
> > > > Brad Leppla
> > > > University of Phoenix Faculty
> > > > F0rres7@email.uophx.edu
> > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > news:uctl0xzHDHA.3804@tk2msftngp13.phx.gbl...
> > > > > So you are in the clear and functional now ?
> > > > > Was it the first discussed policy, or what ?
> > > > > Thx,
> > > > > Roger
> > > > >
> > > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > > news:OydD4esHDHA.452@TK2MSFTNGP11.phx.gbl...
> > > > > > Good advice - I would not have known to look for this. Thanks,
> > > > > >
> > > > > > Brad
> > > > > >
> > > > > > --
> > > > > > Brad Leppla
> > > > > > University of Phoenix Faculty
> > > > > > F0rres7@email.uophx.edu
> > > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > > > news:eHFRBSpHDHA.1612@TK2MSFTNGP11.phx.gbl...
> > > > > > > Brad,
> > > > > > >
> > > > > > > There is one other policy that you need to check.
> > > > > > > Make sure that the LAN Manager authentication levels will
> > > > > > > have a way to agree. An XP client seems (for some reason
> > > > > > > I cannot reason out) to default to not using NTLM v2. So,
> > > > > > > if you have tried to restrict the domain down to only NTLM v2
> > > > > > > (which AIUI one cannot actually do on domain controllers
> > > > > > > even when the policy is at 5 which claims to do this) you
> > > > > > > could have problems. I have seen this, but it is when the
> > > > > > > XP tries to authenticate a session to a member.
> > > > > > >
> > > > > > > Roger
> > > > > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > > > > news:OSQ046gHDHA.1720@TK2MSFTNGP11.phx.gbl...
> > > > > > > > Roger,
> > > > > > > >
> > > > > > > > I have not tried forcing the policy updates as yet but I will try it. I am
> > > > > > > > also thinking that this may be very close to the real issue. Will post
> > > > > > > > results when obtained.
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Brad
> > > > > > > >
> > > > > > > > --
> > > > > > > > Brad Leppla
> > > > > > > > University of Phoenix Faculty
> > > > > > > > F0rres7@email.uophx.edu
> > > > > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > > > > > news:#spEeSXHDHA.2172@TK2MSFTNGP12.phx.gbl...
> > > > > > > > > Brad,
> > > > > > > > >
> > > > > > > > > That confirms it. Some people actually do think that there is
> > > > > > > > > no "join the domain" step to be done at the client machine.
> > > > > > > > >
> > > > > > > > > Have you tried adjusting the policy and then forcing application
> > > > > > > > > with gpupdate ?
> > > > > > > > >
> > > > > > > > > Roger
> > > > > > > > >
> > > > > > > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > > > > > > news:uYivErUHDHA.1608@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > >You still have not verified that, at the XP, you did join
> > > > > > > > > > >the machine to the domain
> > > > > > > > > >
> > > > > > > > > > Other than having the domain name as a selectable item in the logon window
> > > > > > > > > > and successfully logging on utilizing the very domain account which I want
> > > > > > > > > > to add locally is there another form of verification that I am missing?
> > > > > > > > > >
> > > > > > > > > > Thanks for all your input. I now have two XP machines doing exactly the same
> > > > > > > > > > thing but on two different networks. The other network is an AD-integrated
> > > > > > > > > > W2K single DC setup. Very weird.
> > > > > > > > > >
> > > > > > > > > > Brad
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Brad Leppla
> > > > > > > > > > University of Phoenix Faculty
> > > > > > > > > > F0rres7@email.uophx.edu
> > > > > > > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > > > > > > > news:OnSe$aPHDHA.2248@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > > > inlined . . .
> > > > > > > > > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > > > > > > > > news:OszurXPHDHA.1548@TK2MSFTNGP12.phx.gbl...
> > > > > > > > > > > > I can see the machine name in the domain as displayed on the server.
> > > > > > > > > > >
> > > > > > > > > > > That only means the computer object exists, and you did say you
> > > > > > > > > > > created it. You still have not verified that, at the XP, you did join
> > > > > > > > > > > the machine to the domain.
> > > > > > > > > > >
> > > > > > > > > > > > I am
> > > > > > > > > > > > sure that DNS is configured properly. We are using static TCP/IP settings as
> > > > > > > > > > > > a legacy from the workgroup that did not include the W2K3 server DNS
> > > > > > > > > > > > (because it did not exist). It is now the only DC running AD inside the
> > > > > > > > > > > > domain. But if DNS was an issue, wouldn't W2K Professional workstations be
> > > > > > > > > > > > having the same problem? WinXP is the only one having difficulties seeing
> > > > > > > > > > > > the domain.
> > > > > > > > > > >
> > > > > > > > > > > Yes, I would think that rules out DNS.
> > > > > > > > > > >
> > > > > > > > > > > > Haven't tried the policy tweaking on the XP workstation as yet but I will.
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks,
> > > > > > > > > > > >
> > > > > > > > > > > > Brad
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Brad Leppla
> > > > > > > > > > > > University of Phoenix Faculty
> > > > > > > > > > > > F0rres7@email.uophx.edu
> > > > > > > > > > > > "Roger Abell [MVP]" <mvpNoSpam@asu.edu> wrote in message
> > > > > > > > > > > > news:ePt3e#MHDHA.1024@TK2MSFTNGP10.phx.gbl...
> > > > > > > > > > > > > You mentioned creating the computer object in the domain,
> > > > > > > > > > > > > but you did not mention joining the machine to the domain.
> > > > > > > > > > > > > I assume that was done, that you can log in with a domain
> > > > > > > > > > > > > account, and so you know the machine is in the domain.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Two things have been interrupting XP at SP1 from interop
> > > > > > > > > > > > > with domain control, but for your W2k3 AD I would hope
> > > > > > > > > > > > > the second is not an issue.
> > > > > > > > > > > > > 1. use the correct DNS server and only DNS servers that
> > > > > > > > > > > > >    can locate the AD supporting DNS zone(s)
> > > > > > > > > > > > > 2. try disabling the policy on the XP client in the Security
> > > > > > > > > > > > >    Settings under Microsoft network client the ones to do
> > > > > > > > > > > > >    digital signing (either always or when server agrees)
> > > > > > > > > > > > >
> > > > > > > > > > > > > "Brad Leppla" <F0rres7@email.uophx.edu> wrote in message
> > > > > > > > > > > > > news:eMZcroHHDHA.2220@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > > > > > > All,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I have a twist to the seemingly easy process of adding a domain user account
> > > > > > > > > > > > > > to the local administrator group in WXP Pro which seems to evade
> > > > > > > > > > > > > > resolution (TechNet is no help). Whenever I attempt this process, clicking
> > > > > > > > > > > > > > on the "Locations" button shows ONLY the local workstation, not the domain.
> > > > > > > > > > > > > > In other words, it's as if the domain does not exist. Yet, I have
> > > > > > > > > > > > > > successfully created, deleted, then recreated the computer account in the
> > > > > > > > > > > > > > domain. Any thoughts? Configuration particulars:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Windows Server 2003 Standard Edition with AD installed
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Windows 2000 Professional workstations have no problems adding domain user
> > > > > > > > > > > > > > accounts to local Admin group
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Network consists of 17 PCs of various flavors (WinMe, W98, W2K Pro, WXP Pro)
> > > > > > > > > > > > > > that existed in a workgroup prior to introduction of W2K3
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > SP 1 applied to affected XP Pro workstation
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > DNS configured to allow secure and unsecure dynamic updates
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > WINS configured on network
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > My thinking leads me to believe that it has something to do with local GPO
> > > > > > > > > > > > > > on the workstation but I cannot reason out the location or the conditions
> > > > > > > > > > > > > > which would affect a resolution. Any help would be appreciated as our
> > > > > > > > > > > > > > migration project is now halted because of this problem.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Brad Leppla
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > solutions@network-professionals.net
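
The diagnosis reached in the quoted thread (workstations whose DNS settings did not point only at the internal DNS server could not locate the domain, and an internal zone that shares the public domain name needs its own records for www and mail) can be checked from a workstation. The PowerShell below is an added example, not part of any poster's message; it uses the current DnsClient cmdlets rather than the tools available in 2003. The DNS server address is a constructed placeholder, and `ourdomainname.com` is the stand-in name used in the thread.

```powershell
# Added example. Placeholder values, not the thread's real network.
$AdDomain    = 'ourdomainname.com'   # AD DNS name, identical to the public name
$InternalDns = @('192.0.2.10')       # constructed address of the internal AD DNS server
$HostedNames = "www.$AdDomain", "mail.$AdDomain"   # hosts run by outside parties

# Check 1: every DNS server configured on this client should be an internal one,
# and the domain controller locator SRV record must resolve through each of them.
$clientReport = foreach ($nic in (Get-DnsClientServerAddress -AddressFamily IPv4)) {
    foreach ($server in $nic.ServerAddresses) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV `
                   -Server $server -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
        $internal = $server -in $InternalDns
        [pscustomobject]@{
            Interface   = $nic.InterfaceAlias
            DnsServer   = $server
            IsInternal  = $internal
            FindsDomain = [bool]$srv
            Locators    = ($srv.NameTarget -join ', ')
            NeedsFix    = (-not $internal) -or (-not [bool]$srv)
        }
    }
}

# Check 2: because the internal zone shadows the public one, the internal DNS
# server must hold its own A records for the externally hosted web and mail hosts.
$zoneReport = foreach ($name in $HostedNames) {
    foreach ($server in $InternalDns) {
        $a = Resolve-DnsName -Name $name -Type A -Server $server -DnsOnly `
                 -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
        [pscustomobject]@{
            Name      = $name
            DnsServer = $server
            Resolves  = [bool]$a
            Addresses = ($a.IPAddress -join ', ')
        }
    }
}

$clientReport | Format-Table -AutoSize
$zoneReport   | Format-Table -AutoSize
```

`-DnsOnly` keeps the lookups on DNS, so a name that only resolves through NetBIOS or WINS (which this network also ran) is not counted as a pass.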