Event ID 1000 (Userenv) Error and Event ID 8021 (BROWSER) Error

 
 
Ohaya
 
      1st Mar 2004
Hi,

I've described this in other posts, but I have a network consisting of 2
Win2K Advanced Servers.

Machine A has 2 NICs, and one NIC is connected to my cablemodem/router,
while the other is connected to Machine B via a switch. Machine A is
just a member server, joined to my test domain, foo1.com. Machine A's
name is WEB.

Machine B is named "DATA", and it's the domain controller for domain
foo1.com, and also has DNS server running on it.

On Machine A, I am getting an error in the Application Event log, and a
warning in the System Event log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 2/29/2004
Time: 6:14:42 PM
User: NT AUTHORITY\SYSTEM
Computer: WEB
Description:
Windows cannot access the registry information at
\\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
with (53).


Event Type: Warning
Event Source: BROWSER
Event Category: None
Event ID: 8021
Date: 2/29/2004
Time: 12:12:33 PM
User: N/A
Computer: WEB
Description:
The browser was unable to retrieve a list of servers from the browser
master \\DATA on the network
\Device\NetBT_Tcpip_{DD072267-53C5-42D8-9C23-0A9B943837CF}. The data is
the error code.
Data:
0000: 35 00 00 00 5...

The Userenv error is occurring about every 100 minutes or so.


I've mostly been working on trying to eliminate the Userenv error. So
far, I've tried switching the binding order of the NICs, and that didn't
fix the problem. From Machine A, I can use My Network Places, and
browse to the
\\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
without any problem.

I've even tried adding Everyone with Full Control to the sysvol
directory, and that didn't get rid of the problem, so I'm a bit puzzled
about why Machine A can't access it.


I'm not quite sure what to do about the BROWSER warning, but I kind of
have a feeling that it might be related.

Any ideas?

Thanks!

Jim
 
Rob Elder, MVP-Networking
 
      1st Mar 2004
Where is your DNS pointing? It should be your own DNS server.


"Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
news:404288CE.97A43664@N_O_S_P_A_M_cox.net...
> Hi,
>
> I've described this in other posts, but I have a network consisting of 2
> Win2K Advanced Servers.
>
> Machine A has 2 NICs, and one NIC is connected to my cablemodem/router,
> while the other is connected to Machine B via a switch. Machine A is
> just a member server, joined to my test domain, foo1.com. Machine A's
> name is WEB.
>
> Machine B is named "DATA", and it's the domain controller for domain
> foo1.com, and also has DNS server running on it.
>
> On Machine A, I am getting an error in the Application Event log, and a
> warning in the System Event log:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1000
> Date: 2/29/2004
> Time: 6:14:42 PM
> User: NT AUTHORITY\SYSTEM
> Computer: WEB
> Description:
> Windows cannot access the registry information at
> \\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
> with (53).
>
>
> Event Type: Warning
> Event Source: BROWSER
> Event Category: None
> Event ID: 8021
> Date: 2/29/2004
> Time: 12:12:33 PM
> User: N/A
> Computer: WEB
> Description:
> The browser was unable to retrieve a list of servers from the browser
> master \\DATA on the network
> \Device\NetBT_Tcpip_{DD072267-53C5-42D8-9C23-0A9B943837CF}. The data is
> the error code.
> Data:
> 0000: 35 00 00 00 5...
>
> The Userenv error is occurring about every 100 minutes or so.
>
>
> I've mostly been working on trying to eliminate the Userenv error. So
> far, I've tried switching the binding order of the NICs, and that didn't
> fix the problem. From Machine A, I can use My Network Places, and
> browse to the
> \\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
> without any problem.
>
> I've even tried adding Everyone with Full Control to the sysvol
> directory, and that didn't get rid of the problem, so I'm a bit puzzled
> about why Machine A can't access it.
>
>
> I'm not quite sure what to do about the BROWSER warning, but I kind of
> have a feeling that it might be related.
>
> Any ideas?
>
> Thanks!
>
> Jim



 
Ohaya
 
      1st Mar 2004
Rob,

I think I already have that.

Here's the IP configuration info:

Machine A: Member of domain "foo1.com"

Machine A, NIC1:
IP: 192.168.0.111
GWY: None
DNS: None

Machine A, NIC2:
IP: 192.168.1.110
GWY: None
DNS Server: 192.168.1.109

Machine B: Domain Controller for domain "foo1.com"/Active Directory/DNS
Server

Machine B: NIC1:
IP: 192.168.1.109
GWY: None
DNS Server: 192.168.1.109

Jim



"Rob Elder, MVP-Networking" wrote:
>
> Where is your DNS pointing. It should be your own DNS server.
>
> "Ohaya" <ohaya@N_O_S_P_A_M_cox.net> wrote in message
> news:404288CE.97A43664@N_O_S_P_A_M_cox.net...
> > Hi,
> >
> > I've described this in other posts, but I have a network consisting of 2
> > Win2K Advanced Servers.
> >
> > Machine A has 2 NICs, and one NIC is connected to my cablemodem/router,
> > while the other is connected to Machine B via a switch. Machine A is
> > just a member server, joined to my test domain, foo1.com. Machine A's
> > name is WEB.
> >
> > Machine B is named "DATA", and it's the domain controller for domain
> > foo1.com, and also has DNS server running on it.
> >
> > On Machine A, I am getting an error in the Application Event log, and a
> > warning in the System Event log:
> >
> > Event Type: Error
> > Event Source: Userenv
> > Event Category: None
> > Event ID: 1000
> > Date: 2/29/2004
> > Time: 6:14:42 PM
> > User: NT AUTHORITY\SYSTEM
> > Computer: WEB
> > Description:
> > Windows cannot access the registry information at
> > \\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
> > with (53).
> >
> >
> > Event Type: Warning
> > Event Source: BROWSER
> > Event Category: None
> > Event ID: 8021
> > Date: 2/29/2004
> > Time: 12:12:33 PM
> > User: N/A
> > Computer: WEB
> > Description:
> > The browser was unable to retrieve a list of servers from the browser
> > master \\DATA on the network
> > \Device\NetBT_Tcpip_{DD072267-53C5-42D8-9C23-0A9B943837CF}. The data is
> > the error code.
> > Data:
> > 0000: 35 00 00 00 5...
> >
> > The Userenv error is occurring about every 100 minutes or so.
> >
> >
> > I've mostly been working on trying to eliminate the Userenv error. So
> > far, I've tried switching the binding order of the NICs, and that didn't
> > fix the problem. From Machine A, I can use My Network Places, and
> > browse to the
> > \\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
> > without any problem.
> >
> > I've even tried adding Everyone with Full Control to the sysvol
> > directory, and that didn't get rid of the problem, so I'm a bit puzzled
> > about why Machine A can't access it.
> >
> >
> > I'm not quite sure what to do about the BROWSER warning, but I kind of
> > have a feeling that it might be related.
> >
> > Any ideas?
> >
> > Thanks!
> >
> > Jim

 
Kevin Goodknecht [MVP]
 
      1st Mar 2004
In news:404288CE.97A43664@N_O_S_P_A_M_cox.net,
Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
Then Kevin replied below:
> Hi,
>
> I've described this in other posts, but I have a network consisting
> of 2
> Win2K Advanced Servers.
>
> Machine A has 2 NICs, and one NIC is connected to my
> cablemodem/router,
> while the other is connected to Machine B via a switch. Machine A is
> just a member server, joined to my test domain, foo1.com. Machine A's
> name is WEB.
>
> Machine B is named "DATA", and it's the domain controller for domain
> foo1.com, and also has DNS server running on it.
>
> On Machine A, I am getting an error in the Application Event log, and
> a
> warning in the System Event log:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1000
> Date: 2/29/2004
> Time: 6:14:42 PM
> User: NT AUTHORITY\SYSTEM
> Computer: WEB
> Description:
> Windows cannot access the registry information at
> \\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
> with (53).
>
>
> Event Type: Warning
> Event Source: BROWSER
> Event Category: None
> Event ID: 8021
> Date: 2/29/2004
> Time: 12:12:33 PM
> User: N/A
> Computer: WEB
> Description:
> The browser was unable to retrieve a list of servers from the browser
> master \\DATA on the network
> \Device\NetBT_Tcpip_{DD072267-53C5-42D8-9C23-0A9B943837CF}. The data
> is
> the error code.
> Data:
> 0000: 35 00 00 00 5...
>
> The Userenv error is occurring about every 100 minutes or so.
>
>
> I've mostly been working on trying to eliminate the Userenv error. So
> far, I've tried switching the binding order of the NICs, and that
> didn't
> fix the problem. From Machine A, I can use My Network Places, and
> browse to the
> \\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
> without any problem.


You can? How can you browse to this share in network places when this share
is not in Network places? Only the sysvol share under the machine name is in
Network places. The domain SYSVOL share must be resolved through your
internal DNS server.


>
> I've even tried adding Everyone with Full Control to the sysvol
> directory, and that didn't get rid of the problem, so I'm a bit
> puzzled
> about why Machine A can't access it.
>
>
> I'm not quite sure what to do about the BROWSER warning, but I kind of
> have a feeling that it might be related.
>
> Any ideas?
>
> Thanks!
>
> Jim


On machine A your bindings are out of order and/or you have the wrong DNS
server listed in TCP/IP properties.

Make sure that both NICs on machine A only have the DC listed for DNS, no
ISP's DNS allowed on any member of an AD domain.

To fix your binding order, in network properties, in the Advanced menu,
select Advanced Settings. Move the internal NIC to the top of the binding
order, with File sharing and Client for MS networks also bound ONLY to the
internal interface.
For internet resolution configure the internal DNS with a forwarder to your
ISP.
300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202&FR=1

--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
--
When responding to posts, please "Reply to Group" via your
newsreader so that others may learn and benefit from your issue.
To respond directly to me remove the nospam. from my email.
==========================================
http://www.lonestaramerica.com/
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================


 
Ohaya
 
      1st Mar 2004


"Kevin Goodknecht [MVP]" wrote:
>
> In news:404288CE.97A43664@N_O_S_P_A_M_cox.net,
> Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
> Then Kevin replied below:
> > Hi,
> >
> > I've described this in other posts, but I have a network consisting
> > of 2
> > Win2K Advanced Servers.
> >
> > Machine A has 2 NICs, and one NIC is connected to my
> > cablemodem/router,
> > while the other is connected to Machine B via a switch. Machine A is
> > just a member server, joined to my test domain, foo1.com. Machine A's
> > name is WEB.
> >
> > Machine B is named "DATA", and it's the domain controller for domain
> > foo1.com, and also has DNS server running on it.
> >
> > On Machine A, I am getting an error in the Application Event log, and
> > a
> > warning in the System Event log:
> >
> > Event Type: Error
> > Event Source: Userenv
> > Event Category: None
> > Event ID: 1000
> > Date: 2/29/2004
> > Time: 6:14:42 PM
> > User: NT AUTHORITY\SYSTEM
> > Computer: WEB
> > Description:
> > Windows cannot access the registry information at
> > \\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
> > with (53).
> >
> >
> > Event Type: Warning
> > Event Source: BROWSER
> > Event Category: None
> > Event ID: 8021
> > Date: 2/29/2004
> > Time: 12:12:33 PM
> > User: N/A
> > Computer: WEB
> > Description:
> > The browser was unable to retrieve a list of servers from the browser
> > master \\DATA on the network
> > \Device\NetBT_Tcpip_{DD072267-53C5-42D8-9C23-0A9B943837CF}. The data
> > is
> > the error code.
> > Data:
> > 0000: 35 00 00 00 5...
> >
> > The Userenv error is occurring about every 100 minutes or so.
> >
> >
> > I've mostly been working on trying to eliminate the Userenv error. So
> > far, I've tried switching the binding order of the NICs, and that
> > didn't
> > fix the problem. From Machine A, I can use My Network Places, and
> > browse to the
> > \\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
> > without any problem.

>
> You can? How can you browse to this share in network places when this share
> is not in Network places. Only the sysvol share under the machine name is in
> Network places. The domain SYSVOL share must be resolved through your
> internal DNS server.
>
> >
> > I've even tried adding Everyone with Full Control to the sysvol
> > directory, and that didn't get rid of the problem, so I'm a bit
> > puzzled
> > about why Machine A can't access it.
> >
> >
> > I'm not quite sure what to do about the BROWSER warning, but I kind of
> > have a feeling that it might be related.
> >
> > Any ideas?
> >
> > Thanks!
> >
> > Jim

>
> On machine A your bindings are out of order and/or you have the wrong DNS
> server listed in TCP/IP properties.
>
> Make sure that both NICs on machine A only have the DC listed for DNS, no
> ISP's DNS allowed on any member of an AD domain.
>
> To fix your binding order, in network properties, in the Advanced menu,
> select Advanced Settings. Move the internal NIC to the top of the binding
> order, with File sharing and Client for MS networks also bound ONLY to the
> internal interface.
> For internet resolution configure the internal DNS with a forwarder to your
> ISP.
> 300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
> http://support.microsoft.com/?id=300202&FR=1



Kevin,

I've posted the IP configurations for all 3 NICS (2 on machine A, and 1
on machine B) in an earlier post in this thread, and the internal NIC is
at the top of the binding order already.

File Sharing is bound only to the internal NIC, but I noted the Client
for MS networks was bound to both the internal and external NICs.

I'll unbind Client for MS networks from the external NIC, and post back,
but this'll have to be after an hour or so, since the errors were
showing up at about 100 minute intervals.

Jim
 
Kevin Goodknecht [MVP]
 
      1st Mar 2004
In news:40429C1A.A2170B3F@N_O_S_P_A_M_cox.net,
Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
Then Kevin replied below:
> Kevin,
>
> I've posted the IP configurations for all 3 NICS (2 on machine A, and
> 1 on machine B) in an earlier post in this thread, and the internal
> NIC is at the top of the binding order already.
>
> File Sharing is bound only to the internal NIC, but I noted the Client
> for MS networks was bound to both the internal and external NICs.
>
> I'll unbind Client for MS networks from the external NIC, and post
> back, but this'll have to be after an hour or so, since the errors
> were showing up at about 100 minute intervals.
>
> Jim

The post had not come up when I started my reply, but looking at it leaves
me with questions.
How is the internal DNS resolving external names without a gateway?
Do you have NAT on the member server? It should be listed as the gateway for
the DC.
You cannot have TCP/IP without DNS in Win2k; if you leave DNS blank, it will
pick up the loopback address or use DHCP to get the DNS server. Both NICs on
the member should use the DC for DNS.
You have no gateways listed for any NIC; how do you get out without a
gateway?


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps


 
Ace Fekay [MVP]
 
      1st Mar 2004
In news:4zx0c.3260$(E-Mail Removed),
Kevin Goodknecht [MVP] <(E-Mail Removed)> posted their thoughts, then
I offered mine
> In news:40429C1A.A2170B3F@N_O_S_P_A_M_cox.net,
> Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
> Then Kevin replied below:
>> Kevin,
>>
>> I've posted the IP configurations for all 3 NICS (2 on machine A, and
>> 1 on machine B) in an earlier post in this thread, and the internal
>> NIC is at the top of the binding order already.
>>
>> File Sharing is bound only to the internal NIC, but I noted the
>> Client for MS networks was bound to both the internal and external
>> NICs.
>>
>> I'll unbind Client for MS networks from the external NIC, and post
>> back, but this'll have to be after an hour or so, since the errors
>> were showing up at about 100 minute intervals.
>>
>> Jim

> The post had not came up when I started my reply, but looking at it
> leaves me with questions.
> How is the internal DNS resolving external names with out a gateway?
> Do you have NAT on the member server? It should be listed as the
> gateway for the DC.
> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank it
> will pick up the loopback address or use DHCP to get the DNS server.
> Both NICS on the member should use the DC for DNS.
> You have no gateways listed for any NIC, how do you get out without a
> gateway?
>
>
> --
> Best regards,
> Kevin D4 Dad Goodknecht Sr. [MVP]
> Hope This Helps
> ============================


Kevin, Rob, this is a confusing issue. I was trying to help out earlier, so
if you guys want to look back to Jim's original post on this in this thread
below, maybe you can see something that's going on that I may have missed.
More eyes the merrier!

From: "Ohaya" <Ohaya@NO_SPAM.cox.net>
Subject: How is DNS resolution working?
Date: Wed, 25 Feb 2004 14:23:35 -0500

There is one thing that I would suggest, which is not to multi-home Machine A and
just use the internal infrastructure to resolve the external resources,
which I had mentioned to Jim in the previous thread. This will ensure
proper resolution and AD functionality (which now the Event ID 1000 is
popping up) and I believe Jim was using the external DNS (and as Rob Elder
pointed out not to use the external DNS) on that interface with the binding
order of the NIC on that interface set higher, which is what I believe may
be happening, but apparently there are other factors at work. Multi homing
can cause these issues if not set properly.

Hope you guys pick up something that was missed in the other thread....


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================


 
Ohaya
 
      1st Mar 2004


"Kevin Goodknecht [MVP]" wrote:
>
> In news:40429C1A.A2170B3F@N_O_S_P_A_M_cox.net,
> Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
> Then Kevin replied below:
> > Kevin,
> >
> > I've posted the IP configurations for all 3 NICS (2 on machine A, and
> > 1 on machine B) in an earlier post in this thread, and the internal
> > NIC is at the top of the binding order already.
> >
> > File Sharing is bound only to the internal NIC, but I noted the Client
> > for MS networks was bound to both the internal and external NICs.
> >
> > I'll unbind Client for MS networks from the external NIC, and post
> > back, but this'll have to be after an hour or so, since the errors
> > were showing up at about 100 minute intervals.
> >
> > Jim

> The post had not came up when I started my reply, but looking at it leaves
> me with questions.
> How is the internal DNS resolving external names with out a gateway?
> Do you have NAT on the member server? It should be listed as the gateway for
> the DC.
> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank it will
> pick up the loopback address or use DHCP to get the DNS server. Both NICS on
> the member should use the DC for DNS.
> You have no gateways listed for any NIC, how do you get out without a
> gateway?
>


Kevin,

You have some good questions, and I only have answers to some of them
unfortunately ...

First of all, my desire/intention is to build this 2-machine network
such that it's kind of a standalone ("standalone", in a limited sense)
Windows domain, but physically connected to an external network.

The "machine A" runs an IIS web server, and we need "inward" access
(from clients on the external network) to this web server, but, in
general, we don't need, or want to allow, "outward" access (from machine
A, or machine B) to the external network.

The reason for the machine A/machine B configuration is that machine B
runs a database which is accessed by our web application (which runs on
machine A), and also, we want to manage all the machines on this
internal network (consisting of machines A & B) using GPOs, etc. from
machine A.

Now here's the way that I think that things work (and they are, for the
most part, working):

You noted that we don't define a gateway for either NIC2 on machine A or
NIC1 on machine B, but you'll also note that NIC2/machine A and
NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx). In
addition, both NIC2/machine A and NIC1/machine B point to machine B for
their DNS server.

[I'm being a bit vague here] When something in machine A wants to
connect to either machine A or machine B, since the DNS IP address
points to machine B, name resolution gets handled by the DNS server on
machine B.

As to how it "gets out without a gateway", I think it works somewhat
akin to a 2-computer network using a cross-over cable (and without a
router) but, in our case, we're using a switch between the 2 computers
(instead of a cross-over cable). My understanding is that in such a
configuration, packets with source/destination address get sent out the
NIC on the source machine, and the machine with the matching destination
address will simply receive those packets.


Here are the answers to some of your questions (I think):

Q1) "How is the internal DNS resolving external names with out a
gateway?"
A1) We DON'T WANT the internal DNS (on machine B) to resolve external
names.

Q2) "Do you have NAT on the member server?"
A2) No, we don't.

Q3) "You have no gateways listed for any NIC, how do you get out without
a gateway?"
A3) My guess is per what I wrote above.


BTW, you mentioned above that:

"> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank it will
> pick up the loopback address or use DHCP to get the DNS server."


Do you know that the above (that it will either default to the loopback
address or use DHCP to get the IP of the DNS server) is true? The
reason that I'm asking is that this might be at least part of the
question in my earlier thread ("How is resolution working?").

If so, can you point me to some documentation about this? Also, if you
know, under what circumstances would it default to the loopback address
vs. trying to get the DNS server IP from DHCP?

Jim
 
Kevin D. Goodknecht [MVP]
 
      1st Mar 2004
In news:4042D440.FEF08EAC@N_O_S_P_A_M_cox.net,
Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
Then Kevin replied below:
> "Kevin Goodknecht [MVP]" wrote:
>>
>> In news:40429C1A.A2170B3F@N_O_S_P_A_M_cox.net,
>> Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted a question
>> Then Kevin replied below:
>>> Kevin,
>>>
>>> I've posted the IP configurations for all 3 NICS (2 on machine A,
>>> and 1 on machine B) in an earlier post in this thread, and the
>>> internal NIC is at the top of the binding order already.
>>>
>>> File Sharing is bound only to the internal NIC, but I noted the
>>> Client for MS networks was bound to both the internal and external
>>> NICs.
>>>
>>> I'll unbind Client for MS networks from the external NIC, and post
>>> back, but this'll have to be after an hour or so, since the errors
>>> were showing up at about 100 minute intervals.
>>>
>>> Jim

>> The post had not came up when I started my reply, but looking at it
>> leaves me with questions.
>> How is the internal DNS resolving external names with out a gateway?
>> Do you have NAT on the member server? It should be listed as the
>> gateway for the DC.
>> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank
>> it will pick up the loopback address or use DHCP to get the DNS
>> server. Both NICS on the member should use the DC for DNS.
>> You have no gateways listed for any NIC, how do you get out without a
>> gateway?
>>

>
> Kevin,
>
> You have some good questions, and I only have answers to some of them
> unfortunately ...
>
> First of all, my desire/intention is to build this 2-machine network
> such that it's kind of a standalone ("standalone", in a limited sense)
> Windows domain, but physically connected to an external network.
>
> The "machine A" runs an IIS web server, and we need "inward" access
> (from clients on the external network) to this web server, but, in
> general, we don't need, or want to allow, "outward" access (from
> machine A, or machine B) to the external network.
>
> The reason for the machine A/machine B configuration is that machine B
> runs a database which is accessed by our web application (which runs
> on machine A), and also, we want to manage all the machines on this
> internal network (consisting of machines A & B) using GPOs, etc. from
> machine A.
>
> Now here's the way that I think that things work (and they are, for
> the most part, working):
>
> You noted that we don't define a gateway for either NIC2 on machine A
> or NIC1 on machine B, but you'll also note that NIC2/machine A and
> NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx). In
> addition, both NIC2/machine A and NIC1/machine B point to machine B
> for their DNS server.
>
> [I'm being a bit vague here] When something in machine A wants to
> connect to either machine A or machine B, since the DNS IP address
> points to machine B, name resolution gets handled by the DNS server on
> machine B.
>
> As to how it "gets out without a gateway", I think it works somewhat
> akin to a 2-computer network using a cross-over cable (and without a
> router) but, in our case, we're using a switch between the 2 computers
> (instead of a cross-over cable). My understanding is that in such a
> configuration, packets with source/destination address get sent out
> the NIC on the source machine, and the machine with the matching
> destination address will simply receive those packets.


If these machines only accept incoming connections then you can get by
without a gateway. If you try to make an outgoing connection from these
machines I don't see how. You need either a gateway, a proxy GDP client, or
a Winsock redirector service. If you are using NAT then you must have a
gateway.

I do not understand why you have the DC connecting through the multihomed
Member.
You would be much better off having both the DC and the member connected to
the router.

>
>
> Here are the answers to some of your questions (I think):
>
> Q1) "How is the internal DNS resolving external names with out a
> gateway?"
> A1) We DON'T WANT the internal DNS (on machine B) to resolve external
> names.


If the member needs to resolve external names it should rely on getting
those names from the DC. If the member is using your ISP's DNS I can see
where the error might be coming from, especially if you use the same
internal domain name as your external domain name.
If the member gets the IP address of the domain name from your ISP, then it
is at that IP address that it is looking for the sysvol share.

>
> Q2) "Do you have NAT on the member server?"
> A2) No, we don't.
>
> Q3) "You have no gateways listed for any NIC, how do you get out
> without a gateway?
> A3) My guess is per what I wrote above.
>
>
> BTW, you mentioned above that:
>
> "> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank
> it will
>> pick up the loopback address or use DHCP to get the DNS server."

>
> Do you know that the above (that it will either default to the
> loopback address or use DHCP to get the IP of the DNS server) is
> true? The reason that I'm asking is that this might be at least part
> of the question in my earlier thread ("How is resolution working?").


If the machine has DNS installed it will get a loopback address, otherwise
the TCP/IP stack won't let you leave the fields blank.
If the router is providing the DNS server for the NIC connected to it, then
it is getting its DNS from the router, which is most generally your ISP's
DNS, in which case it may be the cause of your error.
Instead of typing out the settings you have in place, I would like to see an
ipconfig /all output from both machines. You can get the ipconfig by running
this in a command prompt:
C:\>ipconfig /all > C:\ipconfig.txt
That will drop a text file in the root of the C drive.

>
> If so, can you point me to some documentation about this? Also, if
> you know, under what circumstances would it default to the loopback
> address vs. trying to get the DNS server IP from DHCP?


Please post the ipconfig from the command I noted above.


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps


 
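Added example, not part of any poster's message: Kevin asks for `ipconfig /all` from both machines and says both NICs on the member should list only the DC for DNS. The Python sketch below applies that rule to constructed `ipconfig /all` text (the adapter names and the 203.0.113.53 stand-in for an ISP resolver are made up), and decodes the BROWSER event's `35 00 00 00` data bytes, which are the same error 53 the Userenv event reports.

```python
import re
import struct

ERROR_BAD_NETPATH = 53  # Win32: "The network path was not found."

# Constructed `ipconfig /all` text for WEB, modelled on the settings typed out
# in the thread. Adapter names are made up; @EXT_DNS@ is filled in per scenario.
TEMPLATE = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : web
        Primary DNS Suffix  . . . . . . . : foo1.com

Ethernet adapter External:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.111
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : @EXT_DNS@

Ethernet adapter Internal:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.110
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DNS Servers . . . . . . . . . . . : 192.168.1.109
"""

DC_DNS = {"192.168.1.109"}  # DATA, the DC and DNS server for foo1.com

ADAPTER_RE = re.compile(r"^\S.*\badapter (.+):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)(?:\s*\.)+\s*:\s*(.*)$")


def sample(external_dns):
    """Build the constructed output with the given DNS value on the external NIC."""
    return TEMPLATE.replace("@EXT_DNS@", external_dns)


def parse_ipconfig(text):
    """Return {adapter name: {field label: [values]}} from `ipconfig /all` text."""
    adapters, current, last = {}, None, None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = adapters.setdefault(header.group(1), {})
            last = None
            continue
        if current is None or not line.strip():
            continue  # host-level section or blank line
        field = FIELD_RE.match(line)
        if field:
            last = field.group(1)
            value = field.group(2).strip()
            current[last] = [value] if value else []
        elif last is not None:
            # Unlabelled indented line: a further value for the previous field,
            # which is how ipconfig prints a second DNS server.
            current[last].append(line.strip())
    return adapters


def audit_member_dns(text, dc_dns):
    """Flag adapters that do not list the DC, and only the DC, for DNS."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        servers = fields.get("DNS Servers", [])
        foreign = [s for s in servers if s not in dc_dns]
        if foreign:
            findings.append((name, "non-DC DNS: " + ", ".join(foreign)))
        elif not servers:
            findings.append((name, "no DNS server listed"))
    return findings


def decode_event_data(hex_bytes):
    """Decode a 4-byte event 'Data' field as a little-endian DWORD."""
    return struct.unpack("<I", bytes.fromhex(hex_bytes.replace(" ", "")))[0]


if __name__ == "__main__":
    print("BROWSER 8021 data ->", decode_event_data("35 00 00 00"))
    # Scenario 1: external NIC as typed out in the thread (no DNS entry).
    print(audit_member_dns(sample(""), DC_DNS))
    # Scenario 2: external NIC also carries a router-supplied resolver.
    isp_first = "203.0.113.53\n" + " " * 44 + "192.168.1.109"
    print(audit_member_dns(sample(isp_first), DC_DNS))
```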
 
Ace Fekay [MVP]
 
      1st Mar 2004
In news:4042D440.FEF08EAC@N_O_S_P_A_M_cox.net,
Ohaya <ohaya@N_O_S_P_A_M_cox.net> posted their thoughts, then I offered mine

> Kevin,
>
> You have some good questions, and I only have answers to some of them
> unfortunately ...
>
> First of all, my desire/intention is to build this 2-machine network
> such that it's kind of a standalone ("standalone", in a limited sense)
> Windows domain, but physically connected to an external network.
>
> The "machine A" runs an IIS web server, and we need "inward" access
> (from clients on the external network) to this web server, but, in
> general, we don't need, or want to allow, "outward" access (from
> machine
> A, or machine B) to the external network.
>
> The reason for the machine A/machine B configuration is that machine B
> runs a database which is accessed by our web application (which runs
> on machine A), and also, we want to manage all the machines on this
> internal network (consisting of machines A & B) using GPOs, etc. from
> machine A.
>
> Now here's the way that I think that things work (and they are, for
> the
> most part, working):
>
> You noted that we don't define a gateway for either NIC2 on machine A
> or
> NIC1 on machine B, but you'll also note that NIC2/machine A and
> NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx). In
> addition, both NIC2/machine A and NIC1/machine B point to machine B
> for
> their DNS server.
>
> [I'm being a bit vague here] When something in machine A wants to
> connect to either machine A or machine B, since the DNS IP address
> points to machine B, name resolution gets handled by the DNS server on
> machine B.
>
> As to how it "gets out without a gateway", I think it works somewhat
> akin to a 2-computer network using a cross-over cable (and without a
> router) but, in our case, we're using a switch between the 2 computers
> (instead of a cross-over cable). My understanding is that in such a
> configuration, packets with source/destination address get sent out
> the
> NIC on the source machine, and the machine with the matching
> destination address will simply receive those packets.
>
>
> Here are the answers to some of your questions (I think):
>
> Q1) "How is the internal DNS resolving external names with out a
> gateway?"
> A1) We DON'T WANT the internal DNS (on machine B) to resolve external
> names.
>
> Q2) "Do you have NAT on the member server?"
> A2) No, we don't.
>
> Q3) "You have no gateways listed for any NIC, how do you get out
> without
> a gateway?
> A3) My guess is per what I wrote above.
>
>
> BTW, you mentioned above that:
>
> "> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank
> it
> will
>> pick up the loopback address or use DHCP to get the DNS server."

>
> Do you know that the above (that it will either default to the
> loopback address or use DHCP to get the IP of the DNS server) is
> true? The
> reason that I'm asking is that this might be at least part of the
> question in my earlier thread ("How is resolution working?").
>
> If so, can you point me to some documentation about this? Also, if
> you
> know, under what circumstances would it default to the loopback
> address
> vs. trying to get the DNS server IP from DHCP?
>
> Jim


To add, if you want external communication, you'll need to specify a
gateway, unless you do not want to have Internet communication from this
machine?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================


 