Event ID 1000 (Userenv) Error and Event ID 8021 (BROWSER) Error

Ohaya

Hi,

I've described this in other posts, but I have a network consisting of 2
Win2K Advanced Servers.

Machine A has 2 NICs, and one NIC is connected to my cablemodem/router,
while the other is connected to Machine B via a switch. Machine A is
just a member server, joined to my test domain, foo1.com. Machine A's
name is WEB.

Machine B is named "DATA", and it's the domain controller for domain
foo1.com, and also has DNS server running on it.

On Machine A, I am getting an error in the Application Event log, and a
warning in the System Event log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 2/29/2004
Time: 6:14:42 PM
User: NT AUTHORITY\SYSTEM
Computer: WEB
Description:
Windows cannot access the registry information at
\\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
with (53).


Event Type: Warning
Event Source: BROWSER
Event Category: None
Event ID: 8021
Date: 2/29/2004
Time: 12:12:33 PM
User: N/A
Computer: WEB
Description:
The browser was unable to retrieve a list of servers from the browser
master \\DATA on the network
\Device\NetBT_Tcpip_{DD072267-53C5-42D8-9C23-0A9B943837CF}. The data is
the error code.
Data:
0000: 35 00 00 00 5...

The Userenv error is occurring about every 100 minutes or so.


I've mostly been working on trying to eliminate the Userenv error. So
far, I've tried switching the binding order of the NICs, and that didn't
fix the problem. From Machine A, I can use My Network Places, and
browse to the
\\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
without any problem.

I've even tried adding Everyone with Full Control to the sysvol
directory, and that didn't get rid of the problem, so I'm a bit puzzled
about why Machine A can't access it.


I'm not quite sure what to do about the BROWSER warning, but I kind of
have a feeling that it might be related.

Any ideas?

Thanks!

Jim
 
Rob Elder, MVP-Networking

Where is your DNS pointing. It should be your own DNS server.
 
Ohaya

Rob,

I think I already have that.

Here's the IP configuration info:

Machine A: Member of domain "foo1.com"

Machine A, NIC1:
IP: 192.168.0.111
GWY: None
DNS: None

Machine A, NIC2:
IP: 192.168.1.110
GWY: None
DNS Server: 192.168.1.109

Machine B: Domain Controller for domain "foo1.com"/Active Directory/DNS
Server

Machine B: NIC1:
IP: 192.168.1.109
GWY: None
DNS Server: 192.168.1.109

Jim
 
Kevin Goodknecht [MVP]

Ohaya said:
Hi,

I've described this in other posts, but I have a network consisting
of 2
Win2K Advanced Servers.

Machine A has 2 NICs, and one NIC is connected to my
cablemodem/router,
while the other is connected to Machine B via a switch. Machine A is
just a member server, joined to my test domain, foo1.com. Machine A's
name is WEB.

Machine B is named "DATA", and it's the domain controller for domain
foo1.com, and also has DNS server running on it.

On Machine A, I am getting an error in the Application Event log, and
a
warning in the System Event log:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 2/29/2004
Time: 6:14:42 PM
User: NT AUTHORITY\SYSTEM
Computer: WEB
Description:
Windows cannot access the registry information at
\\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
with (53).


Event Type: Warning
Event Source: BROWSER
Event Category: None
Event ID: 8021
Date: 2/29/2004
Time: 12:12:33 PM
User: N/A
Computer: WEB
Description:
The browser was unable to retrieve a list of servers from the browser
master \\DATA on the network
\Device\NetBT_Tcpip_{DD072267-53C5-42D8-9C23-0A9B943837CF}. The data
is
the error code.
Data:
0000: 35 00 00 00 5...

The Userenv error is occurring about every 100 minutes or so.


I've mostly been working on trying to eliminate the Userenv error. So
far, I've tried switching the binding order of the NICs, and that
didn't
fix the problem. From Machine A, I can use My Network Places, and
browse to the
\\foo1.com\sysvol\foo1.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\registry.pol
without any problem.

You can? How can you browse to this share in network places when this share
is not in Network places. Only the sysvol share under the machine name is in
Network places. The domain SYSVOL share must be resolved through your
internal DNS server.

I've even tried adding Everyone with Full Control to the sysvol
directory, and that didn't get rid of the problem, so I'm a bit
puzzled
about why Machine A can't access it.


I'm not quite sure what to do about the BROWSER warning, but I kind of
have a feeling that it might be related.

Any ideas?

Thanks!

Jim

On machine A your bindings are out of order and/or you have the wrong DNS
server listed in TCP/IP properties.

Make sure that both NICs on machine A only have the DC listed for DNS, no
ISP's DNS allowed on any member of an AD domain.

To fix your binding order, in network properties, in the Advanced menu,
select Advanced Settings. Move the internal NIC to the top of the binding
order, with File sharing and Client for MS networks also bound ONLY to the
internal interface.
For internet resolution configure the internal DNS with a forwarder to your
ISP.
300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202&FR=1
 
Ohaya

Kevin Goodknecht said:

You can? How can you browse to this share in network places when this share
is not in Network places. Only the sysvol share under the machine name is in
Network places. The domain SYSVOL share must be resolved through your
internal DNS server.


On machine A your bindings are out of order and/or you have the wrong DNS
server listed in TCP/IP properties.

Make sure that both NICs on machine A only have the DC listed for DNS, no
ISP's DNS allowed on any member of an AD domain.

To fix your binding order, in network properties, in the Advanced menu,
select Advanced Settings. Move the internal NIC to the top of the binding
order, with File sharing and Client for MS networks also bound ONLY to the
internal interface.
For internet resolution configure the internal DNS with a forwarder to your
ISP.
300202 - HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?id=300202&FR=1


Kevin,

I've posted the IP configurations for all 3 NICS (2 on machine A, and 1
on machine B) in an earlier post in this thread, and the internal NIC is
at the top of the binding order already.

File Sharing is bound only to the internal NIC, but I noted the Client
for MS networks was bound to both the internal and external NICs.

I'll unbind Client for MS networks from the external NIC, and post back,
but this'll have to be after an hour or so, since the errors were
showing up at about 100 minute intervals.

Jim
 
Kevin Goodknecht [MVP]

Ohaya said:
Kevin,

I've posted the IP configurations for all 3 NICS (2 on machine A, and
1 on machine B) in an earlier post in this thread, and the internal
NIC is at the top of the binding order already.

File Sharing is bound only to the internal NIC, but I noted the Client
for MS networks was bound to both the internal and external NICs.

I'll unbind Client for MS networks from the external NIC, and post
back, but this'll have to be after an hour or so, since the errors
were showing up at about 100 minute intervals.

Jim
The post had not come up when I started my reply, but looking at it leaves
me with questions.
How is the internal DNS resolving external names without a gateway?
Do you have NAT on the member server? It should be listed as the gateway for
the DC.
You cannot have TCP/IP without DNS in Win2k; if you leave DNS blank it will
pick up the loopback address or use DHCP to get the DNS server. Both NICS on
the member should use the DC for DNS.
You have no gateways listed for any NIC, how do you get out without a
gateway?
 
Ace Fekay [MVP]

Kevin Goodknecht said:
The post had not come up when I started my reply, but looking at it
leaves me with questions.
How is the internal DNS resolving external names without a gateway?
Do you have NAT on the member server? It should be listed as the
gateway for the DC.
You cannot have TCP/IP without DNS in Win2k; if you leave DNS blank it
will pick up the loopback address or use DHCP to get the DNS server.
Both NICS on the member should use the DC for DNS.
You have no gateways listed for any NIC, how do you get out without a
gateway?


--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================

Kevin, Rob, this is a confusing issue. I was trying to help out earlier, so
if you guys want to look back to Jim's original post on this in this thread
below, maybe you can see something that's going on that I may have missed.
More eyes the merrier!

From: "Ohaya" <Ohaya@NO_SPAM.cox.net>
Subject: How is DNS resolution working?
Date: Wed, 25 Feb 2004 14:23:35 -0500

There is one thing that I would suggest, which is not to multi-home Machine A and
just use the internal infrastructure to resolve the external resources,
which I had mentioned to Jim in the previous thread. This will ensure
proper resolution and AD functionality (which now the Event ID 1000 is
popping up) and I believe Jim was using the external DNS (and as Rob Elder
pointed out not to use the external DNS) on that interface with the binding
order of the NIC on that interface set higher, which is what I believe may
be happening, but apparently there are other factors at work. Multi-homing
can cause these issues if not set properly.

Hope you guys pick up something that was missed in the other thread....


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ohaya

Kevin Goodknecht said:
The post had not come up when I started my reply, but looking at it leaves
me with questions.
How is the internal DNS resolving external names without a gateway?
Do you have NAT on the member server? It should be listed as the gateway for
the DC.
You cannot have TCP/IP without DNS in Win2k; if you leave DNS blank it will
pick up the loopback address or use DHCP to get the DNS server. Both NICS on
the member should use the DC for DNS.
You have no gateways listed for any NIC, how do you get out without a
gateway?

Kevin,

You have some good questions, and I only have answers to some of them
unfortunately :(...

First of all, my desire/intention is to build this 2-machine network
such that it's kind of a standalone ("standalone", in a limited sense)
Windows domain, but physically connected to an external network.

The "machine A" runs an IIS web server, and we need "inward" access
(from clients on the external network) to this web server, but, in
general, we don't need, or want to allow, "outward" access (from machine
A, or machine B) to the external network.

The reason for the machine A/machine B configuration is that machine B
runs a database which is accessed by our web application (which runs on
machine A), and also, we want to manage all the machines on this
internal network (consisting of machines A & B) using GPOs, etc. from
machine A.

Now here's the way that I think that things work (and they are, for the
most part, working):

You noted that we don't define a gateway for either NIC2 on machine A or
NIC1 on machine B, but you'll also note that NIC2/machine A and
NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx). In
addition, both NIC2/machine A and NIC1/machine B point to machine B for
their DNS server.

[I'm being a bit vague here] When something in machine A wants to
connect to either machine A or machine B, since the DNS IP address
points to machine B, name resolution gets handled by the DNS server on
machine B.

As to how it "gets out without a gateway", I think it works somewhat
akin to a 2-computer network using a cross-over cable (and without a
router) but, in our case, we're using a switch between the 2 computers
(instead of a cross-over cable). My understanding is that in such a
configuration, packets with source/destination address get sent out the
NIC on the source machine, and the machine with the matching destination
address will simply receive those packets.


Here are the answers to some of your questions (I think):

Q1) "How is the internal DNS resolving external names with out a
gateway?"
A1) We DON'T WANT the internal DNS (on machine B) to resolve external
names.

Q2) "Do you have NAT on the member server?"
A2) No, we don't.

Q3) "You have no gateways listed for any NIC, how do you get out without
a gateway?
A3) My guess is per what I wrote above.


BTW, you mentioned above that:

"> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank it
will
pick up the loopback address or use DHCP to get the DNS server."

Do you know that the above (that it will either default to the loopback
address or use DHCP to get the IP of the DNS server) is true? The
reason that I'm asking is that this might be at least part of the
question in my earlier thread ("How is resolution working?").

If so, can you point me to some documentation about this? Also, if you
know, under what circumstances would it default to the loopback address
vs. trying to get the DNS server IP from DHCP?

Jim
 
Kevin D. Goodknecht [MVP]

Ohaya said:
Kevin Goodknecht said:
The post had not come up when I started my reply, but looking at it
leaves me with questions.
How is the internal DNS resolving external names without a gateway?
Do you have NAT on the member server? It should be listed as the
gateway for the DC.
You cannot have TCP/IP without DNS in Win2k; if you leave DNS blank
it will pick up the loopback address or use DHCP to get the DNS
server. Both NICS on the member should use the DC for DNS.
You have no gateways listed for any NIC, how do you get out without a
gateway?

Kevin,

You have some good questions, and I only have answers to some of them
unfortunately :(...

First of all, my desire/intention is to build this 2-machine network
such that it's kind of a standalone ("standalone", in a limited sense)
Windows domain, but physically connected to an external network.

The "machine A" runs an IIS web server, and we need "inward" access
(from clients on the external network) to this web server, but, in
general, we don't need, or want to allow, "outward" access (from
machine A, or machine B) to the external network.

The reason for the machine A/machine B configuration is that machine B
runs a database which is accessed by our web application (which runs
on machine A), and also, we want to manage all the machines on this
internal network (consisting of machines A & B) using GPOs, etc. from
machine A.

Now here's the way that I think that things work (and they are, for
the most part, working):

You noted that we don't define a gateway for either NIC2 on machine A
or NIC1 on machine B, but you'll also note that NIC2/machine A and
NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx). In
addition, both NIC2/machine A and NIC1/machine B point to machine B
for their DNS server.

[I'm being a bit vague here] When something in machine A wants to
connect to either machine A or machine B, since the DNS IP address
points to machine B, name resolution gets handled by the DNS server on
machine B.

As to how it "gets out without a gateway", I think it works somewhat
akin to a 2-computer network using a cross-over cable (and without a
router) but, in our case, we're using a switch between the 2 computers
(instead of a cross-over cable). My understanding is that in such a
configuration, packets with source/destination address get sent out
the NIC on the source machine, and the machine with the matching
destination address will simply receive those packets.

If these machines only accept incoming connections then you can get by
without a gateway. If you try to make an outgoing connection from these
machines I don't see how. You need either a gateway, a proxy GDP client, or
a Winsock redirector service. If you are using NAT then you must have a
gateway.

I do not understand why you have the DC connecting through the multihomed
Member.
You would be much better off having both the DC and the member connected to
the router.
Here are the answers to some of your questions (I think):

Q1) "How is the internal DNS resolving external names with out a
gateway?"
A1) We DON'T WANT the internal DNS (on machine B) to resolve external
names.

If the member needs to resolve external names it should rely on getting
those names from the DC. If the member is using your ISP's DNS I can see
where the error might be coming from, especially if you use the same
internal domain name as your external domain name.
If the member gets the IP address of the domain name from your ISP, then it
is that IP address it is looking for the sysvol share.
Q2) "Do you have NAT on the member server?"
A2) No, we don't.

Q3) "You have no gateways listed for any NIC, how do you get out
without a gateway?
A3) My guess is per what I wrote above.


BTW, you mentioned above that:

"> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank
it will

Do you know that the above (that it will either default to the
loopback address or use DHCP to get the IP of the DNS server) is
true? The reason that I'm asking is that this might be at least part
of the question in my earlier thread ("How is resolution working?").

If the machine has DNS installed it will get a loopback address, otherwise
the TCP/IP stack won't let you leave the fields blank.
If the router is providing the DNS server for the NIC connected to it then
it is getting its DNS from the router which is most generally your ISP's
DNS in which case may be the cause of your error.
Instead of typing out the settings you have in place I would like to see an
ipconfig /all output from both machines. You can get the ipconfig by running
this in a command prompt:
C:\>ipconfig /all > C:\ipconfig.txt
That will drop a text file in the root of the C drive.
If so, can you point me to some documentation about this? Also, if
you know, under what circumstances would it default to the loopback
address vs. trying to get the DNS server IP from DHCP?

Please post the ipconfig from the command I noted above.
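Two facts worth having in hand before reading the ipconfig output Kevin asks for: the "(53)" in the Userenv event is Win32 error ERROR_BAD_NETPATH ("The network path was not found"), and the BROWSER event's data bytes "35 00 00 00" are the same code, 0x35 = 53, in little-endian. Both events say that the name WEB tried to reach (\\foo1.com, \\DATA) did not resolve to a host that answered, which is why the replies above concentrate on which DNS server each NIC uses rather than on share permissions. The script below is an added example, not code from anyone in this thread: it parses an `ipconfig /all` dump and flags the three things Kevin's earlier reply calls out (a NIC on an AD member listing a DNS server other than the DC, a NIC that gets its DNS from the router via DHCP, and more than one default gateway on a multihomed host). The sample dump is constructed from Jim's description of machine A; he never posted a real one. The function names, DC_DNS, and the second resolver address are this example's own.

```python
"""Lint an `ipconfig /all` dump for the misconfigurations discussed in this
thread: a NIC on an AD member whose DNS list names anything but the DC, a
NIC that takes its DNS servers from the router via DHCP, and more than one
default gateway on a multihomed host.

Added example; parse_ipconfig(), audit() and DC_DNS are this example's own
names.  The sample dumps are constructed, not output Jim ever posted."""
import re

# Machine B (DATA, 192.168.1.109) is the only DNS server an AD member may use.
DC_DNS = {"192.168.1.109"}

# Constructed dump modelled on machine A (WEB), with the external NIC on DHCP
# so the router hands it the ISP's resolvers: the failure mode Kevin suspects.
SAMPLE_BAD = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : WEB
        Primary DNS Suffix  . . . . . . . : foo1.com

Ethernet adapter External:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NIC1 (cable modem / router)
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.111
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            203.0.113.53

Ethernet adapter Internal:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NIC2 (switch to DATA)
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.110
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.109
"""

# The same host after Kevin's fix: static addressing, DC-only DNS on both NICs.
SAMPLE_FIXED = re.sub(r": 192\.168\.0\.1\n\s+203\.0\.113\.53", ": 192.168.1.109",
                      SAMPLE_BAD.replace(": Yes", ": No"))

ADAPTER_RE = re.compile(r"^\S.*\badapter\s+(.+):$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}.  Indented lines without a colon
    are continuation values (second and later DNS servers)."""
    adapters, fields, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            fields = adapters.setdefault(m.group(1), {})
            last = None
            continue
        if fields is None:          # host-level lines before the first adapter
            continue
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1)
            fields.setdefault(last, [])
            if m.group(2):
                fields[last].append(m.group(2))
        elif last is not None:
            fields[last].append(line.strip())
    return adapters


def audit(adapters, dc_dns=DC_DNS):
    """Return findings as strings; an empty list means DC-only DNS on every
    NIC, no DHCP-supplied resolvers, and at most one default gateway."""
    findings, gateways = [], []
    for name, f in adapters.items():
        dns = f.get("DNS Servers", [])
        foreign = [s for s in dns if s not in dc_dns]
        if foreign:
            findings.append(f"{name}: DNS servers {foreign} are not the DC; "
                            f"an AD member must list only {sorted(dc_dns)}")
        if not dns:
            findings.append(f"{name}: no DNS server listed")
        if f.get("DHCP Enabled", ["No"])[0].lower() == "yes":
            findings.append(f"{name}: DHCP enabled, so the router can push the ISP's DNS")
        gateways += f.get("Default Gateway", [])
    if len(gateways) > 1:
        findings.append(f"default gateways {gateways}: two 0.0.0.0 routes of equal "
                        "metric, outbound interface depends on table order")
    return findings


if __name__ == "__main__":
    for label, dump in (("bad", SAMPLE_BAD), ("fixed", SAMPLE_FIXED)):
        print(label, audit(parse_ipconfig(dump)) or ["OK"])
```

Run it against a real `C:\ipconfig.txt` by reading the file into `parse_ipconfig()`; an empty findings list is the state Kevin's reply describes (both NICs list only the DC, nothing handed out by the router, one default gateway at most).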
 
Ace Fekay [MVP]

Ohaya said:
Kevin,

You have some good questions, and I only have answers to some of them
unfortunately :(...

First of all, my desire/intention is to build this 2-machine network
such that it's kind of a standalone ("standalone", in a limited sense)
Windows domain, but physically connected to an external network.

The "machine A" runs an IIS web server, and we need "inward" access
(from clients on the external network) to this web server, but, in
general, we don't need, or want to allow, "outward" access (from
machine
A, or machine B) to the external network.

The reason for the machine A/machine B configuration is that machine B
runs a database which is accessed by our web application (which runs
on machine A), and also, we want to manage all the machines on this
internal network (consisting of machines A & B) using GPOs, etc. from
machine A.

Now here's the way that I think that things work (and they are, for
the
most part, working):

You noted that we don't define a gateway for either NIC2 on machine A
or
NIC1 on machine B, but you'll also note that NIC2/machine A and
NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx). In
addition, both NIC2/machine A and NIC1/machine B point to machine B
for
their DNS server.

[I'm being a bit vague here] When something in machine A wants to
connect to either machine A or machine B, since the DNS IP address
points to machine B, name resolution gets handled by the DNS server on
machine B.

As to how it "gets out without a gateway", I think it works somewhat
akin to a 2-computer network using a cross-over cable (and without a
router) but, in our case, we're using a switch between the 2 computers
(instead of a cross-over cable). My understanding is that in such a
configuration, packets with source/destination address get sent out
the
NIC on the source machine, and the machine with the matching
destination address will simply receive those packets.


Here are the answers to some of your questions (I think):

Q1) "How is the internal DNS resolving external names with out a
gateway?"
A1) We DON'T WANT the internal DNS (on machine B) to resolve external
names.

Q2) "Do you have NAT on the member server?"
A2) No, we don't.

Q3) "You have no gateways listed for any NIC, how do you get out
without
a gateway?
A3) My guess is per what I wrote above.


BTW, you mentioned above that:

"> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank
it
will
pick up the loopback address or use DHCP to get the DNS server."

Do you know that the above (that it will either default to the
loopback address or use DHCP to get the IP of the DNS server) is
true? The
reason that I'm asking is that this might be at least part of the
question in my earlier thread ("How is resolution working?").

If so, can you point me to some documentation about this? Also, if
you
know, under what circumstances would it default to the loopback
address
vs. trying to get the DNS server IP from DHCP?

Jim

To add, if you want external communication, you'll need to specify a
gateway, unless you do not want to have Internet communication from this
machine?

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ohaya

Ace Fekay said:
Ohaya said:
Kevin,

You have some good questions, and I only have answers to some of them
unfortunately :(...

First of all, my desire/intention is to build this 2-machine network
such that it's kind of a standalone ("standalone", in a limited sense)
Windows domain, but physically connected to an external network.

The "machine A" runs an IIS web server, and we need "inward" access
(from clients on the external network) to this web server, but, in
general, we don't need, or want to allow, "outward" access (from
machine
A, or machine B) to the external network.

The reason for the machine A/machine B configuration is that machine B
runs a database which is accessed by our web application (which runs
on machine A), and also, we want to manage all the machines on this
internal network (consisting of machines A & B) using GPOs, etc. from
machine A.

Now here's the way that I think that things work (and they are, for
the
most part, working):

You noted that we don't define a gateway for either NIC2 on machine A
or
NIC1 on machine B, but you'll also note that NIC2/machine A and
NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx). In
addition, both NIC2/machine A and NIC1/machine B point to machine B
for
their DNS server.

[I'm being a bit vague here] When something in machine A wants to
connect to either machine A or machine B, since the DNS IP address
points to machine B, name resolution gets handled by the DNS server on
machine B.

As to how it "gets out without a gateway", I think it works somewhat
akin to a 2-computer network using a cross-over cable (and without a
router) but, in our case, we're using a switch between the 2 computers
(instead of a cross-over cable). My understanding is that in such a
configuration, packets with source/destination address get sent out
the
NIC on the source machine, and the machine with the matching
destination address will simply receive those packets.


Here are the answers to some of your questions (I think):

Q1) "How is the internal DNS resolving external names with out a
gateway?"
A1) We DON'T WANT the internal DNS (on machine B) to resolve external
names.

Q2) "Do you have NAT on the member server?"
A2) No, we don't.

Q3) "You have no gateways listed for any NIC, how do you get out
without
a gateway?
A3) My guess is per what I wrote above.


BTW, you mentioned above that:

"> You cannot have TCP/IP without DNS in Win2k if you leave DNS blank
it
will
pick up the loopback address or use DHCP to get the DNS server."

Do you know that the above (that it will either default to the
loopback address or use DHCP to get the IP of the DNS server) is
true? The
reason that I'm asking is that this might be at least part of the
question in my earlier thread ("How is resolution working?").

If so, can you point me to some documentation about this? Also, if
you
know, under what circumstances would it default to the loopback
address
vs. trying to get the DNS server IP from DHCP?

Jim

To add, if you want external communication, you'll need to specify a
gateway, unless you do not want to have Internet communication from this
machine?


Hi Ace et al,

I was testing all weekend with my new test setup, and I think that I've
figured out what's going on, at least partially, mainly with the DNS part.
I still can't figure out what's going on with the subject of this thread
though (the Event ID problem).

The explanation is going to be a bit complicated, but I'll try to touch
on the main points.

Basically, I started looking at what was happening to the routing table
("route print") on the multi-homed machine when I made various changes
to the GWY and DNS pointers on NIC1 and NIC2.

It turns out that if the GWY is populated in both NIC1 and NIC2, two
default routes (Destination 0.0.0.0) get created in the routing table.
For example, if one NIC has IP 192.168.0.9, GWY 192.168.0.1 and the
other NIC has IP 192.168.1.111, GWY 192.168.1.110, the entries look
something like:

0.0.0.0 ................. 192.168.0.1 192.168.0.109 1
0.0.0.0 ................. 192.168.1.109 192.168.1.110 1

As I understand it, the routing logic will look for a match between the
destination address in a packet and the entries in the routing table,
and when it finds the best match, that determines which interface the
packet will be sent out on (ok, that explanation is somewhat
simplistic).

In my case, I always had Metric set to 1, so basically what I found was
the ORDER that these routes were being added to the routing table would
depend on the ORDER in which I added the GWY pointers to the NICs.

If I just happened to get the order one way, so that the 0.0.0.0
destination route entry with the 192.168.0.1 GWY was higher priority,
then pings to the external network would be able to get to the external
network via the "Default Gateway" of 192.168.0.1 (which was a router on
the external network), and from there to the open Internet.

If I just happened to get the order the other way, so that the 0.0.0.0
destination route entry with the 192.168.1.109 GWY was higher priority,
then all outgoing traffic, including pings to the external network,
would instead be routed through the 192.168.1.110 NIC back into my small
network. Remember, the only other machine on this small network was
machine B, so basically, these packets would get responded to with an
"unreachable".


An additional item is that it appears that if any of the NICs in the
machine have a specific IP address (e.g., 192.168.1.110), a route to the
entire subnet gets added that looks something like:

192.168.1.0 ............... 192.168.1.110 192.168.1.110 1

Note that the above route will, by itself, provide a way for packets
with destination addresses on the 192.168.1 subnet to get to the
192.168.1 subnet. Since this is the case, this means that even if I don't
have a default route that can get me to the 192.168.1 subnet, I can
still get to the 192.168.1 subnet via the above route. This is why I
was able to still resolve the names of machines on my internal network
(served by the DNS server on machine B) even when I didn't have a GWY
setting on the NIC.

As I said above, a bit complicated :(...


Ok, now that I've figured that out, there's still the matter of the 2
Event IDs in my original post.

I've figured out one of them, the warning about the browser, by
disabling the Alerter and the BITS service, but I'm still getting the
Event ID 1000 (userenv).

Before we get into that, can someone explain what this error is
exactly? It looks like it's saying that the machine can't access a
certain file (registry.pol) on my DC?

If that is correct, what is the ramification of this? What kind of
problem will it cause?

Also, as I mentioned in one of my original posts, yes, I can click
through My Network Places to the DC, then to SYSVOL directory, then on
downward all the way to the registry.pol file on my DC.

Since I *can* do that, doesn't that imply that this machine CAN access
registry.pol on my DC? And if THAT is correct, then why am I still
getting this error??

If it's an access problem, as I mentioned earlier, I've already added
Everyone to that whole tree (just to try to get this working)...

Thanks for all your patience!!

Jim
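The route-selection behaviour Jim describes above (longest matching prefix first, and between two 0.0.0.0 entries of equal metric, whichever was added first) is worth seeing as code, because it shows both halves of his observation at once: the 192.168.1.0/24 interface route reaches the DC whatever the default routes look like, while Internet-bound traffic flips between the two NICs purely on insertion order. This is an added example, not Jim's or the MVPs' code. The table is constructed from the `route print` rows he posted; select_route(), swap_defaults(), demote_internal_default() and the test address 198.51.100.10 are this example's own. The tie-break on table order is modelled from what Jim observed, not taken from the Windows kernel.

```python
"""Model of the route selection Jim watched with `route print`: longest
matching prefix wins, then lowest metric, then table (insertion) order.

Added example, not from the thread.  ROUTES is constructed from the
entries Jim posted; select_route(), swap_defaults(),
demote_internal_default() and the test address 198.51.100.10 are this
example's own.  Windows' real tie-break is modelled as table order because
that is what Jim observed, not from the kernel source."""
import ipaddress

# (destination, netmask, gateway, interface, metric), in insertion order.
# Both default routes carry metric 1, as in Jim's table.
ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.0.1",   "192.168.0.109", 1),
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.109", "192.168.1.110", 1),
    ("192.168.0.0", "255.255.255.0", "192.168.0.109", "192.168.0.109", 1),
    ("192.168.1.0", "255.255.255.0", "192.168.1.110", "192.168.1.110", 1),
    ("127.0.0.0",   "255.0.0.0",     "127.0.0.1",     "127.0.0.1",     1),
]


def select_route(dest, routes):
    """Return (gateway, interface) chosen for dest, or None if no entry matches."""
    addr = ipaddress.IPv4Address(dest)
    best, best_key = None, None
    for order, (net, mask, gw, iface, metric) in enumerate(routes):
        network = ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
        if addr not in network:
            continue
        # Smaller key is better: longer prefix, then lower metric, then earlier row.
        key = (-network.prefixlen, metric, order)
        if best_key is None or key < best_key:
            best, best_key = (gw, iface), key
    return best


def swap_defaults(routes):
    """The same table with the two 0.0.0.0 rows added in the other order,
    which is what Jim got by entering the gateways in the other sequence."""
    return [routes[1], routes[0]] + routes[2:]


def demote_internal_default(routes, internal_iface="192.168.1.110"):
    """Give the internal NIC's default route a worse metric so the external
    gateway wins regardless of insertion order (or simply do not configure a
    gateway on the internal NIC at all, as the MVPs recommend)."""
    return [(net, mask, gw, iface,
             2 if net == "0.0.0.0" and iface == internal_iface else metric)
            for net, mask, gw, iface, metric in routes]


if __name__ == "__main__":
    for table in (ROUTES, swap_defaults(ROUTES),
                  demote_internal_default(swap_defaults(ROUTES))):
        print("DC 192.168.1.109 via", select_route("192.168.1.109", table),
              "| internet 198.51.100.10 via", select_route("198.51.100.10", table))
```

The third table in the usage loop is the routing-table view of the advice given earlier in the thread: with only one usable default route (here by metric; in practice by leaving the gateway blank on the internal NIC) the outbound interface no longer depends on the order the gateways were typed in.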
 
Ace Fekay [MVP]

Ohaya said:
Ace Fekay said:
Kevin,

You have some good questions, and I only have answers to some of
them unfortunately :(...

First of all, my desire/intention is to build this 2-machine network
such that it's kind of a standalone ("standalone", in a limited
sense) Windows domain, but physically connected to an external
network.

The "machine A" runs an IIS web server, and we need "inward" access
(from clients on the external network) to this web server, but, in
general, we don't need, or want to allow, "outward" access (from
machine
A, or machine B) to the external network.

The reason for the machine A/machine B configuration is that
machine B runs a database which is accessed by our web application
(which runs
on machine A), and also, we want to manage all the machines on this
internal network (consisting of machines A & B) using GPOs, etc.
from machine A.

Now here's the way that I think that things work (and they are, for
the
most part, working):

You noted that we don't define a gateway for either NIC2 on machine
A
or
NIC1 on machine B, but you'll also note that NIC2/machine A and
NIC1/machine B are on the same subnet (IP addresses 192.168.1.xx).
In addition, both NIC2/machine A and NIC1/machine B point to
machine B
for
their DNS server.

[I'm being a bit vague here] When something in machine A wants to
connect to either machine A or machine B, since the DNS IP address
points to machine B, name resolution gets handled by the DNS server
on machine B.

As to how it "gets out without a gateway", I think it works somewhat
akin to a 2-computer network using a cross-over cable (and without a
router) but, in our case, we're using a switch between the 2
computers (instead of a cross-over cable). My understanding is
that in such a configuration, packets with source/destination
address get sent out
the
NIC on the source machine, and the machine with the matching
destination address will simply receive those packets.


Here are the answers to some of your questions (I think):

Q1) "How is the internal DNS resolving external names with out a
gateway?"
A1) We DON'T WANT the internal DNS (on machine B) to resolve
external names.

Q2) "Do you have NAT on the member server?"
A2) No, we don't.

Q3) "You have no gateways listed for any NIC, how do you get out
without
a gateway?
A3) My guess is per what I wrote above.


BTW, you mentioned above that:

"> You cannot have TCP/IP without DNS in Win2k if you leave DNS
blank
it
will
pick up the loopback address or use DHCP to get the DNS server."

Do you know that the above (that it will either default to the
loopback address or use DHCP to get the IP of the DNS server) is
true? The reason that I'm asking is that this might be at least part
of the question in my earlier thread ("How is resolution working?").

If so, can you point me to some documentation about this? Also, if
you know, under what circumstances would it default to the loopback
address vs. trying to get the DNS server IP from DHCP?

Jim

To add, if you want external communication, you'll need to specify a
gateway, unless you do not want to have Internet communication from
this machine?


Hi Ace et al,

I was testing all weekend with my new test setup, and I think that
I've figured out what's going on, at least partially, mainly with the
DNS part. I still can't figure out what's going on with the subject
of this thread though (the Event ID problem).

The explanation is going to be a bit complicated, but I'll try to
touch on the main points.

Basically, I started looking at what was happening to the routing
table ("route print") on the multi-homed machine when I made various
changes to the GWY and DNS pointers on NIC1 and NIC2.

It turns out that if the GWY is populated in both NIC1 and NIC2, two
default routes (Destination 0.0.0.0) get created in the routing table.
For example, if one NIC has IP 192.168.0.9, GWY 192.168.0.1 and the
other NIC has IP 192.168.1.111, GWY 192.168.1.110, the entries look
something like:

0.0.0.0 ................. 192.168.0.1 192.168.0.109 1
0.0.0.0 ................. 192.168.1.109 192.168.1.110 1

As I understand it, the routing logic will look for a match between
the destination address in a packet and the entries in the routing
table, and when it finds the best match, that determines which
interface the packet will be sent out on (ok, that explanation is
somewhat simplistic).

In my case, I always had Metric set to 1, so basically what I found
was the ORDER that these routes were being added to the routing table
would depend on the ORDER in which I added the GWY pointers to the
NICs.

If I just happened to get the order one way, so that the 0.0.0.0
destination route entry with the 192.168.0.1 GWY was higher priority,
then pings to the external network would be able to get to the
external network via the "Default Gateway" of 192.168.0.1 (which was
a router on the external network), and from there to the open
Internet.

If I just happened to get the order the other way, so that the 0.0.0.0
destination route entry with the 192.168.1.109 GWY was higher
priority, then all outgoing traffic, including pings to the external
network, would instead be routed through the 192.168.1.110 NIC back
into my small network. Remember, the only other machine on this
small network was machine B, so basically, these packets would get
responded to with an "unreachable".


An additional item is that it appears that if any of the NICs in the
machine have a specific IP address (e.g., 192.168.1.110), a route to
the entire subnet gets added that looks something like:

192.168.1.0 ............... 192.168.1.110 192.168.1.110 1

Note that the above route will, by itself, provide a way for packets
with destination addresses on the 192.168.1 subnet to get to the
192.168.1 subnet. Since this is the case, this means that even if I
don't have a default route that can get me to the 192.168.1 subnet, I
can still get to the 192.168.1 subnet via the above route. This is
why I was able to still resolve the names of machines on my internal
network (served by the DNS server on machine B) even when I didn't
have a GWY setting on the NIC.

As I said above, a bit complicated :(...


Ok, now that I've figured that out, there's still the matter of the 2
Event IDs in my original post.

I've figured out one of them, the warning about the browser, by
disabling the Alerter and the BITS service, but I'm still getting the
Event ID 1000 (userenv).

Before we get into that, can someone explain what this error is
exactly? It looks like it's saying that the machine can't access a
certain file (registry.pol) on my DC?

If that is correct, what is the ramification of this? What kind of
problem will it cause?

Also, as I mentioned in one of my original posts, yes, I can click
through My Network Places to the DC, then to SYSVOL directory, then on
downward all the way to the registry.pol file on my DC.

Since I *can* do that, doesn't that imply that this machine CAN access
registry.pol on my DC? And if THAT is correct, then why am I still
getting this error??

If it's an access problem, as I mentioned earlier, I've already added
Everyone to that whole tree (just to try to get this working)...

Thanks for all your patience!!

Jim
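A small route-selection simulator, added here as an example (not code from the thread or from Microsoft), to show in working code what Jim worked out above: with two default routes of equal metric, the one added first wins, so the order in which the gateways were configured decides where Internet-bound traffic leaves, while traffic for 192.168.1.x always takes the connected-subnet route regardless of any default gateway. It implements the general longest-prefix-match rule of which the post shows one instance; the tie-break order (prefix length, then metric, then insertion order) is an assumption drawn from the behaviour described, and the addresses are the ones quoted in the post.

```python
"""Route selection simulator for Jim's two-NIC routing table.

Added example, not code from the thread. Assumed rule (from the behaviour
Jim describes, not from Microsoft documentation): the longest matching
prefix wins, ties go to the lowest metric, and among otherwise equal
entries the one added to the table first wins. NIC1/NIC2 are just labels.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # network in CIDR form, e.g. "0.0.0.0/0"
    gateway: str       # next-hop address
    interface: str     # local address of the NIC the packet leaves on
    metric: int = 1
    label: str = ""    # human-readable name reported in the results


# Entries reconstructed from Jim's "route print" description (constructed
# sample data; the netmask column he elided with dots is filled in here).
CONNECTED_EXTERNAL = Route("192.168.0.0/24", "192.168.0.109", "192.168.0.109",
                           label="NIC1 subnet route")
CONNECTED_INTERNAL = Route("192.168.1.0/24", "192.168.1.110", "192.168.1.110",
                           label="NIC2 subnet route")
DEFAULT_VIA_NIC1 = Route("0.0.0.0/0", "192.168.0.1", "192.168.0.109",
                         label="default via NIC1")
DEFAULT_VIA_NIC2 = Route("0.0.0.0/0", "192.168.1.109", "192.168.1.110",
                         label="default via NIC2")


def select_route(table: List[Route], dest: str) -> Optional[Route]:
    """Return the route that would carry a packet to `dest`, or None."""
    target = ipaddress.ip_address(dest)
    best, best_key = None, None
    for position, route in enumerate(table):
        net = ipaddress.ip_network(route.destination, strict=False)
        if target not in net:
            continue
        # Smaller key wins: longer prefix, then lower metric, then the
        # entry that was inserted earlier (Jim's "ORDER" observation).
        key = (-net.prefixlen, route.metric, position)
        if best_key is None or key < best_key:
            best, best_key = route, key
    return best


def build_table(defaults_in_insertion_order: List[Route]) -> List[Route]:
    """Connected-subnet routes Windows adds for each NIC's own address,
    followed by the default routes in the order the gateways were set."""
    return [CONNECTED_EXTERNAL, CONNECTED_INTERNAL] + list(defaults_in_insertion_order)


def egress(table: List[Route], dest: str) -> Optional[str]:
    """Label of the chosen route, or None when nothing in the table matches."""
    route = select_route(table, dest)
    return route.label if route else None


if __name__ == "__main__":
    # 198.51.100.7 stands in for any host on the open Internet.
    scenarios = (
        ("NIC1 gateway added first", [DEFAULT_VIA_NIC1, DEFAULT_VIA_NIC2]),
        ("NIC2 gateway added first", [DEFAULT_VIA_NIC2, DEFAULT_VIA_NIC1]),
        ("no default gateway at all", []),
    )
    for name, defaults in scenarios:
        table = build_table(defaults)
        print(f"{name}: Internet -> {egress(table, '198.51.100.7')}, "
              f"DC 192.168.1.109 -> {egress(table, '192.168.1.109')}")
```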

Just to let you know, Event ID 1000 is normally caused (99% of the time) by
using the incorrect DNS server in IP properties that is not hosting the AD
zone name, hence the need to use the internal servers only in any AD design.
See this for more info:
http://www.eventid.net/display.asp?eventid=1000&source=

As for the dual gates, that is why we only usually put in one default
gateway on one or the other NIC (unless I misinterpreted your post). Would
have rather seen an actual ipconfig /all of this machine....
:)


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Kevin D. Goodknecht [MVP]

Ohaya said:
Kevin,

You have some good questions, and I only have answers to some of
them unfortunately :(...

First of all, my desire/intention is to build this 2-machine network
such that it's kind of a standalone ("standalone", in a limited
sense) Windows domain, but physically connected to an external
network.

The "machine A" runs an IIS web server, and we need "inward" access
(from clients on the external network) to this web server, but, in
general, we don't need, or want to allow, "outward" access (from
machine A, or machine B) to the external network.

The reason for the machine A/machine B configuration is that
machine B runs a database which is accessed by our web application
(which runs on machine A), and also, we want to manage all the
machines on this internal network (consisting of machines A & B)
using GPOs, etc. from machine A.

Also, as I mentioned in one of my original posts, yes, I can click
through My Network Places to the DC, then to SYSVOL directory, then on
downward all the way to the registry.pol file on my DC.

Since I *can* do that, doesn't that imply that this machine CAN access
registry.pol on my DC? And if THAT is correct, then why am I still
getting this error??

No, the sysvol share is not found by other machines using the machine name
in the same way as using Network places. It is a DFS share and is accessed
by the domain name, not by the machine name. DFS shares cannot be browsed to
in Network places. It can be published in Network places as
\\foo1.com\sysvol. What happens when you type this in your browser:
\\foo1.com\sysvol, which is the root of the DFS share?

When you run ipconfig /displaydns what is the IP address of the foo1.com
record?
 
Ohaya

Ace Fekay said:
Just to let you know, Event ID 1000 is normally caused (99% of the time) by
using the incorrect DNS server in IP properties that is not hosting the AD
zone name, hence the need to use the internal servers only in any AD design.
See this for more info:
http://www.eventid.net/display.asp?eventid=1000&source=

As for the dual gates, that is why we only usually put in one default
gateway on one or the other NIC (unless I misinterpreted your post). Would
have rather seen an actual ipconfig /all of this machine....
:)


Ace,

Yes, I think we agree about 1 GWY for the machine with 2 NICs. That
part makes sense now to me (as I tried to explain in my earlier post
:)!). Until I realized what was going on in the route table, I couldn't
figure out how traffic was getting out to my 192.168.1 subnet without
the 2nd GWY.

Sorry about not posting the ipconfig. I've been making so many changes,
back and forth, that I didn't know which one would be representative. I
hope that you understand.

I'm waiting on a test now of the Event ID thing, and will post back in
this thread.

BTW, is there any way to reduce the time between whatever is causing the
Event ID 1000? I'm seeing between 90-100 minutes between these errors
in the Event log, so testing any changes is a bit time-consuming...

Jim
 
Ohaya

Kevin D. Goodknecht said:
No, the sysvol share is not found by other machines using the machine name
in the same way as using Network places. It is a DFS share and is accessed
by the domain name, not by the machine name. DFS shares cannot be browsed to
in Network places. It can be published in Network places as
\\foo1.com\sysvol.
What happens when you type this in your browser \\foo1.com\sysvol which is
the root of the DFS share?

When you run ipconfig /displaydns what is the IP address of the foo1.com
record?


When I use \\foo1.com\sysvol it brings up a window with a folder named
foo1.com. When I do ipconfig /displaydns after that, it shows the IP
address of foo1.com as 192.168.1.109, which is correct.

Jim
 
Ohaya

Ace, Kevin, Robert et al,

I've been waiting for awhile now (about 5 hours), and so far, no more
Event ID 1000s!!

Here's my current "ipconfig /all" for the multi-homed machine:


Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : web
Primary DNS Suffix . . . . . . . : foo1.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : foo1.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DE660 PCMCIA LAN adapter
Physical Address. . . . . . . . . : 00-80-C8-B9-E8-D5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.110
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.109

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : ORiNOCO PC Card (5 Volt)
Physical Address. . . . . . . . . : 00-02-2D-3B-E9-47
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1

NIC1 is connected to the external network, and NIC2 is connected to a
switch, which is connected to my DC/DNS server (192.168.1.109).

NIC2 is at the top of the binding order.

NIC1 is bound to Client for Microsoft Networks/TCP/IP

NIC2 is bound to Client for Microsoft Networks/TCP/IP and to File and
Printer Sharing/TCP/IP.

Netbios over TCP/IP is enabled for both NIC1 and NIC2.

With all of that, my gut feel is that all of the above settings weren't
what finally got this working. What happened is that I started going
through the steps in the following articles:

http://support.microsoft.com/default.aspx?scid=kb;en-us;290647

and

http://support.microsoft.com/default.aspx?scid=kb;EN-US;259398

In particular, in the 1st article, at the end, it said:

"Verify that the sysvol share permissions are set correctly.

Default Share permissions are:
Administrators = FC
Authenticated Users = FC
Everyone = Read"


On Machine B, I found that "Authenticated Users" had none of the "Allow"
check boxes checked after going through the steps in that article, so I
checked all of the boxes.

In the 2nd article, it said:

"Check the following registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
DisableDFS: REG_DWORD: range: 0 or 1
0 = enabled; 1 = disabled
Default: 0

Make sure that the value is set to 0, enabling the Dfs client. Also,
File and Printer Sharing for Microsoft Networks must be enabled on the
interface."


On both Machine A and Machine B, I found that registry value
(DisableDFS) completely missing, so I added it and set it to 0.


I then rebooted Machine B (the DC) and then Machine A (the multi-homed
server).

It's been about 5 hours now, and so far, no more Event ID 1000 errors in
the Application Event log!!


I haven't had time to go back and undo the changes yet, to see which
change did it, but I have a feeling that it may've been a combination of
things (the security settings and the DisableDFS). Kevin had mentioned
something about DFS in his last post, so that may've been it...


In any event, I really appreciate all of your help and patience in
sticking with this!!!


I'll keep an eye on the Event log for the next day or so, but assuming
it was the DisableDFS, do any of you have any idea how this might've not
been set in the first place (remember, it didn't exist on either
machine)?

Both systems were clean installs from Win2K AS CDs, so I'm kind of
puzzled about that.

The only thing that I can recall that was strange about the
installations was that on Machine B (the DC), I had originally installed
it as a DC, then I DCPROMO'ed it to make it a server, then I DCPROMO'ed
it again to make it a DC again. I wonder if that may've caused the
DisableDFS to disappear?

Again, thanks a lot!!

Jim
 
Ace Fekay [MVP]

Ohaya said:
Ace,

Yes, I think we agree about 1 GWY for the machine with 2 NICs. That
part makes sense now to me (as I tried to explain in my earlier post
:)!). Until I realized what was going on in the route table, I
couldn't figure out how traffic was getting out to my 192.168.1
subnet without the 2nd GWY.

Sorry about not posting the ipconfig. I've been making so many
changes, back and forth, that I didn't know which one would be
representative. I hope that you understand.

I'm waiting on a test now of the Event ID thing, and will post back in
this thread.

BTW, is there any way to reduce the time between whatever is causing
the Event ID 1000? I'm seeing between 90-100 minutes between these
errors in the Event log, so testing any changes is a bit
time-consuming...

Jim

I understand about the ipconfig. And yes, you can only have one doorway out
to the outside. Kind of akin to you being in a room with two possible
doors to get out, but you knowing the proper one to use. The other can lead
out, but it's more of a roundabout way. You would know how to use the
doors, but if it were a computer, you would need to tell it which is the
"default" door... make sense? There can only be one "default".

The 90-100 minutes is in line with GPO refresh times on a workstation/member
server. GPOs refresh every 90 minutes (+/- 30). On a DC it's every 5 minutes.
These are default settings. So it kind of tells me more and more that it is
a DNS lookup issue...



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Kevin D. Goodknecht [MVP]

Ohaya said:
Ace, Kevin, Robert et al,

I've been waiting for awhile now (about 5 hours), and so far, no more
Event ID 1000s!!

Here's my current "ipconfig /all" for the multi-homed machine:


Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : web
Primary DNS Suffix . . . . . . . : foo1.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : foo1.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DE660 PCMCIA LAN adapter
Physical Address. . . . . . . . . : 00-80-C8-B9-E8-D5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.110
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.109

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : ORiNOCO PC Card (5 Volt)
Physical Address. . . . . . . . . : 00-02-2D-3B-E9-47
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1 <--- change to DC's address.
If you will remove the router from the configuration as a DNS server your
1000 events will go away.
You should not use any external DNS in any position of any NIC on any domain
member, I believe I stated that. Change the DNS on this to the DC's address.
 
Ace Fekay [MVP]

If you will remove the router from the configuration as a DNS server
your 1000 events will go away.
You should not use any external DNS in any position of any NIC on any
domain member, I believe I stated that. Change the DNS on this to the
DC's address.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================

That would definitely cause the problem! Using anything other than your
internal server(s) that AD is registering into is a no-no with AD.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
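As an added example (not code from the thread, and not Kevin's or Jim's), the following Python script parses the Windows 2000 `ipconfig /all` layout Jim posted above and applies the two rules the replies state: every NIC on a domain member must point only at the internal DNS servers AD registers into, and a multi-homed host gets exactly one default gateway. The regexes for the adapter header and the dot-leader field lines are assumptions about that layout, not a documented grammar; the set of internal DNS servers is supplied by the caller (here the DC DATA at 192.168.1.109, from the thread). The sample text is Jim's own output as posted, minus Kevin's inline annotation.

```python
"""Audit a domain member's `ipconfig /all` output for external DNS servers
and multiple default gateways. Added example, not code from the thread.
The regexes are assumptions about the Windows 2000 ipconfig layout."""
import re
from dataclasses import dataclass, field

# Adapter header: "Ethernet adapter Local Area Connection 2:" (or "PPP adapter X:")
ADAPTER_RE = re.compile(r"^[A-Za-z0-9 ]*adapter (.+?):\s*$")
# Field line: key, dot leaders, colon, value  e.g. "Default Gateway . . . : 192.168.0.1"
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /()-]*?)[ .]*:\s*(.*)$")
# Additional DNS servers appear on indented continuation lines holding only an IP
IP_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


@dataclass
class Adapter:
    name: str
    fields: dict = field(default_factory=dict)
    dns_servers: list = field(default_factory=list)

    @property
    def ip(self) -> str:
        return self.fields.get("IP Address", "")

    @property
    def gateway(self) -> str:
        return self.fields.get("Default Gateway", "")


def parse_ipconfig(text: str):
    """Return (host_fields, [Adapter, ...]) parsed from `ipconfig /all` text."""
    host, adapters, current, last_key = {}, [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:                                   # new adapter section
            current = Adapter(m.group(1).strip())
            adapters.append(current)
            last_key = None
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            last_key = key
            if current is None:
                host[key] = value               # Host Name, Node Type, ...
            elif key == "DNS Servers":
                if value:
                    current.dns_servers.append(value)
            else:
                current.fields[key] = value
            continue
        m = IP_RE.match(line)
        if m and current is not None and last_key == "DNS Servers":
            current.dns_servers.append(m.group(1))   # continuation line
    return host, adapters


def audit(adapters, internal_dns):
    """Apply the thread's two rules and return a list of findings (empty = clean)."""
    findings = []
    with_gateway = [a.name for a in adapters if a.gateway]
    if len(with_gateway) > 1:
        findings.append("more than one default gateway: " + ", ".join(with_gateway))
    for a in adapters:
        external = [d for d in a.dns_servers if d not in internal_dns]
        if external:
            findings.append(f"{a.name}: DNS server(s) {', '.join(external)} are not "
                            "internal AD DNS servers; point every NIC at the DC(s) only")
    return findings


# Jim's posted `ipconfig /all` for the multi-homed member server WEB (from the thread)
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : web
Primary DNS Suffix . . . . . . . : foo1.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : foo1.com

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DE660 PCMCIA LAN adapter
Physical Address. . . . . . . . . : 00-80-C8-B9-E8-D5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.110
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.109

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : ORiNOCO PC Card (5 Volt)
Physical Address. . . . . . . . . : 00-02-2D-3B-E9-47
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.111
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

if __name__ == "__main__":
    host, adapters = parse_ipconfig(SAMPLE_IPCONFIG)
    print(f"host {host['Host Name']} ({host['Node Type']} node)")
    for finding in audit(adapters, {"192.168.1.109"}):   # DATA is the only internal DNS
        print("FINDING:", finding)
```

Run as-is it reports the external NIC's DNS server 192.168.0.1 (the router), which is the entry Kevin marked. On a live box, feed it the real output with `subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout` and the addresses of every DC running DNS; a second DNS server on the same NIC shows up on an indented continuation line, which the parser folds into the same list.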
 