Problem setting user rights

David Kerber

We recently (2 wks ago) replaced our old NT domain controller with a
Windows 2000 Active Directory controller, and now I'm having trouble
setting up various permissions on my XP Pro client machines.

What's happening is that when I try to add users to a user rights list,
it will not list the domain as a possible location to get users from,
only the local machine. I have tried this when logged in as both a
local administrator, and as domain admin, and in neither case does it
list my domain as a location to get users and groups from.

How do I get this fixed so I can get my permissions set properly??

Thanks!
 
Steven L Umbach

Possibly you do not have your DNS configured correctly for an Active
Directory domain. In short, domain controllers must point only to themselves
and/or other domain controllers as their preferred DNS servers, and domain
workstations must point only to domain controllers as their preferred DNS
servers, as shown with ipconfig /all, and NEVER list an ISP DNS server as a
preferred DNS server for any domain computer. I would also run the support
tool netdiag on your domain controllers and a couple of problem workstations to
see if there are any problems reported for DNS, DC discovery, and
trust/secure channel. Proper DNS configuration is critical in an AD domain
or all sorts of problems will ensue. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 ---
Active Directory DNS FAQ.
 
David Kerber

Given your description, DNS could be the problem; I'll take a look and
post back.

Right now, my network's firewall machine is set as the DNS server for
all machines on the in-house network, including the domain controller.
Only the firewall machine looks at the ISP DNS servers for resolution
when something isn't in its own cache.

A couple of questions:

If the DC points to itself for DNS, how do I tell it where to
forward requests for addresses not in its domain (outside world
addresses, that is)?

Where can I find the netdiag tool? It's not being found on either
my client or the domain server.

Thanks!


n9rou@n0-spam-for-me- said:
Possibly you do not have your DNS configured correctly for an Active
Directory domain. In short, domain controllers must point only to themselves
and/or other domain controllers as their preferred DNS servers, and domain
workstations must point only to domain controllers as their preferred DNS
servers, as shown with ipconfig /all, and NEVER list an ISP DNS server as a
preferred DNS server for any domain computer. I would also run the support
tool netdiag on your domain controllers and a couple of problem workstations to
see if there are any problems reported for DNS, DC discovery, and
trust/secure channel. Proper DNS configuration is critical in an AD domain
or all sorts of problems will ensue. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382 ---
Active Directory DNS FAQ.
 
Steven L Umbach

Hi David.

Most definitely your problem is DNS from the description of your
configuration. You need to configure your domain controller to forward to
your ISP DNS servers as described below and you may have to remove the root
zone if it is present because if it is you will not be able to configure
forwarding. You need to disable DHCP on your firewall if used and configure
it on your domain controller and configure the DHCP scope to point to the
domain controller as DNS servers and use your firewall/router as the default
gateway. The domain controller must have a static IP address. The support
tools are on the install disk for the operating system in the support/tools
folder where you have to run the setup program there to install the set of
support tools. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;300429&sd=tech ---
how to configure DHCP.

To Remove the Root DNS Zone
1. In DNS Manager, expand the DNS Server object. Expand the Forward
Lookup Zones folder.
2. Right-click the "." zone, and then click Delete.

Windows 2000 can take advantage of DNS forwarders. This feature forwards DNS
requests to external servers. If a DNS server cannot find a resource record
in its zones, it can send the request to another DNS server for additional
attempts at resolution. A common scenario might be to configure forwarders
to your ISP's DNS servers.


To Configure Forwarders
1. In DNS Manager, right-click the DNS Server object, and then click
Properties.
2. Click the Forwarders tab.
3. Click to select the Enable Forwarders check box.
4. In the IP address box, type the first DNS server to which you want
to forward, and then click Add.
5. Repeat step 4 until you have added all the DNS servers to which you
want to forward.


David Kerber said:
Given your description, DNS could be the problem; I'll take a look and
post back.

Right now, my network's firewall machine is set as the DNS server for
all machines on the in-house network, including the domain controller.
Only the firewall machine looks at the ISP DNS servers for resolution
when something isn't in its own cache.

A couple of questions:

If the DC points to itself for DNS, how do I tell it where to
forward requests for addresses not in its domain (outside world
addresses, that is)?

Where can I find the netdiag tool? It's not being found on either
my client or the domain server.

Thanks!
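A scripted form of the two procedures Steve gives above (remove the "." root zone, then configure forwarders), added here as an example and not part of the original posts. It assumes a current Windows Server domain controller with the DnsServer PowerShell module rather than the Windows 2000 DNS Manager GUI the steps describe; the forwarder addresses are placeholders.

```powershell
# Added example, not from the thread: scripted form of "remove the root zone"
# and "configure forwarders" using the DnsServer module (Windows Server 2012+),
# run on the domain controller. Forwarder IPs are constructed placeholders.
param(
    [string[]]$Forwarders = @('198.51.100.53', '198.51.100.54'),  # placeholder ISP resolvers
    [string]$DnsServer    = $env:COMPUTERNAME
)
Import-Module DnsServer -ErrorAction Stop

# A "." zone makes the server believe it is authoritative for the entire
# namespace, so it never forwards or uses root hints; delete it if present.
$root = Get-DnsServerZone -ComputerName $DnsServer | Where-Object { $_.ZoneName -eq '.' }
if ($root) {
    Remove-DnsServerZone -Name '.' -ComputerName $DnsServer -Force
    Write-Host 'Removed root (".") zone'
} else {
    Write-Host 'No root zone present'
}

# Forward queries the DC cannot answer from its own zones to the ISP resolvers;
# keep root hints as a fallback in case every forwarder is unreachable.
Set-DnsServerForwarder -ComputerName $DnsServer -IPAddress $Forwarders -UseRootHint $true

# Show the resulting forwarder list and confirm an external name now resolves.
Get-DnsServerForwarder -ComputerName $DnsServer | Format-List IPAddress, UseRootHint
Resolve-DnsName -Name 'www.microsoft.com' -Server $DnsServer -Type A |
    Select-Object Name, IPAddress
```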
 
David Kerber

I got one of my machines to work with the new user groups, but not
another one. There are a couple of differences between the two
machines: the one which is working shows a node type of "hybrid" when I
do an ipconfig /all, while the one which is not working is showing as a
"peer" type. The one which is not working also had the Cisco VPN client
installed, but not running while I'm trying to get this stuff working.

Any ideas? Also, see below for additional answers...


n9rou@n0-spam-for-me- said:
Hi David.

Most definitely your problem is DNS from the description of your
configuration. You need to configure your domain controller to forward to
your ISP DNS servers as described below and you may have to remove the root
zone if it is present because if it is you will not be able to configure

That works; actually the auto-forwarding worked once I removed ".", so I
don't need to manually set forwarding.

forwarding. You need to disable DHCP on your firewall if used and configure
it on your domain controller and configure the DHCP scope to point to the
domain controller as DNS servers and use your firewall/router as the default

I only use DHCP for remote (VPN) clients. The in-house machines all
have static IP addresses.

gateway. The domain controller must have a static IP address. The support

Yes, I already knew that.

tools are on the install disk for the operating system in the support/tools
folder where you have to run the setup program there to install the set of
support tools. --- Steve

I ran DcDiag, and it tells me that the guid DNS name could not be
resolved, but the server name could be, and that I should "Check that
the IP address (192.168.1.1) is registered correctly with the DNS
server." How do I do that? As far as I can tell, it's all set up in
the DNS manager, but I'm obviously missing something...

Thanks again!


http://support.microsoft.com/default.aspx?scid=kb;en-us;300429&sd=tech ---
how to configure DHCP.

To Remove the Root DNS Zone
1. In DNS Manager, expand the DNS Server object. Expand the Forward
Lookup Zones folder.
2. Right-click the "." zone, and then click Delete.

Windows 2000 can take advantage of DNS forwarders. This feature forwards DNS
requests to external servers. If a DNS server cannot find a resource record
in its zones, it can send the request to another DNS server for additional
attempts at resolution. A common scenario might be to configure forwarders
to your ISP's DNS servers.


To Configure Forwarders
1. In DNS Manager, right-click the DNS Server object, and then click
Properties.
2. Click the Forwarders tab.
3. Click to select the Enable Forwarders check box.
4. In the IP address box, type the first DNS server to which you want
to forward, and then click Add.
5. Repeat step 4 until you have added all the DNS servers to which you
want to forward.
 
Steven L Umbach

David Kerber said:
I got one of my machines to work with the new user groups, but not
another one. There are a couple of differences between the two
machines: the one which is working shows a node type of "hybrid" when I
do an ipconfig /all, while the one which is not working is showing as a
"peer" type. The one which is not working also had the Cisco VPN client
installed, but not running while I'm trying to get this stuff working.

Any ideas? Also, see below for additional answers...

Run netdiag on the computer that cannot use domain groups to see if there
is a problem with DNS or the computer account/secure channel. If there is a
problem with that, then you might need to log on to the computer as a local
administrator, unjoin the computer from the domain to a workgroup, reboot,
log on and join the domain again, and reboot again. Node type refers to how
the computer does NetBIOS name resolution and should not have a bearing on
your problem. Hybrid indicates that the computer is a WINS client that can
use broadcasts if WINS fails, while peer is an unusual configuration in a
Windows domain.

That works; actually the auto-forwarding worked once I removed ".", so I
don't need to manually set forwarding.

Glad it works, and in your case it is using "root hints" by directly
contacting the root DNS server on the internet to initiate DNS name
resolution if the host name cannot be found on your internal domain or in
the DNS cache for your DNS server or the client DNS resolver cache.

I only use DHCP for remote (VPN) clients. The in-house machines all
have static IP addresses.



Yes, I already knew that.



I ran DcDiag, and it tells me that the guid DNS name could not be
resolved, but the server name could be, and that I should "Check that
the IP address (192.168.1.1) is registered correctly with the DNS
server." How do I do that? As far as I can tell, it's all set up in
the DNS manager, but I'm obviously missing something...

Thanks again!

Run ipconfig /all to find the domain controller's static IP address and make
sure that IP address shows as the only preferred DNS server. If not, use
networking properties, select your network adapter, select TCP/IP
properties/advanced/DNS - DNS server addresses to configure it correctly. An
address of 192.168.1.1 is typically the default gateway. If you make any
changes, reboot the domain controller and run netdiag and dcdiag again to see
what is reported. --- Steve
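The two checks Steve asks for in this thread, his first reply (every DNS server a domain computer uses must be a domain controller, never an ISP or firewall resolver) and this last one (the DC's own address must be registered correctly in DNS), as an added read-only example that is not part of the original posts. It assumes a current Windows client or server with the DnsClient and NetTCPIP modules; $Domain defaults to the computer's own domain, and the hostnames it resolves are whatever DNS returns.

```powershell
# Added example, not from the thread: read-only checks for the two DNS rules
# discussed above. Assumes Windows 8 / Server 2012 or later (DnsClient, NetTCPIP).
param(
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain,  # e.g. 'corp.example' (placeholder)
    [switch]$IsDomainController   # set this when running on the DC itself
)

# Domain controllers register an _ldap._tcp.dc._msdcs SRV record; if this lookup
# fails, the client is not talking to a DNS server that hosts the AD zone at all.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }
$dcHosts = $srv.NameTarget | Sort-Object -Unique
$dcAddrs = foreach ($h in $dcHosts) {
    (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue).IPAddress
}
Write-Host "Domain controllers from DNS: $($dcHosts -join ', ') -> $($dcAddrs -join ', ')"

# Check 1: every IPv4 DNS server on every adapter must be one of those DCs.
# A firewall or ISP resolver listed here is exactly the misconfiguration in the thread.
foreach ($cfg in Get-DnsClientServerAddress -AddressFamily IPv4) {
    foreach ($s in $cfg.ServerAddresses) {
        $tag = if ($dcAddrs -contains $s) { 'OK ' } else { 'BAD' }
        Write-Host "[$tag] $($cfg.InterfaceAlias): DNS server $s"
    }
}

# Check 2 (DC only): the DC's own A record must match its static adapter address,
# which is what DcDiag's "is registered correctly with the DNS server" hint means.
if ($IsDomainController) {
    $fqdn    = "$env:COMPUTERNAME.$Domain"
    $localIP = (Get-NetIPAddress -AddressFamily IPv4 |
                Where-Object { $_.PrefixOrigin -eq 'Manual' }).IPAddress   # static addresses only
    $dnsIP   = (Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue).IPAddress
    if ($localIP -and $dnsIP -and -not (Compare-Object $localIP $dnsIP)) {
        Write-Host "[OK ] $fqdn is registered as $($dnsIP -join ', ')"
    } else {
        Write-Host "[BAD] $fqdn static IP $($localIP -join ', ') but DNS has $($dnsIP -join ', ')"
        Write-Host '      fix the preferred DNS server first, then run ipconfig /registerdns and reboot'
    }
}
```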