Can XP PRO join 2K domain w/o installing AD?

[Myweb]

Hello alfredo,

If you don't make your server a domain controller, you have no domain to
join. Check that the server and workstation are in the same named Workgroup.
What did you mean with internet domain? Explain your network configuration
a bit more, how are they connected?

Best regards

Myweb
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.

 

[Dave Patrick]

Yes. Try turning off the XP firewall and bind NetBIOS over tcp/ip to the
connection on Windows XP



--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

[Herb Martin]

I have a SOHO with only one Win2K internet server and one XP PRO
workstation, so it would be ridiculous to use AD.

When I try to join the Win 2k's internet domain, I get "The DNS SRV
record is not registered in DNS", which of course is true. I don't want
AD if I can help it.

There is not "domain" in Win2000+ without AD -- Active Directory DCs
create the domain, or rather the first one to do DCPromo creates the domain.

The XP PRO machine is then supposed to try to log in using the WINS
protocol but there's no sign of it trying.

WINS is merely a name resolution server for resolving NetBIOS names
to IP addresses. It is NOT an authentication protocol, or even technically
a profile at all.

NetBIOS is not an authentication profile either, but a naming standard and
a programmers' API for obtaining (mostly legacy) network services.

- Nothing related in Event Viewer except computer browser can't download
list from PDC (naturally since it's not logged in)

There are no PDC or BDCs in Win2000+. There is a PDC Emulator but this
only occurs after the DCPromo creation of the AD Domain.

I would like my XP computer to join this domain without installing AD on
the 2k server. How can I make that happen?

Did you do DCPromo and create a domain or not?


You have not "Win2000+ Domain" until you use DCPromo to create an Active
Directory Domain.

 

[Herb Martin]

Thank you, the server is indeed a PDC and has been for years. This is
not a workgroup I'm trying to join, it is a domain.

Then you have already installed Active Directory and you question
makes no sense "Can XP PRO join 2K domain w/o installing AD?" or "I have a
SOHO
with only one Win2K internet server and one XP PRO workstation, so it
would be ridiculous to use AD."

If you have a Win2000+ DC (there are no PDC/BDCs in Win2000) then
you have an Active Directory Domain.

In that case you create an account for the Computer on the DC (AD Users
and Computers) and you create an account for the user.

You set the workstation DNS Server to strictly the internal DNS (likely
needing to run on the DC) and that ia pretty much it.

You do have DNS running on the DC, don't you? AD has a requirement
to use a "Dynamic DNS" zone with the same name as the domain.

And hopefully you have named the AD Domain (and DNS zone) with at
least two LABELS, e.g., domain.com and not just "domain".

 

[Herb Martin]

Thank you Dave. The server has no software firewall.

The XP's Windows firewall was always turned off, on the XP I use Zone
Alarm which is turned off for the trusted zone, in which I placed the
server, and Netbios over TCPIP was always enabled.

So, for all intents and purposes there is no firewall between the XP and
2k machines.

Mainly I am thrilled you say I can do what I want, without AD, thanks
for that.

No, you cannot. You even claimed later that you have AD on the server.

There are no Win2000 DCs except with Active Directly domains.

Anything else I can answer? Would love to do this so I can go enjoy the
long holiday.

What are you REALLY trying to accomplish? Obviously it has little to do
with yoru subject line.

 

[Dave Patrick]

I haven't read this but this book may be for you.

http://www.oreilly.com/catalog/1928994547/#top

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

 

[Frankster]

Thank you, the server is indeed a PDC and has been for years. This is
not a workgroup I'm trying to join, it is a domain.

A Windows 2000 Domain is not possible without Active Directory. Therefore,
your assertion that you have a Windows Domain without Active Directory can't
be true. That leads me to believe you may not have a Windows Domain. Or you
do have Active Directory. Makes it kinda hard to suggest a fix for a
problem that can't (technically) exist.

Now, you call this an "Internet Domain". If so, that is entirely different
than a Windows Domain. I suspect (not sure!) that maybe all you want to do
is access the Internet via your workstation. And/or, share files between the
Workstation and the server. Is that true? If not, please elaborate on your
intended result.

-Frank

 

[Herb Martin]

I claimed nothing of the kind.

You said it was a (Win2000) DC -- that is precisely equivalent to saying it
has Active Directory on it.

I am REAAAALY trying to accomplish what it says in my subject line.

Then you don't understand Win2000, AD, or Domain Controllers - -this isn't
a criticism but you are asking to do something that is logically impossible.

 

[Herb Martin]

Thank you. That's very useful, at least I know now that what I hoped to
do may be futile, oh well.

If you have a DC then you already have a domain. If it runs Win2000+
Servers as DC then it is by definition and design an AD domain.

What you cannot do is have a (Win2000+) Domain without Active Directory
since these are the SAME THING.

I hoped to do it because I just think that AD is a gigantic PITA and
unnecessary overkill for my tiny one-machine internet server.

If you have a (P)DC running Win2000 you already have AD.

You obviously don't have enough experience with AD to make an informed
judgement about how big a PITA it is or is not. That is just a fact not a
criticism.

For only a few machines AD may not be necessary to satisfy some specific
set of goals but AD is not difficult if you have just a few basic key points
well understood. (Like most AD problems are really a DNS issue.)

No, have never done that, thought that my machine was a PDC.

Ok, well it either is a DC (with AD) or it is not.

IF you upgraded the NT domain PDC then it is a Win2000 DC with AD.

IF you instead did DCPromo (or anything equivalent from "Manage My
Server") then it became a DC and has AD.

Ugh. Sorry to hear about that, but thanks for telling me.

Have you ever managed an AD?

Have you ever done a DCPromo to create ANY DC?

 

[Herb Martin]

Okay, I see. I set this up under NT, when it was possible to set up
your server as a PDC, and migrated to 2K.

"Migrated" how? If you upgraded the PDC to Win2000 then that
automatically UPGRADED (not migrated) your NT domain to AD.

If you "Migrated" your domain users accounts and computers accounts to a new
Win2000 DC then that would have required a domain.

If you just installed a Server without making it a DC then there was no
"NT migration" of the user and computer accounts of the NT domain.

The reason I (used to?) think I have a windows domain is that, right
now, today, in the 2K server, when I click on Explorer > My network
places > Entire network > Microsoft Windows Network >
MyInternetDomain.COM > MyWin2kMachine is shown.

You can have DNS domains and zones completely distinct from AD domains.

Most of the world of the Internet running on Unix/Linux/Mac etc has DNS
without having AD which is (largely) a Microsoft only concept.

AD on the other hand REQUIRES DNS, and DYNAMIC DNS at that.

Sure. This machine serves as both an internet web server (I own my
internet domain name and run the server here at home, that's the 2K
machine) and have a personal machine (the XP machine) with which I would
like to join that domain as domain administrator, be able to share files
and printers, etc.

Well if you wish to "join a domain" that means DCPromo to DC and thus
creating an AD Domain.

If you just want the machine to use a particular DNS name (in no way will
this "join" anything) that is also possible but won't accomplish much.

So we are back to what PRECISELY do you wish to accomplish -- by
"joining" a Win2000 domain?

(Saying that you want to do what the subject line says is logically
impossible
and doesn't say what advantages you would hope to achieve even were it
possible -- what are you actual goals with this?)

What would work then that doesn't work for you now? What features or
functions are you hoping to see or use?

Don't try to describe (initially at least) how you think that might be
accomplished but rather focus on what services and features will be
available afterwards....

 

[Nepatsfan]

In

Thanks for any help, greatly appreciated!!

You might want to check your clock. You're posting from the
future.

Nepatsfan

 

[Peter Foldes]

Alfredo

Yes you are able to. You might need to disable the Firewall on the XP side and you will need to check the NetBios of your connection

 

[Herb Martin]

Alfredo

Yes you are able to. You might need to disable the Firewall on the XP side
and you will need to check the NetBios of your connection

Please explain how someone can join a "Win2000 Domain" without having
an Active Directory?

In Win2000+ Active Directory IS the DOMAIN.

Please see the subject line: "join 2K domain w/o installing AD"

 

[Kerry Brown]

(Like most AD problems are really a DNS issue.)

This should be written at the start of every troubleshooting guide for AD
ever written.

 

[Leythos]

I would like my XP computer to join this domain without installing AD on
the 2k server. How can I make that happen?

So, you want it to be just a file server?

You don't JOIN XP to a 2000 server without there being Active Directory,
but you can have the 2000 Server in Workgroup instead of AD and create a
user account that is the same as on the XP box and then setup/map shares
between them.

It appears you have AD (according to other users posts) already on the
server.

What exactly do you want to do and how do you have the 2000 server setup?

 

[Herb Martin]

This should be written at the start of every troubleshooting guide for AD
ever written.

I like that suggestion.

It should also be at the start of every subsection where other less
command issues are discussed, too. <grin>

Like:
GC missing
Time out of sync (more than 5 minutes by default)
Local Firewalls (built-in or third party like ZoneAlarm)
Intermediate Firewalls (routers/switches and other filtering)
Routing and network hardware in general, including explicitly
funcky swithes AND ESPECIALLY "bad drop cables".

Most importantly of course:

The vast majority of AD replication and authentication problems are DNS
based issues.

 

[Kerry Brown]

I like that suggestion.

It should also be at the start of every subsection where other less
command issues are discussed, too. <grin>

Like:
GC missing

DNS misconfigured, can't find GC.

Time out of sync (more than 5 minutes by default)

DNS misconfigured can't find PDC emulator

Local Firewalls (built-in or third party like ZoneAlarm)
Intermediate Firewalls (routers/switches and other filtering)

Blocking DNS

Routing and network hardware in general, including explicitly
funcky swithes AND ESPECIALLY "bad drop cables".

I guess this one really isn't DNS related

 

[Herb Martin]

DNS misconfigured, can't find GC.


DNS misconfigured can't find PDC emulator


Blocking DNS


I guess this one really isn't DNS related

Or try:

And so, since the hardware, IP, or IP routing isn't working you cannot
even get to the DNS server much less the DC.

 

[Herb Martin]

I see. I intimated it, but did not explicitly claim it. I used to
think they were independent things. I stand corrected.

It looks like I'm learning, with everyone's help, that my 2K machine is
not a *windows* DC at all, even though it is indeed a standard internet
server.

Actually you said it was a DC directly

"> Thank you, the server is indeed a PDC and has been for years.

And that is the same as saying it has AD.

I would like my XP workstation to be able to share files and map drives
to and from the NT2K server. I can probably do that with a workgroup.

Yes, you can do that with a WORKGROUP. Put them in the Same
"NetBIOS" name workgroup is easiest. There are ways without this but
this makes it simplest.

Technically you can also just authenticate EXPLICITLY to the Server
using commands like:

Net use * \\IP.Server.Add.ress\Share * /user:ServerName\Username

Even the NetBIOS or DNS name can be used if they can be fully resolved
but the IP is the one that pretty much always does if you can route on the
correct ports for sharing.

Second thing, a smaller deal, I would prefer the server to authorize my
login into the domain

There is no domain on Win2000 without Active Directory.

...so that my NTFS rights and permissions on both the
server and the client belong to the same security ID.

That is precisely why people create domains.

But with your lack of experience and knowledge of Windows and AD
I would STRONGLY recommend against making a public web server
a Domain Controller.

Web servers are hard enough to keep secure, DCs exposed to the
Internet are probably 2-10 times more difficult to protect over time.

I need the server to be (what used to be called) a PDC. I hear from you
guys that AD is
unconditionally required for this, which is too bad.

And what about AD is worse than an NT-SAM based domain?

I would agree in general that a domain may be unnecessary for a
couple of machines (except for your single logon/same SID requirement)
but AD is not more trouble than NT for these simple situations either.

 

[Gregg Hill]

First of all, as others have said, if you did an in-place upgrade of an NT4
PDC, I believe it forces the new 2000 server to be a domain controller,
which requires it to have Active Directory. Active Directory requires DNS to
operate.

In Administrative Tools, do you see Active Directory Users and Computers
listed?

In Administrative Tools, do you see Active Directory Sites and Services
listed?

In Administrative Tools, do you see DNS listed?

Post an unedited "ipconfig /all" output from the server.

Right click My Computer, click Properties > Computer Name, and see if says
"Workgroup" or "Domain" right under Full Computer Name.

What name is listed as Full Computer Name (unedited, please)?



Gregg Hill