Client needs to key in credentials to access shared folder

Guest

Hi Guys,

Recently I upgraded my existing NT4 domain to Win2k Active Directory using an in-place upgrade, then joined the upgraded Win2k domain to an existing forest (Win2k).

Everything was OK, except that when my client (XP) needs to access a shared folder on another client (XP) in a different domain but in the same forest, the user needs to input credentials (username & password) before he can view the shared folders. Both domains already have a transitive trust between them. "net view" using the IP address works with no problem. "net view" using the PC name gives "access denied".

Any ideas, guys? Thanks in advance

Jeremy
 
Herb Martin

Users need to logon to a DOMAIN account instead of
their older "machine local accounts."

--
Herb Martin


 
Guest

Hi Herb Martin,

All my users log on to domain accounts instead of their PC local accounts. My Win98 users do not have this problem. Only XP & Win2k have this issue.
 
Herb Martin

jeremy202 said:
> Hi Herb Martin,
>
> All my users log on to domain accounts instead of their PC local accounts. My
> Win98 users do not have this problem. Only XP & Win2k have this issue.

Ok, then your "server" needs to be in the domain.

If both of those are true and you are still getting authentication
challenges you have a DNS problem.

For AD, DNS Server must be internal, DYNAMIC for the zone
supporting AD.

ALL clients must specify SOLELY this internal, dynamic DNS
server (group) in their NIC properties.

Servers, DNS and DCs too, are also DNS clients so they must
do this also.

If you change anything related to the DC(s) you must restart the
NetLogon process on that/those DCs.
 
Guest

All my clients and servers already specify their own internal DNS server. We have checked through all our DNS settings and the client can resolve the other domain client's IP address.

Currently the two domains (A & B) are in different locations, separated by 2 firewalls on each side. We have confirmed that all appropriate ports have been opened up.

Previously domain A was on NT4, and we upgraded it to Win2k Advanced Server & joined it to an existing forest which has only domain B (Win2k Server). So domain B is the root domain of the forest. As both domains are in the same forest, a transitive trust was created between the two domains automatically when domain A joined the domain B forest.

Currently we still have no clue whether this is caused by DNS or the client itself. We are still troubleshooting the problem.
 
Herb Martin

jeremy202 said:
> All my clients and servers already specify their own internal DNS
> server. We have checked through all our DNS settings and the client can resolve
> the other domain client's IP address.
> Currently the two domains (A & B) are in different locations, separated by 2
> firewalls on each side.

How are they "connected" or mapped to each other?

> We have confirmed that all appropriate ports have been opened up.

Saying "all appropriate" does NOT let us help you.

Depending on how they are connected you will need UDP Port 53
AND TCP Port 53 from all possible requesters to and from all
possible responders.

> Previously domain A was on NT4, and we upgraded it to Win2k Advanced Server &
> joined it to an existing forest which has only domain B (Win2k Server). So domain
> B is the root domain of the forest. As both domains are in the same
> forest, a transitive trust was created between the two domains
> automatically when domain A joined the domain B forest.

Yes.

> Currently we still have no clue whether this is caused by DNS or the client
> itself. We are still troubleshooting the problem.

You don't seem to mention a problem.

One would expect that IF you need to communicate between
these two that each DNS server on A is also holding a "secondary"
for B; and vice versa.

If you do this, then the network addresses returned must also be
routable.

If the trusts are going to work then after the DNS is correct you
must open the ports between DCs and their clients.

If you want "other services" to work after the trust, then you have
to open for those services too.
 
Guest

Q: How are they "connected" or mapped to each other?
Ans: They are connected through a WAN link.

We have even tried opening all services between the two domains to check whether it is the firewall that is blocking the ports, but the problem still persists.

The ports between client and DC have already been opened up.

The actual problem we have is that when a client in domain A connects to a client in domain B, it prompts the user (domain A) to input credentials before client A can view the shared folder. The shared folder on client B is shared to everyone. Then we tried "net view" at the command line: "net view client ip address" can view the share, but "net view client hostname" gives "access denied".
 
Herb Martin

jeremy202 said:
> Q: How are they "connected" or mapped to each other?
> Ans: They are connected through a WAN link.
>
> We have even tried opening all services between the two domains to check whether it is
> the firewall that is blocking the ports, but the problem still persists.

"WAN link" isn't very specific but since you "opened all
ports" that should cover it.

One presumes you can "ping" etc. between them?

> The ports between client and DC have already been opened up.
>
> The actual problem we have is that when a client in domain A connects to a client in
> domain B, it prompts the user (domain A) to input credentials before client A
> can view the shared folder. The shared folder on client B is shared to
> everyone. Then we tried "net view" at the command line: "net view
> client ip address" can view the share, but "net view client hostname"
> gives "access denied".

You ignored all my questions about DNS....?

How can you go to a client A machine and trace the DNS
resolution so that it can resolve both its own servers and
the B servers?

How can servers (especially DCs) in both A and B resolve
each other?

Confirm that all machines are MEMBERS of their domain as
are all USERS?

--
Herb Martin


 
Guest

> One presumes you can "ping" etc. between them?

Ans: We can ping each other.

> You ignored all my questions about DNS....?

Ans: Each DC has a secondary zone of the other.

> How can you go to a client A machine and trace the DNS
> resolution so that it can resolve both its own servers and the B servers?

Ans: We use "nslookup" to test the DNS resolution.

> How can servers (especially DCs) in both A and B resolve
> each other?

Ans: They resolve by using their secondary DNS.

> Confirm that all machines are MEMBERS of their domain as
> are all USERS?

All my users are members of their own domain.
 
Herb Martin

jeremy202 said:
>> One presumes you can "ping" etc. between them?
> Ans: We can ping each other.
>
>> You ignored all my questions about DNS....?
> Ans: Each DC has a secondary zone of the other.

Ok, so are the Primaries "dynamic" and are the "_underscore"
subdomains (_msdcs, _sites) being created and replicated to
the secondaries?

Are the DNS clients (including the DCs/DNS servers) set
SOLELY to their own DNS (no "ISP" in there) on the NIC
IP properties for DNS server?

>> How can you go to a client A machine and trace the DNS
>> resolution so that it can resolve both its own servers and the B servers?
> Ans: We use "nslookup" to test the DNS resolution.

Does it work from both "clients" to the other Server AND DCs and
also from DCs to DC cross domain?

>> How can servers (especially DCs) in both A and B resolve
>> each other?
> Ans: They resolve by using their secondary DNS.

So testing this with "NSlookup" (or another tool) succeeds in
both directions from the DCs and also from the Clients to the
DCs and servers?

>> Confirm that all machines are MEMBERS of their domain as
>> are all USERS?
> All my users are members of their own domain.

How about the MACHINES?

What are your domain names? Do they have AT LEAST "two tags",
e.g., domain.com, child.domain.com, but NOT "domain".
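
The DNS checks asked for in the replies above, as an added example that is not part of any post in the thread: it looks up the DC locator SRV records under `_msdcs` for both domains, resolves each target, and probes the TCP port the record itself advertises. The domain names are placeholders, the function name is hypothetical, and `Resolve-DnsName` / `Test-NetConnection` assume a current Windows host rather than the Win2k/XP machines in the thread, where `nslookup` is the tool the posters used.

```powershell
# Added example. Domain names are placeholders, not values from the thread.
$Domains = 'a.example.com', 'b.example.com'

function Test-DcLocatorDns {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$DnsServer   # optional: ask one specific server, e.g. a secondary
    )
    $dns = @{ DnsOnly = $true }
    if ($DnsServer) { $dns.Server = $DnsServer }

    foreach ($d in $Domain) {
        # DC locator SRV records, including the "_msdcs" subdomain
        $names = "_ldap._tcp.dc._msdcs.$d", "_kerberos._tcp.dc._msdcs.$d",
                 "_ldap._tcp.$d", "_kerberos._tcp.$d"
        foreach ($n in $names) {
            try {
                $srv = @(Resolve-DnsName @dns -Name $n -Type SRV -ErrorAction Stop |
                         Where-Object { $_.Type -eq 'SRV' })
            } catch {
                $srv = @()   # NXDOMAIN, timeout, or refused query
            }
            if (-not $srv) {
                [pscustomobject]@{ Record = $n; Target = $null; Address = $null
                                   Port = $null; Status = 'SRV missing or lookup failed' }
                continue
            }
            foreach ($r in $srv) {
                # The SRV target must resolve to an address that is routable from here
                $addr = Resolve-DnsName @dns -Name $r.NameTarget -Type A -ErrorAction SilentlyContinue |
                        Where-Object { $_.Type -eq 'A' } |
                        Select-Object -First 1 -ExpandProperty IPAddress
                $status = 'target has no A record'
                if ($addr) {
                    # Probe the TCP port that the SRV record advertises
                    $ok = Test-NetConnection -ComputerName $addr -Port $r.Port -InformationLevel Quiet -WarningAction SilentlyContinue
                    $status = 'port blocked or host down'
                    if ($ok) { $status = 'ok' }
                }
                [pscustomobject]@{ Record = $n; Target = $r.NameTarget; Address = $addr
                                   Port = $r.Port; Status = $status }
            }
        }
    }
}

Test-DcLocatorDns -Domain $Domains | Format-Table -AutoSize
```

Run it from a client and from a DC in each domain so both directions are covered, and repeat with `-DnsServer` set to each secondary to confirm the records were replicated there.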
 
