Domain workstation cannot see the domain for adding user permissions


Guest

Everything (just about) works fine. This machine is a member of our only
domain and can access the domain shares. The full domain can be browsed in
"My Network Places".

The problem is that this is the only machine on the network that cannot see
the domain when you try to share a folder and go to:
Share Permissions > Add > Locations
Here, other machines see the local machine (and all created accounts on it)
plus the domain server (and all accounts on that). But, this one only sees
the local machine and NOT the domain.

Ultimately I would like to share files with a few, specific domain users,
which is why I need this.

If it helps, I think I broke this functionality myself because a few days
ago I was trying to remove domain users from being able to log on locally to
this workstation. Which reminds me... How would I do that? I want only a
few, specific domain users to be able to log on to the domain on this
specific machine. Is that possible? If so, how would I set that up?

Thanks!
 

Steven L Umbach

It sounds like that computer has a DNS name resolution problem, connectivity
problem to a domain controller, or a problem with its security account.
Verify that it is using only domain controllers as its preferred and
alternate DNS servers in tcp/ip properties and as shown with ipconfig /all.
Check the logs with Event Viewer to see if any problems are found and run
the support tool netdiag on it to see if it reports any relevant problems.
To control what users can logon to a domain computer manage the user right
for logon locally to only include the authorized users/groups which can be
done in Local Security Policy under local policies-user rights. Be very
careful with the user right for deny logon locally as it overrides the logon
locally user right, and note that administrators are members of the users and
everyone groups. --- Steve
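To review the "logon locally" rights Steve refers to before changing them, here is an added PowerShell audit script (not part of the thread). It assumes an elevated prompt and uses secedit to export the local user-rights policy, then resolves each SID it finds to an account name.

```powershell
# Added example (not from the thread): list who currently holds "Allow log on locally"
# and "Deny log on locally" on this workstation so the rights can be reviewed before
# they are edited. Runs secedit to export the local policy; needs an elevated prompt.

$inf = Join-Path $env:TEMP 'user-rights-export.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
if (-not (Test-Path $inf)) { throw "secedit export failed; run from an elevated prompt." }

# Map the privilege constants to their display names in Local Security Policy
$rights = @{
    SeInteractiveLogonRight     = 'Allow log on locally'
    SeDenyInteractiveLogonRight = 'Deny log on locally'
}

function Convert-SidToName([string] $token) {
    # Entries in the .inf are '*S-1-5-...' for SIDs or a plain account name
    if ($token -notlike '*S-1-*') { return $token }
    try {
        $sid = [System.Security.Principal.SecurityIdentifier] $token.TrimStart('*')
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $token }   # unresolvable SID (deleted or foreign account)
}

# secedit writes the export as UTF-16
$lines = Get-Content $inf -Encoding Unicode
foreach ($priv in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$priv\s*=" } | Select-Object -First 1
    $holders = if ($line) {
        ($line -split '=', 2)[1].Split(',') | ForEach-Object { Convert-SidToName $_.Trim() }
    } else { @() }
    "`n$($rights[$priv]) ($priv):"
    if ($holders) { $holders | ForEach-Object { "  $_" } } else { '  (nobody)' }
}

# As the reply above warns: Deny overrides Allow, and domain users are members of
# Users and Everyone, so a deny entry for a broad group locks out administrators too.
Remove-Item $inf -ErrorAction SilentlyContinue
```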
 

Guest

Hi,
You are correct, both netdiag and Event Viewer show problems finding the
domain controller, finding a primary authoritative DNS server, etc. Given
this (and that I am new to a DC'd Windows network), let me explain where I
assume the problem is.
The network has a dsl router which only some machines are allowed to use for
internet access. The machines that do not use the internet access, have
their DNS settings to obtain dns automatically (and these can browse all
domain entities fine). The machines that have internet access have their dns
server address set to the ones supplied by the ISP. These machines, with the
manually set dns addresses cannot browse the local domain machines and users.
And thus the question: How can I set the dns settings so that the machines
with internet access have not only internet access but also the ability to
browse the domain users? (Remember, the machines can connect to the domain
controller to run programs and share files as they are right now. Also, all
the machines can browse all the other machines via "Network Neighborhood".
It's just that all the security features where domain users and computers
SHOULD be listed, only include the local machine entities and the domain
users and machines are NOT shown)
Thanks again for the help.
 

Steven L Umbach

For an Active Directory domain to work correctly all domain computers must
use only domain controllers as their preferred DNS servers because in an AD
domain DNS is used to locate services and domain controllers - not just
resolve host names. What I would do is to disable DHCP on the internet
router if it is enabled and configure those computers that need internet
access to also obtain their DNS server automatically as the rest of the
computers in the domain. Then you need to configure your domain controllers
which are also the DNS server to forward to the ISP DNS server so that
internet name resolution requests can be done by them. I don't know how
access is being controlled to the internet but that usually is done by
filtering IP address at the firewall/internet router or making sure that
only computers that need to access the internet are configured to use the
default gateway. The domain controllers will also need to be configured to
use the default gateway. The links below explain more on how DNS needs to be
configured in an Active Directory domain. After reconfiguring those domain
computers to use a domain controller you may need to reboot them and then
run netdiag on them again to see if the problem has been resolved or not. Be
advised to NOT browse the internet or access email from domain
controllers. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;291382
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202 --- see the
sections starting at "To Remove the Root DNS Zone", which you may need to do if
you cannot configure a forwarder.
 

Guest

Steve,
Thanks for the help, everything is working now! I used your information
and the stuff included in the links you provided and came up with a more
simple idea that also seems to work. My ISP had provided two DNS server
addresses, so I placed only one of them and set the other DNS server to
the IP of the DC. That was it. Now I have internet access via the DSL
router and full domain access on the LAN as well.
Again, thank you for everything.
 

Steven L Umbach

Well I am glad that it is working but I strongly advise to not use that
approach but to instead use ONLY your domain controllers and configure them
to resolve internet names for domain clients by either forwarding to your
ISP DNS servers or using root hints. The way the DNS client works is that
once it finds a DNS server it uses that one for the DNS name request and
does not go to the other one if the DNS server returns a "not found"
message. Problems will arise when your domain computers use the ISP DNS
server to try and resolve your domain names and find domain services since
they will not be on the ISP DNS server. The computer will always attempt to
use the primary DNS server first but there will be times where the primary
DNS server will not answer requests in a timely fashion and then the
operating system will try the alternate DNS servers even when the primary
DNS server is functional but has a temporary lag in performance. It may seem
to work well now but including ISP DNS servers in the list of DNS servers
for domain computers will lead to inconsistent results. --- Steve
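The check Steve recommends in both of his DNS replies (only domain controllers as preferred and alternate servers, with internet names resolved via forwarders on the DC) can be automated on a modern domain-joined client. This is an added PowerShell example, not from the thread; it assumes Windows 8 / Server 2012 or later with the DnsClient module, and it asks every configured DNS server for the domain's `_ldap._tcp.dc._msdcs` SRV record, which an ISP resolver cannot answer.

```powershell
# Added example (not from the thread): audit a domain-joined Windows client's DNS
# servers. Each configured server is asked for the _ldap._tcp.dc._msdcs SRV record
# of the machine's own domain; a server that cannot answer it (typically an ISP
# resolver) will break domain location exactly as described in the replies above.
# Assumes Windows PowerShell 5.1+ with the DnsClient module.

$domain = $env:USERDNSDOMAIN
if (-not $domain) { throw "This machine does not appear to be domain-joined." }
$srvName = "_ldap._tcp.dc._msdcs.$domain"

# Every IPv4 DNS server on every adapter, preferred server first per adapter
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        foreach ($ip in $_.ServerAddresses) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias; Server = $ip }
        }
    }

$report = foreach ($entry in $servers) {
    $dcs = $null
    try {
        # -DnsOnly skips LLMNR/NetBIOS and -NoHostsFile keeps the test honest
        $dcs = Resolve-DnsName -Name $srvName -Type SRV -Server $entry.Server `
               -DnsOnly -NoHostsFile -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch { }   # NXDOMAIN, SERVFAIL or timeout: this server cannot locate a DC
    [pscustomobject]@{
        Interface         = $entry.Interface
        DnsServer         = $entry.Server
        AnswersDomainSrv  = [bool]$dcs
        DomainControllers = ($dcs | ForEach-Object { $_.NameTarget }) -join ', '
    }
}

$report | Format-Table -AutoSize
$bad = @($report | Where-Object { -not $_.AnswersDomainSrv })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} configured DNS server(s) cannot locate a domain controller for {1}; " +
                   "point the client only at domain controllers and add the ISP servers " +
                   "as forwarders on the DC's DNS service instead." -f $bad.Count, $domain)
}
```

A server that shows `AnswersDomainSrv = False` is the one the client will fall back to whenever the DC is slow to answer, which is the inconsistent behaviour described in the reply above.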
 
