Workstation can't find AD?

Bob Perez

Small 2003 server AD network with a few workstations, all configured with XP
Pro SP2, and all fully patched throughout the system. One workstation (call
it the primary computer) is having some problems, one of which is that it
cannot print. Attempts to find and install a default directory fail
routinely. I open the Find dialog, select Directory in the dropdown and hit
Find Now, and the hourglass comes up and it appears to hang there, nothing
ever happens.

This delay in the Add Printer search occurred on another workstation as well
(call it the alternate computer), but on this machine I was able to specify
the name of the printer on the network using a Servername\\Printername
reference. On another occasion I let this alternate computer run the Find
Now dialog for a bit and eventually it actually produced the search result
with the correct printer showing, and I was able to install it as the
default printer for the computer and verify that it prints. Upon searching
the event viewer on both this alternate and the primary computer, I noticed
several errors and warnings, several of which referenced an inability to
contact a domain controller. For example, Auto-Enrollment errors
indicating that the machine was unable to register a certificate because it
could not communicate with the Active Domain controller. Also, many W32Time
errors and warnings on both computers indicating no active domain controller
available for a time reference.

Ok, so it sounds like a network connectivity issue, yes? But no, Exchange
2003 is installed on the domain controller (like I said, it's a very small
network) and all the workstations are able to get their mail and visit the
Internet just fine, there is no hardware connectivity issue with any of the
machines on the network. And all other machines have been configured to
print to this printer, even though they were not easily able to search the
Directory for it.

It seems like there's some kind of issue with my Active Directory not being
properly configured for access by all workstations. The only thing that's
recently changed in my system is that I changed routers and the new one I
purchased used a different Class C set up from my previous router (the old
was configured as 192.168.1.1, the new one was 192.168.0.1) so I had to
change some IP references on the domain controller so that it was now
192.168.0.5 instead of its previous 192.168.1.5, if that makes sense. DNS
appears to be set up correctly and the domain controller references itself
and all machines on the net reference the domain controller.

Still, I'm concerned that my AD installation isn't properly configured as I
keep getting these errors and the primary computer is completely unable to
see the Directory and install the printer. Also, I've noticed that the
primary computer takes a long time (20-30 seconds or so) from the time I
enter the domain login password, to the time the login dialog disappears and
the desktop starts appearing. In the past, and on the other machines in the
domain, login to desktop has been virtually instantaneous.

Are all these symptoms that I may have a corrupt AD installation, or
something wrong on my primary computer? Any ideas?

Thanks in advance,

Bob
 
Laura A. Robinson [MVP]

circa Mon, 13 Sep 2004 16:45:10 -0700, in
microsoft.public.win2000.active_directory, Bob Perez
([email protected]) said,
> Small 2003 server AD network with a few workstations, all configured with XP
> Pro SP2, and all fully patched throughout the system. One workstation (call
> it the primary computer) is having some problems, one of which is that it
> cannot print. Attempts to find and install a default directory fail
> routinely. I open the Find dialog, select Directory in the dropdown and hit
> Find Now, and the hourglass comes up and it appears to hang there, nothing
> ever happens.
>
> This delay in the Add Printer search occurred on another workstation as well
> (call it the alternate computer), but on this machine I was able to specify
> the name of the printer on the network using a Servername\\Printername
> reference. On another occasion I let this alternate computer run the Find
> Now dialog for a bit and eventually it actually produced the search result
> with the correct printer showing, and I was able to install it as the
> default printer for the computer and verify that it prints. Upon searching
> the event viewer on both this alternate and the primary computer, I noticed
> several errors and warnings, several of which referenced an inability to
> contact a domain controller. For example, Auto-Enrollment errors
> indicating that the machine was unable to register a certificate because it
> could not communicate with the Active Domain controller. Also, many W32Time
> errors and warnings on both computers indicating no active domain controller
> available for a time reference.
>
> Ok, so it sounds like a network connectivity issue, yes? But no, Exchange
> 2003 is installed on the domain controller (like I said, it's a very small
> network) and all the workstations are able to get their mail and visit the
> Internet just fine, there is no hardware connectivity issue with any of the
> machines on the network. And all other machines have been configured to
> print to this printer, even though they were not easily able to search the
> Directory for it.
>
> It seems like there's some kind of issue with my Active Directory not being
> properly configured for access by all workstations. The only thing that's
> recently changed in my system is that I changed routers and the new one I
> purchased used a different Class C set up from my previous router (the old
> was configured as 192.168.1.1, the new one was 192.168.0.1) so I had to
> change some IP references on the domain controller so that it was now
> 192.168.0.5 instead of its previous 192.168.1.5, if that makes sense. DNS
> appears to be set up correctly and the domain controller references itself
> and all machines on the net reference the domain controller.
>
> Still, I'm concerned that my AD installation isn't properly configured as I
> keep getting these errors and the primary computer is completely unable to
> see the Directory and install the printer. Also, I've noticed that the
> primary computer takes a long time (20-30 seconds or so) from the time I
> enter the domain login password, to the time the login dialog disappears and
> the desktop starts appearing. In the past, and on the other machines in the
> domain, login to desktop has been virtually instantaneous.
>
> Are all these symptoms that I may have a corrupt AD installation, or
> something wrong on my primary computer? Any ideas?
>
> Thanks in advance,
>
> Bob

This sounds like a problem with the firewall in XP; I’m betting ICMP
traffic is blocked, which would cause the problems you mention. Is
the XP firewall enabled? If so, what happens if you disable it?

Laura
 
Bob Perez

> This sounds like a problem with the firewall in XP; I’m betting ICMP
> traffic is blocked, which would cause the problems you mention. Is
> the XP firewall enabled? If so, what happens if you disable it?

Hi Laura, thanks for the response. Interesting, I had never set it on in the
first place, but it is indeed on, probably by default as a result of
installing SP2. I'm not sure how to tell if ICMP traffic is blocked, but I
notice under the Firewall's Advanced tab there is an ICMP button, which when
opened displays a series of checkboxes, all of which are UN-checked. What
would you suggest I do with these?

I have a Netgear ProSafe firewall/router. Should I have both of these on
simultaneously or should I follow my instincts and leave the ProSafe on and
disable the XP firewall? What do you recommend?

Thanks again, I would never have thought to check that!

Bob
 
Laura A. Robinson [MVP]

circa Mon, 13 Sep 2004 20:08:25 -0700, in
microsoft.public.win2000.active_directory, Bob Perez
([email protected]) said,
> Hi Laura, thanks for the response. Interesting, I had never set it on in the
> first place, but it is indeed on, probably by default as a result of
> installing SP2.

Yes, that is the case.

> I'm not sure how to tell if ICMP traffic is blocked, but I
> notice under the Firewall's Advanced tab there is an ICMP button, which when
> opened displays a series of checkboxes, all of which are UN-checked.

If the firewall is enabled and these are all deselected, then the
machine is indeed not allowing ICMP traffic.

> What
> would you suggest I do with these?

Well, that will depend on the below...

> I have a Netgear ProSafe firewall/router. Should I have both of these on
> simultaneously or should I follow my instincts and leave the ProSafe on and
> disable the XP firewall? What do you recommend?
>
> Thanks again, I would never have thought to check that!

Given that you have the hardware firewall, you could disable the XP
one, at least unless and until you come up with a plan for what to
allow/disallow in it. If, on the other hand, you just want to let
this machine "talk" to AD while leaving the XP firewall in place, you
could allow port 445 traffic (Exceptions tab, File and Printer
Sharing list item, Edit button) as the bare minimum (it'll
automatically allow ICMP as a result of your selecting this).
However, if you're going to use the XP firewall, you're really more
likely to want to set up a specific set of allowed
ports/applications.

So, I guess my advice is to do whatever you think works best for your
environment. ;-)

Laura
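
The check and the minimal exception discussed in this thread can also be done from a command prompt on the XP SP2 workstation. This is an added example, not something posted by either participant; it assumes a local administrator session and the default firewall log location, and it limits the exception to the local subnet rather than all addresses.

```bat
@echo off
rem Added example: inspect and adjust the XP SP2 Windows Firewall with netsh.
rem Assumes a local administrator command prompt on the affected workstation.

rem 1. Is the firewall on, and which inbound ICMP types are currently allowed?
netsh firewall show opmode
netsh firewall show icmpsetting

rem 2. Log dropped packets so blocked traffic from the domain controller is
rem    visible instead of guessed at. Default log file: %windir%\pfirewall.log
netsh firewall set logging droppedpackets=enable

rem 3. Enable the "File and Printer Sharing" exception (the Exceptions tab item
rem    mentioned in the reply above), restricted to the local subnet so the
rem    ports are not opened to every network the machine connects to.
netsh firewall set service type=fileandprint mode=enable scope=subnet

rem 4. Confirm the resulting state: the service exception and the ICMP setting
rem    that the reply says is allowed as a side effect.
netsh firewall show service
netsh firewall show icmpsetting

rem 5. After reproducing the slow logon or the directory search, list any
rem    ICMP packets the firewall still dropped.
findstr /c:"DROP ICMP" "%windir%\pfirewall.log"
```

If step 5 still shows drops from the domain controller's address after the exception is enabled, the firewall rule is not the whole story and the DNS settings changed during the router swap are the next thing to re-check.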
 
