Cannot join domain or change passwords through firewall

Hi All,

Bit of a weird problem. We have some NT clients on the outside of our pix
firewall. They can log onto the domain, pick up e-mail (exchange) and map
network drives, but the users cannot change their passwords or join a pc to
the domain.

Also can't use user manager, server manager etc. They get error messages
like "domain xxxxx is not available" etc.

When we try to join a machine to the domain, we get prompted for
credentials etc, but after that it fails.

Any other ports that may have been missed? We've opened 137, 138, 139.

HELP!
Cires

Can we assume they also some form of name resolution
e.g., WINS or lmhosts? If not the clients may not be able
to find the PDC and setup a secure channel. In NT 4.0
the PDC holds the only modifiable copy of the SAM therefore
it must be contacted when making any domain wide changes.
Immediately after a failed password change attempt open a
dos prompt and run nbtstat -c. What do you see? You should
at least see computer names 00, 20., 03, domain names 1b
and 1c also pointing towards the PDC of the domain.

"Cires" <(E-Mail Removed)> wrote in message news:
> Bit of a weird problem. We have some NT clients on the outside of our pix
> firewall. They can log onto the domain, pick up e-mail (exchange) and map
> network drives, but the users cannot change their passwords or join a pc
> to
> the domain.
>
> Also can't use user manager, server manager etc. They get error messages
> like "domain xxxxx is not available" etc.
>
> When we try to join a machine to the domain, we get prompted for
> credentials etc, but after that it fails.
>
> Any other ports that may have been missed? We've opened 137, 138, 139.
>

Hi there,

We were using WINS and when that didn't work we tried hosts/lmhosts files.
Still no joy.
I'll try the nbtstat -c tomorrow, thanks.

Cires


"Michael Giorgio - MS MVP" <(E-Mail Removed)> wrote
in news:(E-Mail Removed):

> Can we assume they also some form of name resolution
> e.g., WINS or lmhosts? If not the clients may not be able
> to find the PDC and setup a secure channel. In NT 4.0
> the PDC holds the only modifiable copy of the SAM therefore
> it must be contacted when making any domain wide changes.
> Immediately after a failed password change attempt open a
> dos prompt and run nbtstat -c. What do you see? You should
> at least see computer names 00, 20., 03, domain names 1b
> and 1c also pointing towards the PDC of the domain.

Cires <(E-Mail Removed)> wrote in
news:Xns96A6D1087F157stan110nospamhotmail@216.196. 109.145:

Hello People,

If I run nbtstat -c from a pc on site I get (00) (1c) and (20)
If I search for the PDC server I can see it OK, and can open the netlogon
share. I can do a "Net Use" and map a drive.
However, from My Network places I can only see the other PCs on the same
site.

Any thoughts?

Cires




> Hi All,
>
> Bit of a weird problem. We have some NT clients on the outside of our
> pix firewall. They can log onto the domain, pick up e-mail (exchange)
> and map network drives, but the users cannot change their passwords or
> join a pc to the domain.
>
> Also can't use user manager, server manager etc. They get error
> messages like "domain xxxxx is not available" etc.
>
> When we try to join a machine to the domain, we get prompted for
> credentials etc, but after that it fails.
>
> Any other ports that may have been missed? We've opened 137, 138, 139.
>
> HELP!
> Cires
>