#1
Hi,

I'm not sure if this is the right group to ask for help with my problem.

For 2 weeks, my intranet has been acting weird. First I thought it was something with DNS and DHCP.

After lots of clicks and guesses, that part is now OK (AFAIK).

All machines are getting dynamic IPs through my DLink DI-624 DHCP. It routes internet too.

Sometimes when I ping some machine, the IP isn't returned. So I can't reach those machines.

The biggest problem is with shared folders. Even when I can find a machine (my server, e.g.), and I try to enter \\server, Windows asks for my password! But I already entered that at Windows login. When I try again, it says that the password was already attempted but no domain responded. The same happens if I try any other password.

Apparently my AD lost something, its connection to my DNS?? Both are on the same Windows 2003, only my DHCP is on the DLink router.

What can I do??

Thanks

Feijó
#2
Disable DHCP on the Dlink.

Run DHCP on the DC. If you configure the DHCP Service *correctly* on the DC, the rest of your problems will "go away".

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------

"Feijó" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi,
>
> I'm not sure if this is the right group to ask for help with my problem.
>
> For 2 weeks, my intranet has been acting weird. First I thought it was
> something with DNS and DHCP.
>
> After lots of clicks and guesses, that part is now OK (AFAIK).
>
> All machines are getting dynamic IPs through my DLink DI-624 DHCP. It routes
> internet too.
>
> Sometimes when I ping some machine, the IP isn't returned. So I can't
> reach those machines.
>
> The biggest problem is with shared folders. Even when I can find a
> machine (my server, e.g.), and I try to enter \\server, Windows asks for
> my password! But I already entered that at Windows login. When I try again,
> it says that the password was already attempted but no domain responded. The
> same happens if I try any other password.
>
> Apparently my AD lost something, its connection to my DNS?? Both are on the
> same Windows 2003, only my DHCP is on the DLink router.
>
> What can I do??
>
> Thanks
>
> Feijó
#3
Phillip,

I was using DHCP from the DC. After those problems began, I tried with the router and with the DC. It didn't help.

Why can't I use it with the DLink? With the current configuration, I do not need my DC server to go online.

I found this page on microsoft.com:
http://support.microsoft.com/kb/263108

I'm trying to do that config in a virtual Win2000 machine right now.

Thanks for your prompt reply

Feijó

"Phillip Windell" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Disable DHCP on the Dlink.
>
> Run DHCP on the DC.
> If you configure the DHCP Service *correctly* on the DC, the rest of your
> problems will "go away".
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft, or anyone else associated with me, including my cats.
> -----------------------------------------------------
>
> "Feijó" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> Hi,
>>
>> I'm not sure if this is the right group to ask for help with my problem.
>>
>> For 2 weeks, my intranet has been acting weird. First I thought it was
>> something with DNS and DHCP.
>>
>> After lots of clicks and guesses, that part is now OK (AFAIK).
>>
>> All machines are getting dynamic IPs through my DLink DI-624 DHCP. It routes
>> internet too.
>>
>> Sometimes when I ping some machine, the IP isn't returned. So I can't
>> reach those machines.
>>
>> The biggest problem is with shared folders. Even when I can find a
>> machine (my server, e.g.), and I try to enter \\server, Windows asks for
>> my password! But I already entered that at Windows login. When I try again,
>> it says that the password was already attempted but no domain responded.
>> The same happens if I try any other password.
>>
>> Apparently my AD lost something, its connection to my DNS?? Both are on
>> the same Windows 2003, only my DHCP is on the DLink router.
>>
>> What can I do??
>>
>> Thanks
>>
>> Feijó
#4
"Feijó" <(E-Mail Removed)> wrote in message news:uUS$(E-Mail Removed)...
> I was using DHCP from the DC. After those problems began, I tried with the
> router and with the DC. It didn't help.

Then you just didn't do it correctly when you configured DHCP on the DC. Doing it on the "cheap" and "over-simplistic" DLink box is not the answer. The MS DHCP is 200% more capable than the DLink box ever has a prayer of doing, you just have to do it right.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
#5
To add to what Phillip said, there is no way to get this working properly with the DC offline. If you have a domain, all machines, including the DC itself, should be using the AD-linked DNS. Using an external DNS might get you Internet access, but access to AD resources will fail. Only your local DNS has these records.

All machines should use the D-Link as default gateway but use the DC for DNS and DHCP. The local DNS should be set to forward to an external DNS. (Forwarding to the D-Link should work, or you can use the DNS of your ISP). The DC needs to be up and running at all times.

"Phillip Windell" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
>
> "Feijó" <(E-Mail Removed)> wrote in message
> news:uUS$(E-Mail Removed)...
>
>> I was using DHCP from the DC. After those problems began, I tried with the
>> router and with the DC. It didn't help.
>
> Then you just didn't do it correctly when you configured DHCP on the DC.
> Doing it on the "cheap" and "over-simplistic" DLink box is not the
> answer. The MS DHCP is 200% more capable than the DLink box ever has a
> prayer of doing, you just have to do it right.
>
> --
> Phillip Windell
> www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft, or anyone else associated with me, including my cats.
> -----------------------------------------------------
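The layout described in the post above (router as default gateway, DC for both DNS and DHCP) can be checked on a client from its `ipconfig /all` output. The following is an added example, not part of the original thread: it audits one adapter block against that layout. The sample output, all IP addresses, and the function names are constructed for illustration, and the field names assume English-language Windows XP/2003 output.

```python
import re

# Constructed `ipconfig /all` excerpt for a client leased by the router
# (all addresses are made up; field names follow English XP/2003 output).
SAMPLE = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.101
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
                                            203.0.113.53
"""

FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$")
EXTRA_IP = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def parse_adapter(text):
    """Return {lower-cased field name: [values]} for one adapter block."""
    fields, last = {}, None
    for line in text.splitlines():
        m, cont = FIELD.match(line), EXTRA_IP.match(line)
        if m:
            last = m.group(1).strip().lower()
            fields[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif cont and last:  # wrapped value, e.g. a second DNS server
            fields[last].append(cont.group(1))
    return fields

def audit(text, dc_ip, gateway_ip):
    """List deviations from the layout recommended in the thread."""
    f = parse_adapter(text)
    dns = f.get("dns servers", [])
    problems = []
    if dc_ip not in dns:
        problems.append("DC is not listed as a DNS server")
    foreign = [ip for ip in dns if ip != dc_ip]
    if foreign:
        problems.append("non-DC DNS servers handed out: " + ", ".join(foreign))
    if f.get("dhcp server") != [dc_ip]:
        problems.append("lease was not issued by the DC")
    if f.get("default gateway") != [gateway_ip]:
        problems.append("default gateway is not the router")
    return problems

if __name__ == "__main__":
    for p in audit(SAMPLE, dc_ip="192.168.0.10", gateway_ip="192.168.0.1"):
        print("WARN:", p)
```
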
#6
In news:(E-Mail Removed),
Bill Grant <not.available@online> typed:
> To add to what Phillip said, there is no way to get this working
> properly with the DC offline. If you have a domain, all machines,
> including the DC itself, should be using the AD-linked DNS. Using an
> external DNS might get you Internet access, but access to AD
> resources will fail. Only your local DNS has these records.
>
> All machines should use the D-Link as default gateway but use the
> DC for DNS and DHCP. The local DNS should be set to forward to an
> external DNS. (Forwarding to the D-Link should work, or you can use
> the DNS of your ISP). The DC needs to be up and running at all times.

Bill and Phillip,

I agree, this is a huge problem with many configurations where time was not taken to understand how AD works, from conception and planning to implementing AD. Configuring DNS and DHCP alone counts for 80%-90% of AD problems, where the administrators are providing the DC and their clients with the ISP's DNS address or some other DNS that does not host the internal private AD zone. All they have to do is point DNS on ALL machines in the domain to the DC, set up a forwarder, and be done with it. Configure Windows DHCP Option 006 with the DC's IP address and all will be happy. Otherwise, as I like to say, it cuts into their drinking time when problems arise from doing it otherwise. :-)

Another huge problem the original poster should take into account, which I believe takes up 10% of AD problems (keep in mind these are my guesstimates based on what we've seen in these newsgroups in the past 8 years, and this figure has been dwindling since AD came out due to increased awareness and education on how AD works), is an AD domain configured as a single label name ("domain" vs the required format of "domain.com"). Tough one with this design error. A rename is possible, but I have not seen a successful one yet, especially if Exchange is involved. A migration or, worse, a reinstall to a new domain properly named, will fix this biggy.

We all know the above scenarios will DEFINITELY cause authentication issues, replication issues, can't open ADUC or any other AD tool, the DC can't even "find" itself, etc.

Why does this occur? I usually say, and this is with all due respect to the original poster, it is lack of preparation and education on AD in understanding how AD works. Simply plugging the CD into the drive and installing the OS, etc., is not the answer to providing a properly functioning AD. I can understand that many companies either lack the resources or refuse to offer the ability to send their employees to classes to learn this stuff. In the long run it will cost them more in support, headaches and downtime. A five day Microsoft course on AD (MOC #2279) for around $1500 will do wonders. But I am NOT here to sell a course. Just stating this as a fact from my experience as a trainer and a consultant since the early 90's. Matter of fact, this type of thing keeps me in business providing billable time as a consultant. :-)

Also, many times these Linksys, Netgear, etc., routers, especially if the ISP service they have is giving them an automatic IP address on the WAN interface, take on the ISP's DNS addresses. So when you implement DHCP on some of these routers (not all of them, but I know there are many that do) they automatically use these external DNS addresses in the lease. I know the ActionTecs do this by default and you can't change them. PITA they are. The router manufacturers designed these low-end routers for mostly home/consumer use and they were not intended for an AD infrastructure, but nonetheless, they are used. No big deal, the idea is to just disable DHCP on them and use Windows. On top of that, the BIG reason not to use DHCP on a router is that in all the cases I've seen, their DHCP service does NOT support DHCP Option 081, which dictates DNS Dynamic Registration, which we all know is a necessary function of AD.

Here are some articles for the original poster to read, and anyone else out there reading this post. I hope it helps them to get on the right track with AD.

825036 - Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?id=825036

291382 - Frequently asked questions about Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?id=291382

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003 (forwarding):
http://support.microsoft.com/?id=323380

300684 - Information About Configuring Windows 2000 for Domains with Single-Label DNS Names
http://support.microsoft.com/?id=300684

Permissions, groups, OUs and GPOs are a whole other ballpark ...

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
#7
"Ace Fekay [MVP]" wrote:

<snip>

> Also, many times these Linksys, Netgear, etc., routers, especially if the
> ISP service they have is giving them an automatic IP address on the WAN
> interface, take on the ISP's DNS addresses. So when you implement DHCP on
> some of these routers (not all of them, but I know there are many that do)
> they automatically use these external DNS addresses in the lease. I know the
> ActionTecs do this by default and you can't change them. PITA they are. The
> router manufacturers designed these low-end routers for mostly home/consumer
> use and they were not intended for an AD infrastructure, but nonetheless, they
> are used. No big deal, the idea is to just disable DHCP on them and use
> Windows. On top of that, the BIG reason not to use DHCP on a router is that in
> all the cases I've seen, their DHCP service does NOT support DHCP Option
> 081, which dictates DNS Dynamic Registration, which we all know is a
> necessary function of AD.
>

<snip>

> --
> Regards,
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
> MVP Microsoft MVP - Directory Services
> Microsoft Certified Trainer
>
> Infinite Diversities in Infinite Combinations
>

Using Win2k3 AD ourdomain.local (all MS servers and clients), I have had to disable this option, as the well-known tcpsvcs.exe memory leak was eating RAM and disk.

My understanding is that all I have lost is the ability to join clients with an OS older than Windows 2000 to my domain.
Please tell me I'm not wrong on this!

--
Regards,
Newell White
#8
In news:B3A9D29B-3C91-49AA-8C1D-(E-Mail Removed),
Newell White <(E-Mail Removed)> typed:
> "Ace Fekay [MVP]" wrote:

> Using Win2k3 AD ourdomain.local (all MS servers and clients), I have
> had to disable this option, as the well-known tcpsvcs.exe memory leak
> was eating RAM and disk.

Are you saying you disabled DNS Dynamic Updates? On your clients or in the ourdomain.local zone properties?

>
> My understanding is that all I have lost is the ability to join
> clients with OS older than Windows 2000 to my domain.
> Please tell me I'm not wrong on this!

Can you tell me exactly what you disabled and where you disabled it please?

Thank you,

Ace
#9
"Ace Fekay [MVP]" wrote:

> In news:B3A9D29B-3C91-49AA-8C1D-(E-Mail Removed),
> Newell White <(E-Mail Removed)> typed:
> > "Ace Fekay [MVP]" wrote:
> >
> > Using Win2k3 AD ourdomain.local (all MS servers and clients), I have
> > had to disable this option, as the well-known tcpsvcs.exe memory leak
> > was eating RAM and disk.
>
> Are you saying you disabled DNS Dynamic Updates? On your clients or in the
> ourdomain.local zone properties?
>
> >
> > My understanding is that all I have lost is the ability to join
> > clients with OS older than Windows 2000 to my domain.
> > Please tell me I'm not wrong on this!
>
> Can you tell me exactly what you disabled and where you disabled it please?
>
> Thank you,
>
> Ace
>

In the DNS tab of 'Properties' of the DHCP server.
See http://support.microsoft.com/default.aspx/kb/939928

I notice however that this box is now checked again on our two DHCP servers - not by me.

I have not altered the settings on any client.
Any info to improve my mind will be gratefully received!

--
Regards,
Newell White
#10
> "Ace Fekay [MVP]" wrote:
>
> > In news:B3A9D29B-3C91-49AA-8C1D-(E-Mail Removed),
> > Newell White <(E-Mail Removed)> typed:
> > > "Ace Fekay [MVP]" wrote:
> > >
> > > Using Win2k3 AD ourdomain.local (all MS servers and clients), I have
> > > had to disable this option, as the well-known tcpsvcs.exe memory leak
> > > was eating RAM and disk.
> >
> > Are you saying you disabled DNS Dynamic Updates? On your clients or in the
> > ourdomain.local zone properties?
> >
> > >
> > > My understanding is that all I have lost is the ability to join
> > > clients with OS older than Windows 2000 to my domain.
> > > Please tell me I'm not wrong on this!
> >
> > Can you tell me exactly what you disabled and where you disabled it please?
> >
> > Thank you,
> >
> > Ace
> >
>
> In the DNS tab of 'Properties' of the DHCP server.
> See http://support.microsoft.com/default.aspx/kb/939928
>
> I notice however that this box is now checked again on our two DHCP servers
> - not by me.
>
> I have not altered the settings on any client.
> Any info to improve my mind will be gratefully received!
> --
> Regards,
> Newell White
>

OK, I guess that restarting the DHCP service restored the default configuration of Dynamic DNS, hence updates are now enabled.
My brain is not at full speed at 8 a.m. (UK time) on Monday morning!

So I will monitor memory usage of tcpsvcs.exe to see if MS have fixed this bug, or to free up the memory as recommended in kb/939928 when required.

--
Regards,
Newell White