Domain authentication problem

Discussion in 'Server Networking' started by Feijó, Jan 3, 2008.

  1. Feijó

    Feijó Guest


    I'm not sure if this is the right group to ask for help in my problem.

    For 2 weeks, my intranet has been acting weird. First I thought it was
    something with DNS and DHCP.

    After lots of clicks and guesses, that part now is OK (AFAIK).

    All machines are getting dynamic IPs thru my DLink DI-624 DHCP. It routes
    internet too.

    Sometimes when I ping some machine, the IP isn't returned. So I can't reach
    those machines.

    The biggest problem is within shared folders. Even when I can find a
    machine (my server i.e.), and I try to enter \\server, Windows asks for my
    password! But I already input that at Windows login; when I try again, it
    says that password was already attempted but no domain responded. Same
    happens if I try any other password.

    Apparently my AD lost something, its connection to my DNS?? Both are in the
    same Windows 2003, only my DHCP is on the dlink router.

    What can I do??


    Feijó, Jan 3, 2008

  2. Disable DHCP on the Dlink

    Run DHCP on the DC.
    If you configure the DHCP Service *correctly* on the DC, the rest of your
    problems will "go away".

    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Phillip Windell, Jan 3, 2008

  3. Feijó

    Feijó Guest


    I was using DHCP from the DC. After those problems began, I tried with the
    router and with the DC. Didn't help.

    Why can't I use the dlink? With the current configuration, I do not need my
    DC server to go online.

    I found that page in

    I'm trying to do that config in a virtual win2000 machine right now.

    Thanks for your prompt reply

    Feijó, Jan 3, 2008
  4. Then you just didn't do it correctly when you configured DHCP on the DC.
    Doing it on the "cheap" and "over-simplistic" DLink box is not the answer.
    The MS DHCP is 200% more capable than the DLink box ever has a prayer of
    being, you just have to do it right.

    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    Phillip Windell, Jan 3, 2008
  5. Bill Grant

    Bill Grant Guest

    To add to what Phillip said, there is no way to get this working properly
    with the DC offline. If you have a domain, all machines, including the DC
    itself, should be using the AD-linked DNS. Using an external DNS might get
    you Internet access, but access to AD resources will fail. Only your local
    DNS has these records.

    All machines should use the D-Link as default gateway but use the DC for
    DNS and DHCP. The local DNS should be set to forward to an external DNS.
    (Forwarding to the D-Link should work, or you can use the DNS of your ISP).
    The DC needs to be up and running at all times.
    Bill Grant, Jan 3, 2008
  6. Ace Fekay [MVP]
    Bill and Phillip, I agree, this is a huge problem with many configurations
    where time was not taken to understand how AD works, from conception,
    planning, and implementing AD. Configuring DNS and DHCP alone accounts for
    80%-90% of AD problems where the administrators are providing the DC and
    their clients with the ISP's DNS address or some other DNS that does not
    host the internal private AD zone. All they have to do is point DNS on ALL
    machines in the domain to the DC, set up a forwarder, and be done with it.
    Configure Windows DHCP Option 006 with the DC's IP address and all will be
    happy. Otherwise, as I like to say, it cuts into their drinking time when
    problems arise from doing it otherwise. :)

    Another huge problem I believe the original poster should take into account,
    which I believe takes up 10% of AD problems (keep in mind these are my
    guesstimates based on what we've seen in these newsgroups in the past 8
    years - and this figure has been dwindling since AD came out due to
    increased awareness and education on how AD works), is an AD domain
    configured as a single label name ("domain" vs the required format of
    ""). Tough one with this design error. A rename is possible, but I
    have not seen a successful one yet, especially if Exchange is involved. A
    migration or, worse, a reinstall to a new domain properly named, will fix
    this biggy.

    We all know the above scenarios will DEFINITELY cause authentication issues,
    replication issues, can't open ADUC or any other AD tool, the DC can't even
    "find" itself, etc.

    Why does this occur? I usually say, and this is with all due respect to the
    original poster, that it is a lack of preparation and education on AD, in
    understanding how AD works. Simply plugging the CD into the drive and installing the OS,
    etc, is not the answer to providing a properly functioning AD. I can
    understand that many companies either lack the resources or refuse to offer
    the ability to send their employees to classes to learn this stuff. In the
    long run it will cost them more in support, headaches and downtime. A five
    day Microsoft course on AD (MOC #2279) for around $1500 will do wonders. But
    I am NOT here to sell a course. Just stating this as a fact from my
    experience as a trainer and a consultant since the early 90's. Matter of
    fact, this type of thing keeps me in business providing billable time as a
    consultant. :)

    Also many times with these Linksys, Netgear, etc, routers, especially if the
    ISP service they have is giving them an automatic IP address on the WAN
    interface, the router takes on the ISP's DNS addresses. So when you
    implement DHCP on some of these routers (not all of them, but I know there
    are many that do) they automatically use these external DNS addresses in the
    lease. I know the ActionTecs do this by default and you can't change them.
    PITA they are. The router manufacturers designed these low-end routers for
    mostly home/consumer use and they were not intended for an AD
    infrastructure, but nonetheless, they are used. No big deal, the idea is to
    just disable DHCP on them and use Windows. On top of that, the BIG reason
    not to use DHCP on a router is that in all the cases I've seen, their DHCP
    service does NOT support DHCP Option 081, which dictates DNS Dynamic
    Registration, which we all know is a necessary function of AD.

    Here are some articles for the original poster to read, and anyone else out
    there reading this post. I hope it helps them to get on the right track with

    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003

    291382 - Frequently asked questions about Windows 2000 DNS and Windows
    Server 2003 DNS

    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003
    (forwarding) :

    300684 - Information About Configuring Windows 2000 for Domains with
    Single-Label DNS Names

    Permissions, groups, OUs and GPOs are a whole other ballpark ...


    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations
    Ace Fekay [MVP], Jan 4, 2008
  7. Newell White

    Newell White Guest


    Using Win2k3 AD ourdomain.local (all MS servers and clients), I have had to
    disable this option, as the well-known tcpsvcs.exe memory leak was eating RAM
    and disk.

    My understanding is that all I have lost is the ability to join clients with
    OS older than Windows 2000 to my domain.
    Please tell me I'm not wrong on this!
    Newell White, Jan 4, 2008
  8. Ace Fekay [MVP]
    Are you saying you disabled DNS Dynamic Updates? On your clients or in the
    ourdomain.local zone properties?
    Can you tell me exactly what you disabled and where you disabled it please?

    Thank you,

    Ace Fekay [MVP], Jan 5, 2008
  9. Newell White

    Newell White Guest

    In the DNS tab of 'Properties' of the DHCP server.

    I notice however that this box is now checked again on our two DHCP servers
    - not by me.

    I have not altered the settings on any client.
    Any info to improve my mind will be gratefully received!
    Newell White, Jan 7, 2008
  10. Newell White

    Newell White Guest

    OK I guess that restarting DHCP service restored the default configuration
    of Dynamic DNS, hence updates now enabled. My brain not at full speed 8a.m.
    (UK time) on Monday morning!

    So I will monitor memory usage of tcpsvcs.exe to see if MS have fixed this
    bug, or to free up the memory as recommended in kb/939928 when required.
    Newell White, Jan 7, 2008
  11. Ace Fekay [MVP]
    Ok, so you followed the article's instructions to retrieve and install the
    hotfix? If so, there's no need to disable DHCP's ability to automatically
    perform updates for clients. Curious, what symptoms did you observe to
    believe you needed this hotfix? So far I've handled a large client base and
    have not ever had a problem or seen this issue. Maybe you can elaborate so I
    can understand.

    Also, you mentioned this earlier:

    /begin quote:
    /end quote

    Here is a summarized list of possible causes:
    1. Single label name.
    2. SRV records missing.
    3. Disjointed namespace.- AD domain name doesn't match the Primary DNS
    Suffix and/or the zone name.
    4. Using an ISP's DNS in IP properties of the DC and clients.
    5. DHCP Client service disabled.
    6. DCs are possibly multihomed (more than one NIC not teamed)
    7. 3rd party firewalls
    8. Antivirus software blocking functionality
    9. Antispyware blocking functionality
    10. etc....

    I think we should help you with this issue, since it is your original
    question. I am still curious about the memory leak issue. However, to help
    with your original problem, please post the following information. This will
    help us to help you better. - Thanks!

    1. Unedited ipconfig /all from two of your DCs, and one of your clients..
    2. The exact zone name spelling in DNS and whether updates are allowed on the
    3. The AD DNS domain name as it shows up in ADUC.
    4. If the SRV records exist under your zone.
    5. Any errors in the Event logs on the DC under System, Replication Service
    and Directory Services (post the Event ID# and Source names please)
    6. Dcdiag /v /fix > c:\dcdiag.txt (post the dcdiag.txt as an attachment)
    7. Netdiag /v /fix > c:\netdiag.txt (post the dcdiag.txt as an attachment)
    8. More than one subnet?
    9. Forwarder(s) configured?

    Ace Fekay [MVP], Jan 8, 2008
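    Post 6 above says every domain member must use the DC for DNS (Option 006) and that router DHCP leases hand out external DNS, and post 11 asks for "ipconfig /all" output to check exactly that. The following added example (not from the thread or from Microsoft) parses a constructed "ipconfig /all" excerpt and flags the listed causes; the DC address set and the domain name passed in are assumptions.

```python
import re

# Constructed "ipconfig /all" excerpt (not from the thread): the client takes its
# DNS and DHCP from the router, which is the setup the replies above warn against.
SAMPLE_IPCONFIG = """\
   Host Name . . . . . . . . . . . . : ws01
   Primary Dns Suffix  . . . . . . . : corp.example.local

Ethernet adapter Local Area Connection:

   Dhcp Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.101
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
                                       208.67.222.222
"""

def parse_ipconfig(text):
    """Collect the fields that matter for AD name resolution (lower-cased keys)."""
    settings, last_key = {"dns servers": []}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z -]*?)[ .]*: (.*)$", line)
        if m:
            last_key, value = m.group(1).strip().lower(), m.group(2).strip()
            if last_key == "dns servers":
                settings["dns servers"].append(value)
            else:
                settings[last_key] = value
        elif last_key == "dns servers" and line.strip():
            settings["dns servers"].append(line.strip())  # unlabeled continuation
    return settings

def audit(settings, dc_addresses, ad_domain):
    """Flag the causes listed above: non-DC DNS, router DHCP, disjoint or
    single-label names. dc_addresses is the set of DC IPs (an assumption)."""
    findings = []
    for server in settings["dns servers"]:
        if server not in dc_addresses:
            findings.append(f"DNS server {server} does not host the AD zone")
    if settings.get("dhcp server") not in dc_addresses:
        findings.append(f"DHCP server {settings.get('dhcp server')} is not a DC (no Option 081)")
    if settings.get("primary dns suffix", "").lower() != ad_domain.lower():
        findings.append("primary DNS suffix differs from AD domain (disjoint namespace)")
    if "." not in ad_domain:
        findings.append("single-label AD domain name")
    return findings
```

    With a DC at 192.168.0.10, the sample yields three findings: two foreign DNS servers and a non-DC DHCP server.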
  12. Newell White

    Newell White Guest

    Comments in-line
    Newell White

    No, as an ex-software author and supplier I am not a fan of hot fixes from
    either side of the counter.
    I followed the work-around.

    Problem appeared a few months after I introduced about 16 reservations into
    our scope.
    So that these could be duplicated on both DHCP servers I allocated IP
    addresses in an excluded interval.
    3-4 weeks after server re-start (updates from MS) I got some warnings in
    server event viewer that it was having to increase the size of pagefile.sys.
    Investigation showed tcpsvcs.exe was using 290Mbyte RAM (1G installed) and 3x
    as much virtual memory. A deeper look showed same thing had happened the
    month before, cured by server restart.
    I am not OP, I joined the thread when you said to OP it was important that DHCP
    server does Dynamic DNS updates - I was not aware then that restarting DHCP
    server (apparently) restores this as default after I turned it off.
    I was interested in why that is important when most LANs now only have
    modern Windows versions where clients can register their own IP address with
    Newell White, Jan 8, 2008
  13. Ace Fekay [MVP]
    Oops, sorry. I thought you were the OP under a different name. It happens
    a lot. Some will post under one account or thru the web, then later again and
    use a different name or account.

    As for the hotfixes, they are a necessary evil to fix things that are broken,
    such as in your case. Matter of fact, the hotfixes get rolled up in future
    service packs. Microsoft recognized a problem with a service and provided a
    fix. I would rather install the hotfix as well as have DHCP register my
    clients, IMHO, so I would have chosen the hotfix for these two reasons.

    The DNS Update capability of a DHCP server is actually DHCP Option 081,
    which is the part of the DHCP RFC that Microsoft supports. Routers do not.

    If DHCP registers the client, DHCP owns the record and will change the
    record for the client. The default setting is to register if the client

    Here's a good read on it. Also pay attention to the part about the
    DNSUpdateProxy group.

    317590 - HOW TO Configure DNS Dynamic Update in Windows 2000 [DNS reg-dereg
    and DNSUpdateProxy Group]:;en-us;317590&Product=win2000#51

    Ace Fekay [MVP], Jan 9, 2008
  14. Newell White

    Newell White Guest

    Thanks Ace.
    It is a good read, like a whodunit.
    In fact I still don't know whodunit.
    Our clients (WinXP Pro SP2) are configured to Register IP address with DNS,
    our DHCP servers are configured to register records with DNS for clients
    which request this service.

    But I can't work out whether the clients are contacting the DNS server
    directly, or the DHCP server to request it to do so on their behalf.

    I'd better read it again :)
    BTW tcpsvcs.exe memory is now well-behaved, growing at 20kbyte/day.

    As for the merit of hotfixes, sometimes even pukka updates that have been
    compatibility-tested to death can apparently cause PDCs to stop distributing
    time to NT5DS configured domain members - if we are to believe what I have
    just read in this news group.

    Thanks for info.

    Newell White
    Newell White, Jan 9, 2008
  15. Ace Fekay [MVP]
    It's in there. If the client asks, it will register, if not, it will not and
    the client will do it directly. In most cases DHCP will reg the client, but
    the client will reg the PTR. Read up on it again.

    About NT5DS, are you saying domain members default time settings were

    I usually go with hotfixes. But that's me. If a problem arises, I'll remove

    Ace Fekay [MVP], Jan 10, 2008
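    Post 13 names DHCP Option 081 and post 15 describes the split between what the DHCP server registers and what the client registers. The following added example (not from the thread or from Microsoft) decodes the Client FQDN option as RFC 4702 defines it and derives that split from the server's reply flags; the server-policy helper is this example's own simplified model, not Windows DHCP's logic.

```python
# DHCPv4 Client FQDN option (code 81, RFC 4702): flag bits S, O, E, N.
# S = client asks the server to update the A record, O = server overrode S,
# E = name is in DNS wire format, N = client asks for no server updates at all.
FLAG_S, FLAG_O, FLAG_E, FLAG_N = 0x01, 0x02, 0x04, 0x08

def decode_fqdn_option(data):
    """Parse option 81: code, length, flags, rcode1, rcode2, then the name,
    ASCII when E=0 or DNS wire format (length-prefixed labels) when E=1."""
    if len(data) < 5 or data[0] != 81 or data[1] != len(data) - 2:
        raise ValueError("malformed option 81")
    flags, body = data[2], data[5:]
    if flags & FLAG_E:
        labels, i = [], 0
        while i < len(body) and body[i] != 0:
            n = body[i]
            labels.append(body[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        name = ".".join(labels)
    else:
        name = body.decode("ascii").rstrip(".")
    return {"flags": flags, "name": name}

def encode_fqdn_option(flags, name):
    """Build the option a client sends (ASCII form only, for the example)."""
    payload = bytes([flags, 0, 0]) + name.encode("ascii")
    return bytes([81, len(payload)]) + payload

def server_reply_flags(client_flags, force_a_update=False):
    """Decide the server's reply flags. force_a_update models a server
    policy of always registering A records (constructed policy, not
    Microsoft's implementation)."""
    reply = client_flags & FLAG_E            # keep the client's encoding bit
    if client_flags & FLAG_S or force_a_update:
        reply |= FLAG_S                      # server will update the A record
        if not client_flags & FLAG_S:
            reply |= FLAG_O                  # ...overriding the client's wish
    elif client_flags & FLAG_N:
        reply |= FLAG_N                      # server performs no updates at all
    return reply

def who_registers(reply_flags):
    """Which side updates which record, read from the server's reply:
    the server owns the PTR unless it agreed to do nothing (N)."""
    if reply_flags & FLAG_N:
        return {"A": "client", "PTR": "nobody"}
    return {"A": "server" if reply_flags & FLAG_S else "client", "PTR": "server"}
```

    A client that sends S=0 (the common default) keeps its own A record while the server writes the PTR; S=1 hands both to the server, which is the "DHCP owns the record" case described above.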
