NEWBIE Question

Discussion in 'Server Networking' started by Tym, Feb 19, 2006.

  1. Tym

    Tym Guest

    I've recently set up a 2003 server (Standard Edition SP1) on my small
    network (5 workstations all running XP Pro)

    A couple of questions.

    1. I have a printer on one of the workstations that I want to share,
    but no-one can connect to it - what do I need to do to set it up
    properly please? I've logged on to the workstation as admin and set share
    parameters, but when another ws reconnects, it asks for log on
    details, even though all ws machines are in the domain.

    2. After a while the XP Pros seem to "lose" the network and need to
    log off and reconnect to see the shared resources on the server
    (printer/directories etc) - why? I've heard there is a fix but can't
    find it on MSDN

    Please help, no-one in public.windows.server.general seems to want to
    assist!!!

    Tym
     
    Tym, Feb 19, 2006
    #1

  2. Tym

    LoneWolf Guest

    Forgive me if I seem to be starting off too simple, but have you created a
    domain with this server? Are the machines joined to that domain, and the
    users logged into the domain?
     
    LoneWolf, Feb 19, 2006
    #2

  3. In
    Did you allow access by Domain Users in the printer's share permissions and
    under the security tab?
    Curious of your infrastructure setup. Since this is AD, are all the XPs and
    DC ONLY pointing to itself for DNS in their IP properties? Just an FYI, you
    cannot have any ISP DNS or any other outside DNS server that doesn't host
    the AD zone name. During logon and authentication, all machines requesting
    an AD service will query DNS for the resource location (the SRV records), to
    find them in AD. If there's another DNS in there that doesn't host the
    zone, expect problems.

    Is your domain a single label name (domain rather than the required format
    of at least domain.com, domain.local, domain.tym, etc)?

    Other than that, the firewall by default will allow domain communication
    traffic if joined to a domain.

    I assume there are no AD errors in the Event logs?

    I thought I heard of a fix for something about XP and this, but I think it's
    more of a setting, so not sure. At least make sure you have the latest
    drivers, hotfixes and updates installed, and just for the heck of it, check
    the wiring to the DC is ok. You would be surprised how a simple bad plug can
    cause numerous issues.
    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Having difficulty reading or finding responses to your post?
    Instead of the website you're using, I suggest to use OEx (Outlook Express
    or any other newsreader), and configure a news account, pointing to
    news.microsoft.com. This is a direct link to the Microsoft Public
    Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
    to easily find, track threads, cross-post, sort by date, poster's name,
    watched threads or subject.

    Not sure how? It's easy:
    How to Configure OEx for Internet News
    http://support.microsoft.com/?id=171164

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Windows Server Directory Services
    Microsoft Certified Trainer
    Assimilation Imminent. Resistance is Futile.
    Infinite Diversities in Infinite Combinations.

    The only thing in life is change. Anything more is a blackhole consuming
    unnecessary energy.
    ===========================
     
    Ace Fekay [MVP], Feb 20, 2006
    #3
  4. In
    Double check both Share AND Security Tab. But my feeling is this may be an AD
    issue.

    AD = Active Directory !!!!
    If this is truly a single label domain name, then it can be very problematic
    and cause numerous issues. I think possibly the single label name may be
    causing this, but I am not coming to any conclusions until I see some
    configuration info. Please post an UNEDITED ipconfig /all of your Win2003
    domain controller and one from a sample workstation please. You can simply
    run in a CMD window:

    On the DC: ipconfig /all > c:\DCipconfig.txt
    On the workstation: ipconfig /all > c:\PCipconfig.txt

    Then open and copy/paste into your response.

    ALSO: Post any errors in the Event Logs, specifically post the Event ID#s
    and its Source name please.

    FYI: In Active Directory, there are no more PDCs and BDCs like there were in
    NT4. That terminology is GONE. However, there is a PDC Emulator Role that
    runs on a domain controller. There's more than this, but too much to
    mention here.

    Ace
     
    Ace Fekay [MVP], Feb 20, 2006
    #4
  5. Tym

    Tym Guest

    Before I go any further on this, one thing which has come to light
    is...

    On the security tab when sharing the printer, I went to add
    DOMAIN\users, but it wouldn't let me. On clicking the "Locations"
    button, all it is offering me is the workstation name, no domain name
    is offered
     
    Tym, Feb 22, 2006
    #5
  6. In
    I assume the machine is joined to the domain, you are logged on as a domain
    admin, and only the internal DNS servers are in IP properties of ALL
    internal machines (meaning no ISP's DNS)?

    After re-reading your previous posts, you apparently are NOT using your
    internal DNS server. That is apparent by your previous statements:
    Your internal DNS server that AD uses is the domain controller and NOT the
    router. You MUST ONLY USE your domain controller's IP address for DNS on
    your machines. NO OTHERS. Otherwise how will they even find your domain?

    Here's a repost I give everyone on this when they are not familiar with AD.
    Since you are the administrator (I assume so), I would like you to carefully
    read this passage and the links provided. This will give you a better
    insight on what AD is and how it works and how internet resolution is
    handled. -

    Good luck. Once you've made the necessary changes, post back and let me know
    how you made out.

    _________________________
    AD & DNS:

    Just an FYI about AD, DNS, authentication, finding the domain, GPOs, RPC
    issues, etc:

    I usually see these sort of errors (GPOs not working, can't find the domain,
    RPC issues, etc), when the ISP's DNS servers are listed on a client, DCs
    and/or member servers.

    If you have your ISP's DNS addresses in your IP configuration (all DCs,
    member servers and clients), they need to be REMOVED and ONLY use the
    internal DNS server(s). This is what is causing the whole problem.

    Just a little background: AD uses DNS. DNS stores AD's resource and service
    locations in the form of SRV records, hence how everything that is part of
    the domain will find resources in the domain. If the ISP's DNS is configured
    in any of the internal AD member machines' IP properties, (including all
    client machines and DCs), the machines will be asking the ISP's DNS "where
    is the domain controller for my domain?", whenever it needs to perform a
    function, (such as a logon request, replication request, querying and
    applying GPOs, etc). Unfortunately, the ISP's DNS does not have that info
    and they reply with an "I dunno", and things just fail. Unfortunately,
    the ISP's DNS doesn't have information or records about your internal
    private AD domain, and they shouldn't have that sort of information.

    Also, don't use the router as a DNS or DHCP server either. If you are
    using your NT4 as a DNS server in your AD domain, change it over to Win2003
    DNS. Same with DHCP. NT4 DNS cannot support AD's SRV requirements and
    dynamic updates.

    If there are multiple DNS entries in the IP properties of a machine (whether
    a DC, member server or client), it will ask the first DNS entry in the list
    first. If it doesn't have the answer, it will go to the second entry, but it
    REMOVES the first entry from the "eligible resolvers" list, and won't go
    back to it. This can cause issues within AD when accessing a resource such
    as a printer, folder, getting GPOs to function, etc. Another good reason to
    ONLY use the internal DNS server(s).

    For Internet resolution, the Root Hints will be used by default, unless a
    root zone exists (looks like a period or dot "." zone). Therefore, the
    recommended "best practice" to ensure full AD and client functionality is to
    point all machines ONLY to the internal server(s), and configure a forwarder
    to your ISP's DNS. This way all machines query your DNS and if it doesn't
    have the answer, it asks outside. If the forwarding option is grayed out,
    delete the Root zone (that dot zone). If not sure how to perform these two
    tasks, please follow one of the two articles listed below, depending on your
    operating system. They show a step by step on how to perform these tasks.

    291382 - Frequently asked questions about Windows 2000 DNS and Windows
    Server 2003 DNS
    http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003
    (forwarding) :
    http://support.microsoft.com/?id=323380

    300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000
    (forwarding) :
    http://support.microsoft.com/?id=300202

    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003
    http://support.microsoft.com/?id=825036

    Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
    Domain (whether it was upgraded or not, this is full of useful information
    relating to AD and DNS, among other info):
    http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

    Domain Controller's Domain Name System Suffix Does Not Match Domain Name:
    http://support.microsoft.com/?id=257623

    Clients cannot dynamically register DNS records in a single-label forward
    lookup zone:
    http://support.microsoft.com/?id=826743

    300684 - Information About Configuring Windows 2000 for Domains with
    Single-Label DNS Names
    http://support.microsoft.com/default.aspx?scid=kb;en-us;300684

    828263 - DNS query responses do not travel through a firewall in Windows
    Server 2003:
    http://support.microsoft.com/?id=828263

    __________________________
    __________________________

    Ace
     
    Ace Fekay [MVP], Feb 22, 2006
    #6
  7. Tym

    Tym Guest

    Root of the problem - thanks

    WS can now see the domain!

    Added domain.net\domainusers to the security tab

    However, the ws which has the printer on still isn't viewable in the
    entire network window

    When I try to view the resource, I get

    "\\WS is not accessible. You might not have permission to use this
    network resource.....

    There is currently no logon server to service this log on request."

    Is this a WS firewall issue or another AD issue, or both!!

    Thanks for your help thus far!



    Tym
     
    Tym, Feb 22, 2006
    #7
  8. In
    I'm glad that worked.
    No prob, Tym.

    As for viewing the printer on the workstation, I assumed you shared it, also
    assume the network is only one subnet.
    Are you viewing it from another workstation or from the server?
    Can you directly connect to it, such as \\ws\printername and just can't view
    it in Network Neighborhood or a \\ws?

    btw- you can also search in AD for printers. By default any printer shared
    on a network

    I assume you also changed all the workstations' DNS entries to use the DC
    only.

    Ace
     
    Ace Fekay [MVP], Feb 23, 2006
    #8
  9. On your AD domain controller, go into your DNS management console, expand
    into Forward Lookup Zones, and then into your domain name zone and add an A
    record, naming it www and giving it the IP address of your web site name.
     
    Todd J Heron [MVP], Feb 23, 2006
    #9
  10. In
    Split-zone. :) Good call, Todd!

    Tym - Configure a forwarder too in DNS properties.
    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003
    (forwarding) :
    http://support.microsoft.com/?id=323380

    Ace
     
    Ace Fekay [MVP], Feb 24, 2006
    #10
  11. In
    Tym, can you ping the printer?
    Try pinging the workstation the printer is on by:

    ping workstationName
    ping workstationName.domain.com

    Ace
     
    Ace Fekay [MVP], Feb 24, 2006
    #11
  12. In

    Tym,

    Pinging an FQDN doesn't work? That's not good. You did say the workstation
    is joined to the domain, correct?

    Time to see your actual configuration. Please post an UNEDITED ipconfig /all
    of your domain controller and of your workstation. Easiest way to do it is
    in a CMD prompt and type in:

    ipconfig /all > c:\ipconfig.txt.

    Then copy the data from that file and paste it here.

    Ace
     
    Ace Fekay [MVP], Feb 24, 2006
    #12
  13. In
    They should have auto registered. Can I see an ipconfig of the workstation
    please?

    Ace
     
    Ace Fekay [MVP], Feb 25, 2006
    #13
  14. In
    An Unedited ipconfig /all that is, please.
     
    Ace Fekay [MVP], Feb 25, 2006
    #14
  15. In

    Ok, I see a couple of problems and now I understand what's happening. I hope
    the info below helps you out and helps you and others reading this post
    about AD and DNS and registration. Since this post is buried in this thread,
    I kind of doubt many will bother looking, but I hope at least it helps you
    out! Ok, let's see...

    The DC's DNS addresses listed as shown above are:
    What is 192.168.0.100??
    Remove both of these and just indicate itself as DNS, meaning 192.168.0.1
    ONLY.

    Is the zone name in DNS called ictis.net?

    If the zone name in DNS is called ictis.net, and updates are allowed in the
    zone, and once you've made the changes I recommended above on
    the DC, then do this in a CMD prompt:
    ipconfig /registerdns
    net stop netlogon
    net start netlogon

    Refresh and check the DNS zone to see if they updated. May need to give it a
    moment or so. Check for the SRV records too, which are the 3 yellow folders
    and one grayed out folder called: _msdcs (grayed out), _sites, _tcp, _udp.
    You will also see a zone called _msdcs.ictis.net. That is normal and
    required. Don't touch it.

    FYI: Rules for DNS Dynamic update registration and Active Directory:
    1. AD DNS domain name MUST be in an FQDN format (domain.com, etc).

    2. Zone name in DNS MUST match name in #1.

    3. Zone properties of #2 MUST allow updates (Secure or Secure and Unsecure).

    4. The IP address shown for the DNS server in IP properties of all machines
    that are part of the domain (DCs, clients, member servers, etc etc etc),
    MUST ONLY use the internal DNS that is hosting the AD name. Otherwise, AD
    WILL NOT FUNCTION PROPERLY. If you are worried about internet resolution, it
    will work based on the Root Hints in DNS, or to make it more efficient, you
    can configure a forwarder as shown in this article:
    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003:
    http://support.microsoft.com/?id=323380

    For the printer, if it's installed and shared from a machine joined to the
    domain, then you would use the machine's name to get to it. If not, and it's
    a standalone printer with a network card in it, such as an HP JetDirect, or
    Intel, etc, then yes, you can manually create a record in the zone by
    rt-clicking the zone, new Host record, type in the name and provide the IP
    address.

    More info for your reading pleasure explaining AD and DNS:
    AD & DNS:
    =====================================
    Just an FYI about AD, DNS, authentication, finding the domain, GPOs, RPC
    issues, etc:

    I usually see these sort of errors (GPOs not working, can't find the domain,
    RPC issues, etc), when the ISP's DNS servers are listed on a client, DCs
    and/or member servers.

    If you have your ISP's DNS addresses in your IP configuration (all DCs,
    member servers and clients), they need to be REMOVED and ONLY use the
    internal DNS server(s). This is what is causing the whole problem.

    Just a little background: AD uses DNS. DNS stores AD's resource and service
    locations in the form of SRV records, hence how everything that is part of
    the domain will find resources in the domain. If the ISP's DNS is configured
    in any of the internal AD member machines' IP properties, (including all
    client machines and DCs), the machines will be asking the ISP's DNS "where
    is the domain controller for my domain?", whenever it needs to perform a
    function, (such as a logon request, replication request, querying and
    applying GPOs, etc). Unfortunately, the ISP's DNS does not have that info
    and they reply with an "I dunno", and things just fail. Unfortunately,
    the ISP's DNS doesn't have information or records about your internal
    private AD domain, and they shouldn't have that sort of information.

    Also, don't use the router as a DNS or DHCP server either. If you are
    using your NT4 as a DNS server in your AD domain, change it over to Win2003
    DNS. Same with DHCP. NT4 DNS cannot support AD's SRV requirements and
    dynamic updates. If there are multiple DNS entries in the IP properties of a
    machine (whether a DC, member server or client), it will ask the first DNS
    entry in the list first. If it doesn't have the answer, it will go to the
    second entry, but it REMOVES the first entry from the "eligible resolvers"
    list, and won't go back to it. This can cause issues within AD when
    accessing a resource such as a printer, folder, getting GPOs to function,
    etc. Another good reason to ONLY use the internal DNS server(s).

    For Internet resolution, the Root Hints will be used by default, unless a
    root zone exists (looks like a period or dot "." zone). Therefore, the
    recommended "best practice" to ensure full AD and client functionality is to
    point all machines ONLY to the internal server(s), and configure a forwarder
    to your ISP's DNS. This way all machines query your DNS and if it doesn't
    have the answer, it asks outside. If the forwarding option is grayed out,
    delete the Root zone (that dot zone). If not sure how to perform these two
    tasks, please follow one of the two articles listed below, depending on your
    operating system. They show a step by step on how to perform these tasks.

    291382 - Frequently asked questions about Windows 2000 DNS and Windows
    Server 2003 DNS
    http://support.microsoft.com/default.aspx?scid=kb;en-us;291382

    323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003
    (forwarding) :
    http://support.microsoft.com/?id=323380

    300202 - HOW TO Configure DNS for Internet Access in Windows Server 2000
    (forwarding) :
    http://support.microsoft.com/?id=300202

    825036 - Best practices for DNS client settings in Windows 2000 Server and
    in Windows Server 2003
    http://support.microsoft.com/?id=825036

    Common Mistakes When Upgrading a Windows 2000 Domain To a Windows 2003
    Domain (whether it was upgraded or not, this is full of useful information
    relating to AD and DNS, among other info):
    http://support.microsoft.com/default.aspx?scid=kb;en-us;555040

    Domain Controller's Domain Name System Suffix Does Not Match Domain Name:
    http://support.microsoft.com/?id=257623

    Clients cannot dynamically register DNS records in a single-label forward
    lookup zone:
    http://support.microsoft.com/?id=826743

    300684 - Information About Configuring Windows 2000 for Domains with
    Single-Label DNS Names
    http://support.microsoft.com/default.aspx?scid=kb;en-us;300684

    828263 - DNS query responses do not travel through a firewall in Windows
    Server 2003:
    http://support.microsoft.com/?id=828263

    __________________________

    Ace
     
    Ace Fekay [MVP], Mar 1, 2006
    #15
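
Added example, not part of the thread or any poster's code: the by-eye review of a posted ipconfig /all, written as a Python script that parses the saved text and flags violations of rules 1 and 4 from the post above. The sample output is constructed; 192.168.0.1, 192.168.0.100 and ictis.net come from the thread, while the host name ws1 and all function names are assumptions.

```python
import ipaddress
import re

# "Key . . . . : value" lines as printed by an English-language ipconfig /all
KEY_VALUE = re.compile(r"^\s+(?P<key>.+?)\s*(?:\.\s*)+:\s*(?P<value>.*)$")

# Constructed sample: a workstation that still lists the ADSL router first.
SAMPLE_WS = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : ws1
        Primary Dns Suffix  . . . . . . . : ictis.net
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : ictis.net

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Constructed Ethernet Adapter
        Physical Address. . . . . . . . . : 00-00-5E-00-53-01
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.0.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.100
        DNS Servers . . . . . . . . . . . : 192.168.0.100
                                            192.168.0.1
"""


def parse_ipconfig(text):
    """Return (host, adapters); each maps a lower-cased key to a list of values."""
    host, adapters = {}, {}
    section, last_key = host, None
    for line in text.splitlines():
        if not line.strip():
            last_key = None
            continue
        if not line[0].isspace():
            # Unindented: the banner line or an adapter header ending in ":"
            if line.rstrip().endswith(":"):
                section = adapters.setdefault(line.strip().rstrip(":"), {})
            last_key = None
            continue
        match = KEY_VALUE.match(line)
        if match:
            last_key = match.group("key").lower()
            value = match.group("value").strip()
            section[last_key] = [value] if value else []
        elif last_key is not None:
            # Indented bare value: another entry for the previous key,
            # which is how the second and later DNS servers are printed.
            section[last_key].append(line.strip())
    return host, adapters


def audit(text, internal_dns, ad_domain):
    """Return (check, where, value) findings; an empty list means clean."""
    allowed = {ipaddress.ip_address(addr) for addr in internal_dns}
    host, adapters = parse_ipconfig(text)
    findings = []
    # Rule 1: the AD DNS name must not be a single label.
    if "." not in ad_domain.strip("."):
        findings.append(("single-label-domain", "domain", ad_domain))
    suffix = (host.get("primary dns suffix") or [""])[0]
    if suffix.lower() != ad_domain.lower():
        findings.append(("suffix-mismatch", "host", suffix or "(none)"))
    # Rule 4: every configured resolver must be an internal AD DNS server.
    for name, settings in adapters.items():
        servers = settings.get("dns servers", [])
        if not servers and settings.get("ip address"):
            findings.append(("no-dns-server", name, ""))
        for server in servers:
            try:
                address = ipaddress.ip_address(server)
            except ValueError:
                findings.append(("unparsable-dns", name, server))
                continue
            if address not in allowed:
                findings.append(("non-internal-dns", name, server))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WS, ["192.168.0.1"], "ictis.net"):
        print(finding)
```

Run it against each saved c:\ipconfig.txt with the DC's address as the only allowed resolver; any non-internal-dns finding is a machine that can still send AD lookups to a server that does not host the zone.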
  16. In
    Did you implement my recommendations?

    Ace
     
    Ace Fekay [MVP], Mar 6, 2006
    #16
  17. In
    Hmm, don't know what happened. I see you're using Forte Agent. I'm not
    familiar with Forte, but are there any options dealing with how posts are
    synched? I'm using OEx now, and that doesn't have any such settings, but I
    used to use Gravity and that had some settings for server farms and the way
    they sync posts, etc...

    Anyway, here you go... I hope they are helpful.

    ===================================
    From: "Ace Fekay [MVP]"
    <PleaseSubstituteMyActualFirstName&>
    Subject: Re: Active Directory, DNS, DNS Dynamic Updates and how they work
    Date: Tue, 28 Feb 2006 23:18:29 -0500


    Ace
     
    Ace Fekay [MVP], Mar 7, 2006
    #17
  18. Tym

    Tym Guest

    Thanks for the post. I've gone back to square 1. and am partly worse
    off now!!!

    I've wiped the DC and reinstalled 2003. All DNS settings are correct.
    BTW 192.168.0.100 is the ADSL router. This is just set as the gateway
    address now.

    Problem is the WSs do not allow connections. I always get the "\\WS is
    not accessible. You might not have permission to use this network
    resource. Contact the administrator of this server to find out if you
    have access permissions. The trust relationship between the
    workstation and the primary domain failed." message. I've tried
    disabling the firewall on one as a test, but still get the message, so
    I'm fairly convinced it's not a firewall issue.

    I think the issue here is the last part of the message!

    I CAN see the printers shared on the server and they appear in the
    directory. I CANNOT see ANY shared resource on a workstation from any
    PC - including the DC. When trying to view the WS from the DC, I get
    the same message as above, but the last part says "There are
    currently no logon servers available to service the logon request"

    I think you are right in that this is a DC / AD issue, but have no
    idea where to start looking!

    Thanks for your help thus far!
     
    Tym, Mar 9, 2006
    #18
  19. In
    No problem Tym. I hope to help you get this working, and it's really a simple
    basic function of Windows networking.

    Ok, now you said you completely wiped it out and reinstalled the domain
    controller under a new name or the same name?

    It sounds to me that you forgot to dis-join and re-join the workstations
    back to the domain. When you reinstalled the domain, it now has a completely
    new SID. SIDs are used in trusts communications and relationships.

    Ace
     
    Ace Fekay [MVP], Mar 9, 2006
    #19
  20. In
    Yes, remove it from the domain, then re-join it. A join is establishing a
    trust between the machine and the domain. That's why you're getting
    permissions issues while browsing. It doesn't know who you are.

    Based on your questioning this, I feel you may not be familiar with this
    task? The machines were joined to the previous domain, weren't they? If they
    were, was it performed by someone else? Or weren't they?

    Because you reinstalled it with the same name, the domain is a completely
    different entity now. That's because domains and Windows in general, use a
    SID (Security Identifier) that identifies the machine for the trust. They're
    like fingerprints. Machines use SIDs, we use names. When a machine is
    joined, it marries to it based on the domain name and the domain's SID, and
    reverse, the domain is aware of the workstation's name and SID.

    Actually this falls under basic networking as well. :)

    Step-by-Step Guide to a Common Infrastructure for Windows Server 2003
    Deployment
    Part 2: Installing a Windows XP Professional Workstation and Connecting It
    to a Domain:
    http://www.microsoft.com/technet/pr...tory/activedirectory/stepbystep/domxppro.mspx

    All machines will need to be dis-joined and re-joined.

    One caveat: Users will lose their existing profiles. You can copy them to
    the new profile in System Properties, Advanced tab, User Profiles. But they
    will show up as SID numbers without names because it can't enumerate the old
    SIDs to a name because they belonged to the prior domain and it no longer
    exists.

    --
    Ace

     
    Ace Fekay [MVP], Mar 10, 2006
    #20