Uncommon Workstation Sharing

Discussion in 'Server Networking' started by Joe, Mar 14, 2005.

  1. Joe (Guest)

    Hello,

    I have a small network which consists of 1 server and 2 XP Pro SP2 machines, and
    I am successfully sharing what I need. However, a problem has just arrived which
    I have not come across before.

    All machines including the server are in the same workgroup and I have "My
    Documents" from both PCs targeted on the server.

    So when someone saves their documents it is automatically saved to the
    server and the mass confusion of duplicate files is minimized.

    Problem is:

    I want to encrypt the documents via windows but I cannot do this for some
    reason.

    E.g. if I open My Documents from one of the XP machines I can go through the
    process of encrypting the document, but when I save the changes it gives an
    error (The Logon Session is not in a state that is consistent with the
    requested operation).

    OK, so I decided to log on to the server and then do the encryption. It works,
    of course, but now I cannot open it from the XP machines.

    I want to access the encrypted data on the server from the XP machines.

    Thanks for your help in advance
     
    Joe, Mar 14, 2005
    #1

  2. Todd J Heron (Guest)

    I'm afraid you'll need to set up a small AD domain to do the encryption the
    way you want. In a workgroup environment, you can only encrypt documents to
    the local machine - part of the encryption key resides in the user account
    token, which has no meaning beyond the local machine in a workgroup
    environment. You can fool it by creating the same username/password account on the
    remote machine, but this works for regular shared files, not encrypted ones,
    IIRC.
     
    Todd J Heron, Mar 14, 2005
    #2

  3. Joe (Guest)

    Thanks very much, Tom, for your reply.

    I have already done the "fooling"; I forgot to tell you before.

    Can you direct me to a KB article or website to get this done please?


    Thanks Very Much

    Joe
     
    Joe, Mar 14, 2005
    #3
  4. Todd J Heron (Guest)

    But do you have Active Directory or not?
     
    Todd J Heron, Mar 14, 2005
    #4
  5. Joe (Guest)

    Hello Todd,

    Yes, I have Server 2003 Enterprise, but it is not a DC at this time, just web
    and mail and Workgroup with TS installed.

    Sorry, this does help to say my OS.

    Thanks
    Joe
     
    Joe, Mar 14, 2005
    #5
  6. Todd J Heron (Guest)

    You'll need to promote that server to an Active Directory DC to leverage the
    use of users encrypting files on machines other than the local workstation,
    unless you go with a third-party solution, such as Entrust, for example.
     
    Todd J Heron, Mar 14, 2005
    #6
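    The thread so far turns on whether the files in the redirected My Documents folder are actually EFS-encrypted and who holds a key to them. The script below is an added example and is not code from this thread or from either poster: it walks a folder, reports which files carry the Encrypted attribute, and runs cipher.exe /C on each one to list the accounts and certificate thumbprints that can decrypt it. It assumes Windows Vista / Server 2008 or later (the /C switch of cipher.exe and English-language cipher output) and a placeholder folder path that you replace with your own.

```powershell
# Added example, not from the original thread: EFS audit of a folder.
# Assumes cipher.exe /C (Windows Vista / Server 2008 or later) and English
# cipher output; the $Folder default is a placeholder, not a real share.
param(
    [string]$Folder = '\\SERVER\Users\Joe\My Documents'   # placeholder path
)

$files = Get-ChildItem -LiteralPath $Folder -File -Recurse -ErrorAction Stop

$report = foreach ($f in $files) {
    # The Encrypted attribute bit is set only on EFS-protected files.
    $isEfs = ($f.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
    $users = @(); $thumbs = @()
    if ($isEfs) {
        # cipher /C prints a "Users who can decrypt:" section with one
        # "DOMAIN\user [...]" line and a "Certificate thumbprint:" line per key.
        $out = & cipher.exe /C $f.FullName 2>&1
        $users  = $out | Select-String -Pattern '^\s*(\S+\\\S+)\s+\[' |
                  ForEach-Object { $_.Matches[0].Groups[1].Value }
        $thumbs = $out | Select-String -Pattern 'Certificate thumbprint:\s*(.+)$' |
                  ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
    }
    [pscustomobject]@{
        File        = $f.FullName
        Encrypted   = $isEfs
        CanDecrypt  = ($users  -join '; ')
        Thumbprints = ($thumbs -join '; ')
    }
}

$report | Format-Table -AutoSize

# Files in a folder you expected to be protected but that are not encrypted,
# and encrypted files that only one certificate can decrypt (no recovery agent).
$report | Where-Object { -not $_.Encrypted }
$report | Where-Object { $_.Encrypted -and $_.Thumbprints -notmatch ';' }
```

    Run it against the share from a domain-joined client once the domain is up; a file that shows as Encrypted with only the owner's thumbprint has no recovery agent, which matters before the user's profile or certificate is ever lost.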
  7. Joe (Guest)

    Hello Todd,

    I have been reading up on this Active Directory and I have a question about
    the DNS part. I see that DNS is going to be installed with the Domain Controller
    anyhow if it is not already.

    My concern is: is this DNS going to be seen publicly? My server is serving 5
    websites now. How do I just use this DNS locally?

    Thanks very Much
    Joe
     
    Joe, Mar 14, 2005
    #7
  8. Todd J Heron (Guest)

    Put the server behind a router/firewall and forward just TCP port 80 to the
    machine. The server must point to itself only for its preferred DNS server
    under TCP/IP properties of the network adapter. All internal AD domain
    clients must point only to the AD/DNS server for their preferred DNS server.
    On your DNS server, in the DNS MMC, add a Forwarder (which is the IP address
    of your ISP's DNS server). This way, only your internal clients will be
    using (and "see") your DNS. No one from the outside will.
     
    Todd J Heron, Mar 14, 2005
    #8
  9. Joe (Guest)

    Thanks Todd for your reply,

    I began the Configure Your Server wizard and saw that the forwarder was
    asked for.
    Since I was unsure of this I cancelled my install and waited for your
    reply. (Good thing!)

    I also saw the server recommending I use the .local extension, so I chose this?

    So as you are saying here I need to point the server to itself,
    e.g. preferred should be what, IP or NetBIOS name?

    I see this can't be done not being behind a router. Correct? I only have a
    public IP.

    I might be a little off track here can you get me on this because I can't
    put this behind a router right now.

    Thanks
    Joe
     
    Joe, Mar 14, 2005
    #9
  10. Todd J Heron (Guest)

    You may use .local for your internal domain name. Microsoft used to
    recommend that; they don't currently, but there's nothing wrong with it for
    small implementations like yours.

    Under the network adapter TCP/IP properties point the server to itself for
    its preferred DNS server. This is an absolute must for AD (actually it can
    point to another DNS server supporting the same AD, but for you just go ahead
    and point it to itself). The preferred DNS server IP should be
    the IP address of the server itself, i.e. 192.168.0.1. Even 127.0.0.1 will
    work on Windows Server 2003.

    Best to do this *behind* a router. Let the malicious Internet traffic
    bounce off a hardware router rather than a NIC of an AD server.
     
    Todd J Heron, Mar 14, 2005
    #10
  11. Joe (Guest)

    Hello Todd,

    I think I am lost in the forest : )

    OK, here is what I have done.

    1.) I have used the Configure My Server wizard to install AD under the custom
    selection; there is no RRAS; I have ICF enabled.
    2.) I have installed DNS per wizard recommendation, pointing to itself as
    it said in the step I chose.

    I do not know where the forwarder selection is in the DNS console to put my
    ISP DNS servers.
    3.) AD was successfully installed; however, I cannot join the domain with my
    XP machine. I am getting an error that I cannot have two connections or
    shares at the same time. I also cannot find the users on the server anymore?

    You may remember that I had created the same user on the server as on the XP
    machines. This may be a problem?

    I have no router, so I am "straight up" to the internet. What would the IP
    be now if it is not the 192.xxx.xxx.xxx? Also I have no router at all; I have
    two NICs in the server.

    Obviously I am in need of some reconfiguration here.

    I am lost in the AD

    Thanks
    Joe
     
    Joe, Mar 14, 2005
    #11
  12. Todd J Heron (Guest)

    Did you say the server had two network cards?
     
    Todd J Heron, Mar 14, 2005
    #12
  13. Joe (Guest)

    Hello Todd,

    Yes, I did say two NICs. However, I am successful, I did it!

    Now I have two questions.

    1.) I am able to encrypt (cool!). Now when I delete a file it does not go to
    the recycle bin; it just gets deleted. Can I prevent this and send it to the
    bin?

    2.) How necessary is this DNS server in my environment? And ...
    what are my security issues with the DNS installed?

    Thanks That should do it
    Joe
     
    Joe, Mar 15, 2005
    #13
  14. Todd J Heron (Guest)

    Ok, great. For a second there I was getting worried.

    1) Deleting over the network. Files deleted over the network do not go to
    any recycle bin. There is no utility in Win 2k3 to recover files deleted in
    this manner, unless you include the backup program. There are third-party
    apps that will send the file to a recycle bin when deleted over the network,
    but they have to be in place before the deletion.

    2) DNS is absolutely critical for a properly functioning Active Directory.
    Without DNS, clients will be unable to find domain controllers, global
    catalogs, and other things in AD. Here are some tips for your new AD
    network.

    All internal Active Directory domain clients should be configured to use
    only an internal DNS Server hosting the zone name for the Active Directory
    domain. This means no workstation or server, to include all DCs and DNS
    servers, on the network should be configured to use any external DNS for
    resolution, not even as a secondary DNS server. The reason all domain
    members and DCs must use the local DNS for DNS in TCP/IP properties, is
    because that is how clients find objects in Active Directory (e.g. domain
    controllers, global catalogs, etc). If you point domain clients (including
    domain controllers) to a DNS server which doesn't hold this information,
    expect:

    1) Long logon times (long waiting time for "Applying computer settings" or
    clients unable to logon at all)
    2) Slow boot times for DCs
    3) No Active Directory replication
    4) Administrators unable to manage parts of the domain
    5) Group policy errors or failing outright
    6) Poor (slow) network performance in general.

    The only place ISP DNS servers belong in the network is under your DNS
    server's Forwarders tab, not anywhere in any place on internal AD domain
    clients.

    Best practices for DNS client settings in Windows 2000 Server and in Windows
    Server 2003:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;825036

    HOW TO: Configure DNS for Internet Access in Windows Server 2003:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;323380

     
    Todd J Heron, Mar 15, 2005
    #14
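    The rules in the post above (every domain member points only at the internal DNS, the DC can be located through DNS, and the ISP resolvers appear only as forwarders) can be checked rather than taken on faith. The script below is an added example and is not code from this thread or from either poster. It assumes Windows 8 / Server 2012 or later for the DnsClient cmdlets, the DnsServer module (RSAT) when run on the DC, and placeholder values for the internal DNS address, the AD domain name and the ISP resolvers (the latter drawn from the 203.0.113.0/24 documentation range), all of which you replace with your own.

```powershell
# Added example, not from the original thread: audit the DNS settings an AD
# member and its DC should have. Values below are placeholders.
$InternalDns  = @('192.168.0.1')                  # your AD/DNS server(s) only
$AdDomain     = 'example.local'                   # placeholder AD domain name
$IspResolvers = @('203.0.113.53', '203.0.113.54') # placeholder ISP DNS (documentation range)

# 1. Every IPv4 adapter with DNS servers set must list only internal servers,
#    not even an ISP resolver as a secondary.
$bad = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object {
        $external = @($_.ServerAddresses | Where-Object { $InternalDns -notcontains $_ })
        if ($external.Count -gt 0) {
            [pscustomobject]@{ Interface = $_.InterfaceAlias; ExternalDns = ($external -join ', ') }
        }
    }
if ($bad) {
    Write-Warning 'Adapters pointing at DNS servers that do not host the AD zone:'
    $bad | Format-Table -AutoSize
} else {
    "All adapters use only internal DNS: $($InternalDns -join ', ')"
}

# 2. A member must be able to locate a DC via the _msdcs SRV record; if this
#    fails you get the slow logons and GPO errors described above.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$AdDomain" -Type SRV `
           -Server $InternalDns[0] -ErrorAction SilentlyContinue
if ($srv) {
    $dcs = ($srv | Where-Object { $_.Type -eq 'SRV' }).NameTarget
    "DC locator record OK, DCs: $($dcs -join ', ')"
} else {
    Write-Warning "No _ldap._tcp.dc._msdcs SRV record for $AdDomain; AD clients will not find a DC"
}

# 3. On the DC itself, the ISP resolvers belong only in the forwarder list.
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    $fwd = @((Get-DnsServerForwarder).IPAddress | ForEach-Object { $_.IPAddressToString })
    "Configured forwarders: $($fwd -join ', ')"
    $missing = $IspResolvers | Where-Object { $fwd -notcontains $_ }
    if ($missing) {
        Write-Warning "Forwarders not set for: $($missing -join ', ')"
        # To set them on a 2012+ DC:  Set-DnsServerForwarder -IPAddress $IspResolvers
        # On Windows Server 2003:     dnscmd /ResetForwarders 203.0.113.53 203.0.113.54
    }
}
```

    Section 1 applies on every client and on the DC; sections 2 and 3 are most useful run on the DC right after promotion, before the first workstation is joined.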
  15. Joe (Guest)

    Hello Todd : )

    Sorry for all the confusion : )

    OK, where is the Forwarders tab please, so I am sure I am at the right place?

    What setting do I want the record updates to be? Dynamic or not at all?

    As for NIC settings, this is what I have:

    Main server with AD DC
    IP from ISP
    static
    12.164.55.1xx
    255.255.255.0
    gateway 12.164.55.1

    DNS from ISP
    12.38.60.19
    12.38.60.20

    Second NIC inside server
    192.168.0.1
    255.255.255.0
    no gateway
    no DNS

    XP machine (set manually)
    192.168.0.38
    255.255.255.0
    192.168.0.1
    Preferred DNS 12.164.55.1xx (of course this is my server IP)

    All seems to be working fine. I have internet access and no slow issues at
    this time.
    I will look at the articles right now. Thanks very much for your time; it is a
    great help!!

    Joe
     
    Joe, Mar 15, 2005
    #15
  16. Joe (Guest)

    Hello Todd,

    I guess I have another question here.

    Why do I see that my hard drives on my XP machines never stop running and my
    8-port switch is going nuts like data never stops? Also I cannot get the
    mapped drives to reconnect automatically on every boot.

    I have never seen this before?

    Also, on my other XP machine in My Docs there is a tiny box at the bottom
    left corner of every file with two blue arrows on it. What is this? Do you
    know?
     
    Joe, Mar 15, 2005
    #16
  17. Todd J Heron (Guest)

    On the main server with AD DC: you really do not want to expose this server to
    the Internet. What I would do is not use ICF but instead enable RRAS,
    and in the RRAS setup wizard tell it you want to set up NAT and enable a
    firewall on the external NIC. This will change your settings below, but your
    server will be more protected.

    Ideally, if I were you I would buy a broadband firewall/router, for example
    an $80-$100 Linksys, and remove one network card from your AD DNS server.
    What you would do is plug your workstations and server into a switch and
    then uplink the switch into the broadband firewall/router, which in turn
    uplinks to your cable modem or router (or whatever it is you have). The
    server would run a lot better and would be more secure, since it would not be
    directly exposed to the Internet.

    After you do this, we can adjust your Forwarders settings and look at zone
    settings.
     
    Todd J Heron, Mar 15, 2005
    #17
  18. Todd J Heron (Guest)

    > Why do I see that my hard drives on My XP machines never stop running and
    > mapped drives to reconnect automatically on every boot.

    Let's make the suggested changes in my other post before we address this.
    Disconnect the cable from the Internet/ISP first.

    > Also On my other XP machine in the my Docs there is a tiny box at the bottom
    > left corner of every file with two blue arrows on it WHat is this ? Do you
    > know?

    That means the file is marked for offline use and is set to synchronize with
    the remote folder.
     
    Todd J Heron, Mar 15, 2005
    #18
  19. Joe (Guest)

    Hello Todd,

    Thanks for your reply,

    I might have made this problem myself.

    ##############################################
    Why do I see that my hard drives on My XP machines never stop running and
    mapped drives to reconnect automatically on every boot
    ###########################################
    I added a forward lookup zone under my Timemachine.local for my XP
    machines. Is this what I should have done, or should I delete this record?

    I cannot get to the server at this time, but I will later tonight.

    I also set the Preferred DNS to the DNS AD server, not the ISP, and it works,
    but I can only stop the data from constantly flowing by rebooting my
    server; then it all stops and all is normal again. Please excuse some of my
    ignorance here; this setup is all very new to me.

    Thanks Todd
    Joe
     
    Joe, Mar 15, 2005
    #19
  20. Joe (Guest)

    Hello Todd,

    I am sorry I didn't see this post.

    I need to inform you I tried to install the router before with no success, so
    I canned it and ran the server as the router (per se).

    I am somewhat familiar with RRAS and the ability to forward or open ports in
    RRAS. So I will also configure NAT. What about DHCP? Can this be done
    without DHCP?
    For now I will have to use the 2 NICs and later try the router again. I
    think I had a bad router. The MS router is not the best for me; Linksys seems better.

    Thanks
    Joe
     
    Joe, Mar 15, 2005
    #20