Active Directory Authentication Problem

Thread starter: Futrzak

Hello!

I will try to explain my situation as clearly as possible. I've got 2
networks (A and B) in two different buildings. Traffic between A and B
is routed through the Internet. On network B there is a DC called DC1. I need
to log in to the domain on DC1 from network A but I can't. When I try to
access DC1 shares (from A) by \\dc1\sharename I get the login prompt
but it won't let me in. If I use the IP address instead of the dc1 name the login
prompt appears but I can log in without any problem! What could be
wrong? The DNS server is configured on DC1. Setting its address on the network
A client won't change a thing. Everything worked fine but suddenly it
stopped. I can't think of a reason. Could adding a NIC to DC1 have influenced
that?

Kind regards,
Krzysztof Kiszewski
 
Hi

Suggestions, and keep in mind, when mentioning "other NICs", they are the
subnets that the NICs are on that your AD infrastructure is not on.

1. Ensure that all the NICs point only to your internal DNS server(s)
and to none others.

2. In Network & Dialup properties, Advanced Menu item, Advanced Settings,
move the internal NIC (the network that AD is on) to the top of the binding
order (top of the list).

3. Disable NetBIOS on the other NICs. You may want to take a look at this to
stop NetBIOS on the RRAS interfaces: 296379 - How to Disable NetBIOS on an
Incoming Remote Access Interface
[Reg Entry]: http://support.microsoft.com/?id=296379

4. Disable File and Print services and disable MS Client on the other NICs.
Uncheck "Register this connection" in the DNS tab of IP properties/Advanced. Now if you
need these for whatever reason for resource access from clients, then you
would probably have to keep them on.

5. In DNS, delete the other NIC references for the LdapIpAddress - the blank
domain FQDN - that looks like (same as parent). To stop it from registering
that info, use this method (taken from
http://support.microsoft.com/?id=295328):

To disable only the registration of the local IP addresses, set the
following registry value:
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ
Value: LdapIpAddress

After you set this value, you must manually register your publicly available
IP addresses for your domain to appear as:
Same as parent folder Host "publicIP". Do that by just right-clicking, New Host,
leave the hostname blank, and enter the IP of the internal NIC.


6. In DNS, _msdcs.gc, delete the IP addresses referencing the other NICs. I
would follow this article to stop the GC records from the other NICs
registering since this is a major cause of concern for logons. You would need
to manually create the GC entry of the internal NIC.
Restrict the DNS SRV resource records updated by the Net Logon service
[including GC]: http://www.microsoft.com/technet/tr...no_rr_in_ad.asp

7. Since this is a DNS server, the IPs from all NICs will register, even if
you tell it not to in the NIC properties. See this to show you how to stop
that behavior (for W2K, but may work): 275554 - The Host's A Record Is
Registered in DNS After You Choose Not to Register the Connection's Address:
http://support.microsoft.com/defaul...B;en-us;275554&

I hope this is not overwhelming and is of help.
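As an added example (not code from the thread or from Microsoft), the PowerShell audit below checks a multi-homed DC against steps 1, 3, 4 and 5 above: every NIC points only at internal DNS, the non-AD NICs have NetBIOS and DNS registration off, and Netlogon has DnsAvoidRegisterRecords set to LdapIpAddress. It assumes Windows Server 2012 or later (for the NetAdapter and DnsClient cmdlets) and an elevated session; $InternalDns and $InternalAlias are placeholders to replace with your own values.

```powershell
# Added audit script; $InternalDns and $InternalAlias are placeholders, not values from the thread.
param(
    [string[]]$InternalDns   = @('10.0.0.10'),   # placeholder: your internal DNS server(s)
    [string]  $InternalAlias = 'Ethernet'        # placeholder: alias of the NIC on the AD subnet
)

$findings = New-Object System.Collections.Generic.List[string]

# Step 5: Netlogon must be told not to register the blank-name LdapIpAddress record from every NIC
$nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                       -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue
if (-not $nl -or ($nl.DnsAvoidRegisterRecords -notcontains 'LdapIpAddress')) {
    $findings.Add('Netlogon DnsAvoidRegisterRecords does not include LdapIpAddress (step 5)')
}

foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $alias = $nic.InterfaceAlias

    # Step 1: every NIC, internal or not, must point only at the internal DNS server(s)
    $servers = (Get-DnsClientServerAddress -InterfaceAlias $alias -AddressFamily IPv4).ServerAddresses
    $foreign = $servers | Where-Object { $_ -notin $InternalDns }
    if ($foreign) {
        $findings.Add("$alias uses non-internal DNS server(s): $($foreign -join ', ') (step 1)")
    }

    # Steps 3 and 4 apply only to the NICs that are NOT on the AD subnet
    if ($alias -ne $InternalAlias) {
        if ((Get-DnsClient -InterfaceAlias $alias).RegisterThisConnectionsAddress) {
            $findings.Add("$alias still registers its address in DNS (step 4)")
        }
        # TcpipNetbiosOptions: 0 = default from DHCP, 1 = enabled, 2 = disabled
        $cfg = Get-CimInstance Win32_NetworkAdapterConfiguration |
               Where-Object InterfaceIndex -eq $nic.ifIndex
        if ($cfg.TcpipNetbiosOptions -ne 2) {
            $findings.Add("$alias has NetBIOS over TCP/IP enabled or left on default (step 3)")
        }
    }
}

if ($findings.Count -eq 0) { 'No multi-homed DC registration issues found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on the DC after the change that broke logons; a finding for the newly added NIC on steps 3, 4 or 5 is the symptom the thread describes (clients resolving dc1 to the wrong NIC's address).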
 