Cannot Set Folder Share Permissions - No Objects

Chris

My PC (XP SP1) is on a Windows 2000 domain with 2 DCs.
I can't set permissions (except Everyone, or, using the Shared Folders
Wizard, Administrators) on shared folders, as the objects (user,
group, computer names) do not show.

Help is very welcome..

I can access over the network shared folders on other PCs on the
domain, as appropriate.
Simple file sharing is not selected.
Using PCs on the same domain, I can set share permissions OK; the user
etc names appear and can be selected.

netdiag (version 5.1.2600.0 2001) is OK (appended) except:
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined. (I think this is OK)
&
[FATAL] Kerberos does not have a ticket for host/Tech.naitauba.local. (genuine?)
&
LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'Mercury-2.naitauba.local'. (don't know about this).

One DC is an upgrade from an NT4 PDC, but I don't know when this fault
started.

I have hunted through the forums and have:
(to get browser service working:) HKLM\SYS\CCS\services\browser\param\maintainserverlist to Y
(to clear ID 1054 errors:) HKLM\SYS\CCS\services\tcpip\param\"DisableDHCPMediaSense" =1
(to get secure channel working:) netdom reset tech /domain:naitauba
compared Local Security Policy to a good machine.
stopped my Zonealarm.
selected Simple File Sharing - rebooted - unchecked it.
netdiag /fix
done the registry mod to force TCP not UDP, from http://support.microsoft.com/?kbid=244474
stopped/restarted KDC service on DC "zeus"
then ran netdiag /test:kerberos /v (appended) from client.
[FATAL] Kerberos does not have a ticket for host

My PC's boot messages look good:
no 1053 or 1054 errors
Event ID: 1704 Security policy in the Group policy objects has been
applied successfully.
Event ID: 35 The time service is now synchronizing the system time
with the time source zeus.naitauba.local

Is the Kerberos error genuine?
Is it a sidetrack from my sharing permissions issue?
DC "zeus" shows 672 and 673 success messages as I log on from my PC.

How can I restore access to those user etc names to set permissions on
my shared folders ???

Help very welcome. I'm stuck at this point. First usenet post.
Thank you.

....

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
.........................................

Computer Name: TECH
DNS Host Name: Tech.naitauba.local
System info : Windows 2000 Professional (Build 2600)
Processor : x86 Family 15 Model 2 Stepping 9, GenuineIntel
List of installed hotfixes :

Netcard queries test . . . . . . . : Passed

Per interface results:

Adapter : Local Area Connection 2

Netcard queries test . . . : Passed

Host Name. . . . . . . . . : Tech
IP Address . . . . . . . . : 192.168.0.12
Subnet Mask. . . . . . . . : 255.255.255.0
Default Gateway. . . . . . : 192.168.0.1
Primary WINS Server. . . . : 192.168.0.14
Dns Servers. . . . . . . . : 192.168.0.14
192.168.0.3

AutoConfiguration results. . . . . . : Passed

Default gateway test . . . : Passed

NetBT name test. . . . . . : Passed
[WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.

WINS service test. . . . . : Passed

Global results:

Domain membership test . . . . . . : Passed

NetBT transports test. . . . . . . : Passed
List of NetBt transports currently configured:
NetBT_Tcpip_{6EB2378B-6CF6-4246-A240-806EAB92D8A1}
1 NetBt transport currently configured.

Autonet address test . . . . . . . : Passed

IP loopback ping test. . . . . . . : Passed

Default gateway test . . . . . . . : Passed

NetBT name test. . . . . . . . . . : Passed
[WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.

Winsock test . . . . . . . . . . . : Passed

DNS test . . . . . . . . . . . . . : Passed

Redir and Browser test . . . . . . : Passed
List of NetBt transports currently bound to the Redir
NetBT_Tcpip_{6EB2378B-6CF6-4246-A240-806EAB92D8A1}
The redir is bound to 1 NetBt transport.

List of NetBt transports currently bound to the browser
NetBT_Tcpip_{6EB2378B-6CF6-4246-A240-806EAB92D8A1}
The browser is bound to 1 NetBt transport.

DC discovery test. . . . . . . . . : Passed

DC list test . . . . . . . . . . . : Passed

Trust relationship test. . . . . . : Passed
Secure channel for domain 'NAITAUBA' is to '\\zeus.naitauba.local'.

Kerberos test. . . . . . . . . . . : Failed
[FATAL] Kerberos does not have a ticket for host/Tech.naitauba.local.

LDAP test. . . . . . . . . . . . . : Passed
[WARNING] Failed to query SPN registration on DC 'Mercury-2.naitauba.local'.

Bindings test. . . . . . . . . . . : Passed

WAN configuration test . . . . . . : Skipped
No active remote access connections.

Modem diagnostics test . . . . . . : Failed
[FATAL] Cannot initialize TAPI. Failed with error(0x80000048).

IP Security test . . . . . . . . . : Passed
Service status is: Started
Service startup is: Automatic
IPSec service is available, but no policy is assigned or active
Note: run "ipseccmd /?" for more detailed information

The command completed successfully

....

Kerberos test. . . . . . . . . . . : Failed

Find DC in domain 'NAITAUBA':
Found this DC in domain 'NAITAUBA':
DC. . . . . . . . . . . : \\zeus.naitauba.local
Address . . . . . . . . : \\192.168.0.14
Domain Guid . . . . . . : {FCFC7584-0506-4211-B1AC-C61B1251FCC2}
Domain Name . . . . . . : naitauba.local
Forest Name . . . . . . : naitauba.local
DC Site Name. . . . . . : Default-First-Site-Name
Our Site Name . . . . . : Default-First-Site-Name
Flags . . . . . . . . . : PDC emulator GC DS KDC TIMESERV
WRITABLE DNS
C DNS_DOMAIN DNS_FOREST CLOSE_SITE 0x8
Cached Tickets:
Server: krbtgt/ART.NAITAUBA.LOCAL
End Time: 7/19/2004 2:39:46
Renew Time: 7/25/2004 16:39:46
Server: krbtgt/NAITAUBA.LOCAL
End Time: 7/19/2004 2:39:46
Renew Time: 7/25/2004 16:39:46
Server: krbtgt/NAITAUBA.LOCAL
End Time: 7/19/2004 2:39:46
Renew Time: 7/25/2004 16:39:46
Server: cifs/CLEOPATRA
End Time: 7/19/2004 2:39:46
Renew Time: 7/25/2004 16:39:46
Server: cifs/zeus.naitauba.local
End Time: 7/19/2004 2:39:46
Renew Time: 7/25/2004 16:39:46
Server: ldap/zeus.naitauba.local/naitauba.local
End Time: 7/19/2004 2:39:46
Renew Time: 7/25/2004 16:39:46
Server: LDAP/zeus.naitauba.local
End Time: 7/19/2004 2:39:46
Renew Time: 7/25/2004 16:39:46
[FATAL] Kerberos does not have a ticket for host/Tech.naitauba.local.
....
 
I saw that part saying time got synched. Just curious and want to establish
that the time wasn't changed (you can change the zone, but not the actual
clock) since Kerberos has a 5 minute time skew tolerance.

I couldn't find it in your post, but did you try to reset the computer
account in AD?

You can always opt to remove and re-join the machine.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
I compared times of DC and my PC, viewing DC with Remote
Desktop/Terminal Services, and times are within a second.

Yes I did remove my PC from domain to a workgroup and later rejoined.
Later I removed it again, changed the PC's name, deleted my old PC
account from the AD, rejoined the domain (retested problem), finally
renamed my PC back to its old name. And in the midst of all that it
went from being a Computer object in the AD to being a Desktop object.
(I don't know the diff, except all other client PCs are Desktops)

I ran klist tgt and klist tickets and kerbtray on server DC and
on my PC and compared tickets, first time I've done this but my tickets
look fine in comparison (I have more cos I have ones for the other DC
also).

Other user logons on my PC have the same issue, incl when logged on as
the domain administrator.

I'm waiting for a DC reboot so Kerberos auditing on it can start.

Ms article 280830 - "Kerberos authentication may not work if user is a
member of many groups". I'm a member of about ten groups. Didn't seem
from the article that this was too many.

When I reboot and logon my events incl an event ID 540 with package
NTLM, and then 538s and 528s.

My lsass.exe process is running.

I downloaded/installed the Group Policy Management Console on my PC,
"specified DC could not be contacted..error:invalid syntax" (I hadn't
specified a DC at that stage). At the next option, to choose a
different DC, both DCs are listed but "Look in this domain" and its
domain name are grayed out, & still can't contact them. "The
naitauba.local forest could not be contacted and will be removed".

klist purge and purged all 7 tickets. klist now shows zero tickets.
Rebooted. Now 5 tickets already. Retested, still can't set shared
folder permissions as can't view any objects to share to.

Kerberos thing is looking like a sidetrack, despite the netdiag FATAL
error.

I don't know where to go from here.

Thanks
Chris
 
Boy, you've been busy!

I assume you uninstalled Zone Alarm? Sometimes it takes a complete removal.

I remember you saying you didn't select Simple File sharing. Did you disable
F&P or MS Client or anything else?

Can I see an ipconfig /all from the DC and from this client please?

Thanks

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Ace,

Your input is much appreciated.

I just now uninstalled Zonealarm and after rebooting, still have the
sharing issue.
File & Printer Sharing is enabled for client's Network Connection.
Client for Ms Networks (provider: Windows Locator) is checked.
ipconfigs are appended.

At various times I have disabled or uninstalled all kinds of things,
as performance tweaks, or to fit Ghost image system partition backup
on 2 CDs only. So I wouldn't be at all surprised if something necessary
is uninstalled or disabled.

I compared my local security policy and ControlPanel Network settings
with a good XP client.

My (client's) newly installed Group Policy Management Console is
interesting. Open it, no domain, rt-click, Add Forest, type in our
domain name, tells me it matches "Forest:naitauba.local.
Domain:naitauba.local". I select Yes to add it, error as described
earlier "the specified DC could not be contacted...Invalid syntax".
"Choose a different DC", several options all same issue. Have to
"Remove the Domain.." and then when close window. "Group Policy
Management. The RPC service is unavailable."

So I work thru Ms KB 224370 re RPC service :
net start rpcss (hey, I knew my RPC & RPC Locator were running)

ping mercury-2 OK ping Zeus OK (the 2 DCs)

"C:..\chris.NAITAUBA>netdom verify tech /domain:naitauba
The secure channel from TECH to the domain NAITAUBA has been verified.
The connect is with the machine \\MERCURY-2.NAITAUBA.LOCAL.
The command completed successfully."

netdiag on Zeus is clean.
netdiag on client has 2 new errors:
DC list test . . . . . . . . . . . : Failed
'NAITAUBA': No DCs are up.
Trust relationship test. . . . . . : Failed
'NAITAUBA': No DCs are up (Cannot run test).
Secure channel for domain 'NAITAUBA' is to
'\\Mercury-2.naitauba.local'.

so : "C:\Documents and Settings\chris.NAITAUBA>netdom reset tech
/domain:naitauba
The secure channel from TECH to the domain NAITAUBA has been reset.
The connection is with the machine \\ZEUS.NAITAUBA.LOCAL.
The command completed successfully."

but netdiag still gives :
DC list test . . . . . . . . . . . : Failed
'NAITAUBA': No DCs are up.
Trust relationship test. . . . . . : Failed
'NAITAUBA': No DCs are up (Cannot run test).
Secure channel for domain 'NAITAUBA' is to
'\\zeus.naitauba.local'.

BTW, when I try to set permissions on my shared folder, window is
"Share Permissions", click "Add", window is "Select Users, Computers
or Groups" (this is where I never see any), click "Advanced",
get "...Unspecified Error". (had to mention it).

Have previously done ipconfig /release then /renew.

Ace, here's the ipconfigs :

CLIENT
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\chris.NAITAUBA>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Tech
Primary Dns Suffix . . . . . . . : naitauba.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : naitauba.local

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC #2
Physical Address. . . . . . . . . : 00-01-80-3C-C0-54
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.12
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.14
DNS Servers . . . . . . . . . . . : 192.168.0.14
192.168.0.3
Primary WINS Server . . . . . . . : 192.168.0.14
Lease Obtained. . . . . . . . . . : Thursday, July 22, 2004 11:04:00 AM
Lease Expires . . . . . . . . . . : Saturday, August 21, 2004 11:04:00 AM

DC :
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\Documents and Settings\Administrator>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : zeus
Primary DNS Suffix . . . . . . . : naitauba.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : naitauba.local

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX)
Physical Address. . . . . . . . . : 00-10-5A-AC-27-75
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.0.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.14
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : 3Com EtherLink XL 10/100 PCI TX NIC (3C905B-TX) #2
Physical Address. . . . . . . . . : 00-50-04-64-7E-65
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.14
Primary WINS Server . . . . . . . : 192.168.0.14

C:\Documents and Settings\Administrator>
 
Thanks for the update. Been busy once again. Curious, 2 NICs in the DC? You
have two NICs, and one of the NICs has two IPs and the IPs and subnets from
both NICs are on the same physical subnet. On top of that, it's configured
for WINS on one of them and NetBIOS is disabled on the other.

These two NICs have the same gateway??
Are these two NICs teamed?
Which one is on the top of the binding order? I'm assuming Local Area 2 is
the top of the binding order since that is the one with WINS enabled and
what the XP machine uses for DNS.

Honestly I've never seen anything quite like this, so I'm sure there's a
solid reason for this. Can you briefly describe this arrangement and its
purpose please?

Now depending on what service or app is trying to connect to it, there seems
that there can be some confusion here, especially on what NIC is responding
and what IP when it gets resolved thru DNS. Usually we suggest to never
multihome a DC, so looking at this, I guess this falls under that category,
but not exactly sure what's happening here and if it will cause any issues.

Curious, don't remember if I asked, did you use Sysprep for the XP machine
or used a 3rd party SID changer or none at all? If none, I've seen issues
with duplicate SIDs on the network, and this *appears* to be taking on the
form of one of them, but not sure. There's a lot going on here!!

:-)

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
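
The conditions raised in the reply above (several IPs on one NIC, both NICs on the same subnet, a shared gateway, WINS on one NIC with NetBIOS disabled on the other) can be checked mechanically from `ipconfig /all` text. The following Python is an added example, not part of the original thread; the sample text is constructed from the DC output posted earlier, and the function names and finding labels are hypothetical.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample, modelled on the DC's `ipconfig /all` output in the thread.
SAMPLE = """\
Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : zeus

Ethernet adapter Local Area Connection:

IP Address. . . . . . . . . . . . : 192.168.0.5
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.0.4
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection 2:

IP Address. . . . . . . . . . . . : 192.168.0.14
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
Primary WINS Server . . . . . . . : 192.168.0.14
"""

ADAPTER_RE = re.compile(r"^(?:[\w-]+ )*?adapter (.+):$")
FIELD_RE = re.compile(r"^([^.:]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Return one dict per adapter section of `ipconfig /all` text."""
    adapters, current, pending_ip = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = ADAPTER_RE.match(line)
        if header:
            current = {"name": header.group(1), "ips": [], "gateway": None,
                       "wins": None, "netbios_disabled": False}
            adapters.append(current)
            continue
        field = FIELD_RE.match(line)
        if not field or current is None:
            continue  # global section, or a wrapped continuation line
        key, value = field.group(1).lower(), field.group(2).strip()
        if key == "ip address":
            pending_ip = value
        elif key == "subnet mask" and pending_ip:
            # ipconfig prints each address followed by its own mask
            current["ips"].append(ipaddress.ip_interface(f"{pending_ip}/{value}"))
            pending_ip = None
        elif key == "default gateway" and value:
            current["gateway"] = value
        elif key == "primary wins server" and value:
            current["wins"] = value
        elif key == "netbios over tcpip":
            current["netbios_disabled"] = value.lower() == "disabled"
    return adapters


def multihoming_findings(adapters):
    """Flag the multihoming conditions raised in the thread as (label, detail)."""
    findings = []
    for a in adapters:
        if len(a["ips"]) > 1:
            findings.append(("multiple-ips-on-adapter", a["name"]))
    for a, b in combinations(adapters, 2):
        shared = {i.network for i in a["ips"]} & {i.network for i in b["ips"]}
        if shared:
            findings.append(("adapters-on-same-subnet",
                             f"{a['name']} / {b['name']}: {sorted(map(str, shared))}"))
        if a["gateway"] and a["gateway"] == b["gateway"]:
            findings.append(("shared-default-gateway", a["gateway"]))
    with_wins = [a["name"] for a in adapters if a["wins"]]
    no_netbios = [a["name"] for a in adapters if a["netbios_disabled"]]
    if with_wins and no_netbios:
        findings.append(("netbios-wins-mismatch",
                         f"WINS on {with_wins}, NetBIOS disabled on {no_netbios}"))
    return findings


if __name__ == "__main__":
    for label, detail in multihoming_findings(parse_ipconfig(SAMPLE)):
        print(f"{label}: {detail}")
```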
 
Ace,

No SID changer or Sysprep, the client was a unique install of 2000
back when it was an NT4 domain, then client upgraded to XP, then the
PDC (Merc-2) upgraded to 2000 and a clean build 2000 server added
(Zeus).

Will get back to you re the DC arrangement with NICs etc.

Regards
Chris
 
Ok, would be curious of why you're using this configuration.

:-)

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Ace,

No SID changer or Sysprep, the client was a unique install of 2000
back when it was an NT4 domain, then client upgraded to XP, then the
PDC (Merc-2) upgraded this year to 2000 and a clean build 2000 server added
(Zeus).

Will get back to you re the DC arrangement with NICs etc.

Regards
Chris

Ace, hi you.

The DC has 2 NICs for historical reasons that no longer apply. We had
a proxy server and two internet links, hi & lo speed, and were
attempting to control what traffic connected over which link. Also it
seemed that two NICs would help throughput.

Nowadays the idea is that one NIC is Windows functions (DHCP,DNS,AD..)
and one is our email server (First Class).
We are a smallish domain; the second DC is a backup for the
first (Zeus), and originally was not intended to always be online
(nowadays it mostly is).
So the NICs are not teamed, or bound together.
They do have the same gateway.

ipconfig for the second DC Mercury-2 is attached.

Client has been getting lots of 1030 & 1058 events. For the last 3
days. Always a pair, against the same user. So at one moment one of
each against my user name, and then at another time, 30 - 90 mins
later, one of each for user SYSTEM. Always the same GPO #.

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 7/23/2004
Time: 3:18:09 PM
User: NT AUTHORITY\SYSTEM (note: or NAITAUBA\chris)
Computer: TECH
Description:
Windows cannot access the file gpt.ini for GPO
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=naitauba,DC=local.
The file must be present at the location
<\\naitauba.local\sysvol\naitauba.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>.
(The network path was not found. ). Group Policy processing aborted.

So Ms KB 314494 :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Mup
DisableDFS is 0 (I added this less than 3 days ago).
"The DFS client is turned on if the value in the Value data box is 0".
OK.
Also :
"This issue may also occur if "Everyone" has been removed from the
root drive NTFS file system permissions." - which it had been ! So I
enabled this (Hoping..). Rebooted. A pair (1030, 1058) against me and
a pair against user SYSTEM result.

BTW, Sysinternals File Monitor (all these new tools) has a few LDAP
errors:
4:16:25 PM explorer.exe:1456 OPEN C:\Program Files\Common
Files\System\Mapi\1033\NT\LDAP: NAME INVALID Options: Open Access:
All
And always simultaneous with an identical message saying FILE NOT
FOUND.

Thinking back, I believe I have never seen the objects to set share
permissions against, since we upgraded to AD. But this doesn't mean it
started then, as it's not a task I need to do often.

Regards
Chris.
 
Fixed !!!!!!

Hi everyone!


I just thought I'd post that I had the same problem. (When trying to add users, groups or computers to NTFS Security, the list of Active Directory would not come up. Error: "The network path was not found")

It was Zone Alarm. It was installed but not running. When I uninstalled it, everything was back to normal.

Thanks for everyone's time and effort on this one. Saved me from a re-install!!



Dave.
 