Child dc WIN98 issue

mike

Dear all,

I have a crap load of Win98 boxes residing on a child
domain. I also have a load of XP machines residing
there. The XP machines are joined to the child domain and
work fine. The 98 machines won't log on to the child
domain at all. TARGET ACCOUNT NOT FOUND.

The 98 machines should log into the child and be able to
access all the stuff on the child DC. Some 98 machines
(and I don't care if this works or not) should log on to
the parent and still access the child shares (of course
setting permissions correctly).

A parent DC and the child are in the same subnet. The
parent gives out DHCP. Both parent and child are running
DNS. Both are AD Integrated. DHCP allows dynamic
updates. The child DC shows all the XP machines in the
DNS, but no 98 machines. The parent has the child
delegation in the DNS records. The child has a SECONDARY
zone for the parent zone.


ANY HELP GREATLY APPRECIATED. FEEL TOTALLY FREE TO EMAIL
ME.
 
Ace Fekay [MVP]

mike said:
Dear all,

I have a crap load of Win98 boxes residing on a child
domain. I also have a load of XP machines residing
there. The XP machines are joined to the child domain and
work fine. The 98 machines won't log on to the child
domain at all. TARGET ACCOUNT NOT FOUND.

The 98 machines should log into the child and be able to
access all the stuff on the child DC. Some 98 machines
(and I don't care if this works or not) should log on to
the parent and still access the child shares (of course
setting permissions correctly).

A parent DC and the child are in the same subnet. The
parent gives out DHCP. Both parent and child are running
DNS. Both are AD Integrated. DHCP allows dynamic
updates. The child DC shows all the XP machines in the
DNS, but no 98 machines. The parent has the child
delegation in the DNS records. The child has a SECONDARY
zone for the parent zone.


ANY HELP GREATLY APPRECIATED. FEEL TOTALLY FREE TO EMAIL
ME.


What version of AD is running?

Win98 machines do not use DNS. They are solely NetBIOS based.

Your delegation configuration is incorrect. To properly delegate, create the
delegation at the parent zone and specify the IPs and name for the child
domain's DNS servers that will be handling the zone. In the child DNS
servers, configure a forwarder back to the parent DNS servers. Do not make a
secondary zone of the parent zone on the child DNS server. That can cause
issues, such as looping.

For Win98 machines to register into DNS that are DHCP clients, in DHCP
properties, DNS tab (which is actually Option 081), set it to FORCE
registration for clients that cannot register (such as Win98 clients).

As for Target Account Not Found, that indicates a NetBIOS issue. Is NetBIOS
disabled on the DCs? Win98 machines require NetBIOS.
You can use nbtstat to find out where the issue is with NetBIOS. Here's an
article I found that may be relevant to this issue:
http://www.experts-exchange.com/Operating_Systems/Q_21018430.html


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
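
Added example, not part of the original thread: one way to read the `nbtstat -a` name table that the reply above suggests checking. It goes slightly beyond the thread by naming the NetBIOS suffixes a Win98 client depends on at logon (`<00>`, `<20>`, and the domain `<1C>` group); the names CHILDDC and CHILD and both sample outputs are constructed for illustration.

```python
import re

# NetBIOS name suffixes a legacy (Win9x) client relies on to log on to a domain.
REQUIRED = {
    ("00", "UNIQUE"): "workstation service (computer name)",
    ("20", "UNIQUE"): "file server service (share access by name)",
    ("1C", "GROUP"): "domain controllers group (used to find a logon server)",
}

# One name-table row, e.g. "CHILDDC        <20>  UNIQUE      Registered"
ROW = re.compile(
    r"^[ \t]*(\S.{0,14}?)[ \t]*<([0-9A-Fa-f]{2})>[ \t]+(UNIQUE|GROUP)[ \t]+(\w+)",
    re.M,
)

def parse_name_table(text):
    """Return (name, suffix, type, status) tuples from nbtstat -a / -n output."""
    return [(n.strip(), s.upper(), t, st) for n, s, t, st in ROW.findall(text)]

def missing_registrations(text):
    """Describe each required suffix that is absent or not in 'Registered' state."""
    seen = {(s, t) for _, s, t, st in parse_name_table(text) if st == "Registered"}
    return [desc for key, desc in REQUIRED.items() if key not in seen]

# Constructed sample: a DC whose names are all registered.
HEALTHY = """
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
CHILDDC        <00>  UNIQUE      Registered
CHILD          <00>  GROUP       Registered
CHILD          <1C>  GROUP       Registered
CHILDDC        <20>  UNIQUE      Registered
CHILD          <1B>  UNIQUE      Registered
"""

# Constructed sample: same DC, but the domain <1C> group entry is missing.
NO_1C = HEALTHY.replace("CHILD          <1C>  GROUP       Registered\n", "")

# Constructed sample: name resolution failed outright.
NOT_FOUND = "Host not found.\n"

if __name__ == "__main__":
    for label, out in (("healthy", HEALTHY), ("no <1C>", NO_1C), ("not found", NOT_FOUND)):
        print(label, "->", missing_registrations(out) or "all required names registered")
```
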
 
mike

GOOD ANSWER... I'll try that... in the meantime... what about
the fact that I have DHCP on the PRIMARY controller and
not the child domain? Shouldn't be an issue, should it???
 
Ace Fekay [MVP]

mike said:
GOOD ANSWER... I'll try that... in the meantime... what about
the fact that I have DHCP on the PRIMARY controller and
not the child domain? Shouldn't be an issue, should it???


Doesn't matter where you put DHCP. DHCP is not domain specific. It will give
addresses to anyone.

Ace
 
Ace Fekay [MVP]

Mike said:
Let me revise that question... what should the DNS parameters
be in the DHCP scope options as well as root domain name?

Or am I over configuring stuff here?

Good question. The only issue here is if you want the child machines to use
only the child DNS, then you need to set up a separate Scope for that subnet
and configure Scope Option 006 (not the Server Options) to use those DNS
servers, not the parent's DNS. In the scope option for the subnet that's
being used by the parent domain, configure Scope Option 006 to use those DNS
servers.

BUT... since all the machines are in the same subnet, then this method is
not feasible. You will either need to create a custom option or just have
all machines just use the parent DNS and forget about delegation (if using
it).

Either way, leave Option 015 blank, since you have two different domains
going on.

Ace
 
mike

Awesome. I am MIP on this issue right now and will
update within the next day or so.
 
Ace Fekay [MVP]

mike said:
Awesome. I am MIP on this issue right now and will
update within the next day or so.


Sounds good. Post back with your results.

-- Ace
 
mike

Well.........not totally unfavorable...
My first guess to all this is definitely a NetBIOS prob.
Let me know if you agree.

Here's what I've got diagnosed so far.

-I researched more on the forwarders for DNS and set up
the way you said earlier.

-My DHCP scope now has only the root domain DNS servers
in its scope. The domain name option is left blank.

-I performed the nbtstat -a command on the child domain
controller and no conflicts. I performed the same command
on the Win98 machines and it said host not found. I
didn't on XP machines.

-I sure can get to the child domain shares by entering
IP: \\xxx.xxx.xxx.xxx\share. Of course, permissions won't
work because I'm not logged in. However, I allowed
EVERYONE group, and was able to get in.

-The current settings on the root domain controller are:
(we'll call it ROOT)
IP 10.100.0.2/24
It runs DNS: root.domain.com
It has a delegation in there for the child domain. (I
hope I did that right.....NEWDELEGATION.....then add IP in
primary zone, right?)
DHCP scope is set to hand out 10.100.0.0/24 with the
following options: 03 04 05 44 45 46 (I have WINS
running in the network)

-The child is as follows:
(we'll call it CHILD)
IP 10.100.0.3/24
It runs DNS: CHILD.ROOT.domain.com. It was created as a
STANDARD primary zone and not an AD integrated zone -
could this be a problem? (Remember I have all OSs on my
network.)


So.....I feel I'm getting closer, but trying to nail down
the NetBIOS problem is a pain.

And, ACE, your help is GREATLY GREATLY appreciated.
 
Ace Fekay [MVP]

mike said:
Well.........not totally unfavorable...
My first guess to all this is definitely a NetBIOS prob.
Let me know if you agree.


For the Win98 machines to log on? Most definitely. That's what I was saying
in my first response.


Here's what I've got diagnosed so far.

-I researched more on the forwarders for DNS and set up
the way you said earlier.

-My DHCP scope now has only the root domain DNS servers
in its scope. The domain name option is left blank.

You mean for all machines in both subnets (in your case, both domains, since
each domain is on a separate subnet)?

-I performed the nbtstat -a command on the child domain
controller and no conflicts. I performed the same command
on the Win98 machines and it said host not found. I
didn't on XP machines.

Is NetBIOS disabled anywhere? Since you have multiple subnets and are trying
to support legacy computers, and have the ability to perform UNCs based on
NetBIOS names, then WINS would handle that. I see later on that you do have
WINS running. That is confusing that the Win98 machines cannot log on.

-I sure can get to the child domain shares by entering
IP: \\xxx.xxx.xxx.xxx\share. Of course, permissions won't
work because I'm not logged in. However, I allowed
EVERYONE group, and was able to get in.

Can you get to them by NetBIOS names?

-The current settings on the root domain controller are:
(we'll call it ROOT)
IP 10.100.0.2/24
It runs DNS: root.domain.com
It has a delegation in there for the child domain. (I
hope I did that right.....NEWDELEGATION.....then add IP in
primary zone, right?)

You create a delegation by saying you want to delegate the child name, then
you provide the FQDN of the child DNS and its IP address.

But if you are only going to use the root DNS server by the parent domain
users and the child domain users, then that's OK with a delegation. But
just keep in mind with the delegation, that the child DCs will need to use
the child DNS servers so they can register their data into them. Ideally,
the child DNS domain users in that other subnet should be using those DNS
servers. What will happen in your scenario, all child domain clients will be
using your parent DNS, and it will send the query to the child DNS, and the
answer comes back to the parent DNS and then sent to the client. There are
extra hops happening now, which we try to avoid.

DHCP scope is set to hand out 10.100.0.0/24 with the
following options: 03 04 05 44 45 46 (I have WINS
running in the network)

We really do not need all these options. By default the time server is the
PDC Emulator in an AD Domain. Windows 2000 and newer clients will use that
by default. So we won't need 004. 044 is WINS, and 046 is the Node type,
which are both needed in your case. We won't need 045. That's a legacy
setting.

-The child is as follows:
(we'll call it CHILD)
IP 10.100.0.3/24
It runs DNS: CHILD.ROOT.domain.com. It was created as a
STANDARD primary zone and not an AD integrated zone -
could this be a problem? (Remember I have all OSs on my
network.)

No, AD integration is not a problem with this. There are multiple ways to
store DNS data, such as a text file (.dns file in system32\dns), in the AD
database itself, or in an SQL, Sybase or Oracle database (if you can figure
out how to make that work). AD Integration won't be an issue here.

So.....I feel I'm getting closer, but trying to nail down
the NetBIOS problem is a pain.

And, ACE, your help is GREATLY GREATLY appreciated.

No problem. It's starting to get complicated. I try to push for simplicity.
If all your child machines just use the child DNS, and the parent machines
just use the parent DNS, and there's a delegation to the child, and there's
a forwarder from the child to the parent, and a forwarder from the parent to
the ISP, then your DNS infrastructure is in place. Let's try to put it back
in this fashion.

As for NetBIOS, it has nothing to do with DNS. As long as NetBIOS is not
disabled on any DCs, then any legacy machine can log on to the domain. I have
a feeling something is amiss in this area.

Can you connect by UNC using a NetBIOS name from a legacy client to a DC?
How is your WINS set up? Is there a WINS server in the child and a WINS
server in the parent? If so, are they set to be replication partners with
each other? Did you alter any default domain security settings? Are there
any personal firewalls on any machines?

Ace
 
mijke

You mean for all machines in both subnets (in your case,
both domains, since each domain is on a separate subnet)?

The ROOT domain and the CHILD domain are in the same
subnet.

Is NetBIOS disabled anywhere? Since you have multiple
subnets and are trying to support legacy computers, and
have the ability to perform UNCs based on NetBIOS names,
then WINS would handle that. I see later on that you do
have WINS running. That is confusing that the Win98
machines cannot log on.

Not that I can tell. It appears fine (NetBIOS). ONE
SUBNET for right now - recalling that I have the DHCP
scope for the ONE subnet on the ROOT DC. WINS is in fact
running. Tomorrow when I get in I'll check replication
partners for this. I'm sure it's working fine though. As
for confusing....yeah....I'm RACKED...

Can you get to them by NetBIOS names?

NOPE, just by the IP addy.

You create a delegation by saying you want to delegate
the child name, then you provide the FQDN of the child
DNS and its IP address.

Yeah....just making sure...I have that correct.

What will happen in your scenario, all child domain
clients will be using your parent DNS, and it will send
the query to the child DNS, and the answer comes back to
the parent DNS and then sent to the client. There are
extra hops happening now, which we try to avoid.

Isn't this a loop???

We really do not need all these options. By default the
time server is the PDC Emulator in an AD Domain. Windows
2000 and newer clients will use that by default. So we
won't need 004. 044 is WINS, and 046 is the Node type,
which are both needed in your case. We won't need 045.
That's a legacy setting.

I had to set option 04 for a reason outside this
prob... But shouldn't be affecting this situation.

If all your child machines just use the child DNS, and
the parent machines just use the parent DNS, and there's
a delegation to the child, and there's a forwarder from
the child to the parent, and a forwarder from the parent
to the ISP, then your DNS infrastructure is in place.

My DHCP scope is set to give out the ROOT domain DNS
servers only... not the child's. Forwarder is in place.
Delegation is in place.

firewalls

NONE. ROOT DC and CHILD DC are in same subnet. Now, this
of course is part of a LARGER network, but there is a root
DC at the site where this is happening.

Did you alter

NOPE. No alterations...no firewalls....

...........sigh.....I'm guessing it's time to call the MS guys
 
mike

Well, a phone call to MS solved the issue. It had to do
with multiple WINS partners.

Thanks so much for the help. I would not have been able
to work with MS as quickly as I did without your input
(ACE).


-mike
 
Ace Fekay [MVP]

mike said:
Well, a phone call to MS solved the issue. It had to do
with multiple WINS partners.

Thanks so much for the help. I would not have been able
to work with MS as quickly as I did without your input
(ACE).


-mike

Incorrect partnerships will always do it!
Sorry to hear you had to call MS PSS. I think we could have eventually got
to the WINS partnership issue since I started talking about that and was
heading in that direction once you mentioned that you could not get to the
UNC by NetBIOS names.

Glad you got it working.
:)


Ace
 
