RAS and mapped drives - no access

  • Thread starter Thread starter Mark
  • Start date Start date
M

Mark

After switching from an NT4 domain to Win2K active directory, my RAS users
(home PCs, not domain members) have a terrible time connecting to various
network resources. I'm the domain admin and my home access hasn't been a
problem so I suspect that it's a permissions thing.
Anyway, their Outlook2K says that they don't have permission to open their
folders and some "net use" scripts that mapped some network drives give
various permission errors.

Where can I look for help on dealing with this?

Many thanks,
Mark
 
Mark said:
After switching from an NT4 domain to Win2K active directory, my RAS users
(home PCs, not domain members) have a terrible time connecting to various
network resources. I'm the domain admin and my home access hasn't been a
problem so I suspect that it's a permissions thing.
Anyway, their Outlook2K says that they don't have permission to open their
folders and some "net use" scripts that mapped some network drives give
various permission errors.
Click to expand...

Most authentication problems (this appears to be) are
really name resolution problems.

Most NT4/9x and many non-Domain machine name
resolution problems are NetBIOS related.

(Yes, you NEED NetBIOS with even Win2003 domains
in almost all real world cases.)
Where can I look for help on dealing with this?
Click to expand...

Can we assume you can Ping, tracert, NSlookup, etc,
from all machines?

Do you (did you) have WINS server(s)?

Did you turn off NetBIOS on the NICs of any servers
especially, or other machines?

If so, are all machines, including ALL "servers", themselves
WINS clients.

Did you make sure the RRAS server is giving out the correct
WINS server address (not it will generally give it's OWN
and not one provided by DHCP.)
 
Most authentication problems (this appears to be) are
really name resolution problems.

Most NT4/9x and many non-Domain machine name
resolution problems are NetBIOS related.

(Yes, you NEED NetBIOS with even Win2003 domains
in almost all real world cases.)


Can we assume you can Ping, tracert, NSlookup, etc,
from all machines?

Do you (did you) have WINS server(s)?

Did you turn off NetBIOS on the NICs of any servers
especially, or other machines?

If so, are all machines, including ALL "servers", themselves
WINS clients.

Did you make sure the RRAS server is giving out the correct
WINS server address (not it will generally give it's OWN
and not one provided by DHCP.)
Click to expand...


Hi,
Yes, I can ping okay and WINS is running in my domain. RAS is giving out
the correct info too. A strange thing however are these two items:

1) On a Win2K Pro machine, I can dial in as myself and map a network drive,
but nobody else can - Account restriction errors.

2) On a WinXP Pro machine, the same users who have restrictions on the
Win2K Pro machines can map drives without any trouble.

I took one user as a test subject and made him part of the domain admins
group and that didn't change anything. This is VERY weird. I can't go out
and upgrade everybody's home PCs to XP Pro, but that seems to be what works
without a hitch in this situation.

Does that help at all? I'm stumped...

Mark
 
Hi,
Yes, I can ping okay and WINS is running in my domain.
the correct info too. A strange thing however are these two items:
Click to expand...

Running is the first step but it has to be setup correctly.
Does that help at all? I'm stumped...
Click to expand...

Then you should likely verify EACH of the
items I suggested in the last post:
???

???
Click to expand...

??? On the client do IPConfig /all when the client is connected.
It must show the WINS server.

You can also do this ON the RRAS server to see the value
the RAS Server uses for the WINS server.
1) On a Win2K Pro machine, I can dial in as myself and map a network drive,
but nobody else can - Account restriction errors.
Click to expand...

Is there only one domain involved and you aren't switching
to "computer account authentication", right?

Are you doing this explicitly from the command line?
(You should.)
This way you can try all of the following...

net use * \\ServerName\ShareName
net use * \\Ip.Address.Of.Server\ShareName
net use * \\ServerName\ShareName * /user:Domainname\Username
net use * \\Ip.Address.Of.Server\ShareName /user:Domainname\Username

Whenever "mapping a drive" fails and you don't know the
cause you should explicitly try each of these and record
the EXACT error (it's in text on the screen and you can
just copy and paste it to a notepad or message.)

You can also use "NBTStat -n" to see resolved names
and if your NetBIOS resolution works the ServerName
will appear in there -- if it doesn't after trying to map
then perhaps it is never being resolved.

2) On a WinXP Pro machine, the same users who have restrictions on the
Win2K Pro machines can map drives without any trouble.
Click to expand...

Likely the Pro machines are never authenticating the
user.
I took one user as a test subject and made him part of the domain admins
group and that didn't change anything. This is VERY weird. I can't go out
and upgrade everybody's home PCs to XP Pro, but that seems to be what works
without a hitch in this situation.
Click to expand...

You need to figure out the REASON for the failure and
not just say "cannot map".

Chances are you don't need to upgrade but have a very
simple yet common configuration error on the Pro
machines.
Does that help at all? I'm stumped...
Click to expand...

If you run through the above you will learn more.
 
Then you should likely verify EACH of the
items I suggested in the last post:
Click to expand...

Sorry - I didn't address each, but assumed that you knew that I was doing
this before replying.


???
Click to expand...

No. That's on by default and I've left it alone.


???
Click to expand...

Yes, I have static IP configurations on my servers and include the primary
and secondary WINS server for all.


???
Click to expand...

Yes. I'm getting both primary and secondary as viewed via ipconfig /all.

On the client do IPConfig /all when the client is connected.
It must show the WINS server.
Click to expand...

I did this - it does show both WINS servers.


You can also do this ON the RRAS server to see the value
the RAS Server uses for the WINS server.


Is there only one domain involved and you aren't switching
to "computer account authentication", right?
Click to expand...


Just the child domain and a root/parent, but we log into the child domain
and the parent is just a placekeeper for future upgrades. I don't know
about "computer account authentication."


Are you doing this explicitly from the command line?
(You should.)
This way you can try all of the following...

net use * \\ServerName\ShareName
net use * \\Ip.Address.Of.Server\ShareName
net use * \\ServerName\ShareName * /user:Domainname\Username
net use * \\Ip.Address.Of.Server\ShareName /user:Domainname\Username
Click to expand...

Actually, this is the key for the 2000 Pro machines - the second-to-last
entry is what finally worked... Thanks...


Mark
 
net use * \\ServerName\ShareName
Actually, this is the key for the 2000 Pro machines - the second-to-last
entry is what finally worked... Thanks...
Click to expand...

Then you have virtually proven a NAME RESOLUTION
problem on those machines.

Something is screwy in the name resolution.

Check the DNS and WINS resolution caches:

nbtstat -c

ipconfig /displayDNS

(after trying each of the relevent commands above)

You can also clear those caches before showing them
so that after the command only the differences will
appear and be easier to spot.
 
Back
Top