
Thread: GPO's and Security Policies

  1. #11
    Heh heh, bark and stuff.

    Let's see, of the three DCs, only two have access to domain security settings, but both do indeed suffer the same error.

  2. #12
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    That's odd....
    Shall we go to basic troubleshooting?
    Get one of the servers (let's suppose it's Server1).
    Go to the DNS server (that holds the AD structure) and see if the A record is present there:
    ipaddress A server1.addomain.com
    Check that the IP address matches server1's IP address.
    In server1's IP configuration:
    be sure that the domain name (DNS property) is addomain.com (as you have defined in AD).

    But it is really odd.
    A lot of things should not work either, not just the snap-in.

    That message is usually that thing. You misconfigured the AD server and it can't contact itself. Don't blame me. It's a Microsoft idea...
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #13
    Ah, but odd problems have a tendency of finding me.

    Well, all that checks out ok, except for one minor discrepancy -- the domain (named HIFS) does not have the ".com" suffix. So nowhere in the network do you see "HIFS.com", only "HIFS". In other words, all machine names are "NAME.HIFS" as opposed to "NAME.HIFS.COM".

    I haven't thought that to be a big deal since it's been that way since the beginning, and has caused us no problems. However, I have read in MS articles in the past that lacking the ".com" can cause some communication problems. Could that be the culprit somehow? I doubt it since we've made it this far without it, but I'm open to anything.

  4. #14
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    I have been told about that, but, like you, some AD structures that I have deployed use the same idea as yours. The important thing is that the AD domain name is connected to a DNS domain name (which is usually the same one) and the servers' domain name must match that structure. When servers request AD (and other) functions, they locate those services through the DNS service (no more WINS - thank GOD). If you have a discrepancy there, you may experience some problems, such as network errors or lag.
    When you're saying that the domain name is "HIFS" you are referring to the AD domain name, right? The one you can see in the AD snap-in..

  5. #15
    Yes, it is indeed so with AD snap in.

    So I wasn't aware that there's a difference between DNS domain and AD domain. These are not necessarily one and the same? What's the difference?

  6. #16
    Senior Member | Join Date: Apr 2004 | Posts: 1,130
    My bad. I've given you the wrong idea.
    ____________________________________
    When you install AD, you are asked for 2 names:
    a) AD name, in the "DNS" form - like abc.com <-- this name will be used to create a DNS zone, so the AD NAME is EQUAL to the DNS domain name
    b) an NT-domain-like name, for compatibility with old version domains (NT Domains). Usually, if the AD name is "abc.net", the NT domain will be "abc". But it may be different.
    _______________________________________

    Now, back to the subject. I was talking about the "server" domain name. It can be slightly different from the AD DNS name, i.e. you can put all servers in a subdomain.

    When you are accessing the AD schema, all names are "resolved" through DNS. That is why I asked you about the entries in DNS. If one is wrong, odd things happen.
    __________________________________________

  7. #17
    Gotcha, I get it now. Well first then, for simplicity's sake we only have one domain for the entire office (we're only working within the range of 20 computers give or take, so the one general domain is sufficient). So everything, servers and workstations, is on the HIFS domain.

    So second, I have been catching some DNS problems. I had a few workstations stop communicating with the others. For instance, one couldn't access the printer of another because access was denied. It took me a bit to figure out what was going on, but it turned out that the IP shown for the machine in DNS was different than the one shown as leased out to it in AD. Once I fixed that, it worked fine. There have been a few instances of that.

  8. #18
    I believe I may have found something else. In DNS Forward Lookup Zone, Host (A) has an IP address that is inactive (does not respond to ping nor is assigned to any server/workstation). What should that be set to? The DNS server's IP perhaps?

    /edit -- There are 8 other similar host files in there, all with different IPs. I'm kinda in foreign territory here, not sure what all of that means just yet.

    /edit -- Discovered something that definitely is messed up. As it turns out, a number of machines have one IP shown in DNS, and another shown in DHCP. I'm trying to fix those right now.
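
Added example, not part of the original thread: one way to find the DNS/DHCP mismatches described in posts #17 and #18 is to compare the forward lookup zone's A records against the addresses machines actually hold. The host names, addresses and the `short_name` and `audit` helpers below are constructed for illustration; real input would come from an export of the DNS zone and the DHCP lease table.

```python
import ipaddress

# Constructed sample data (not from the thread). In practice these would come
# from an export of the forward lookup zone and of the DHCP lease table.
DNS_A_RECORDS = [            # (host name as stored in the zone, IPv4 address)
    ("WS01", "192.168.1.21"),
    ("ws02.hifs", "192.168.1.35"),   # stale: WS02 now holds .22
    ("WS03", "192.168.1.23"),
    ("OLDPC", "192.168.1.90"),       # nothing holds this address any more
]
DHCP_LEASES = [              # (client host name, leased IPv4 address)
    ("ws01.HIFS", "192.168.1.21"),
    ("WS02.hifs", "192.168.1.22"),
    ("WS07.hifs", "192.168.1.35"),   # address WS02's A record still points at
]
STATIC_HOSTS = [("WS03", "192.168.1.23")]   # manually configured machines

def short_name(name, domain="hifs"):
    """Lower-case a host name and strip the domain suffix, so WS01 == ws01.HIFS."""
    name = name.strip().rstrip(".").lower()
    suffix = "." + domain.lower()
    return name[: -len(suffix)] if name.endswith(suffix) else name

def audit(dns_records, leases, static_hosts=(), domain="hifs"):
    """Return sorted (host, dns_ip, problem) tuples for A records that disagree
    with the addresses machines actually hold."""
    actual = {}                      # short host name -> address it really has
    for name, ip in list(leases) + list(static_hosts):
        actual[short_name(name, domain)] = ipaddress.ip_address(ip)
    owner = {ip: host for host, ip in actual.items()}   # address -> current holder
    findings = []
    for name, ip in dns_records:
        host, addr = short_name(name, domain), ipaddress.ip_address(ip)
        if actual.get(host) == addr:
            continue                                   # record is correct
        if addr in owner:                              # resolves to another machine
            problem = "points at address now held by " + owner[addr]
        elif host in actual:
            problem = "host now has " + str(actual[host])
        else:
            problem = "no lease or static entry for this host or address"
        findings.append((host, str(addr), problem))
    return sorted(findings)

if __name__ == "__main__":
    for host, ip, problem in audit(DNS_A_RECORDS, DHCP_LEASES, STATIC_HOSTS):
        print(f"{host:8} {ip:15} {problem}")
```

The "points at address now held by" case is the one to fix first: clients resolving that name reach a different machine, which matches the access-denied symptom described in post #17.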

  9. #19
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    Make sure your machines are set to dynamically update the DNS server and make sure the server is set to accept dynamic DNS updates. It sounds like some of them aren't. If you are using pre-Win2k you need to d/l an updater patch from M$; Win2k & WinXP are able to do this natively.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #20
    Do you mean set each machine to have its IP automatically configured rather than manually assigned? We do indeed have some that have automatically detected IPs and others that are configured manually.
