In-Depth
What's the Problem?
Our experts troubleshoot your technical problems.
Several months ago we invited you to submit your choicest
technical challenges. The questions came pouring in. Then we asked our
experts (read: Really Smart People) to help us answer them. To be honest,
many of your problems absolutely boggled and stumped our troubleshooting
pros. Others were a piece of cake. Here we present eight questions and
their solutions—plus, advice on how to become a troubleshooting expert
yourself.
I’m in a high school environment. I ran the Active Directory Migration
Tool as a trial to import our 3,000-plus users from a Windows NT primary
domain controller to our new Windows 2000 Active Directory child domain
controller. The tool said the operation was unsuccessful because our network
needs to be in Native mode. That seems somewhat useless, because we won’t
be in Native mode until we get those users over to the AD and take the
NT DCs offline.
That being the case, I need a tool to migrate my users in bulk without
the cumbersome Addusers utility and without the work of a huge comma-delimited
file dump. I’m looking for a tested, reliable user import tool that will
import my users from the NT box to the Win2K box, but will also hold its
value by enabling us to import users from a file each year into AD when
our student body changes. Any suggestions?
—Sandra L. Hacker
Annandale, New Jersey
Unfortunately, Microsoft’s ADMT tool requires the target domain to be
in Native mode. However, third-party tools will do what you want without
that requirement. In addition, they have many more sophisticated features
such as the ability to back out of the migration, configure a “project”
to test the migration, and clean up the old SIDs after the migration is
complete.
The ones I’m familiar with are produced by Quest Software (www.quest.
com), BindView (www.bindview.com),
Aelita Software (www.aelita.com)
and NetIQ (www.netiq.com). You can
get more information, including software evaluation copies, from their
Web sites.
—Gary Olsen
We ran DCPromo on a Win2K machine to add it to a domain with two other
domain controllers. Somehow, the default password became the Administrator
password, so users on the network could no longer access the server. When
people try to access files on the server, it comes back and asks for a
username and password. I figured out that if we put in the default administrator
account and password, people can access the server. Obviously, we don’t
want to hand out the admin password. We could change the username and
password for administrator, but it will still prompt users for a username
and password instead of just letting them in. We ran DCPromo to demote
it to a stand-alone server, and it looks like it wants to finish but doesn’t
like the password authentication to complete the demotion. I’ve tried
every username and password I can think of. This isn’t mission critical,
as we moved all the files to a new server, but I don’t like that we can’t
demote it. We don’t want to take it out of commission.
—Glen A. Johnson
Rockford, Illinois
Something obviously happened either when you ran DCPromo or soon after
changing the machine account. Hence, users could no longer access that
server as “set” with the old password. Two possible recovery scenarios
are described in Microsoft support article Q257288,
“How to Recover from a Deleted Domain Controller Machine Account in Windows
2000.” Because you then ran DCPromo a second time, your server can’t find
the proper machine account to do a full-scale demotion. (If this isn’t
what occurred, you’ll need to run a third-party password recovery tool,
something to which every enterprise should have access.)
As explained in Q257288,
you’ll need to run dcdiag. To confirm that this diagnosis is correct,
run:
dcdiag /s:localhost
An error message should alert you that your server is missing its machine
account. This is a rare event, as the account change had to occur during
the cancelable phase of DCPromo. The Q article says this can only happen
because of deliberate user action, but all it would take is someone with
administrative privileges accidentally deleting the server. I’ve seen
similar things happen in NT 4.0—servers moved, whole directories migrated
and the “user” with no recollection of doing any of these actions. (Slow
mouse or keyboard response on a computer can lead users to generate spurious
input.)
If you have a pre-promotion backup for the server, you’ll be able to
try the promotion process again. You probably won’t need to do an authoritative
restore, as, from what you say, that machine account didn’t initially
exist in your domain. If the account did exist in your domain, follow
the steps in Q257288, follow standard steps for an authoritative restore,
stop the key distribution center (net stop kdc), and use the Sites and
Services snap-in to do a Replicate Now, which forces the good controller
to replicate to the old, “bad” controller.
If you have no backup, try running dcdiag with this option:
dcdiag /s:localhost /repairmachineaccount
The Q article goes into more detail regarding error messages and possible
outcomes, but this should give you a good start.
If a similar problem occurs when adding an NT 4.0 server to a Win2K domain,
you may find articles Q242432,
"Cannot Add Windows NT 4.0 BDC to a Windows 2000 Domain," and
Q221826,
"Create a Computer Object in the Active Directory for a Windows NT
4.0 BDC,"helpful. They describe the use of ADSI Edit to change the
user AccountControl property and nltest to reset the server account password.
Nltest can force a new secure channel. Both these tools are found in the
Support\Tools folder on the Win2K Server CD-ROM.
—Douglas Mechaber
As someone with DBA responsibilities, I run into clients looking to improve
database speed by adding disk drives and separating various database objects
(data vs. log, tables vs. indexes, this table vs. that table and so on).
While this can be done through Enterprise Manager on an object-by-object
basis, I’m looking for a solution that would allow me to bulk move a set
of objects between file groups.
—Stephen Hendricks
Irvine, California
The ability to specify where specific database objects are stored is
a huge benefit for DBAs looking to improve performance. By reducing contention
for disk I/O and allowing multiple drives to efficiently service common
queries, you can significantly improve overall performance of database
applications—if you know what you’re doing. After creating tables, you
can move them between filegroups in several ways.
- Through Enterprise Manager, you can choose the Table Designer and
then “move” the table to another filegroup. Curious to see what this
was doing behind the scenes, I ran Profiler and watched the commands
Enterprise Manager executed. (This is a useful technique for figuring
out anything that EM is actually doing when you run an operation.) I
was surprised to find EM creates a new table, copies the existing data,
then drops the original table. So, although this isn’t efficient, it
gets the job done. The problem, as you mentioned, is that it’s not an
efficient way to do operations for multiple tables using the Enterprise
Manager GUI.
- If you want to stick with moving the table, you can use Data Transformation
Services to create a package that will perform the necessary tasks.
DTS might be a good solution if you want to do the process regularly
(for example, if you regularly receive a database backup from the corporate
office and want to redistribute tables to different filegroups every
time).
- You can use bulk copy to get all of an object’s data and store it
to a file. Drop or rename the original table and create a new table
on the second filegroup. Since bcp is designed mainly for transferring
raw data between systems, you’ll need to re-create any indexes, triggers
and other objects associated with the original table.
- Re-create the clustered index on a new filegroup. This might be the
most efficient way to “move” a table between filegroups. First drop
the existing clustered index on the table you want to move (if one exists),
then create a new clustered index for that table on the new filegroup.
You can do this in one step by using the CREATE INDEX command with the
DROP_EXISTING option. Because the data for a table always exists with
the clustered index, the table’s data will be moved to the new filegroup!
Space constraints keep me from listing the syntax or actual Transact-SQL
commands required to perform these actions. Get that information from
the SQL Server Books Online (or, if you can’t find it there, e-mail
me). Good luck!
—Anil Desai
I have an organizational unit filled with Contacts and Distribution Lists
(DLs). I only want one of my users to see them in the address list. I
gave him appropriate rights on the OU and removed all other permissions.
This resulted in no one seeing it. In the global address list, the user
gets blanks where the contacts would have been. This looks ugly. Can I
somehow hide the contents from the address lists,without having these
blank spaces?
—Mats Jungsand
Sweden
For Outlook and other MAPI clients, this can be accomplished by the following
method:
- Restricting access to the OU containing the Contacts and DLs will
hide the addresses from these objects from the default Global Address
List (GAL). This will restrict users without the appropriate permissions
from seeing the objects in the GAL via Outlook or from a Find People
query instantiated from the Start Menu from any Win2K, XP, or .NET machine
or any NT or 9x machine using the Directory Services Client. (Unfortunately,
this will also result in "blank spaces" in those places where a user
would typically see the display name of each restricted object. I resolve
this in step 4.)
- To filter the desired objects from the GAL, you must provide a value
(stored in an attribute) that's common to at least all of the objects
of a given type (i.e. all contacts must share a common value). To make
this manageable through common management interfaces, I like to use
the description attribute, but keep in mind that you could use any attribute.
While its value could be anything, I use the string Confidential in
my examples.
- The default GAL lists all mail-enabled objects in the forest. To
restrict the view to your users, create a new GAL with a Filter Rule
that excludes the desired objects from being shown. These objects should
have a description attribute with a value equal to Confidential (see
step 2). Here's an LDAP query that can be used within the Exchange System
Manager utility to define a Filter Rule of the Custom Search type:
(&(&(mailnickname=*)(|(&(objectClass=user)) (&(objectClass=contact)(!(description=Confidential)))
(&(objectCategory=group)(!(description=Confidential))) (objectCategory=publicFolder))))
Let's examine each component of the query:
&—An AND operator meaning that two or more operations
must be true for an object to match the query. (i.e. an email address
must exist and the object must be a user.)
mailnickname=*—Specifies the inclusion of objects with
a mailnickname attribute with a value defined, meaning they're mailbox-enabled.
|—An OR operator; at least one operation must be true
for an object to match the query (i.e. an email address must exist or
the object must be a user).
objectClass=user—The object being evaluated must be of
Class type "user" in order to match the query.
objectClass=contact—The object being evaluated must be
of Class type "contact" in order to match the query.
!(description=Confidential)—The description attribute
of the object being evaluated shouldn't equal Confidential in order
to match the query.
objectCategory=group—The object being evaluated must be
of Category "group" in order to match the query.
objectCategory=publicFolder—The object being evaluated
must be of Category "publicFolder" in order to match the query.
In plain English, this says: Provide a list of user, contact, group,
and public folder objects that are mailbox-enabled, except when the
object is a contact or group with a description field that is set to
Confidential.
- To force typical users to access the new GAL, secure the default
GAL by removing Authenticated Users from the Access Control List (ACL)
and by adding your user who should see all entries in the list with
the permissions of List object and Open Address List. Right-click on
the default Global Address List node in the Exchange System Manager
and select the Security tab, then Properties.
- Ensure that Authenticated Users have access to the new GAL you created
in step 3. While they should be able to find it by default, you can
verify this by right-clicking on the new GAL node in the Exchange System
Manager and selecting the Security tab, then properties.
- Because the All Contacts and All Groups address lists contain a non-modifiable
filter rule that includes all contacts and all groups, respectively,
you'll have to delete, recreate or modify these lists using a utility
like ADSI Edit. You can also recreate these lists with a Filter Rule
that excludes the appropriate object if the description field has a
value of Confidential, similar to that done in step 3. You can modify
the Filter Rule directly by accessing the objects for the All Contacts
and All Groups address list in the Configuration Naming Context and
entering a new value in the purportedSearch attribute. You can find
these objects in the Configuration Naming Context under:
Services\Microsoft Exchange\ExchangeOrganizationName\
Address Lists Container\All Address Lists
The ExchangeOrganizationName is equal to the name of the Exchange Organization,
which is typically equal to the name of the forest's root domain.
Outlook Web Access clients don't have the user-based Active Directory
rights applied to directory queries. By default, this will allow a user
attempting to search Active Directory using the OWA interface to obtain
results containing every mail-enabled object. To resolve this issue, enter
the Distinguished Name (DN) of the new GAL, from step 3, as the value
for the msExchQueryBaseDN attribute for every user object that should
receive access to the restricted GAL. This can be done manually using
a tool like ADSI Edit for each user who accesses a mailbox using OWA.
You could also use a variety of scripting techniques or other tools, such
as LDIFDE.EXE, that can export and import directory information.
As with any modification to your messaging infrastructure, test this
in a lab that closely resembles all facets of your production environment,
including front- and back-end servers as well as any applications that
use the messaging environment. While you might consider this method complex,
right now it's the best method we have to control this behavior in Exchange
2000.
—Aric Bernard
I have a test network of four subnets using mask 255.255.255.192. I’ve
segmented these subnets by using three NT 4.0 workstations, each with
two NICs and using IP forwarding. What’s the best way to set up routing
so that a workstation on the first subnet can ping a printer on the fourth
subnet? Do I need to add static routes to each NT router; can I just turn
on RIP; or do I have to do a mixture of default routes, static routes
and RIP?
—Mike Price
Fairfax, Virginia
This isn’t a robust network design. Your best bet would be to get an
actual router or dedicate a machine (probably not an NT box) to do the
job.
In any event, working within these parameters, you have many options.
But let’s think about the life of an IP packet—or at least a network device’s
perspective of the whole thing. In order to participate in an IP network,
a network device needs two things: An IP address, to uniquely identify
that device on the network and a subnet mask to determine who is local
to the network device. With those two things, basic communication is possible,
and things will work. Think of it like this: Moving to a new neighborhood,
you find the people local to you live on your own street.
Then we start adding some complexity to the equation. Perhaps I like
my neighbors and all, but there’s a whole big world out there. There’s
a larger organization around me, there’s lots to see and do. So how do
I get to “the great beyond”? If I were a PC or end-station, I’d need a
default gateway. If I were a router, I’d call this idea the “next hop
address”—or, which way do I go to get to a particular destination?
Let’s look at routers in general, as your NT workstations are acting
in that fashion. As a router, just like a PC in a neighborhood, I “know”
what I can touch. If it’s participating in two separate subnets, then
it very easily knows about both of those. So routing between those two
subnets is no big deal. You can have multiple workstations doing this,
and each may know separate networks (even having one in common).
Go back to the idea of moving into a new neighborhood. Each of your neighbors
may know about different parts of town, different ways to go and different
things to do. Each of these neighbors is separate.
So in order to broaden the scope of what a router knows, we use routing
protocols or static routes. This is a way of adding someone else’s knowledge
into our list of choices. A static route is a manual or administrative
way of saying “Go this way.” A routing protocol is a more dynamic way
of sharing information from different sources, giving everyone the ability
to choose the “best path” to a particular destination.
Routing tables must have an entry to match to an IP (basic, boring math),
or the packet will get dropped as unreachable. PCs have a default gateway
to take care of this. In the routing world, this is known as the 0.0.0.0/0
route, or the “everyplace else” path. Routers are generally more particular.
With respect to your workstations, you can take different approaches.
With static routes, it’s a quick and easy decision because there’s only
one path (obviously, the best) to get to each particular destination network.
With static routes, you also don’t have any overhead.
Having loops in your network and potentially multiple paths would be
a strong argument for RIP or OSPF (both of which can run on NT). Routing
protocols offer a dynamic approach to getting things done. This is good
if your “best path” changes from time to time, because it’s less of a
manual/administrative headache. The downside is additional overhead processing
and traffic. RIP sends out broadcasts (which means that every station
receives and processes them even if they don’t care) every 30 seconds.
OSPF converses via a multicast address; but, depending on your LAN architecture,
every station may still receive these packets. As routing updates are
received, the RIB or Routing Information Base (protocol database) is updated
and the routing table examined to see if changes are needed.
With that in mind, having both static routes and a dynamic routing protocol
exchanging the same information is pointless. Static routes usually win.
Each method has its good and bad points. A network design isn’t necessarily
right or wrong. There are just some better reasons to go in a particular
direction! But as with anything in networking, knowing the ramifications
of your choices is important!
—Scott Morris
My problem is with a Win2K member server running IIS 5.0, which is using
NTLM authentication rather than Kerberos. I need it to use Kerberos in
order to support pass-through authentication for access to a remote SQL
Server.
The setup:
- Three Win2K Server domain controllers.
- One Win2K Web server running IIS 5.0 installed as a member server
(it also happens to be running Exchange 2000).
- One Win2k SQL 2000 database on another member server.
- The domain is in Native mode and trusted for delegation.
When checking the authentication method used on the Web server, using
the Microsoft ASP code, it shows as NTLM. Interestingly, I’ve tried setting
up an IIS server on one of the DCs, and it uses Kerberos and supports
pass-through authentication. I just can’t find a way to make our Web server
use Kerberos.
I’d be grateful for any help.
—Phil Crombie
Manchester UK
There are a few possibilities. First, you must configure the computer
account—not the domain—to be trusted for delegation to enable the Web
server to request a Kerberos ticket on behalf of the user connecting to
the Web site. By default, domain controllers have the “Trust computer
for delegation” flag enabled. Member servers don’t have the flag enabled
by default. This is configured in the properties of the computer account
in Active Directory Users and Computers.
The final possibility is that the Web server doesn’t have its FQDN registered
in DNS or that the Service Principal Name of the Web server doesn’t match
the FQDN of the Web server. If the FQDN isn’t removable, Kereberos authentication
fails.
The second possibility is that you’re attempting to use an account in
the local SAM database of the Web server. Any authentication attempts
to the local SAM database will use NTLM. Kerberos is only used to authenticate
domain accounts.
—Brian Komar
This is a Win2K Professional question. From what I can tell, printers
are specific to the login. How can I create a printer and have it apply
to anyone who uses that machine? For example, I log in as Eric and create
a printer called Printer1. When John uses the machine, I want his printer
list to include Printer1.
—Eric Lanyon
San Jose, California
The answer eluded me for many months until an
enterprising attendee at a recent MCP TechMentor conference, Richard Zimmerman
of ABC Computers, provided me with most of a solution.
If you tried to create a Group Policy “Startup script” for a computer,
you likely noticed it didn’t work. This is because there’s no user environment
in which to house this newly created printer.
So, you have a paradox: How do you run a computer startup script for
every user who sits down at a machine, but run this startup script after
the user is logged on? You essentially want to solve the following problem:
“How can anyone who sits at a computer on the fourth floor be guaranteed
access to the printer on the fourth floor?”
To do what you want, you’ll need to pull out some serious group policy
big guns—specifically, a little known property called loopback processing
mode. Loopback processing mode has two different flavors: replace and
merge.
 |
| Figure 1. Using loopback processing mode forces
the computer to process site, domain and OU policies as if it were
a user—a handy technique for forcing certain settings. |
Group policy loopback replace mode is used with kiosks or lab machines,
when you want everyone who logs on to a specific machine (whether president
or janitor) to have the same “look and feel” on that machine, regardless
of what policies are directed to their individual user accounts.
The rarely used group policy merge mode is handy when you need to modify
a property in the user profile, but do it per computer. Merge mode runs
the Computer Policy again after the user has logged in.
In both loopback processing modes the computer doesn’t think it’s a computer.
It temporarily puts on a “user” hat and processes the site, domain and
OU policies as if it were a user.
With that in mind, you’ll need to do several things:
- Create a VB script that connects you to the printer you want. (I’ve
supplied an example called ASSIGNHP4.VBS.)
- Create an OU, say, “Fourth Floor Computers” and move the computers
on the Fourth floor into it.
- Create a new GPO on that OU and name it something like “All computers
get HPLJ4 Printer.”
- Drill down into the new GPO to Computer | Administrative Templates
| System | Group Policy | User Group Policy loopback processing mode
and specify it to be in MERGE mode.
- Drill down into User | Windows | Scripts | Logon. Click Add to add
a new file, click Browse to open the file requester, then copy in your
ASSIGNHP4.VBS script and add it to run.
Remember: In Loopback processing mode, the computer “thinks” it’s
a user, so use User/Logon scripts, not Computer/Startup scripts.
Now whenever you log in as any user to a computer in the “Fourth Floor
Computers” OU, the user’s policies will be evaluated and run; the computer
puts on a “user” hat and runs its own “logon” script; and you get the
printer assigned for every user on a computer.
—ASSIGNHP4.VBS
vbscript—
Set wshNetwork = CreateObject("WScript.Network")
PrinterPath = "\\server1\HPLJ4"
PrinterDriver = "HP LaserJet 4"
WshNetwork.AddwindowsPrinterConnection PrinterPath, PrinterDriver
WshNetwork.SetDefaultPrinter "\\server1\HPLJ4"
Wscript.Echo "Default Printer Created"
—Jeremy Moskowitz
Exclusively Online!
More of Your Troubleshooting Questions
Is there any way to change the default number of rings on Microsoft Remote
Access Server before pick-up? I'd like to use my single home phone line
to access my home network from any remote job with my laptop. I was hoping
to set the computer at home running Windows XP Professional to pick up
after four rings or so. This would enable me to have my answering machine
pick up as normal, but turn off the answering machine from the remote
location to allow connection to my home network with my laptop over the
existing phone line. I can't seem to find any information on the subject.
—Ken White
Hampton, Virginia
Windows NT 4.0, Win2K, and Windows XP Remote Access Service (RAS) answer
incoming dial-up connection attempts on the first ring. This is the default
behavior, and, unfortunately, there's no option in the interface to change
the number of rings that RAS will notice. However, the following registry
parameter can be used set the number of rings that RAS will answer incoming
connection attempts for NT, Win2K and XP. Open the Registry Editor and
add a REG_DWORD value called NumberOfRings to the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
RasMan\Parameters
The data range for the NumberOfRings value can range from zero to 20.
A value of zero instructs RAS to ignore incoming calls; a value of 20
instructs RAS to notice the 20th ring. This registry change works for
Telephony Application Programing Interface (TAPI) modems-most of the modems
made for the past five years. If you have an older modem that doesn't
support TAPI, then edit modem.inf, located in %systemroot%\system32\ras\modem.inf.
Open the file and look for the section that relates to your modem and
edit the following line:
COMMAND_LISTEN=ATSO=1
Change the value to the number of rings that you require RAS to answer
incoming modem connection attempts on.
—Todd Logan
Help me if you can—I'm feelin' down. The hardware: NT 4.0 Server
with SP6; the services: WINS, DHCP and RAS; the client: a laptop running
Win2K. The details: The client accesses the network remotely using PPTP
Ms VPN. The client is given access and "assigned" an IP address of RAS
server. 192.168.100.100. The client ends the remote session by logging
off and closing the connection. The client comes into office and tries
to log on with the same laptop but gets the message, "A duplicate machine
name exists on the network" The client can log on but has no access to
network shares using the local logon. The event log shows: NACK issued
for client 65.96.xxx.xxx (assume this is the home ISP).
These are the things I've tried that don't work: ensuring that the client
does log off; using a reserved IP address for the client then taking the
reserve off and trying IP release/renew; different profiles docked/undocked;
DHCP leases renewed every 24 hours.
The band-aid solution that works: Deleting all mappings for the laptop
in the WINS database. But I can't live with this solution! What am I missing?
It's got to be a simple problem but my eyes have been blinded! Help!
—Frances Young
Bedford, Massachusetts
WINS is used for name resolution of NetBIOS computer names to IP addresses.
Before WINS, which appeared in NT 3.5, NT users had a choice of static
resolution-the infamous LMHOSTS file-or broadcasts, which are inefficient
and (as you remember from myriad exam questions) don't route. Name resolution
proceeds by modified H-node (hybrid node), as implemented by Microsoft.
As explained by Williams at http://williams.comp.ncat.edu/Networks/DHCP.htm
and in Q119493,
"NetBIOS over TCP/IP Name Resolution and WINS," when the IP stack is started,
the PC checks to see if the name is in the NetBIOS cache, where it remains
active for 10 minutes. If the name is in the cache, the PC uses that hardware
address. If the name isn't available, but a WINS server is, the PC queries
the server for the hardware IP address three times. If a positive response
is received, the PC ARPs the correct address. The next method in this
order is broadcasting; if the broadcast is successful, the destination
will ARP the PC's hardware address, and the destination returns the IP
address. If the LMHOSTS file exists, the system tries this method of resolution
next, using ARP to send the hardware address. Finally, NT and Win2K will
try the HOSTS file. If Enable DNS for Windows Resolution is checked, the
system will use DNS for the IP address and ARP the desired address.
WINS works mostly automatically. You can change the storage options and
so on to improve performance, but the WINS database is built by data sent
from the clients. When the computer logs off, the entry should be deleted.
As you noted, that seems to be the rub. There are other ways to confirm
this. You didn't mention the use of nbtstat, with any options, such as
-a serveripaddress to generate a list of NetBIOS names or -n to check
the name giving the error. This is described in Q315259,
"NetBT Event ID 4320 Appears in Event Viewer." Somehow, your WINS server
isn't releasing the name of your laptop. That exact problem is described
in Q140419,
"Name Release Notifications Not Sent to WINS on Shut Down"; but this should
have been fixed post-SP3 or SP4 (depending on whether you believe Microsoft
or BugTraq).
You might also read Q164016,
"Err Msg: Event ID: 4320 Duplicate Name on Network." Of course, you didn't
mention any error messages, and this sounds like the "band-aid solution"
you're already using. Other possible solutions to NetBIOS resolution problems
relate to the use of multihomed Master Browsers (Q135404).
From your description, it sounds like PPTP and WINS may be set up on
the same server, which could be a problem; or more likely, you can't connect
to network resources on the PPTP server, even though you can connect locally,
which would be equivalent to a local LAN login. Could there be a route
added to your PPTP client for the purpose of connection to your ISP? This
route may block UDP or TCP ports, which are needed for NetBIOS traffic.
An easy test for this is via the ShieldsUp! program by Steve Gibson, at
www.grc.com. This would explain why
the release, which was presumably sent, never worked when the laptop was
logged off.
Q176321,
"Unable to Resolve NetBIOS Names Through PPTP Connection," gives four
possible solutions: 1) Use NetBEUI instead of or in addition to TCP/IP,
so you don't require use of the blocked ports; 2) enable unicast (only)
traffic across the blocked ports, 137, 138, 139, which may be impossible
if this is through an ISP and may be a security risk; 3) move WINS to
a different server than the PPTP server; 4) finally, on the PPTP server,
create another IP interface. This IP interface doesn't have to be an additional
interface card-with differing IP address-that would access the WINS server
with the aforementioned ports enabled, but that may be the best solution.
Q176321
has additional details.
You may also wish to check Q150520,
"WINS Server Sporadically Loses Name Resolution," and Q185786,
Recommended Practices for WINS," which includes a good summary, with lots
of WINS references. Good luck!
—Douglas Mechaber
I have four NT 4.0 SP6a servers on the other side of a Cicso PIX 515
firewall from my domain. I would like these servers to be able to join
the domain for centrally managed security and other reasons. What do I
need to do on the firewall and on the servers (internal/external) to make
this happen? I don't want to have a BDC on the external zone unless it's
significantly easier that way. It's still firewall protected from the
Internet by the firewall, though at a lower security setting than my PDC
and other BDCs.
—Mark D. Allen
San Rafael, California
Pre-answer: What an ugly question! I wouldn't recommend this case.
I would suggest creating a client VPN connection from each member server
to the private network, allowing connectivity to the internal DCs. This
is preferable, because I would only have to open TCP port 1723 (PPTP)
and protocol ID 47 (GRE) at the PIX firewall. I could also set up specific
filters that would only allow the tunnels from the specific IP addresses
in the DMZ.
So, the firewall would require packet filters to allow the establishment
of the PPTP VPNs.
The clients must be configured with a PPTP VPN client. I would recommend
enabling MSChapv2 to use the strongest possible connection.
A PPTP VPN server must be created on the private network to accept the
VPN connections. I wouldn't recommend remote management of the servers;
but if you need this, additional packet filters could be defined to allow
connections from the private network to the DMZ by private network administrators.
—Brian Komar
I have a Win2K server (running Terminal Services) that I used to publish
an Access-based application. One of my NT 4.0 workstations (with SP6a)
can't access that server through Internet Explorer 6.0 or Client Manager.
The error message reads: "VB Scripts Unable to connect to terminal server:
junxure". I've tried different versions of IE-5.0 and 5.5-but with no
luck. Otherwise, the workstation in question enjoys a normal day-to-day
operation.
I researched the Knowledge Base and came up with Q282128,
which explains how you can test port 3389 on your terminal server. Even
though I don't have a firewall or other filters between my clients and
the server, I went ahead and conducted the test, which came back positive.
I can establish a telnet session with that server. I have no problem pinging
the server both by NetBIOS name and IP address. This problem isn't user-specific.
The other clients don't have problem connecting to this server and accessing
the published application. Can you think of a fix for this?
—Sam Pahlavan
Boca Raton, Florida
Whenever troubleshooting the kind of problems that can make me pull my
hair out, I like to try reducing the problem to its simplest components.
I suspect you have other workstations, similarly configured, that don't
show this inability to execute the Access application. I also assume that
Access was installed correctly for multiple users: using Add/Remove Programs
from the Control Panel. (See Q186515
for more information.)
You say the workstation in question is normal day to day, which probably
means that the user account for most privileges is appropriate.
I have to ask: Is the regular user able to execute your Access application
if he or she logs in from another workstation? From what you say, I'm
going to guess that the regular station user can use the application from
another location. You've verified that the workstation enjoys normal connectivity.
What's different about that user or machine? And what would cause the
Access application not to work, with an apparent internal error?
The application execution environment is the only possible explanation
I can think of. When I see that kind of error, I think of path, privileges
or rights. You've checked the user rights and privileges by having the
user log in from another computer, so the only thing remaining would be
the machine account. Check that carefully; users from that machine may
not be able to write temporary files, for example. Different versions
of IE shouldn't affect the outcome.
One last tip: Check out the following article , as it may present additional
hints or troubleshooting ideas, particularly tip six: http://certcities.com/editorial/tips/story.asp?EditorialsID=5
You've already checked Q282128,
which is a good start for general terminal services connectivity problems.
Since it appears that initial connectivity isn't affected (only that Access
application) you might also read Q194776,
"How To Install a Visual Basic Application on Terminal Server."
—Douglas Mechaber
When setting up IPSec policy rules, there's the potential to set different
and possibly conflicting rules. How can you determine the order in which
the rules are processed?
—Dave Mills
IPSec rules are processed so that the most specific ones are processed
first. For example, if you had a rule that said to encrypt all protocols
and another rule that would apply no encryption to packets destined to
TCP port 23, then the non-encrypted rule would take precedence for all
connections to the telnet service on the local computer
The key design point is to not implement conflicting rules. Try to limit
the total number of IPSec filters in an IPSec policy, and work them out
on paper to determine which filters and filter actions may be in conflict.
—Brian Komar
My problem is an interesting one. I open up Internet Explorer only to
find that when I click on File on the top menu there's no Send button
available. I've noticed that Adobe Acrobat 4.0, recently installed, is
the only change that has been made to the system. I wonder what could
be making this item on the file menu suddenly disappear?
—Michael
Worthylake
Newport Beach, California
You haven't specified the OS nor IE version. So I've checked the registry
in both Windows 95 and Win2K Server, but I could find no specific key
for that attribute. I looked in the obvious places: under Hkey_local_machine,
Hkey_user and Hkey_current_user/software/microsoft/internet explorer/
(and anything under that). That doesn't mean that the key doesn't exist.
I may have missed it or, more likely, there's a reference within a general
IE subkey to a hex key located elsewhere that describes the properties
within the toolbar.
But there's hope! I haven't seen the above problem, but I have seen aberrant
IE behavior, including windows that don't resize or move properly and
whole sections of the toolbar not appearing. The solution that worked
for me was to install a new version of IE.
—Douglas Mechaber