Administrator Can't log into a DC unless the DC can see a GC

Guest
Archived from groups: microsoft.public.win2000.active_directory

My forest has three trees, and the tree I'm interested in has a single
domain and three DCs. Two are GCs and one (with RID and Infrastructure) is
not. As long as the non-GC server can see a GC server then I can use the
administrator account and log in fine. If I pull the network cable out of
the main network and plug it into a simple isolated hub and try to log in as
administrator it gives the cannot connect to a DC message. As soon as the
network cable is plugged back into the main network it all logs in okay. All
DCs are DNS servers, and all DCs point to themselves as the first DNS
server to look at.

I haven't looked at any other tree in the forest at this time.

As a quick test I set up a clean domain with GCs and non-GCs. In the
clean environment if the non-GC box couldn't see a GC the administrator could
still log in.

All the servers in the forest are W2k SP4. Replication is fine according to
both Sonar and Ultrasound. Any thoughts anyone?
 
Guest

By default, an administrator can log in without a GC present but this can be
changed via the registry so that even admins need a GC present. This is a
security setting which another admin on your network probably enabled. Have
a read of this, it should help.
http://support.microsoft.com/?id=241789

"Darryl Paterson" <DarrylPaterson@discussions.microsoft.com> wrote in
message news:C54D41F3-FD70-4E13-A21F-0E4B5CA5EDB7@microsoft.com...
> My forest has three trees, and the tree I'm interested in has a single
> domain and three DCs. Two are GCs and one (with RID and Infrastructure) is
> not. As long as the non-GC server can see a GC server then I can use the
> administrator account and log in fine. If I pull the network cable out of
> the main network and plug it into a simple isolated hub and try to log in as
> administrator it gives the cannot connect to a DC message. As soon as the
> network cable is plugged back into the main network it all logs in okay. All
> DCs are DNS servers, and all DCs point to themselves as the first DNS
> server to look at.
>
> I haven't looked at any other tree in the forest at this time.
>
> As a quick test I set up a clean domain with GCs and non-GCs. In the
> clean environment if the non-GC box couldn't see a GC the administrator could
> still log in.
>
> All the servers in the forest are W2k SP4. Replication is fine according to
> both Sonar and Ultrasound. Any thoughts anyone?
 
Guest

I believe that you have misunderstood this article. This has nothing to do
with an admin being denied access to a resource because a GC is unavailable.
This provides a situation where non-admins can gain access to the network
after they have established access and then the GC is temporarily unavailable.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"Simon Geary" <simon_geary@hotmail.com> wrote in message
news:e2$AWmIPFHA.3372@TK2MSFTNGP10.phx.gbl...
> By default, an administrator can log in without a GC present but this can be
> changed via the registry so that even admins need a GC present. This is a
> security setting which another admin on your network probably enabled. Have
> a read of this, it should help.
> http://support.microsoft.com/?id=241789
>
> "Darryl Paterson" <DarrylPaterson@discussions.microsoft.com> wrote in
> message news:C54D41F3-FD70-4E13-A21F-0E4B5CA5EDB7@microsoft.com...
> > My forest has three trees, and the tree I'm interested in has a single
> > domain and three DCs. Two are GCs and one (with RID and Infrastructure) is
> > not. As long as the non-GC server can see a GC server then I can use the
> > administrator account and log in fine. If I pull the network cable out of
> > the main network and plug it into a simple isolated hub and try to log in as
> > administrator it gives the cannot connect to a DC message. As soon as the
> > network cable is plugged back into the main network it all logs in okay. All
> > DCs are DNS servers, and all DCs point to themselves as the first DNS
> > server to look at.
> >
> > I haven't looked at any other tree in the forest at this time.
> >
> > As a quick test I set up a clean domain with GCs and non-GCs. In the
> > clean environment if the non-GC box couldn't see a GC the administrator could
> > still log in.
> >
> > All the servers in the forest are W2k SP4. Replication is fine according to
> > both Sonar and Ultrasound. Any thoughts anyone?