Archived from groups: microsoft.public.win2000.security
Steve,
Thanks for all your help... I did find out over the course of fixing
this problem that for netdiag to work, the Remote Registry Service has
to be enabled. I had it disabled based upon guidance from our
security folks.
Thanks,
--CW
"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<XkxPc.235884$Oq2.5412@attbi_s52>...
> Hi CW.
>
> See the link below for explanation. The first dc can point just to itself as the
> primary only. --- Steve
>
>
> http://support.microsoft.com/default.aspx?scid=kb%3Ben-us%3B291382
>
> "corn29@ no_spam excite.com" <corn29@excite.com> wrote in message
> news:216bf30e.0408020937.695d809e@posting.google.com...
> > Steve,
> >
> > Thanks for the help so far!!! I have another question based upon your
> > last post. I have 2 DCs -- dc1 and dc2. dc1 and dc2 are both DNS
> > servers and both are domain controllers (with dc1 being the fsmo pdc).
> > dc1 is 10.10.0.10 and dc2 is 10.10.0.14. You wrote:
> >
> > > First thing to check is dns configuration in that domain controllers should
> > > point to the first domain controller in the domain [pdc fsmo]
> > > and themselves as second in the list of preferred dns.
> >
> > So in the case of dc1, are both the primary and secondary DNS addresses
> > 10.10.0.10 then?
> >
> > Thanks,
> >
> > --CW
> >
> > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<wixOc.60065$eM2.45212@attbi_s51>...
> > > You certainly don't want to have computers with the same sid. SysInternals explains
> > > this and how to remedy it as shown in the link below.
> > >
> > > http://www.sysinternals.com/ntw2k/source/newsid.shtml
> > >
> > > http://www.sysinternals.com/ntw2k/freeware/psgetsid.shtml --- displays sids for a computer or local user
> > >
> > > The Event IDs 8021 and 8032 are usually caused by a master browser being
> > > multihomed. The fsmo pdc for the domain is usually the master domain browser and it
> > > is multihomed or used as a rras server [virtual adapter even if it has one nic] you
> > > can get those errors and experience problems with the browse list.
> > >
> > > http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q135/4/04.asp&NoWebContent=1
> > >
> > > Any fatal error is not good with netdiag. Running netdiag /v may give more info and
> > > dcdiag should also be run on domain controllers. First thing to check is dns
> > > configuration in that domain controllers should point to the first domain controller
> > > in the domain [pdc fsmo] and themselves as second in the list of preferred dns
> > > servers in tcp/ip properties. Domain members need to point to only domain controllers
> > > for their dns and never an ISP dns server on any domain computer. Dns problems can
> > > result in the unresolved sids you are seeing if they are domain groups on a domain
> > > computer. Also ipsec policies [client/respond/request] that involve the domain
> > > controller can also cause networking problems in the domain. --- Steve
> > >
> > > "corn29@ no_spam excite.com" <corn29@excite.com> wrote in message
> > > news:216bf30e.0407300813.7a3ab8ed@posting.google.com...
> > > > I thought it was very curious behavior as well... especially with
> > > > regard to Domain Users "changing" to a local group. Local groups and
> > > > accounts are not allowed on our system by the security folks either.
> > > > At any rate, we're having some of the SID issues you mentioned below
> > > > as well. I'm starting to wonder if this comes from cloning/ghosting a
> > > > machine... at least that's when I see these problems raise their ugly
> > > > head. I did follow Q262958 (even though we're not getting any 1000 or
> > > > 1053 errors) without any success.
> > > >
> > > > So with all of this said, do you have any insight on how to clean up
> > > > the "bunch of numbers that are the unresolved sid for the group"?
> > > >
> > > > Oh, BTW netdiag /fix fails on the DC with "[FATAL] Failed to get
> > > > system information of this machine". I'm NOT getting any DNS errors
> > > > (only browser errors - 8021 & 8032). Any ideas?
> > > >
> > > > Thanks again!
> > > >
> > > > --CW
> > > >
> > > >
> > > > "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message news:<wq_Nc.174849$a24.97243@attbi_s03>...
> > > > > That's a new one on me. I have never seen a "none" group. The syntax also suggests
> > > > > that "none" is a local computer group. Try giving "users" from the local computer
> > > > > permissions to see if that works. The local users group on a domain computer contains
> > > > > the domain users group. Usually a group does not disappear, but instead you will see
> > > > > a bunch of numbers that are the unresolved sid for the group.
> > > > >
> > > > > It would be a good idea to give that computer a full virus scan with virus
> > > > > definitions up to date as of today since you are having unexplained behavior. Also
> > > > > run netdiag on it looking for any failed tests that may indicate a problem with
> > > > > domain access such as failed test/errors for dns, dc discover, kerberos, and domain
> > > > > membership-secure channel. netdiag is part of the support tools on the install cdrom
> > > > > in the support/tools folder where you will need to run the setup program here. ---
> > > > > Steve
> > > > >
> > > > >
> > > > > "corn29@ no_spam excite.com" <corn29@excite.com> wrote in message
> > > > > news:216bf30e.0407281358.670a3d20@posting.google.com...
> > > > > > Hello,
> > > > > >
> > > > > > Having a problem here with giving the group Domain Users rights to
> > > > > > objects. For example, I have a \bin\ folder. I right click on this
> > > > > > folder and select the Security tab. Then I click Add..., choose
> > > > > > Domain Users from the Entire Directory, and give the group full
> > > > > > control from the checkboxes.
> > > > > >
> > > > > > Here's where the problem starts. Members of Domain Users still aren't
> > > > > > getting the access they need to \...\bin\. If I go back and check the
> > > > > > security settings for that folder, there's no Domain Users listing.
> > > > > > In its place is a "None" group. Its syntax is None(<<Local computer
> > > > > > name>>\None).
> > > > > >
> > > > > > How can I keep this from happening? No matter how many times I try to
> > > > > > add Domain users to an object, it always changes to the None group.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > --CW
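
The duplicate-SID check recommended in the thread, sketched as an added example that is not part of the original posts: given machine SIDs collected per host (for instance with psgetsid), it flags hosts that share a SID and hosts whose machine SID equals the domain SID. The host names and SID values are constructed, and the RID 513 detail (Domain Users in a domain, None in a local account database) is general Windows behaviour rather than something the thread states.

```python
import re
from collections import defaultdict

SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)$", re.IGNORECASE)
RID_USERS = 513  # well-known RID: "Domain Users" in a domain, "None" in a local SAM

def normalize(sid):
    """Validate a machine/domain SID (S-1-5-21-a-b-c) and return canonical text."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a machine or domain SID: {sid!r}")
    subs = [int(g) for g in m.groups()]
    if any(v > 0xFFFFFFFF for v in subs):
        raise ValueError(f"sub-authority exceeds 32 bits: {sid!r}")
    return "S-1-5-21-" + "-".join(str(v) for v in subs)

def audit(domain_sid, machine_sids):
    """Return (clones, shadowing).

    clones:    {sid: [hosts]} for every machine SID held by more than one host
    shadowing: hosts whose machine SID equals the domain SID, so that
               <domain>-513 and <machine>-513 are one and the same SID
    """
    domain = normalize(domain_sid)
    by_sid = defaultdict(list)
    for host, sid in machine_sids.items():
        by_sid[normalize(sid)].append(host)
    clones = {s: sorted(h) for s, h in by_sid.items() if len(h) > 1}
    shadowing = sorted(by_sid.get(domain, []))
    return clones, shadowing

# Constructed sample data: not values from the thread.
DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"
INVENTORY = {
    "ws01": "S-1-5-21-2025429265-492894223-1708537768",
    "ws02": "s-1-5-21-2025429265-492894223-1708537768 ",  # same value as ws01
    "ws03": "S-1-5-21-839522115-1229272821-725345543",
    "ws04": DOMAIN_SID,                                   # same value as the domain
}

if __name__ == "__main__":
    clones, shadowing = audit(DOMAIN_SID, INVENTORY)
    for sid, hosts in clones.items():
        print(f"duplicate machine SID {sid}: {', '.join(hosts)}")
    for host in shadowing:
        print(f"{host}: {DOMAIN_SID}-{RID_USERS} is both Domain Users and {host}\\None")
```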