LDAP: XP-SP2 client access to W2K DC server

Hello experts,
I experienced the following problem:
In an XP-SP2 client I logon into a domain on a W2K-DC (SP4).
The logon is successful.
Now I execute the following statement on the client:
   Set rootDSE = GetObject("LDAP://rootDSE")
The response is: The domain does not exist or a connection cannot be established.
When I use a client with XP-SP1 (or W2K Profi) in the same context, everything works.
Does anyone know what I need to change (in XP-SP2?) to make the environment work?
Thank you for any help.
HStrix

mdiglio Commented:
Hello,
First compare the DNS entries on your XP SP2 machine to the other machines that are working.

HStrix (Author) Commented:
Thanks, I created the XP2-SP2 from a copy of the XP-SP1.
So, what to compare?
The computername has changed and added to the DC.
A DNS server is not installed. I use DHCP from a host.

HStrix (Author) Commented:
On the network neighborhood of XP-SP2 I can access the DC's share.
 
mdiglio Commented:
What are the lines around the one line you posted?

Generally I don't see or use this the way you are using it.
try something like

Set objRootLDAP = GetObject("LDAP://RootDSE")
strDomain = objRootLDAP.Get("DefaultNamingContext")

you have the same rootDSE to the left and right of the operator,
that could be causing the problem

HStrix (Author) Commented:
The caller ( a cmd file):
   cscript showInfo.vbs //NOLOGO
   pause >nul
The vbs file:
   on error resume next
   ' AD Domain:
   isADS = false
   Set rootDSE = GetObject("LDAP://rootDSE") ' <== here the error appears if I comment out the "On error" line
   actErr = Err.number
   If actErr = 0 Then
       isADS = true
       ' Read the naming context only when the bind succeeded
       strADDomain = rootDSE.Get("defaultNamingContext")
   Else
       WScript.echo "AD does not exist"
   End If
   Set rootDSE = Nothing
   If isADS = true Then
       WScript.echo("AD:" + strADDomain)
   End If
   ...


mdiglio Commented:
test this out:


on error resume next
' AD Domain:

isADS = false
Set objRootLDAP = GetObject("LDAP://rootDSE") ' <== here the error appears if I comment out the "On error" line
actErr = Err.number
If actErr = 0 Then
      isADS = true
      ' Read the naming context only when the bind succeeded
      strADDomain = objRootLDAP.Get("defaultNamingContext")
  Else
      WScript.echo "AD does not exist"
End If

' Release the same object that was bound above
Set objRootLDAP = Nothing

If isADS = true Then
      WScript.echo("AD:" + strADDomain)
End If

HStrix (Author) Commented:
I get "AD does not exist"

HStrix (Author) Commented:
In addition I'm executing a logon script.
There the following appears:
...
C:\...\myadm>net send myserver "Hello from myadm on  clientXPSP2"
An error appeared during sending the message to myserver
The alias of the message on the network could not be found
For further help enter NET HELPMSG 2273
...
I think this situation has the same reason as the primary problem.

mdiglio Commented:
1) OK I have to get the DNS question out of my mind.
Can you run an ipconfig /all from the command line to verify?

2) Also in your script replace this line

   WScript.echo "AD does not exist"

with this

Wscript.echo err.number & vbtab & err.description

This will give a more detailed description.

3) check event viewer for errors on startup that might pertain to this situation

4) When you created this copy of the XP SP1 machine what utility did you use and do you use it often?
Basically want to see if you use something like GhostWalker to change the machine ID.

5) If this is a test machine then rejoin it to the domain using a different name

HStrix (Author) Commented:
Here is the ipconfig /all
---

C:\>ipconfig /all

Windows-IP-Konfiguration

        Hostname. . . . . . . . . . . . . : clientxpsp2
        Primäres DNS-Suffix . . . . . .: srvExchange.VMware
        Knotentyp . . . . . . . . . . . . . : Hybrid
        IP-Routing aktiviert. . . . . . . : Nein
        WINS-Proxy aktiviert. . . . . . : Nein
        DNS-Suffixsuchliste . . . . . .  : srvExchange.VMware
                                                   localdomain

Ethernetadapter LAN-Verbindung 2:

        Verbindungsspezifisches DNS-Suffix: localdomain
        Beschreibung. . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physikalische Adresse . . . . .: 00-0C-29-9D-B4-5B
        DHCP aktiviert. . . . . . . . .  . : Ja
        Autokonfiguration aktiviert .  : Ja
        IP-Adresse. . . . . . . . . . .  .. : 192.168.146.147
        Subnetzmaske. . . . . . . . . .  : 255.255.255.0
        Standardgateway . . . . . . . . : 192.168.146.2
        DHCP-Server . . . . . . . . . . . : 192.168.146.254
        DNS-Server. . . . . . . . . . . . : 192.168.146.2
        Primärer WINS-Server. . . .  : 192.168.146.2
        Lease erhalten. . . . . . . . . . : Dienstag, 23. Mai 2006 22:10:09
        Lease läuft ab. . . . . . . .. . . : Dienstag, 23. Mai 2006 22:40:09

C:\>
---

HStrix (Author) Commented:
for 2) I get only -2147023541    <== no description
 

for 3) I get (translation from German):
--- System event:
The resource entries for Host(A) for the following network adapter couldn't be registered:
   Adaptername : {61B348EB-5A5F-48DC-90FE-07492EB5A937}
   Hostname : clientxpsp2
   Primary Domain suffix : srvExchange.VMware
   DNS server list :
           192.168.146.2
   Server, to whom the Update has been send : <?>
   IP-Adresse(s) :
     192.168.146.147
The resource entries couldn't be registered because the DNS server has rejected the Update request.
Possible reasons are:
(a) You are not allowed to actualize the DNS domain name
(b) the authorized DNS server does not support dynamical DNS update
Further information can be received from http://go.microsoft.com/fwlink/events.asp.
--- Application event
The DC for your network could not be detected.
The given Domain does not exist or a connection couldn't be established.
The processing of the group directive has cancelled.

The automatic certificate registration for "local" Computer couldn't establish a connection to the Active Directory (0x8007054b).

The CRM protocol file has been created initially on a computer with another name. It has been actualized with the name of the current Computer.
If this warning is displayed after changing of a computername, no further action is required. clientxpsp1
---

HStrix (Author) Commented:
for 4) I'm using VMware, my process was as follows:
- copy the files of the VM containing XP-SP1
- start XP-SP1, change domain to workgroup
- start copied XP-SP1, change domain to workgroup, change computername, upgrade with SP2
  join XP-SP2 to domain
- join XP-SP1 to domain <== this VM one is working

for 5) it is a test machine so I could rejoin
  ==> then rejoin it to the domain using a different name
  What do you mean here?

mdiglio Commented:
Thanks-
Yes you were right the DNS Entries look fine

With this System Event you posted what is the Source and the EVENT ID ?

HStrix (Author) Commented:
The source is DnsApi, the Event ID is 11165.

mdiglio Commented:
Ooopps didn't see your last post...

I've never used VMware so I'm not sure about the procedures.
Are you supposed to change the machine's account ID somewhere in the process, the SID?
Or is it done for you?

I wanted you to rejoin the computer using a different name to force a new object to be created in AD

sometimes I have better results with problems like this when I either
a) disjoin the computer from the domain and rename it so it joins the Domain as a new/different object
b) Disjoin the computer from the Domain then DELETE the computer in Active Directory Users and Computers

HStrix (Author) Commented:
What is disjoining a domain?
Is it equivalent to changing a domain to a workgroup?
I made using System-Computername on the client only.

HStrix (Author) Commented:
I cannot remember if I have been asked to change the SID?

mdiglio Commented:
Sorry about that, Yes that is right.
When I said disjoining it is the same as changing a domain to a workgroup

mdiglio Commented:
I've never used VMWare so only do what you are comfortable doing

HStrix (Author) Commented:
XP-SP2 client: I changed the domain to a workgroup
   restart
   logon
Server: I deleted the computer for XP-SP2
XP-SP2 client: the system is re-started
   the firewall is inactive
   I modified the computername to clientxp-sp2
   I rejoined the computer to the domain
   restart
   logon (not OK)
   logon (OK - without changes!)
   after this the new computername appears on the server in Computers
XP-SP2: the problem is still there

mdiglio Commented:
I've been trying to find info on that error message you posted. DnsApi, Event ID is 11165
Most articles say to make sure that your DNS is setup to allow dynamic updates

I can't imagine this being your problem but here is where to look...
Open DNS management > expand your server > forward lookup zones > you should see your dns zone.
Now right click on this > choose properties > on the General tab you will see 'Dynamic Updates'

There are plenty of articles out there that discuss this error message.
I'll try to find the better ones and post back. So far they all say the
same thing about allowing Dynamic Updates

HStrix (Author) Commented:

Dynamic Updates:  Only secured actualization  <== I could set this to Yes or No?

Type:  Active Directory integrated

On the right side of the DNS window I see
  - the name of the server and its IP (DHCP one)
  - the name of the XP-SP1 client        ---  Host                  --- old IP
    old IP means that in the past the IP was fix and not DHCP based
 - (identical with higher-ranked folder) --- Host                  --- DHCP IP of the server
 - (identical with higher-ranked folder) --- Nameserver       --- AD-name
 - (identical with higher-ranked folder) --- Authority source --- AD-name, admin-AD-name

mdiglio Commented:
There should be 3 choices
1) None
2) non secure and secure
3) Secure

If you have it set for either 2 or 3 it should be fine
If you feel comfortable doing so choose number 2 for testing purposes

Is this the only XP SP2 machine in your environment?
Try this also
open 'network and internet connections' in control panel > click network connections >
right click your connection and choose 'repair'

When you were in DNS management what was the zone name where you saw the properties for Dynamic Updates... was it  srvExchange.VMware ?

In DNS Management you will also see a DNS Event log under Event Viewer, is there anything in there that might help?

Here is an article from MS that is pretty thorough but it seems a bit of an extreme step to take right now.

Information about configuring Windows for domains with single-label DNS names
http://support.microsoft.com/kb/300684

I would feel better if you can stop and restart the dns service for a test to see if that corrects anything before making any changes. Only if you can do so safely

mdiglio Commented:
In other words...do not follow the steps in that article yet.
Just read it and see if it applies to your situation

HStrix (Author) Commented:
Thank you mdiglio,
I'm checking the information you've supplied.
I'll keep you informed.

HStrix (Author) Commented:
In the meantime I made several checks
and - it is getting strange.
SP2 is still not working for LDAP.
SP1 works for a time and after a while it stops working for LDAP.
But now I changed also the W2K server (DNS, DHCP,...) ,
so I'm encountering problems having a usable environment;
fortunately the server still works as expected.
Because of this situation I'm going to close this question.
Your last comment looks good to me, so I'll accept this.
Sorry for the situation, and - thank you very much for your help.

HStrix

HStrix (Author) Commented:
FYI, I continued checking my environment
and I found the reason for the problem:
In my Tcp/IP properties I used "Obtain DNS server address automatically".
I changed this to "Use the following DNS server addresses"
and inserted the IP address of my W2K server.
And - voila it worked.
I don't understand why it worked for W2K clients before..
But I'm glad that it is now working.
Thank you again for your help.
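
Added example (not part of the original thread): the script's error number -2147023541 and the 0x8007054b in the application event are the same HRESULT, and the Python sketch below decodes it and then asks a given DNS server for the domain controller locator SRV record, which is the lookup that "LDAP://rootDSE" depends on. The function names are hypothetical, and the record name `_ldap._tcp.dc._msdcs.<domain>` is the standard Active Directory locator name rather than something quoted in the thread; run it once per DNS server (the DHCP-assigned one and the W2K server) to compare.

```python
import socket
import struct
import sys

ERROR_NO_SUCH_DOMAIN = 1355  # Win32: domain does not exist or could not be contacted

def decode_hresult(value):
    """Split a signed or unsigned HRESULT into (failed, facility, code)."""
    u = value & 0xFFFFFFFF
    return bool(u >> 31), (u >> 16) & 0x7FF, u & 0xFFFF

def dc_locator_name(ad_domain):
    """SRV owner name a client looks up to find a domain controller."""
    return "_ldap._tcp.dc._msdcs." + ad_domain.rstrip(".")

def build_srv_query(name, query_id=0x1234):
    """Encode a standard recursive DNS query for the SRV record of name."""
    header = struct.pack(">HHHHHH", query_id, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 33, 1)  # type SRV, class IN

def summarize_response(packet):
    """Return (rcode, answer_count) from a DNS response header."""
    _id, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    return flags & 0x000F, ancount

def can_locate_dc(ad_domain, dns_server, timeout=3.0):
    """True if dns_server returns at least one SRV answer for the domain's DCs."""
    query = build_srv_query(dc_locator_name(ad_domain))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (dns_server, 53))
            reply, _ = s.recvfrom(4096)
        except OSError:  # timeout or unreachable server
            return False
    rcode, answers = summarize_response(reply)
    return rcode == 0 and answers > 0

if __name__ == "__main__":
    # Usage: script.py <AD DNS domain> <DNS server IP>, values taken from ipconfig /all
    failed, facility, code = decode_hresult(-2147023541)
    print(failed, facility, code, code == ERROR_NO_SUCH_DOMAIN)
    if len(sys.argv) == 3:
        print("DC locatable:", can_locate_dc(sys.argv[1], sys.argv[2]))
```
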

mdiglio Commented:
That's great!
Was this the dns address that you used 192.168.146.2 ?

HStrix (Author) Commented:
That is the gateway address in the VMs.

On the host, the VMware8 IP is 192.168.146.1

On the VMs (it seems to be required using NAT)
 - the IPs are 192.168.146.x   (if they are based on DHCP)
 - the DHCP is 192.168.146.254
 - the Gateway is 192.168.146.2

mdiglio Commented:
Good job, I'm glad you got it figured out

HStrix (Author) Commented:
This also means
you've been right in thinking that the problem is DNS related!

I thought the system is doing it right,
but it didn't - it needed to be done manually.
So, I learned something,
and - it will not be the last one :-)

HStrix (Author) Commented:
Sorry, it looks that there was something in a clipboard ...