
Solved

Losing Domain

Posted on 2007-10-15
40
Medium Priority
1,433 Views
Last Modified: 2008-06-01
XP (SP2) clients on Win 2003 keep getting kicked off the domain; error message reads

Error: The system detected a possible attempt to compromise security. Please ensure that you can contact the server that authenticated you.

Code: 800704F1
Question by:rioja_robin
40 Comments

Expert Comment by KCTS (LVL 70), ID: 20076970
What is the error in the event log?

Expert Comment by BedouinDN (LVL 4), ID: 20077099
What sort of DNS setup do you have?
I assume your DC is your primary DNS server, however problems like this have been reported where conflicting DNS servers are present - i.e. the secondary DNS is a DSL router that is not routing internally and so client machines are not able to access internal resources etc.

Expert Comment by MSE-dwells (LVL 9), ID: 20077831
That's a result of Windows identifying what it refers to as a downgrade attack.  Verify that your DNS configuration is as it should be.  Verify replication and ensure you don't have two or more computers using the same name.

Can you provide more details regarding your domain's configuration -- DCs, OS versions, domain mode/functional levels, etc?

Author Comment by rioja_robin, ID: 20078144
Secondary DNS server controls all internet traffic.

Domain is very simple, one DC, 2 shared drives, one administrator and multiple users.

Structure is very simple to match my knowledge which is why I am struggling when something goes wrong.

Cheers

Expert Comment by MSE-dwells (LVL 9), ID: 20078182
How many computers in total?

Can you verify that the time (and, equally important, the time zone) on the DC and members are synchronized?

What is the IP address of the DC and what IP address or addresses do the clients DNS settings point toward?

Author Comment by rioja_robin, ID: 20078574
Between 50 and 70 computers.

Time on server and clients all synchronised to GMT
DC IP address 10.121.28.101

Clients DNS 212.85.15.40 and 212.85.15.10 (all through a third parties proxy server -proxy1.equinoxsolutions.com)

Expert Comment by MSE-dwells (LVL 9), ID: 20078868
I assume you're using Active Directory since it hasn't been specifically stated.  If so, it _REQUIRES_ a DNS zone named the same as it is stored on a DNS server (typically, that you own and control).  Most of the time, this is a (or the) Domain Controller.  The clients _MUST_ be configured to resolve against this DNS server alone (or this and another private DNS server that also holds the same zone) but they must NOT resolve against anything else.  Without this zone, clients will not function in a predictable fashion and, sometimes, not at all.  The private DNS server is then typically configured to forward requests to the ISP.

Expert Comment by BedouinDN (LVL 4), ID: 20082204
In other words, the DNS settings you have mentioned above are likely to be the cause of your problems.
Your client machines should only use your internal DNS server(s) and that DNS server should be configured to forward requests outside its own zone to the external DNS servers you currently have set on your client machines.

Expert Comment by MSE-dwells (LVL 9), ID: 20082217
Was I not sufficiently clear?  I'm interested since I find no additional content in your post ...

Expert Comment by BedouinDN (LVL 4), ID: 20082252
Apologies for sending you into a defensive stance, I claimed no additional content - merely attempting to clarify what I believed may be a bit confusing to some.

Expert Comment by MSE-dwells (LVL 9), ID: 20082273
Although I won't argue with the 'defensive stance' comment and I do appreciate your courtesy ... but I was serious, which aspect do you think is confusing?

Expert Comment by BedouinDN (LVL 4), ID: 20082334
OK..
In that case, I thought that the line:
"If so, it _REQUIRES_ a DNS zone named the same as it is stored on a DNS server" may be a bit confusing to someone who does not know much more about DNS than how to get the Windows Server to set it up automatically for them.
DNS zones are something that I have found some users find a confusing topic.
Again I apologise if you believed I was attempting to steal your thunder, I certainly did not intend to do so..

Expert Comment by MSE-dwells (LVL 9), ID: 20082349
Fair comment ... I asked the wife, she too was confused ;0) ... appreciate the input.

Author Comment by rioja_robin, ID: 20083960
Thanks for all your help - am I right in interpreting this as meaning that on my client machines I should tick the "Obtain DNS server address automatically" box in TCP/IP settings, which will automatically point DNS queries to the server which will then, in turn, redirect them to the secondary DNS server which is already specified?

If the above is the case, is there any specific advice as to how the secondary DNS server should be configured / set up in Windows Server 2003?

Very much appreciate all the help I am being given - I work in education and there is a zero budget for training (ironic really!)

Expert Comment by MSE-dwells (LVL 9), ID: 20085032
Not quite.  Ticking that box tells Windows to go and ask another computer for its configuration (specifically, a DHCP server).  It is typical to have a DHCP server but configuring it is an entirely manual process ... it won't just work by simply checking that box.

Could you logon at a client for me, select Start --> Run  ...  type 'CMD' and hit enter.  Then type 'ipconfig /all' without the single-quotes and paste back what it says (feel free to replace anything you feel should remain private).

PS - Are you a Domain Admin?

Author Comment by rioja_robin, ID: 20085241
Will do but not on site today, is tomorrow OK?

Expert Comment by MSE-dwells (LVL 9), ID: 20085302
Nod, of course - no rush on my end ;0)

Author Comment by rioja_robin, ID: 20091800
Have run ipconfig /all on both a client machine (that regularly drops off the server) and on the server itself; details below:

Client Machine

C:\Documents and Settings\Palm17>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Palm17
        Primary Dns Suffix  . . . . . . . : Curriculum.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : Curriculum.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-16-17-7C-0C-12
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.121.28.36
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.121.28.101
        DNS Server  . . . . . . . . . . . : 212.85.15.40
                                            212.85.15.10
        Lease Obtained. . . . . . . . . . : 17 October 2007 09:32:42
        Lease Expires . . . . . . . . . . : 27 October 2007 12:32:42


Server

C:\Documents and Settings\Administrator.CTS-CURRICULUM>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : cts-curriculum
        Primary Dns Suffix  . . . . . . . : Curriculum.local
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : Curriculum.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : SMC EZ Card 10/100 Fast Ethernet PCI Network Adapter
        Physical Address. . . . . . . . . : 00-04-E2-18-38-8D
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 10.121.28.101
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.121.28.1
        DNS Server  . . . . . . . . . . . : 10.121.28.101

Server Gateway address is for a web caching server which redirects all web traffic through an educational proxy server (proxy1.equinoxsolutions.com)

Hope I have supplied sufficient information - have not bothered to disguise address details as no secure data stored on this network. Thanks again for all the help I am being given.

Expert Comment by MSE-dwells (LVL 9), ID: 20092252
Notice that the workstation's DNS server is configured to a public name server (equinoxIT), although based on the names you've provided that may well be under your control.  Regardless, though not impossible, it's likely your clients should have their DNS resolver configured to the same address as the server (this does assume that the DNS zone was set up in the first place).

PS - the ipconfig /all that you ran on the 'server', was that a Domain Controller?

Author Comment by rioja_robin, ID: 20092449
DNS zone was initially set up but quite possible not all that well - any advice?

Sadly we have only one server so yes it is the DC

Expert Comment by MSE-dwells (LVL 9), ID: 20092486
1. Logon to the DC as the Administrator
2. Select Start --> Run --> DNSMGMT.MSC
3. Expand <SERVER NAME> --> Forward Lookup Zones
4. Is there a zone listed that is named the same as your AD domain?
5. If it's there, right click it and select Export List and paste the file here (again, feel free to change what you think is too revealing).

... your domain is almost certainly named 'Curriculum.local'.

Author Comment by rioja_robin, ID: 20092623
Domain name is Curriculum.local and this is listed in Forward Lookup Zones but when I right click there is no option to export, can I extract data and send another way? No issue in revealing data, this server holds pupils work files within a special needs school; any sensitive data stored on a wholly separate system.

Expert Comment by MSE-dwells (LVL 9), ID: 20092666
Try left clicking the zone first, then right click ...

Author Comment by rioja_robin, ID: 20092673
Notwithstanding my previous comment, by fiddling about a bit I managed to extract the following data - hope it is helpful



Exported 13:49 17/10/2007

Name                       Type                       Data
_msdcs
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
TAPI3Directory
(same as parent folder)    Start of Authority (SOA)   [1186], cts-curriculum.curriculum.local., hostmaster.
(same as parent folder)    Name Server (NS)           cts-curriculum.curriculum.local.
(same as parent folder)    Host (A)                   10.121.28.101
cachepilot                 Host (A)                   10.121.28.200
cts-curriculum             Host (A)                   10.121.28.101
LAPTOP-S-Mills             Host (A)                   10.121.28.19
PC10                       Host (A)                   10.121.28.11
PC11                       Host (A)                   10.121.28.14
PC13                       Host (A)                   10.121.28.113
PC15                       Host (A)                   10.121.28.187
PC3                        Host (A)                   10.121.28.103
PC5                        Host (A)                   10.121.28.105
PC6                        Host (A)                   10.121.28.106
PC9                        Host (A)                   10.121.28.109
WILLOW1                    Host (A)                   10.121.28.14
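One detail worth pulling out of that export: PC11 and WILLOW1 both have A records for 10.121.28.14. With dynamic updates and no scavenging, that is usually a stale record left behind by a machine that has since been given another address, and it is the address-side counterpart of the duplicate-name check MSE-dwells asked for earlier. The script below is an added example, not code from the thread: it reads a pasted 'Export List' dump and reports every IP claimed by more than one A record. The zone listing embedded in it is the Curriculum.local export above; the space-aligned separator handling is an assumption about how such pastes usually arrive.

```python
"""Spot A records that share an IP address in a DNS console 'Export List' dump.

Added example, not from the thread. The DNS MMC writes the list tab-separated;
pasted copies are usually space-aligned, so both separators are accepted.
"""
import re
from collections import defaultdict

# Copied from the Curriculum.local export posted in the thread.
ZONE_EXPORT = """\
Name                       Type                       Data
_msdcs
_sites
_tcp
_udp
DomainDnsZones
ForestDnsZones
TAPI3Directory
(same as parent folder)    Start of Authority (SOA)   [1186], cts-curriculum.curriculum.local., hostmaster.
(same as parent folder)    Name Server (NS)           cts-curriculum.curriculum.local.
(same as parent folder)    Host (A)                   10.121.28.101
cachepilot                 Host (A)                   10.121.28.200
cts-curriculum             Host (A)                   10.121.28.101
LAPTOP-S-Mills             Host (A)                   10.121.28.19
PC10                       Host (A)                   10.121.28.11
PC11                       Host (A)                   10.121.28.14
PC13                       Host (A)                   10.121.28.113
PC15                       Host (A)                   10.121.28.187
PC3                        Host (A)                   10.121.28.103
PC5                        Host (A)                   10.121.28.105
PC6                        Host (A)                   10.121.28.106
PC9                        Host (A)                   10.121.28.109
WILLOW1                    Host (A)                   10.121.28.14
"""

_SEP = re.compile(r"\t|\s{2,}")   # a tab from the real export, 2+ spaces from a paste

def parse_zone_export(text):
    """Return (name, type, data) tuples; folder rows that have no type/data are skipped."""
    records = []
    for line in text.splitlines()[1:]:             # the first row is the column header
        parts = [p.strip() for p in _SEP.split(line.strip()) if p.strip()]
        if len(parts) == 3:
            records.append(tuple(parts))
    return records

def a_record_collisions(records):
    """Map each IP that has more than one A record to the names pointing at it.

    The zone apex row '(same as parent folder)' legitimately repeats the DC's own
    A record, so it is not counted as a collision.
    """
    by_ip = defaultdict(list)
    for name, rtype, data in records:
        if rtype == "Host (A)" and name != "(same as parent folder)":
            by_ip[data].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}

if __name__ == "__main__":
    for ip, names in a_record_collisions(parse_zone_export(ZONE_EXPORT)).items():
        print(f"{ip} is claimed by {', '.join(names)}")
```

Two names on one address is worth resolving before anything else: whichever of the two machines is not really at .14 will be reached by name at the wrong host, and that is the sort of mismatch that shows up as an authentication failure rather than as a clean DNS error.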
 

Author Comment by rioja_robin, ID: 20092770
Our communications crossed, following your instructions exported following:

Name                       Type                                  Status
_msdcs.Curriculum.local    Active Directory-Integrated Primary   Running
Curriculum.local           Active Directory-Integrated Primary   Running
Equinox Solutions          Secondary                             Running

Expert Comment by MSE-dwells (LVL 9), ID: 20092970
You got it right the first time, apologies if my directions were slightly off.

The zone, from what I can tell, looks good.  Now, your clients are getting their IP addresses from the Domain Controller/DNS server/DHCP server so we'll need to edit its scope and possibly reconfigure DNS to restore most of the current name resolution behaviors.  Let's start with DNS -

1. Run DNSMGMT.MSC
2. Right click 'cts-curriculum'
3. Select Properties
4. Select Forwarders

... what do you see?

Now let's move on to DHCP -

1. Run DHCPMGMT.MSC
2. Expand 'cts-curriculum'
3. Expand (something like) Scope [10.121.28.0]
4. Select Scope Options

... what do you see?

Author Comment by rioja_robin, ID: 20093115
DNS

No "Forwarders" tab in properties - sorry if I am being thick; as you've obviously realised I am way out of my depth here.

DHCP

Option Name        Vendor      Value
002 Time Offset    Standard    0x0
003 Router         Standard    <None>
004 Time Server    Standard    <None>
003 Name server    Standard    <None>

Expert Comment by MSE-dwells (LVL 9), ID: 20093165
DNS-

There has to be a tab.  Let's try this again.  First, ensure you're logged on to the Domain Controller as the or an Administrator.  Run DNSMGMT.MSC, left click the computer's name, now right click it and select Properties.  The highlighted tab should be 'Interfaces', to its right is 'Forwarders'.

DHCP-

Run DHCPMGMT.MSC and expand per the previous instructions, this time, however, we want to expand 'Global options' not the scope ... what do you see in there?  In addition, within the DHCP Manager, when you expand the server name, what do you see there?

Author Comment by rioja_robin, ID: 20093412
DNS

Sorry DNSMGMT.MSC was still in state I last accessed it in, have gone back up a couple of levels and found exactly what you told me; info is:

DNS domain
All other DNS domains

Selected domain's forwarder IP address list
212.85.15.40
212.85.15.10

Number of seconds before forward queries time out: 5

DHCP
Hoping you mean Server Options as this and Scope only options available to me - info though is identical to Scope with one additional column "Class" for which each entry is "None"


Expanding server name gives me:

cts-curriculum.local [10.121.28.101]
-Scope [10.121.28.0] Scope1
    -Address Pool
    -Address Leases
    -Reservations
              [10.121.28.200] cachepilot
    -Scope Options
-Server Options


Expert Comment by MSE-dwells (LVL 9), ID: 20093731
OK, the DNS server is already configured to forward name resolution requests it cannot answer itself.

As for DHCP, we're going to need to configure your DHCP server to provide the address of your Domain Controller for the DNS server instead of the 212.85.15.40 and 212.85.15.10 it's handing out right now.  My problem is this, we haven't yet determined where those addresses are coming from unless they're configured statically ... hmmm (thinking out loud [so to speak] now), you somewhat implied that they are in an earlier part of our conversation.  Let's work on that basis, we'll need to do the following -

1. Within the DHCP Manager, expand the Scope [10.121.28.0], select Scope Options, right click Scope Options and select Configure Options, scroll down to item #6 and check the box.  The dialog below becomes available, in the server name enter cts-curriculum.curriculum.local, click resolve, you should see the IP address appear below, click Add followed by OK.

2. Now, this will need to be done on every Windows client computer assuming it's not serving some specialized purpose beyond that of a general user workstation.  Each computer needs to have its TCPIP configuration's DNS server configured to 'Obtain DNS server address automatically'.  I'd suggest for now that we do that on only one test machine, once done ... reboot the box and let me know what happens.  I'll also need the ipconfig /all output of that client following the reboot.

Author Comment by rioja_robin, ID: 20094478
Thanks - unfortunately I am once again off site (I am employed as desktop support to several schools - reasonably competent at that but rapidly become lost supporting networks; schools fail to recognise my limitations and, the way UK state schools are funded, don't have budget to pay for suitable training nor for external support!).

Once back on site will do as you suggest and forward relevant output data to you.

By the way your assumptions are correct.

Thanks again

Author Comment by rioja_robin, ID: 20100708
OK now have data listed below and it seems to work perfectly. To further my education can you explain two points:

1)  IP Address of DHCP server has changed from 10.121.28.10 to 10.121.28.252

                       and

2) Lease now expires after 1 hour.

Neither of these creates a problem for me but I would like to understand what is happening.

Client Machine

C:\Documents and Settings\Palm17>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Palm17
        Primary Dns Suffix  . . . . . . . : Curriculum.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : Curriculum.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-16-17-7C-0C-12
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.121.28.110
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.121.28.252
        DNS Server  . . . . . . . . . . . : 212.85.15.40
                                            212.85.15.10
        Lease Obtained. . . . . . . . . . : 18 October 2007 14:12:22
        Lease Expires . . . . . . . . . . : 18 October 2007 15:12:22

Finally, should I now manually change each machine to 'Obtain DNS server address automatically'? I assume so but given all the help you have given me I don't want to mar things by jumping the gun.

Best regards,

Robin

Author Comment by rioja_robin, ID: 20100734
Correction to DNS server addresses quoted above, second entry (212.85.15.10) does not exist; I cut and pasted from previous comment and was careless with my editing.

Expert Comment by MSE-dwells (LVL 9), ID: 20100776
It's still incorrect, the client's DNS configuration must point to 10.121.28.101 not the 212 address.

Expert Comment by MSE-dwells (LVL 9), ID: 20100847
... the new DHCP server address should NOT have occurred, I don't have an explanation as to why other than you have 2 competing DHCP servers servicing your clients.

Author Comment by rioja_robin, ID: 20100898
You're right it has just replicated the original problem - have noticed (though I don't know how relevant this is) that in DNSMGMT forward lookup zones Equinox Solutions (Secondary DNS Server) has an exclamation mark over its icon which, if expanded, yields the message "Zone Not Loaded by DNS Server".

Does this have any bearing on this issue and if so do you have any guidance on how I can correct?

Author Comment by rioja_robin, ID: 20101347
Have just discovered someone has arbitrarily accessed one of the wireless access points on our network and set it up as a DHCP server - don't know what this is intended to achieve but I now have to track down which WAP has been fiddled with and once I have corrected its configuration will once again send you the data output from ipconfig /all. Sorry to have wasted your time
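A rogue DHCP server is easiest to locate by asking for one: broadcast a DHCPDISCOVER and see who answers, then compare each offer's server identifier, DNS option and lease time with what the authorized scope hands out. The block below is an added example and not part of the thread. parse_offer(), decode() and check_offer() run offline on two DHCPOFFER packets constructed inside the block, whose values mirror what the two ipconfig dumps above showed (the DC at 10.121.28.101 offering a ten-day lease and itself for DNS, versus 10.121.28.252 offering one hour and a public resolver); the packet bytes themselves are built here, not captured. probe() really sends the DISCOVER and needs administrator rights and a live connection to the affected segment. The authorized-server set and the eight-hour lease threshold are assumptions for the example.

```python
"""Rogue DHCP server probe: broadcast a DISCOVER and parse every OFFER heard.

Added example, not from the thread. Packet layout follows RFC 2131; the two
sample offers are constructed from the values in the thread's ipconfig dumps.
"""
import random
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"               # RFC 2131 options cookie
AUTHORIZED_DHCP = {"10.121.28.101"}       # assumption: only the DC may offer leases
INTERNAL_DNS = {"10.121.28.101"}          # servers that host the AD zone
MIN_SANE_LEASE = 8 * 3600                 # assumption: the real scope hands out days
_HDR = "!BBBBIHH4s4s4s4s16s64s128s"       # fixed 236-byte BOOTP header

def build_discover(xid, mac):
    """DHCPDISCOVER with the broadcast flag set, asking for options 1, 6 and 51."""
    hdr = struct.pack(_HDR, 1, 1, 6, 0, xid, 0, 0x8000, b"\0" * 4, b"\0" * 4,
                      b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, 1, 55, 3, 1, 6, 51, 255])

def build_offer(xid, yiaddr, server, dns, lease):
    """Constructed DHCPOFFER, used only to exercise the parser offline."""
    hdr = struct.pack(_HDR, 2, 1, 6, 0, xid, 0, 0, b"\0" * 4, socket.inet_aton(yiaddr),
                      socket.inet_aton(server), b"\0" * 4, b"\0" * 16, b"\0" * 64, b"\0" * 128)
    opts = (bytes([53, 1, 2, 54, 4]) + socket.inet_aton(server)
            + bytes([51, 4]) + struct.pack("!I", lease)
            + bytes([6, 4 * len(dns)]) + b"".join(socket.inet_aton(d) for d in dns) + b"\xff")
    return hdr + MAGIC + opts

def parse_offer(pkt):
    """Return {'xid', 'yiaddr', 'options': {code: bytes}} for a BOOTREPLY, else None."""
    if len(pkt) < 240 or pkt[0] != 2 or pkt[236:240] != MAGIC:
        return None
    xid, yiaddr = struct.unpack("!I", pkt[4:8])[0], socket.inet_ntoa(pkt[16:20])
    options, i = {}, 240
    while i < len(pkt) and pkt[i] != 255:     # walk TLV options up to the End marker
        if pkt[i] == 0:                       # Pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(pkt):
            break
        code, length = pkt[i], pkt[i + 1]
        options[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"xid": xid, "yiaddr": yiaddr, "options": options}

def decode(offer):
    """Pull out what an audit cares about: who offered, which DNS, for how long."""
    o = offer["options"]
    ips = lambda b: [socket.inet_ntoa(b[k:k + 4]) for k in range(0, len(b) - 3, 4)]
    return {
        "yiaddr": offer["yiaddr"],
        "type": o.get(53, b"\0")[0],                          # 2 = OFFER
        "server": socket.inet_ntoa(o[54]) if 54 in o else None,
        "dns": ips(o.get(6, b"")),
        "lease": struct.unpack("!I", o[51])[0] if 51 in o else None,
    }

def check_offer(d):
    """Findings for one decoded offer; empty means it came from the expected server."""
    findings = []
    if d["server"] not in AUTHORIZED_DHCP:
        findings.append(f"unauthorized DHCP server {d['server']} offered {d['yiaddr']}")
    if not d["dns"] or any(ip not in INTERNAL_DNS for ip in d["dns"]):
        findings.append(f"offer hands out DNS {d['dns']} instead of the AD DNS server")
    if d["lease"] is not None and d["lease"] < MIN_SANE_LEASE:
        findings.append(f"lease of {d['lease']} s is far shorter than the authorized scope's")
    return findings

def probe(timeout=3.0, bind_ip="0.0.0.0"):
    """Broadcast one DISCOVER and return every OFFER heard within `timeout` s (needs root/admin)."""
    xid, mac = random.getrandbits(32), bytes(random.getrandbits(8) for _ in range(6))
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((bind_ip, 68))
    s.settimeout(timeout)
    s.sendto(build_discover(xid, mac), ("255.255.255.255", 67))
    offers = []
    try:
        while True:                           # no REQUEST is ever sent, so no lease is consumed
            pkt, _ = s.recvfrom(2048)
            offer = parse_offer(pkt)
            if offer and offer["xid"] == xid:
                offers.append(decode(offer))
    except socket.timeout:
        pass
    finally:
        s.close()
    return offers

if __name__ == "__main__":
    for pkt in (build_offer(1, "10.121.28.36", "10.121.28.101", ["10.121.28.101"], 864000),
                build_offer(1, "10.121.28.110", "10.121.28.252", ["212.85.15.40"], 3600)):
        d = decode(parse_offer(pkt))
        print(d["server"], "->", check_offer(d) or "OK")
```

Run probe() from a workstation on the affected segment and every offer whose server identifier is outside AUTHORIZED_DHCP points at the device to go and find; the client never sends a DHCPREQUEST, so the offered address is not taken. A server that only answers some clients (an access point on one switch, say) will not show up from every vantage point, so repeat from a couple of locations.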
 

Author Comment by rioja_robin, ID: 20107639
Eureka!  I think success is looming; WAP was bought in by member of staff to enable wireless access on personal laptop (only needed to ask - but what the hell!). Output data is listed below and looks OK to me - but what do I know - is there anything further I need to do before implementing DNS changes on all workstations?

Client Machine

C:\Documents and Settings\Palm17>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : Palm17
        Primary Dns Suffix  . . . . . . . : Curriculum.local
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : Curriculum.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-16-17-7C-0C-12
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.121.28.36
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DHCP Server . . . . . . . . . . . : 10.121.28.101
        DNS Server  . . . . . . . . . . . : 10.121.28.101
        Lease Obtained. . . . . . . . . . : 19 October 2007 09:19:39
        Lease Expires . . . . . . . . . . : 29 October 2007 12:19:39

Once again the time and help you have afforded me is really appreciated.
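The three ipconfig /all dumps in this thread (public resolvers handed out by the DC's own scope, then a lease from 10.121.28.252 with a one-hour lifetime, then the corrected one) are exactly what a check across all 50 to 70 machines should catch. The script below is an added example, not code from the thread: it parses pasted ipconfig /all text and flags any client whose DNS servers are not the internal server holding the AD zone (the design MSE-dwells and BedouinDN described earlier), whose lease came from a server other than the DC, or whose lease is suspiciously short. The DC address and the "only the DC runs DHCP" rule come from the thread; the eight-hour lease threshold is an assumption, and the sample dumps are abridged copies of the three posted above.

```python
"""Audit pasted `ipconfig /all` output against the resolver design for an AD domain.

Added example, not from the thread. Every domain member must resolve only against
the internal server(s) hosting the Curriculum.local zone and take its lease only
from the authorized DHCP server; anything else is reported as a finding.
"""
import re
from datetime import datetime

DC_IP = "10.121.28.101"        # the single DC, DNS and DHCP server in the thread
INTERNAL_DNS = {DC_IP}         # servers that hold the AD-integrated zone
AUTHORIZED_DHCP = {DC_IP}      # assumption: only the DC may hand out leases
MIN_SANE_LEASE = 8 * 3600      # assumption: a Windows scope lease runs for days, not an hour

_KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*?)\s*$")
_CONT = re.compile(r"^\s+(\S[^:]*?)\s*$")   # indented, no ':' => continuation of the previous value

def parse_ipconfig(text):
    """Map each 'Key . . . : value' line to a list of values; wrapped lines are appended."""
    fields, last = {}, None
    for line in text.splitlines():
        if ">" in line:                        # the 'C:\...>ipconfig /all' prompt line
            continue
        m = _KV.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2)
            if key.startswith("DNS Server"):   # XP prints 'DNS Servers'; the thread typed 'DNS Server'
                key = "DNS Servers"
            fields[key] = [value] if value else []
            last = key
            continue
        c = _CONT.match(line)
        if c and last:                         # e.g. the second DNS server on its own line
            fields[last].append(c.group(1))
        else:
            last = None
    return fields

def lease_seconds(fields):
    """Lease length from the Obtained/Expires timestamps, or None if they are missing."""
    fmt = "%d %B %Y %H:%M:%S"
    try:
        start = datetime.strptime(fields["Lease Obtained"][0], fmt)
        end = datetime.strptime(fields["Lease Expires"][0], fmt)
    except (KeyError, IndexError, ValueError):
        return None
    return int((end - start).total_seconds())

def audit(fields):
    """Return the design violations for one client; an empty list means it is configured correctly."""
    findings = []
    dns = fields.get("DNS Servers", [])
    if not dns or any(ip not in INTERNAL_DNS for ip in dns):
        findings.append(f"DNS servers {dns} are not the internal AD DNS server(s) {sorted(INTERNAL_DNS)}")
    dhcp = fields.get("DHCP Server", [])
    if fields.get("Dhcp Enabled") == ["Yes"] and dhcp and dhcp[0] not in AUTHORIZED_DHCP:
        findings.append(f"lease came from unauthorized DHCP server {dhcp[0]} (rogue DHCP?)")
    lease = lease_seconds(fields)
    if lease is not None and lease < MIN_SANE_LEASE:
        findings.append(f"lease is only {lease // 60} minutes; the authorized scope hands out days")
    return findings

# Abridged from the thread: before the fix, while the rogue access point was
# answering DHCP, and after the fix.
BEFORE_FIX = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : Palm17
        Primary Dns Suffix  . . . . . . . : Curriculum.local

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.121.28.36
        DHCP Server . . . . . . . . . . . : 10.121.28.101
        DNS Servers . . . . . . . . . . . : 212.85.15.40
                                            212.85.15.10
        Lease Obtained. . . . . . . . . . : 17 October 2007 09:32:42
        Lease Expires . . . . . . . . . . : 27 October 2007 12:32:42
"""
ROGUE_DHCP = """\
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.121.28.110
        DHCP Server . . . . . . . . . . . : 10.121.28.252
        DNS Servers . . . . . . . . . . . : 212.85.15.40
        Lease Obtained. . . . . . . . . . : 18 October 2007 14:12:22
        Lease Expires . . . . . . . . . . : 18 October 2007 15:12:22
"""
AFTER_FIX = """\
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.121.28.36
        DHCP Server . . . . . . . . . . . : 10.121.28.101
        DNS Servers . . . . . . . . . . . : 10.121.28.101
        Lease Obtained. . . . . . . . . . : 19 October 2007 09:19:39
        Lease Expires . . . . . . . . . . : 29 October 2007 12:19:39
"""

if __name__ == "__main__":
    for name, dump in (("before fix", BEFORE_FIX), ("rogue DHCP", ROGUE_DHCP), ("after fix", AFTER_FIX)):
        print(f"{name}: {audit(parse_ipconfig(dump)) or 'OK'}")
```

Collect `ipconfig /all > \\server\share\%COMPUTERNAME%.txt` from a logon script and feed each file to audit(); a client that still lists the 212.x resolvers after the scope change has a static DNS entry that the DHCP option cannot override, which is exactly the case the "Obtain DNS server address automatically" step in the thread exists for.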
 
Accepted Solution by MSE-dwells (LVL 9, earned 2000 total points), ID: 20108363
Let's give it a try ...

Author Comment by rioja_robin, ID: 20114264
time difference makes life difficult to respond as quickly as I should but will implement on all machines next time I am on site. Thanks for the massive help you have given.

Best regards

Robin