marksheeks

asked on

Why can't I get to batch files on new domain controller

I recently installed a new DC and DCPROMOed it.  It looks like it took all of the accounts and policies.  The problem is that when you go to edit the policy in Group Policy editor and "show files", you can't edit the batch that sits on "SYSVOL".  You get a distinct "access denied", but you can browse to it and edit it that way.  Some users are trying to get their policies off of this, and are not running the batch.  Help.
Bradley Haynes

Check ownership in the Properties - Security tab...
marksheeks

ASKER

b haynes,

Thanks for the quick response.  I've already been there.  Upon further investigation I think this is a DNS error, as I can't run Window browser and browse to the domain.  I can go there with a UNC path to any machine, but nothing shows up in the browser.  Any DNS solutions are welcome.

Mark
Use the explorer window after you do an ipconfig /flushdns to clear the buffer.
If you can get there use a browser to see if that works ... If not ...
Two areas I would check: the Browser and possibly firewall settings (which I doubt is the prob), and more probably DNS as you stated.
You can download Bind and use dig.exe to get under the hood of dns and dns servers.
Go to the command prompt. Navigate to the folder these files you want to edit are in.

Type Attrib filename to find out what attributes this file has on it. If it is a system file, you may not be able to edit it. If it is a read only file, and inherited the read only attribute from the sysvol folder, then you will not be able to edit it. I think this all has to do with the attributes of the file.

The path to the file is a different story.

Tell me if you are getting this error:
https://www.experts-exchange.com/questions/23351830/Admin-Permission-issue.html

Most folks don't reference the UNC path by DNS name (FQDN). Instead they use the Netbios name of the computer. UNC can use netbios names, DNS names, or IP addresses. To determine if this is a DNS problem, type "NSlookup computername" at the command prompt where computername is the name of the computer you are trying to resolve a DNS query to.
ChiefIT,
Thank you for the response. I will try those things shortly.  I may be barking up the wrong tree.  I did a DNS diag and everything came back good except the KCC event log, which has an EVENTID 0x4000049D showing up about 25 times and fails on the KCC test.  Also, I can't browse the network from this machine.  It comes up with an access denied or network not available.  I'm wondering if there's a leftover reference to this machine in DNS or SRV records someplace.  Any help is appreciated.  I have pressure to get this machine up right.
Mark
ChiefIT - yes sir, that's the error that I'm getting all right.  I'll check the attributes, etc, but I think the root of this is the KCC error.

Mark
~~I'm wondering if there's a leftover reference to this machine in DNS or SRV records someplace.
Metadata cleanup and verifying the SRV records should clean up any references to DNS.

~~Also, I can't browse the network from this machine
This sounds like a problem with the master browser. I assume you can't browse via My network places. This is consistent with a binding problem. Do you have multiple NICs or a VPN connection that could make the DC think it is multihomed?

~~came back good except the KCC event log, which has a EVENTID 0x4000049D showing up about 25 times and fails on the KCC test
Without the KCC operating 100%, you are not going to be able to authenticate and provide the proper Kerberos Access ticket to compare with the ACL of the file/folder.

Conclusion:
Sounds like you have two binding references and it is picking the wrong binding. You might have to go and configure remove records that reference the wrong NIC in DNS, prevent netbios from binding to the outside NIC or VPN connection, and also prevent DHCP from trying to give IP addresses to both bindings.

Quick tests:
NSLookup servername to DNS will not provide a solution if it is referencing the wrong binding
Browstat dumpnet will show two bindings that the browser service is bound to.
DHCP will be providing its clients an address on the outside NIC subnet.

Let me know if you need any how-tos to prevent this from happening.
If you are getting that error, it is almost 100% a problem with Internet Explorer Enhanced Security. But, I don't think that is your only problem. I still think you have a binding error. So, you can follow the fixes to IEES, but also look for the binding issues.
ChiefIT,  NSlookup on any machine on the network resolves fine.  Also the attributes on that file are only A.  I can get to it outside of group policy and edit it just fine.  Looks like this is a netbios error - I just don't know where to start to resolve it.  Thanks for the suggestion.  I have to keep digging.

Mark
ChiefIT -  there's only one NIC in the machine, but I'm certain we're heading the right way.  A browstat dumpnet reveals the following:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\msheeks>browstat dumpnet

List of transports currently bound to the browser

     1 \Device\NetBT_Tcpip_{BCA72655-718E-4204-95B3-CB5D8E1AFE99}

C:\Documents and Settings\msheeks>

Next question is how do I figure out which device this is?  Also, am I going to have to run NTDSUtil to clean this thing up, or is there some other shortcut?  Thanks a bunch.  Keep at it with me.

Mark
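
Added example, not part of the thread: a read-only batch script that gathers the checks discussed above in one pass (which connection owns the NetBT transport GUID, what the DC has registered in DNS and NetBIOS, whether SYSVOL is shared, and the KCC event test). The domain name corp.example.local is a placeholder; the GUID is the one from the browstat output above; dcdiag and nltest are assumed to be installed from the Windows Support Tools.

```batch
@echo off
rem Added example, not from the thread. Every command below only reads state.
setlocal

rem Placeholder: replace with the Active Directory DNS domain name.
set DOMAIN=corp.example.local

rem Transport GUID copied from the "browstat dumpnet" output in the thread.
set GUID={BCA72655-718E-4204-95B3-CB5D8E1AFE99}

rem Registry key under which Windows lists its network connections by GUID.
set NETKEY=HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}

echo === 1. Connection name that owns the NetBT transport ===
reg query "%NETKEY%\%GUID%\Connection" /v Name

echo === 2. Addresses and DNS servers configured on this DC ===
ipconfig /all | findstr /i /c:"IP Address" /c:"IPv4" /c:"DNS Servers"

echo === 3. DC locator SRV records (look for stale or wrong hosts) ===
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%

echo === 4. Host records returned for the domain name itself ===
nslookup %DOMAIN%

echo === 5. NetBIOS names registered on each interface ===
nbtstat -n

echo === 6. SYSVOL and NETLOGON shares (both must exist on a working DC) ===
net share | findstr /i "SYSVOL NETLOGON"

echo === 7. KCC event test (the test reported as failing in the thread) ===
dcdiag /test:kccevent

echo === 8. Which DC the locator actually returns for the domain ===
nltest /dsgetdc:%DOMAIN%

endlocal
```

An address in steps 3 or 4 that does not appear in step 2, or a missing share in step 6, points at stale registrations or an incomplete promotion rather than at file permissions.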
ChiefIT, no, taking out the IE enhanced security did nothing.  I'm checking the NetBT settings and seeing where it's pointing.  I'll get back shortly.

Mark
Let me clarify this.

IE enhanced security should be removed from the computer you are trying to access the share from, not the computer the share is on.

Then, after removal of IEES, I think you have to reboot.
Excellent,

I am glad you got that figured out.