Solved

Why can't I get to batch files on new domain controller

Posted on 2008-10-17
15
805 Views
Last Modified: 2010-08-05
I recently installed a new DC and DCPROMOed it. It looks like it took all of the accounts and policies. The problem is that when you go to edit the policy in Group Policy editor and "show files", you can't edit the batch that sits on "SYSVOL". You get a distinct "access denied", but you can browse to it and edit it that way. Some users are trying to get their policies off of this, and are not running the batch. Help.
Question by:marksheeks
15 Comments
LVL 8

Expert Comment

by:Bradley Haynes
Check ownership in the Properties - Security tab...

Author Comment

by:marksheeks
b haynes,

Thanks for the quick response. I've already been there. Upon further investigation I think this is a DNS error, as I can't run Windows browser and browse to the domain. I can go there with a UNC path to any machine, but nothing shows up in the browser. Any DNS solutions are welcome.

Mark
LVL 8

Expert Comment

by:Bradley Haynes
Use the explorer window after you do an ipconfig /flushdns to clear the buffer.
If you can get there, use a browser to see if that works ... If not ...
Two areas I would check: the Browser and possible firewall settings (which I doubt is the prob), and more probably DNS as you stated.
You can download Bind and use dig.exe to get under the hood of dns and dns servers.
LVL 38

Expert Comment

by:ChiefIT
Go to the command prompt. Navigate to the folder these files you want to edit are in.

Type Attrib filename to find out what attributes this file has on it. If it is a system file, you may not be able to edit it. If it is a read only file, and inherited the read only attribute from the sysvol folder, then you will not be able to edit it. I think this all has to do with the attributes of the file.

The path to the file is a different story.

Tell me if you are getting this error:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23351830.html

Most folks don't reference the UNC path by DNS name (FQDN). Instead they use the Netbios name of the computer. UNC can use netbios names, DNS names, or IP addresses. To determine if this is a DNS problem, type "NSlookup computername" at the command prompt, where computername is the name of the computer you are trying to resolve a DNS query to.

Author Comment

by:marksheeks
ChiefIT,
Thank you for the response. I will try those things shortly. I may be barking up the wrong tree. I did a DNS diag and everything came back good except the KCC event log, which has an EVENTID 0x4000049D showing up about 25 times and fails on the KCC test. Also, I can't browse the network from this machine. It comes up with an access denied or network not available. I'm wondering if there's a leftover reference to this machine in DNS or SRV records someplace. Any help is appreciated. I have pressure to get this machine up right.
Mark

Author Comment

by:marksheeks
ChiefIT - yes sir, that's the error that I'm getting all right. I'll check the attributes, etc., but I think the root of this is the KCC error.

Mark
LVL 38

Expert Comment

by:ChiefIT
~~I'm wondering if there's a leftover reference to this machine in DNS or SRV records someplace.
metadata cleanup and verifying the SRV records should clean up any references to DNS.

~~Also, I can't browse the network from this machine
This sounds like a problem with the master browser. I assume you can't browse via My network places. This is consistent with a binding problem. Do you have multiple NICs or a VPN connection that could make the DC think it is multihomed?

~~came back good except the KCC event log, which has a EVENTID 0x4000049D showing up about 25 times and fails on the KCC test
Without the KCC operating 100%, you are not going to be able to authenticate and provide the proper Kerberos Access ticket to compare with the ACL of the file/folder.

Conclusion:
Sounds like you have two binding references and it is picking the wrong binding. You might have to go and remove records that reference the wrong NIC in DNS, prevent netbios from binding to the outside NIC or VPN connection, and also prevent DHCP from trying to give IP addresses to both bindings.

Quick tests:
NSLookup servername to DNS will not provide a solution if it is referencing the wrong binding
Browstat dumpnet will show two bindings that the browser service is bound to.
DHCP will be providing its clients an address on the outside NIC subnet.

Let me know if you need any how-tos to prevent this from happening.
LVL 38

Expert Comment

by:ChiefIT
If you are getting that error, it is almost 100% a problem with Internet Explorer Enhanced Security. But, I don't think that is your only problem. I still think you have a binding error. So, you can follow the fixes to IEES, but also look for the binding issues.

Author Comment

by:marksheeks
ChiefIT, NSlookup on any machine on the network resolves fine. Also the attributes on that file are only A. I can get to it outside of group policy and edit it just fine. Looks like this is a netbios error - I just don't know where to start to resolve it. Thanks for the suggestion. I have to keep digging.

Mark
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 125 total points
Good info coming in from you:

((here is the how to resolve your issues))

(((DNS)))
2003 server has a bug in it that registers both NICs' SRV records when the netlogon service is started. So, DNS binds to both NICs and you may experience intermittent domain authentication and DNS.

Step 1) To resolve these issues, follow this link: (NOTE: By default, 2003 server registers both NICs' SRV records in DNS)
 -- http://support.microsoft.com/?id=832478
Step 2) Once you prevent both SRV records from registering in DNS when the netlogon service restarts, then you need to prevent it from registering its DNS A records in DNS. To do this go to the NIC configuration>> TCP/IP properties>>Advanced Button>>DNS tab and disable the ability of the NIC to register its DNS settings in DNS.
Step 3) Once you have disabled the ability to register that outside NIC's DNS address, then you must remove all HOST A, SRV, and cached records of that outside NIC. I assume you already know how to remove HOST A records. To remove DNS cache, go to the command prompt and type IPconfig /flushDNS. To remove the SRV records, please follow the advice on this link:

http://support.microsoft.com/kb/241515


(((DHCP:)))
DHCP may try to provide DHCP to all network bindings. This could be a VPN or second NIC to the outside world. You can prevent it from providing DHCP to any binding by following these simple steps:

DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding

You can disable any binding from providing DHCP

(((NETBIOS)))
Preventing Netbios is a little more difficult to do on various types of Multihomed domain controllers. Not always does a DC use WINS when dealing with netbios. So, this is a bit more involved.

To prevent Netbios from binding to the outside binding or VPN connection binding, you must go to that binding and remove the ability of it to do "Netbios over TCP/IP" or "Netbios over DHCP".
For a VPN connection and Dual NICs:
Right click "My network Places">>select "properties">>right click "VPN connection" or the Second NIC>>Select "Properties" >>Select "TCP/IP">> Go to Properties>>Go to the "WINS" Tab>> and prevent it from providing "Netbios over TCP/IP" and also prevent it from performing "Netbios over DHCP"

Disabling File and Print sharing:
You may also wish to disable your outside NIC from broadcasting out your files and printers to the outside world. To do this, disable File and print sharing.

(((Default Gateway)))
Other things to look out for:
You should have one single gateway for your multihomed NICs. If you are routing over your server, it should be the outside NIC that has a gateway configured. If you have the second NIC to communicate with a few nodes on the network, your domain-side NIC should have the gateway configured. So, this is domain specific.
______________________________________________________________________
((IEES, Internet Explorer Enhance Security))
Now for the other error.

You may be using enhanced internet explorer security. This has nothing to do with AD credentials. As a security measure, all users, including administrators, will be denied from running operating-system-intrusive files (.exe, .bat, .msi, .reg as examples) from remote sites.

This may seem odd, but add the UNC path of the server you are trying to use into internet explorer's trusted sites. If this works, let me know. I am working on three others that this work around works for and I am trying to develop a fix rather than a work around.

example of UNC path is:

//server name/share name

There are two fixes for this on a domain level.

You could create a GPO and add these UNC paths and other sites you trust as trusted sites.

The second is to reduce your security by simply disabling IE enhanced security in Control panel Add/Remove programs Windows components. This renders the machine more vulnerable and is not the recommended way to fix this issue.


Author Comment

by:marksheeks
ChiefIT - there's only one NIC in the machine, but I'm certain we're heading the right way. A browstat dumpnet reveals the following:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\msheeks>browstat dumpnet

List of transports currently bound to the browser

     1 \Device\NetBT_Tcpip_{BCA72655-718E-4204-95B3-CB5D8E1AFE99}

C:\Documents and Settings\msheeks>

Next question is how do I figure out which device this is? Also, am I going to have to run NTDSUtil to clean this thing up, or is there some other shortcut? Thanks a bunch. Keep at it with me.

Mark
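Two of the diagnostics raised in this thread (identifying the adapter behind the NetBT transport GUID that browstat dumpnet prints, and checking which addresses the domain's DC SRV records point at, as in ChiefIT's DNS step 3) can be scripted. This is an added example, not code from the thread; it assumes a domain-joined Windows host with the DnsClient module (Resolve-DnsName), and the domain name and GUID parameters are placeholders to replace with your own values.

```powershell
# Added example (not from the thread). Maps the NetBT transport GUID shown by
# "browstat dumpnet" to a NIC, then lists the addresses advertised by the
# domain's DC SRV records and flags any record for this host that does not
# match a local address (a stale or wrong-IP registration).
param(
    [string]$DomainName    = 'corp.example',                            # placeholder
    [string]$TransportGuid = '{00000000-0000-0000-0000-000000000000}'   # from browstat dumpnet
)

# 1) Which adapter is behind \Device\NetBT_Tcpip_{GUID}? SettingID on
#    Win32_NetworkAdapterConfiguration carries the same adapter GUID.
$cfgs  = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$bound = $cfgs | Where-Object { $_.SettingID -eq $TransportGuid }
if (-not $bound) {
    Write-Warning "No IP-enabled adapter has SettingID $TransportGuid"
} else {
    "Browser/NetBT is bound to: $($bound.Description)"
    "  IP addresses            : $($bound.IPAddress -join ', ')"
    "  Registers in DNS        : $($bound.FullDNSRegistrationEnabled)"
    # TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled
    "  NetBIOS over TCP/IP     : $($bound.TcpipNetbiosOptions)"
}

# 2) Which addresses do the DC SRV records for this domain advertise?
$localIps = $cfgs | ForEach-Object { $_.IPAddress } |
            Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' }
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' }

foreach ($rec in $srv) {
    $aRecords = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'A' }
    foreach ($a in $aRecords) {
        # Only this host's own SRV target can be checked against local NICs.
        $isThisHost = $rec.NameTarget -like "$env:COMPUTERNAME.*"
        $flag = ''
        if ($isThisHost -and ($localIps -notcontains $a.IPAddress)) {
            $flag = '  <-- registered address is NOT on this host'
        }
        '{0,-40} {1,-16}{2}' -f $rec.NameTarget, $a.IPAddress, $flag
    }
}
```

Run it on the DC itself so the local-address comparison is meaningful; a flagged line points at an A or SRV record that needs cleaning up before the DC is re-registered.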

Author Comment

by:marksheeks
ChiefIT, no, taking out the IE enhanced security did nothing. I'm checking the NetBT settings and seeing where it's pointing. I'll get back shortly.

Mark
LVL 38

Expert Comment

by:ChiefIT
Let me clarify this.

IE enhanced security should be removed from the computer you are trying to access the share from, not the computer the share is on.

Then, after removal of IEES, I think you have to reboot.

Accepted Solution

by:marksheeks
marksheeks earned 0 total points
Chief IT, sorry it's taken so long to get back. As it turns out, it was all WINS related. One of the consultants DCPROMO'd it with the wrong IP, which went throughout WINS. Once I found it all in WINS and cleaned it out, took out WINS, unpromoted it and DCPROMO'd again, it all worked. The lesson here is don't DCPROMO until you have the right IP #. I'm going to give you the points for pointing me in the right direction. Thanks for your help and incredible effort. Mark
LVL 38

Expert Comment

by:ChiefIT
Excellent,

I am glad you got that figured out.