Solved

Why can't I get to batch files on new domain controller

Posted on 2008-10-17
15
808 Views
Last Modified: 2010-08-05
I recently installed a new DC and DCPROMOed it.  It looks like it took all of the accounts and policies.  The problem is that when you go to edit the policy in Group Policy editor and "show files", you can't edit the batch that sits on "SYSVOL".  You get a distinct "access denied", but you can browse to it and edit it that way.  Some users are trying to get their policies off of this, and are not running the batch.  Help.
0
Comment
Question by:marksheeks
  • 7
  • 6
  • 2
15 Comments
 
LVL 8

Expert Comment

by:Bradley Haynes
ID: 22746128
Check ownership in the Properties - Security tab...
0
 

Author Comment

by:marksheeks
ID: 22746168
b haynes,

Thanks for the quick response.  I've already been there.  Upon further investigation I think this is a DNS error, as I can't run Window browser and browse to the domain.  I can go there with a UNC path to any machine, but nothing shows up in the browser.  Any DNS solutions are welcome.

Mark
0
 
LVL 8

Expert Comment

by:Bradley Haynes
ID: 22746345
Use the explorer window after you do an ipconfig /flushdns to clear the buffer.
If you can get there use a browser to see if that works ... If not ...
Two areas I would check the Browser and possible firewall settings (which I doubt is the prob) and more probably dns as you stated.
You can download Bind and use dig.exe to get under the hood of dns and dns servers.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22756224
Go to the command prompt. Navigate to the folder these files you want to edit are in.

Type Attrib filename to find out what attributes this file has on it. If it is a system file, you may not be able to edit it. If it is a read only file, and inherited the read only attribute from the sysvol folder, then you will not be able to edit it. I think this all has to do with the attributes of the file.

The path to the file is a different story.

Tell me if you are getting this error:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23351830.html

Most folks don't reference the UNC path by DNS name (FQDN). Instead they use the Netbios name of the computer. UNC can use netbios names, DNS names, or IP addresses. To determine if this is a DNS problem, type "NSlookup computername" at the command prompt where computername is the name of the computer you are trying to resolve a DNS query to.
0
 

Author Comment

by:marksheeks
ID: 22760526
ChiefIT,
Thank you for the response. I will try those things shortly.  I may be barking up the wrong tree.  I did a DNS diag and everything came back good except the KCC event log, which has an EVENTID 0x4000049D showing up about 25 times and fails on the KCC test.  Also, I can't browse the network from this machine.  It comes up with an access denied or network not available.  I'm wondering if there's a leftover reference to this machine in DNS or SRV records someplace.  Any help is appreciated.  I have pressure to get this machine up right.
Mark
0
 

Author Comment

by:marksheeks
ID: 22760584
ChiefIT - yes sir, that's the error that I'm getting all right.  I'll check the attributes, etc, but I think the root of this is the KCC error.

Mark
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22760642
~~I'm wondering if there's a leftover reference to this machine in DNS or SRV records someplace.
metadata cleanup and verifying the SRV records should clean up any references to DNS.

~~Also, I can't browse the network from this machine
This sounds like a problem with the master browser. I assume you can't browse via My network places. This is consistent with a binding problem. Do you have multiple NICs or a VPN connection that could make the DC think it is multihomed?

~~came back good except the KCC event log, which has a EVENTID 0x4000049D showing up about 25 times and fails on the KCC test
Without the KCC operating 100%, you are not going to be able to authenticate and provide the proper Kerberos Access ticket to compare with the ACL of the file/folder.

Conclusion:
Sounds like you have two binding references and it is picking the wrong binding. You might have to go and configure remove records that reference the wrong NIC in DNS, prevent netbios from binding to the outside NIC or VPN connection, and also prevent DHCP from trying to give IP addresses to both bindings.

Quick tests:
NSLookup servername to DNS will not provide a solution if it is referencing the wrong binding
Browstat dumpnet will show two bindings that the browser service is bound to.
DHCP will be providing its clients an address on the outside NIC subnet.

Let me know if you need any how-tos to prevent this from happening.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22760664
If you are getting that error, it is almost 100% a problem with Internet Explorer Enhanced Security. But, I don't think that is your only problem. I still think you have a binding error. So, you can follow the fixes to IEES, but also look for the binding issues.
0
 

Author Comment

by:marksheeks
ID: 22760689
ChiefIT,  NSlookup on any machine on the network resolves fine.  Also the attributes on that file are only A.  I can get to it outside of group policy and edit it just fine.  Looks like this is a netbios error - I just don't know where to start to resolve it.  Thanks for the suggestion.  I have to keep digging.

Mark
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 125 total points
ID: 22760782
Good info coming in from you:

((here is the how to resolve your issues))

(((DNS)))
2003 server has a bug in it that registers both NIC's SRV records when the netlogon service is started. So, DNS binds to both NICs and you may experience intermittent domain authentication and DNS.

Step 1) To resolve these issues, Follow this link: (NOTE: By default, 2003 server registers both NICs SRV records in DNS)
 -- http://support.microsoft.com/?id=832478
Step 2) Once you prevent both SRV records from registering in DNS when the netlogon service restarts, then you need to prevent it from registering its DNS A records in DNS. To do this go to the NIC configuration>> TCP/IP properties>>Advanced Button>>DNS tab and disable the ability of the NIC to register its DNS settings in DNS
Step 3) Once you have disabled the ability to register that outside NIC's DNS address, then you must remove all HOST A, SRV, and cached records of that outside NIC. I assume you already know how to remove HOST A records. To remove DNS cache, go to the command prompt and type IPconfig /flushDNS. To remove the SRV records, please follow the advice on this link:

http://support.microsoft.com/kb/241515


(((DHCP:)))
DHCP may try to provide DHCP to all network bindings. This could be a VPN or second NIC to the outside world. You can prevent it from providing DHCP to any binding by following these simple steps:

DHCP snapin>>right click the server in question>>Select properties>>select the Advanced tab>>select binding

You can disable any binding from providing DHCP

(((NETBIOS)))
Preventing Netbios is a little more difficult to do on various types of Multihomed domain controllers. Not always does a DC use WINS when dealing with netbios. So, this is a bit more involved.

To prevent Netbios from binding to the outside binding or VPN connection binding, you must go to that binding and remove the ability of it to do ""Netbios over TCP/IP"" or ""Netbios over DHCP"".
For a VPN connection and Dual NICs:
Right click "My network Places">>select "properties">>right click "VPN connection" or the Second NIC>>Select "Properties" >>Select "TCP/IP">> Go to Properties>>Go to the "WINS" Tab>> and prevent it from providing "Netbios over TCP/IP" and also prevent it from performing "Netbios over DHCP"

Disabling File and Print sharing:
You may also wish to disable your outside NIC from broadcasting out your files and printers to the outside world. To do this, disable File and print sharing.

(((Default Gateway)))
Other things to look out for:
You should have one single gateway for your multihomed NICs. If you are routing over your server, it should be the outside NIC that has a gateway configured. If you have the second NIC to communicate with a few nodes on the network, your Domain, side NIC should have the gateway configured. So, this is domain specific.
______________________________________________________________________
((IEES, Internet Explorer Enhanced Security))
Now for the other error.

You may be using enhanced internet explorer security. This has nothing to do with AD credentials. As a security measure all users, including administrators, will be denied from running operating system intrusive files (.exe, .bat, .msi, .reg as examples) from remote sites.

This may seem odd, but add the UNC path of the server you are trying to use into internet explorer's trusted sites. If this works, let me know. I am working on three others that this work around works for and I am trying to develop a fix rather than a work around.

example of UNC path is:

//server name/share name

There are two fixes for this on a domain level.

You could create a GPO and add these UNC paths and other sites you trust as trusted sites.

The second is to reduce your security by simply disabling IE enhanced security in Control panel Add/Remove programs Windows components. This renders the machine more vulnerable and is not the recommended way to fix this issue.

0
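The DNS, DHCP and gateway checks ChiefIT lists above can be scripted on a current domain controller. The following is an added example written for this thread, not ChiefIT's own procedure or a Microsoft tool; it assumes Windows Server 2012 or later with the NetAdapter, NetTCPIP and DnsClient modules (the DHCP binding check is skipped when the DhcpServer module is absent), and takes the domain and DC name as parameters defaulting to the local machine.

```powershell
# Added example (not from the thread): audit a DC for the multihomed symptoms
# described above - more than one adapter registering in DNS, more than one
# default gateway, DHCP bound to an outside interface, and stale DNS records
# that point the domain at an address the DC no longer holds.
function Test-DcRegistration {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,   # assumed: the AD DNS domain
        [string]$DcName = $env:COMPUTERNAME     # assumed: this machine is the DC
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $adapters = Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }

    # 1. Per-adapter view: addresses, the "register this connection's address"
    #    setting from the DNS tab, and the default gateway (if any).
    $adapterInfo = foreach ($nic in $adapters) {
        $ips = @(Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.IPAddress })
        $dns = Get-DnsClient -InterfaceIndex $nic.ifIndex
        $gw  = @(Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.NextHop })
        [PSCustomObject]@{
            Adapter         = $nic.Name
            IPv4            = $ips -join ','
            RegistersInDns  = $dns.RegisterThisConnectionsAddress
            DefaultGateway  = $gw -join ','
        }
    }
    $registering = @($adapterInfo | Where-Object { $_.RegistersInDns })
    if ($registering.Count -gt 1) {
        $findings.Add('More than one adapter registers its address in DNS: ' + (($registering.Adapter) -join ', '))
    }
    $allGateways = @(Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue)
    if ($allGateways.Count -gt 1) {
        $findings.Add('More than one default gateway is configured (only one is expected)')
    }

    # 2. Netlogon's DnsAvoidRegisterRecords list controls which DC locator SRV
    #    records Netlogon registers; report it so the reader can see what is excluded.
    $netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    $avoid = if ($netlogon -and $netlogon.DnsAvoidRegisterRecords) { $netlogon.DnsAvoidRegisterRecords -join ',' } else { '(none)' }

    # 3. DHCP bindings: an enabled binding on an outside adapter hands out leases there.
    if (Get-Command Get-DhcpServerv4Binding -ErrorAction SilentlyContinue) {
        $bound = @(Get-DhcpServerv4Binding -ErrorAction SilentlyContinue | Where-Object { $_.BindingState })
        if ($bound.Count -gt 1) {
            $findings.Add('DHCP is bound to more than one interface: ' + (($bound.InterfaceAlias) -join ', '))
        }
    }

    # 4. What DNS says about this DC versus what it actually holds. Any A record
    #    for the DC name that is not a local address is stale (a wrong IP at
    #    DCPROMO time leaves exactly this kind of record behind).
    $localIps = @($adapterInfo | ForEach-Object { $_.IPv4 -split ',' } | Where-Object { $_ })
    $aRecords = @(Resolve-DnsName -Name "$DcName.$Domain" -Type A -ErrorAction SilentlyContinue |
                  Where-Object { $_.QueryType -eq 'A' })
    foreach ($rec in $aRecords) {
        if ($localIps -notcontains $rec.IPAddress) {
            $findings.Add("Stale A record for $DcName.$Domain -> $($rec.IPAddress)")
        }
    }
    # DC locator SRV records and the addresses their targets resolve to.
    $srvTargets = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
                    Where-Object { $_.QueryType -eq 'SRV' } |
                    ForEach-Object {
                        $t = @(Resolve-DnsName -Name $_.NameTarget -Type A -ErrorAction SilentlyContinue |
                               Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress })
                        [PSCustomObject]@{ Target = $_.NameTarget; Port = $_.Port; IPv4 = $t -join ',' }
                    })

    [PSCustomObject]@{
        Adapters                = $adapterInfo
        DnsAvoidRegisterRecords = $avoid
        DcLocatorSrv            = $srvTargets
        Findings                = $findings.ToArray()
    }
}

# Usage: run in an elevated PowerShell on the DC and read the Findings list.
$report = Test-DcRegistration
$report.Adapters | Format-Table -AutoSize
$report.DcLocatorSrv | Format-Table -AutoSize
$report.Findings
```

An empty Findings array means none of the multihomed conditions above were detected; a stale A record entry is the one to chase first, since the domain members and the KCC will keep using whatever address DNS hands them.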
 

Author Comment

by:marksheeks
ID: 22760943
ChiefIT -  there's only one NIC in the machine, but I'm certain we're heading the right way.  A browstat dumpnet reveals the following:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\msheeks>browstat dumpnet

List of transports currently bound to the browser

     1 \Device\NetBT_Tcpip_{BCA72655-718E-4204-95B3-CB5D8E1AFE99}

C:\Documents and Settings\msheeks>

Next question is how do I figure out which device this is?  Also, am I going to have to run NTDSUtil to clean this thing up, or is there some other shortcut..  Thank a bunch.  Keep at it with me.  

Mark
0
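The transport that browstat prints, \Device\NetBT_Tcpip_{GUID}, names the interface by its GUID, which is how Mark's "which device is this?" question can be answered without guessing. The script below is an added example for this thread, not part of the original posts or of browstat; it reads the GUID-to-connection-name mapping from the Network class key and the per-interface NetBT setting from the NetBT service key (both exist on Windows 2000 and later), and uses Get-NetAdapter, available on Windows Server 2012 and later, only as an optional cross-check. The transport string is a parameter; the usage line feeds it the live browstat output.

```powershell
# Added example (not from the thread): map a browstat "NetBT_Tcpip_{GUID}"
# transport back to the adapter it belongs to and show its NetBIOS setting.
function Resolve-NetbtTransport {
    param([Parameter(Mandatory)][string]$Transport)   # e.g. \Device\NetBT_Tcpip_{GUID}

    if ($Transport -notmatch '\{[0-9A-Fa-f-]{36}\}') {
        throw "No interface GUID found in '$Transport'"
    }
    $guid = $Matches[0]

    # Network class key: each interface GUID has a Connection subkey whose
    # Name value is the friendly "Local Area Connection"-style name.
    $classKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    $conn = Get-ItemProperty -Path "$classKey\$guid\Connection" -ErrorAction SilentlyContinue

    # NetBT keeps per-interface settings under Tcpip_{GUID}. NetbiosOptions:
    # 0 = take the setting from DHCP (default), 1 = enabled, 2 = disabled.
    $netbtKey = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_$guid"
    $netbt = Get-ItemProperty -Path $netbtKey -ErrorAction SilentlyContinue
    $netbiosText = if (-not $netbt) { 'no NetBT interface key' }
                   else {
                       switch ([int]$netbt.NetbiosOptions) {
                           0       { 'default (from DHCP)' }
                           1       { 'enabled' }
                           2       { 'disabled' }
                           default { "unknown ($($netbt.NetbiosOptions))" }
                       }
                   }

    # Optional cross-check: Get-NetAdapter exposes the same GUID as InterfaceGuid.
    $adapter = Get-NetAdapter -ErrorAction SilentlyContinue | Where-Object { $_.InterfaceGuid -eq $guid }
    $ipv4 = if ($adapter) {
        @(Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          ForEach-Object { $_.IPAddress }) -join ','
    } else { '' }

    [PSCustomObject]@{
        Transport        = $Transport
        InterfaceGuid    = $guid
        ConnectionName   = $conn.Name
        AdapterName      = $adapter.Name
        IPv4             = $ipv4
        NetbiosOverTcpip = $netbiosText
    }
}

# Usage: resolve every transport the browser service is currently bound to.
# browstat is a Resource Kit / Support Tools utility; the GUID is taken from its output.
browstat dumpnet |
    Select-String 'NetBT_Tcpip_' |
    ForEach-Object { Resolve-NetbtTransport -Transport ($_.Line.Trim() -split '\s+')[-1] } |
    Format-List
```

If two transports are listed and each maps to a different connection name, the DC is multihomed from the browser service's point of view, which is exactly the binding condition described earlier in the thread; a single transport with NetBIOS enabled, as in Mark's output, rules that out and points at name data (DNS or WINS) rather than bindings.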
 

Author Comment

by:marksheeks
ID: 22761211
ChiefIT, no, taking out the IE enhanced security did nothing.  I'm checking the NetBT settings and seeing where it's pointing.  I'll get back shortly.

Mark
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22774328
Let me clarify this.

IE enhanced security should be removed from the computer you are trying to access the share from, not the computer the share is on.

Then, after removal of IEES, I think you have to reboot.
0
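Whether IE Enhanced Security Configuration is actually on for the account in use, and whether the file server is already mapped to the Trusted sites zone (per user or through the "Site to Zone Assignment List" policy ChiefIT's GPO option sets), can be read from the registry on the machine the share is opened from. This is an added example for the thread, not a Microsoft tool or ChiefIT's procedure; it assumes the well-known Active Setup component GUIDs for IEES and the standard ZoneMap and ZoneMapKey locations, and takes the server name as a parameter.

```powershell
# Added example (not from the thread): on the client, report the IEES state
# and whether a UNC host is in the Trusted sites zone (zone id 2).
function Test-IeesTrustedHost {
    param([Parameter(Mandatory)][string]$ServerName)   # NetBIOS or DNS name used in the UNC path

    # Active Setup components that represent IEES for Administrators and Users.
    $ieesComponents = @{
        Administrators = '{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
        Users          = '{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'
    }
    $ieesState = @{}
    foreach ($group in $ieesComponents.Keys) {
        $p = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\$($ieesComponents[$group])" -ErrorAction SilentlyContinue
        $ieesState[$group] = if ($p) { [bool]$p.IsInstalled } else { $null }   # $null = key absent
    }

    # Per-user mapping: ZoneMap\Domains\<host>, value named after the scheme
    # ("file" for UNC hosts), data = zone number.
    $userZone = $null
    $domainKey = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$ServerName" -ErrorAction SilentlyContinue
    if ($domainKey -and $domainKey.PSObject.Properties['file']) { $userZone = [int]$domainKey.file }

    # Policy mapping from the GPO "Site to Zone Assignment List": ZoneMapKey holds
    # entries such as file://server = 2. HKLM (computer policy) wins over HKCU.
    $policyZone = $null
    foreach ($hive in 'HKLM', 'HKCU') {
        $zk = Get-ItemProperty "${hive}:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey" -ErrorAction SilentlyContinue
        if (-not $zk) { continue }
        $entry = $zk.PSObject.Properties | Where-Object { $_.Name -ieq "file://$ServerName" } | Select-Object -First 1
        if ($entry) { $policyZone = [int]$entry.Value; break }
    }

    [PSCustomObject]@{
        Server                = $ServerName
        IeesForAdministrators = $ieesState['Administrators']
        IeesForUsers          = $ieesState['Users']
        UserZone              = $userZone
        PolicyZone            = $policyZone
        TrustedSite           = (($userZone -eq 2) -or ($policyZone -eq 2))
    }
}

# Usage: the server name is whatever appears in the UNC path you are opening.
Test-IeesTrustedHost -ServerName 'SERVERNAME-PLACEHOLDER' | Format-List
```

When IeesForAdministrators is True and TrustedSite is False, the "access denied" on a .bat under SYSVOL is consistent with ChiefIT's IEES explanation and adding the host through the GPO is the fix that keeps IEES on; when IEES is off on the client and the error persists, as it did for Mark, the cause lies in name resolution or the DC itself rather than in the browser zone.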
 

Accepted Solution

by:
marksheeks earned 0 total points
ID: 22808537
Chief IT,  Sorry it's taken so long to get back.  As it turns out, it was all WINS related.  One of the consultants DCPROMO'd it with the wrong IP, which went throughout WINS.  Once I found it all in WINS and cleaned it out, took out WINS, unpromoted it and DCPROMO'd again, it all worked.  The lesson here is don't DCPROMO until you have the right IP #.  I'm going to give you the points for pointing me in the right direction.  Thanks for your help and incredible effort.  Mark
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 22810390
Excellent,

I am glad you got that figured out.
0
