horatio_too

asked on

Unable to add client PCs to SBS 2003 domain

Hi

Over the last couple of days, set up a new Dell PowerEdge 1900 for a client running SBS 2003 Premium R2 (2 NIC config). Although not our main line of business, we do 5-6 SBS installations a year and have never had any major issues.

However, on this install none of the clients will connect to the SBS server. Whether we use //servername/ConnectComputer or Right-click on MyComputer and attempt to add to domain, it fails, the latter with "The network path was not found".

Other salient points:-

Client PCs are happily using the SBS server as a proxy and can access the Internet fine

Attempts to browse the server, either by FQDN or IP address, fail - again with path not found.

Pings on the server name AND IP address work fine

Client PCs are getting their IP address from SBS server DHCP

Re-ran CEICW, but made no difference

ISA 2004 SP3 installed

Many threads that we have seen over the last 24 hours mention DNS as a likely cause, but (a) we have only got DNS as SBS self-configured itself and (b) The fact that \\IP Address fails almost feels like a firewall issue ???

As always, any help or guidance appreciated

Horatio_too
Pete Long

Hello horatio_too,

Have you run out of SBS CALs?
Administrative tools > Licensing

Regards,

PeteLong
MarkMichael

Please paste your ipconfig /all results for both the server and a client PC here.
Sounds like an ISA 2004 problem to me.
Check this resource for how to configure ISA 2004. They know best......
http://www.isaserver.org/

To me it sounds like you have not configured your internal/external networks properly.
Please confirm that each of the PC's and the users are still in their default OU's where the installer put them.
You should ALWAYS use the connectcomputer option to install clients to the SBS system.
Is this the ISA version supplied as part of SBS Premium as opposed to standard ISA?

Have you run the ISA bpa?
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en

Open the ISA gui on the SBS box
Select monitoring - logging - start query
Try and connect with a client - what do you see appear in the logging window?

Keith
ISA MVP

ASKER

Dear Experts

As always, thanks for your prompt replies.

PeteLong -
They only have the 5 "out-of-the-box" CALs, but so far a max of 1 has been used

MarkMichael - IPconfig files for client and SBS server attached

Tech Tonic - I am inclined to agree with you, but will be blowed if I can see what I am doing wrong ! Anyway, I thought that CEICW set up the basic ISA rules ?

Keith Alabaster -
(1) Computers are still in the same OU container as usual (MyBusiness/Computers/SBSComputers)
(2) Using ISA 2004 as supplied with the SBS Premium 2003 R2, with SP3 downloaded and applied
(3) Have run ISA BPA, but apart from telling me that a number of rules have (unsurprisingly) not been used, could not see anything obvious there
(4) Did some ISA logging, but did not get any "denied" type (or "red") events listed.

Hope that this feedback helps. Once again thanks for the input.

Kind regards

Horatio_too
server-ip.txt
client-ip.txt
Just to be pedantic, you obviously don't need a wins server on the external nic.

Yes, the CEICW sets up basic rules for config and connectivity.
Two aspects to this issue then.
The first is that clients ARE talking quite happily to the SBS box else the internet connections wouldn't work - as ISA is on the SBS box and internet traffic has to be authenticated by SBS then this is one aspect.

The second aspect is clients talking directly to SBS where SBS is the destination.
Can you browse/view/see the clients from the SBS server - is the issue in one direction only?

Keith
Hi Keith
Thanks for your further response.
Your summary of the situation accords with my view and it's why I think that it may be as silly as a firewall rule being too protective. ISA is not an area that I have much experience of - normally we just run the wizard and, like most of SBS, 'it just works' !

Unfortunately, for productivity reasons, this morning all PCs were plugged straight into the router, to at least allow full POP and browser access until I get this resolved (these were working via ISA, but (a) Firefox 3 was continually asking for ISA authentication and (b) By avoiding the SBS box, I can meddle with it without interfering with office productivity).

Unfortunately, therefore, despite remote access onto the SBS box, I cannot immediately answer your question about whether it is a uni- or bi-directional problem. If we cannot get a quick resolution, then we will put in one of our own PCs as a client for testing purposes and see where that takes us.

PS "Pedantic" is fine ! (Although, in truth, we should not actually need a WINS server on the LAN either - it was just a clutched straw)

Kind regards

Horatio_too

Howdy Horatio_too.  This sounds like a job for "Norton Internet Security" or "some other 3rd party firewall on the workstations" <ta-da>

Uninstall it on one of the workstations (or configure it to allow everything on that local subnet access inbound and outbound)  and see if you can http://servername/connectcomputer

If that works, you can configure the 3rd party firewall to allow the computers to join to the server.

Good luck... Eric
Hi Eric
Thanks for your thoughts. Unfortunately, although the client PCs (Dell Vostro 220s) DID come with NIS, it was only a 30 day trial and so was immediately uninstalled even before attempting to add the clients to the domain - we already had purchased Endpoint to cover the whole network.

Thanks anyway

Horatio_too
lol - you dumped the cr*p NIS? Excellent. You have just jumped two notches in my estimation scale....
Howdy, horatio_too.  Glad you eliminated 3rd party firewalls as the culprit.  Next step is to either learn to configure ISA, or uninstall it.  Your choice.  If you want to configure ISA, then I can give you a quick (very quick) set of commands that will let you get your computers connected, but if you're going to support this network, you've got to make a decision - learn ISA, or dump it.  (Unless the customer requirements are to use ISA, if you haven't learned it yet, I'd recommend you uninstall it and make sure you have a good business-class firewall between the Internet and the internal network)

Let me know what you decide.  thanks, Eric
Uninstall it? Dump it? I'm out of here.

Keith
Hi Eric

Looks like it's a get up-to-speed-quick with ISA, then. Offered the client a Sonicwall to sit on the edge of their network, but they did not want to know.

Have some experience with ISA (created some basic rules to allow certain protocols through, etc), but up until now it has been generally "run the SBS wizards and it just works".

Time for the crash course !

Horatio_too

Howdy Horatio_too.  Ok, here you go.  
Actually, do this test before adding the ISA rule - can you reach companyweb from one of the workstations (after it's connected back on the internal network)?  It seems sort of weird that the proxy is already installed, since the connectcomputer wizard didn't run...
Oh wow, I forgot to ask, what is the OS of the workstations?  XP or Vista?  If they're Vista, you need to patch the SBS2003 server...
 
rut-roh?  Eric
Hi Eric

Proxy was a manual configuration of IE/Firefox/Thunderbird AFTER we were unable to connect the clients to domain.

(Although even then, Firefox 3 still repeatedly asks for the ISA username/password - perhaps 30-40 times depending on page visited !)

All PCs (only 3-4 at this stage) are running XP Pro SP3, although, for my future reference, what would we need to do differently for Vista ?

Any guidance for ISA rules appreciated at your convenience, although at present due to the reconfig detailed in message 23353219 , I can only access the SBS box and will not be able to test with a client PC until later in the week.

Thanks for your input.

Kind regards

Horatio_too
Howdy Horatio -
"for my future reference, what would we need to do differently for Vista ?"
http://www.microsoft.com/downloads/details.aspx?FamilyId=9BF2F1E4-1B2C-471B-A284-E0C8C169FAC3&displaylang=en
 
After you move a workstation to test "companyweb", let me know and we'll see what rule needs to be added to ISA.
 
best regards, Eric
Hi Eric

Earlier today we installed one of our own client PCs onto site as a test box.

Same problems as the other PCs, but we can now "play around" with this and the SBS box without causing any disruption to the business.

Two immediate tests have been carried out:-

This PC can happily access Companyweb (prompted for password, but that is all)

A share created on this PC IS accessible from the SBS box i.e. it was possible to save files into the share

Hope that this helps

Next steps ?

Horatio_too
Hello again, Horatio.  Got companyweb.  That's good.  Now try https://servername
-Eric
...and if that works, click on the Network Connection Wizard link.  -e-
Hi Eric

Thanks once again.

CAN browse to https://servername, but clicking on "Network Connection Wizard " (which seems to just be another route to //servername/ConnectComputer) starts the Wizard, but terminates with:-

"An error occured when configuring networking settings. See your network administrator."

i.e. The same message that we get when we previously ran the network connection wizard.

Do not know whether it is of value, but https://bs-alpha01.eeexample.local did NOT work (Internet Explorer cannot display the webpage), whereas https://bs-alpha01 displayed successfully.

Where to now ?

Horatio_too

Horatio - Is the test workstation still using servername as the proxy?  If so, remove the proxy setting from IE.  
 
Is the test workstation a workgroup PC, or a domain PC?  Check Control Panel > System and click the Computer Name tab.  If it's a member of a domain, make it a workgroup PC, reboot, and try https://servername/connectcomputer again.
 
I forgot to ask, has this ever worked?  On the SBS, open IIS Manager (Start > Administrative Tasks), expand the Default Website, right-click on connectcomputer, click the Virtual Directory tab, and see if the path is "c:\inetpub\ConnectComputer".  (you didn't move the inetpub directory during the server prep by any chance, did you?)
 
Hotay.  Eric
Hi Eric

PC is a workgroup PC and has never been on the domain (remember, it is one of our computers and was only installed on site today).

Removing the proxy allowed the client to connect to the FQDN as well as just servername.

Running ConnectComputer still fails.

IIS settings seem fine  - nothing was changed during server prep.

On balance, still believe that it is probably an ISA issue

HTH

Horatio

Hi Eric

Appreciate your help so far - anything else that you can suggest ?

Kind regards
Horatio_too
Have you tried adding the servername to the list of Trusted Hosts in IE?
Have you tried manually setting up the IP Address/DNS settings for a PC before connecting?
Just things to try to attempt to squeeze more information out of the OS.

Are the event logs mentioning anything related?
Dear All

Problem resolved. It finally turned out to be an issue with Symantec End Point Security's own firewall being overly protective.

As soon as I turned off the firewall element, then I was able to add the client to the domain, browse shares etc. Apparently, according to Symantec, "By default, the ports required to browse shared network folders are blocked by default on an unmanaged device"

Spent many hours pointing the finger at ISA 2004, messing around with Rules etc. It WAS a firewall issue, but I was looking in the wrong place !

Apologies to all concerned, but had always considered SEP to be merely an Anti-virus product and had never spotted its firewall.

As always thanks and respect to all Experts who offered their input

Horatio_too

PS What should I do with the points in this case ?
Ask for a PAQ - refund.

Keith
As per Keith's advice, please PAQ the points for this question.

Many thanks

Horatio_too
Use the request attention button
Hi Keith

Done - thanks !

Horatio_too
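
A TCP reachability check for the symptom pattern resolved in this thread (ping and the web proxy work while \\server, \\IP and the domain join fail), added here as an example and not posted by any participant. The port list is the standard Windows set; the function names and verdict strings are assumptions of this example, and a blocked result does not say which machine's firewall is responsible.

```python
import socket

# TCP ports a Windows client needs on the server to browse shares and join a domain.
DOMAIN_JOIN_PORTS = {
    "DNS": 53, "Kerberos": 88, "RPC endpoint mapper": 135,
    "NetBIOS session": 139, "LDAP": 389, "SMB": 445,
}
FILE_SHARING = {"NetBIOS session", "SMB"}  # what a \\server or \\IP path uses

def probe(host, port, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # a reset came back: closed port or rejecting firewall
    except OSError:
        return "filtered"     # timeout or unreachable: packets silently dropped

def survey(host, ports=DOMAIN_JOIN_PORTS, timeout=2.0):
    """Probe every named port and return {service name: state}."""
    return {name: probe(host, port, timeout) for name, port in ports.items()}

def diagnose(results, other_service_ok=True):
    """Turn a survey into a verdict. other_service_ok records whether some
    unrelated service on the same host (ping, web proxy) already works."""
    blocked = {name for name, state in results.items() if state != "open"}
    if not blocked:
        return "ports-ok"               # look at DNS records or credentials instead
    if len(blocked) == len(results) and not other_service_ok:
        return "host-unreachable"       # routing or cabling, not a port filter
    if FILE_SHARING <= blocked:
        return "file-sharing-blocked"   # the pattern in this thread: check host firewalls
    return "partial-block"              # some other required port is filtered

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = survey(target)
    for name, state in found.items():
        print(f"{name:<20} {DOMAIN_JOIN_PORTS[name]:>4}/tcp  {state}")
    print("verdict:", diagnose(found))
```

Run it from a workstation against the server, then again with the endpoint product's firewall component disabled; a verdict that changes between the two runs points at that firewall.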