Accessing computers in a Windows 10 / Server 2016 domain one-to-another.

I'm setting up a domain using, for now, Windows Server 2016 Essentials.
So far, so good.
All of the computers on the network have "joined" the domain according to their computernames and domain.

Now I'm trying to do things that will allow more or less traditional workgroup behaviors so as to "ease into" using the Server more fully.
(Part of the rationale for this is that some other workstations will retain their roles in various "server" functions as file servers, SIEM monitors, and be able to access workstations with PowerShell, etc.)

Right now, computer "WIN10" (Windows 10 Pro) has PSRemoting / WinRM set up.
I can run from the Server:
dir \\WIN10\C$
with good results.
However, I can't run the same command from computer "i7".
So, there is something I don't understand yet.

I'd prefer to control this from the Server - but any manner will be helpful I believe.
Fred MarshallPrincipalAsked:

JohnBusiness Consultant (Owner)Commented:
Make sure the server master browse service is running on the server and you can access from the server as you know.

https://en.wikipedia.org/wiki/Domain_Master_Browser

Then from the workstation, show the connections in Windows Explorer and see if the computer you want shows up. It does not always show up and so I use net use instead.

You may need to add the Discovery column to Windows Explorer
0
Cliff GaliherCommented:
When you are logged into the server, because it is a domain controller, you are logging in with a domain account. When doing this test, make sure you are still logging on with a domain account. Also set up shares to test. Using c$, or any admin share, is very bad security practice. Start forming good habits now or you'll fall back to bad habits whenever you are in a pinch and never make real progress.
1
JohnBusiness Consultant (Owner)Commented:
Absolutely. We do not use C$ except for specialized Admin needs
0

Fred MarshallPrincipalAuthor Commented:
OK.  Let me be more basic about this:
First, I want to be able to see files on other computers if they are suitably shared, etc.
Presumably, this would be done using permissions controlled on the server.

The Server AD doesn't show *any* computers in the Computer list.
If I ping a workstation, it goes public with the name??

Thanks
0
JohnBusiness Consultant (Owner)Commented:
Is the server master browser service running? Did you check that you are showing the network discovery column in Windows Explorer?
0
JohnBusiness Consultant (Owner)Commented:
You may also have Network Discovery turned off on the Server (default). We leave it off and use NET USE to map a machine if we need to. Mostly we are going the other way around (Users map the server).

Server-2012-Network-Discovery.
0
Fred MarshallPrincipalAuthor Commented:
John and all: I'm sure I'll get the hang of it quickly enough but some of the ideas are just new to me is all.

John: It looks to me that the display you redacted shows that other computers are mapped ON the Server with Network Discovery turned off.  Is that the case?  Then what to do on the workstations to access these "drives"?
0
JohnBusiness Consultant (Owner)Commented:
The blacked out lines are file shares and cannot be identified. Without Network Discovery, it does not show other computers by default, but I can access the computers if need be with RDP.
0
Fred MarshallPrincipalAuthor Commented:
John:  Yes, I understand *why* they're redacted. The point of my question was that they are mapped network resources AT the SERVER file explorer interface.  Right?
RDP doesn't give computer-to-computer file access.

Let me simplify further:
I want to use a workstation as a file server.
How in this context?
0
JohnBusiness Consultant (Owner)Commented:
If you have a server, why?

Yes, you can use a workstation as a server, but maximum of 10 connections.

You will probably need to enumerate the 10 workstations (user name and password) on this Server. Then you can readily map the drive.  That will work
0
JohnBusiness Consultant (Owner)Commented:
that they are mapped network resources AT the SERVER file explorer interface.  Right?  <--- The resources are server folders

RDP doesn't give computer-to-computer file access.

Correct, it lets you access the computer.

You can get "server" access as I described above.
0
Fred MarshallPrincipalAuthor Commented:
John:
Thanks for that clarification.
that they are mapped network resources AT the SERVER file explorer interface.  Right?  <--- The resources are server folders
Well, if those are server-resident folders then I'm afraid I don't know why it's an example.
I need to use a workstation as a file server.  So....  ?
Sorry if I'm just dense.
0
JohnBusiness Consultant (Owner)Commented:
My post above (starting If you have a Server) tells you how to set up a workstation as a server. You can certainly do this.
0
Fred MarshallPrincipalAuthor Commented:
It appears that your "post above" happened at the same time.  I don't know why that would happen.  They all came at once.

Anyway, now that I see the post, I can respond more fully:

If you have a server, why?
This is a strictly "eyes only" matter which need not be of concern here.  Enough has been said in the original question: " so as to "ease into" using the Server more fully."  There is an existing architecture that's not going to be replaced wholesale.

Yes, you can use a workstation as a server, but maximum of 10 connections.
This is a Windows 10 Pro environment so the limit is 20.  But yes that's correct.  As above, the workstation "file servers" are already in service and not at the top of the list of things to replace.

You will probably need to enumerate the 10 workstations (user name and password) on this Server. Then you can readily map the drive.  That will work.  
So, once more I would like to confirm that all of your responses have alluded to mapping other network resources ON the Server.
Since my language ability re: Servers is emerging, what does one mean by "enumerate"?
And, isn't that what one would do on a DC anyway?
I can't see the computers listed in AD.
I can't see the DC listed either.
So, it appears there's some tweaking to be done on the Server at this early point of implementation.
0
Cliff GaliherCommented:
You can't see the computers or DC listed in "AD?"

If that is accurate (and I suspect it isn't) then that isn't tweaking. That is wholesale corruption of AD.
0
JohnBusiness Consultant (Owner)Commented:
I can't see the computers listed in AD.

You need Network Discovery ON (the Server). Did you turn it ON?
0
JohnBusiness Consultant (Owner)Commented:
Some questions:

1. Who built and set up your Server 2016?

2. The Windows 10 "server" is on your Domain, correct?

3. What is the server doing?  (Our main servers are DC, AD, DHCP, DNS and File/Print)  

4. Why do you need to look at your server and see member computers? I never needed to do this.

Please let us know.
0
yo_beeDirector of Information TechnologyCommented:
Are you trying to see the files on the Win 10 machine?
By default there are no public shares created on any machine (Servers or Workstations)
There are admin shares that end in $ (e.g. c$ or admin$)
Here is my Windows 10 machine.
shares.png
So if you need to access a computer on your domain you should be able to access this via \\computername\c$ or other drives on the computer.
This holds true for member servers as well.

If you are looking to share a network folder you will need to create the share with some name and give the proper permissions and NTFS security.  Once this is created you will be able to see the share by just typing \\servername
0
Fred MarshallPrincipalAuthor Commented:
Well, this is a first-off implementation for me and I'm trying to make sense of it.  I'd much more expect "operator error" than something more drastic.
I installed Windows Server 2016 Essentials on a bare machine and did my best to set it up.  It didn't seem to be that mysterious.
I have RDP working.
I have GoToAssist working.

The computers were added to the domain locally. i.e. at the workstations.

So far:
- it appears that the Server is in the domain.
- all of the computers on the network are in the domain.
- I expect the Server to be the DC and to support AD.  Is that a bad idea for a small network?
- When I look at "Active Directory Users and Computers":
     .. in Computers there is nothing.  But, if I "Find Computers", they are all found.  Haven't figured out how to go from "finding" to "adding" to the apparent list that might be there.
     .. in Domain Controllers there is nothing.  But, if I "Find Computer" in Domain Controllers, the Server is listed as a Writable Domain Controller and the Owner shown as corp.company.com.
     .. in Users, I see all the Users for the network listed.

As far as file access is concerned:

My going-in notion has been that the DC/AD can align shares with Users (i.e. permissions) and that the shares could be anywhere.  
Now, that's a technical notion and not a "best practice" notion.  So you and others may well do things differently.
Currently, I have a workstation "file server" that I don't want to mess with just now.  Yet, I need for it to continue to be accessible.
And, my notion is that access (and credentials) would be managed on the Server.
Otherwise one of the benefits of having the Server would be questionable. That is, if access were still controlled "workgroup-like".
I hope these notions lead to questions that I might ask or guidance I might be given.

Now, I'm sure that I've said things in a strange and naive way but this is where I am at the moment.
Your clarifications are really valuable to me!

Thanks!!
0
yo_beeDirector of Information TechnologyCommented:
I do not have time to respond to your last comment at the moment, but in a nutshell AD gives you central management to your entire Windows environment.

Files Shares
Printer shares
Various roles like Web servers, NPS, AD,  

If no one responds to your last comment I will try to answer your questions.
0
JohnBusiness Consultant (Owner)Commented:
- all of the computers on the network are in the domain.

Security increases over the years and your "workstation server" on the domain means you will have to enumerate the users on it to work as a server.

I installed Windows Server 2016 Essentials ...  It didn't seem to be that mysterious.

You need to make sure DNS is working right (somewhat complicated)

My going-in notion has been that the DC/AD can align shares with Users (i.e. permissions) and that the shares could be anywhere.

Anywhere on the real Server, not another workstation on the domain.
0
Fred MarshallPrincipalAuthor Commented:
yo-bee: In a nutshell, that's what I thought!  That's encouraging.

John:
Security increases over the years and your "workstation server" on the domain means you will have to enumerate the users on it to work as a server.
Well, mind you that this "file server" is already working just fine.  So I don't see what's different or added in this.  Actually the idea of enumerating the users on the "server" is something that's been done for many years in peer-to-peer networks.  I think that's well understood.  
- In order for a client to access a share, the client's local login would match the credentials of one of the users enumerated on the "file server".
And, for this to work, the particular client must be logged on locally - and there is no particular local user logon requirement at the "file server".
If the password change rules are frequent then they have to be changed on the workstation AND on the "file server".  That becomes rather inconvenient.
Alternately:
- In order for a client to access a share, the client's local profile must have Windows Credentials that match one of the users enumerated on the "file server".  To facilitate things like password management, a "non-human" user on the "file server" can be shared by many human users using Windows Credentials.
If the Credentials are kept unknown to the human users then password rules might be different.

One hopes (i.e. I hope) that having AD will alleviate some of the inconveniences in doing this and might help improve security.  But your response makes it sound like that isn't possible?

I gather that one approach is to map the "foreign file server" shares onto the Server so as to make them accessible to certain users.  Is that an accepted approach?
0
yo_beeDirector of Information TechnologyCommented:
Open ADUC, search for one of your computers and right click on it. There should be an option to select Name Mapping.  Select that and you will see what OU the computer/computers are in.

By default the computer objects should be placed in the computer Container. I am using Container and not OU here because they are the default areas for users and computers objects. These are not OU's.
0
yo_beeDirector of Information TechnologyCommented:
Most Unix-based servers have some sort of AD integration. This integration is where the power of AD central management of file security starts to shine.  This is just the tip of the iceberg, as you will come to learn.

Novell was the one if not the first to this central management ideology and MS said we will interstate it and AD was born.
0
JohnBusiness Consultant (Owner)Commented:
I gather that one approach is to map the "foreign file server" shares onto the Server so as to make them accessible to certain users.  Is that an accepted approach?

I have not tried this. We keep file shares on servers and member servers and none on workstations.
1
Fred MarshallPrincipalAuthor Commented:
John:
I have not tried this. We keep file shares on servers and member servers and none on workstations.
I'm not at all surprised.  It's one thing to say that "this is what we do" and another to say "you can't do anything else".  So I'm at a loss with this so far.
0
yo_beeDirector of Information TechnologyCommented:
What is your current file server?
0
Fred MarshallPrincipalAuthor Commented:
yo-bee:  I did what you suggested and there is some "improvement" if I understand it.  I guess I should ask, do these look normal?
.
ADUC Computers [empty] with Find.
ADUC Domain Controllers [empty] with Find..
ADUC Users [not blank] so no Find
0
JohnBusiness Consultant (Owner)Commented:
I can get that kind of list when I "Find"   ( not browsing under the Network tab ) . That looks like my computer list with "Find" . Different names of course.

Same with Users.  

That is standard for finding objects.
0
yo_beeDirector of Information TechnologyCommented:
So this is a sub-domain of msinc.org.  
First thing is I never create a domain with a public address like yours.  I would have created a msinc.local as your domain, and with just starting with Windows Servers I would not have done a sub-domain.

Do me a favor and do this. Search | Right-click your DC | Select Name Mapping | Post your X500 name path.
If you want to send me private message with this info please do.

 img1.png
img2.png
0
Cliff GaliherCommented:
It doesn't sound like anything is wrong with AD then.  Basically the computer container is empty, which is normal on an Essentials box if you use the connect wizard. It drops them in an OU instead.


My going-in notion has been that the DC/AD can align shares with Users (i.e. permissions) and that the shares could be anywhere.  
Now, that's a technical notion and not a "best practice" notion.

Terminology matters.  Shares can be anywhere, yes.  You  can grant permissions to specific domain accounts on a per-share and even a per-file basis.  You don't "align" anything. Which matters for answers below.

Currently, I have a workstation "file server" that I don't want to mess with just now.


Sorry. If you want to use a domain,  you have to "mess" with it.  That isn't optional.

Yet, I need for it to continue to be accessible.

Completely doable. But it requires changes on both client behavior and changes to the shares.

And, my notion is that access (and credentials) would be managed on the Server.
Otherwise one of the benefits of having the Server would be questionable.

Credentials are controlled on the server.  Access, however, is a collaboration of the server and the client.  You have to grant permissions on the share, and that does NOT happen on the server.  If you use groups, as recommended, then adding users to groups or removing them from groups, done on the server, effectively grants and revokes access.  So that part also happens on the server. But that core step of assigning permissions can't be done on the server.


The benefits of having a server are still innumerable.  However if you aren't familiar with AD and administering it, then you really should pull in someone who is.  We all have to learn somewhere, but I learned by reading many books across several years, and setting up test labs on my home servers. DO NOT LEARN ON A LIVE NETWORK! That is a disservice to both you and the entity you are setting this up for. We live in an age where minor mistakes become major security breaches.
1
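
Added example, not part of any poster's comment: the split described in the comments above (a named share instead of C$, share and NTFS permissions granted to a domain group on the machine that hosts the files, membership managed on the DC), written as PowerShell. The NetBIOS domain name CORP, the group FS-Projects-RW, the user jdoe, the folder D:\Shares\Projects and the share name Projects are all assumed placeholders.

```powershell
# Added example. Assumed placeholders: domain CORP, group FS-Projects-RW,
# user jdoe, folder D:\Shares\Projects, share name Projects.

# --- On the domain controller (ActiveDirectory module) ---------------------
# Access is granted to a group once; membership changes do the rest.
Import-Module ActiveDirectory
New-ADGroup -Name 'FS-Projects-RW' -GroupScope Global -GroupCategory Security `
    -Description 'Read/write access to the Projects share'
Add-ADGroupMember -Identity 'FS-Projects-RW' -Members 'jdoe'

# --- On the workstation that hosts the files (elevated prompt) -------------
$path  = 'D:\Shares\Projects'
$group = 'CORP\FS-Projects-RW'
New-Item -ItemType Directory -Path $path -Force | Out-Null

# NTFS permissions: drop inherited entries, then grant only what is needed.
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, discard inherited ACEs
foreach ($entry in @(
        @('BUILTIN\Administrators', 'FullControl'),
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @($group,                   'Modify'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $path -AclObject $acl

# Share permissions: naming the principals explicitly avoids the default
# "Everyone: Read" entry that New-SmbShare adds when none are given.
New-SmbShare -Name 'Projects' -Path $path `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess $group `
    -FolderEnumerationMode AccessBased

# --- Verify on the host -----------------------------------------------------
Get-SmbShareAccess -Name 'Projects'
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, IsInherited
```

Revoking access later is `Remove-ADGroupMember` on the DC with no change on the host; the user's effective access follows their next logon, when the group list in their token is rebuilt.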

yo_beeDirector of Information TechnologyCommented:
Cliff answered your questions with valid answers.
0
Fred MarshallPrincipalAuthor Commented:
I'm going to launch a new question as I realize the file access question can be addressed later.
Thank you all for the help!!

This *is* on an office test lab network and I need to get it working first.
It all looks pretty reasonable in view of your answers.
0
Fred MarshallPrincipalAuthor Commented:
Thanks again!!
0
JohnBusiness Consultant (Owner)Commented:
You are very welcome Fred and I will look for your questions
0
Question has a verified solution.