GupShup Forums > Science & Technology > Computer & Information Technology
#1 nos (thug aloof), Oct 4th, 2006, 03:34 PM

I'm going through the CBT training videos for Active Directory these days and I've managed to set up a domain controller on a Win3K server (read as "next, next, next and finish"). The DNS server has been configured appropriately and it seems to work when I ping the DNS entry for the domain controller and other PCs on the network. The problem is that I'm unable to join my XP Pro laptop to the domain. I get an error saying that "A domain controller for the domain mar-labs.com could not be contacted. Ensure that the domain name is typed correctly". When I click on Details, the following is what I get:

DNS was successfully queried for the service location (SRV) resource record used to locate a domain controller for domain mar-labs.com:

The query was for the SRV record for _ldap._tcp.dc._msdcs.mar-labs.com

The following domain controllers were identified by the query:

debunk.mar-labs.com

Then it just lists the possible causes for the error etc.

My miniature network is set up as follows:
I've got three systems interconnected via a wireless ADSL router. The first system is a laptop and the second system is the Win3K AD/DNS server that is running on the laptop via Virtual PC (yes, it's free now). The third system is a desktop, which is basically doing nothing at the moment. I've got a firewall running on the laptop and I've allowed it to permit all traffic headed for the Win3K system. Same is the case with the Win3K system: I've allowed incoming DNS traffic on TCP and UDP port 53. Is there any other traffic that I have to permit?

Any idea why I'm unable to connect to the domain? yelp me!

Say: "Not equal are evil and good, even though the abundance of evil may please you." So fear Allah much, O men of understanding, in order that you may be successful. (Qur'aan, 5:100)

#2 TofiBaba (Senior Geek), Oct 11th, 2006, 11:08 AM

Hey NOS, I somehow missed this question. How is the XP machine getting its IP? Do you have DHCP set up somewhere? For the PC to be able to join the domain it should have the server's DNS IP as its primary DNS, and that should kick in. Also, if the NetBIOS name is what you are trying, also try typing out the whole domain name "mar-labs.com" when you specify the domain name. Let me know if it still doesn't work.

Quote:
Originally Posted by nos
I've got a firewall running on the laptop and i've allowed it to permit all traffic headed for the Win3K system. Same is the case with the Win3K system
You are ahead of our times, dude!

It takes a big man to cry, but it takes a bigger man to laugh at that man!

#3 nos (thug aloof), Oct 11th, 2006, 11:26 AM

Oh, I forgot to update on this one. The problem was with the firewall on the AD server, as I was blocking port 137. Once that was opened, along with other ports, it was working fine.

And yeah, I had specified the IP of the DNS server as the primary, which is why the basic queries for the SRV records were working. While we are at this, I'll post another question that came to my mind while I was adding computers to the domain. The thing is, whenever I add a PC to a domain, I have to enter the credentials of the domain admin. While this is not a problem for a LAN with few PCs, on a large network it can cause quite a lot of disturbance, in the sense that the admin has to add each PC manually. I know something is amiss here, but don't know exactly what. How do I automate the process of adding PCs to a domain without having to enter the credentials of the domain admin?

Secondly, do I have to enter the name of a PC as well as the username in the domain? Or will just the username suffice?

#4 nos (thug aloof), Oct 11th, 2006, 11:33 AM

Oh, the questions just seem to flow now, Tofi. For my setup, I had to enable a number of ports on the AD server, which brought up a security concern. In total, I had a number of ports opened: 88 for Kerberos, TCP/UDP 53 for DNS, TCP 389 for LDAP, TCP 3268 (I think) for Global Catalogue, 137 for NetBIOS ... that's just ... mad really! Is this the same for all setups? Okay, so if I separate my DNS and LDAP then I've got two ports less, but why do I need NetBIOS? I'm not running any legacy clients that require WINS translation ....
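The join failure in the first post (SRV lookup fine, DC "could not be contacted") and the port list in this post are really one question: does the DC's host firewall let through everything a join needs? The script below is an added example written for this thread, not code from any poster or from Microsoft. It compares a firewall allow-list against the ports a Windows 2003-era domain join uses on the DC, separating the NetBIOS ports (which TofiBaba says a DNS-only setup can skip) from the rest, and includes a TCP probe for checking a live DC. The ports beyond those nos listed (135 RPC endpoint mapper, 445 SMB, 389/UDP for the DC locator ping) are from Microsoft's documented list for domain membership and are my addition; the `allow <proto> <port>` rule format is a constructed stand-in for whatever the real firewall exports.

```python
"""Added example: compare a DC host-firewall allow-list with the ports a domain
join needs, and probe a DC over TCP. Not from the thread; rule format is constructed."""
import socket
from typing import Iterable, List, NamedTuple, Set, Tuple


class Service(NamedTuple):
    port: int
    proto: str    # "tcp" or "udp"
    name: str
    legacy: bool  # True = NetBIOS-era port, only needed for WINS clients / LAN browsing


# Ports a Windows 2003-era domain join touches on the DC. The dynamic RPC port
# range used after the endpoint-mapper handshake cannot be expressed as one
# rule here and must be handled separately on a real firewall.
REQUIRED: List[Service] = [
    Service(53, "tcp", "DNS", False),
    Service(53, "udp", "DNS", False),
    Service(88, "tcp", "Kerberos", False),
    Service(88, "udp", "Kerberos", False),
    Service(135, "tcp", "RPC endpoint mapper", False),
    Service(389, "tcp", "LDAP", False),
    Service(389, "udp", "LDAP (DC locator ping)", False),
    Service(445, "tcp", "SMB", False),
    Service(3268, "tcp", "Global Catalog", False),
    Service(137, "udp", "NetBIOS name service", True),
    Service(138, "udp", "NetBIOS datagram", True),
    Service(139, "tcp", "NetBIOS session", True),
]


def parse_allow_rules(text: str) -> Set[Tuple[int, str]]:
    """Parse constructed 'allow <proto> <port>' lines into (port, proto) pairs.
    Comments after '#' and blank lines are ignored; non-allow lines are skipped."""
    allowed: Set[Tuple[int, str]] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, port = line.split()
        if action.lower() == "allow":
            allowed.add((int(port), proto.lower()))
    return allowed


def missing_services(allowed: Iterable[Tuple[int, str]], include_legacy: bool) -> List[Service]:
    """Return the required services the allow-list does not cover.
    With include_legacy=False the NetBIOS ports are not demanded (DNS-only setup)."""
    allowed = set(allowed)
    return [s for s in REQUIRED
            if (s.port, s.proto) not in allowed and (include_legacy or not s.legacy)]


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout.
    Use against your own DC to confirm a rule change actually took effect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed allow-list modelled on what nos first opened (DNS, Kerberos, LDAP, GC).
CONSTRUCTED_RULES = """
# host firewall on the DC, first attempt
allow tcp 53
allow udp 53
allow tcp 88
allow udp 88
allow tcp 389
allow tcp 3268
"""

if __name__ == "__main__":
    rules = parse_allow_rules(CONSTRUCTED_RULES)
    for s in missing_services(rules, include_legacy=False):
        print(f"blocked on DC: {s.proto}/{s.port} ({s.name})")
    for s in REQUIRED:
        if s.proto == "tcp":
            print(f"{s.name:22} {s.port:5}/tcp reachable: {probe_tcp('debunk.mar-labs.com', s.port)}")
```

Run with the constructed rules it reports 135/tcp, 389/udp and 445/tcp as blocked, which matches the symptom in the first post: the SRV lookup over port 53 works, but the RPC/SMB half of the join cannot reach the DC. Pass `include_legacy=True` only if the network still has WINS-era clients or needs NetBIOS browsing.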
#5 TofiBaba (Senior Geek), Oct 11th, 2006, 12:35 PM

1. Yeah, you have to enter the admin credentials for each machine as you enter it in the domain. I heard there was a utility or 2 available out there, but haven't used any. You can, technically, enter the PC names on the server itself, I believe, and then when you enter the domain on the PC it won't ask for user credentials.

2. You don't really use port-blocking on a LAN for security, especially not to the DCs. If you really want security use VLANs. But this selective port opening can really be scripted, so you just run it as the initial server deployment.

Another thought: if you are opening all those ports, what else is there to protect?

3. No, you don't really need NetBIOS; just DNS should suffice, unless you're into LAN browsing.

Last edited by TofiBaba; Oct 11th, 2006 at 01:23 PM.

#6 TofiBaba (Senior Geek), Oct 11th, 2006, 12:41 PM

Quote:
Originally Posted by nos
do I have to enter a the name of a PC as well as the username in the domain? ya phir the mere user name will suffice?
I didn't understand this question. Do you mean do both the user account and the PC account have to be put in the AD? If so, then yes. If the PC is a member you can still use domain resources by providing the user credentials (e.g. domain\username + password).

#7 TofiBaba (Senior Geek), Oct 11th, 2006, 01:11 PM

Here, found this article but can't make heads or tails of it:
http://www.microsoft.com/technet/pro...ep/adbulk.mspx

Maybe I need to read it with more patience.

#8 coOoLBreeze (Senior Member), Oct 11th, 2006, 04:31 PM

Well, you can go to the Computers container or any OU on the DC and right-click, then select New Computer. You can make a new computer there, and then assign the privilege to the username who can join that computer to the domain. This username can be anything, the least privileged user as well.

Then you go to the client machine (make sure the machine name is the same as the computer you created on the DC) and then just join; it will ask for a username and you put in the particular user you gave while creating the computer in the OU.

Secondly, I don't recall the exact settings, but there is a security setting named "Join computer to the domain"; that privilege can be assigned to any user and then he can add computers. You have to assign the privilege on the Computers container, I guess.
By default any user can add 10 workstations to the domain.
If you need more details, then wait till Saturday; I'll be in the office and guide you through more.

Cheers.
And TB, have you seen my reply to the Cisco Certs? I need your feedback there.
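The procedure above (pre-create the computer object in an OU, designate who may join it, then join from the client as that user) is what scales to the 100-PC case nos is worried about, and the TechNet "adbulk" article linked earlier is the bulk form of the same idea: feed a list of computer objects to ldifde instead of clicking New Computer once per PC. The script below is an added example for this thread, not code from coOoLBreeze or from Microsoft. It writes an LDIF file for `ldifde -i -f <file>` that pre-stages computer accounts, and includes a small parser so the file can be checked before import. The domain mar-labs.com is from the thread; the OU name "Workstations" and the PC names are constructed; the userAccountControl value 4128 (WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD) is the value Active Directory Users and Computers sets on a pre-created computer account.

```python
"""Added example: generate and check an LDIF file that pre-stages computer
accounts in an OU for ldifde -i. Not from the thread; OU and PC names constructed."""
import re
from typing import Dict, Iterable, List

# userAccountControl bits for a pre-created machine account (the value ADUC sets)
WORKSTATION_TRUST_ACCOUNT = 0x1000
PASSWD_NOTREQD = 0x0020
PRESTAGED_UAC = WORKSTATION_TRUST_ACCOUNT | PASSWD_NOTREQD  # 4128

# NetBIOS computer names: 1-15 characters, letters, digits and hyphens
NETBIOS_NAME = re.compile(r"[A-Za-z0-9-]{1,15}")


def domain_dn(dns_domain: str) -> str:
    """mar-labs.com -> DC=mar-labs,DC=com"""
    return ",".join(f"DC={label}" for label in dns_domain.split("."))


def computer_entry(name: str, ou: str, dns_domain: str) -> Dict[str, str]:
    """Attributes of one pre-staged computer object. The name is upper-cased
    and the machine's sAMAccountName gets the trailing '$' AD expects."""
    if not NETBIOS_NAME.fullmatch(name):
        raise ValueError(f"invalid NetBIOS computer name: {name!r}")
    name = name.upper()
    return {
        "dn": f"CN={name},OU={ou},{domain_dn(dns_domain)}",
        "changetype": "add",
        "objectClass": "computer",
        "cn": name,
        "sAMAccountName": f"{name}$",
        "dNSHostName": f"{name.lower()}.{dns_domain}",
        "userAccountControl": str(PRESTAGED_UAC),
    }


def to_ldif(entries: Iterable[Dict[str, str]]) -> str:
    """Serialise entries as LDIF: 'attr: value' lines, blank line between entries."""
    blocks = ["\n".join(f"{k}: {v}" for k, v in e.items()) for e in entries]
    return "\n\n".join(blocks) + "\n"


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Minimal parser for the LDIF this script emits (one value per attribute,
    no line folding, no base64). Use it to review the file before importing."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        entries.append(current)
    return entries


def prestage_file(names: Iterable[str], ou: str, dns_domain: str) -> str:
    """LDIF for every name in the list; rejects duplicates so ldifde does not
    stop half-way through on an 'object already exists' error."""
    seen = set()
    entries = []
    for n in names:
        key = n.upper()
        if key in seen:
            raise ValueError(f"duplicate computer name: {n!r}")
        seen.add(key)
        entries.append(computer_entry(n, ou, dns_domain))
    return to_ldif(entries)


if __name__ == "__main__":
    # constructed list of PCs; in practice read it from the asset inventory
    pcs = ["pc01", "pc02", "lab-03"]
    ldif = prestage_file(pcs, "Workstations", "mar-labs.com")
    with open("prestage.ldf", "w") as f:
        f.write(ldif)
    print(f"{len(parse_ldif(ldif))} computer objects written to prestage.ldf")
```

What the LDIF does not carry is the "who may join this computer" part coOoLBreeze sets in the New Computer dialog: that is an ACE on each computer object, granted after import (to a dedicated join account or group, not a domain admin). The 10-workstation default he mentions is the `ms-DS-MachineAccountQuota` attribute on the domain object; with pre-staged objects and a delegated join account the quota is not needed at all, which is why many sites set it to 0 so that ordinary users cannot create machine accounts of their own.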
#9 nos (thug aloof), Oct 11th, 2006, 07:51 PM

Quote:
Originally Posted by TofiBaba
Another thought, if you are opening all those ports what else is there to protect
My point exactly! I mean, if port 137 is open, then what is left to protect! lol...

Quote:
Originally Posted by TofiBaba
2. You don't really use port-blocking on a LAN for security, specially not to the DC's. If you really want security use VLAN's. But this selective port opening can really be scripted, so you just run it as the initial server deployment.
Mate, I was just trying to implement the 'best' practices, as you are most vulnerable on the inside ... as the UK DTI statistics for 2004-5 indicate.

Quote:
Originally Posted by TofiBaba
I didn't understand this question. Do you mean do both user account and pc account have to put in the AD? If so, then yes. If the PC is a member you can still use domain resources by providing the user credentials (e.g. domain\username + password).
Yes, I meant adding both a user account and a PC account in the OU. But I tried this and it still requires that I enter admin credentials to join the domain. Otherwise it gives me an 'Access denied' message. Oh well, forget it ...

Quote:
Originally Posted by coOoLBreeze
Well, you can go to the Computers container or any OU on the DC and right-click, then select New Computer. You can make a new computer there, and then assign the privilege to the username who can join that computer to the domain. This username can be anything, the least privileged user as well. Then you go to the client machine ....
Yup, that's what I did ...

Quote:
Originally Posted by coOoLBreeze
By default any user can add 10 workstations to the domain.
Is that for Win3K server?

Quote:
Originally Posted by coOoLBreeze
there is security setting named as " Join computer to the domain " ...
yup, thats what I was looking for really ... I'll try locating it, thanks chief :--)

Thanks for the input guys, really appreciate it .... you guys are simply cudable [from cuddle, if that's a word ... lol]

#10 nos (thug aloof), Oct 11th, 2006, 07:58 PM

Quote:
Originally Posted by TofiBaba
You are ahead of our times, dude!
Haha ... no mate, it's just the 180-day evaluation copy that was included in an MS Press book that I bought. Otherwise we are among those people who buy "original" copies from Pakistan ...

#11 TofiBaba (Senior Geek), Oct 11th, 2006, 08:16 PM

Get with the program mang.

#12 coOoLBreeze (Senior Member), Oct 12th, 2006, 12:22 AM

Read carefully; there are three different ways, all answering the same questions:
http://support.microsoft.com/kb/251335

#13 TofiBaba (Senior Geek), Oct 12th, 2006, 08:40 AM

CB, the prob is that this lazy person doesn't want to provide any credentials to add the PC to the domain. And it doesn't matter who has permission; somebody's name has to be typed in to get that darned PC in the AD.

#14 coOoLBreeze (Senior Member), Oct 12th, 2006, 09:14 AM

Quote:
Originally Posted by TofiBaba
CB, the prob is that this lazy person doesn't want to provide any credentials to add the PC to the domain. And it doesn't matter who has permission; somebody's name has to be typed in to get that darned PC in the AD.
If that's the case then

Anyway, try using netdom.exe; you will find many options there.

By the way, ask the Wizard of Oz; maybe he has something to do with it.

#15 nos (thug aloof), Oct 12th, 2006, 12:31 PM

I'm talking about the problem that 'all' system admins would have to face; it's not about one lazy bugger who's not happy with it. And as it is, I ain't no system admin, so it's you lot who have to put up with such BS .... there are 100 PCs, provide credentials for every single one; What the ... eeeeet! [censored]

#16 TofiBaba (Senior Geek), Oct 12th, 2006, 03:33 PM

^^ We as sysadmins have accepted the fact. It's been like this since day 1 of NT. If you have a 100-PC deployment you just get more people to help you, that's all. Or just take that many more days to deploy.

#17 nos (thug aloof), Oct 12th, 2006, 07:27 PM

Quote:
Originally Posted by TofiBaba
...Or just take that many more days to deploy
Looks like you've done a lot of work on contract ...

#18 TofiBaba (Senior Geek), Oct 12th, 2006, 07:36 PM

Oye, don't be calling me names; it's called "consulting".

#19 coOoLBreeze (Senior Member), Oct 13th, 2006, 03:09 AM

Oi, try netdom.exe: make the batch file ONCE, copy it onto a floppy and double-click.

Try Ghost or other imaging systems with the Sysprep utility for deploying domain-joined machines to the network.

#20 nos (thug aloof), Oct 13th, 2006, 03:25 AM

^ Oh, excellento! .... GOD bless you chief