Win2K Sever setup Help Please!

Discussion in 'Windows Desktop Systems' started by drdoug26, Oct 24, 2002.

  1. drdoug26

    drdoug26 Guest

    Hi All,

    I'm trying to get the 'bugs' out of win2k server. (I'm pretty good with old NT 4.0 server but our office application has just switched over to win2k server.)

    Could someone please tell me what Windows components I need and which subcomponents I need in 'networking services' to make this work.

    SetUp: Server(win2k server), 5 workstations (winXP pro)
    Domain: Chiro
    DHCP: is already dished out by our dsl router.
    We do NOT have a web site or own a name.

    I've got it running right now but the workstaion logon is very long. Sometime up to five minutes! I must be doing something wrong! I'm thinking that I do not need the ISS installed but I'll wait for some advice.

    In the event log I'm getting 15 - 20 errors per hour all saying:
    Event 5774, Source Net log on,

    I ran that active directory wizard and this is how it set up the server for me. (Setup to be 1st domain controller, Then answered the following:

    - create new domain tree (yes)
    - Create new Forest (yes)
    - Give a full DNS name (Call it Chiro.COM)
    - Domain Net Bios Name (yes)
    - Database & log locations (c:\Winnt\ntds)
    - sysvol folder (c:\winnt\sysvol)

    These are the networking subcomponents installed (checked)

    1) COM internet Service Proxy
    2) DNS
    3) DHCP (which I just un installed but problems continue)
    4) Internet Authentication Service
    5) QoS Admission Control Service
    6) Simple TCP/IP Service
    7) Wins (Windows Internet Name Service

    These are the Windows Components installed

    1) Indexing service
    2) Internet information service (IIS)
    3) Networking Service
    4) Script Debugger

    Sorry to put this mess up here but I'm getting desperate.

  2. funky dredd

    funky dredd Moderator

    Try here, this may help you.
    Event ID
  3. Rootz

    Rootz Guest

    You miss some important config...
    (I assume all devices have correct IP and subnet mask configuration)
    Active Directory allows domain logon to workstation users, to do so you must first join workstations to the domain by adding computer accounts in the Directory. User accounts reside on the server and not on workstations.
    Active Directory is based on DNS which gets integrated in the directory services by default with protected updates (notify the mapping of workstations names and corresponding IP address). If workstations are not registered on the Directory DNS when fired up then domain logon might fail saying *Domain is not available* after a long negotiation.
    Also DNS can be updated by client request (TCP/IP settings) or by the DHCP server. In this scenario DNS will not accept updates from an external DHCP (dsl router, which may also pass incorrects DNS registration parameters), W2K Domains need the DHCP server to be authorized in the directory service for both IP address assingment and DNS updates.
    Solution is one of the following:
    1. Install and configure DHCP on the Windows Server and authorize it to the Directory Service while stopping the DSL router DHCP service.
    2. Allow non secure updates on your DNS server. In this case you must be sure external DHCP passes the correct directory DNS to requesting clients.

    In brief this is what happens with Active Directory:
    Workstation Logon -> Domain checks the workstation is registered on the domain -> Server provides authorized DHCP address assignment -> DNS dynamic registration/update -> User is allowed to logon to the domain and workstation -> Access Granted

    Assure each step is executed correctly to avoid failure or long negotiations.
    You don't need that. You use this feature in case you need supporting pre-windows2000 workstations (W9x, NT40). Since you have all XP wks you can ignore netbios name resolution (and have more security).
    If possible put each of the above directories on separate disks/volumes.

    (IIS) No you don't unless you need to configure a web site or internet printing. Anyway this does not cause logon problems.

    Logon authentication failed. Accounts login are correct but secure logon can't be allowed for the above reason. No security settings are passed in this case, you keep getting access denied to resources... and very long timeout attempts when finally an error gets registered (Netlogon services keeps trying on a regular basis). All network gets so damn slow.

    Good it's required
    Required to run Active Directory Services
    As I told you in case you don't want to get mad with maual IP configuration of all workstations you need DHCP. DHCP configurations are allowed in the directory service ONLY if they are registered on the Domain DNS and authorized to do so. You may also use an external DHCP with unprotected Domain DNS updates but you loose a big part of the AD security, make difficult server authentication, unuseful long and failed negotiations (Netlogon and other network services errors).

    Cut that out, you need this service only if clients have to logon to the domain through external dialup connections.
    This may be useful only in case your network devices (nics, hubs, switches...) support it, otherwise you see an error in the system event registry (in this case uninstall it).
    This is one of the most unuseful services. OUT!
    You use WINS to call machines by name on a netbios network environment. If you use DNS, WINS is a waste of resources for DNS allows reaching machines with both *\\* (DNS mode) and *\\machinename* (WINS mode) syntax.

    Used for enhanced full text searching on indexed resources. Sucks a lot of memory to run properly, unless you work with tons of text documents cut that out.
    Used for internet web hosting or intranet applications, newsgroup hosting, internet printing, email services and FTP hosting. This is the most buggy and potentially unsecure Windows Service. Use only if you need it and in that case lock it up as much as you can.
    I'm not going to comment this =)
    Useful only for developers.

    IMHO on top of this. You would workaround most of your problems if you use the W2K server as a simple DNS or file server without Active Directory. AD is a very complex, powerful and delicate service where a simple misconfiguration or component error can screw up all your network and in some case it gets very hard to fix.
    You would say goodbye to authenticated network logon, a lot of security restrictions but you'll get an easier life especially in such a little network environment.
    Hope this helps.
  4. drdoug26

    drdoug26 Guest

    Thanks Rootz,

    That was awful nice of you to post that. It helped me tremendously!

    One question:

    If I want to share a printer off the server do I need IIS installed? I noticed you said I need this service for "internet printing"? Not sure what internet printing is.


  5. Rootz

    Rootz Guest

    Great! Happy it helped =)
    Active Directory almost killed me on my first configuration. I still remember how frustrating Netlogon errors were. Then *Userenv* and *Scecli* errors showed up but that's another story...

    On with your question:
    Internet printing can be an alternate way for users to reach shared printers on the network but it's not required for network printer sharing. It allows printing through the web browser using the address *http://servername/printers*
    It can be useful when you have several printers scattered all over network locations bacause it can give you a single access point to all domain printers, it can save you time for you don't need to connect each shared printer to every single workstation.
    IIS manages this service, when you install IIS it comes with a *printers* virtual directory on the default website which lists automatically any shared network on the server IIS is installed on.
    Consider you wouldn't like to have a web site open and running just for internet printing especially on a dsl connection exposure. Besides internet printing has at least two serious security holes, in case you decide to use this service assure you have installed at least Service Pack 2.
    Anyway if you install IIS remember to keep only the features you need and have them well patched. Worms and well known attacks to IIS waits for you out there. They will assault your web server with any way in a few hours.

    The common way of sharing printers on a domain is instead give them a share name as you do with folders, publish the in the Directory, install on the server all drivers for needed systems and then connect them to each workstation (the server will pass the appropriate printer driver) by installing network printers on each client machine. You then reach the printers by typing *\\servername\printersharename* or by browsing the directory. In your scenario XP clients will like 2000 drivers so you don't need extra driver support. No IIS pains this way...