Domain troubles


Posted

I have two groups of machines. One group(A) is on a domain, and the other

group(B) is not. Both groups are behind the same firewall. There is a

program that I have that needs access to a specific site. The group that is

not on the domain works...... The group that is on the domain doesn't.

Where can I start looking? What might cause this? Ask questions if you

need more information, or point me in the right direction if I am in the

wrong group. Any help is appreciated...

 

Thanks

 

Shawn Huston

Guest Phillip Windell
Posted

Re: Domain troubles

 

"Huston" <shawn_huston@hotmail.com> wrote in message

news:eHW3AsdDJHA.5196@TK2MSFTNGP04.phx.gbl...

>I have two groups of machines. One group(A) is on a domain, and the other

>group(B) is not. Both groups are behind the same firewall. There is a

>program that I have that needs access to a specific site. The group that

>is not on the domain works...... The group that is on the domain doesn't.

>Where can I start looking? What might cause this? Ask questions if you

>need more information, or point me in the right direction if I am in the

 

Unless the Firewall is using Rules based on user accounts,...the "Domain"

means absolutely nothing.

A "domain" is an administrative boundary,...it has nothing to do with the

Network Structure.

Re-analyze the situation with that in mind.

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

Posted

Re: Domain troubles

 

Alright.... Here is some more information... Any machine that is not on

the domain can contact the site. Any machine that has been on the domain

cannot. If the machine is switched to a different domain, it can connect,

but if it is just removed from the original domain, it can not connect. If

the machine is taken out of the building, and is or has been on the domain

and used, it cannot connect. That is just some more information. You are

suggesting that the next step would be to check router settings and see if

it differentiates between the two types of users with rule sets?

 

"Phillip Windell" <philwindell@hotmail.com> wrote in message

news:uMc3I7dDJHA.524@TK2MSFTNGP06.phx.gbl...

> "Huston" <shawn_huston@hotmail.com> wrote in message

> news:eHW3AsdDJHA.5196@TK2MSFTNGP04.phx.gbl...

>>I have two groups of machines. One group(A) is on a domain, and the other

>>group(B) is not. Both groups are behind the same firewall. There is a

>>program that I have that needs access to a specific site. The group that

>>is not on the domain works...... The group that is on the domain doesn't.

>>Where can I start looking? What might cause this? Ask questions if you

>>need more information, or point me in the right direction if I am in the

>

> Unless the Firewall is using Rules based on user accounts,...the "Domain"

> means absolutely nothing.

> A "domain" is an administrative boundary,...it has nothing to do with the

> Network Structure.

> Re-analyze the situation with that in mind.

>

> --

> Phillip Windell

> http://www.wandtv.com

>

> The views expressed, are my own and not those of my employer, or

> Microsoft,

> or anyone else associated with me, including my cats.

> -----------------------------------------------------

>

>

Posted

Re: Domain troubles

 

"Huston" <shawn_huston@hotmail.com> wrote:

>I have two groups of machines. One group(A) is on a domain, and the other

>group(B) is not. Both groups are behind the same firewall. There is a

>program that I have that needs access to a specific site. The group that

>is not on the domain works...... The group that is on the domain doesn't.

>Where can I start looking? What might cause this? Ask questions if you

>need more information, or point me in the right direction if I am in the

>wrong group. Any help is appreciated...

>

> Thanks

>

> Shawn Huston

>

I guess the 2 groups do not have the same DNS server settings.

 

Does the "domain" group use a local DNS server? It could be the first

place to look.

 

ThePro

Guest Phillip Windell
Posted

Re: Domain troubles

 

"Huston" <shawn_huston@hotmail.com> wrote in message

news:OOo5sArDJHA.2476@TK2MSFTNGP06.phx.gbl...

> Alright.... Here is some more information... Any machine that is not on

> the domain can contact the site. Any machine that has been on the domain

> cannot. If the machine is switched to a different domain, it can connect,

> but if it is just removed from the original domain, it can not connect.

> If the machine is taken out of the building, and is or has been on the

> domain and used, it cannot connect. That is just some more information.

> You are suggesting that the next step would be to check router settings

> and see if it differentiates between the two types of users with rule

> sets?

 

I think the problem is (for the moment) in defining "on the domain" and "off

the domain". Being "on the domain" means the Machine's Windows OS was

joined to the Domain and has an account in active directory,..being "off the

domain" means the Windows OS was moved out of Active Directory into a

Workgroup administrative environment and the machine account in Active

Directory was deleted. But being on the same physical network or the same

physical or virtual subnet doesn't have anything to do with domains.

 

Now there are situations where it can "indirectly" matter,..and that is what

I am trying to sort out. Here are two ways the domain can matter,...but

anything beyond these two things and the Domain is really irrelevant and it

becomes a "networking issue".

 

1. If you have a Firewall that only allows access to certain user accounts

and a non-domain machine tries to gain access it will be denied because the

Domain Account is not being used. This of course is the opposite of your

situation and is likely not to be the problem. It is also rare to have a

firewall that works at this level of detail. The only ones I know of are

all MS products (MS Proxy2, All ISA versions, and the new Forefront TMG).

 

2. Another possibility is that the Active Directory DNS cannot resolve the

name to that one site. If Domain Members use that DNS (and they will) then

they will fail,...but other non-domain machines which [might] possibly use a

different DNS may succeed. This is an unlikely situation but is

possible,..it also is not really a domain issue but is loosely related to

the domain due to AD being dependent on using the correct DNS,...so it is a

situation as I said where a domain is "indirectly" related.

 

A possible cause that would be a networking problem (not a domain thing)

would be if putting a machine "on the domain" means moving it to a different

subnet,...and if that subnet is arbitrarily using a Public IP Range [that

they don't own] instead of an RFC Private IP Range then there is almost

certainly going to be an IP Address Conflict.

 

For example if you built a network segment and arbitrarily chose

72.14.207.0/24 your LAN would function fine within itself but would fail to

contact a large portion of locations owned by Google.com including the main

Google site of http://www.google.com.

 

So this should be enough to indicate that a lot of *detailed* information is

required to solve something as "strange" as this.

 

 

--

Phillip Windell

http://www.wandtv.com

 

The views expressed, are my own and not those of my employer, or Microsoft,

or anyone else associated with me, including my cats.

-----------------------------------------------------

Posted

Re: Domain troubles

 

I will give as much detail as I can as things are figured out. Being on

and off the domain is the most obvious factor involved at the moment, and

yes the machines are on a domain, or off a domain. All machines do share

the same network, but that doesn't seem to make a difference. Once the

machine has been on the domain, it will not connect to the site, unless it

is put on another domain, and yes I do know what domains are..... I do know

what networks and subnets, and such are.... All I know is that being on or

off the domain is the least common denominator to the equation at the

moment..... What changes on the machine when it is put on the domain that

doesn't allow the connection is what I am trying to figure out.

 

Shawn

 

"Phillip Windell" <philwindell@hotmail.com> wrote in message

news:uy23gyrDJHA.4132@TK2MSFTNGP03.phx.gbl...

> "Huston" <shawn_huston@hotmail.com> wrote in message

> news:OOo5sArDJHA.2476@TK2MSFTNGP06.phx.gbl...

>> Alright.... Here is some more information... Any machine that is not on

>> the domain can contact the site. Any machine that has been on the domain

>> cannot. If the machine is switched to a different domain, it can

>> connect, but if it is just removed from the original domain, it can not

>> connect. If the machine is taken out of the building, and is or has been

>> on the domain and used, it cannot connect. That is just some more

>> information. You are suggesting that the next step would be to check

>> router settings and see if it differentiates between the two types of

>> users with rule sets?

>

> I think the problem is (for the moment) in defining "on the domain" and

> "off the domain". Being "on the domain" means the Machine's Windows OS

> was joined to the Domain and has an account in active directory,..being

> "off the domain" means the Windows OS was moved out of Active Directory

> into a Workgroup administrative environment and the machine account in

> Active Directory was deleted. But being on the same physical network or

> the same physical or virtual subnet doesn't have anything to do with

> domains.

>

> Now there are situations where it can "indirectly" matter,..and that is

> what I am trying to sort out. Here are two ways the domain can

> matter,...but anything beyond these two things and the Domain is really

> irrelevant and it becomes a "networking issue".

>

> 1. If you have a Firewall that only allows access to certain user accounts

> and a non-domain machine tries to gain access it will be denied because

> the Domain Account is not being used. This of course is the opposite of

> your situation and is likely not to be the problem. It is also rare to

> have a firewall that works at this level of detail. The only ones I know

> of are all MS products (MS Proxy2, All ISA versions, and the new Forefront

> TMG).

>

> 2. Another possibility is that the Active Directory DNS cannot resolve the

> name to that one site. If Domain Members use that DNS (and they will)

> then they will fail,...but other non-domain machines which [might]

> possibly use a different DNS may succeed. This is an unlikely situation

> but is possible,..it also is not really a domain issue but is loosely

> related to the domain due to AD being dependent on using the correct

> DNS,...so it is a situation as I said where a domain is "indirectly"

> related.

>

> A possible cause that would be a networking problem (not a domain thing)

> would be if putting a machine "on the domain" means moving it to a

> different subnet,...and if that subnet is arbitrarily using a Public IP

> Range [that they don't own] instead of an RFC Private IP Range then there

> is almost certainly going to be an IP Address Conflict.

>

> For example if you built a network segment and arbitrarily chose

> 72.14.207.0/24 your LAN would function fine within itself but would fail

> to contact a large portion of locations owned by Google.com including the

> main Google site of http://www.google.com.

>

> So this should be enough to indicate that a lot of *detailed* information

> is required to solve something as "strange" as this.

>

>

> --

> Phillip Windell

> http://www.wandtv.com

>

> The views expressed, are my own and not those of my employer, or

> Microsoft,

> or anyone else associated with me, including my cats.

> -----------------------------------------------------

>

>

  • 1 month later...
Guest Huston
Posted

Re: Domain troubles

 

Figured out this problem. Machines on the domain were forced to use the NTP

server within the domain, and the time was wrong on it. Machines not on

the domain had the time set off the internet and were correct. The head

network guy never corrected it since who knows when, and it was killing the

authentication from the site........

 

"Huston" <shawn_huston@hotmail.com> wrote in message

news:eHW3AsdDJHA.5196@TK2MSFTNGP04.phx.gbl...

> I have two groups of machines. One group(A) is on a domain, and the other

> group(B) is not. Both groups are behind the same firewall. There is a

> program that I have that needs access to a specific site. The group that

> is not on the domain works...... The group that is on the domain doesn't.

> Where can I start looking? What might cause this? Ask questions if you

> need more information, or point me in the right direction if I am in the

> wrong group. Any help is appreciated...

>

> Thanks

>

> Shawn Huston

>

>

>
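
The clock-skew cause reported in the last post can be measured directly. The sketch below is an added example, not code from anyone in the thread: it computes the SNTP clock offset against two time sources and separates "this machine drifted" from "the domain time source is wrong". The 300-second tolerance, the function names and the sample timestamps are assumptions; the demo uses constructed replies so it runs offline.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
TOLERANCE = 300.0       # assumed skew limit in seconds; the thread does not give the site's

def ntp_ts(packet: bytes, pos: int) -> float:
    """Decode the 64-bit NTP timestamp (32.32 fixed point) at byte `pos` as Unix time."""
    secs, frac = struct.unpack_from("!II", packet, pos)
    return secs - NTP_DELTA + frac / 2**32

def offset(reply: bytes, t1: float, t4: float) -> float:
    """Server clock minus local clock, from one SNTP exchange.
    t1/t4: local send/receive times; T2/T3 (server receive/transmit) sit at bytes 32/40."""
    if len(reply) < 48:
        raise ValueError("short NTP reply")
    return ((ntp_ts(reply, 32) - t1) + (ntp_ts(reply, 40) - t4)) / 2

def query(server: str, timeout: float = 3.0) -> float:
    """Live measurement against `server` on UDP/123 (not used by the offline demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(b"\x23" + bytes(47), (server, 123))  # LI=0, VN=4, Mode=3 (client)
        reply = s.recv(512)
        t4 = time.time()
    return offset(reply, t1, t4)

def diagnose(domain_off: float, reference_off: float, tol: float = TOLERANCE) -> dict:
    """Separate 'this machine drifted' from 'the domain time source itself is wrong'."""
    server_err = domain_off - reference_off  # domain time server minus reference
    return {"local_error_s": -reference_off, "domain_server_error_s": server_err,
            "local_clock_bad": abs(reference_off) > tol,
            "domain_source_bad": abs(server_err) > tol}

def fake_reply(server_time: int) -> bytes:
    """Constructed 48-byte server reply (Mode 4) with T2 = T3 = server_time."""
    ts = struct.pack("!II", server_time + NTP_DELTA, 0)
    return b"\x24" + bytes(31) + ts + ts

def demo() -> dict:
    """Constructed case: domain time server 15 min slow, member PC synced to it."""
    true_time = 1_220_000_000          # constructed reference time (Unix seconds)
    local = true_time - 900            # member clock follows the slow domain server
    dom = offset(fake_reply(true_time - 900), local, local)
    ref = offset(fake_reply(true_time), local, local)
    return diagnose(dom, ref)
```

For a live check, pass `diagnose` the results of `query()` against the domain's time server and against an independent reference the firewall lets you reach.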

