Configuring 2k3 server

[anderground]

also, i've created one shared folder on each machine (2k3 and xp).

in security tab of 2k3 shared folder, i added the (admin) user of the xp client called 'house', actually house(house@testdomain1.local) (since that user has been included in AD)

in security tab of the xp shared folder, i added the administrator of the domain - Administrator(TESTDOMAIN1\Administrator)

i can open that folders on both sides, but i cannot put files and folders in there - Access denied.

how to set up shared folders? :(

[+BudMan MVC]

Ok -- for your remote disk problem.. I tried to duplicate it but can not.. New xp box just setup, used for win7 sharing thread.. Anyway joined it to my test domain.

On the 2k3 server box logged in as the domain admin - connect to xp box it just fine and can see remote disk management. This is with the xp firewall off.

As to shares on 2k3 servers, share permissions default to READ ONLY.. You understand there are both share and ntfs permissions? I just checked with my xp sp3 box, and I do not recall this -- but normally your not sharing files in domain setup on xp boxes (clients), but just checked and xp sp3 in a domain will default its shares to read only as well.

You need to change those - unless you have some really weird sharing thing you need to do, share permissions can normally be left with everyone - ntfs permissions is where you lock down the permissions how you want.

edit I just checked a share I had created before I had joined it to the domain, and its shares are listed as change. So yeah you need to verify your share permissions.

Edited June 1, 2010 by BudMan

[anderground]

yes, it was about sharing permissions. thanks (Y)

is there any difference between checking "full control" or just "change" and "read" ?

one more thing, when i open the 2k3 share on xp box, i firstly get a login prompt.

there i have to put user: administrator and password: admin pass on 2k3 DC.

where do i manage that access control (if i want to get that prompt among client machines users in order to set a password on some of their shares)?

also, how do i allow immediate access to 2k3 share without the prompt (just curious)?

as for remote disk management, i have no clue whats the problem.

i tried even with both anti-viruses off, to no avail.

lets say its just about windows :)

[sc302 Veteran]

yes, it was about sharing permissions. thanks (Y)

is there any difference between checking "full control" or just "change" and "read" ?

one more thing, when i open the 2k3 share on xp box, i firstly get a login prompt.

there i have to put user: administrator and password: admin pass on 2k3 DC.

where do i manage that access control (if i want to get that prompt among client machines users in order to set a password on some of their shares)?

also, how do i allow immediate access to 2k3 share without the prompt (just curious)?

as for remote disk management, i have no clue whats the problem.

i tried even with both anti-viruses off, to no avail.

lets say its just about windows :)

"is there any difference between checking "full control" or just "change" and "read" ?"

1. Yes, it is what you think, one just gives them just read access over the share, the other gives read, modify access, the other gives them read/write/create.

"where do i manage that access control (if i want to get that prompt among client machines users in order to set a password on some of their shares)?"

2. You give access to the shares on your server for the individual users, those users have access to those shares nothing else. There are no prompts, there is access (by sharing and managing what they can do), or there is nothing. Once you attach to the server as a user you can't attach or reconnect as another user. This is by design.

"also, how do i allow immediate access to 2k3 share without the prompt (just curious)?".

3. You give them access to it

"as for remote disk management, i have no clue whats the problem."

4. there are many issues that this issue can be a result from, type in the exact error in google and you will see about a million hits or so.

[anderground]

im so sorry for not answering for a while.

i wasn't able to deal with this...

"where do i manage that access control (if i want to get that prompt among client machines users in order to set a password on some of their shares)?"

2. You give access to the shares on your server for the individual users, those users have access to those shares nothing else. There are no prompts, there is access (by sharing and managing what they can do), or there is nothing. Once you attach to the server as a user you can't attach or reconnect as another user. This is by design.

hypotheticaly anybody could sit at a workstation which has access to a share located on 2k3 server.

is there a way to get password prompt when user tries to access the share?

thanks

[+BudMan MVC]

"hypotheticaly anybody could sit at a workstation which has access to a share located on 2k3 server."

There was a password when the user logged onto the domain.. But sure if you leave your workstation logged in, and you leave I can come in and so ANYTHING on the network as you.. What does this have to do with a share prompt?? is the user disconnecting from the share when they leave?? If not same thing -- does not matter if the user was prompted when they logged into the computer, or when they access the share.

If your worried about people sitting down to other workstations -- users should always lock their stations when they leave, you can also setup up group policy that has stations lock on idle say 5 or 10 minutes, etc..

[sc302 Veteran]

as budman said. Lock your computer that is what everyone else in the world does. even on a secured workstation, if you leave your workstation and someone else comes along and you leave yourself logged in anyone would have access to what you have. Don't leave yourself logged in or lock your workstation, put policies in place to lock the workstation after so many minutes of inactivity. On the servers I administer I have after 1 min of inactivity to lock the station, annoying yes but it is better than allowing some random person come in and screw with crap.

[anderground]

yes, you have your points there. thanks.

i have 2 questions:

1) can i put group policy for locking workstations from the server or i have to do it locally on each workstation?

2) can i run netdom command on the server in order to join a new xp workstation to domain?

(dont know did i use the right syntax before, but when i did it the xp comp showed itself in AD as a domain member, but nothing actually happened on that xp machine itself, it remained workgroup machine)

[+BudMan MVC]

Sure you can create a group policy in AD to lock machines on idle - screensaver.

netdom will create the computer account in the domain - but to actually join the computer, it has to be done on the computer itself from what I remember. If you install the tool on the xp box, then I do believe it will actually join the computer.

This tool is more used to create the accounts, once the account exists for the computer - the user can join the machine without having to have permissions to join/create an account in the domain.

[anderground]

what if server is physically separated from workstations (say in other building or even other city) ? (it would be inconvenient to physically go from computer to computer)

in general, what kind of network communication is there when it comes to distributed networks?

if say several portions of the domain (subnets) are located in different cities behind nat routers, is it needed to apply a VPN or.. ?

[+BudMan MVC]

behind nat routers?? Those are not going to be using the domain..

You can RDP to a computer to join it to the domain, by default normal users can join like 10 computers to the domain - unless you have changed these permissions? So the normal user could just join the machine.. Or if the computer account is already created they can join. If you looking for a mass way to join computers to a domain, there lots of tools out there to do that sort of thing.

But if your computers are behind NATs -- your going to have more issues then how to join a machine to the domain.

Not sure what apply for a VPN means?? All you need to create site to site vpns is the hardware that supports it.. If you wanting for remote sites to be a part of your domain, then your going to need them to be on your network - not behind NATs. Sure they can be on different subnets/segments - but NAT is going to be an issue. Your routers at the core location, and the remote locations should support the ability to create site to site vpns.. Many cheap soho routers support this even.. Say a linksys rv042 retails for about $150 US.

edit: In distributed setups, remote sites when either bandwidth or connectivity is an issue its quite common to place a DC at the location. But that is not going to remove the issues of machines behind NATs...

[anderground]

But that is not going to remove the issues of machines behind NATs...

i think this is one of things which i always wanted to know but was afraid to ask :)

can you tell me of some other way to connect a site to the internet except through nat ?

thanks

[+BudMan MVC]

Your machines connection to the internet is going to be NAT - that is fine. But you can not do nat (1 to many) between your sites and expect AD to work correctly..

You need to setup a site to site vpn between your locations for AD to work.

[sc302 Veteran]

As budman stated, a vpn over internet is going to be your best bet. As far as price points go VPN over internet will be your best bet. Next would be a mpls network where the telco manages your connection between locations.

[anderground]

Your machines connection to the internet is going to be NAT - that is fine. But you can not do nat (1 to many) between your sites and expect AD to work correctly..

but site is composed of computers.

can someone put some drawing about the situation here?

tx

edit:

how can machines be behind nat and in the same time their site dont be behind it?

[sc302 Veteran]

Your computers are connected via nat which to everyone in the world is 1 ip address. you are trying to setup active directory on a remote site, active directory wants to see individual machines not a bunch of machines behind 1 ip address. for active directory to properly communicate to each machine and for each machine to communicate with active directory they need to be on an addressable network where each machine has a unique number and can be addresses by this unique ip. Being that ad is intertwined with dns, everything pc must be recognizable in dns.

There is nothing to draw out, you need to understand how active directory functions. If behind a vpn, it looks as if the remote network is attached to the primary site, this goes with understanding how vpn works and nothing to really draw out.

edit: your edit is confusing, I am not sure what you are trying to say. vpn gets around nat.

[+BudMan MVC]

"how can machines be behind nat and in the same time their site dont be behind it? "

At a loss to how your not understanding this -- but here, here is a attempt to make it clearer for you with a drawing.

So your routers create a TUNNEL between their public IPs -- when computer in site A (192.168.1.14) wants to talk to server in site B (192.168.2.100) The router routes the traffic over the tunnel to the other router.. It does NOT nat the IP to your public -- it encapsulates the traffic (depending on what vpn is used this is done in a few different ways) and sends it to the other end of the tunnel.. The router on the other end decrypts and strips off the encapsulation and says oh you want to talk to 192.168.2.100 and puts the traffic on the wire on the private side to that server.. When server talks back it reverses the processes.

The routers know that to talk to 192.168.1 or 192.168.2 network to use the tunnel.. If talking to the internet they send the traffic to your ISP router, but peforms a nat on it ie for example you were talking to neowin.net:80 from 192.168.1.14:4567, changes it to publicIP:6666 to neowin.net:80 -- when neowin talks back it sends traffic back to publicip:6666 -- your router knows this traffic to port 6666 on its public IP is meant for 192.168.1.14:4567

This is NAPT, and is how most soho NAT routers work - they are really doing Network Address Port Translation (NAPT)

I think your way lacking in your understanding of even the basics of how simple networking protocols work.. You might want to take a look at

http://en.wikipedia.org/wiki/Network_address_translation

http://en.wikipedia.org/wiki/Virtual_private_network

http://en.wikipedia.org/wiki/Routing

Does this make it easier?? If not let me know what your not understanding and will try a different approach.

[anderground]

thanks a lot, it's much clearer now. (Y)

i know the basics of nat and vpn tunneling, but really didnt know that they can be combined that way.

i will look at those links either and i would ask you if i need some help.

thanks again for your drawing and your time.

[+BudMan MVC]

Glad to help -- just let me know if there is something you don't understand, and try my best to explain it so you can.

[anderground]

you are trying to setup active directory on a remote site, active directory wants to see individual machines not a bunch of machines behind 1 ip address.

also thanks to sc302 for this explanation, which as well makes the process clearer. (Y)

[anderground]

hi

after a while i have continued to learn about 2k3 and i'm back again with my novice problems with it..

i have added one more client xp computer to my small domain network, so i have now 2 xp clients and the server.

the problem is i can't access shared folders of these clients from each other, although i can access them from the server.

when i try to 'add a network place' a prompt for username and password pops up, and putting there correct data doesnt let me in:

"The folder you entered does not appear to be valid"

i can do ping but i can't access shared folders.

all firewalls off :)

[anderground]

i have managed to solve the problem.

on one of the client xp users i didnt have a password at all, and since i've set one i'm able to get into that computer after filling the prompt (user & pass).

on the other one, it seems that when putting password, i was making a mistake with one character (2 languages on the keyboard).

(besides, i have installed netbios on the both machines, so maybe that resolved the problem, i dont know.)

edit:

also, sc302 has been pretty right regarding firewalls.. :yes:

when i turn on comodo on one machine its slowing down access substantially.

if i turn on pctools on the other one, it totally nails it.

[sc302 Veteran]

Software firewalls = big fat piece of unnecessary crap. I was playing with the new mcafee firewall pos on a network I was helping someone out with and in its "open" mode it was still blocking communication between computers even though the pcs were "trusted". What a piece of rotting poo on a hot summer day.....ended up disabling the pos firewall. Really why bother "trusting" the pcs that also run mcafee if you aren't going to be able to connect to shares, what is the point of "trusting"? I shouldn't have to manually add ports to open. Maybe it is to add an extra step. F U software firewalls, F U up the goat ass. I am going to strangle the person who thought that the would be a good idea on home metworks behind nat. I am going to boil the poor ****** in oil.

That is where I stand with software firewalls. They can all rot in hell.

[+BudMan MVC]

"Software firewalls = big fat piece of unnecessary crap."

Agree with you on a trusted private network, but networks are not always so trustworthy. And in some cases having a software firewall makes sense - but agree on trusted private network, with no machines on it that need to be treated as hostile.. They make little sense and cause the users nothing but grief if you ask me.

A firewall belongs at your trust borders..

[sc302 Veteran]

Get a switch and block it there. If you require that level of security on your network use hardware. F the stupid software crap. Give me a scenerio where software is beneficial over a managed layer switch. Imo if you are big enough to worry about different non secure areas of your network, you are going to have hardware protecting you.