Networking - cannot join domain - using ADSL Router

N/A

Hi there

Recently purchased NetGear ADSL Router DG834.

Network :-
1.Server - win 2000 server
2.Server - SQL 2000 server
3.Client - win 2000 pro
4.Client - Norton Firewall

IP Addressing
1.Router - 192.168.0.1
2.Server - 192.168.0.2 (DHCP client - reserved IP address)
3.Client - DHCP client

Working
1.Internet - both
2.SQL 2000 server on server - works (based fixed IP address)
3.Can ping from Server vs Local Domain of client - ok

Users + Domain
1.Administrator - network
2.imak - network
3.Domain - IMRANE0

Problem
1.Trying to log onto domain from client, first : using 'Administrator', second, using 'imak' users.

To join domain
A.
1.My network Places
2.Properties
3.Computer name - Workstation1
Member of workgroup - WORKGROUP
4.Changed to domain - Imrane0
5.Added - Administrator + password
6.Restarted
7.Logged on to domain - windows message - creating user profile - nothing happens..................
B.
1.Tried wizard - gone through entire process - at the end message appears - access denied.

Is that due to firewall in router ? even both sides pings ok...

What am I missing....

Thanks in advance.
39 REPLIES
N/A

No -- the firewall in the ADSL router doesn't come into the picture for local host-host traffic. One way of understanding the (I assume) 4-port switch built in to the router is to imagine it as an entirely separate 5-port switch, but where one of the ports has already been used to connect the switch (internally) to the network interface of the router, leaving you with the four available ports you can see on the outside. Just as an external switch wouldn't impose a firewall for host-to-host traffic, the internal one won't either.

Have you tried this with the Norton firewall switched off? I believe SMB networking uses ports 137, 138 and 139 with both tcp and udp on the first two.

I don't know much about Windows systems, but isn't the server supposed to show a machine account for the client when you add it to the domain -- did the request to join the domain get to the server (is it shown as a domain workstation at the server?)
N/A

Hi there

Interesting points....have a look tonight.
mssystems

Couple points.

Windows uses the NetBIOS over TCP (NBT) protocol (well in simple terms anyway). NetBIOS lives way above IP but relies on TCP, UDP and IP working. From Win2K onwards you can bypass NetBIOS altogether but there is no point on a small LAN.

The best way to test NBT is doing its stuff is
1. ping an address
2. ping a host name
3. in cmd prompt
net view \\computername
Error 53 - file not found; means it can't communicate
Error 5 - access denied; means it is communicating but your login failed.

You can force an administrator login attempt using
net use \\computername\admin$ /user:domain\administrator password

In the above procedure the previous step MUST work for the subsequent step to work (it is a dependency).

It actually sounds like NBT is working, because the Domain join got to the restart, you should have seen a 'Welcome to domain' dialog prior to the restart, indicating that the DC has added the client's machine account to its SAM.

The Network ID wizard will only work if you have a correctly configured internal DNS server and the clients DNS settings are absolutely correct. IMHO it is easiest to ignore the wizard altogether.

It also looks like you are being authenticated on the restart login. The 'Creating user profile' message happens after the DC has authorised you. The PC creates a new profile directory and copies the contents of the %Profile%\Default User directory, then merges the HKU\.Default registry key. For a large default profile this can take a very long time, go make a cup of coffee.

You can check if your system has in fact joined the domain by looking in the Local Users and Groups\Administrators or Users groups. During domain joining the Domain Admins and Domain Users groups get added.

Don't forget to have a look in the Event Viewer System log, it can tell you exactly what is going wrong.

HTH

Regards
Matt
www.mssystems.co.uk
N/A

Thanks for your comments - give it a try tonight.
N/A

Thanks for comments - greatly appreciated.

Situation Recap:-
1.Server+ Client - internet => ok
2.SQL Server (on server) => ok
3.Been able add client pc to domain => ok
3.User logging onto network domain => ok (now)
(administrator or standard user) (created user profile (first time took ages..... => ok)

But, not working
1.Network where folders are shared not been able access from both sides.
2.SQL Database on client (assuming get 1. working, rest ok)

Tried:-
1.ping from both sides => ok
2.net view from server to client = > ok
3.net view from client to server => system error 5 has occurred. Access is denied.

Config of Router Firewall Rules
Outbound - Any service, Allow always, any user
Inbound - Any(TCP), Allow always, IP address of Server (192.168.0.2), Any LAN , WAN user.

Do I need config inbound rules ? or is there something else. Checked event log - nothing.

Any ideas - most welcomed.

[Moderator note (by acarr) : Removed duplicated reply]
N/A

I don't think your ADSL Router's settings come into this at all -- traffic between hosts on your local network only uses the switch component of the Router, not the router component, and do not touch the router's own network interface.

When you log on at your client system, which log on screen do you see -- the "domain" log-on screen (with three fields, username, password, and domain selector), or the "workgroup" log-on screen (with just two fields, username and password)? If you see the "three-field" log-on screen, what is set in the third field when you log on -- the name of the domain, or the name of the client? (IE are you actually logging on to the domain, or merely logging on to the client itself?) If you are logging on to the domain, do you get any error message saying a domain controller could not be found, or does the log-on complete normally? If you really have logged on to the domain, then I'm surprised you're getting an error 5, access denied, from the net view command.

It would be interesting to see the output from these commands:

  1. At the server:
     a. nbtstat -n
     b. nbtstat -a <client name>
     c. nbtstat -A <client IP address>
  2. At the client:
     a. nbtstat -n
     b. nbtstat -a <server name>
     c. nbtstat -A <server IP address>

As an example, here's the nbtstat -n output at my local machine (the only machine currently powered up on my network):

                NetBIOS Local Name Table

    Name               Type         Status
    ---------------------------------------------
    MICKEY         <00>  UNIQUE      Registered
    MOUSENET       <00>  GROUP       Registered
    MICKEY         <03>  UNIQUE      Registered
    MICKEY         <20>  UNIQUE      Registered
    MOUSENET       <1E>  GROUP       Registered
    MOUSENET       <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

(MICKEY is the hostname, and MOUSENET is the workgroup name.)

    mssystems

    Taskforce9 is correct, this has nothing to do with your router.

    Error 5. Access denied can only be caused by, funnily enough, user account permissions denying access. The fact you get Error 5 indicates that the underlying transport is working fine.

    To get access you need
    1. An authorised user account
    2. Share permissions
    3. File permissions (on NTFS partitions)

    It sounds like the account you have logged on with either does not exist in the domain or does not have permissions. To check which account you have logged in with; type ctrl+alt+del and look in the Logon Information it should say domain-name\user-name. If it just has user-name or workstation-name\user-name you have logged in using the local workstation account, which is not authorised to access domain resources.

    Remember that your domain user account is completely separate from your workstation user account. Joining a domain simply allows you to use domain accounts on your workstation. The user account still needs to exist in the domain and must have permissions granted for the various server and workstation resources.

    There are some caveats for domain and workstation user accounts which have the same name. For fault finding purposes it is best to use a uniquely named account.

    Try Taskforce's Options button suggestion first and make sure you are in fact logging into the domain.

    To fault find further;
    1. Create a new user account on the server, use an unusual name.
    2. Try and logon to your client using the new user account.
    3. Now try and access the server.

    Regards
    Matt
    www.mssystems.co.uk
    N/A

    Thanks again for comments - you guys maybe right. Try that tonight, if I can sort the problem below.

    I did something very "Silly", out of frustration => decided to start from scratch.

    1.Changed Inbound + Outbound rules of firewall to default.
    2.While on client, still on network domain, decided to change, domain back to workgroup. Result, generated error message.

    "DNS error problem generated"

    -->Should had been on local domain on the client.

    Result - if I ping from client to server => time out, which I did not have before.

    Any ideas most welcomed GREATLY.............
    mssystems

    Aaaaarrrrrggggghhhhh!

    Now there could be all sorts of things wrong.

    The first thing to check is the IP addressing. The server, the Client and the router LAN interface must all be on the same IP subnet. You may have only one DHCP server on the ethernet segment. The DHCP server may not offer any fixed IP address that is in use on the subnet. The DHCP server must supply the correct DNS, WINS, Gateway settings.

    What comes to mind is that if you have reset the router it will start a DHCP server, which will stop any DHCP server that was running on the Server. Also it may have changed its LAN interface IP address, but will still stop any DHCP server on the same ethernet segment as the requests are broadcast.

    Next. Whilst Taskforce was right in his earlier post in that the switch should not interfere with Ethernet (layer 2) traffic on the segment. Some firewall/routers can prevent ping requests on the LAN interface subnet by replying Address Unreachable (Layer3). Check that your router is set to allow ping on the LAN interface.

    Finally. To fault find comms links you HAVE to work progressively step by step. If you can find a hub it would be easier to initially remove the router from the equation. Get the client and server talking and only then complicate the routing further. I suggest you disable or uninstall any application level firewall that may be on the client.

    Regards
    Matt
    www.mssystems.co.uk
    N/A

    Thanks for comments mssystems

    Got back ALMOST to where I was.

    Situation :- Client -> Server => from client (workgroup1) --> Server ==> system 5 error

    ************************DHCP1**********************************
    C:\>PING 192.168.0.1

    Pinging 192.168.0.1 with 32 bytes of data:

    Reply from 192.168.0.1: bytes=32 time<10ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=10ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=20ms TTL=255
    Reply from 192.168.0.1: bytes=32 time=20ms TTL=255

    Ping statistics for 192.168.0.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 20ms, Average = 12ms

    ************************LAN Server**********************************
    C:\>PING 192.168.0.2

    Pinging 192.168.0.2 with 32 bytes of data:

    Reply from 192.168.0.2: bytes=32 time<10ms TTL=128
    Reply from 192.168.0.2: bytes=32 time<10ms TTL=128
    Reply from 192.168.0.2: bytes=32 time<10ms TTL=128
    Reply from 192.168.0.2: bytes=32 time<10ms TTL=128

    Ping statistics for 192.168.0.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    ************************Client**********************************
    C:\>NET VIEW
    Server Name Remark

    -------------------------------------------------------------------------------
    \\WORKSTATION1
    The command completed successfully.

    C:\>NET VIEW \\192.168.0.2
    System error 5 has occurred.

    Access is denied.

    ************************Commands**********************************

    C:\>NBTSTAT -n

    Local Area Connection:
    Node IpAddress: [192.168.0.3] Scope Id: []

    NetBIOS Local Name Table

    Name Type Status
    ---------------------------------------------
    WORKSTATION1 <00> UNIQUE Registered
    WORKGROUP1 <00> GROUP Registered
    WORKSTATION1 <20> UNIQUE Registered
    WORKGROUP1 <1E> GROUP Registered
    WORKSTATION1 <03> UNIQUE Registered
    INet~Services <1C> GROUP Registered
    IS~WORKSTATION1<00> UNIQUE Registered
    WORKGROUP1 <1D> UNIQUE Registered
    ..__MSBROWSE__.<01> GROUP Registered

    C:\>NBTSTAT -a IMRANE

    Local Area Connection:
    Node IpAddress: [192.168.0.3] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name Type Status
    ---------------------------------------------
    IMRANE <00> UNIQUE Registered
    IMRANE <20> UNIQUE Registered
    IMRANE0 <00> GROUP Registered
    IMRANE0 <1C> GROUP Registered
    IMRANE0 <1B> UNIQUE Registered
    IMRANE0 <1E> GROUP Registered
    IMRANE <03> UNIQUE Registered
    IMRANE0 <1D> UNIQUE Registered
    ..__MSBROWSE__.<01> GROUP Registered
    INet~Services <1C> GROUP Registered
    IS~IMRANE......<00> UNIQUE Registered
    ADMINISTRATOR <03> UNIQUE Registered

    MAC Address = 00-40-95-30-C2-BE


    C:\>NBTSTAT -a 192.168.0.2

    Local Area Connection:
    Node IpAddress: [192.168.0.3] Scope Id: []

    NetBIOS Remote Machine Name Table

    Name Type Status
    ---------------------------------------------
    IMRANE <00> UNIQUE Registered
    IMRANE <20> UNIQUE Registered
    IMRANE0 <00> GROUP Registered
    IMRANE0 <1C> GROUP Registered
    IMRANE0 <1B> UNIQUE Registered
    IMRANE0 <1E> GROUP Registered
    IMRANE <03> UNIQUE Registered
    IMRANE0 <1D> UNIQUE Registered
    ..__MSBROWSE__.<01> GROUP Registered
    INet~Services <1C> GROUP Registered
    IS~IMRANE......<00> UNIQUE Registered
    ADMINISTRATOR <03> UNIQUE Registered

    MAC Address = 00-40-95-30-C2-BE
    N/A

    From SERVER

    C:\>NET VIEW \\192.168.0.3
    System error 5 has occurred.

    Access is denied.

    Did not get this before.

    Checked :-
    1.Section "Active Directory of Users + Computers" - checked if computer belonged to domain - yes
    2.Firewall be removed from client

    What am I missing ??

    Thanks in advance...
    N/A

    My interpretation of your nbtstat output is that it shows your client ("WORKSTATION1") and server ("IMRANE") are in different workgroups/domains (client in "WORKGROUP1" and server in "IMRANE0").

    You cannot have done a domain logon at the client, but rather a logon at the local machine. I think you should repeat the process of adding the client system to the IMRANE0 domain (Control Panel -> System -> Computer Name tab, use the option to change the workgroup/domain, and then reboot).

    Have you defined any shares at the two computers? Define a share on each computer (eg right click on some innocuous folder, and use the Sharing option to make it available as a shared resource, with access to "Domain Users"). On the server, identify the name of a domain user (imak?), and then, at the client, log on to the domain with that user name. As "mssystems" has pointed out, if that user has not been defined as a local user on the client machine, then to log on at the client with that user name, you must be doing a domain log on. You should then be able to see the server and access the resource you have shared.

    Similarly, if you create a shared resource on the client, and make it available to "domain users", then anyone logged on at the server who is a member of the domain users group should be able to see and access the resource.
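
The reading of the nbtstat tables given in the reply above can be automated. The following is an added example, not part of the original posts: it parses the two name tables posted earlier in the thread and compares the `<00>` GROUP name (workgroup or domain) on each side. The function names are illustrative, and treating a `<1B>` or `<1C>` registration of the group name as a domain-controller indicator is the standard NetBIOS suffix convention, assumed here.

```python
import re

# One name-table row: NAME <suffix> UNIQUE|GROUP Status (name may touch the '<').
ROW = re.compile(r"^\s*(.+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

# Rows copied from the nbtstat output posted earlier in this thread.
CLIENT = """\
WORKSTATION1   <00>  UNIQUE  Registered
WORKGROUP1     <00>  GROUP   Registered
WORKSTATION1   <20>  UNIQUE  Registered
WORKGROUP1     <1E>  GROUP   Registered
WORKSTATION1   <03>  UNIQUE  Registered
INet~Services  <1C>  GROUP   Registered
IS~WORKSTATION1<00>  UNIQUE  Registered
WORKGROUP1     <1D>  UNIQUE  Registered
..__MSBROWSE__.<01>  GROUP   Registered
"""
SERVER = """\
IMRANE         <00>  UNIQUE  Registered
IMRANE         <20>  UNIQUE  Registered
IMRANE0        <00>  GROUP   Registered
IMRANE0        <1C>  GROUP   Registered
IMRANE0        <1B>  UNIQUE  Registered
IMRANE0        <1E>  GROUP   Registered
IMRANE         <03>  UNIQUE  Registered
IMRANE0        <1D>  UNIQUE  Registered
..__MSBROWSE__.<01>  GROUP   Registered
INet~Services  <1C>  GROUP   Registered
IS~IMRANE......<00>  UNIQUE  Registered
ADMINISTRATOR  <03>  UNIQUE  Registered
"""

def parse_name_table(text):
    """Return (name, suffix, kind) for every row whose status is Registered."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(4) == "Registered":
            rows.append((m.group(1), m.group(2).upper(), m.group(3)))
    return rows

def summarize(text):
    """Extract host name, workgroup/domain name and role hints from one table."""
    rows = parse_name_table(text)
    def first(suffix, kind):
        for name, s, k in rows:
            # Skip the IIS-registered names (IS~..., INet~Services).
            if (s, k) == (suffix, kind) and not name.startswith(("IS~", "INet~")):
                return name
        return None
    host = first("00", "UNIQUE")   # Workstation service: the computer name
    group = first("00", "GROUP")   # Workgroup or domain the machine belongs to
    # <1B> UNIQUE = domain master browser, <1C> GROUP = domain controllers.
    is_dc = any(n == group and (s, k) in {("1B", "UNIQUE"), ("1C", "GROUP")}
                for n, s, k in rows)
    return {"host": host, "group": group, "is_dc": is_dc,
            "file_server": first("20", "UNIQUE") is not None}

def compare(client_text, server_text):
    """Report whether both machines register the same workgroup/domain name."""
    c, s = summarize(client_text), summarize(server_text)
    same = c["group"] is not None and c["group"] == s["group"]
    return {"client": c, "server": s, "same_group": same}

if __name__ == "__main__":
    print(compare(CLIENT, SERVER))
```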
    mssystems

    Looks like you are getting closer. Network transport stuff appears to be working. Your problem is with account authorisation.

    The security authorisation works at the Application layer (7). It relies on the lower level protocols which your network settings make up. To be frank I am saying, do not mess with your network settings, they are correct otherwise you would not be getting this far.

    Task is correct (well almost). But I think you should take it one small step at a time, so don't add your workstation into the domain just yet.

    First
    At the client
    1. In My Computer\Computer Name Change the workgroup name from WORKGROUP1 to IMRANE0 (yes make the workgroup name the same as the domain name)
    2. In Users and Groups create a new user 'TestUser' with the password 'test' Check the User cannot change password and Password never expires options.
    3. Add the TestUser to the Power Users group.

    At the Server In Active Directory Users and Computers
    1. Create a new user 'TestUser' with the password 'test' Check the User cannot change Password and Password Never expires options.

    At the client
    1. Log in as TestUser. A new profile is created.
    2. Start a cmd prompt and type
    Net view \\imrane
    You should get a list of shares

    Notes: What we have just done is utilised a feature called password passthrough in order to demonstrate that there are two separate accounts; the domain account and the local workstation account. When the workgroup name matches the domain name AND the local user name matches the domain user name AND the local user password matches the domain user password, the local and domain accounts are deemed equal. It should be obvious that this feature can cause a great deal of confusion when fault finding access denied errors.


    Second
    At the client
    1. Log in as Administrator
    2. In Users and Groups change the Administrator password to 'localadmin'
    3. Delete the TestUser account.
    4. In My Computer\Computer Name, click the Change button. Select the Member of Domain option and type IMRANE0 in the edit box. Click OK. When prompted for a user name and password, enter user name Administrator and the domain administrator's password (not localadmin)
    5. You get a welcome to domain message and the workstation restarts

    Note. If you do not get the Welcome to domain message, At the server check in Active Directory Users and Computers for a computer named WORKSTATION1 and delete the machine account. Now at the client try adding the computer to the domain again.


    At the client login prompt
    1. Ensure the Logon to field says IMRANE (the computer name)
    2. Enter user name 'Administrator' password 'localadmin'
    3. In Users and groups ensure the Administrators group includes 'Domain Admins'
    4. By default the Users group will contain 'Domain Users' I like to move 'Domain Users' to the 'Power Users' group.
    5. Logout

    At the client (still)
    1. Change the Logon to field to IMRANE0 (the domain name)
    2. Enter the user name 'TestUser' password 'test'
    3. Wait while the profile is created.
    4. You should now be logged onto the IMRANE0 domain using the 'TestUser' account which only exists in the domain.
    5. Open a cmd prompt. Type
    Net view \\imrane
    You should get a list of shares on the server

    Note. Initially the local Administrator account has full access on the workstation but no access on the domain. Similarly the domain Administrator account has full access in the domain but no access on the workstation. We used different local admin and domain admin passwords to distinguish the two separate accounts. The last step was to log in as a user account which does not exist on the workstation to demonstrate a domain login.

    Finally
    You should be getting your head around the fact that there are two sets of user and groups involved and where those sets live. Now secure the local Administrator account and sort out your user account so you can access the shares you need.

    If you have a problem at any stage, stop and we can try to sort it out without introducing new problems.

    Regards
    Matt
    www.mssystems.co.uk
    N/A

    Hi there

    Appreciate your comments - mssystems.

    Got to this point ;---
    A."5. You get a welcome to domain message and the workstation restarts" - ok

    Next..
    At the client login prompt
    B."1. Ensure the Logon to field says IMRANE (the computer name)" - click on it, popup screen appears saying creating list

    IMRANE0
    WORKSTATION1 (this computer)

    C."2. Enter user name 'Administrator' " - ok
    D."password" - 'localadmin' ==> does not accept this, if I choose IMRANE0 !!!

    What would you suggest ?