What's the Problem? -- Microsoft Certified Professional Magazine Online

What's the Problem?

Our experts troubleshoot your technical problems.

By Gary Olsen et al.
07/01/2002

Several months ago we invited you to submit your choicest technical challenges. The questions came pouring in. Then we asked our experts (read: Really Smart People) to help us answer them. To be honest, many of your problems absolutely boggled and stumped our troubleshooting pros. Others were a piece of cake. Here we present eight questions and their solutions—plus, advice on how to become a troubleshooting expert yourself.

I’m in a high school environment. I ran the Active Directory Migration Tool as a trial to import our 3,000-plus users from a Windows NT primary domain controller to our new Windows 2000 Active Directory child domain controller. The tool said the operation was unsuccessful because our network needs to be in Native mode. That seems somewhat useless, because we won’t be in Native mode until we get those users over to the AD and take the NT DCs offline.

More Troubleshooting

More of your questions, exclusively online.

9 Troubleshooting Tactics

Peers Helping Peers: Got an answer for these other reader troubleshooting questions?

That being the case, I need a tool to migrate my users in bulk without the cumbersome Addusers utility and without the work of a huge comma-delimited file dump. I’m looking for a tested, reliable user import tool that will import my users from the NT box to the Win2K box, but will also hold its value by enabling us to import users from a file each year into AD when our student body changes. Any suggestions?
—Sandra L. Hacker
Annandale, New Jersey

Unfortunately, Microsoft’s ADMT tool requires the target domain to be in Native mode. However, third-party tools will do what you want without that requirement. In addition, they have many more sophisticated features such as the ability to back out of the migration, configure a “project” to test the migration, and clean up the old SIDs after the migration is complete.

The ones I’m familiar with are produced by Quest Software (www.quest. com), BindView (www.bindview.com), Aelita Software (www.aelita.com) and NetIQ (www.netiq.com). You can get more information, including software evaluation copies, from their Web sites.
—Gary Olsen

We ran DCPromo on a Win2K machine to add it to a domain with two other domain controllers. Somehow, the default password became the Administrator password, so users on the network could no longer access the server. When people try to access files on the server, it comes back and asks for a username and password. I figured out that if we put in the default administrator account and password, people can access the server. Obviously, we don’t want to hand out the admin password. We could change the username and password for administrator, but it will still prompt users for a username and password instead of just letting them in. We ran DCPromo to demote it to a stand-alone server, and it looks like it wants to finish but doesn’t like the password authentication to complete the demotion. I’ve tried every username and password I can think of. This isn’t mission critical, as we moved all the files to a new server, but I don’t like that we can’t demote it. We don’t want to take it out of commission.
—Glen A. Johnson
Rockford, Illinois

Something obviously happened either when you ran DCPromo or soon after changing the machine account. Hence, users could no longer access that server as “set” with the old password. Two possible recovery scenarios are described in Microsoft support article Q257288, “How to Recover from a Deleted Domain Controller Machine Account in Windows 2000.” Because you then ran DCPromo a second time, your server can’t find the proper machine account to do a full-scale demotion. (If this isn’t what occurred, you’ll need to run a third-party password recovery tool, something to which every enterprise should have access.)

As explained in Q257288, you’ll need to run dcdiag. To confirm that this diagnosis is correct, run:

dcdiag /s:localhost

An error message should alert you that your server is missing its machine account. This is a rare event, as the account change had to occur during the cancelable phase of DCPromo. The Q article says this can only happen because of deliberate user action, but all it would take is someone with administrative privileges accidentally deleting the server. I’ve seen similar things happen in NT 4.0—servers moved, whole directories migrated and the “user” with no recollection of doing any of these actions. (Slow mouse or keyboard response on a computer can lead users to generate spurious input.)

If you have a pre-promotion backup for the server, you’ll be able to try the promotion process again. You probably won’t need to do an authoritative restore, as, from what you say, that machine account didn’t initially exist in your domain. If the account did exist in your domain, follow the steps in Q257288, follow standard steps for an authoritative restore, stop the key distribution center (net stop kdc), and use the Sites and Services snap-in to do a Replicate Now, which forces the good controller to replicate to the old, “bad” controller.

If you have no backup, try running dcdiag with this option:

dcdiag /s:localhost /repairmachineaccount

The Q article goes into more detail regarding error messages and possible outcomes, but this should give you a good start.

If a similar problem occurs when adding an NT 4.0 server to a Win2K domain, you may find articles Q242432, "Cannot Add Windows NT 4.0 BDC to a Windows 2000 Domain," and Q221826, "Create a Computer Object in the Active Directory for a Windows NT 4.0 BDC,"helpful. They describe the use of ADSI Edit to change the user AccountControl property and nltest to reset the server account password. Nltest can force a new secure channel. Both these tools are found in the Support\Tools folder on the Win2K Server CD-ROM.
—Douglas Mechaber

As someone with DBA responsibilities, I run into clients looking to improve database speed by adding disk drives and separating various database objects (data vs. log, tables vs. indexes, this table vs. that table and so on). While this can be done through Enterprise Manager on an object-by-object basis, I’m looking for a solution that would allow me to bulk move a set of objects between file groups.
—Stephen Hendricks
Irvine, California

The ability to specify where specific database objects are stored is a huge benefit for DBAs looking to improve performance. By reducing contention for disk I/O and allowing multiple drives to efficiently service common queries, you can significantly improve overall performance of database applications—if you know what you’re doing. After creating tables, you can move them between filegroups in several ways.

Through Enterprise Manager, you can choose the Table Designer and then “move” the table to another filegroup. Curious to see what this was doing behind the scenes, I ran Profiler and watched the commands Enterprise Manager executed. (This is a useful technique for figuring out anything that EM is actually doing when you run an operation.) I was surprised to find EM creates a new table, copies the existing data, then drops the original table. So, although this isn’t efficient, it gets the job done. The problem, as you mentioned, is that it’s not an efficient way to do operations for multiple tables using the Enterprise Manager GUI.
If you want to stick with moving the table, you can use Data Transformation Services to create a package that will perform the necessary tasks. DTS might be a good solution if you want to do the process regularly (for example, if you regularly receive a database backup from the corporate office and want to redistribute tables to different filegroups every time).
You can use bulk copy to get all of an object’s data and store it to a file. Drop or rename the original table and create a new table on the second filegroup. Since bcp is designed mainly for transferring raw data between systems, you’ll need to re-create any indexes, triggers and other objects associated with the original table.
Re-create the clustered index on a new filegroup. This might be the most efficient way to “move” a table between filegroups. First drop the existing clustered index on the table you want to move (if one exists), then create a new clustered index for that table on the new filegroup. You can do this in one step by using the CREATE INDEX command with the DROP_EXISTING option. Because the data for a table always exists with the clustered index, the table’s data will be moved to the new filegroup!

Space constraints keep me from listing the syntax or actual Transact-SQL commands required to perform these actions. Get that information from the SQL Server Books Online (or, if you can’t find it there, e-mail me). Good luck!
—Anil Desai

I have an organizational unit filled with Contacts and Distribution Lists (DLs). I only want one of my users to see them in the address list. I gave him appropriate rights on the OU and removed all other permissions. This resulted in no one seeing it. In the global address list, the user gets blanks where the contacts would have been. This looks ugly. Can I somehow hide the contents from the address lists,without having these blank spaces?
—Mats Jungsand
Sweden

For Outlook and other MAPI clients, this can be accomplished by the following method:

Restricting access to the OU containing the Contacts and DLs will hide the addresses from these objects from the default Global Address List (GAL). This will restrict users without the appropriate permissions from seeing the objects in the GAL via Outlook or from a Find People query instantiated from the Start Menu from any Win2K, XP, or .NET machine or any NT or 9x machine using the Directory Services Client. (Unfortunately, this will also result in "blank spaces" in those places where a user would typically see the display name of each restricted object. I resolve this in step 4.)
To filter the desired objects from the GAL, you must provide a value (stored in an attribute) that's common to at least all of the objects of a given type (i.e. all contacts must share a common value). To make this manageable through common management interfaces, I like to use the description attribute, but keep in mind that you could use any attribute. While its value could be anything, I use the string Confidential in my examples.
The default GAL lists all mail-enabled objects in the forest. To restrict the view to your users, create a new GAL with a Filter Rule that excludes the desired objects from being shown. These objects should have a description attribute with a value equal to Confidential (see step 2). Here's an LDAP query that can be used within the Exchange System Manager utility to define a Filter Rule of the Custom Search type:

(&(&(mailnickname=*)(|(&(objectClass=user)) (&(objectClass=contact)(!(description=Confidential))) (&(objectCategory=group)(!(description=Confidential))) (objectCategory=publicFolder))))

Let's examine each component of the query:

&—An AND operator meaning that two or more operations must be true for an object to match the query. (i.e. an email address must exist and the object must be a user.)
mailnickname=*—Specifies the inclusion of objects with a mailnickname attribute with a value defined, meaning they're mailbox-enabled.
|—An OR operator; at least one operation must be true for an object to match the query (i.e. an email address must exist or the object must be a user).
objectClass=user—The object being evaluated must be of Class type "user" in order to match the query.
objectClass=contact—The object being evaluated must be of Class type "contact" in order to match the query.
!(description=Confidential)—The description attribute of the object being evaluated shouldn't equal Confidential in order to match the query.
objectCategory=group—The object being evaluated must be of Category "group" in order to match the query.
objectCategory=publicFolder—The object being evaluated must be of Category "publicFolder" in order to match the query.

In plain English, this says: Provide a list of user, contact, group, and public folder objects that are mailbox-enabled, except when the object is a contact or group with a description field that is set to Confidential.
To force typical users to access the new GAL, secure the default GAL by removing Authenticated Users from the Access Control List (ACL) and by adding your user who should see all entries in the list with the permissions of List object and Open Address List. Right-click on the default Global Address List node in the Exchange System Manager and select the Security tab, then Properties.
Ensure that Authenticated Users have access to the new GAL you created in step 3. While they should be able to find it by default, you can verify this by right-clicking on the new GAL node in the Exchange System Manager and selecting the Security tab, then properties.
Because the All Contacts and All Groups address lists contain a non-modifiable filter rule that includes all contacts and all groups, respectively, you'll have to delete, recreate or modify these lists using a utility like ADSI Edit. You can also recreate these lists with a Filter Rule that excludes the appropriate object if the description field has a value of Confidential, similar to that done in step 3. You can modify the Filter Rule directly by accessing the objects for the All Contacts and All Groups address list in the Configuration Naming Context and entering a new value in the purportedSearch attribute. You can find these objects in the Configuration Naming Context under:

Services\Microsoft Exchange\ExchangeOrganizationName\
Address Lists Container\All Address Lists

The ExchangeOrganizationName is equal to the name of the Exchange Organization, which is typically equal to the name of the forest's root domain.

Outlook Web Access clients don't have the user-based Active Directory rights applied to directory queries. By default, this will allow a user attempting to search Active Directory using the OWA interface to obtain results containing every mail-enabled object. To resolve this issue, enter the Distinguished Name (DN) of the new GAL, from step 3, as the value for the msExchQueryBaseDN attribute for every user object that should receive access to the restricted GAL. This can be done manually using a tool like ADSI Edit for each user who accesses a mailbox using OWA. You could also use a variety of scripting techniques or other tools, such as LDIFDE.EXE, that can export and import directory information.

As with any modification to your messaging infrastructure, test this in a lab that closely resembles all facets of your production environment, including front- and back-end servers as well as any applications that use the messaging environment. While you might consider this method complex, right now it's the best method we have to control this behavior in Exchange 2000.
—Aric Bernard

I have a test network of four subnets using mask 255.255.255.192. I’ve segmented these subnets by using three NT 4.0 workstations, each with two NICs and using IP forwarding. What’s the best way to set up routing so that a workstation on the first subnet can ping a printer on the fourth subnet? Do I need to add static routes to each NT router; can I just turn on RIP; or do I have to do a mixture of default routes, static routes and RIP?
—Mike Price
Fairfax, Virginia

This isn’t a robust network design. Your best bet would be to get an actual router or dedicate a machine (probably not an NT box) to do the job.

In any event, working within these parameters, you have many options. But let’s think about the life of an IP packet—or at least a network device’s perspective of the whole thing. In order to participate in an IP network, a network device needs two things: An IP address, to uniquely identify that device on the network and a subnet mask to determine who is local to the network device. With those two things, basic communication is possible, and things will work. Think of it like this: Moving to a new neighborhood, you find the people local to you live on your own street.

Then we start adding some complexity to the equation. Perhaps I like my neighbors and all, but there’s a whole big world out there. There’s a larger organization around me, there’s lots to see and do. So how do I get to “the great beyond”? If I were a PC or end-station, I’d need a default gateway. If I were a router, I’d call this idea the “next hop address”—or, which way do I go to get to a particular destination?

Let’s look at routers in general, as your NT workstations are acting in that fashion. As a router, just like a PC in a neighborhood, I “know” what I can touch. If it’s participating in two separate subnets, then it very easily knows about both of those. So routing between those two subnets is no big deal. You can have multiple workstations doing this, and each may know separate networks (even having one in common).

Go back to the idea of moving into a new neighborhood. Each of your neighbors may know about different parts of town, different ways to go and different things to do. Each of these neighbors is separate.

So in order to broaden the scope of what a router knows, we use routing protocols or static routes. This is a way of adding someone else’s knowledge into our list of choices. A static route is a manual or administrative way of saying “Go this way.” A routing protocol is a more dynamic way of sharing information from different sources, giving everyone the ability to choose the “best path” to a particular destination.

Routing tables must have an entry to match to an IP (basic, boring math), or the packet will get dropped as unreachable. PCs have a default gateway to take care of this. In the routing world, this is known as the 0.0.0.0/0 route, or the “everyplace else” path. Routers are generally more particular.

With respect to your workstations, you can take different approaches. With static routes, it’s a quick and easy decision because there’s only one path (obviously, the best) to get to each particular destination network. With static routes, you also don’t have any overhead.

Having loops in your network and potentially multiple paths would be a strong argument for RIP or OSPF (both of which can run on NT). Routing protocols offer a dynamic approach to getting things done. This is good if your “best path” changes from time to time, because it’s less of a manual/administrative headache. The downside is additional overhead processing and traffic. RIP sends out broadcasts (which means that every station receives and processes them even if they don’t care) every 30 seconds. OSPF converses via a multicast address; but, depending on your LAN architecture, every station may still receive these packets. As routing updates are received, the RIB or Routing Information Base (protocol database) is updated and the routing table examined to see if changes are needed.

With that in mind, having both static routes and a dynamic routing protocol exchanging the same information is pointless. Static routes usually win.

Each method has its good and bad points. A network design isn’t necessarily right or wrong. There are just some better reasons to go in a particular direction! But as with anything in networking, knowing the ramifications of your choices is important!
—Scott Morris

My problem is with a Win2K member server running IIS 5.0, which is using NTLM authentication rather than Kerberos. I need it to use Kerberos in order to support pass-through authentication for access to a remote SQL Server.

The setup:

Three Win2K Server domain controllers.
One Win2K Web server running IIS 5.0 installed as a member server (it also happens to be running Exchange 2000).
One Win2k SQL 2000 database on another member server.
The domain is in Native mode and trusted for delegation.

When checking the authentication method used on the Web server, using the Microsoft ASP code, it shows as NTLM. Interestingly, I’ve tried setting up an IIS server on one of the DCs, and it uses Kerberos and supports pass-through authentication. I just can’t find a way to make our Web server use Kerberos.

I’d be grateful for any help.
—Phil Crombie
Manchester UK

There are a few possibilities. First, you must configure the computer account—not the domain—to be trusted for delegation to enable the Web server to request a Kerberos ticket on behalf of the user connecting to the Web site. By default, domain controllers have the “Trust computer for delegation” flag enabled. Member servers don’t have the flag enabled by default. This is configured in the properties of the computer account in Active Directory Users and Computers.

The final possibility is that the Web server doesn’t have its FQDN registered in DNS or that the Service Principal Name of the Web server doesn’t match the FQDN of the Web server. If the FQDN isn’t removable, Kereberos authentication fails.

The second possibility is that you’re attempting to use an account in the local SAM database of the Web server. Any authentication attempts to the local SAM database will use NTLM. Kerberos is only used to authenticate domain accounts.
—Brian Komar

This is a Win2K Professional question. From what I can tell, printers are specific to the login. How can I create a printer and have it apply to anyone who uses that machine? For example, I log in as Eric and create a printer called Printer1. When John uses the machine, I want his printer list to include Printer1.

—Eric Lanyon
San Jose, California

The answer eluded me for many months until an enterprising attendee at a recent MCP TechMentor conference, Richard Zimmerman of ABC Computers, provided me with most of a solution.

If you tried to create a Group Policy “Startup script” for a computer, you likely noticed it didn’t work. This is because there’s no user environment in which to house this newly created printer.

So, you have a paradox: How do you run a computer startup script for every user who sits down at a machine, but run this startup script after the user is logged on? You essentially want to solve the following problem: “How can anyone who sits at a computer on the fourth floor be guaranteed access to the printer on the fourth floor?”

To do what you want, you’ll need to pull out some serious group policy big guns—specifically, a little known property called loopback processing mode. Loopback processing mode has two different flavors: replace and merge.

Figure 1. Using loopback processing mode forces the computer to process site, domain and OU policies as if it were a user—a handy technique for forcing certain settings.

Group policy loopback replace mode is used with kiosks or lab machines, when you want everyone who logs on to a specific machine (whether president or janitor) to have the same “look and feel” on that machine, regardless of what policies are directed to their individual user accounts.

The rarely used group policy merge mode is handy when you need to modify a property in the user profile, but do it per computer. Merge mode runs the Computer Policy again after the user has logged in.

In both loopback processing modes the computer doesn’t think it’s a computer. It temporarily puts on a “user” hat and processes the site, domain and OU policies as if it were a user.

With that in mind, you’ll need to do several things:

Create a VB script that connects you to the printer you want. (I’ve supplied an example called ASSIGNHP4.VBS.)
Create an OU, say, “Fourth Floor Computers” and move the computers on the Fourth floor into it.
Create a new GPO on that OU and name it something like “All computers get HPLJ4 Printer.”
Drill down into the new GPO to Computer | Administrative Templates | System | Group Policy | User Group Policy loopback processing mode and specify it to be in MERGE mode.
Drill down into User | Windows | Scripts | Logon. Click Add to add a new file, click Browse to open the file requester, then copy in your ASSIGNHP4.VBS script and add it to run.

Remember: In Loopback processing mode, the computer “thinks” it’s a user, so use User/Logon scripts, not Computer/Startup scripts.

Now whenever you log in as any user to a computer in the “Fourth Floor Computers” OU, the user’s policies will be evaluated and run; the computer puts on a “user” hat and runs its own “logon” script; and you get the printer assigned for every user on a computer.

—ASSIGNHP4.VBS vbscript—
Set wshNetwork = CreateObject("WScript.Network")

  PrinterPath = "\\server1\HPLJ4"
  PrinterDriver = "HP LaserJet 4"
  WshNetwork.AddwindowsPrinterConnection PrinterPath, PrinterDriver
  WshNetwork.SetDefaultPrinter "\\server1\HPLJ4"
  Wscript.Echo "Default Printer Created"

—Jeremy Moskowitz

Exclusively Online!
More of Your Troubleshooting Questions

Is there any way to change the default number of rings on Microsoft Remote Access Server before pick-up? I'd like to use my single home phone line to access my home network from any remote job with my laptop. I was hoping to set the computer at home running Windows XP Professional to pick up after four rings or so. This would enable me to have my answering machine pick up as normal, but turn off the answering machine from the remote location to allow connection to my home network with my laptop over the existing phone line. I can't seem to find any information on the subject.

—Ken White
Hampton, Virginia

Windows NT 4.0, Win2K, and Windows XP Remote Access Service (RAS) answer incoming dial-up connection attempts on the first ring. This is the default behavior, and, unfortunately, there's no option in the interface to change the number of rings that RAS will notice. However, the following registry parameter can be used set the number of rings that RAS will answer incoming connection attempts for NT, Win2K and XP. Open the Registry Editor and add a REG_DWORD value called NumberOfRings to the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
RasMan\Parameters

The data range for the NumberOfRings value can range from zero to 20. A value of zero instructs RAS to ignore incoming calls; a value of 20 instructs RAS to notice the 20th ring. This registry change works for Telephony Application Programing Interface (TAPI) modems-most of the modems made for the past five years. If you have an older modem that doesn't support TAPI, then edit modem.inf, located in %systemroot%\system32\ras\modem.inf. Open the file and look for the section that relates to your modem and edit the following line:

COMMAND_LISTEN=ATSO=1

Change the value to the number of rings that you require RAS to answer incoming modem connection attempts on.
—Todd Logan

Help me if you can—I'm feelin' down. The hardware: NT 4.0 Server with SP6; the services: WINS, DHCP and RAS; the client: a laptop running Win2K. The details: The client accesses the network remotely using PPTP Ms VPN. The client is given access and "assigned" an IP address of RAS server. 192.168.100.100. The client ends the remote session by logging off and closing the connection. The client comes into office and tries to log on with the same laptop but gets the message, "A duplicate machine name exists on the network" The client can log on but has no access to network shares using the local logon. The event log shows: NACK issued for client 65.96.xxx.xxx (assume this is the home ISP).

These are the things I've tried that don't work: ensuring that the client does log off; using a reserved IP address for the client then taking the reserve off and trying IP release/renew; different profiles docked/undocked; DHCP leases renewed every 24 hours.

The band-aid solution that works: Deleting all mappings for the laptop in the WINS database. But I can't live with this solution! What am I missing? It's got to be a simple problem but my eyes have been blinded! Help!
—Frances Young
Bedford, Massachusetts

WINS is used for name resolution of NetBIOS computer names to IP addresses. Before WINS, which appeared in NT 3.5, NT users had a choice of static resolution-the infamous LMHOSTS file-or broadcasts, which are inefficient and (as you remember from myriad exam questions) don't route. Name resolution proceeds by modified H-node (hybrid node), as implemented by Microsoft. As explained by Williams at http://williams.comp.ncat.edu/Networks/DHCP.htm and in Q119493, "NetBIOS over TCP/IP Name Resolution and WINS," when the IP stack is started, the PC checks to see if the name is in the NetBIOS cache, where it remains active for 10 minutes. If the name is in the cache, the PC uses that hardware address. If the name isn't available, but a WINS server is, the PC queries the server for the hardware IP address three times. If a positive response is received, the PC ARPs the correct address. The next method in this order is broadcasting; if the broadcast is successful, the destination will ARP the PC's hardware address, and the destination returns the IP address. If the LMHOSTS file exists, the system tries this method of resolution next, using ARP to send the hardware address. Finally, NT and Win2K will try the HOSTS file. If Enable DNS for Windows Resolution is checked, the system will use DNS for the IP address and ARP the desired address.

WINS works mostly automatically. You can change the storage options and so on to improve performance, but the WINS database is built by data sent from the clients. When the computer logs off, the entry should be deleted. As you noted, that seems to be the rub. There are other ways to confirm this. You didn't mention the use of nbtstat, with any options, such as -a serveripaddress to generate a list of NetBIOS names or -n to check the name giving the error. This is described in Q315259, "NetBT Event ID 4320 Appears in Event Viewer." Somehow, your WINS server isn't releasing the name of your laptop. That exact problem is described in Q140419, "Name Release Notifications Not Sent to WINS on Shut Down"; but this should have been fixed post-SP3 or SP4 (depending on whether you believe Microsoft or BugTraq).

You might also read Q164016, "Err Msg: Event ID: 4320 Duplicate Name on Network." Of course, you didn't mention any error messages, and this sounds like the "band-aid solution" you're already using. Other possible solutions to NetBIOS resolution problems relate to the use of multihomed Master Browsers (Q135404).

From your description, it sounds like PPTP and WINS may be set up on the same server, which could be a problem; or more likely, you can't connect to network resources on the PPTP server, even though you can connect locally, which would be equivalent to a local LAN login. Could there be a route added to your PPTP client for the purpose of connection to your ISP? This route may block UDP or TCP ports, which are needed for NetBIOS traffic. An easy test for this is via the ShieldsUp! program by Steve Gibson, at www.grc.com. This would explain why the release, which was presumably sent, never worked when the laptop was logged off.

Q176321, "Unable to Resolve NetBIOS Names Through PPTP Connection," gives four possible solutions: 1) Use NetBEUI instead of or in addition to TCP/IP, so you don't require use of the blocked ports; 2) enable unicast (only) traffic across the blocked ports, 137, 138, 139, which may be impossible if this is through an ISP and may be a security risk; 3) move WINS to a different server than the PPTP server; 4) finally, on the PPTP server, create another IP interface. This IP interface doesn't have to be an additional interface card-with differing IP address-that would access the WINS server with the aforementioned ports enabled, but that may be the best solution. Q176321 has additional details.

You may also wish to check Q150520, "WINS Server Sporadically Loses Name Resolution," and Q185786, Recommended Practices for WINS," which includes a good summary, with lots of WINS references. Good luck!
—Douglas Mechaber

I have four NT 4.0 SP6a servers on the other side of a Cicso PIX 515 firewall from my domain. I would like these servers to be able to join the domain for centrally managed security and other reasons. What do I need to do on the firewall and on the servers (internal/external) to make this happen? I don't want to have a BDC on the external zone unless it's significantly easier that way. It's still firewall protected from the Internet by the firewall, though at a lower security setting than my PDC and other BDCs.
—Mark D. Allen
San Rafael, California

Pre-answer: What an ugly question! I wouldn't recommend this case.

I would suggest creating a client VPN connection from each member server to the private network, allowing connectivity to the internal DCs. This is preferable, because I would only have to open TCP port 1723 (PPTP) and protocol ID 47 (GRE) at the PIX firewall. I could also set up specific filters that would only allow the tunnels from the specific IP addresses in the DMZ.

So, the firewall would require packet filters to allow the establishment of the PPTP VPNs.

The clients must be configured with a PPTP VPN client. I would recommend enabling MSChapv2 to use the strongest possible connection.

A PPTP VPN server must be created on the private network to accept the VPN connections. I wouldn't recommend remote management of the servers; but if you need this, additional packet filters could be defined to allow connections from the private network to the DMZ by private network administrators.
—Brian Komar

I have a Win2K server (running Terminal Services) that I used to publish an Access-based application. One of my NT 4.0 workstations (with SP6a) can't access that server through Internet Explorer 6.0 or Client Manager. The error message reads: "VB Scripts Unable to connect to terminal server: junxure". I've tried different versions of IE-5.0 and 5.5-but with no luck. Otherwise, the workstation in question enjoys a normal day-to-day operation.

I researched the Knowledge Base and came up with Q282128, which explains how you can test port 3389 on your terminal server. Even though I don't have a firewall or other filters between my clients and the server, I went ahead and conducted the test, which came back positive. I can establish a telnet session with that server. I have no problem pinging the server both by NetBIOS name and IP address. This problem isn't user-specific. The other clients don't have problem connecting to this server and accessing the published application. Can you think of a fix for this?
—Sam Pahlavan
Boca Raton, Florida

Whenever troubleshooting the kind of problems that can make me pull my hair out, I like to try reducing the problem to its simplest components. I suspect you have other workstations, similarly configured, that don't show this inability to execute the Access application. I also assume that Access was installed correctly for multiple users: using Add/Remove Programs from the Control Panel. (See Q186515 for more information.)

You say the workstation in question is normal day to day, which probably means that the user account for most privileges is appropriate.

I have to ask: Is the regular user able to execute your Access application if he or she logs in from another workstation? From what you say, I'm going to guess that the regular station user can use the application from another location. You've verified that the workstation enjoys normal connectivity.

What's different about that user or machine? And what would cause the Access application not to work, with an apparent internal error?

The application execution environment is the only possible explanation I can think of. When I see that kind of error, I think of path, privileges or rights. You've checked the user rights and privileges by having the user log in from another computer, so the only thing remaining would be the machine account. Check that carefully; users from that machine may not be able to write temporary files, for example. Different versions of IE shouldn't affect the outcome.

One last tip: Check out the following article , as it may present additional hints or troubleshooting ideas, particularly tip six: http://certcities.com/editorial/tips/story.asp?EditorialsID=5

You've already checked Q282128, which is a good start for general terminal services connectivity problems. Since it appears that initial connectivity isn't affected (only that Access application) you might also read Q194776, "How To Install a Visual Basic Application on Terminal Server."
—Douglas Mechaber

When setting up IPSec policy rules, there's the potential to set different and possibly conflicting rules. How can you determine the order in which the rules are processed?
—Dave Mills

IPSec rules are processed so that the most specific ones are processed first. For example, if you had a rule that said to encrypt all protocols and another rule that would apply no encryption to packets destined to TCP port 23, then the non-encrypted rule would take precedence for all connections to the telnet service on the local computer

The key design point is to not implement conflicting rules. Try to limit the total number of IPSec filters in an IPSec policy, and work them out on paper to determine which filters and filter actions may be in conflict.
—Brian Komar

My problem is an interesting one. I open up Internet Explorer only to find that when I click on File on the top menu there's no Send button available. I've noticed that Adobe Acrobat 4.0, recently installed, is the only change that has been made to the system. I wonder what could be making this item on the file menu suddenly disappear?
—Michael Worthylake
Newport Beach, California

You haven't specified the OS nor IE version. So I've checked the registry in both Windows 95 and Win2K Server, but I could find no specific key for that attribute. I looked in the obvious places: under Hkey_local_machine, Hkey_user and Hkey_current_user/software/microsoft/internet explorer/ (and anything under that). That doesn't mean that the key doesn't exist. I may have missed it or, more likely, there's a reference within a general IE subkey to a hex key located elsewhere that describes the properties within the toolbar.

But there's hope! I haven't seen the above problem, but I have seen aberrant IE behavior, including windows that don't resize or move properly and whole sections of the toolbar not appearing. The solution that worked for me was to install a new version of IE.
—Douglas Mechaber

Register! Top 5 Hybrid AD Management Mistakes and How to Avoid Them