Domain Troubleshooting and Planning

Find out what's going on when you run into trouble setting up and maintaining NT domains.

Q: Why do I get an "access denied" message when I try connecting to resources on a Windows NT system, although I set up share permissions with Full Control to Everyone?

In the validation algorithm, a client tries to connect to an NT-based computer by transmitting its user credentials: domain name, username, and password. If the username has the user right to access the NT computer from the network, the system compares the user credentials with its local user account database. If the system finds a match, it allows access.

If the system doesn't find a match and the computer the client is trying to access is a member of a domain, the system passes the client's user credentials to a domain controller in the computer's domain. If the passed domain name matches the domain controller's domain, the domain controller compares the client's user credentials with information in the controller's account database. If the domain controller finds a match, it allows access.

If the domain controller doesn't find a match, it checks whether the client's domain name is a trusted domain. If so, the domain controller passes the client's user credentials to a domain controller in that trusted domain; this process of passing the client's credentials to a trusted domain is called passthrough authentication.

If no match or trust exists, the system checks the guest account of the computer the client is trying to access. If the guest account is active, the system allows access.

After the client establishes a session with the NT computer, share and NT File System (NTFS) file permissions play an important role in controlling resource access. The access a user gets to a shared resource is the more restrictive of the share permissions and the NTFS file permissions. So even if one set of permissions grants access to Everyone, users who lack permission under the other set won't get in.

Some clients, such as Windows for Workgroups (WFW) 3.1, Workgroup Connection 1.0, MS-DOS LAN Manager 2.0, and Microsoft OS/2 LAN Manager 2.0, 2.1, and 2.2, send null domain names when establishing a session. Only the server these clients are trying to connect to can handle these session requests, because the null domain will cause passthrough authentication to fail.

To fix this problem, make sure the passwords and usernames at each stage are correct, that accounts in the domain exist, that trusts are enabled, and that appropriate access rights and permissions are associated with the desired resources. For information on network security, refer to the Windows NT Resource Kit, Volume 2, Chapter 4.
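The validation order described above (local database, then the computer's own domain, then passthrough to a trusted domain, then guest), written out as an added example; this is not Microsoft's code, and the account databases, trust table, and computer name WS1 are constructed sample data. It also models the null-domain case from the older clients and the "more restrictive of share and NTFS" rule.

```python
# Constructed sample databases: each maps username -> password.
LOCAL_SAM = {"WS1": {"alice": "alice-local"}}           # the NT computer's own account database
DOMAIN_SAM = {"CORP": {"bob": "bob-pw"},                 # domain that WS1 belongs to
              "SALES": {"carol": "carol-pw"}}            # a separate domain trusted by CORP
MEMBER_OF = {"WS1": "CORP"}                              # computer -> its domain
TRUSTS = {"CORP": {"SALES"}}                             # domain -> domains it trusts
NETWORK_LOGON_RIGHT = {"alice", "bob", "carol"}          # "access this computer from the network"


def _matches(db, user, password):
    return db is not None and db.get(user) == password


def validate(target, domain, user, password, guest_enabled=False):
    """Return the authority that validated the session, 'guest' for a guest logon, or None (access denied)."""
    if user not in NETWORK_LOGON_RIGHT:
        return None
    # 1. The accessed computer's local account database.
    if _matches(LOCAL_SAM.get(target), user, password):
        return "local:%s" % target
    home = MEMBER_OF.get(target)
    # A null domain name (WFW 3.1, LAN Manager 2.x clients) stops here: passthrough cannot be attempted.
    if home and domain:
        # 2. Passed domain equals the computer's own domain: that domain's controller checks its database.
        if domain == home and _matches(DOMAIN_SAM.get(home), user, password):
            return "domain:%s" % home
        # 3. Passed domain is trusted by the computer's domain: passthrough authentication.
        if domain in TRUSTS.get(home, set()) and _matches(DOMAIN_SAM.get(domain), user, password):
            return "trust:%s" % domain
    # 4. No match anywhere: the guest account decides, if it is enabled.
    return "guest" if guest_enabled else None


ACCESS_RANK = {"no access": 0, "read": 1, "change": 2, "full control": 3}


def effective_access(share_perm, ntfs_perm):
    """Share and NTFS permissions combine to whichever is more restrictive."""
    return min(share_perm, ntfs_perm, key=ACCESS_RANK.__getitem__)
```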

Q: I can't set up a trust or join or synchronize my domain, although I can browse and connect to it. Why won't a domain controller validate me across a router?

The usual reason for this problem is that network protocol communication is not functioning properly. With TCP/IP, you can use the ping utility to verify communication with the router and the remote domain controller. The tracert utility can also help determine whether client requests are reaching the other side of the WAN device and whether a domain controller response is returning to the client side of the WAN device.

Because you can browse and connect to the remote resource, the problem is probably related to NetBIOS name resolution. Most system administrators don't set up routers to forward broadcasts. With TCP/IP, you can forward broadcasts by disabling b-node broadcasts (User Datagram Protocol--UDP--ports 137 and 138). If you disable these ports, you still need to be able to send a directed datagram (a packet directed toward a specific destination NetBIOS name) to the domain controller to communicate across a router. You can send directed datagrams with a NetBIOS name resolution method, such as the Windows Internet Name Service (WINS), or an lmhosts file.

If you use WINS, make sure you have a registered domain name and include the respective domain controllers' TCP/IP addresses. Most Domain Name Systems (DNSs) strip the NetBIOS extension in the sixteenth byte of the name, so simply enabling DNS might not correctly resolve the domain name. If you've configured your client for WINS, make sure it can query the WINS server to resolve the remote domain controllers' IP addresses.

If your client doesn't use WINS, you can configure a WINS client on the same subnet as a WINS proxy to forward UDP name resolution broadcasts to a remote WINS server. If WINS isn't in your environment, you can send directed datagrams by including a #DOM statement in an lmhosts file. For syntax, refer to %systemroot%\system32\drivers\etc\lmhosts.sam on your NT-based system. Save this file as lmhosts without an extension. The lmhosts file locations for non-NT clients are \win95 for Windows 95, \windows for WFW, \net for Microsoft Network Client, and \lanman.dos\etc for LAN Manager.

To communicate with a remote domain controller using Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX), configure a router to forward Type 20 packets. For detailed information on networking with TCP/IP, refer to the Windows NT Resource Kit, Volume 2, Chapter 12.

Q: Why can I administer the domain but receive an "access denied" message when performing local administrative functions?

The credentials you supplied probably don't have sufficient permissions on your local machine. In a domain, a member of the Domain Admins, or Administrators, group on your NT domain controller can perform administrative functions such as managing the user account database, managing shares, and managing services on the domain controllers. However, having these domain rights doesn't imply you have administrative rights on your local machine.

If your local machine is a domain controller in the domain, you can administer your local machine because domain controllers have only one user account database for verifying permissions. Each NT workstation and nondomain controller server has its own user account database, separate from the domain account database. Because of this separate account database, a user logged on to the network must be a member of the local Administrators group to administer the local machine. If users log on to the network with a domain account, they must be members of the local Administrators group to perform local administration. To add a domain user to the local Administrators group, follow these steps:

  1. At the logon dialog, select the local computer name in the From box, and specify a local administrator account and corresponding password.

  2. Open User Manager.

  3. Select the Administrators group.

  4. Click the Add button.

  5. Select the domain name in the List Names From field.

  6. Add the domain user(s) and group(s) that you want.

By default, when an NT Workstation or Server that is not a domain controller joins a domain, the system adds the Domain Admins global group to the computer's Administrators local group to let the domain administrators manage that computer. The system also adds the Domain Users group to the computer's Users local group.

Q: How can I administer my NT domain from a non-NT-based client?

You can use the respective Windows NT Server Tools to administer user accounts, machine services, Dynamic Host Configuration Protocol (DHCP) and WINS servers, and Remote Access Servers. For WFW and NT Workstation, these tools are on the NT Server 3.51 CD in the \clients\srvtools directory. To install the tools, run the Setup program or batch file from the respective directory. Windows NT Server Tools for Win95 are on the NT 3.51 Resource Kit CD in the \w95admin directory. To install the tools, double-click Add/Remove Programs from the Control Panel. To install and run License Manager on an NT workstation, copy llsmgr.hlp, llsmgr.exe, and llsrpc.dll from a computer running NT Server 3.51 to any directory on the NT workstation.

Q: What's a Security Identifier (SID), and what's the big secret?

An SID is a unique value that combines a domainwide ID and a relative identifier (RID) to identify each object in the domain (user, group, and computer accounts). The system assigns an SID to each user at logon.

That SID becomes part of the access token that accompanies any process the user starts. Except for the logon SID, an SID is unique--you can't reuse an SID after you use it to identify a user or group.

To identify users to the system, a system administrator creates user accounts by assigning usernames to new user accounts. NT generates an SID for each new account. The system stores this information in the Security Accounts Manager (SAM) database in the NT Registry.

An SID contains a 48-bit identifier authority value, a revision level, and a variable number of subauthority values (relative identifiers). The identifier authority, which is the most important piece of an SID, contains two values: one that identifies the agency that issued the SID, usually a Microsoft server domain, and a 32-bit RID that uniquely identifies the user or group in that agency. Joining these values ensures that no two SIDs will be the same, even if two different SID-issuing authorities issue the same RID. Each SID-issuing authority issues a given RID only once.

S-R-I-S is a standardized shorthand notation to help visualize an SID's components. In this notation, "S" identifies the series of digits as an SID, "R" is the revision level, "I" is the identifier-authority value, and "S" is the subauthority value. You can write an SID in this notation as S-1-4138-86. In this example, the SID has a revision level of 1, an identifier-authority value of 4138, and a subauthority value of 86.

getsid is a utility in the Windows NT Resource Kit for comparing the domain SID of one controller with another. The system acquires a domain controller's domain SID only during installation. All controllers in a domain need the same domain SID.
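As an added example (not code from the Resource Kit), the following decodes the binary SID layout into the S-R-I-S notation above and back, splits off the RID, and performs the same kind of "same issuing domain?" comparison that getsid makes. The binary layout assumed is the standard one (revision byte, subauthority count byte, 6-byte big-endian identifier authority, 4-byte little-endian subauthorities); the S-1-5-21 prefix and RID 512 are well-known values, while the three domain numbers 1000-2000-3000 are constructed.

```python
import struct


def parse_sid(raw: bytes) -> str:
    """Decode a binary SID into S-R-I-S text: S-<revision>-<identifier authority>-<subauthorities>."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("subauthority count does not match SID length")
    authority = int.from_bytes(raw[2:8], "big")        # 48-bit identifier authority
    subs = struct.unpack_from("<%dI" % count, raw, 8)   # 32-bit subauthorities, last one is the RID
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def build_sid(text: str) -> bytes:
    """Encode S-R-I-S text into the binary layout, rejecting fields that cannot fit."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an S-R-I-S string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not 0 <= revision < 256 or not 0 <= authority < 2 ** 48 or len(subs) > 15:
        raise ValueError("field out of range")
    if any(not 0 <= s < 2 ** 32 for s in subs):
        raise ValueError("subauthority out of range")
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_rid(text: str):
    """Split an account SID into (issuing-domain prefix, RID); the RID is the final subauthority."""
    if text.count("-") < 3:
        raise ValueError("SID carries no RID")
    prefix, _, rid = text.rpartition("-")
    return prefix, int(rid)


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both account SIDs were issued by the same domain (the comparison getsid makes)."""
    return split_rid(sid_a)[0] == split_rid(sid_b)[0]


# Constructed domain (1000-2000-3000) with the well-known Domain Admins RID 512.
DOMAIN_ADMINS = "S-1-5-21-1000-2000-3000-512"
```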

Q: How do I know which license mode to choose for my server?

Applications such as NT File and Print Services, Systems Management Server (SMS), SQL Server, and SNA use a license logging service. Such applications can register in one of two modes: per server and per seat. Use the per-server mode to control concurrent connections to the application and the per-seat mode to track each seat connection to the application. A seat allocation differs depending on the application it registers with. For example, NT File and Print Services register a seat as a user account, and SMS registers a seat as an SMS ID. The per-seat mode is more cost effective in many system configurations because a seat is typically connecting to multiple servers at once. If you configure per server, this seat occupies multiple licenses.

Administering an application's licenses in per-server mode consists of updating the license count on any server you purchase additional licenses for. You can update this count remotely through the License Manager application.

Administering applications' licenses in per-seat mode requires more attention than per-server mode. When purchasing additional per-seat licenses, you add the licenses to an application. This addition applies to any server in the domain. Because you are purchasing per-seat licenses for applications and can't specify the seat that you want a license associated with, you must control the seat allocation of licenses after the license logging service has recorded the connection. You use License Manager when you're looking at seat properties in the per-seat tab (that is, the user account for Windows NT File and Print Services or the ID for SMS). You can revoke seats that you deem not allocated to the licenses you have purchased.

Microsoft didn't intend to provide this level of management, and it becomes problematic in large environments, especially when a nonintuitive value, such as an SMS ID, identifies the seat. If several SMS IDs change, the system will log them as new seats.

To solve this problem, the system administrator must run a report on all existing systems, print a list of current SMS IDs, and go into the License Manager application to revoke all the old SMS IDs.

Q: How can I use the %servername% environment variable?

The %servername% variable lets you improve load balancing and performance. A systems administrator can spread the load of processing user profiles to another server by setting the %SERVERNAME% environment variable to the name of a domain controller close to the workstation. When users log in to the domain, the domain controller directs them to the appropriate server, \\%servername%.

To expedite logon, the profile server needs to be near the client's computer (not across a slow link). For example, for all workstations in Phoenix, Arizona, set the variable to a server name in Phoenix. On workstations in Seattle, Washington, set the variable to a server name in Seattle. That way, when users are in Phoenix, their profile loads from a domain controller in Phoenix. When users visit Seattle, their profile loads from a controller in Seattle.

When you configure a user's profile path in User Manager for Domains on a domain controller, the entry is

User Profile Path: \\%SERVERNAME%\profiles\user1.usr

You need to set the environment variable on the workstation computer, not the domain controller.

  1. Log on to the domain as Administrator.

  2. Run the Registry Editor (regedt32.exe), and select the workstation's computer name from the list.

  3. Be sure to select the hkey_local_machine of the workstation you have connected to, not your computer's hkey_local_machine.

  4. Go to hkey_local_machine\system\currentcontrolset\control\session manager\environment.

  5. Select Add Value, and create SERVERNAME=server1 (for example). Make sure SERVERNAME is of type reg_sz.

  6. Exit the Registry Editor, and reboot the workstation.

  7. Open User Manager on a domain controller.

  8. Edit a user account, for example user1. In the Profile, set the User's Profile Path to \\%servername%\share\user1.usr. Make sure a shared directory is on server1.

  9. Exit User Manager.

  10. Enter the User Profile Editor.

  11. Select the user, user1, who can access this profile.

  12. Make the appropriate changes.

  13. Save this information to a file and place it on \\server1\share.

  14. Have the user log on to the domain.

The profiles must reside in a shared directory. In this example, the share name of the directory profiles is "share." You must perform these steps for every server that participates. This example involves only one server (server1).

Q: Why do I receive Error 3013, "The redirector has timed out to SERVERNAME," in my System Log?

Possible causes are that the server you are trying to connect to is unavailable, very busy, or too far away to respond before the redirector timed out; the physical network cable is unavailable or very busy; or the network has a bottleneck.

The first step in troubleshooting such a problem is to verify that network protocol communication is functioning properly. With TCP/IP, you can use the ping utility to determine response time and Time to Live (TTL) and the tracert utility to evaluate specific routing characteristics.

After you verify the network protocol communication, you can test the connections between the client and the server. You can perform a network trace of the packets on the network to locate the root of the problem (look at the amount of time it takes for the server to respond to the workstation). You can also use Perfmon on the server (see the Windows NT Resource Kit, Volume 4, Chapter 7 to see how to detect network bottlenecks). You can try undoing any recent changes in network configuration. Also, if you were connecting to Machine B from Machine A, try connecting to Machine A from Machine B. Or you can have another client try to connect to the same server to see whether both redirectors have the same problem connecting.

After exhausting all troubleshooting options, you can try to increase the sesstimeout Registry parameter under hkey_local_machine\system\currentcontrolset\services\lanmanworkstation\parameters. sesstimeout specifies the maximum time the redirector lets a short-term operation be outstanding. The redirector uses this value to establish the extra time to wait for the Server Message Block (SMB) response. You can roughly calculate the time that the redirector actually waits for a server to respond to an SMB. The following formula will produce that value.

[(SMB size + size of data sent or received) / bytes per second] + sesstimeout

This systemwide parameter applies to all protocols, including TCP/IP. However, sesstimeout doesn't apply to certain types of SMBs, such as transaction commands that have their own timeout variable in the SMB.

Q: What are the hardware recommendations for a domain controller?

The following recommendations are for systems that function only as logon servers. If the system will run server-based applications or act as a file or print server, consider the additional resources those processes will require.

Table 1 shows guidelines for selecting a computer for use as a Primary Domain Controller (PDC) or Backup Domain Controller (BDC). For information on PDCs and BDCs, see Ed Tittel and Mary Madden, "PDCs, BDCs, and Availability," on page 75.

Q: How many user accounts can a domain support?

A domain consists of built-in and custom user accounts, machine accounts, and group accounts. Each object occupies space in the SAM file. The practical limit for the size of the SAM file depends on the type of computer processor and amount of memory available in the machine that administers the domain. Microsoft has successfully tested SAM files in excess of 40MB and recommends 40MB as the upper limit (larger SAM files can take several minutes to load into memory for administration purposes). Different types of objects require different amounts of space in the SAM file. Table 2 shows examples of how to distribute objects in one domain. For more information on domain planning, refer to http://www. the NT Server Forum on the Microsoft Network (GO WORD: MSNTS).

[Editor's Note: For more on these issues, see Windows NT Magazine technical support forums at, Microsoft TechNet, CompuServe's WINNT forum, America Online's Windows NT area, The Microsoft Network, and Microsoft's Internet servers-- and The Microsoft Knowledge Base is at http://]

TABLE 1: Guidelines for Selecting a Domain Controller

Columns: SAM File Size | Number of User Accounts* | Minimum CPU Needed | Recommended RAM+

(Row values are missing from this copy; the rows start at "up to 3000" user accounts, and every row lists Pentium, MIPS, Alpha AXP, PPC as the minimum CPU.)

*User account numbers are approximate--exact SAM file sizes depend on the number of user accounts, machine accounts, group accounts, descriptions, full names, home directory and profile path information, etc.

+RAM should be at least 2.5 times the size of SAM.

TABLE 2: How to Distribute Objects in One Domain

Columns: Scenario | User Accounts (1KB) | Machine Accounts (0.5KB) | Group Accounts (4KB) | Total SAM Size

(Row values are missing from this copy; the scenarios listed are 1 workstation per user, 2 workstations per user, 2 users per workstation, 1 workstation per user, and 1 workstation per user.)
