David
Wed Sep 24 11:02:49 CDT 2003
Joe,
If the client is XP you could install the Support tools from the XP cd
\support\tools directory.. which would then allow you to run netcap from the
client.. (does a netmon trace) And see if it is sending the DNS query out..
Might also check for things such as IP packet filters on the client
(Properties of TCP/IP, click on the Advanced button, then the Options tab,
TCP/IP filtering).
--
Hope that helps,
David Copeland
Microsoft Small Business Server Support
This posting is provided "AS IS" with no warranties, and confers no rights.
"Joe Smith" <jrjsmith@ward-kirkwood.com> wrote in message
news:ddb501c3829b$9aa4cfe0$a601280a@phx.gbl...
> David
>
> Sorry but the last update is not completely accurate and
> can be misleading.
>
> The NetMon results (or lack of) only applies to a lack of
> any DNS traffic when entering nslookup at the laptop.
> There are ICMP entries for the pings from the laptop.
>
> Otherwise, the update is correct.
>
> Thanks
> Joe.
>
> >-----Original Message-----
> >David
> >
> >Thanks again for your helpful response.
> >
> >I tried the following from the laptop using the wireless
> >card:
> >- ping x.x.x.x (the server's IP address)
> >+ received 4 good replies
> >- ping server_name
> >+ received 4 good replies
> >- ping FQDN
> >+ received Unknown host FQDN
> >- nslookup
> >+ *** Can't find server name for address x.x.x.x: No response from server
> >+ *** Default servers are not available
> >+ Default Server: Unknown
> >+ Address: x.x.x.x
> >+
> >- >set q=srv
> >- >_ldap._tcp.FQDN
> >+ Server: Unknown
> >+ Address: x.x.x.x
> >+
> >+ *** Unknown can't find _ldap._tcp.FQDN: No response from server
> >- >exit
> >
> >I then tried the same from one of the wired client
> >workstations
> >- ping x.x.x.x (the server's IP address)
> >+ received 4 good replies
> >- ping server_name
> >+ received 4 good replies
> >- ping FQDN
> >+
> >+ Pinging FQDN {x.x.x.x} with 32 bytes of data
> >+ received 4 good replies
> >- nslookup
> >+ Default Server: server_name.FQDN
> >+ Address: x.x.x.x
> >+
> >- >set q=srv
> >- >_ldap._tcp.FQDN
> >+ Server: server_name.FQDN
> >+ Address: x.x.x.x
> >+
> >+ _ldap._tcp.FQDN SRV service location:
> >+ priority =0
> >+ weight =100
> >+ port =389
> >+ svr hostname = server_name.FQDN
> >- >exit
> >
> >So, I acquired a PCMCIA Ethernet adapter for the laptop
> >and tried the test for the laptop again with exactly the
> >same results.
> >
> >Running NetMon at the server shows traffic from the
> >working wired client workstation but nothing from the
> >laptop, either wireless or wired.
> >
> >I'm beginning to suspect the TCP stack on the laptop.
> >
> >Have you any other ideas before I bite the bullet and re-
> >install Windows on the laptop?
> >
> >Thanks
> >Joe.
> >
> >
> >
> >>-----Original Message-----
> >>Joe,
> >>
> >>While you are connected.. from a command prompt are you able to use nslookup
> >>to resolve any names via your dns server? You may want to install/use
> >>Network Monitor from the server to see if the packets are even making it to
> >>the server.. or if the server is replying, but the packets are not making it
> >>back to the client.. or if the server for some reason isn't replying at
> >>all..
> >>
> >>
> >>
> >>--
> >>
> >>Hope that helps,
> >>David Copeland
> >>Microsoft Small Business Server Support
> >>
> >>This posting is provided "AS IS" with no warranties, and confers no rights.
> >>
> >>
> >>"Joe Smith" <jrjsmith@ward-kirkwood.com> wrote in message
> >>news:009401c37c60$a8536c50$a101280a@phx.gbl...
> >>> David,
> >>>
> >>> Well, I'm totally confused now.
> >>>
> >>> Couldn't find a workstation to use to perform the test
> >>> that I was planning.
> >>>
> >>> However, the wireless adapter in the laptop has the
> >>> following TCP/IP configuration:
> >>> - DHCP Enabled - No
> >>> - IP Address - unique IP address in the same subnet as
> >>> the server.
> >>> - Subnet Mask - same as the server's.
> >>> - Default Gateway - the server's internal NIC address
> >>> - DNS Servers - the server's internal NIC address
> >>> - Primary WINS Server - the server's internal NIC address
> >>>
> >>> If I tracert from the laptop to a known Internet name, I
> >>> get the message - Unable to resolve target system name.
> >>>
> >>> If I tracert from the laptop to the same target using its
> >>> IP address, the trace completes without error.
> >>>
> >>> This implies that the problem is with DNS resolution.
> >>>
> >>> However, the wired workstations have the same TCP/IP
> >>> configuration as the wireless laptop's with only the IP
> >>> Address element differing. They have no problem!
> >>>
> >>> The SSID of the AP was the same as the domain name, so
> >>> I've tried changing that to a different value on the AP
> >>> and the laptop's card - no change.
> >>>
> >>> In desperation, I tried changing laptop's default gateway
> >>> address to that of the AP - maybe the AP was acting as a
> >>> gateway/router - situation much worse - couldn't ping the
> >>> server or other wired workstations from the laptop.
> >>> Quickly changed that back.
> >>>
> >>> Any ideas?
> >>>
> >>> Thanks
> >>> Joe.
> >>>
> >>>
> >>>
> >>> >-----Original Message-----
> >>> >David,
> >>> >
> >>> >Thanks again for your response.
> >>> >
> >>> >1. The laptop's TCP/IP settings give it a unique address
> >>> >in the same subnet as the server, the same subnet mask,
> >>> >and its DNS, WINS and Gateway addresses are the server's
> >>> >internal NIC address.
> >>> >2. The clock is within 1 minute of the server's and their
> >>> >date, time and timezone are the same.
> >>> >3. It does not have a Firewall/Proxy client installed.
> >>> >4. The personal firewall is disabled currently - it has
> >>> >been removed from the startup folder for the time being.
> >>> >5. Any attempt to map a drive on the server gets the
> >>> >message The network path "\\ipaddress\share" could not be
> >>> >found.
> >>> >6. There are no relevant entries in the server's event
> >>> >logs nor any messages at the server.
> >>> >7. Attempting to join the domain from the laptop results
> >>> >in the message from Network Identification:
> >>> >The following error occurred validating the
> >>> >name "domainname".
> >>> >This could be caused by a DNS lookup problem. For
> >>> >information about troubleshooting common DNS lookup
> >>> >problems, please see the following Microsoft Web site:
> >>> >http://go.microsoft.com/fwlink/?LinkID=5171
> >>> >The specified domain either does not exist or could not
> >>> >be contacted.
> >>> >8. Although the laptop can ping the server and any other
> >>> >workstation on the LAN, none of the devices on the LAN
> >>> >(including the server) can ping the laptop. The laptop
> >>> >is, of course, in a workgroup at the moment because it
> >>> >cannot connect to the domain but I would have expected to
> >>> >have been able to ping its IP address successfully.
> >>> >9. Regrettably, there is nothing else in the workgroup
> >>> >that I can try to ping the laptop from - it is the only
> >>> >device in the workgroup.
> >>> >10. The server and the workstations can ping the AP
> >>> >successfully.
> >>> >
> >>> >Re: 9 above, I'll configure a spare workstation into the
> >>> >workgroup if I can find one.
> >>> >
> >>> >Thanks again
> >>> >Joe.
> >>> >
> >>> >>-----Original Message-----
> >>> >>Joe,
> >>> >>
> >>> >>Since the laptop is able to ping the server.. then I would check the
> >>> >>following
> >>> >>
> >>> >>1) Verify that it is pointing to the IP address of the SBS server for DNS
> >>> >>2) Verify to make sure its time is within 5 minutes of the SBS server's
> >>> >>time (be sure to verify date/time/timezone etc)
> >>> >>3) If the laptop has the Firewall/Proxy client installed you may want to
> >>> >>uninstall it at least until you get joined into the domain
> >>> >>4) Does the laptop have any Personal firewall/AV software enabled that may
> >>> >>be blocking ports/connectivity to the server?
> >>> >>5) Can you map a drive to the server?
> >>> >>
> >>> >>Any error messages received on the client and/or on the server in event logs
> >>> >>etc would help as well.
> >>> >>
> >>> >>--
> >>> >>
> >>> >>Hope that helps,
> >>> >>David Copeland
> >>> >>Microsoft Small Business Server Support
> >>> >>
> >>> >>This posting is provided "AS IS" with no warranties, and confers no rights.
> >>> >>
> >>> >>
> >>> >>"Joe Smith" <jrjsmith@ward-kirkwood.com> wrote in message
> >>> >>news:4dfc01c37655$8e4fad70$a401280a@phx.gbl...
> >>> >>> David,
> >>> >>>
> >>> >>> Thanks for your response. From it, I infer that my
> >>> >>> original plan to connect the wireless AP to the internal
> >>> >>> network (LAN) was the right way to go. It was when that
> >>> >>> didn't work, that I read the white papers, etc. and
> >>> >>> assumed that I was going down the wrong route.
> >>> >>>
> >>> >>> Currently, the laptop uses a fixed IP address in the same
> >>> >>> subnet as the SBS server (the same IP address as was used
> >>> >>> on the wired Ethernet switch) and the server can be
> >>> >>> pinged successfully when the laptop is connected to the
> >>> >>> AP. The AP is not trying to do 802.1x authentication -
> >>> >>> I'm not sure that it is capable - it is a Netgear WG602
> >>> >>> and seems pretty limited in its security capability other
> >>> >>> than WEP and limiting access to specific MAC addresses.
> >>> >>>
> >>> >>> On the original laptop connected to the wired Ethernet
> >>> >>> switch, I joined the laptop to the domain and, from then
> >>> >>> on, the user login screen included the Username, Password
> >>> >>> and Domain fields. I removed the computer entry in AD
> >>> >>> Users and Computers on the server so that I could join
> >>> >>> the new laptop to the domain. However, I have been
> >>> >>> unable to get it to join the domain although the server
> >>> >>> can be pinged successfully. When I'm next at the
> >>> >>> customer, I shall try it again to see what messages I get.
> >>> >>>
> >>> >>> Does this give you any clues, though?
> >>> >>>
> >>> >>> Thanks
> >>> >>> Joe.
> >>> >>>
> >>> >>> >-----Original Message-----
> >>> >>> >Joe,
> >>> >>> >
> >>> >>> >If they are wanting to logon to the domain then the Access Point (AP)
> >>> >>> >should be on the internal side of the SBS server.. otherwise, once they got
> >>> >>> >connected they would then need to VPN into the SBS server to logon to the
> >>> >>> >domain.. With your access point once they are connected to the AP are they
> >>> >>> >getting assigned an IP address? if so, is it from the same subnet as the SBS
> >>> >>> >server? can they ping the SBS server by IP address?
> >>> >>> >
> >>> >>> >Just to check the AP is not trying to do 802.1x authentication correct?
> >>> >>> >
> >>> >>> >--
> >>> >>> >
> >>> >>> >Hope that helps,
> >>> >>> >David Copeland
> >>> >>> >Microsoft Small Business Server Support
> >>> >>> >
> >>> >>> >This posting is provided "AS IS" with no warranties, and confers no rights.
> >>> >>> >
> >>> >>> >
> >>> >>> >"Joe Smith" <jrjsmith@ward-kirkwood.com> wrote in message
> >>> >>> >news:473f01c37619$249a5560$a501280a@phx.gbl...
> >>> >>> >> My customer has a dual-homed server running Windows Small
> >>> >>> >> Business Server 2000 with one NIC connected to the LAN
> >>> >>> >> and the other connected to the Internet via a hardware
> >>> >>> >> firewall. ISA Server 2000 is also used with some IP
> >>> >>> >> filters for Blaster, etc.
> >>> >>> >>
> >>> >>> >> This customer wants to access his domain user account on
> >>> >>> >> his laptop via a wireless access point - until now, he
> >>> >>> >> has been using a wired connection into his old laptop's
> >>> >>> >> nic.
> >>> >>> >>
> >>> >>> >> Wiring the wireless access point into the Ethernet
> >>> >>> >> switch, assigning it a LAN IP address and using MAC
> >>> >>> >> address to control access works with getting the laptop to
> >>> >>> >> work to the WAP but domain authentication is not working -
> >>> >>> >> he cannot access his user and company shared folder, etc.
> >>> >>> >>
> >>> >>> >> Reading the various white papers, etc., I think that the
> >>> >>> >> WAP needs to be wired to the hardware firewall and be
> >>> >>> >> given an IP address in the subnet used by the internal
> >>> >>> >> connection of the hardware firewall and the external
> >>> >>> >> connection of the server - effectively, the DMZ. We
> >>> >>> >> would need Certificate services running on the server
> >>> >>> >> along with RRAS, etc. so that the user authenticates with
> >>> >>> >> the server via Remote Access.
> >>> >>> >>
> >>> >>> >> Is this correct?
> >>> >>> >>
> >>> >>> >> Or is it possible to configure the WAP on the LAN and
> >>> >>> >> obtain domain authentication on this internal subnet? If
> >>> >>> >> so, how can this be achieved, please?
> >>> >>> >>
> >>> >>> >> Thanks in anticipation.
> >>> >>> >> Joe.
> >
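
Added example, not part of the original thread: the SRV lookup that nslookup performs in the tests quoted above (`set q=srv`, then `_ldap._tcp.FQDN`), built and decoded by hand so the query seen (or missing) in a netcap/NetMon trace can be matched field by field. The function names, the transaction ID and the 3-second timeout are assumptions of this example, and Python is used only for illustration.

```python
import socket
import struct

SRV = 33  # DNS record type selected by nslookup's "set q=srv"

def encode_name(name):  # dotted name -> length-prefixed labels + zero byte
    parts = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"

def build_srv_query(name, txid=0x1234):  # txid is an arbitrary example value
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    return header + encode_name(name) + struct.pack(">HH", SRV, 1)  # class IN

def read_name(msg, pos):  # -> (name, offset just past the name in the record)
    labels, end = [], None
    for _ in range(128):  # bounded, so a pointer loop cannot hang the parser
        n = msg[pos]
        if n == 0:
            return ".".join(labels), end or pos + 1
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = end or pos + 2
            pos = ((n & 0x3F) << 8) | msg[pos + 1]
        else:
            labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
            pos += 1 + n
    raise ValueError("name too long or compression pointer loop")

def parse_srv_response(msg):  # -> (rcode, [(priority, weight, port, target)])
    flags, qd, an = struct.unpack(">HHH", msg[2:8])
    pos, records = 12, []
    for _ in range(qd):
        pos = read_name(msg, pos)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = read_name(msg, pos)[1]
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        if rtype == SRV:
            prio, weight, port = struct.unpack(">HHH", msg[pos + 10:pos + 16])
            records.append((prio, weight, port, read_name(msg, pos + 16)[0]))
        pos += 10 + rdlen
    return flags & 0x000F, records

def query_srv(server_ip, name, timeout=3.0):  # None = no reply before timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name), (server_ip, 53))
        try:
            return parse_srv_response(s.recvfrom(4096)[0])
        except socket.timeout:
            return None
```

Calling `query_srv` with the server's address and the `_ldap._tcp` name returns `None` when nothing comes back, which corresponds to the laptop's "No response from server", and a tuple of response code and SRV records when the server answers, as it did for the wired workstation.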