Compatible Support Forums
HarU

Here's an interesting one....


Clutch, I require your expertise. And of course, all other net admins. :)

Anyway, I'm having a problem with win2k machines logging in with cached profiles and trying to share with each other while not connected to a Domain Controller. Here is the situation:

2 accountants in the office use laptops. While they are in the office, they log into our domain and everything is fine of course. But when they leave to go on an audit, they take the laptops with them. While they are off site they have to be able to replicate some databases over the internet. They get put on the other company's network, but we want to keep them on a little peer to peer by themselves. In other words, we don't want them joining the other company's domain. The way we do this is by having them enter their user name, password, and OUR domain when they log in. The SAM has their profiles and accounts cached, so they log in perfectly fine. (So they are now on a workgroup with the same name as our domain in the office. This separates them from the other company's domain, but enables them to share with each other...or so you would assume.) Here's where the problem comes...when they go to browse the network, they see each other, and only each other...which is fine...that's what we want, but when they try to access each other's computers, they get an error saying "there are no available login servers to service the logon request."

I was wondering if you, Clutch, or anyone else knew how to fix this without changing any other network settings. I was fiddling around with security policies, but I still couldn't get it to work. Any help/ideas would be greatly appreciated. Thanks guys..


Has each accountant logged on to one another's laptop, so that both accounts' credentials are on *both* laptops? I know what you are talking about, but I haven't had a need to set up laptops so that they can share files between themselves. If I get a chance here, I'll dig up a couple and take a look.


Hmmm, no I haven't...I will try that..

Thanks for the quick reply. If you find anything out, please enlighten me. Thanks again man.


NP. Normally the authentication chain will start with local authentication, and then escalate up to BDCs (AD DCs without a GC), and then to PDCs (AD DCs with a GC, or DCs set to act as PDCs for legacy and 3rd party OSs/applications such as Linux/Samba). If both accounts are valid on the hosting laptop, it should allow the connecting one "in".


What if you programmed the lmhosts file to identify the IP address of the DC? Of course, this assumes they have inet access from the other network. But at least then their computers would know where to look for the authentication, right?

 

"%windir%\system32\drivers\etc\lmhosts.sam" has the basic documentation and examples for this.

Quote:

What if you programmed the lmhosts file to identify the IP address of the DC? Of course, this assumes they have inet access from the other network. But at least then their computers would know where to look for the authentication, right?

"%windir%\system32\drivers\etc\lmhosts.sam" has the basic documentation and examples for this.


That would be great (I have done this to allow remote workstations to get to Exchange servers in the past), but it sounds like he doesn't have a DC set up on the edge of his network to handle authentication (not to mention that would be a major security risk). It's a sound idea, but I'm not sure that's what he's looking for.


Yeah, that is a good idea viper, thx for posting. But, unfortunately, Clutch is right.

This is such a weird issue...I've never had to deal with anything like this and I'm completely stumped. I've been reading TechNet and win2k admin books all day long. lol

I found a slight workaround...having them log in locally and mapping drives to their static IPs...but these people are so anal and very computer illiterate that I know they would b|tch about multiple profiles and the fact that they would actually have to think before doing anything. Plz continue to inform me of any ideas, I really appreciate your help. I am beginning to think that this is impossible to do...but I don't want to give up yet. Thanks again guys.
