I figured it out, the Domain Users group from the Child Domain needed to be added to the RAS Servers local users group. Child Domain users can now login.
-----Original Message----- From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org] Sent: Thursday, October 31, 2002 9:28 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] RAS I as a administrator or any regular user in the parent domain where the RRAS server is located do not have difficulty access or dialing up to the RAS server. However all users have a problem access the RAS Server that have user accounts in the child domain. I already added the RRAS Server computer account to all the RAS and IAS Server groups in all domains. This has not helped the situation. I appreciate all your help on this subject, but what I have done so far has not resolved the problem. According to what someone else posted I need to have a child domain controller in the same site as the RRAS Server which is in the parent. That would mean that I would have one site with the parent and child DCs together but separated physically by a WAN Link. I do not want to have to do that. -----Original Message----- From: Rick Kingslan [mailto:rkingsla@;cox.net] Sent: Thursday, October 31, 2002 1:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] RAS All three of these events lead me to believe that there is an authentication problem at the RRAS server - not the authentication of the user, but that the RRAS server is not able to authenticate them. This very well could be due to a credential problem at the RRAS server, authentication method chosen, (i.e. WinMe or NT 4.0 cannot authenticate to Kerberos) or that the RRAS server needs to be registered with credentials that it can operate with. I'm assuming that the users that are logging in are not administrators (do you have a problem using the RRAS server?), hence the credential problem discussed in MS Q 227747. Look at these and see if they help, Justin. For event 20187, see http://www.eventid.net/display.asp?eventid=20187&source= For event 20073, see http://support.microsoft.com/default.aspx?scid=kb;en-us;Q227747 However, I am convinced that: 1. You don't need RADIUS or IAS and 2. Your WAN between domains is not the problem (timeout or otherwise) Good luck! Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 "Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of > Salandra, Justin A. > Sent: Wednesday, October 30, 2002 8:29 PM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] RAS > > > Here look at these > > Event Type: Warning > Event Source: RemoteAccess > Event Category: None > Event ID: 20187 > Date: 10/30/2002 > Time: 4:24:51 PM > User: N/A > Computer: CHCS56KRAS > Description: > The user jlevine failed an authentication attempt due to the following > reason: There was an authentication failure because of an > unknown user name or a bad password. > > Event Type: Error > Event Source: RemoteAccess > Event Category: None > Event ID: 20073 > Date: 10/30/2002 > Time: 4:25:06 PM > User: N/A > Computer: CHCS56KRAS > Description: > The following error occurred in the Point to Point Protocol > module on port: COM4, UserName: CRNH\jlevine. The > authentication server did not respond to authentication > requests in a timely fashion. > Data: > 0000: a2 03 00 00 c... > > Event Type: Warning > Event Source: RemoteAccess > Event Category: None > Event ID: 20014 > Date: 10/30/2002 > Time: 4:23:52 PM > User: N/A > Computer: CHCS56KRAS > Description: > The user JCostello has connected and failed to authenticate > on port COM4. The line has been disconnected. > > I have verified that all these users have the dial in > property set and that their passwords are correct. > > Justin > > > -----Original Message----- > From: Rick Kingslan [mailto:rkingsla@;cox.net] > Sent: Wednesday, October 30, 2002 6:45 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] RAS > > > Justin, > > Please re-read the Q article that you cited. This makes the > distinct statement that you are already using IAS (Microsoft > Internet Authentication Service), so this has nothing to do > with the problem that you're experiencing. > > Unless, however, you are using IAS on your RAS server to set > up authentication / auditing. > > And, you should NOT have to set up RADIUS, IAS or any other > complex mechanisms to allow users to access the child domain > if they are authenticating to the parent, WAN or not. Linton > is absolutely correct in his statements. > > Clearly there is another problem here, and it has nothing to > do with RADIUS or IAS. What else do you have in the event > logs of the RAS server that might help? > > Rick Kingslan - Microsoft MVP [Windows NT/2000] > Microsoft Certified Trainer > MCSA, MCSE+I - Windows NT / 2000 > > "Any sufficiently advanced technology > is indistinguishable from magic." > --- Arthur C. Clarke > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of > > Salandra, Justin A. > > Sent: Wednesday, October 30, 2002 5:09 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] RAS > > > > > > I am getting a error message that says Error 930; The > > Authentication Server Did Not Respond to Authentication > > Requests in a Timely Fashion > > > > According to this error message on this Q article Q299684 - > > Error Message: Error 930; The Authentication Server Did Not > > Respond to Authentication Requests in a Timely Fashion they > > say to setup RADIUS, do I need to do that? Does anyone know > > how to configure a RADIUS Server so that it will authenticate > > users in a child domain in the child domain and the rest of > > the users against the parent domain? -----Original Message----- > > From: Linton Smith (WBTQ) [mailto:GWLLES@;Weston.ca] > > Sent: Wednesday, October 30, 2002 6:00 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] RAS > > > > That's why I'm suggesting you put a DC for the child domain > > in the site with the RAS server in it. Otherwise, the > > authentication traffic will have to go over the WAN. For a > > RAS user, the performance hit may be negligible given that > > his connection speed is probably less than available on the > > WAN link, but there are other considerations as well - i.e. > > what resources will the dialed-in user be accessing, and > > where will they be located? How many concurrent RAS users do > > you wish to support? > > > > All of this will work (assuming DNS is working properly) over > > a WAN without a DC or the accessed resources being in the > > same site as the RAS server, but performance may be > > constrained by available bandwidth on the WAN link. You can > > eliminate the authentication traffic from the WAN if there is > > a local DC for the child domain in the site with the RAS server. > > > > HTH, > > > > Linton > > > > -----Original Message----- > > From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org] > > Sent: Wednesday, October 30, 2002 5:35 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] RAS > > > > > > But the RAS server and the Child Domain are separated by a WAN Link > > > > -----Original Message----- > > From: Linton Smith (WBTQ) [mailto:GWLLES@;Weston.ca] > > Sent: Wednesday, October 30, 2002 5:28 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] RAS > > > > Yes, but you will want to have a DC for the child domain in > > the same site as the RAS server to ensure rapid authentication. > > > > Linton > > > > -----Original Message----- > > From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org] > > Sent: Wednesday, October 30, 2002 5:09 PM > > To: ActiveDir (E-mail) > > Subject: [ActiveDir] RAS > > > > > > If I have a domain tree with a RAS Server in the Parent, can > > a user dial in to that RAS server and login as a user in the > > child domain? > > > > Justin A. Salandra, MCSE > > Senior Network Engineer > > Catholic Healthcare System > > 914.681.8117 office > > 646.483.3325 cell > > [EMAIL PROTECTED] <mailto:jasalandra@;chcsnet.org> > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
