Thanks -----Original Message----- From: Rick Kingslan [mailto:rkingsla@;cox.net] Sent: Thursday, October 31, 2002 5:45 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] RAS
Congrats on figuring it out, and good work. Rick Kingslan - Microsoft MVP [Windows NT/2000] Microsoft Certified Trainer MCSA, MCSE+I - Windows NT / 2000 "Any sufficiently advanced technology is indistinguishable from magic." --- Arthur C. Clarke > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of > Salandra, Justin A. > Sent: Thursday, October 31, 2002 8:59 AM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] RAS > > > I figured it out, the Domain Users group from the Child > Domain needed to be added to the RAS Servers local users > group. Child Domain users can now login. > > -----Original Message----- > From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org] > Sent: Thursday, October 31, 2002 9:28 AM > To: '[EMAIL PROTECTED]' > Subject: RE: [ActiveDir] RAS > > I as a administrator or any regular user in the parent domain > where the RRAS server is located do not have difficulty > access or dialing up to the RAS server. However all users > have a problem access the RAS Server that have user accounts > in the child domain. > > I already added the RRAS Server computer account to all the > RAS and IAS Server groups in all domains. This has not > helped the situation. I appreciate all your help on this > subject, but what I have done so far has not resolved the problem. > > According to what someone else posted I need to have a child > domain controller in the same site as the RRAS Server which > is in the parent. That would mean that I would have one site > with the parent and child DCs together but separated > physically by a WAN Link. I do not want to have to do that. > > -----Original Message----- > From: Rick Kingslan [mailto:rkingsla@;cox.net] > Sent: Thursday, October 31, 2002 1:49 AM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] RAS > > All three of these events lead me to believe that there is an > authentication problem at the RRAS server - not the > authentication of the user, but that the RRAS server is not > able to authenticate them. This very well could be due to a > credential problem at the RRAS server, authentication method > chosen, (i.e. WinMe or NT 4.0 cannot authenticate to > Kerberos) or that the RRAS server needs to be registered with > credentials that it can operate with. > > I'm assuming that the users that are logging in are not > administrators (do you have a problem using the RRAS > server?), hence the credential problem discussed in MS Q 227747. > > Look at these and see if they help, Justin. > > For event 20187, see > http://www.eventid.net/display.asp?eventid=20187&source= > For event 20073, see > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q227747 > > However, I am convinced that: > > 1. You don't need RADIUS or IAS and > 2. Your WAN between domains is not the problem (timeout or otherwise) > > Good luck! > > Rick Kingslan - Microsoft MVP [Windows NT/2000] > Microsoft Certified Trainer > MCSA, MCSE+I - Windows NT / 2000 > > "Any sufficiently advanced technology > is indistinguishable from magic." > --- Arthur C. Clarke > > > > > > > -----Original Message----- > > From: [EMAIL PROTECTED] > > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of > > Salandra, Justin A. > > Sent: Wednesday, October 30, 2002 8:29 PM > > To: '[EMAIL PROTECTED]' > > Subject: RE: [ActiveDir] RAS > > > > > > Here look at these > > > > Event Type: Warning > > Event Source: RemoteAccess > > Event Category: None > > Event ID: 20187 > > Date: 10/30/2002 > > Time: 4:24:51 PM > > User: N/A > > Computer: CHCS56KRAS > > Description: > > The user jlevine failed an authentication attempt due to > the following > > reason: There was an authentication failure because of an > > unknown user name or a bad password. > > > > Event Type: Error > > Event Source: RemoteAccess > > Event Category: None > > Event ID: 20073 > > Date: 10/30/2002 > > Time: 4:25:06 PM > > User: N/A > > Computer: CHCS56KRAS > > Description: > > The following error occurred in the Point to Point Protocol > > module on port: COM4, UserName: CRNH\jlevine. The > > authentication server did not respond to authentication > > requests in a timely fashion. > > Data: > > 0000: a2 03 00 00 c... > > > > Event Type: Warning > > Event Source: RemoteAccess > > Event Category: None > > Event ID: 20014 > > Date: 10/30/2002 > > Time: 4:23:52 PM > > User: N/A > > Computer: CHCS56KRAS > > Description: > > The user JCostello has connected and failed to authenticate > > on port COM4. The line has been disconnected. > > > > I have verified that all these users have the dial in > > property set and that their passwords are correct. > > > > Justin > > > > > > -----Original Message----- > > From: Rick Kingslan [mailto:rkingsla@;cox.net] > > Sent: Wednesday, October 30, 2002 6:45 PM > > To: [EMAIL PROTECTED] > > Subject: RE: [ActiveDir] RAS > > > > > > Justin, > > > > Please re-read the Q article that you cited. This makes the > > distinct statement that you are already using IAS (Microsoft > > Internet Authentication Service), so this has nothing to do > > with the problem that you're experiencing. > > > > Unless, however, you are using IAS on your RAS server to set > > up authentication / auditing. > > > > And, you should NOT have to set up RADIUS, IAS or any other > > complex mechanisms to allow users to access the child domain > > if they are authenticating to the parent, WAN or not. Linton > > is absolutely correct in his statements. > > > > Clearly there is another problem here, and it has nothing to > > do with RADIUS or IAS. What else do you have in the event > > logs of the RAS server that might help? > > > > Rick Kingslan - Microsoft MVP [Windows NT/2000] > > Microsoft Certified Trainer > > MCSA, MCSE+I - Windows NT / 2000 > > > > "Any sufficiently advanced technology > > is indistinguishable from magic." > > --- Arthur C. Clarke > > > > > > > > > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] > > > [mailto:ActiveDir-owner@;mail.activedir.org] On Behalf Of > > > Salandra, Justin A. > > > Sent: Wednesday, October 30, 2002 5:09 PM > > > To: '[EMAIL PROTECTED]' > > > Subject: RE: [ActiveDir] RAS > > > > > > > > > I am getting a error message that says Error 930; The > Authentication > > > Server Did Not Respond to Authentication Requests in a Timely > > > Fashion > > > > > > According to this error message on this Q article Q299684 - Error > > > Message: Error 930; The Authentication Server Did Not Respond to > > > Authentication Requests in a Timely Fashion they say to setup > > > RADIUS, do I need to do that? Does anyone know how to configure a > > > RADIUS Server so that it will authenticate users in a > child domain > > > in the child domain and the rest of the users against the parent > > > domain? -----Original Message----- > > > From: Linton Smith (WBTQ) [mailto:GWLLES@;Weston.ca] > > > Sent: Wednesday, October 30, 2002 6:00 PM > > > To: '[EMAIL PROTECTED]' > > > Subject: RE: [ActiveDir] RAS > > > > > > That's why I'm suggesting you put a DC for the child > domain in the > > > site with the RAS server in it. Otherwise, the authentication > > > traffic will have to go over the WAN. For a RAS user, the > > > performance hit may be negligible given that his > connection speed is > > > probably less than available on the WAN link, but there are other > > > considerations as well - i.e. what resources will the > dialed-in user > > > be accessing, and where will they be located? How many > concurrent > > > RAS users do you wish to support? > > > > > > All of this will work (assuming DNS is working properly) > over a WAN > > > without a DC or the accessed resources being in the same > site as the > > > RAS server, but performance may be constrained by available > > > bandwidth on the WAN link. You can eliminate the authentication > > > traffic from the WAN if there is a local DC for the child > domain in > > > the site with the RAS server. > > > > > > HTH, > > > > > > Linton > > > > > > -----Original Message----- > > > From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org] > > > Sent: Wednesday, October 30, 2002 5:35 PM > > > To: '[EMAIL PROTECTED]' > > > Subject: RE: [ActiveDir] RAS > > > > > > > > > But the RAS server and the Child Domain are separated by > a WAN Link > > > > > > -----Original Message----- > > > From: Linton Smith (WBTQ) [mailto:GWLLES@;Weston.ca] > > > Sent: Wednesday, October 30, 2002 5:28 PM > > > To: '[EMAIL PROTECTED]' > > > Subject: RE: [ActiveDir] RAS > > > > > > Yes, but you will want to have a DC for the child domain > in the same > > > site as the RAS server to ensure rapid authentication. > > > > > > Linton > > > > > > -----Original Message----- > > > From: Salandra, Justin A. [mailto:jasalandra@;chcsnet.org] > > > Sent: Wednesday, October 30, 2002 5:09 PM > > > To: ActiveDir (E-mail) > > > Subject: [ActiveDir] RAS > > > > > > > > > If I have a domain tree with a RAS Server in the Parent, > can a user > > > dial in to that RAS server and login as a user in the > child domain? > > > > > > Justin A. Salandra, MCSE > > > Senior Network Engineer > > > Catholic Healthcare System > > > 914.681.8117 office > > > 646.483.3325 cell > > > [EMAIL PROTECTED] <mailto:jasalandra@;chcsnet.org> > > > > > > List info : http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > List info : > > > http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > List info : > > > http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > List info : > > > http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > List info : > > > http://www.activedir.org/mail_list.htm > > > List FAQ : http://www.activedir.org/list_faq.htm > > > List archive: > > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > > > > > List info : http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > List info : > > http://www.activedir.org/mail_list.htm > > List FAQ : http://www.activedir.org/list_faq.htm > > List archive: > > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > > > > List info : http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > > List info : > http://www.activedir.org/mail_list.htm > List FAQ : http://www.activedir.org/list_faq.htm > List archive: > http://www.mail-archive.com/activedir%> 40mail.activedir.org/ > List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
