Windows 2000 Professional on Microsoft Networks

After you have added the Windows 2000 Professional–based computer to the domain or workgroup, you need to verify that the move was successful. To do so, restart the computer. After you press Ctrl+Alt+Del, check the Log on to list. If you have joined a domain, the list should include the logon domain and any of its trusted domains. This is the first step to verify that you have successfully added the computer account to the logon domain.

To test a valid user account, log on to the logon or trusted domain. If you can log on to the domain by using the logon credentials located at the domain controller, then access to user accounts at the selected domain has been successfully granted. If a message is displayed indicating that you are connected by using cached credentials, this indicates that the domain controller could not be contacted during the account authentication process. Verify that the physical connection (network adapter and cables) and logical connection (transport protocol configuration) permit access to the domain controller.

The Nltest.exe utility included with the Windows 2000 Professional Resource Kit CD is a command-line utility that can be used to test the logical connection between a Windows 2000 Professional computer and a Windows 2000 or Windows NT domain controller. Nltest.exe can also be used to determine if a user account can be successfully authenticated by a domain controller, to determine which domain controller will perform the authentication, and to provide a list of trusted domains.

The logical connection between the Windows 2000 Professional computer and the domain controller is known as a secure channel. Secure channels are used to authenticate Windows 2000 and Windows NT computer accounts and to authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain (pass-through authentication). A secure channel must exist in order for account authentication to be performed. Nltest.exe can test secure channels and reset them if necessary.

The syntax of Nltest.exe is:

nltest [/OPTIONS]

Table 23.5 contains a list of options that are useful in determining authentication and secure channel status.

Table 23.5 Nltest.exe Options and Functions

Nltest Option                               Function
------------------------------------------  ---------------------------------------------------------------
/SERVER:<ServerName>
/SC_QUERY:<DomainName>                      Queries secure channel for <Domain> on <ServerName>.
/DCLIST:<DomainName>                        Obtains list of domain controllers for <DomainName>.
/DCNAME:<DomainName>                        Obtains the PDC name for <DomainName>.
/DCTRUST:<DomainName>                       Obtains the name of the DC that is used for the trust of <DomainName>.
/WHOWILL:<DomainName>* <User> [<Iteration>] Displays which <DomainName> will log on <User>.
/FINDUSER:<User>                            Displays which trusted <Domain> will log on <User>.
/USER:<UserName>                            Queries User info on <ServerName>.
/TRUSTED_DOMAINS                            Queries names of domains trusted by workstation.

The following examples show a Windows 2000 Professional computer, Client1, that is a member of the Windows NT 4.0 domain Main_dom. The account User1 has been created within the domain.

To determine the domain controllers in the Main_dom domain:

C:\>nltest /dclist:Main_dom
List of DCs in Domain Main_dom
\\NET1 (PDC)
The command completed successfully

To determine if the domain controller Net1 can authenticate the user account User1:

C:\>nltest /whowill:Main_dom User1
[20:58:55] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC939)
[20:58:55] Response 0: S:\\NET1 D:Main_dom A:User1 (Act found)
The command completed successfully

S: indicates the domain controller that will authenticate the account, D: indicates the domain the account is a member of, and A: indicates the account name.

To determine if the workstation Client1 has a secure connection with a domain controller within the Main_Dom domain:

C:\>nltest /server:Client1 /sc_query:Main_Dom
Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

For more information about the Nltest.exe utility, including all option parameters, see the Windows 2000 Professional Resource Kit CD.
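The /sc_query and /whowill output shown above can be checked by a script rather than by eye, for example when verifying many workstations after a domain join. The following Python parser is an added example, not part of the Resource Kit or of Nltest.exe; the function names are hypothetical, the two passing samples are copied from this page, and the failing sample is constructed for illustration.

```python
import re

# Output copied from the page's examples (no nltest run is needed).
SC_QUERY_OK = r"""Flags: 0
Connection Status = 0 0x0 NERR_Success
Trusted DC Name \\NET1
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully"""
WHOWILL_OK = r"""[20:58:55] Mail message 0 sent successfully (\MAILSLOT\NET\GETDC939)
[20:58:55] Response 0: S:\\NET1 D:Main_dom A:User1 (Act found)
The command completed successfully"""
# Constructed failure sample (assumption): same layout, no DC reachable.
SC_QUERY_BROKEN = r"""Flags: 0
Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
Trusted DC Name
Trusted DC Connection Status Status = 1311 0x51f ERROR_NO_LOGON_SERVERS"""

STATUS_RE = re.compile(r"^(.*?Status)\s*=\s*(\d+)\s+0x[0-9a-fA-F]+\s+(\S+)$")
DC_RE = re.compile(r"^Trusted DC Name\s*(\\\\\S+)?$")
WHOWILL_RE = re.compile(
    r"Response \d+:\s+S:(?P<server>\S+)\s+D:(?P<domain>\S+)"
    r"\s+A:(?P<account>\S+)\s+\((?P<result>[^)]*)\)")

def parse_sc_query(text):
    """Collect every 'Status = <code>' line and the trusted DC name."""
    out = {"trusted_dc": None, "statuses": {}}
    for line in (l.strip() for l in text.splitlines()):
        status, dc = STATUS_RE.match(line), DC_RE.match(line)
        if status:
            out["statuses"][status.group(1)] = (int(status.group(2)), status.group(3))
        elif dc:
            out["trusted_dc"] = dc.group(1)
    codes = [code for code, _ in out["statuses"].values()]
    # Healthy only if a DC is named and every reported status code is 0.
    out["healthy"] = bool(codes) and all(c == 0 for c in codes) and out["trusted_dc"] is not None
    return out

def parse_whowill(text):
    """Split the S:/D:/A: response line; None if no DC answered."""
    m = WHOWILL_RE.search(text)
    if m is None:
        return None
    fields = m.groupdict()
    fields["found"] = fields["result"] == "Act found"  # marker seen in the page's sample
    return fields

if __name__ == "__main__":
    print(parse_sc_query(SC_QUERY_OK))
    print(parse_sc_query(SC_QUERY_BROKEN))
    print(parse_whowill(WHOWILL_OK))
```

A workstation whose result is not healthy has no working secure channel, which is the condition under which logons fall back to cached credentials.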

After computer and user account authentication has been verified, make sure all logon scripts perform as expected. Check to see that network shares, batch files, and utilities have been configured as indicated by the logon script.

Check to see if existing local Group Policy causes unexpected results when it is configured with a Windows NT system policy or Windows 2000 domain Group Policy. For example, if local Group Policy is configured to remove entries from the Start menu, those local settings will be overridden by the Windows 2000 domain Group Policy when the user logs on to the domain. For more information about local Group Policy coexistence with Windows 2000 domain Group Policy settings or Windows NT system policy, see Group and System Policies in this chapter.

To test workgroup membership, log on to the local computer by using a valid user name and password. You should be able to access all local computer resources as well as see other workgroup computers in My Network Places.