CalNetAD Frequently Asked Questions (FAQ)

Updated 9/13/2005

  1. Why should I join CalNetAD?

  2. I want to add a machine (NETBIOS name "REASON", DNS name "reason.law.berkeley.edu") as a machine account in my OU. Do I need to change the NETBIOS name or the name in campus DNS?

  3. Can I use DHCP to hand out IP addresses?

  4. Assume that after joining AD I receive a lease for a different IP address that resolves to "boalt366-1.law.berkeley.edu". That wouldn't affect anything unless I were providing resources, right? Would I still show up as LAW-REASON in AD?

  5. How do I move a CalNetID to my OU?

  6. I see many options for the "Log on to:" field in the "Log On to Windows" dialog box that is displayed at logon: CAMPUS, HAAS, UC, BERKELEY.EDU (Kerberos Realm), etc. Which one should I be using?

  7. I used my UPN (mycalnetid@BERKELEY.EDU) and passphrase to log on, but when I try to access some resources (an NT4 file server, for example) I receive another user name and password prompt. How can I avoid this?

  8. My OU admin has reset the passphrase for my CAMPUS shadow account (CAMPUS\mycalnetid) to a known value. How do I change this passphrase to match my CalNetID passphrase?

  9. I just upgraded my CalNet ID from my employee number to a more friendly name. When will that change appear in Active Directory?

  10. I am unable to join a Windows 2000/XP machine to my OU in the campus.berkeley.edu domain of CalNetAD. What could be wrong?

  11. How do I assign student accounts a logon script and other user configuration settings using a GPO if I do not have access to the Student OU?

  12. I have a Windows XP Professional machine joined to the campus domain. When the machine is offline or disconnected from the network, cached credentials don't work as I am unable to log on using my CalNet ID. What could be wrong?

  13. How can I have my Mac, Linux, or non-member Windows workstation access resources on the domain?

  14. When managing users from a Windows 2000 Server using Active Directory Users and Computers I get an error message stating "Object Picker Cannot open because no locations from which to choose objects could be found". Is there a workaround for this?

  15. I frequently get an error message after logging in that states, "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card." However, after re-authenticating, I get another message that states that my credentials have expired. How can I fix this?

  16. When trying to connect to a Windows 2003 SP1 server via Remote Desktop with the @BERKELEY.EDU username, I get the error message "The specified domain either does not exist or could not be contacted." What is wrong?


Why should I join CalNetAD?

  1. Centrally funded and supported infrastructure of Active Directory Domain Controllers (DCs). There are currently 6 Dell servers acting as Domain Controllers for the two central domains, uc.berkeley.edu and campus.berkeley.edu. CCS-SDA engineers provide 24x7 support for the hardware, including intrusion detection software, OS upgrades, OS patches, and backup services. CalNetAD Enterprise Administrators monitor Active Directory performance and provide Active Directory help-desk support for OU administrators. This directly benefits campus departments by freeing them from the hardware and staffing costs associated with supporting the core infrastructure of an Active Directory forest.

  2. Central support for the interoperability of Active Directory with campus DNS and Kerberos services. This frees local administrators from troubleshooting these issues individually with the DNS and Kerberos services.

  3. Support for the CalNetID single sign-on environment and improved security at the desktop level. Over 60,000 CalNetID user accounts are automatically synchronized in CalNetAD. This frees local administrators from having to perform these mundane account tasks.

  4. Easier cooperation, coordination, and sharing of computing resources with other departments in CalNetAD. Transitive, two-way trusts are automatically established within the CalNetAD forest. Through the use of locally controlled security groups, departments can control access to their resources for users and machines in the forest.

  5. Local administrators can focus on the resources and the services they need to provide to their users. This local level of support can be simple or complex depending on the mix of services offered, the number of users, and the operating systems involved. For example, providing simple file and printer sharing between Windows machines has been made even easier in Active Directory. Active Directory makes it easier than it was in NT4 to centrally manage large numbers of users and machines. Group Policy Objects (GPOs) can be used to simplify management tasks. GPOs can be used to establish minimum security standards; to configure the desktop; to remotely install software; to implement Distributed File Systems; and to run startup, logon, logoff, and shutdown scripts. This means you can provide more services with fewer staff, but the staff providing these services must have a thorough understanding of the technology.


I want to add a machine (NETBIOS name "REASON", DNS name "reason.law.berkeley.edu") as a machine account in my OU. Do I need to change the NETBIOS name or the name in campus DNS?

There is no technical need to change either the host name or the DNS record unless the short (NetBIOS) version, "REASON", already exists in the CAMPUS domain (first come, first served). However, if you want to be extra polite to any potential future "REASON"s, you could change to a name less likely to collide, for example "LAW-REASON". In that case, for best results given the potential need to run a service such as peer-to-peer sharing, etc., you would update the DNS name to match.

If you decide to change the name of a machine before joining it to the CalNetAD forest, you must:

  • rename the machine
  • reboot the machine
  • join the machine to the domain
  • reboot the machine

Can I use DHCP to hand out IP addresses?

You can continue to use DHCP to assign IP addresses, but to avoid name collisions, we recommend that you use DNS-based host names for computer accounts and store this information in the AD at the time of computer object creation using the script we provide (or similar). It really only matters what the computer name is if you need to access a host by name for services, in which case either DNS will resolve the name, or you would have to resort to using WINS or LMHOST files, as is the case now.


Assume that after joining AD I receive a lease for a different IP address that resolves to "boalt366-1.law.berkeley.edu". That wouldn't affect anything unless I were providing resources, right? Would I still show up as LAW-REASON in AD?

Correct, the AD "dNSHostName" and "servicePrincipalName" attributes are not dynamic (and would not be unless we were to use AD-integrated DHCP and DDNS). However, these AD values must match the host name as locally configured on the computer for AD logon authentication to succeed, so the local values also must be stable. Neither value actually has to match reality (at least from the DNS perspective) but they must match between AD and the local system for AD logons to work.

And again, correct that this (potential) mismatch would not affect anything unless the host in question were offering services for clients depending on DNS for name resolution. Ideally, if possible, one would configure DHCP to hand out the same IP to the same MAC address each time. This is what the campus LIPS DHCP service does for one's machine homebase IP address, i.e., when you are not roaming with your laptop off of your normal (homebase) subnet.

In this scenario, clients are dynamically configured for IP addresses, but typically obtain the same IP address, and thus remain accessible via DNS. It is true that laptop users might wander into a different subnet and thus violate this accessibility rule, but as long as their local configurations for hostname remain constant, AD logons would still work.
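The two answers above (store a DNS-based host name on the computer object at creation time, and keep dNSHostName and servicePrincipalName consistent with the locally configured host name) can be checked mechanically. The following is an added illustration, not the script CalNetAD provides and not code from this page: it builds the attributes for a new computer object, checks the short name against a constructed list of existing accounts, and reports mismatches between the stored attributes and the local host name, ignoring the IP address and whatever DNS currently resolves, exactly as the answer says AD logon does.

```python
from typing import Dict, List

NETBIOS_MAX = 15  # NetBIOS computer names are at most 15 characters


def build_computer_attrs(netbios_name: str, dns_host_name: str) -> Dict[str, object]:
    """Attributes to store on the computer object when it is created.

    Normalised as Windows records them: NetBIOS name upper-case with a trailing
    '$' in sAMAccountName, DNS host name lower-case, one HOST SPN for each form.
    """
    nb = netbios_name.upper()
    if not nb or len(nb) > NETBIOS_MAX:
        raise ValueError("NetBIOS name must be 1-15 characters")
    fqdn = dns_host_name.lower()
    return {
        "sAMAccountName": nb + "$",
        "dNSHostName": fqdn,
        "servicePrincipalName": ["HOST/" + nb, "HOST/" + fqdn],
    }


def name_is_free(netbios_name: str, existing_sam_account_names: List[str]) -> bool:
    """First come, first served: the short name must not already exist in the domain."""
    wanted = netbios_name.upper() + "$"
    return wanted not in {s.upper() for s in existing_sam_account_names}


def check_identity(attrs: Dict[str, object], local_hostname: str, local_dns_suffix: str) -> List[str]:
    """List every way the AD object disagrees with the host's locally configured name.

    The current IP lease and reverse DNS are deliberately not consulted; only the
    stored attributes and the local name have to agree for AD logon to work.
    """
    problems: List[str] = []
    nb = local_hostname.upper()
    local_fqdn = f"{local_hostname}.{local_dns_suffix}".lower()
    if attrs.get("sAMAccountName") != nb + "$":
        problems.append(f"sAMAccountName is {attrs.get('sAMAccountName')!r}, expected {nb + '$'!r}")
    if str(attrs.get("dNSHostName", "")).lower() != local_fqdn:
        problems.append(f"dNSHostName is {attrs.get('dNSHostName')!r}, expected {local_fqdn!r}")
    spns = {str(s).lower() for s in attrs.get("servicePrincipalName", [])}
    for want in ("host/" + nb.lower(), "host/" + local_fqdn):
        if want not in spns:
            problems.append(f"missing servicePrincipalName {want}")
    return problems


if __name__ == "__main__":
    # Constructed sample: the LAW-REASON machine from the question above.
    attrs = build_computer_attrs("LAW-REASON", "law-reason.law.berkeley.edu")
    print(check_identity(attrs, "LAW-REASON", "law.berkeley.edu"))  # consistent: []
    print(check_identity(attrs, "REASON", "law.berkeley.edu"))      # renamed locally: mismatches
```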


How do I move a CalNetID to my OU?

You can move CalNet IDs from the default Faculty, Staff, Affiliate OU container to your OU container using the Move User page. Instructions can be found here.


I see many options for the "Log on to:" field in the "Log On to Windows" dialog box that is displayed at logon: CAMPUS, HAAS, UC, BERKELEY.EDU (Kerberos Realm), etc. Which one should I be using?

For simplicity, we recommend that you use your CalNetID-based User Principal Name (UPN) for logon to the CalNetAD. This means that you would enter:

mycalnetid@BERKELEY.EDU

into the "User name:" field and enter your CalNetID passphrase into the "Password:" field. The "Log on to:" field is disabled when you use a UPN for the user name.


I used my UPN (mycalnetid@BERKELEY.EDU) and passphrase to log on, but when I try to access some resources (an NT4 file server, for example) I receive another user name and password prompt. How can I avoid this?

Some, mostly older, Windows services do not understand the newer user credentials (UPN and Kerberos tickets) that Windows 2000 uses by default. In these cases, Windows 2000 supports using older user credentials based on NTLM and NTLMv2 technology. However, for this to work seamlessly, the CalNetID passphrase and the passphrase for the proxy (shadow) CAMPUS domain user account (CAMPUS\mycalnetid) must be synchronized to be the same. Since by default, the shadow account passphrase is randomized and not known to the user, your OU admin must reset this passphrase to a known value before you can change it to match your CalNetID passphrase.


My OU admin has reset the passphrase for my CAMPUS shadow account (CAMPUS\mycalnetid) to a known value. How do I change this passphrase to match my CalNetID passphrase?

While logged on, from your Windows 2000/XP desktop use the "Ctrl-Alt-Delete" keyboard sequence to bring up the Windows Security dialog box. Select "Change Password...", fill in the "User name:" field with your CalNetID (mycalnetid), select "CAMPUS" for the "Log on to:" field and make the passphrase changes in the remaining fields.


I just upgraded my CalNetID from my employee number to a self-selected ID. When will that change appear in Active Directory?

The new self-selected ID is automatically synchronized overnight with Active Directory. If this overnight processing delay is acceptable, then nothing else needs to be done. However, if there is a need to use the self-selected ID immediately, before the automatic nightly process runs, your local Windows administrator can perform a manual synchronization of the user attributes in Active Directory.


I am unable to join a Windows 2000/XP machine to my OU in the campus.berkeley.edu domain of CalNetAD. What could be wrong?

There are many factors that can cause errors when joining a machine to the domain. For detailed instructions and requirements for joining machines to CalNetAD, refer to the Kerberos Member Server and Workstation Setup document.


How do I assign student accounts a logon script and other user configuration settings using a GPO if I do not have access to the Student OU?

The solution is to configure loopback processing. With loopback processing, you can configure user settings in a GPO linked to the computer OU and during user logon, the user configuration node settings will also be applied. An illustration of how loopback processing can be used to assign logon scripts is shown in the Assigning a Logon Script to Student Accounts document.


I have a Windows XP Professional machine joined to the campus domain. When the machine is offline or disconnected from the network, cached credentials don't work: I am unable to log on using my CalNet ID. What could be wrong?

This is a known issue for which MS has released a hotfix. There is an associated knowledge base article, KB 825081: Cannot Use an MIT Kerberos Realm User's Cached Credentials to Log On to a Windows XP Client for this issue.


How can I have my Mac, Linux, or non-member Windows workstation access resources on the domain?

Please see our interoperability page for the instructions on how to get your Mac, Linux, or non-member Windows workstation to work with CalNetAD.


When managing users from a Windows 2000 Server using Active Directory Users and Computers I get an error message stating "Object Picker Cannot open because no locations from which to choose objects could be found". Is there a workaround for this?

This is a known issue with Windows 2000 servers in a Windows 2003 domain. As a workaround, you must connect to the PDC emulator in the domain. To do this, right-click "campus.berkeley.edu" in Active Directory Users and Computers and select "Connect to Domain Controller". Select "actdir04.campus.berkeley.edu" and click OK.


I frequently get an error message after logging in on my Windows XP workstation that states, "Windows needs your current credentials. Please lock this computer, then unlock it using your most recent password or smart card." However, after re-authenticating, I get another message that states that my credentials have expired. How can I fix this?

This can sometimes result from using cached credentials to authenticate. An easy workaround is to force the system to wait for the network to become available before completing authentication. See KB 305293: Windows XP Fast Logon Optimization Feature for a description on how to set this via a GPO.


When trying to connect to a Windows 2003 SP1 server via Remote Desktop with the @BERKELEY.EDU username, I get the error message "The specified domain either does not exist or could not be contacted." What is wrong?

This is related to the changes introduced by SP1 for Windows 2003. Use the registry hack workaround mentioned in KB815266.
