BOINC and Domain Controller

Message boards : Number crunching : BOINC and Domain Controller
Rom Walton (BOINC)
Volunteer tester
Joined: 28 Apr 00
Posts: 579
Credit: 130,733
RAC: 0
United States
Message 967662 - Posted: 2 Feb 2010, 7:37:03 UTC - in response to Message 966193.  
Last modified: 2 Feb 2010, 7:37:22 UTC

or novell network shares


Just so long as you're not still running IPX/SPX?? :-)

IPX/SPX had one huge advantage not shared by NetBIOS over TCP/IP: it's drop-dead simple.

Our "modern" windows networks were born as an IBM product designed for networks around five nodes, and have been continually kluged to make them "scale" to the size of an enterprise. "Browsers" to cut down on broadcasts, "Master Browsers" to cut down on browser traffic, Domain Controllers to layer better security, WINS to map NetBIOS names to IP addresses, then the DNS kluge to replace WINS (and put internal and external resolution into the same pile) and finally Active Directory.

All of that while IPX just worked.


If I remember my networking history correctly, NetBIOS over TCP/IP is really just a hack.

In the beginning Windows used NetBEUI, and Browse Masters/Domain Controllers (pre-Active Directory) basically provided a mechanism for replicating computer names across logical Ethernet segments. NetBEUI networks were also drop-dead easy. The only requirement was a unique computer name.

NetBEUI wasn't a routable protocol. NetBEUI was also a very chatty protocol; I remember one installation where we had a thicknet backbone and 100 nodes, and network utilization at night (machines idle) was something like 15%. Thicknet was a 10 Mbit network.

IPX/SPX was routable, and primarily used in Novell Netware environments.

Basically both Novell and Microsoft saw the writing on the wall with TCP/IP becoming the standard and changed directions.

Microsoft created WINS as a way to migrate name resolution of computer names from a NetBIOS/NETBEUI centric environment to the longer term DNS name resolution scheme.

I haven't tried lately, but I believe in the Active Directory/DNS world, you can do away with WINS. Both the UNC spec and the SMB/CIFS spec support DNS name resolution. The computer browser lists are handled via UDP I believe.
----- Rom
BOINC Development Team, U.C. Berkeley
My Blog
ID: 967662
Pappa
Volunteer tester
Joined: 9 Jan 00
Posts: 2562
Credit: 12,301,681
RAC: 0
United States
Message 966545 - Posted: 29 Jan 2010, 3:11:53 UTC - in response to Message 966287.  
Last modified: 29 Jan 2010, 3:14:52 UTC

I like this post best; I was working to stay away from "Anything Policy," as there are Nasty things that can bite you... The Good News is that "policy" can be exported, carried to "another machine" and imported. Once again, that adds a layer of complexity. I have connected remote resources TCP/IP-only with authentication. There are tools that will allow you to do that.

Well, I work in an environment where I have an older Samba server offering some shares I need access to that I couldn't access when I upgraded to Windows 7 on my laptop. What I found that worked was to dumb the Windows 7 system down to the older NTLM. I found this on the Web and it worked perfectly fine for me:

On the Windows 7 Laptop:

Control Panel - Administrative Tools - Local Security Policy
Local Policies - Security Options
Network Security: LAN Manager Authentication Level
"Send LM & NTLM Responses"

Minimum session security for NTLM SSP
Disable "Require 128-bit encryption"

This should let your Windows 7 client access shares from a Samba or older Windows based Server. The caveat being that you have now downgraded your Windows 7 client to a much less secure security environment. If your file sharing is all at home and behind a firewall, it's less of a concern. But tighter security is always a good thing in the world of computers these days...

This covers your concerns about being able to access the shares, with your stated issues being the NTLMv2 and 128-bit encryption. But even when I couldn't access my Samba shares, I could still list them. It just couldn't negotiate a secure connection to access them. So your ultimate problem may be different.

In the world of SMB shares, there's normally a BrowseMaster that keeps the list of resources available. And by default, the newest version MS O/S is going to want to take that role. Maybe there's your problem then... As I understand it, the installation of A/D will actually trump the O/S version card. The A/D Domain Controller wins over the latest O/S. And should by default enable the BrowseMaster functionality, whereas your workstation level installation on the Laptop may not have offered to be part of the BrowseMaster elections. Which would leave your older server offering the shares as the BrowseMaster. Which, oh by the way, you can't establish a secure connection to access the list. Maybe that is the issue. (My Samba server is a member of an A/D Domain so it wouldn't have been the BrowseMaster. So my Win7 Laptop *could* get the list from the network, even when it couldn't authenticate to access the shares...)


When I set up my Win7 RC1, I set up simple sharing on the network. I went into the Network adapter settings and under Advanced settings, "WINS", ENABLED NetBIOS over TCP/IP (my home router does not provide that). The net result is that NetBIOS Ports 136-139 are enabled for NetBIOS traffic (on the Private Network). My Server handles the Master Browser information. My first connection to my Server File share was from an Administrative Command prompt with the simple statement:

net use z: //servername/sharename /U:administrator *

The net effect was that this contacted the server and asked it if there was a share there by that name that I could connect to at the Lowest Protocol level. It prompted me for the "password", which I typed in. I connected.

So on my home network, I Do Not have DNS set up, I Do Not have WINS set up and I Do Not have Active Directory set up. The Server takes care of the Master Browser. I do have the very "chatty" NetBIOS installed.

Important: In my Router Firewall I DO Block ports 135 through 139 and 445, which prevents the outside world from seeing my NetBIOS Traffic, or just "ANYONE" trying to connect. Many inexpensive routers can leave these ports open to the world... That is why I HATE Linksys! After rebuilding a machine I actually saw someone attempting to break in via NetBIOS, before those ports were specifically blocked. They danced me around until the router was out of warranty and then told me to have a nice life.

I will say that I really like the improvements in the Win7 Firewall compared to Vista. Vista's was Braindead. But then, I have managed firewalls before and have an idea of what they should look like.


Regards
Please consider a Donation to the Seti Project.

ID: 966545
1mp0£173
Volunteer tester
Joined: 3 Apr 99
Posts: 8423
Credit: 356,897
RAC: 0
United States
Message 966327 - Posted: 28 Jan 2010, 4:46:37 UTC - in response to Message 966325.  
Last modified: 28 Jan 2010, 4:48:02 UTC

... and when I see "mycompany.com" I frequently find that the server was sold by a consultant who is a Microsoft Certified Systems Engineer.


... {sigh} lots of those guys can't architect their way out of a paper bag.

That's because it wasn't part of the MCSE class.

Actually, I think the root cause is the lack of a robust NCTP as part of the IP protocol suite.

We've got SMTP, and SNMP, and NTP, and NNTP, and TFTP, but there are no implementations of NCTP, and no RFC describing it.
ID: 966327
1mp0£173
Volunteer tester
Joined: 3 Apr 99
Posts: 8423
Credit: 356,897
RAC: 0
United States
Message 966326 - Posted: 28 Jan 2010, 4:45:10 UTC - in response to Message 966303.  

First mistake is when someone sets up a network, and uses a valid internet domain when they set up the server. I have more than a few customers who cannot access their own web sites because AD uses DNS, and we have the same name space used for two purposes.

Hi Ned, you mean if someone names their AD tree "MyCompany.COM" instead of bumping it a level such as "Corp.MyCompany.COM" ?? Does DCPromo really let you do that?


Or... you can separate them completely by using MyCompany.LOCAL, though Microsoft Best Practices do prefer the method you described.

The trouble with corp.mycompany.com:

If I control the "public" DNS for mycompany.com (as a service provider) then the IT staff at "mycompany" has to either mirror my infrastructure, or they need me to delegate (one or more NS records pointed at their name server(s)) the "corp" subdomain so that queries that end up outside end up back inside.

That does two things: it means there is a path from the dot all the way to every desktop on the LAN, and it means some extra coordination (which I'm fine with, after all I'm a service provider) but it does add a little complexity to what could have been two completely separate namespaces.

My main complaint about DNS as a replacement for WINS is that these issues didn't exist when there was one method for finding names on the LAN and another for accessing resources in the rest of the world. They could have accomplished that by using DNS, but just changing the port -- so the DNS resolvers could tell if they needed the internal database or the external database (with recursion).
ID: 966326
HAL9000
Volunteer tester
Joined: 11 Sep 99
Posts: 6533
Credit: 196,805,888
RAC: 130
United States
Message 966325 - Posted: 28 Jan 2010, 4:44:14 UTC - in response to Message 966321.  

... and when I see "mycompany.com" I frequently find that the server was sold by a consultant who is a Microsoft Certified Systems Engineer.


... {sigh} lots of those guys can't architect their way out of a paper bag.

That's because it wasn't part of the MCSE class.
SETI@home classic workunits: 93,865 CPU time: 863,447 hours
Join the BP6/VP6 User Group today!
ID: 966325
52 Aces
Joined: 7 Jan 02
Posts: 497
Credit: 14,261,068
RAC: 152
United States
Message 966321 - Posted: 28 Jan 2010, 4:41:39 UTC - in response to Message 966318.  

... and when I see "mycompany.com" I frequently find that the server was sold by a consultant who is a Microsoft Certified Systems Engineer.


... {sigh} lots of those guys can't architect their way out of a paper bag.
ID: 966321
1mp0£173
Volunteer tester
Joined: 3 Apr 99
Posts: 8423
Credit: 356,897
RAC: 0
United States
Message 966318 - Posted: 28 Jan 2010, 4:37:05 UTC - in response to Message 966298.  

First mistake is when someone sets up a network, and uses a valid internet domain when they set up the server. I have more than a few customers who cannot access their own web sites because AD uses DNS, and we have the same name space used for two purposes.

Hi Ned, you mean if someone names their AD tree "MyCompany.COM" instead of bumping it a level such as "Corp.MyCompany.COM" ?? Does DCPromo really let you do that?

I see AD trees named "mycompany.com" all the time.

... but if you've got one named "corp.mycompany.com" and "mycompany.com" is hosted elsewhere, you still have issues.

You either need to make the internal name servers secondary for mycompany.com (so it can resolve things at the ISP) and then get "corp" delegated. This can be exceedingly difficult if you're dealing with a commodity-ISP who can't edit a zone file.

... or, and IMO this is far better, make the internal infrastructure mycompany.local.

At least that way you don't have any confusion over which "mycompany.com" is which.

... and when I see "mycompany.com" I frequently find that the server was sold by a consultant who is a Microsoft Certified Systems Engineer.
ID: 966318
52 Aces
Joined: 7 Jan 02
Posts: 497
Credit: 14,261,068
RAC: 152
United States
Message 966315 - Posted: 28 Jan 2010, 4:32:06 UTC - in response to Message 966302.  

Al saw it immediately. Why didn't you?

Why? Well, sorry, but Ozzie Osbourne is spotty at best in communication. Now then, moving forward, 'Gracious interpretation' is a 2-way street ;-)
ID: 966315
Matthew S. McCleary
Joined: 9 Sep 99
Posts: 121
Credit: 2,288,242
RAC: 0
United States
Message 966306 - Posted: 28 Jan 2010, 4:14:01 UTC - in response to Message 966268.  


PS: And whomever is still running WfW 3.11 should probably consider turning that off before advising others to not consider AD.


Aw, c'mon, I liked Windows 3.11.
ID: 966306
Paul D Harris
Volunteer tester
Joined: 1 Dec 99
Posts: 1122
Credit: 33,600,005
RAC: 0
United States
Message 966305 - Posted: 28 Jan 2010, 4:09:57 UTC
Last modified: 28 Jan 2010, 4:15:44 UTC

@Mumps
Thanks, you have the answer on how to configure my Win 7 laptop to see my shares on my 2000 Advanced Server, and it is good that you explained it very well. But the Active Directory solution did work without having to edit my registry and/or security policies on my Win 7 laptop.

Paul

PS: I just know a lot of people are having this problem, because of searches I've done for solutions; I found out that the Win 7 default is NTLMv2. It should have given a choice of one (NTLMv2) or the other (NTLM) or both (NTLMv2 + NTLM).
And does ntlmv2 mean NT logon manager ver 2?
ID: 966305
OzzFan
Volunteer tester
Joined: 9 Apr 02
Posts: 15687
Credit: 84,761,841
RAC: 62
United States
Message 966303 - Posted: 28 Jan 2010, 4:09:03 UTC - in response to Message 966298.  

First mistake is when someone sets up a network, and uses a valid internet domain when they set up the server. I have more than a few customers who cannot access their own web sites because AD uses DNS, and we have the same name space used for two purposes.

Hi Ned, you mean if someone names their AD tree "MyCompany.COM" instead of bumping it a level such as "Corp.MyCompany.COM" ?? Does DCPromo really let you do that?


Or... you can separate them completely by using MyCompany.LOCAL, though Microsoft Best Practices do prefer the method you described.
ID: 966303
OzzFan
Volunteer tester
Joined: 9 Apr 02
Posts: 15687
Credit: 84,761,841
RAC: 62
United States
Message 966302 - Posted: 28 Jan 2010, 4:07:59 UTC - in response to Message 966295.  

To avoid using NTLM and running into compatibility issues, don't use Active Directory.

... the above is the actual pinpoint, and the irony is there for any who care.

Please don't dismiss any technical dissection as "one-upsmanship." It's not. On this question, there are complexities and many, many layers to consider, far more than the typical S@H question. And we have lots of knowledgeable people here with direct experience on Interoperability and the history & innards of AD, so if they have something to bring to the table, I prefer they do that rather than limit the conversation to the lowest common denominator.


What you quoted wasn't exactly the context I meant it in. The fact that this couldn't be easily seen by those who are in the know - or more likely that you did know what context but chose to dissect it technically - is what makes me wave it off as one-upsmanship.

If someone has something to bring to the table, I'd rather they focus on the actual question at hand instead of focusing on out-of-context comments that weren't written directly from a book and were given in brevity to explain why I believe the advice was bad in the first place.

Al saw it immediately. Why didn't you?
ID: 966302
52 Aces
Joined: 7 Jan 02
Posts: 497
Credit: 14,261,068
RAC: 152
United States
Message 966298 - Posted: 28 Jan 2010, 3:56:19 UTC - in response to Message 966285.  

First mistake is when someone sets up a network, and uses a valid internet domain when they set up the server. I have more than a few customers who cannot access their own web sites because AD uses DNS, and we have the same name space used for two purposes.

Hi Ned, you mean if someone names their AD tree "MyCompany.COM" instead of bumping it a level such as "Corp.MyCompany.COM" ?? Does DCPromo really let you do that?
ID: 966298
52 Aces
Joined: 7 Jan 02
Posts: 497
Credit: 14,261,068
RAC: 152
United States
Message 966295 - Posted: 28 Jan 2010, 3:54:44 UTC - in response to Message 966283.  

To avoid using NTLM and running into compatibility issues, don't use Active Directory.

... the above is the actual pinpoint, and the irony is there for any who care.

Please don't dismiss any technical dissection as "one-upsmanship." It's not. On this question, there are complexities and many, many layers to consider, far more than the typical S@H question. And we have lots of knowledgeable people here with direct experience on Interoperability and the history & innards of AD, so if they have something to bring to the table, I prefer they do that rather than limit the conversation to the lowest common denominator.
ID: 966295
Mumps [MM]
Volunteer tester
Joined: 11 Feb 08
Posts: 4454
Credit: 100,893,853
RAC: 68
United States
Message 966287 - Posted: 28 Jan 2010, 3:39:42 UTC

Well, I work in an environment where I have an older Samba server offering some shares I need access to that I couldn't access when I upgraded to Windows 7 on my laptop. What I found that worked was to dumb the Windows 7 system down to the older NTLM. I found this on the Web and it worked perfectly fine for me:

On the Windows 7 Laptop:

Control Panel - Administrative Tools - Local Security Policy
Local Policies - Security Options
Network Security: LAN Manager Authentication Level
"Send LM & NTLM Responses"

Minimum session security for NTLM SSP
Disable "Require 128-bit encryption"

This should let your Windows 7 client access shares from a Samba or older Windows based Server. The caveat being that you have now downgraded your Windows 7 client to a much less secure security environment. If your file sharing is all at home and behind a firewall, it's less of a concern. But tighter security is always a good thing in the world of computers these days...

This covers your concerns about being able to access the shares, with your stated issues being the NTLMv2 and 128-bit encryption. But even when I couldn't access my Samba shares, I could still list them. It just couldn't negotiate a secure connection to access them. So your ultimate problem may be different.

In the world of SMB shares, there's normally a BrowseMaster that keeps the list of resources available. And by default, the newest version MS O/S is going to want to take that role. Maybe there's your problem then... As I understand it, the installation of A/D will actually trump the O/S version card. The A/D Domain Controller wins over the latest O/S. And should by default enable the BrowseMaster functionality, whereas your workstation level installation on the Laptop may not have offered to be part of the BrowseMaster elections. Which would leave your older server offering the shares as the BrowseMaster. Which, oh by the way, you can't establish a secure connection to access the list. Maybe that is the issue. (My Samba server is a member of an A/D Domain so it wouldn't have been the BrowseMaster. So my Win7 Laptop *could* get the list from the network, even when it couldn't authenticate to access the shares...)
ID: 966287
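The two Local Security Policy settings changed above are stored in the registry as LmCompatibilityLevel (HKLM\SYSTEM\CurrentControlSet\Control\Lsa) and NtlmMinClientSec (...\Lsa\MSV1_0). The following script, an added example that is not from the post or from Microsoft, reads them back and reports whether a Windows 7 client is still running in the downgraded state; the "absent value" defaults it assumes are the Windows 7 ones (level 3, 128-bit required).

```powershell
# Added example (not from the thread): audit the two Local Security Policy
# settings discussed above by reading the registry values they map to.
# Run from an elevated PowerShell prompt on the Windows client being checked.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv10Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# "Network security: LAN Manager authentication level" = LmCompatibilityLevel (0..5).
# Level 0 is "Send LM & NTLM responses"; Windows 7 behaves as level 3 when the value is absent.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

# Bit flags in NtlmMinClientSec / NtlmMinServerSec ("Minimum session security for NTLM SSP").
$NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000   # "Require NTLMv2 session security"
$NTLMSSP_NEGOTIATE_128   = 0x20000000   # "Require 128-bit encryption" (Windows 7 default)

function Get-RegDword {
    param([string]$Path, [string]$Name, [int]$Default)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }   # value absent: the OS default applies
    return [int]$item.$Name
}

function Get-NtlmPosture {
    $lmLevel   = Get-RegDword -Path $lsaKey   -Name 'LmCompatibilityLevel' -Default 3
    $clientSec = Get-RegDword -Path $msv10Key -Name 'NtlmMinClientSec'    -Default $NTLMSSP_NEGOTIATE_128
    $serverSec = Get-RegDword -Path $msv10Key -Name 'NtlmMinServerSec'    -Default $NTLMSSP_NEGOTIATE_128

    $findings = @()
    if ($lmLevel -le 2) {
        # Levels 0-2 still send LM and/or NTLMv1 responses; this is the first change from the post.
        $findings += "LmCompatibilityLevel=$lmLevel: client sends LM and/or NTLMv1 responses"
    }
    if (($clientSec -band $NTLMSSP_NEGOTIATE_128) -eq 0) {
        # Second change from the post: "Require 128-bit encryption" cleared.
        $findings += 'NtlmMinClientSec: "Require 128-bit encryption" is disabled'
    }
    if (($clientSec -band $NTLMSSP_NEGOTIATE_NTLM2) -eq 0) {
        $findings += 'NtlmMinClientSec: NTLMv2 session security not required (also the Windows 7 default)'
    }

    [pscustomobject]@{
        LmCompatibilityLevel = $lmLevel
        LmLevelMeaning       = $LmLevelNames[$lmLevel]
        NtlmMinClientSec     = ('0x{0:X8}' -f $clientSec)
        NtlmMinServerSec     = ('0x{0:X8}' -f $serverSec)
        Downgraded           = ($lmLevel -le 2) -or (($clientSec -band $NTLMSSP_NEGOTIATE_128) -eq 0)
        Findings             = $findings
    }
}

Get-NtlmPosture | Format-List
```

Downgraded stays True while either of the post's two changes is in effect, which makes it a quick way to confirm the settings were put back once the older server is gone.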
1mp0£173
Volunteer tester
Joined: 3 Apr 99
Posts: 8423
Credit: 356,897
RAC: 0
United States
Message 966285 - Posted: 28 Jan 2010, 3:35:46 UTC - in response to Message 966275.  

@ozzfan
Hi
What is wrong with the advice about Active Directory?
Just want to know.
If I understand right, NTLMv2 is the default on Win 7 and NTLM is used by default on Win 2000 and 2003. How do I enable NTLM and NTLMv2 on my Win 7 laptop?
Or should I disable NTLM on my Win 2000 or enable NTLMv2 on my Win 2000?
A lot of people are having trouble seeing shares from their server from Win 7, including Linux servers.

Paul


Active Directory uses the NTLM protocol to authenticate computer or user accounts, with NTLM being used on older versions of Windows and Windows Server, and NTLMv2 being used in Server 2008/Vista/7.


Nope. Active Directory uses DNS to resolve names and Kerberos to authenticate computer and user objects.


I don't recall saying anywhere about resolving names. Kerberos is used to authenticate, along with NTLM depending on what services are installed.

I mentioned DNS.

There are two potential serious mistakes that follow from using DNS (or at least using DNS with the same name spaces and with the servers on the same ports).

First mistake is when someone sets up a network, and uses a valid internet domain when they set up the server. I have more than a few customers who cannot access their own web sites because AD uses DNS, and we have the same name space used for two purposes.

Second mistake: if you do bring your external DNS and internal DNS together (and I've seen this) then anyone anywhere can learn all kinds of interesting things about your internal network.
ID: 966285
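Both mistakes described above, and the delegation question for corp.mycompany.com raised earlier in the thread, can be checked by resolving the AD DNS name from inside and from a public resolver and comparing the answers. This is an added example, not from the thread; every name and the resolver address are placeholders, and it assumes Resolve-DnsName (Windows 8 / Server 2012 or later) run from a domain-joined client.

```powershell
# Added example (not from the thread): compare how the AD DNS namespace resolves
# from inside versus from a public resolver. All names are hypothetical placeholders.
param(
    [string]   $AdDnsName      = 'corp.mycompany.example',   # the AD domain's DNS name
    [string]   $PublicResolver = '9.9.9.9',                  # any external recursive resolver
    [string[]] $InternalHosts  = @('dc01', 'fileserver01')   # hosts that should never resolve outside
)

function Resolve-Quiet {
    # Returns DNS records or $null; NXDOMAIN or a timeout is an answer here, not an error.
    param([string]$Name, [string]$Type, [string]$Server)
    try {
        $query = @{ Name = $Name; Type = $Type; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        return Resolve-DnsName @query
    } catch { return $null }
}

function Test-AdDnsNamespace {
    param([string]$Zone, [string]$Resolver, [string[]]$Hosts)
    $findings = @()

    # A .local suffix cannot collide with the Internet namespace, so the two checks below do not apply.
    if ($Zone -match '\.local$') {
        return [pscustomobject]@{ Zone = $Zone; Isolated = $true
                                  Findings = @('Non-public suffix: internal and external namespaces are separate') }
    }

    # Mistake 1: the same name used for two purposes. Internally the AD zone apex answers
    # with domain controller addresses; publicly it answers with the web server.
    $inside  = Resolve-Quiet -Name $Zone -Type A | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $outside = Resolve-Quiet -Name $Zone -Type A -Server $Resolver | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    if ($outside -and $inside -and (Compare-Object $inside $outside)) {
        $findings += "Apex '$Zone' resolves to $($inside -join ',') inside but $($outside -join ',') publicly: internal clients cannot reach the public site by that name"
    }

    # Delegation path: NS records visible from outside mean the public parent delegates
    # the zone, i.e. there is a resolution path from the root down to the LAN.
    $ns = Resolve-Quiet -Name $Zone -Type NS -Server $Resolver | Where-Object { $_.Type -eq 'NS' }
    if ($ns) { $findings += "Zone '$Zone' is reachable from the public DNS tree via NS: $(($ns.NameHost) -join ', ')" }
    else     { $findings += "Zone '$Zone' has no public delegation (resolvable only inside)" }

    # Mistake 2: internal host records answered by a public resolver are exposed to anyone.
    foreach ($h in $Hosts) {
        $leak = Resolve-Quiet -Name "$h.$Zone" -Type A -Server $Resolver | Where-Object { $_.Type -eq 'A' }
        if ($leak) { $findings += "EXPOSED: $h.$Zone resolves publicly to $($leak.IPAddress -join ',')" }
    }

    [pscustomobject]@{ Zone = $Zone; Isolated = $false; Findings = $findings }
}

Test-AdDnsNamespace -Zone $AdDnsName -Resolver $PublicResolver -Hosts $InternalHosts | Format-List
```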
OzzFan
Volunteer tester
Joined: 9 Apr 02
Posts: 15687
Credit: 84,761,841
RAC: 62
United States
Message 966284 - Posted: 28 Jan 2010, 3:34:06 UTC - in response to Message 966273.  
Last modified: 28 Jan 2010, 3:47:22 UTC

@ozzfan
Hi
What is wrong with the advice about Active Directory?
Just want to know.
If I understand right, NTLMv2 is the default on Win 7 and NTLM is used by default on Win 2000 and 2003. How do I enable NTLM and NTLMv2 on my Win 7 laptop?
Or should I disable NTLM on my Win 2000 or enable NTLMv2 on my Win 2000?
A lot of people are having trouble seeing shares from their server from Win 7, including Linux servers.

Paul


The simple reason is, it adds a layer of "complexity" that did not solve your problem (or others).

So while the discussion has drifted away...........

Regards


Thank you Al. That's exactly what I was getting at.
ID: 966284
OzzFan
Volunteer tester
Joined: 9 Apr 02
Posts: 15687
Credit: 84,761,841
RAC: 62
United States
Message 966283 - Posted: 28 Jan 2010, 3:32:36 UTC - in response to Message 966268.  
Last modified: 28 Jan 2010, 3:36:21 UTC

PS: And whomever is still running WfW 3.11 should probably consider turning that off before advising others to not consider AD.


I'll take that as a direct comment to me since I'm the only one in this thread having admitted to running WfW 3.11 - perhaps you should consider what motives I may have before suggesting that I turn it off. Further, AD is not needed on every Windows network. I never said that it shouldn't be considered, I stated that it wasn't the best solution for PaulDHarris's situation if he's only running one server, or more specifically, against previous advice that was given to him as mentioned in his message earlier in the thread:

...I got my win 7 laptop I could not open any shares on my server because of ntlmv2 in win 7 and pre win 7 uses ntlm and so win 7 does not see the earlier server shares. I was told to install active directory which is domain controller and now I can see my shares on my win 7 laptop but BOINC won't install on my server because it is now a domain controller...


It wasn't necessary to install AD to access his shares, or to even see them for that matter.

Perhaps those of you with a little knowledge of the situation could offer better advice instead of trying to play this game of one-upsmanship that is so often rife on these boards with techies.
ID: 966283
OzzFan
Volunteer tester
Joined: 9 Apr 02
Posts: 15687
Credit: 84,761,841
RAC: 62
United States
Message 966275 - Posted: 28 Jan 2010, 3:24:12 UTC - in response to Message 966254.  

@ozzfan
Hi
What is wrong with the advice about Active Directory?
Just want to know.
If I understand right, NTLMv2 is the default on Win 7 and NTLM is used by default on Win 2000 and 2003. How do I enable NTLM and NTLMv2 on my Win 7 laptop?
Or should I disable NTLM on my Win 2000 or enable NTLMv2 on my Win 2000?
A lot of people are having trouble seeing shares from their server from Win 7, including Linux servers.

Paul


Active Directory uses the NTLM protocol to authenticate computer or user accounts, with NTLM being used on older versions of Windows and Windows Server, and NTLMv2 being used in Server 2008/Vista/7.


Nope. Active Directory uses DNS to resolve names and Kerberos to authenticate computer and user objects.


I don't recall saying anywhere about resolving names. Kerberos is used to authenticate, along with NTLM depending on what services are installed.
ID: 966275
Pappa
Volunteer tester
Joined: 9 Jan 00
Posts: 2562
Credit: 12,301,681
RAC: 0
United States
Message 966273 - Posted: 28 Jan 2010, 3:19:08 UTC - in response to Message 966181.  

@ozzfan
Hi
What is wrong with the advice about Active Directory?
Just want to know.
If I understand right, NTLMv2 is the default on Win 7 and NTLM is used by default on Win 2000 and 2003. How do I enable NTLM and NTLMv2 on my Win 7 laptop?
Or should I disable NTLM on my Win 2000 or enable NTLMv2 on my Win 2000?
A lot of people are having trouble seeing shares from their server from Win 7, including Linux servers.

Paul


The simple reason is, it adds a layer of "complexity" that did not solve your problem (or others).

So while the discussion has drifted away...........

Regards

Please consider a Donation to the Seti Project.

ID: 966273
©2020 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.