[Today’s post comes to us courtesy of Shawn Sullivan]
You may have noticed that some of your computer accounts are not showing “online” in the SBS Console. The purpose of this post is to shed some light on why you may see this and how this information is obtained by the server.
Status information for your machines is displayed under the Network > Computers sub-tab in the SBS console.
The console will only display status information for domain-joined computers from the following three OUs:
- OU=Domain Controllers,DC=Domain,DC=local
- the SBSComputers OU
- the SBSServers OU
Note: Replace Domain and local with your domain name.
Regardless of whether you join a client or a server computer to the domain, by default it will always appear in the SBSComputers OU. Machine accounts for servers must be manually moved to the SBSServers OU. For more information, please visit: http://blogs.technet.com/sbs/archive/2008/09/24/why-does-my-sbs-2008-premium-second-server-display-as-a-client-computer.aspx
What SBS 2008 Checks For
The server first queries DNS for the host A or AAAA record of the machine; IPv4 is preferred over IPv6 in this scenario. If an A record is found, the server tests the address with an ARP request (ARP is used instead of Ping because many firewalls block ICMP by default). However, if the machine is in a different subnet, the server will attempt to ping it instead. If only an AAAA record is found, the server pings the IPv6 address and waits for a response (IPv6 does not support ARP). Possible failures include:
- The machine account is disabled: Unknown/Account is disabled
- No DNS record exists for the machine: Unknown/No DNS entry
- No response from ARP request: Offline
- No response from the IPv6 client to the Ping: Unknown/Unable to detect computer on the network
If the server receives a response from either the ARP request or the Ping, a NetApi call (NetGetJoinInformation) is made to the machine. This requires that “Client for Microsoft Networks” and “File and Print Sharing” are enabled on the NIC and that the proper exceptions are configured in Windows Firewall. Possible failures at this point include:
- Unable to make an RPC connection to the machine: Online/Unable to query computer information
- The NetApi call receives an access denied: Online/No access to query computer information
- The machine is not in the domain: Online/Not joined to domain
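The check chain above can be reproduced from the server itself, which is handy when the console shows a status you cannot explain. The script below is an added example, not code from the original post or from SBS: it performs the same steps (machine account enabled, DNS A/AAAA lookup with IPv4 preferred, ARP on the local subnet or ICMP otherwise, then NetGetJoinInformation) and prints the status string the console would display. It assumes it runs in PowerShell on the SBS server under a domain admin account, that `$ComputerName` is the short host name of the machine to check (a parameter chosen for this example), and that a failed ping of a machine in another subnet maps to the same “Unable to detect” status as a failed IPv6 ping, which the post does not state explicitly.

```powershell
# Added example (not code from the original post or from SBS itself): walk the same
# check chain the SBS 2008 console uses and print the status string it would show.
# Assumptions: run in PowerShell on the SBS server as a domain admin; $ComputerName
# is the short host name of the machine to check.
param([Parameter(Mandatory = $true)][string]$ComputerName)

# P/Invoke wrappers for the two Win32 calls the checks rely on.
Add-Type -Namespace SbsStatus -Name Native -MemberDefinition @'
[DllImport("iphlpapi.dll", ExactSpelling = true)]
public static extern int SendARP(uint destIp, uint srcIp, byte[] macAddr, ref uint macAddrLen);
[DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
public static extern int NetGetJoinInformation(string server, out IntPtr nameBuffer, out int joinStatus);
[DllImport("netapi32.dll")]
public static extern int NetApiBufferFree(IntPtr buffer);
'@

function Get-AdComputerState([string]$name) {
    # Look the machine account up by sAMAccountName (host name plus a trailing '$').
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$name`$))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('userAccountControl', 'distinguishedName'))
    $r = $searcher.FindOne()
    if ($r -eq $null) { return $null }
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    New-Object PSObject -Property @{
        Disabled = (($uac -band 2) -ne 0)   # ADS_UF_ACCOUNTDISABLED
        DN       = [string]$r.Properties['distinguishedname'][0]
    }
}

function Test-SameSubnet([System.Net.IPAddress]$ip) {
    # True if the target IPv4 address shares a subnet with any IPv4 address on this server.
    $target = $ip.GetAddressBytes()
    foreach ($nic in (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True')) {
        $ips = @($nic.IPAddress); $masks = @($nic.IPSubnet)
        for ($i = 0; $i -lt $ips.Count; $i++) {
            $local = [System.Net.IPAddress]$ips[$i]
            if ($local.AddressFamily -ne 'InterNetwork') { continue }
            $mask = ([System.Net.IPAddress]$masks[$i]).GetAddressBytes()
            $a = $local.GetAddressBytes()
            $same = $true
            for ($j = 0; $j -lt 4; $j++) {
                if (($a[$j] -band $mask[$j]) -ne ($target[$j] -band $mask[$j])) { $same = $false }
            }
            if ($same) { return $true }
        }
    }
    return $false
}

function Test-Arp([System.Net.IPAddress]$ip) {
    # SendARP returns 0 (NO_ERROR) when the host answered with its MAC address.
    $dest = [BitConverter]::ToUInt32($ip.GetAddressBytes(), 0)
    $mac  = New-Object byte[] 6
    $len  = [uint32]6
    return ([SbsStatus.Native]::SendARP($dest, 0, $mac, [ref]$len) -eq 0)
}

function Get-JoinStatus([string]$server) {
    # NETSETUP_JOIN_STATUS: 1 = unjoined, 2 = workgroup member, 3 = domain member.
    $buf = [IntPtr]::Zero; $status = 0
    $rc = [SbsStatus.Native]::NetGetJoinInformation($server, [ref]$buf, [ref]$status)
    if ($buf -ne [IntPtr]::Zero) { [void][SbsStatus.Native]::NetApiBufferFree($buf) }
    New-Object PSObject -Property @{ ReturnCode = $rc; JoinStatus = $status }
}

# 1. Machine account present and enabled?
$ad = Get-AdComputerState $ComputerName
if ($ad -eq $null) { "No computer account named $ComputerName in AD"; return }
"Account DN: $($ad.DN)"   # compare against the three OUs the console reads
if ($ad.Disabled) { 'Unknown/Account is disabled'; return }

# 2. DNS: A record preferred over AAAA; the console resolves the FQDN.
$fqdn = "$ComputerName.$env:USERDNSDOMAIN"
try { $addrs = [System.Net.Dns]::GetHostAddresses($fqdn) } catch { 'Unknown/No DNS entry'; return }
$v4 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetwork' })
$v6 = @($addrs | Where-Object { $_.AddressFamily -eq 'InterNetworkV6' })
if ($v4.Count -eq 0 -and $v6.Count -eq 0) { 'Unknown/No DNS entry'; return }

# 3. Reachability: ARP on the local subnet, otherwise ICMP (IPv6 is always ICMP).
if ($v4.Count -gt 0) {
    $ip = $v4[0]
    if (Test-SameSubnet $ip) {
        if (-not (Test-Arp $ip)) { 'Offline'; return }
    } elseif (-not (Test-Connection -ComputerName $ip.IPAddressToString -Count 2 -Quiet)) {
        'Unknown/Unable to detect computer on the network'; return
    }
} elseif (-not (Test-Connection -ComputerName $v6[0].IPAddressToString -Count 2 -Quiet)) {
    'Unknown/Unable to detect computer on the network'; return
}

# 4. Ask the machine itself whether it is still joined (needs SMB/RPC through its firewall).
$join = Get-JoinStatus $fqdn
switch ($join.ReturnCode) {
    0       { if ($join.JoinStatus -eq 3) { 'Online' } else { 'Online/Not joined to domain' } }
    5       { 'Online/No access to query computer information' }   # ERROR_ACCESS_DENIED
    default { "Online/Unable to query computer information (error $($join.ReturnCode))" }
}
```

Run it as `.\Check-SbsStatus.ps1 -ComputerName WORKSTATION01` (file name chosen for this example). The printed DN tells you immediately whether the account sits in one of the three OUs the console reads, and the Win32 error number on the last line (for example 1722, RPC server unavailable) narrows a firewall problem down further than the console's generic “Unable to query computer information” does.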
| Status | What does it mean |
|---|---|
| Online | Computer is online and joined to the domain |
| Offline | No response from ARP |
| Unknown – Computer account is disabled | Computer AD object is disabled |
| Unknown – No DNS entry | Unable to find DNS entry for the computer |
| Unknown – Unable to detect computer on network | Unable to ping computer using FQDN |
| Online – Not joined to domain | Computer is online, but not in the domain anymore |
| Online – Unable to query computer information | Computer is online, but NetApi can’t connect to the target machine’s RPC service |
| Online – No access to query computer information | Computer is online, but NetApi returns an access denied |
- Make sure the machine account is enabled, and exists in the proper OU (Domain Controllers, SBSComputers, or SBSServers), and that it is currently domain-joined.
- Check DNS for the Host A or AAAA record. Ensure the machine is properly updating DNS with their IP address.
- Enable “Client for Microsoft Networks” and “File and Print Sharing” on the NIC if they are not already.
- From the server, run net view \\workstationname and note any errors you may receive.
- Review the IP configuration settings on the machine. Make sure that it is pointing only to the SBS server for DNS, that it can properly communicate with the server (log in to the domain, access shares), and that it can apply group policy from the SBS server.
- Ensure that the “Windows Vista Policy” and the “Windows XP Policy” have not been removed from the SBSComputers OU. These GPOs contain the necessary Windows Firewall restrictions. Run “gpresult” on the client to ensure they are applying either GPO. Note: If the client is not running XP SP2 or above, they will not receive these policy settings.
- If an XP SP2 or higher client is in a different subnet than the server, the NetApi call may be blocked by Windows Firewall due to the default settings in the Windows XP Policy GPO, which only allows file and printer sharing connections from the local subnet. To fix this, you must change the GPO settings for this exception to include the server’s subnet in the scope. For more information, please visit: http://support.microsoft.com/default.aspx?scid=kb;EN-US;957713
- If a 3rd party firewall is installed on the machine, check its firewall exceptions.