
Active Directory Help.!!!

Old 20 July 2001, 12:42 AM
  #1  
Neil Micklethwaite
Scooby Regular
Thread Starter
 
Join Date: Dec 1998
Posts: 1,046

Hi Mega

I have administered Site Server ( LDAP / ADSI ) through mmc extensively, hence the question.

Just getting to grips with W2K admin tools and my lack of experience in them would probably result in me being no help whatsoever.

Sorry.


Old 20 July 2001, 10:22 AM
  #2  
mega_stream
Scooby Regular
 
Join Date: May 2001
Location: Scotland
Posts: 4,580

Can anyone help me on the following.??

Any 2000 admin tools used remotely do not work, Active Directory Users and Computers for example. It was working fine, now won't work on my PC and it's 50/50 on the other support PCs, all of which are W2K and in the same domain.
Nothing has changed, on security or domain etc.
When the MMC opens after the error occurs I have a red cross over the tree. If I select connect to domain I am able to browse to the domain but it won't let me connect as it states the server is not operational.

All appears to be fine working on the pdc directly, no event log errors.

Thanks for any suggestions, I'm stuck.

Old 20 July 2001, 11:39 AM
  #3  
Neil Micklethwaite
Scooby Regular
Thread Starter
 
Join Date: Dec 1998
Posts: 1,046

Hi

Which admin tool are you using?

Regards
Old 20 July 2001, 11:56 AM
  #4  
mega_stream
Scooby Regular
 
Join Date: May 2001
Location: Scotland
Posts: 4,580

Neil,

Just the usual user admin tools, active directory stuff, usual tools found on the server itself but for us lazy bods who wanna control the enterprise from your comfy chairs.!!

Cheerz

Old 20 July 2001, 03:41 PM
  #5  
Ga22ar
Scooby Regular
 
Join Date: Dec 2001
Posts: 436

Check your clients' DNS is pointing at a DNS server that can resolve all the components of the ADS domain.

One assumes that all the tools work when used locally on a DC ??

ps, controlling the AD from your client is a dangerous thing to do, use Terminal Server ...

Regards

Old 21 July 2001, 06:29 AM
  #6  
mega_stream
Scooby Regular
 
Join Date: May 2001
Location: Scotland
Posts: 4,580

Ga22ar

Thanks, I'll try that on Monday.
Why do you not recommend using the tools?

Cheerz
Old 21 July 2001, 03:53 PM
  #7  
ids
Scooby Regular
 
Join Date: May 1999
Posts: 424

You can use the tools on any machine provided you install the 'same' (i.e. Service Pack version) as the server - find adminpak.msi on the service pack CD and install it....

As Gazza says make sure you are using the same DNS server - I found that even if the client is in a workgroup with the same NetBIOS (pre Win 2K) name as the AD and you use the same username and password - it will still work

The Terminal Services route is a good way of doing it, especially if the servers are the other side of a firewall as the packets are encrypted and you only have to open 1 TCP port (3389 if I remember) - also it's one of the main routes Monkeysoft's going with XP/Windows 2002 Server and admin...

Need any more help - mail me

Ids

[This message has been edited by ids (edited 21 July 2001).]
Old 21 July 2001, 07:05 PM
  #8  
Ga22ar
Scooby Regular
 
Join Date: Dec 2001
Posts: 436

Ok, the reason behind using TS for admin is thus....

With NT the exposure to the infrastructure is minimum, basically the most damage you can generally do is at the domain level.

With AD if you're a DA in the root domain and you're logging on to your normal client with this account and doing your daily work your exposure to damage covers the whole infrastructure.

Obviously this risk is dramatically smaller if you have delegated privileges only on a small part of the tree.

Generally any admin that needs to be done outside the scope of an OU should be done on a TS server with an account specifically for admin purposes. This account should have only just enough rights to do what it needs. The TS server should only have the tools needed for the task, that means no Office/Outlook and IE disabled/proxied out.

Why you may ask? Well think about it.. What avenue is the common risk to damage and destruction in the MS world?? Macros/ActiveX and viruses..

The AD is exposed via LDAP and ADSI... Two powerful tools/processes that are easily delivered by simplistic tools, all the viruses/damaging code needs is the right user context to run in..


So there you are using your account that has DA over the root on a standard client because it's easier that way.. Run IE or open a mail that has a malicious ActiveX using ADSI that deletes or corrupts the Config NC... Wave goodbye to your AD, and get out the tapes..


Sound like scaremongering ??? Wish it was, I proved this ability in a pre-production design. The TS admin method was validated and delivered to a previous customer who is now using the AD across 120 sites and 55K seats globally...

Any more advice please feel free to ask !!
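
The rule argued for in post #8 (privileged accounts get desktop sessions only on the dedicated admin Terminal Server) can be audited from logon records. The following is an added example, not code from any poster in this thread; the account name, host names and CSV layout are assumptions, and the log lines are constructed.

```python
import csv
import io

# Assumed names for illustration (hypothetical, not from the thread).
PRIVILEGED_ACCOUNTS = {"adm-root-da"}   # dedicated admin-only account(s)
ADMIN_HOSTS = {"TS-ADMIN01"}            # locked-down Terminal Server(s)
# Logon types that give a person a desktop session (mail client, browser):
# 2 = interactive, 10 = RemoteInteractive (Terminal Services), 11 = cached interactive.
SESSION_LOGON_TYPES = {2, 10, 11}

# Constructed sample export of Windows Security events
# (4624 = successful logon, 4625 = failed logon).
SAMPLE_LOG = r"""time,event_id,account,logon_type,host
2024-03-04T09:01:12,4624,CORP\adm-root-da,10,TS-ADMIN01
2024-03-04T09:14:40,4624,CORP\ADM-ROOT-DA,2,wks-support03
2024-03-04T09:15:02,4624,CORP\jsmith,2,WKS-SUPPORT03
2024-03-04T10:30:00,4624,CORP\adm-root-da,3,FILESRV02
2024-03-04T11:02:19,4625,CORP\adm-root-da,2,WKS-SUPPORT07
"""


def privileged_logons_off_admin_hosts(log_text, privileged=PRIVILEGED_ACCOUNTS,
                                      admin_hosts=ADMIN_HOSTS):
    """Return (time, account, host) for each privileged desktop session
    opened on a host that is not a designated admin host."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_id"] != "4624":
            continue  # only successful logons create a session
        # Normalise case and strip the DOMAIN\ prefix before comparing.
        account = row["account"].rsplit("\\", 1)[-1].lower()
        host = row["host"].upper()
        if account not in privileged:
            continue
        if int(row["logon_type"]) not in SESSION_LOGON_TYPES:
            continue  # e.g. type 3 network logon: no desktop session
        if host not in admin_hosts:
            findings.append((row["time"], account, host))
    return findings


if __name__ == "__main__":
    for when, account, host in privileged_logons_off_admin_hosts(SAMPLE_LOG):
        print(f"{when}  {account} opened a desktop session on {host}")
```
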