ScoobyNet.com - Subaru Enthusiast Forum

Active Directory Help.!!! (https://www.scoobynet.com/non-scooby-related-4/17807-active-directory-help.html)

Neil Micklethwaite 20 July 2001 12:42 AM

Hi Mega

I have administered Site Server (LDAP / ADSI) through MMC extensively, hence the question.

Just getting to grips with W2K admin tools and my lack of experience in them would probably result in me being no help whatsoever.

Sorry.



mega_stream 20 July 2001 10:22 AM

Can anyone help me with the following??

Any 2000 admin tools used remotely do not work, Active Directory Users and Computers for example. It was working fine, now won't work on my PC and it's 50/50 on the other support PCs, all of which are W2K and in the same domain.
Nothing has changed, on security or domain etc.
When the MMC opens after the error occurs I have a red cross over the tree, if I select connect to domain I am able to browse to the domain but it won't let me connect as it states the server is not operational.

All appears to be fine working on the PDC directly, no event log errors.

Thanks for any suggestions, I'm stuck.


Neil Micklethwaite 20 July 2001 11:39 AM

Hi

Which admin tool are you using?

Regards

mega_stream 20 July 2001 11:56 AM

Neil,

Just the usual user admin tools, active directory stuff, usual tools found on the server itself but for us lazy bods who wanna control the enterprise from your comfy chairs.!!

Cheerz


Ga22ar 20 July 2001 03:41 PM

Check your clients' DNS is pointing at a DNS server that can resolve all the components of the ADS domain.

One assumes that all the tools work when used locally on a DC ??

ps, controlling the AD from your client is a dangerous thing to do, use Terminal Server ...

Regards


mega_stream 21 July 2001 06:29 AM

Ga22ar

Thanks I'll try that on Monday..
Why do you not recommend using the tools?

Cheerz

ids 21 July 2001 03:53 PM

You can use the tools on any machine provided you install the 'same' (i.e. Service Pack version) as the server - find adminpak.msi on the service pack CD and install it....

As Gazza says make sure you are using the same DNS server - I found that even if the client is in a workgroup with the same NetBIOS (pre Win 2K) name as the AD and you use the same username and password - it will still work.

The Terminal Services route is a good way of doing it, especially if the servers are the other side of a firewall as the packets are encrypted and you only have to open 1 TCP port (3389 if I remember) - also it's one of the main routes Monkeysoft's going with XP/Windows 2002 Server and admin...

Need any more help - mail me.

Ids

[This message has been edited by ids (edited 21 July 2001).]

Ga22ar 21 July 2001 07:05 PM

Ok, the reason behind using TS for admin is thus....

With NT the exposure to the infrastructure is minimum, basically the most damage you can generally do is at the domain level.

With AD if you're a DA in the root domain and you're logging on to your normal client with this account and doing your daily work your exposure to damage covers the whole infrastructure.

Obviously this risk is dramatically smaller if you have delegated privileges only on a small part of the tree.

Generally any admin that needs to be done outside the scope of an OU should be done on a TS server with an account specifically for admin purposes. This account should have only just enough rights to do what it needs.. The TS server should only have the tools needed for the task, that means no Office/Outlook and IE disabled/proxied out.

Why you may ask? Well think about it.. What avenue is the common risk to damage and destruction in the MS world?? Macros/ActiveX and viruses..

The AD is exposed via LDAP and ADSI... Two powerful tools/processes that are easily delivered by simplistic tools, all the viruses/damaging code needs is the right user context to run in..


So there you are using your account that has DA over the root on a standard client because it's easier that way.. Run IE or open a mail that has a malicious ActiveX using ADSI that deletes or corrupts the Config NC... Wave goodbye to your AD, and get out the tapes..


Sound like scaremongering ??? Wish it was, I proved this ability in a pre-production design. The TS admin method was validated and delivered to a previous customer who is now using the AD across 120 sites and 55K seats globally...

Any more advice please feel free to ask !!
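
The separation Ga22ar describes (dedicated admin accounts used only on the Terminal Server admin host, everyday accounts kept off it) can be checked from logon records. This is an added example, not part of any poster's message; the account names, host names and log line format are constructed assumptions, not values from the thread.

```python
import re

# Assumed policy values (hypothetical names, not from the thread).
ADMIN_ACCOUNTS = {"corp\\adm-root", "corp\\adm-ou-sales"}
ADMIN_HOSTS = {"ts-admin01"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+logon\s+user=(?P<user>\S+)\s+host=(?P<host>\S+)\s+type=(?P<type>\S+)$"
)

# Constructed sample input; the line format is invented for this example.
SAMPLE_LOG = r"""
2001-07-21T08:55:02 logon user=CORP\adm-root host=TS-ADMIN01 type=remote
2001-07-21T09:02:11 logon user=CORP\adm-root host=WS-0143 type=interactive
2001-07-21T09:04:40 logon user=CORP\jsmith host=WS-0143 type=interactive
2001-07-21T09:10:19 logon user=CORP\jsmith host=ts-admin01 type=remote
2001-07-21T09:12:00 garbled line without fields
2001-07-21T09:30:57 logon user=corp\ADM-OU-Sales host=WS-0207 type=interactive
"""

def audit(log_text):
    """Return (findings, unparsed) for a block of logon records."""
    findings, unparsed = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # keep for review instead of dropping silently
            continue
        # Windows account and host names compare case-insensitively.
        user, host = m["user"].lower(), m["host"].lower()
        is_admin, on_admin_host = user in ADMIN_ACCOUNTS, host in ADMIN_HOSTS
        if is_admin and not on_admin_host:
            # Admin credentials exposed on a machine that runs mail/browser.
            findings.append((m["ts"], "admin-account-on-workstation", user, host))
        elif on_admin_host and not is_admin:
            # Everyday account present on the locked-down admin host.
            findings.append((m["ts"], "everyday-account-on-admin-host", user, host))
    return findings, unparsed

if __name__ == "__main__":
    findings, unparsed = audit(SAMPLE_LOG)
    for f in findings:
        print(*f)
    print(f"{len(unparsed)} unparsed line(s)")
```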


All times are GMT +1.