Solved

Unable to pull active directory information from a Windows 2000 domain to a Windows 2003 Terminal Server

Posted on 2004-10-20
Last Modified: 2010-04-19
We have just added a new Windows 2003 Enterprise server to an existing Domain run by a Windows 2000 server.  We are able to log into the domain and connect to the network, but we are unable to pull users directly from the 2000 server active directory to create local permissions and/or profiles.

How can we draw directly from the active directory?  Currently we have to enter the 2000 server's admin user/pass in to verify the ability to add the user.

Thanks for the assistance.

Fred
Question by:fdarkow

Expert Comment

by:harleyjd
ID: 12363857
Not sure I follow.

If the server is a member of the domain, then you will need to use a Domain Admin account to do anything that tries to look at Active Directory. If you're still logging on as the W2k3 local admin, then there's your problem. The local admin will look to the local SAM database for account validations. A domain account will always look to AD first - even a non-domain admin who has local admin privilege will do the trick.

Your second line seems to indicate that if you log in as a domain admin all is fine. This is exactly what we expect, if I read you right...


Author Comment

by:fdarkow
ID: 12366076
Good points - I need to clarify a bit.

When we log into the W2k3 server, we are logging into the Domain with an account that has Local Admin rights.  So from what you are saying is that we need to log onto the server with an Account that has Domain Admin rights in order for us to easily add users locally from the AD.  Is this correct?  Just making sure.

To clarify the second line, we are logged in as the Local Admin and try to add a person from AD to assign rights.  When we try to do so, we are asked for a User/Pass that has Domain rights and the name gets added in just fine.

Another interesting issue is that anyone who uses the Terminal Server for a remote connection seems to require the permissions for a Domain Admin or they cannot connect to the Terminal.  Obviously this is not very secure.  Do you have any tips on configuring the Terminal Server so the remote users do not have to have Domain Admin permissions?

Finally, a third issue that has recently surfaced is that the W2k3 Server will not connect to the Internet.  We have a static IP set for the server connected directly to a switch and the IP of the Win2K Domain server as the DNS server entry.  Initially, there was no difficulty, but for the past 24 hours, it will not connect.  

The IP settings are:
IP - Static
Subnet - Class C
Default Gateway - External Router IP
DNS Server - Domain Server Static IP

Any assistance would be appreciated.  Even to just get my brain going in the right direction.

Accepted Solution

by:harleyjd
ID: 12366138
"in order for us to easily add users locally from the AD.  Is this correct?  Just making sure."

Yes, precisely. The user/pass response is exactly what to expect if not a domain user account.

"Terminal Server for a remote connection seems to require the permissions for a Domain Admin "

Not so. You need to make sure in Group Policy Default Domain settings that the users are allowed Local Logon rights, and Access from network rights. Without these you'll have problems. It should have these by default, but check anyway. If they can log on to the console but not the RDP then let me know.

"Finally, a third issue that has recently surfaced is that the W2k3 Server will not connect to the Internet."

I'd ask that you create a new question for that, but in basic terms - maybe group policy set a proxy server, maybe the W2k3 firewall is acting up, maybe the router is acting up. Is it just web traffic, or is it everything? Does the DNS server on the w2k box use forwarders? If that doesn't help, then a new Q is the go...



Author Comment

by:fdarkow
ID: 12366249
Thanks for the input.  It is making sense.

Could you please clarify a bit for me?

"make sure in Group Policy Default Domain settings that the users are allowed Local Logon rights, and Access from network rights."

Just to make sure - the Group Policy Default Domain settings - this is located in the Win2K server AD and not on the W2k3 server.  Is there a default Group Policy created automatically for this?  If not, how would I create it or find it in the existing AD?

Thanks.
Expert Comment

by:harleyjd
ID: 12366263
Yes, the "default domain policy" in AD on the w2k box should have it, and it will override any local policy set on the w2k3 box.

Just open ADUC, right click the domain name, then group policy tab then edit the DDP link...
Expert Comment

by:Casca1
ID: 12366291
First, let's define a couple of things; not to say the definitions aren't already known, but it's confusing me a little, so I want to clarify, and hopefully find a solution for the issue.
When you log on to the system with a domain admin account, you are getting local admin permissions by default. Therefore, if you are logging into the server with a local administrator account, you have to access the domain with different credentials, as the local account is not a domain account.
Let me ask you a silly question, but one I have been caught on enough to make me blink. 8-)
What is the logon to box set for? The local server, or the domain. I will assume you checked that silly thing, but still...
Now, since the aforementioned is an obvious given, we need to discuss the possibility of a GPO that may be using restricted groups that may be tagged that prevents something, but since I'm not real familiar with it, I won't go there, except to get it on the table.
If the account you are using is a local only account, there is the cause of the credentials box prompt.
Hmm, while harleyjd gave the most likely cause, there can also be some settings in other places that affect this, as well. Like in RRAS. How are the permissions for access applied? Via GPO, or granted per user under dial-in permissions?
I suspect the internet issue might be related to the other issues, but only if your machine is having DNS issues. That could cause all of the issues, but should also have other effects.
However, it might not be immediately obvious, under certain circumstances. Are you using WINS? That would assist (partially) in name resolution, which would help the server find the DC, but things AD related would be problematic. This sounds like it might be involved, possibly.
Check name resolution, as that seems to be at the heart of the matter.
Sorry for being so long-winded, and I swear I meant nothing about any of the comments other than as observation and clarification to ensure we are sharing the same definitions. Lord knows, I'm SOOOO guilty of the "Thing-a-ma-bob" syndrome... 8-)
Good Luck!
Author Comment

by:fdarkow
ID: 12377307
1)  We can now add people directly from the Domain AD.  I think we had it by default previously after removing it from the Domain and then Adding it again.  Works fine.

2)  We have also configured the Terminal Server to accept logins that do not have the Domain Admin permissions.  We went to the Administrative tools > Terminal Server configuration > right clicked on the RDP and went to properties > Clicked on the Permissions tab and added each person/profile/group as needed.  It worked out well.

3)  The Internet issue is still a concern.  It will need to be another post however.  It is very intermittent and we are trying hardware replacement next to see if we have a bad cord or NIC.  If that does not work, a new post will appear.

Thanks for all your help.  I appreciate all the input.


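A way to verify both points from the thread (harleyjd's advice to check the logon and network-access rights, and fdarkow's fix of granting RDP access without Domain Admin membership) on the Terminal Server itself. This is an added example, not code from the thread or from any of its participants; it assumes an elevated PowerShell 3.0+ session on a Windows host with secedit.exe, and uses only the well-known SID of the Remote Desktop Users group.

```powershell
# Export the effective user-rights assignment (local policy merged with domain GPO)
# and report which principals hold the logon rights discussed in the thread.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# Privilege constants exactly as they appear in the [Privilege Rights] section.
$rights = [ordered]@{
    'SeInteractiveLogonRight'           = 'Allow log on locally'
    'SeNetworkLogonRight'               = 'Access this computer from the network'
    'SeRemoteInteractiveLogonRight'     = 'Allow log on through Terminal Services'
    'SeDenyRemoteInteractiveLogonRight' = 'Deny log on through Terminal Services'
}

function Resolve-Principal([string]$entry) {
    # secedit writes SIDs prefixed with '*'; translate each one to an account name.
    $value = $entry.Trim().TrimStart('*')
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($value)
        $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $value }   # not a SID, or unresolvable: keep the raw text
}

$lines = Get-Content $inf   # secedit writes UTF-16; Get-Content detects the BOM
foreach ($key in $rights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$key\s*=" } | Select-Object -First 1
    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' | ForEach-Object { Resolve-Principal $_ })
    }
    "{0} ({1}):" -f $rights[$key], $key
    if ($holders.Count -eq 0) { "    <nobody>" } else { $holders | ForEach-Object { "    $_" } }
}

# Flag the over-privileged setup from the thread: RDP logon held without the
# Remote Desktop Users group (well-known SID S-1-5-32-555), which usually means
# users were made Domain Admins just to get a Terminal Server session.
$rdp = $lines | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' }
if (-not $rdp -or ($rdp -split '=', 2)[1] -notmatch 'S-1-5-32-555') {
    Write-Warning 'Remote Desktop Users does not hold the RDP logon right; check Default Domain Policy and the RDP-Tcp connection permissions.'
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Membership of Remote Desktop Users (net localgroup "Remote Desktop Users") is the supported way to grant the RDP right per user or group, rather than widening the Administrators group.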