Unable to pull active directory information from a Windows 2000 domain to a Windows 2003 Terminal Server

Posted on 2004-10-20
Last Modified: 2010-04-19
We have just added a new Windows 2003 Enterprise server to an existing Domain run by a Windows 2000 server.  We are able to log into the domain and connect to the network, but we are unable to pull users directly from the 2000 server active directory to create local permissions and/or profiles.

How can we draw directly from the active directory?  Currently we have to enter the 2000 server's admin user/pass in to verify the ability to add the user.

Thanks for the assistance.

Question by: fdarkow
LVL 15

Expert Comment

ID: 12363857
Not sure I follow.

If the server is a member of the domain, then you will need to use a Domain Admin account to do anything that tries to look at Active Directory. If you're still logging on as the W2k3 local admin, then there's your problem. The local admin will look to the local SAM database for account validations. A domain account will always look to AD first - even a non-domain admin who has local admin privilege will do the trick.

Your second line seems to indicate that if you log in as a domain admin all is fine. This is exactly what we expect, if I read you right...


Author Comment

ID: 12366076
Good points - I need to clarify a bit.

When we log into the W2k3 server, we are logging into the Domain with an account that has Local Admin rights.  So from what you are saying is that we need to log onto the server with an Account that has Domain Admin rights in order for us to easily add users locally from the AD.  Is this correct?  Just making sure.

To clarify the second line, we are logged in as the Local Admin and try to add a person from AD to assign rights.  When we try to do so, we are asked for a User/Pass that has Domain rights and the name gets added in just fine.

Another interesting issue is that anyone who uses the Terminal Server for a remote connection seems to require the permissions for a Domain Admin or they cannot connect to the Terminal.  Obviously this is not very secure.  Do you have any tips on configuring the Terminal Server so the remote users do not have to have Domain Admin permissions?

Finally, a third issue that has recently surfaced is that the W2k3 Server will not connect to the Internet.  We have a static IP set for the server connected directly to a switch and the IP of the Win2K Domain server as the DNS server entry.  Initially, there was no difficulty, but for the past 24 hours, it will not connect.  

The IP settings are:
IP - Static
Subnet - Class C
Default Gateway - External Router IP
DNS Server - Domain Server Static IP

Any assistance would be appreciated.  Even to just get my brain going in the right direction.

LVL 15

Accepted Solution

harleyjd earned 500 total points
ID: 12366138
"in order for us to easily add users locally from the AD.  Is this correct?  Just making sure."

Yes, precisely. The user/pass response is exactly what to expect if not a domain user account.

"Terminal Server for a remote connection seems to require the permissions for a Domain Admin "

Not so. You need to make sure in Group Policy Default Domain settings that the users are allowed Local Logon rights, and Access from network rights. Without these you'll have problems. It should have these by default, but check anyway. If they can log on to the console but not the RDP then let me know.

"Finally, a third issue that has recently surfaced is that the W2k3 Server will not connect to the Internet."

I'd ask that you create a new question for that, but in basic terms - maybe group policy set a proxy server, maybe there W2k3 firewall is acting up, maybe the router is acting up. Is it just web traffic, or is it everything? Does the DNS server on the w2k box use forwarders? If that doesn't help, then a new Q is the go...


Author Comment

ID: 12366249
Thanks for the input.  It is making sense.

Could you please clarify a bit for me?

"make sure in Group Policy Default Domain settings that the users are allowed Local Logon rights, and Access from network rights."

Just to make sure - the Group Policy Default Domain settings - this is located in the Win2K server AD and not on the W2k3 server.  Is there a default Group Policy created automatically for this?  If not, how would I create it or find it in the existing AD?

LVL 15

Expert Comment

ID: 12366263
Yes, the "default domain policy" in AD on the w2k box should have it, and it will override any local policy set on the w2k3 box.

Just open ADUC, right click the domain name, then group policy tab then edit the DDP link...

Expert Comment

ID: 12366291
First, let's define a couple of things; Not to say the definitions aren't already known, but it's confusing me a little, so I want to clarify, and hopefully find a solution for the issue.
When you log on to the system with a domain admin account, you are getting local admin permissions by default. Therefore, if you are logging into the server with a local administrator account, you have to access the domain with different credentials, as the local account is not a domain account.
Let me ask you a silly question, but one I have been caught on enough to make me blink. 8-)
What is the logon to box set for? The local server, or the domain. I will assume you checked that silly thing, but still...
Now, since the aforementioned is an obvious given, we need to discuss the possibility of a GPO that may be using restricted groups that may be tagged that prevents something, but since I'm not real familiar with it, I won't go there, except to get it on the table.
If the account you are using is a local only account, there is the cause of the credentials box prompt.
Hmm, while harleyjd gave the most likely cause, there can also be some settings in other places that affect this, as well. Like in RRAS. How are the permissions for access applied? Via GPO, or granted per user under dial-in permissions?
I suspect the internet issue might be related to the other issues, but only if your machine is having DNS issues. That could cause all of the issues, but should also have other effects.
However, it might not be immediately obvious, under certain circumstances. Are you using WINS? That would assist (partially) in name resolution, which would help the server find the DC, but things AD related would be problematic. This sounds like it might be involved, possibly.
Check name resolution, as that seems to be at the heart of the matter.
Sorry for being so long winded, and I swear I meant nothing about any of the comments other than as observation and clarification to ensure we are sharing the same definitions. Lord knows, I'm SOOOO guilty of the "Thing-a-ma-bob" syndrome... 8-)
Good Luck!

Author Comment

ID: 12377307
1)  We can now add people directly from the Domain AD.  I think we had it by default previously after removing it from the Domain and then Adding it again.  Works fine.

2)  We have also configured the Terminal Server to accept logins that do not have the Domain Admin permissions.  We went to the Administrative tools > Terminal Server configuration > right clicked on the RDP and went to properties > Clicked on the Permissions tab and added each person/profile/group as needed.  It worked out well.

3)  The Internet issue is still a concern.  It will need to be another post however.  It is very intermittent and we are trying hardware replacement next to see if we have a bad cord or NIC.  If that does not work, a new post will appear.

Thanks for all your help.  I appreciate all the input.
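The checks the accepted answer asks for (local logon and network access rights, plus the Terminal Services logon right) and the RDP-Tcp permissions change in the final comment can be verified from the terminal server itself. The following PowerShell audit is an added example, not code from the thread; it assumes the built-in secedit.exe and the built-in Remote Desktop Users group are present, and that it is run in an elevated session on the W2k3 box:

```powershell
# Added example (not from the thread): audit who holds the logon rights discussed above
# and who is in Remote Desktop Users, so remote users do not have to be Domain Admins.
# Assumes secedit.exe (built in) and an elevated PowerShell session on the terminal server.

$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf | Out-Null

# Privilege names as secedit writes them, mapped to the names shown in Group Policy
$wanted = @{
    'SeInteractiveLogonRight'       = 'Allow log on locally'
    'SeNetworkLogonRight'           = 'Access this computer from the network'
    'SeRemoteInteractiveLogonRight' = 'Allow log on through Terminal Services'
}

function Resolve-Principal([string]$token) {
    # secedit writes SIDs as *S-1-5-..., and account names as plain text
    if ($token.StartsWith('*')) {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($token.Substring(1))
            return $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { return $token }
    }
    return $token
}

foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$' -and $wanted.ContainsKey($matches[1])) {
        $holders = @($matches[2].Split(',') | ForEach-Object { Resolve-Principal $_.Trim() })
        "{0} ({1}):" -f $wanted[$matches[1]], $matches[1]
        $holders | ForEach-Object { "    $_" }
        # Least privilege check: the symptom in the thread was that only Domain Admins could connect
        if ($holders.Count -eq 1 -and $holders[0] -match 'Domain Admins') {
            "    WARNING: only Domain Admins hold this right"
        }
    }
}

# The RDP-Tcp permissions tab grants access to this local group by default;
# ordinary remote users belong here, not in Domain Admins.
$group = [ADSI]"WinNT://$env:COMPUTERNAME/Remote Desktop Users,group"
"Remote Desktop Users members:"
@($group.psbase.Invoke('Members')) | ForEach-Object {
    "    " + $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

Remove-Item $inf -Force   # the exported policy file contains no secrets, but tidy up anyway
```

If the Default Domain Policy on the W2K domain controller overrides these rights, the exported values reflect the effective result after that policy is applied, which is what you want to confirm.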

