Go Premium for a chance to win a PS4. Enter to Win


Unable to pull active directory information from a Windows 2000 domain to a Windows 2003 Terminal Server

Posted on 2004-10-20
Medium Priority
Last Modified: 2010-04-19
We have just added a new Windows 2003 Enterprise server to an existing Domain run by a Windows 2000 server.  We are able to log into the domain and connect to the network, but we are unable to pull users directly from the 2000 server active directory to create local permissions and/or profiles.

How can we draw directly from the active directory?  Currently we have to enter the 2000 server's admin user/pass in to verify the ability to add the user.

Thanks for the assistance.

Question by:fdarkow
  • 3
  • 3
LVL 15

Expert Comment

ID: 12363857
Not sure I follow.

If the server is a member of the domain, then you will need to use a Domain Admin account to do anything that tries to look at Active Directory. If you're still logging on as the W2k3 local admin, then there's your problem. The local admin will look to the local SAM database for account validations. A domain account will always look to AD first - even a non-domain admin who has local admin priviledge will do the trick.

Your second line seems to indicate that if you log in as a domain admin all is fine. This is exactly what we expect, if I read you right...


Author Comment

ID: 12366076
Good points - I need to clarify a bit.

When we log into the W2k3 server, we are logging into the Domain with an account that has Local Admin rights.  So from what you are saying is that we need to log onto the server with an Account that has Domain Admin rights in order for us to easily add users locally from the AD.  Is this correct?  Just making sure.

To clarify the second line, we are logged in as the Local Admin and try to add a person from AD to assign rights.  When we try to do so, We are asked for a User/Pass that has Domain rights and the name gets added in just fine.

Another interesting issue is that anyone who uses the Terminal Server for a remote connection seems to require the permissions for a Domain Admin or they cannot connect to the Terminal.  Obviously this is not very secure.  Do you have any tips on configuring the Terminal Server so the remote users do not have to have Domain Admin permissions?

Finally, a third issue that has recently surfaced is that the W2k3 Server will not connect to the Internet.  We have a static IP set for the server connected directly to a switch and the IP of the Win2K Domain server as the DNS server entry.  Initially, there was no difficulty, but for the past 24 hours, it will not connect.  

The IP settings are:
IP - Static
Subnet - Class C
Default Gateway - External Router IP
DNS Server - Domain Server Static IP

Any assistance would be appreciated.  Even to just get my brain going in the right direction.

LVL 15

Accepted Solution

harleyjd earned 1500 total points
ID: 12366138
"in order for us to easily add users locally from the AD.  Is this correct?  Just making sure."

Yes, precisely. The user/pass response is exactly what to expect if not a domain user account.

"Terminal Server for a remote connection seems to require the permissions for a Domain Admin "

Not so. You need to make sure in Group Policy Default Domain settings that the users are allowed Local Logon rights, and Access from network rights. Without these you'll have problems. It should have these by default, but check anyway. If they can log on to the console but not the RDP then let me know.

"Finally, a third issue that has recently surfaced is that the W2k3 Server will not connect to the Internet."

I'd ask that you create a new question for that, but in basic terms - maybe group policy set a proxy server, maybe there W2k3 firewall is acting up, maybe the router is acting up. Is it just web traffic, or is it everything? Does the DNS server on the w2k box use forwarders? If that doesn't help, then a new Q is the go...

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!


Author Comment

ID: 12366249
Thanks for the input.  It is making sense.

Could you please clarify a bit for me?

"make sure in Group Policy Default Domain settings that the users are allowed Local Logon rights, and Access from network rights."

Just to make sure - the Group Policy Default Domain settings - this is located in the Win2K server AD and not on the W2k3 server.  Is there a default Group Policy is created automatically for this?  If not, how would I create it or find it in the exisiting AD?

LVL 15

Expert Comment

ID: 12366263
Yes, the "default domain policy" in AD on the w2k boxshould have it, and it will override any local policy set on the w2k3 box.

Just open ADUC, right click the domian name, then group policy tab then edit the DDP link...

Expert Comment

ID: 12366291
First, lets define a couple of things; Not to say the definitions aren't already known, but it's confusing me a little, so I want to clarify, and hopefully find a solution for the issue.
When you log on to the system with a domain admin account, you are getting local admin permissions by default. Therefore, if you are logging into the server with a local administrator account, you have to access the domain with different credentials, as the local account is not a domain account.
Let me ask you a silly question, but one I have been caught on enough to make me blink. 8-)
What is the logon to box set for? THe local server, or the domain. I will assume you checked that silly thing, but still...
Now, since the aforementioned is an obvious given, we need to discuss the possibilty of a GPO that ma be using restricted groups that may be tagged that prevents something, but since I'm not real familiar with it, I won't go there, except to get it on the table.
If the account you are using is a local only account, there is the cause of the credentials box prompt.
Hmm, while harleyjd gave the most liekly cause, there can also be some settings in other palces that effect this, as well. Like in RRAS. How are the permissions for access applied? Via GPO, or granted per user under dial-in permissions?
I suspect the internet issue might be related to the other issues, but only if your machine is having DNS issues. That could cause all of the issues, but should also have other effects.
However, it might not be immediately obvious, under certain circumstances. Are you using WINS? That would assist (partially) in name resolution, which would help the server find the DC, but things AD related would be problematic. This sounds like it might be involved, possibly.
Check name resolution, as that seems to be at the heart of the matter.
Sorry for being so long winded, and I swear I meant nothing about any of the comments other than as observation and clarification to ensure we are sharing the same definitions. Lord knows, I'm SOOOO guilty of the "Thing-a-ma-bob" syndrome... 8-)
Good Luck!

Author Comment

ID: 12377307
1)  We can now add people directly from the Domain AD.  I think we had it by default previously after removing it from the Domain and then Adding it again.  Works fine.

2)  We have also configured the Terminal Server to accept logins that do not have the Domain Admin permissions.  We went to the Administrative tools > Terminal Server configuration > right clicked on the RDP and went to properties > Clicked on the Permissions tab and added each person/profile/group as needed.  It worked out well.

3)  The Internet issue is still a concern.  It will need to be another post however.  It is very intermittent and we are trying hardware replacement next to see if we have a bad cord or NIC.  If that does not work, a new post will appear.

Thanks for all your help.  I appreciate all the input.


Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question