Administering a Win2K DC from a Win2K Pro workstation


Woodie

Platinum Member
Mar 27, 2001
2,747
You haven't solved the permissions thing:

You said you're the DC Admin. That's NOT the same as a DOMAIN Admin (in W2K). DC Admin is just a local admin account; it doesn't give you rights to the AD.

Next time, try running usrstat against the "Back level Domain name" for your W2K domain, but as a Domain Admin.

eg: With W2K domain 4cp.net, type:
usrstat 4CP

That should get you all local IDs, and may get you domain IDs as well--I'm not sure how that second part works.

--Woodie
 

jaywallen

Golden Member
Sep 24, 2000
1,227
Oh yeah, good point, Woodie. I did mention the need for logging onto the domain as a domain admin much earlier in the thread, but didn't pay attention when Dark said "DC admin".

Does that do it for you, Dark?

Regards,
Jim
 

sentania

Member
Jun 14, 2001
76


<< Terminal Services is NOT an option because I don't want to physically access the server. I installed adminpak.msi but I need to access the domain security policy to enable auditing of logon events. If you know how to do that using a command line that would be great. I know of the little program that comes with the WinNT Resource Kit, usrstat.exe, but that doesn't work with Win2K... please help. I need to list the users with their last logon.
This is urgent... any MCSE or sysadmin out there???
>>


Right click My Computer (Win2K Pro workstation) -> Manage -> right click Computer Management -> Connect to remote computer.
Then type in the name of the machine. As long as the account you are logged in on has administrative privileges on the DC, you'll be able to manage it remotely with MMC.
 

Dark

Senior member
Oct 24, 1999
639
Hi guys. I should have been clearer. I am the domain admin and I log in using the supreme domain admin account :).
Sentania: I installed the adminpak.msi from the Win2K Server on my Win2K Pro machine and I can use those MMCs to remotely manage the DC, but when I try to access Group Policy I get the message that the domain controller couldn't be found (I need that to turn auditing on). So my alternative was to use usrstat to get a listing of users and their last logon attempt.
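What usrstat was being asked for here (every user with their last logon) can be pulled straight from the directory over LDAP, which works through the same VPN session the rest of the thread relies on. The script below is an added example written for this page, not code from the thread or from the Resource Kit. The one caveat a practitioner needs: `lastLogon` is not replicated between domain controllers, so a single DC only gives a lower bound and the script takes the maximum across every DC it can reach. It assumes you run it as a Domain Admin from a domain-joined workstation with LDAP (389/TCP) open to each DC; the DC hostnames in the usage line are placeholders.

```powershell
# Added example, not code from the thread: report each user's most recent logon by
# asking every domain controller via plain ADSI/LDAP (no RSAT or AD module needed).
# lastLogon is NOT replicated between DCs, so the value on any one DC is only a lower
# bound; the loop keeps the newest value seen on any DC.
function Get-LastLogonReport {
    param(
        # Assumption: names resolvable from this workstation. Default = all DCs of the current domain.
        [string[]]$DomainControllers = $null
    )
    if (-not $DomainControllers) {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $DomainControllers = @($domain.DomainControllers | ForEach-Object { $_.Name })
    }

    $report = @{}
    foreach ($dc in $DomainControllers) {
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
        $searcher.PageSize = 1000   # paged search so large domains do not stop at the 1000-entry server limit
        [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'lastLogon', 'userAccountControl'))

        foreach ($entry in $searcher.FindAll()) {
            $sam = [string]$entry.Properties['samaccountname'][0]
            $uac = [int]$entry.Properties['useraccountcontrol'][0]
            # lastLogon is a 64-bit FILETIME; absent or 0 means "never logged on at this DC"
            $raw = if ($entry.Properties['lastlogon'].Count -gt 0) { [int64]$entry.Properties['lastlogon'][0] } else { 0 }

            if (-not $report.ContainsKey($sam)) {
                $report[$sam] = [pscustomobject]@{
                    User      = $sam
                    Disabled  = (($uac -band 0x2) -ne 0)   # ACCOUNTDISABLE bit of userAccountControl
                    LastLogon = $null                      # stays $null if no DC has ever seen a logon
                    SeenOnDC  = $null
                }
            }
            if ($raw -gt 0) {
                $when = [DateTime]::FromFileTimeUtc($raw)
                if ($null -eq $report[$sam].LastLogon -or $when -gt $report[$sam].LastLogon) {
                    $report[$sam].LastLogon = $when
                    $report[$sam].SeenOnDC  = $dc
                }
            }
        }
    }
    $report.Values | Sort-Object LastLogon
}

# Usage (placeholder DC names):
#   Get-LastLogonReport | Format-Table -AutoSize
#   Get-LastLogonReport -DomainControllers dc1.example.com, dc2.example.com | Export-Csv lastlogon.csv -NoTypeInformation
```

Accounts that come out with `LastLogon` empty and `Disabled` false are the ones worth a second look: they have never authenticated against any DC you queried, which is either a dormant account or a DC you forgot to include in the list.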
 

Woodie

Platinum Member
Mar 27, 2001
2,747
What are your SP levels? And which admin pak do you have? There is one specifically for SP1.

Sounds like a focus bug in the MMC product (we've seen that type of thing in two other tools).

Forgive me for being dense, but why can't you TS to the DC, and run the MMC/GPO editor there? That would be for the initial GPO setting. I can see why long-term that isn't as handy.

Could you explain where the GPO fails the domain browsing again?
MMC, add/remove snap-ins, Add, Group Policy Editor, Browse, Domains/sites/etc.. Select place, highlight GPO to edit, OK, OK, OK...

--Woodie
 

Dark

Senior member
Oct 24, 1999
639
Woodie: Regarding TS, I just don't want to drive all the way to the place to set it up one more time. What is weird is that I can add users or remove them or change their info just fine, but I am unable to access Group Policy (always the "can't find the DC").
I have SP2 on Win2K Pro and SP1 on the DC. The admin pak was installed from a Win2K Server with SP1 integrated.
Regarding the GPO failing. Two ways: AD Users and Computers... select a group and try to access the Group Policy tab. Failure with the message "unable to find the DC".
MMC -> Add -> Group Policy -> I don't use local computer, I enter the IP of the remote one -> it's accepted -> then the only options I have on the MMC are the IPSec ones... I have no local account or auditing... just the IPSec settings.
The reason why we didn't install TS the first time was because first the DC is behind a NAT and packet filtering firewall (so not state of the art protection). The second reason is that you can do almost anything using the command line...
 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
I understand about not installing TS--I think it will be worth the trip at some point, to enable the TS for Administrative use. I have a feeling you'll be wanting it at some point anyway.

On the MMC/GPO stuff... do I understand that the DC is protected from where you are (the rest of the network) by a "firewall"?
If so: We're just now enabling some servers/applications to talk to our DC from a DMZ (across a firewall) and finding that we need to have like 10+ ports open, and we need to lock down the DC RPC ports--there's a Q article on this. See M$ Q224196
If not: hmmmm. will have to think some more.

--Woodie
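Q224196 is the article on pinning the Active Directory replication (NTDS) RPC endpoint to a single fixed TCP port instead of letting it land anywhere in the dynamic RPC range, which is what makes a firewall in front of a DC workable. The script below is an added example, not something posted in the thread: it applies that one registry value on the DC and then probes the fixed list of TCP ports a member machine still needs to reach. Port 38901 is an arbitrary choice, the port list is the usual minimum for a Windows 2000 style DC without IPsec and with AD-integrated DNS on the DC, and the reboot noted in the comment is required for the NTDS change to take effect.

```powershell
# Added example, not code from the thread. Implements the registry change from Microsoft
# KB 224196: fix the NTDS (AD replication / DRS) RPC endpoint to one TCP port so a
# firewall only needs that port plus the well-known ones open, not the whole dynamic range.
# Run ON the domain controller as a Domain Admin, then restart the DC.
function Set-NtdsRpcPort {
    param(
        # Assumption: 38901 is free on the DC; any unused port above 1024 works.
        [Parameter(Mandatory)][ValidateRange(1025, 65535)][int]$Port
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    Set-ItemProperty -Path $key -Name 'TCP/IP Port' -Value $Port -Type DWord
    # return what is now stored so the caller can verify it
    (Get-ItemProperty -Path $key -Name 'TCP/IP Port').'TCP/IP Port'
}

# Minimum ports a client or member server needs to the DC even after pinning NTDS.
# Assumptions: no IPsec, DNS served by the DC, RPC endpoint mapper still on 135.
$RequiredDcPorts = @(
    @{ Port = 53;    Proto = 'TCP/UDP'; Use = 'DNS (AD-integrated)' },
    @{ Port = 88;    Proto = 'TCP/UDP'; Use = 'Kerberos' },
    @{ Port = 123;   Proto = 'UDP';     Use = 'NTP (Kerberos clock skew)' },
    @{ Port = 135;   Proto = 'TCP';     Use = 'RPC endpoint mapper' },
    @{ Port = 389;   Proto = 'TCP/UDP'; Use = 'LDAP' },
    @{ Port = 445;   Proto = 'TCP';     Use = 'SMB (SYSVOL, GPO download)' },
    @{ Port = 464;   Proto = 'TCP/UDP'; Use = 'Kerberos password change' },
    @{ Port = 636;   Proto = 'TCP';     Use = 'LDAPS' },
    @{ Port = 3268;  Proto = 'TCP';     Use = 'Global catalog' },
    @{ Port = 38901; Proto = 'TCP';     Use = 'NTDS RPC (pinned, see Set-NtdsRpcPort)' }
)

# Probe the TCP ports from the client side of the firewall with a plain connect(),
# so it works from any Windows box without Test-NetConnection. UDP is skipped:
# a connect() tells you nothing about a filtered UDP port.
function Test-DcPorts {
    param([Parameter(Mandatory)][string]$Dc, [int]$TimeoutMs = 2000)
    foreach ($p in $RequiredDcPorts) {
        if ($p.Proto -notmatch 'TCP') { continue }
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $ar   = $client.BeginConnect($Dc, $p.Port, $null, $null)
            $open = $ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch { $open = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Port = $p.Port; Use = $p.Use; Open = $open }
    }
}

# Usage (placeholder names):
#   on the DC:            Set-NtdsRpcPort -Port 38901   ; then reboot
#   from the workstation: Test-DcPorts -Dc dc1.example.com | Format-Table -AutoSize
```

Two things the probe cannot tell you: whether the UDP side of Kerberos, LDAP and DNS is passing, and whether the endpoint mapper on 135 is handing out a port that the firewall then drops. If an RPC-based tool still fails after the TCP ports all report open, the second case is the one to check, and Woodie's point about the DC's RPC ports being the real problem stands.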
 

Dark

Senior member
Oct 24, 1999
639
0
0
The firewall shouldn't be an issue because I use a VPN connection to administer the DC. I get a local IP address from the DHCP, so from the DC's point of view I am on the local network. Besides, this is what MS advises using:

<< NOTE: Note that this article does not imply that replication can occur through a firewall. For example, there are a number of ports that must be opened (for kerberos, and so on) to make it work. If you need to do so, use Virtual Private Networking. >>

 

Woodie

Platinum Member
Mar 27, 2001
2,747


<< MMC->add->group policy->I don't use local computer, I enter the IP of the remote one-> it's accepted->then the only options I have on the >>



I think I have something:
When I try to add the GPOEd to the MMC, I get a computer selection window, where I can't type in IP address--must hit Browse. Then I get a tabbed box, and I can only type in an IP address when I'm on the Computer tab. This makes sense to me, because that's trying to edit the Local Policy at that IP address. The first tab has Domains/OUs... I think you need to use this tab, and navigate through the Domain & OU structure until you find the GPO you want to edit.

Does yours look different?

edit: I just tried with the IP address, pointed to my w/s..and as you say, only the IPSec portion is available under Security.

LMK!

--Woodie
 

Dark

Senior member
Oct 24, 1999
639
0
0
Woodie: I am using the DC as a DNS (we all know AD and DNS are bound) so when I ping the DC using the name of the DC, I get an echo reply, but when I enter the name instead of the IP in the GPO I can't find the DC unless I use the IP. So what do we do now? I am going to try the tools you mentioned before... we'll see if it works.
 

Marqui

Member
Aug 15, 2000
190


<< Woodie: I am using the DC as a DNS (we all know AD and DNS are bound) so when I ping the DC using the name of the DC, I get an echo reply, but when I enter the name instead of the IP in the GPO I can't find the DC unless I use the IP. So what do we do now? I am going to try the tools you mentioned before... we'll see if it works. >>



Hmm... been looking at this one. I still think it's a permissions issue as stated before. If you are using the 'Enterprise Admin' account you shouldn't be having a problem. But in any case, I duplicated the steps you took and it worked just fine for me. I was able to bring up all the auditing options with the GP editor. Are you using the 'Default Domain Policy' or did you save as a custom domain policy? You should be trying to access this through the 'Domains/OUs' tab, where the group policy file is located. If you are finding this file, you can do a right click and check the permissions for this file. Also hit the 'Advanced' tab once in the properties and check the 'Access Control List' for this object. I am not sure how much tweaking you have done to the GPO and if there are conflicting permissions.
 

Dark

Senior member
Oct 24, 1999
639
0
0
Marqui: I don't have a domain policy in the adminpak I installed, so I have to use MMC to manage the domain policy. I tweaked the GPO a little bit but nothing drastic. I don't know if there is an option to prevent the GPO from being viewed or modified when not locally accessed... I would remember it if I set something like that...


<< You should be trying to access this thru the 'Domains/OUs' tab, where the group policy file is located. >>

I'm not sure I follow you on this one.
 

Marqui

Member
Aug 15, 2000
190
0
0


<< Marqui: I don't have a domain policy in the adminpak I installed, so I have to use MMC to manage the domain policy. I tweaked the GPO a little bit but nothing drastic. I don't know if there is an option to prevent the GPO from being viewed or modified when not locally accessed... I would remember it if I set something like that...


<< You should be trying to access this thru the 'Domains/OUs' tab, where the group policy file is located. >>

I'm not sure I follow you on this one.
>>



I am using the MMC as well through a normal 2K Pro workstation. I don't even have the adminpak installed. If you added the snap-in for the Group Policy editor, then clicked 'Browse', it should have listed your 'Domains/OUs' there. From there you should see the location of your GPO. There are permissions regarding accessing/modifying GPO settings as with any other type of A.D. object. If you right-click your GPO, go to Properties, then the Advanced button, then the Auditing tab, there you will see all the permissions and access rights for the GPO. Assuming you didn't change any of those settings, you should have been able to activate auditing on the domain controller. Did you create any type of security templates for your domain or use any of the pre-configured ones? Maybe the conflict is there. The only other thing I can think of is the VPN. I've only tested this in the local domain. I don't think the VPN should affect you once you've established your session.

 

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0


<< Woodie: I am using the DC as a DNS (we all know AD and DNS are bound) so when I ping the DC using the name of the DC, I get an echo reply, but when I enter the name instead of the IP in the GPO I can't find the DC unless I use the IP. So what do we do now? I am going to try the tools you mentioned before... we'll see if it works. >>



How do you enter a name into the GPO selection box? I think this is our problem: Dark is trying to type in a name, but the way the domain GPOs work is that you have to browse the AD, not a server (or DC). The point is that the tool is different, and the only way to access a domain GPO is to access the AD.

If you can't ping the DC by name, I would suspect there's a DNS problem, possibly related to your VPN setup. If you can ping the DC by name, then it may not be DNS, but something is still blocking your ability to browse the (forest) AD structure.

BTW, I don't think it's permissions. I can get to the browse screen, and select any GPO to edit. It's not until I try to click Finish that I get a permissions error.

Are you planning to create a new GPO or edit one of the existing ones? (Either way, you still have to browse the AD :( )

You mentioned that you tweaked a few settings? Where? What GPO? In an OU? Or was it on a server? Was it one of those MS default ones?


--Woodie
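Marqui's and Woodie's posts above both come down to the same fact: a domain GPO is an AD object plus a folder under SYSVOL, and the audit settings the thread is after live in that folder's security template (`GptTmpl.inf`), not in any one machine's Local Security Policy, which is why pointing the editor at the DC's IP only shows IPSec. The script below is an added example for this page, not code from the thread: it reads the `[Event Audit]` section of a GPO's template and reports which audit categories are on. It defaults to the Default Domain Controllers Policy (well-known GUID {6AC1786C-016F-11D2-945F-00C04fB984F9}) because logon auditing has to reach the DCs and a policy linked to the Domain Controllers OU wins over the Default Domain Policy there. It assumes a domain-joined workstation with read access to SYSVOL; the inline template is a constructed sample, not captured from a real DC.

```powershell
# Added example, not code from the thread. Domain audit policy is stored in the GPO's
# security template under SYSVOL:
#   \\<domain>\SYSVOL\<domain>\Policies\<GPO GUID>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
# Each [Event Audit] value is a bit mask in secedit semantics: 1 = success, 2 = failure, 3 = both.
function Get-GpoAuditSettings {
    param(
        [string]$Domain  = $env:USERDNSDOMAIN,                       # assumption: domain-joined workstation
        [string]$GpoGuid = '{6AC1786C-016F-11D2-945F-00C04fB984F9}', # Default Domain Controllers Policy
        [string]$Content = $null                                     # pass template text directly for offline use
    )
    if (-not $Content) {
        $path = "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
        $Content = Get-Content -Path $path -Raw
    }

    $section = $null
    $result  = @{}
    foreach ($line in ($Content -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }   # new INI section
        if ($section -ne 'Event Audit' -or $line -notmatch '^(\w+)\s*=\s*(\d+)$') { continue }
        $name, $value = $Matches[1], [int]$Matches[2]
        $result[$name] = [pscustomobject]@{
            Setting = $name
            Success = (($value -band 1) -ne 0)
            Failure = (($value -band 2) -ne 0)
        }
    }
    $result
}

# Constructed sample (not from a real DC) of the template after "Audit logon events" and
# "Audit account logon events" have been set to Success, Failure. AuditAccountLogon is the
# one that records authentication AT the DC; AuditLogonEvents records logons at whichever
# machine the session is created on.
$SampleTemplate = @'
[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 1
AuditPolicyChange = 0
[Version]
signature="$CHICAGO$"
Revision=1
'@

$audit = Get-GpoAuditSettings -Content $SampleTemplate
$audit['AuditLogonEvents']    # Success=True  Failure=True
$audit['AuditPolicyChange']   # Success=False Failure=False  (nobody will see this policy being changed)

# Against the live domain (reads SYSVOL over SMB, 445/TCP):
#   Get-GpoAuditSettings | ForEach-Object { $_.Values } | Format-Table -AutoSize
```

If `AuditAccountLogon` comes back with both flags false on the Default Domain Controllers Policy, the DCs are not logging authentication at all, whatever the Default Domain Policy says; that is the setting to turn on for the "who logged on when" question that started this thread. Checking `AuditPolicyChange` at the same time is cheap and catches the case where someone quietly switches auditing back off.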
 

Dark

Senior member
Oct 24, 1999
639
0
0
Damn, my VPN is down and I can't make it work. I've tried everything.
To answer Woodie's question, I just tweaked the GPO using the MS templates, like disabling Network Neighborhood for users etc. That kind of stuff. Nothing major.