Re: SIDS show instead of user names
- From: "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx>
- Date: Fri, 23 Jun 2006 15:48:24 -0500
Load up LDP from the resource utilities and see if your server can attach to the dc. If you don't have the tools installed, load them from your install disk:
d:\i386\adminpak.msi (Server tools for remote management of servers)
d:\support\tools\setup.exe (Server Utilities)
Try and query a user object from this web server and from the workstation you stated can get to the DC. I have included a link on how to use LDP below.
http://support.microsoft.com/?kbid=224543
PS: Just because a machine on the same subnet can get to the DC, it doesn't guarantee that other machines can get to it. The firewall may be blocking by ip address (allowing only specific ip addresses through).
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
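Paul's first step above is to query a user object with LDP from the problem server. The value the server is showing in its ACLs is the raw SID, and to search for that object in LDP the SID has to be supplied in the binary objectSid form, escaped byte by byte in the filter. The Python below is an added example written for this page, not code from anyone in the thread; the sample SIDs are constructed and the helper names are my own. It encodes a textual SID to the objectSid byte layout, decodes it back, builds the LDAP filter, and splits off the relative ID so the domain portion can be compared against the DC's own SID.

```python
import struct

# Added example for this thread (not the posters' code): convert between the
# textual SID shown in an ACL and the binary objectSid form an LDAP search needs.
# Sample SIDs used below are constructed for illustration.


def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' into the binary SID layout stored in objectSid.

    Layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority
    as a 4-byte little-endian unsigned integer.
    """
    parts = sid.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision = int(parts[1])
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if not 0 <= authority < (1 << 48):
        raise ValueError("identifier authority does not fit in 6 bytes")
    if len(subs) > 15 or any(not 0 <= s < (1 << 32) for s in subs):
        raise ValueError("bad sub-authority list")
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(raw: bytes) -> str:
    """Decode a binary objectSid value back into its textual form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def ldap_filter_for_sid(sid: str) -> str:
    """Build an LDAP search filter that matches objectSid.

    Binary values inside a filter are escaped one byte at a time as \\XX
    (RFC 4515); that escaped string is what goes into LDP's search filter.
    """
    return "(objectSid=" + "".join("\\%02x" % b for b in sid_to_bytes(sid)) + ")"


def domain_and_rid(sid: str):
    """Split an account SID into (domain SID, relative ID)."""
    parts = sid.split("-")
    if len(parts) < 4:
        raise ValueError("SID has no relative identifier")
    return "-".join(parts[:-1]), int(parts[-1])


if __name__ == "__main__":
    # Constructed samples: BUILTIN\Administrators and a fictitious domain user.
    for s in ("S-1-5-32-544", "S-1-5-21-1234567890-987654321-1122334455-1103"):
        raw = sid_to_bytes(s)
        assert bytes_to_sid(raw) == s
        print(s, "->", raw.hex(), "->", ldap_filter_for_sid(s))
```

If the filter built from a displayed SID returns the user object when searched from the workstation but not from the problem server, that points at the server's path to the DC rather than at the directory data, which is the distinction Paul's LDP test is meant to draw.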
"Charlie" <baboon@xxxxxxxxxxxxxx> wrote in message
news:372AF495-C433-4F1C-8218-C291DFE31500@xxxxxxxxxxxxxxxx
All valid points and thanks for the suggestions. If I do rebuild the server on a different box, it would be with 2003 R2, so ADAM would be readily available.
As for port blockages, I confirmed that a Windows XP box in the same subnet on the same domain doesn't have this SID-instead-of-user problem. The other server that I checked earlier on the same subnet is actually still in an NT4 resource domain, so it wasn't a real good comparison, since it can't use Kerberos to authenticate to the DC. (All user accounts are in the AD domain.)
To clarify, the problem server IS on the AD domain (which is the only AD domain and is where all the user accounts live).
"Paul Bergson" wrote:
Typo, but I would avoid a web server that is part of an Active Directory environment. That being said, we do this, but we have a third party managing all permissions via AD. A better solution would be a reverse proxy with ISA. I am working on getting this accomplished. A possible other solution would be to port over your users to ADAM and authenticate against ADAM.
As far as being in the domain: if the server is hacked it has domain level security, whereas if it is a stand alone then the break in is only to this box.
These are my thoughts but they were built via experience and course work.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Charlie" <baboon@xxxxxxxxxxxxxx> wrote in message
news:E73FDDCE-7353-472C-A25B-7BD6C6DB61AC@xxxxxxxxxxxxxxxx
Thanks for the response.
This is just one of many Windows servers on our large LAN, no WAN involved. This is the only server on the LAN that is having this problem. I checked another W2K server that is sitting in the same closet and it doesn't have this problem. Port blockage is unlikely to be the problem since it appears to only affect this box, but there are a couple of caveats that I won't mention for the sake of brevity. Until I check on those, I won't completely rule this out.
You said "I would recommend against having a public web server available to the general public that is your AD".
Did you mean to say "... is in your AD"?
I assume that is what you meant to say unless you misunderstood that a DC is the Web server. This is important to me, because I am trying to get management to put the Web server on a different box. This will help me make that point. I argued that a file server shouldn't be a Web server, but I never really thought that a Web server shouldn't be a domain member. The only real problem with that would be for administration. They might even be using domain accounts for access, I'm not sure. (I'm not actually the Administrator for the server.)
"Paul Bergson" wrote:
If this is a public web server in a domain, I'm guessing you have a firewall that is blocking the name resolution for the sid that comes from AD. Which ports are open between the file server and AD? Also I would recommend against having a public web server available to the general public that is your AD.
--
Paul Bergson MCT, MCSE, MCSA, Security+, CNE, CNA, CCA
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Charlie" <baboon@xxxxxxxxxxxxxx> wrote in message
news:D97EA440-62A7-48DF-85BF-76B2082048E5@xxxxxxxxxxxxxxxx
I have a Windows 2000, SP4 member server in a single 2003 AD Domain. The machine is a file server and IIS public Web server.
I log on to the server with my domain account, which has administrator rights on the server, and when I look at either a group's membership or the ACL on a folder, I see the SID rather than the user name.
It doesn't appear as though anyone is being denied access. If I add a user to a group or ACL, I can browse through the domain list of users, but once they are added and I click OK, they show as only a SID.
I get the same behavior if I try this from a remote machine, either by using explorer to look at ACLs or Computer Management to look at group membership.
I tried using the showacls command line utility and as long as it is used remotely, I DO then see the friendly names in ACLs. Also, when logged onto the server I can see the name of my own domain account, but it is followed by the SID.
This problem began to happen suddenly for no apparent reason. I see nothing in the Event Logs that gives any clue.
Does anyone have any suggestions about fixing this?
Thanks.