Re: DC added to workgroup now has problems




"Fran >" <<fran> wrote in message
news:n1um7114uidqhnm6fphq02g4v9vqg3h7ei@xxxxxxxxxx
> Perhaps I'm nuts (my coworkers can add to this...) but I cannot seem
> to get our department AD server to work properly on this new network.
> Here's the scenario:
>
> We have a general workgroup network at the office. After consolidating
> two offices I added office #2's AD server to the LAN. Since the main
> office has a DHCP server I set up our clients to use static IP
> addresses (as we need to have the clients point to the AD server for
> DNS) I manually configured DNS and addresses for our part of the LAN.
> But now I get all sorts of errors on the server (like cannot determine
> the name of a computer or user, sometimes the Backup Exec service just
> shuts down.)
>
> Is there something I'm missing on adding this to the network properly?
> Are there changes I need to make to have this operate properly in a
> workgroup LAN?
>
> I'm lost...
>
> -Fran-

There is a certain level of confusion raised by your questions. An AD server
is a domain controller that manages a domain, not a workgroup. You can't
append an AD server to a domain since both represent unique security
principles with an authoritative hierarchy. What you could do is create a
Trust relationship between the two domains.

A trust relationship essentially says: I, the trusting domain, am giving the
trusted domain the right to authenticate on my behalf. So in your case, set
up 2 trust relationships to and fro the domains at both offices. Which now
gets us into the murky waters of Groups and how they should cross a trust.

Never give permissions to a global group; only global groups are exportable
(across a trust). Local groups a) are not exportable, b) can't cross a trust,
c) but should be given rights and/or permissions to resources. Never give a
user membership to a local group if that user comes from a trusted domain.
Instead, place the user in a global group within his own domain and make
that global group a member of a local group at the remote location (the
global group crosses the trust relationship). The remote domain
administrator now controls the permissions simply by modifying the local
group. All within inherit.

UGLP

http://windows.microsoft.com/windows2000/en/advanced/help/domadmin_concepts_und.htm
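
Added example, not part of the original post: a small audit of the nesting rule described in the reply above (user into a global group in their own domain, global group into a local group, permissions only on the local group). The domain, group, user and share names are hypothetical, the data is constructed, and any trustee not listed as a group is assumed to be a user account.

```python
# Added example: audit constructed group/ACL data against the nesting rule
# user -> global group (own domain) -> local group -> permission on resource.
GROUPS = {  # constructed sample data; every name here is hypothetical
    r"OFFICE2\GG_Accounting": {"scope": "global", "members": [r"OFFICE2\fran"]},
    r"OFFICE1\GG_Sales": {"scope": "global", "members": [r"OFFICE1\alice"]},
    r"OFFICE1\LG_Finance_RW": {"scope": "local",
                               "members": [r"OFFICE2\GG_Accounting", r"OFFICE2\bob"]},
}
ACL = [  # (resource, trustee, right)
    (r"\\FS1\Finance", r"OFFICE1\LG_Finance_RW", "Change"),
    (r"\\FS1\Sales", r"OFFICE1\GG_Sales", "Read"),
    (r"\\FS1\Finance", r"OFFICE2\fran", "Full"),
]

def domain(name):
    return name.split("\\", 1)[0]  # DOMAIN part of DOMAIN\name

def audit(groups, acl):
    """Return (rule, where, principal) for every break of the nesting rule."""
    findings = []
    for resource, trustee, _right in acl:
        # Assumption: a trustee that is not a known group is a user account.
        scope = groups.get(trustee, {}).get("scope")
        if scope != "local":
            kind = {"global": "global group"}.get(scope, "user account")
            findings.append((f"permission granted directly to {kind}", resource, trustee))
    for name, group in groups.items():
        for member in group["members"]:
            foreign = domain(member) != domain(name)
            if group["scope"] == "local" and member not in groups and foreign:
                findings.append(("trusted-domain user in local group", name, member))
            if group["scope"] == "global" and foreign:
                findings.append(("global group member from another domain", name, member))
    return findings

def effective_users(resource, groups, acl):
    """Expand the resource's trustees through nested groups down to users."""
    users, seen = set(), set()
    stack = [t for r, t, _ in acl if r == resource]
    while stack:
        principal = stack.pop()
        if principal in seen:
            continue  # guards against circular nesting
        seen.add(principal)
        if principal in groups:
            stack.extend(groups[principal]["members"])
        else:
            users.add(principal)
    return users

if __name__ == "__main__":
    print(*audit(GROUPS, ACL), sorted(effective_users(r"\\FS1\Finance", GROUPS, ACL)), sep="\n")
```

Running the audit alongside `effective_users` shows both who can reach a share and which of those grants bypass the local group the resource administrator is supposed to control.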


