Re: Active Directory Replication Error Messages

So as a side question, how are the Active Directory service(s)
authenticating to other domains in the forest in order to have proper access
to NTDS connection objects? I see most services running as SYSTEM.

--
Will


"Rick Kingslan [MSFT]" <rickk.microsoft.com@xxxxxxxxx> wrote in message
news:efO6hzfqFHA.3016@xxxxxxxxxxxxxxxxxxxxxxx
> Will -
>
> Running as the Domain Admin in any of the domains would produce these
> errors as the Domain Admin does not have access to the NTDS connection
> objects in the domain in which you are NOT a Domain Admin.
>
> It succeeds, naturally (as I think you suspected) as the Enterprise Admin
> because the Enterprise Admin can read both ends of the NTDS in any domain in
> the forest - giving complete results.
>
> Obviously, if you are the Domain Admin in a single forest / single domain,
> it's going to succeed as well.
>
> Rick

