Re: Please help refresh my memory on AD DC
- From: Meinolf Weber <meiweb(nospam)@gmx.de>
- Date: Wed, 12 Nov 2008 15:28:08 +0000 (UTC)
Hello Joe,
The domain user does not really have access to the OU; the structure in AD is only for administration, the domain users will not work on that. In AD you configure all needs for computers or user accounts/groups. The users will not see anything of that basically, they just get the result of what the domain administrator or equivalent configures there.
See here about AD:
http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Meinolf,
Thank you very much. I do believe I got it! Let me recap for concise measures:
In a nutshell:
Domain is a central OU and a central place to join PCs and servers for management and administration.
If any PC is joined to the domain, any domain user (NOT local machine user) is on the DC; they can log in from any joined PC and have access to their central OU and their assigned rights and permissions.
They however cannot log on directly to the physical DC machine.
Ok great. There is a local user and a domain user, understood clearly.
I couldn't thank you more. I will take the IIS post over to the next block in IIS country.
Thanks again for your time
Joseph
"Meinolf Weber" wrote:
Hello Joe,
See inline.
Best regards
Meinolf Weber
Hello Meinolf,
Thanks for your reply. I am getting very clear on this now.
*****************************************************
"WEB308\administrator" no longer exists, because DCs have no local administrator.
*****************************************************
This is great. I can now purge this from my thought process.
Yes.
I have two scenarios that I am wondering how to tackle.
By saying that using local accounts would defeat the use of the domain, I can see why. The whole idea is to control the environment, PC and user.
So here is a question/Scenario
Using my Laptop as an example:
When I boot my Laptop I reach the logon screen for the XP Laptop and here I am presented with
Domain Logon or
This Computer
Ok, the local user for my Laptop is Joseph.
However if I wanted to log on to the domain I have to use the DC's administrator account. There is no other domain user at this time on the DC.
This presents an entirely new desktop on the XP Laptop. Which is normal.
So I guess I would need to create a Domain User for this Laptop, NOT an admin account, to be able to log in so I can control it from the DC. Is this correct?
Yes, you have to create a domain user, but this does not belong to a computer. A domain user can by default log on to any domain computer, except domain controllers.
Second Scenario:
A server has websites already hosted on it in a workgroup and now I join it to the domain. What happens to the permissions of the anonymous account (or any account) IUSR_MACHINENAME if I needed to add this permission on a folder for write permissions? Or similar situation?
Would I log in to the DC and do it from there? If I can recall, this is how I did it a few years back.
For IIS I can not give you a clear answer, sorry. If you install IIS in a domain the accounts are created in Active Directory. Better post this question to: microsoft.public.inetserver.iis or microsoft.public.inetserver.misc
Present FTP users, would they change logons?
Are they locally created? They still should work.
That is all I think; that narrows it to the core.
I deeply appreciate your time Mr. Weber
Thank you,
Joseph
"Meinolf Weber" wrote:
Hello Joe,
"WEB308\administrator" no longer exists, because DCs have no local administrator.
"However this does not mean that there is a user from that added machine in the domain users." Correct, they still are local.
"It is just on the Domain network...?" The computer is now a member of the domain, if you mean this, and still has the local user account.
"in order to add the server or pc I would have to have a user on the domain to logon to the domain. This would be added by the Domain admin account on the DC." Correct
"1. logon Locally 2. Logon to the domain. To Logon locally I would use the admin account of the Server 2003 machine. To Logon to the domain I would use the AD DC Domain admin account to logon to the domain." Correct
"Unless there was a user specified for this server added to the Domain User accounts." No, do not use local users any longer. In a domain only use domain user accounts. Over those accounts you have full control in Active Directory Users and Computers. If you configure local users you have to control them always on that special machine and you have to change passwords/settings/etc. always on that machine. You kick out the advantage of a domain.
Best regards
Meinolf Weber
Hello Mr. Weber,
Thanks for the update. That is some awesome info. Yes I have worked with AD before but not for a long time and not in a large environment. When I did work with it, it was when Server 2003 came out and I was using it on a small scale. Even then I was a little confused on the naming conventions. That is the reason I posted, so I could get human intervention. I am very familiar with DNS as the 9 servers are a small hosting company. We have a few DNS servers serving zones for public sites, but not an AD DC setup. We are looking to host MS Dynamics CRM and this feature requires AD.
You clarified a lot for me. Thank you very much!!
I realize that the DC controls the entire network, except that I will only be using one master DC. I do think that you are correct; I need to do a little more reading on the permissions sections as there is a domain user and then there is the local machine user.
Also when I promoted this Server 2008 box it did something that was not normal.
It made me change the password from the old one.
Let me explain. I had a saved icon on the desktop of my Laptop for WEB308 and it was set to RDP in automatically. Ok fine. When I did this I got the prompt for
WEB308\administrator
password
My old password did not work, however. As you mentioned, since this is now a DC would the only logon be a domain logon, or would the option to log on locally still exist in this DC?
However, after realizing out of the blue that the NetBIOS name was changed for me, I then approached the logon as such:
WEB3080\administrator
old password
and it made me change the password. Don't know why, but I got past that part.
I then saw the WEB3080 as an option to log on to with my Laptop, so I am getting my memory back on this. Correct me please if I am wrong...
The Domain administrator has the rights to add a PC or workstation/server to the domain. However this does not mean that there is a user from that added machine in the domain users. It is just on the Domain network...?
In order to add the server or PC I would have to have a user on the domain to log on to the domain. This would be added by the Domain admin account on the DC.
Example: a Server 2003 box has a user administrator and a password; this is now a workstation. Then it is added to the Domain by the domain admin. When it is rebooted the newly added Server 2003 machine would have the option to either
1. logon Locally 2. Logon to the domain.
To log on locally I would use the admin account of the Server 2003 machine.
To log on to the domain I would use the AD DC Domain admin account to log on to the domain. Unless there was a user specified for this server added to the Domain User accounts.
Yes I will read up a bit on this.
Thanks for ALL your help!!
Joseph
"Meinolf Weber" wrote:
Hello Joe,
See inline.
Best regards
Meinolf Weber
Hello,
I am currently using a workgroup infrastructure with 9 servers and I am in need of changing it to an AD DC domain infrastructure. However I am a little rusty in some areas. I have 4 Server 2003 Enterprise machines and 4 Server 2008 Standard machines. One Linux but that doesn't matter.
1. When I created the domain I used the same name as the server and this caused the installation wizard to change the NetBIOS name from WEB308 to WEB3080. The original name for this server was web308.mydomainname.com and when I was asked for the FQDN I entered the same thing. This is what prompted the NetBIOS change, as it told me to avoid conflict with the DC.
If you promote a server to domain controller, there is no renaming of the computer. As you said, you have to specify on the first install the fully qualified domain name (FQDN) you like to use. In your case you chose web308.mydomain.com; after that it pops up with the NetBIOS name, which you can choose on your own. The suggestion is always a part from the FQDN; in your case it uses "web3080".
2. Ok so when I rebooted the server and it rebooted as a DC I could no longer access the server by the old administrator password, as it was as so
Administrator
password1
I now had to change the password but not for WEB308; it now was WEB3080.
As said before, the name of the computer is not changed during promotion to a DC. I assume you mean the logon window with USERNAME, PASSWORD and the "LOGON TO" which now shows only "web3080", the NetBIOS name of the domain; this is NO longer the computer name as on a workgroup server. On a member server of a domain, for example, you have two options under "LOGON TO": the "NetBIOS name" of the domain and the "computername (this computer)".
What I am struggling with is there are so many names that I am unsure which is the DC and which is just the NetBIOS.
On a domain controller you have ONLY the NetBIOS name displayed, in your case "web3080". You can NOT log on locally, like on a member server. On a member machine, either server or client, you have "web3080" AND "computername (this computer)". With "web3080" you are able to log on to the domain with a domain user account, and with "computername (this computer)" you have to use a user account created on the local machine.
I kinda figured that out as I tried to access old shares that still had WEB308 as the label. But when prompted I had to use the new WEB3080 and the new password for access.
See above the description about domain logon and local logon.
Part two:
Now I have always been confused about what SHOULD you use as a DC FQDN? I looked in the DNS of the DC and now the full computer name is web308.web308.mydomainname.com
This is correct, your server name is still "web308" as before and is now working/providing/serving for the domain "web308.mydomain.com". The FQDN is now correctly "web308.web308.mydomainname.com".
The domain is specified as web308.mydomainname.com. So when joining the other servers and boxes, the name that I should enter is this one, correct?
If you join other machines to the domain, you can choose either the NetBIOS domain name "web3080" or, as you said, the FQDN; both should work.
Now that the AD DC was created successfully I wanted to test the "joining ability" with my XP Pro Laptop. I used the Network ID method on the My Computer Properties Computer Name tab.
Here is where I get lost.
Correct place for joining; here choose the CHANGE button and on the next window you have the option domain and workgroup. Choose
.
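The thread above keeps tripping over four different names (the computer's NetBIOS name WEB308, the domain's NetBIOS name WEB3080, the domain DNS name web308.mydomainname.com and the host FQDN web308.web308.mydomainname.com) and over which "Log on to" choices a DC offers compared with a member server. The following PowerShell script is an added example, not part of any post in the thread, that reports exactly those names and choices for the machine it runs on. It assumes only built-in cmdlets and the documented Win32_ComputerSystem and Win32_NTDomain classes; Get-LocalUser needs Windows PowerShell 5.1 or later. The mapping of DomainRole numbers to role names is the one Microsoft documents for Win32_ComputerSystem.

```powershell
# Added example (not from the newsgroup thread): show the computer name, host FQDN,
# domain DNS name, domain NetBIOS name, domain role and the "Log on to" choices the
# logon screen will offer on this machine. Assumes built-in cmdlets only.

function Get-LogonContext {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # DomainRole values as documented for Win32_ComputerSystem.
    $roleNames = @{
        0 = 'Standalone workstation'
        1 = 'Member workstation'
        2 = 'Standalone server'
        3 = 'Member server'
        4 = 'Backup domain controller'
        5 = 'Primary domain controller'
    }
    $isDc = [int]$cs.DomainRole -ge 4

    # Host FQDN = short host name + DNS domain it belongs to
    # (web308 + web308.mydomainname.com in the thread).
    $hostFqdn = if ($cs.PartOfDomain) { "$($cs.DNSHostName).$($cs.Domain)" } else { $cs.DNSHostName }

    # NetBIOS name of the domain (WEB3080 in the thread). For a domain logon
    # session USERDOMAIN already holds it; otherwise ask Win32_NTDomain.
    $domainNetBios = $null
    if ($cs.PartOfDomain) {
        if ($env:USERDOMAIN -and $env:USERDOMAIN -ne $env:COMPUTERNAME) {
            $domainNetBios = $env:USERDOMAIN
        } else {
            $nt = Get-CimInstance -ClassName Win32_NTDomain -ErrorAction SilentlyContinue |
                  Where-Object { $_.DomainControllerName } |
                  Select-Object -First 1
            if ($nt) { $domainNetBios = $nt.DomainName }
        }
    }

    # "Log on to" choices as described in the thread: a member machine offers the
    # domain and "<computer> (this computer)"; a DC offers only the domain because
    # promotion removes the local SAM accounts.
    $logonChoices = @()
    if ($cs.PartOfDomain -and $domainNetBios) { $logonChoices += $domainNetBios }
    if (-not $isDc) { $logonChoices += "$($cs.Name) (this computer)" }

    # Enabled local accounts that still exist on a member machine: these are the
    # accounts the thread recommends retiring in favour of domain accounts.
    $localAccounts = @()
    if (-not $isDc) {
        try {
            $localAccounts = @(Get-LocalUser | Where-Object { $_.Enabled } | Select-Object -ExpandProperty Name)
        } catch {
            $localAccounts = @('<Get-LocalUser unavailable on this host>')
        }
    }

    [pscustomobject]@{
        ComputerNetBiosName  = $cs.Name
        HostFqdn             = $hostFqdn
        DomainDnsName        = if ($cs.PartOfDomain) { $cs.Domain } else { $null }
        DomainNetBiosName    = $domainNetBios
        Role                 = $roleNames[[int]$cs.DomainRole]
        IsDomainController   = $isDc
        LogonChoices         = $logonChoices
        EnabledLocalAccounts = $localAccounts
    }
}

Get-LogonContext | Format-List
```

Run it once on the promoted server and once on a member server or workstation: on the DC the output lists a single logon choice (the domain NetBIOS name) and no local accounts, which is the point Meinolf makes about WEB308\administrator no longer existing; on a member machine the second choice and any leftover enabled local accounts show up, which is the inventory you want before moving everything to domain accounts.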