Re: 2003 Server Client/Delegation and Data Issues



Hello Diane,

You are correct, for member servers use of 2003 no schema upgrade is needed, only for adding 2003 DCs. If you check the user account properties on the DC and they are shown correct and you connect from the 2003 AD UC to that DC, is there still a difference? Did you also use F5 to update the AD UC console on the 2003? Changes require a manual update.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Thanks Paul.

As an update to all, I have checked the replication between the 2 DCs
and all looks fine to my eye. No errors in the replication logs, both
have updated AD data, and the replication monitor reports they have
both received successful updates recently.

Since my last post, I also:

- Went through all the services on the Win2K3 server to look for an unstarted service that may be needed, but nothing jumped out.
- Checked the delegation permissions on the OU containing the admin group and its members. It showed the read/write property as not inherited, and applying to user objects.

In thinking further about this, how does a member server interact with
the DC to get/receive updates and present data in the admin console?
As I understand it, it is not part of the DC replication activity.

- Is there some service or other function I need to check that makes this happen?
- Also, does the group with delegation permissions need to be a local group on the server?
- What is the best way to check the delegation permissions at the user level?

One other thought I had was I have not extended the DC schema in any way for Win2K3; my understanding is that is not necessary unless we have Win2K3 DCs - correct?

The console itself appears to be working fine, meaning snap-ins can be
added, etc. Is it worth it to try to reinstall again - does that
"trigger" a data refresh? I did reinstall already and it did not
change the issue.

I am sorry for so many questions, and appreciate everyone's help and
guidance.

Diane

"Paul Bergson [MVP-DS]" wrote:

Different Jorge :-)

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Diane" <Diane@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8107B600-7927-42ED-A42D-4E44E33F0D42@xxxxxxxxxxxxxxxx

Thank you Paul. I will go through Jorge's blog plus the links he
sent. I agree with you re: the desktops. I tested the adminpak on
an xp pro/sp3 desktop and ran into MMC conflicts with sp3. I had to
remove it to enable mmc to work. I plan to try again, however,
these same folks also need the ability to unlock the backup
autoloader (when necessary) to change tapes which is on the same
server. For the time being, I thought I would centralize their
access.

Diane

"Paul Bergson [MVP-DS]" wrote:

Is there a reason you have them logging into a separate machine to manage these accounts? They should be able to be controlled from their own desktops.

I think Jorge's blog on this could help you out:
http://blogs.dirteam.com/blogs/jorge/archive/2006/01/05/369.aspx
--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Diane" <Diane@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C7AA9E84-47F7-4D15-B604-8EEF6962AA77@xxxxxxxxxxxxxxxx

Windows 2000 DC, Win2003/sp2 member server with Adminpak for Windows Server 2003 sp2

I have been going 2 steps back and 3 forward on this, but now I seem to be just going backwards. I have concluded that since I'm new to all this, I may be missing some basic understanding of how this is supposed to work.

I want to delegate the ability to unlock user accounts to 3 non-technical users in a firm. I have a global security group for the 3 users. On the OU that I want these folks to be able to manage, I have delegated permissions to the group (read/write lockout). I checked the security/advanced tab and they appear to be assigned correctly.

The issue is on the Win2003 server. The goal is for them to be able to log into the server with their own user accounts to access a very limited console. However, after installing the adminpak for Winserver 2003/sp2, just the admin tools, I noticed that in the administrator account the data in the console is not up to date. For example, it shows an account as locked out, when on the DC it is not (it had been at some point, but was unlocked). Also, when I log in as one of the delegates, the unlock is grayed out and also shows the same incorrect data as the admin account. I had this working for just one of the delegates - then they wanted to add more people. After I created the group and went to recreate my steps, nothing worked. I have run dsrevoke on the DC and permissions appeared correct to me. I have also installed and uninstalled the console, rebooted, etc. to no avail. I have no idea what to try next and would greatly appreciate guidance to get me going forward again.

Thank you,
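As an added example (not code from any poster in this thread), the following PowerShell checks the two things Diane is chasing: whether each DC actually agrees on the account's lockout state, since a management console binds to one DC over LDAP and is not itself part of replication, and what the delegated group is granted on the user object itself, which is where an OU entry that "applies to user objects" only becomes visible. It assumes the ActiveDirectory module (RSAT, later than the 2000/2003 era of the thread) and uses placeholder user and group names.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT); placeholder names below are assumptions, not values from the posts.
Import-Module ActiveDirectory

$User  = 'jdoe'            # account the console shows as "locked out"
$Group = 'AcctUnlockers'   # global group delegated read/write on lockoutTime

# 1. Stale console data: ADUC reads from one DC over LDAP and takes no part in
#    replication, so query every DC directly and compare what each reports.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $User -Server $dc -Properties lockoutTime, badPwdCount, LockedOut
    # lockoutTime of 0 (or absent) means this DC does not consider the account locked
    '{0,-30} lockoutTime={1} badPwdCount={2} LockedOut={3}' -f $dc, $u.lockoutTime, $u.badPwdCount, $u.LockedOut
}

# 2. Delegation at the user level: an inherit-only ACE on the OU shows up on the
#    user object, so read the ACL there. Map ObjectType GUIDs back to names via
#    the schema and Extended-Rights containers so the output reads "lockoutTime"
#    rather than a bare GUID.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

$userDN = (Get-ADUser -Identity $User).DistinguishedName
$acl    = Get-Acl -Path "AD:\$userDN"
$acl.Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    ForEach-Object {
        $target = if ($_.ObjectType -eq [guid]::Empty) { '(all properties)' }
                  elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                  else { $_.ObjectType }
        '{0} {1} on {2} (inherited={3})' -f $_.AccessControlType, $_.ActiveDirectoryRights, $target, $_.IsInherited
    }
```

If the group appears with WriteProperty on lockoutTime for the user but the unlock option is still greyed out in the console, the console is most likely bound to a DC whose copy of the user differs from the one shown in step 1.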





