Re: 2003 Domain Admins in NT4 Domain
- From: v-amanwa@xxxxxxxxxxxxxxxxxxxx (Amanda Wang [MSFT])
- Date: Fri, 17 Jun 2005 11:54:48 GMT
Hi Jimmy,

Thanks for your detailed response.

From your confirmation, it seems that you only added the 2003\Domain Admins
group to the NT4\Administrators group, and that logging onto a workstation in
the 2003 domain as a member of the 2003 Domain Admins group does not give
admin rights on a workstation in the NT4 domain.

Just as I explained in my first reply: simply adding the 2003\Domain Admins
group to the NT4\Administrators group does not give access to the workstations
in the NT4 domain because NT4\Domain Admins does not contain NT\Administrators.
Therefore, an account that is a member of 2003\Domain Admins
will not have full control of each workstation in NT.

I have performed the test and found that we also need to perform the
following things manually:

1. Add 2003\Domain Admins group to NT4's workstation\Administrators group
2. Add 2003\Administrators group to NT4's workstation\Administrators group

After adding these two groups into the NT4 workstation's local Administrators
group, we can administer it by using a 2003\Domain Admins account from a
workstation in the Win2k3 domain.

HTH! If anything is unclear, please feel free to let me know.
Thanks & Regards
Amanda Wang [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
====================================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================================
--------------------
>From: "Jimmy Chu" <reply@xxxxxxxxxxxxx>
>Subject: Re: 2003 Domain Admins in NT4 Domain
>Date: Thu, 16 Jun 2005 15:47:58 -0700
>
>Hi Amanda,
>
>Thanks for following up. Here are the answers to the questions:
>
>1. Yes. The 2003\Domain Admins group is added to the NT4\Administrators
>group. Logging onto a workstation in the 2003 domain as a member of the 2003
>Domain Admins group does not give admin rights on a workstation in the NT4
>domain.
>
>2. No. Even though our 2003 domain controller is running DNS, our NT4
>workstations are actually using a different DNS server. We have made sure
>that the 2 DNS servers have the right/same DNS records. Our workstations
>are not using DHCP.
>
>3. When I use Computer Management console to connect to an NT4 workstation, I
>get the access denied message when I try to access Device Manager, Disk
>Management, etc. When I use Server Manager (srvmgr) to connect to NT4
>workstations, I get an access denied message. When I use Registry Editor to
>connect to an NT4 workstation's registry, I can't expand the registry tree.
>
>I also checked the NT4 workstations' local Administrators group, the group
>does not show 2003\Domain Admins group as a member even though the
>2003\Domain Admins group is in the NT4's Administrators group.
>
>Amanda, I really appreciate your help, and hopefully we could figure out the
>problem.
>
>
>"Amanda Wang [MSFT]" <v-amanwa@xxxxxxxxxxxxxxxxxxxx> wrote in message
>news:zB3fRkmcFHA.3372@xxxxxxxxxxxxxxxxxxxxxxxx
>> Hello,
>>
>> Glad to hear from you.
>>
>> I understand the issue occurs after migration. Now you have some
>> workstations in the NT4 domain and some are migrated into the 2003 domain.
>> The problem is that even though we added Domain Admins group into other
>> domain's Administrators group, you can't administer NT4's workstations
>> from 2003's workstations as 2003's domain admin--it does not look like the
>> 2003\Domain Admins group is added into NT4's workstations' local
>> Administrators group like the NT4\Domain Admins group.
>>
>> For the current situation, this issue seems to be complex and the
>> troubleshooting steps may be time-consuming, so please be patient in
>> helping me isolate the issue and confirming the following things:
>>
>> 1. Do you mean you have added 2003\Domain Admins to NT4\administrators and
>> NT4's workstations' local Administrators group, used a Win2k3 Domain Admins
>> account to log on to a Win2k3 domain workstation, and then found it
>> doesn't have administrative rights on the NT4 workstation?
>>
>> 2. Have you tried to point the NT clients' DNS to win2k3 DNS server? Also
>> you can configure DHCP in NT BDC to assign the DNS settings. Does the
>> issue persist?
>>
>> 3. How do you administer the NT4 workstation by using 2003\Domain Admins
>> account from Win2k3 workstation? How do you know it cannot administer NT
>> workstation? Is there any error information while you perform
>> administration? If so, please send the detailed error information to me
>> or get a screen shot of the error and send to me at v-amanwa@xxxxxxxxxxxxx so
>> that I can perform further research on it.
>>
>> HTH! Thanks for your time!
>>
>> Thanks & Regards
>>
>> Amanda Wang [MSFT]
>>
>> Microsoft Online Partner Support
>>
>> Get Secure! - www.microsoft.com/security
>>
>> --------------------
>>>From: "Jimmy Chu" <reply@xxxxxxxxxxxxx>
>>>Subject: Re: 2003 Domain Admins in NT4 Domain
>>>Date: Wed, 15 Jun 2005 10:52:12 -0700
>>>
>>>Hi Amanda,
>>>
>>>Thanks for the reply.
>>>
>>>We actually have a problem after the migration, not during. Let me explain
>>>our situation a little more:
>>>We're doing the NT4-2003 migration in stages, and the ADMT was installed and
>>>functioning, and the 2-way trust seems to be working. So now we have some
>>>workstations in the NT4 domain and some are migrated into the 2003 domain.
>>>The problem is that even though we added Domain Admins group into other
>>>domain's Administrators group, we can't administer NT4's workstations from
>>>2003's workstations as 2003's domain admin--it does not look like the
>>>2003\Domain Admins group is added into NT4's workstations' local
>>>Administrators group like the NT4\Domain Admins group. Is there anything we
>>>missed here?
>>>
>>>
>>>"Amanda Wang [MSFT]" <v-amanwa@xxxxxxxxxxxxxxxxxxxx> wrote in message
>>>news:esZG4vWcFHA.3928@xxxxxxxxxxxxxxxxxxxxxxxx
>>>> Hello,
>>>>
>>>> Thanks for your post.
>>>>
>>>> I understand you have added 2k3 Domain Admins group into NT4's
>>>> Administrators group but 2k3 Domain Admins do not have administrative
>>>> rights on the workstations in the NT4 domain during migration.
>>>>
>>>> Yes. It's true. Simply adding win2k3\Domain Admins to
>>>> NT\Administrators does not give access to the workstations. (NT\Domain
>>>> Admins does not contain NT\Administrators). Therefore, the account you
>>>> now use, which is a member of win2k3dom\domain admins, will not have
>>>> full control of each workstation in NT. This is the reason you cannot
>>>> install the agent on the NT client to restart the machine and you will
>>>> encounter the "access denied" issue.
>>>>
>>>> When you migrate objects from the source to the destination domain, you
>>>> need to perform:
>>>>
>>>> On NT:
>>>> ===========
>>>> Add win2k3dom\domain admins to NT\administrators group
>>>>
>>>> By default, NT\domain admins group is a member of NT\administrators
>>>> group; NT\domain admins group is in the clients' built-in administrators
>>>> group. You'd better recheck it to avoid any mistake.
>>>>
>>>>
>>>> On win2k3 DC:
>>>> ================
>>>>
>>>> Add NT\domain admins to Win2k3dom\administrators
>>>>
>>>> By default, win2k3dom\domain admins is a member of
>>>> Win2k3dom\administrators; win2k3dom\domain admins group is in the
>>>> clients' built-in administrators group. You'd better recheck it.
>>>>
>>>> Now we need to perform two important steps as follows:
>>>>
>>>> 1. Make sure the NT clients' DNS points to the win2k3 DNS server;
>>>> otherwise, you will encounter the error "failed to change domain
>>>> affiliation" in the dispatch log. You can configure DHCP in NT to assign
>>>> the DNS settings.
>>>>
>>>> 2. Use NT\administrator to log on to the win2k3 DC and then perform the
>>>> ADMT migration.
>>>>
>>>> After the computer has been migrated to the win2k3 domain, the client will
>>>> receive a message to restart the computer within one minute. Therefore, it
>>>> will be better to perform the migration process during non-business
>>>> time to avoid any data loss.
>>>>
>>>> HTH!
>>>>
>>>> Thanks & Regards
>>>>
>>>> Amanda Wang [MSFT]
>>>>
>>>> Microsoft Online Partner Support
>>>>
>>>> Get Secure! - www.microsoft.com/security
>>>>
>>>> --------------------
>>>>>From: "Jimmy Chu" <reply@xxxxxxxxxxxxx>
>>>>>Subject: 2003 Domain Admins in NT4 Domain
>>>>>Date: Tue, 14 Jun 2005 17:18:39 -0700
>>>>>
>>>>>Hi All,
>>>>>
>>>>>We've added 2003 Domain Admins group into NT4's Administrators group as a
>>>>>part of the NT4 to 2003 migration, but 2003 domain admins do not have
>>>>>administrative rights on the workstations in the NT4 domain. Is there
>>>>>something else we need to do? Any suggestion is appreciated.
.
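
Added example, not part of the original thread: a PowerShell sketch that audits each workstation's local Administrators group for the cross-domain groups discussed above, and adds a missing one only when -Fix is given. The function names, the workstation names NT4WS01/NT4WS02 and the domain name DOM2003 are placeholders; it assumes the admin host can bind to the targets through the WinNT ADSI provider with an account that already has rights there, and that the local group is named Administrators.

```powershell
# Audit (and optionally repair) local Administrators membership on workstations.
# All computer, domain and function names here are hypothetical placeholders.
function Get-LocalAdminMember {
    param([string]$Computer)
    # WinNT ADSI provider: bind to the local Administrators group on $Computer.
    $group = [ADSI]"WinNT://$Computer/Administrators,group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        # ADsPath is WinNT://DOMAIN/Name for domain principals and
        # WinNT://DOMAIN/COMPUTER/Name for accounts local to the machine.
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        ($path -replace '^WinNT://', '') -replace '/', '\'
    }
}

function Test-LocalAdminMembership {
    param(
        [string[]]$Computer,
        [string[]]$Expected,   # groups in DOMAIN\Group form
        [switch]$Fix           # without -Fix the function only reports
    )
    foreach ($c in $Computer) {
        try {
            $current = @(Get-LocalAdminMember -Computer $c)
        } catch {
            # Unreachable host or access denied: report it and move on.
            [pscustomobject]@{ Computer = $c; Principal = $null
                               Status = "Error: $($_.Exception.Message)" }
            continue
        }
        foreach ($p in $Expected) {
            $status = if ($current -contains $p) { 'Present' } else { 'Missing' }
            if ($status -eq 'Missing' -and $Fix) {
                try {
                    $group = [ADSI]"WinNT://$c/Administrators,group"
                    $adsPath = 'WinNT://' + ($p -replace '\\', '/') + ',group'
                    $group.psbase.Invoke('Add', $adsPath)
                    $status = 'Added'
                } catch { $status = "AddFailed: $($_.Exception.Message)" }
            }
            [pscustomobject]@{ Computer = $c; Principal = $p; Status = $status }
        }
    }
}

# Constructed sample input: replace with real workstation and domain names.
Test-LocalAdminMembership -Computer 'NT4WS01', 'NT4WS02' -Expected 'DOM2003\Domain Admins'
```

Running it without -Fix first gives a per-workstation record of which machines already grant the other domain's group local admin rights, which is also the list to review once the migration is finished and the grant is no longer needed.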