AD and DHCP

Mark N.

Okay, I have two parallel domains right now: one AD and one NT4. The NT4
domain has a DHCP server that is also my print server (and WINS). So
anyway, I tried moving that to the AD domain as a member server and my DHCP
service stopped. It says that it's unauthorized? I tried clicking the
"authorize" button and it told me "denied."

I've noticed that with my two domains and the trust between them I have
more trouble accessing member servers than DC servers. I also noticed that
since this server was my print server, I'm having problems seeing it from
the NT4 domain - the printers are still there and I can see them in AD
(though not in the way that I'd expect - I have to drill down to them rather
than seeing them in the directory). But from the NT4 domain, this server is
not available.

It's late and I'm tired and this is driving me nuts - hopefully I can fix
the DHCP and printing in the morning. The permissions are what's getting
me, I think. Why can I browse a DC from the NT4 domain, but when I hit a
member server, I have to log in (and rarely can)?

Oh, and my database server's another story altogether... For a later
post...

Cheers,
Mark
 
Ace Fekay [MVP]

In
Mark N. said:
Okay, I have two parallel domains right now: one AD and one NT4. The
NT4 domain has a DHCP server that is also my print server (and WINS).
So anyway, I tried moving that to the AD domain as a member server
and my DHCP service stopped. It says that it's unauthorized? I
tried clicking the "authorize" button and it told me "denied."

I've noticed that with my two domains and the trust between them
I have more trouble accessing member servers than DC servers. I also
noticed that since this server was my print server, I'm having
problems seeing it from the NT4 domain - the printers are still there
and I can see them in AD (though not in the way that I'd expect - I
have to drill down to them rather than seeing them in the directory).
But from the NT4 domain, this server is not available.

It's late and I'm tired and this is driving me nuts - hopefully I can
fix the DHCP and printing in the morning. The permissions are what's
getting me, I think. Why can I browse a DC from the NT4 domain, but
when I hit a member server, I have to log in (and rarely can)?

Oh, and my database server's another story altogether... For a later
post...

Cheers,
Mark

You need to be an Enterprise Admin to be able to authorize it.

As for AD, which OS? W2k or W2k3?

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Mark N.

You need to be an Enterprise Admin to be able to authorize it.
As for AD, which OS? W2k or W2k3?


Thanks - I added Domain Admins to the Enterprise Admin group and was able to
authorize DHCP - W2k3 running in 2000 native mode.

Thanks,
Mark
 
Cary Shultz [A.D. MVP]

Howdy, Mark!

I am not sure that I would have added the Domain Admins security group to be
a member of the Enterprise Admins security group. You often want the
membership of these two groups to be a bit different. The key word in that
sentence is *often*. The Enterprise Admins group is all powerful throughout
the forest. The Domain Admins group is all powerful in each particular
domain. You only want very knowledgeable people to be a member of the
Enterprise Admins group.

I might have added individual user account objects to that security group.
BTW - the Administrator account is, by default, a member of the Enterprise
Admins group. Were you not using this account or were you using an
'Administrative' account? I would make that account a member of the
Enterprise Admins group.

Granted, if you really know what you are doing you - as a Domain Admin - can
get around this. But that would create a situation where someone would have
to make a concerted effort to do this. You could also audit accounts to
have the 'paper trail'.

HTH,

Cary
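The approach Cary describes (one named account in Enterprise Admins instead of nesting Domain Admins, and a membership review afterwards), together with Ace's point that DHCP authorization needs Enterprise Admins, as an added example that is not from the thread. It assumes the ActiveDirectory and DhcpServer PowerShell modules (later tooling than the W2k3-era console discussed here); the account, server and IP values are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and DhcpServer
# modules are installed and the session may read AD and change group membership.
# All names and addresses below are placeholders.
Import-Module ActiveDirectory
Import-Module DhcpServer

$Root       = (Get-ADForest).RootDomain  # Enterprise Admins lives in the forest root
$EaGroup    = 'Enterprise Admins'
$AdminUser  = 'mark.admin'               # placeholder: one named admin account
$DhcpServer = 'printsrv.corp.example'    # placeholder: FQDN of the DHCP server
$DhcpIp     = '192.0.2.10'               # placeholder: its IP address

# 1. Review who holds forest-wide rights. A nested group (such as Domain Admins)
#    silently extends Enterprise Admins to every member of that group.
$direct = Get-ADGroupMember -Identity $EaGroup -Server $Root
foreach ($m in $direct) {
    if ($m.objectClass -eq 'group') {
        Write-Warning "Nested group in ${EaGroup}: $($m.SamAccountName) (all its members are effectively Enterprise Admins)"
    } else {
        Write-Output "Direct member: $($m.SamAccountName)"
    }
}
$effective = Get-ADGroupMember -Identity $EaGroup -Server $Root -Recursive
Write-Output ("Direct members: {0}; effective members via nesting: {1}" -f $direct.Count, $effective.Count)

# 2. Grant the single account membership instead of nesting Domain Admins.
#    The new membership shows up in that account's token at its next logon.
Add-ADGroupMember -Identity $EaGroup -Members $AdminUser -Server $Root

# 3. In a fresh logon of $AdminUser: authorize the DHCP server. The record is
#    written to the Configuration partition, which is why Enterprise Admins is
#    required, then confirm it is listed.
Add-DhcpServerInDC -DnsName $DhcpServer -IPAddress $DhcpIp
Get-DhcpServerInDC | Where-Object { $_.DnsName -eq $DhcpServer }

# 4. Undo the broad nesting if it was used as a shortcut, and drop the account
#    again once the one-off task is done, leaving Administrator as the member.
Remove-ADGroupMember -Identity $EaGroup -Members 'Domain Admins' -Server $Root -Confirm:$false
Remove-ADGroupMember -Identity $EaGroup -Members $AdminUser -Server $Root -Confirm:$false
```

Step 1 alone is worth running on a schedule: any group object reported as a direct member of Enterprise Admins is the situation Cary warns about.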
 
Mark N.

Howdy, Mark!
I am not sure that I would have added the Domain Admins security group to be
a member of the Enterprise Admins security group. You often want the
membership of these two groups to be a bit different. The key word in that
sentence is *often*. The Enterprise Admins group is all powerful throughout
the forest. The Domain Admins group is all powerful in each particular
domain. You only want very knowledgeable people to be a member of the
Enterprise Admins group.

I might have added individual user account objects to that security group.
BTW - the Administrator account is, by default, a member of the Enterprise
Admins group. Were you not using this account or were you using an
'Administrative' account? I would make that account a member of the
Enterprise Admins group.

Granted, if you really know what you are doing you - as a Domain Admin - can
get around this. But that would create a situation where someone would have
to make a concerted effort to do this. You could also audit accounts to
have the 'paper trail'.

HTH,

Cary


Hi Cary,

I'm in a unique/privileged position at my company - I'm the sole IT guy. I
don't have to worry about other admins messin' around in my network, so
keeping those groups segregated isn't so big a deal for me. Now if we ever
grow, I will have to revisit my security levels, but by then, I should have
a MUCH BETTER handle on all of this AD stuff :)
There is talk of acquiring other companies, but if that happens, I'll still
be in charge and can deal with the newly-acquired admins (sorry for them) as
I wish. For this reason in particular, I went with an empty root here. I
took in all of the advice I received and based on this, thought that there
are way too many unknowns in the near future. The empty root gives me a lot
of options and I'll never regret not doing that right from the start.
Besides, I have some time to work out the kinks and may as well enjoy it!!!
You may find me asking for advanced security advice sometime in the future
though ;-)

Thanks,
Mark
 
Cary Shultz [A.D. MVP]

Howdy Mark.

When you have them simply post your questions so that we can help.

Cary
 
Ace Fekay [MVP]

In
Mark N. said:
Thanks! This is a great newsgroup!

Mark

Everyone is here to help!
:)

--
Regards,
Ace
 