Interoperability: Server AD 2000/2003 Administration Tools
 

Windows 2000 Domain Controllers Require SP3 or Later When Using Windows Server 2003 Administration Tools

This article was previously published under Q325465
IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry

SUMMARY

By default, Active Directory administrative tools in the Windows Server 2003 family sign and encrypt all Lightweight Directory Access Protocol (LDAP) traffic. Signing and encrypting LDAP traffic guarantees that the packaged data comes from a known source and has not been tampered with, and that it does not hit the wire in clear text where network trace utilities like Network Monitor can view it. Active Directory administration tools may also negotiate by using the NTLM authentication protocol instead of LDAP signing. Two scenarios that cause NTLM authentication to be negotiated are:
  • The administration of Windows 2000 domain controllers that are located in an external forest that is connected by earlier-version trusts.
  • Focusing MMC snap-ins against a specific domain controller that is referenced by its IP address. For example, you click Start, click Run, and then type dsa.msc /server=x.x.x.x, where x.x.x.x is the IP address of the domain controller.
To use these Windows Server 2003 Active Directory administrative tools when NTLM authentication is negotiated with Microsoft Windows 2000-based domain controllers, administrators must take either of the following actions:
  • Install Windows 2000 Service Pack 3 (SP3) on Windows 2000-based domain controllers.

    -or-
  • Turn off LDAP signing and sealing in the registry of the client computer that is running the administrative tools, and then restart the tools on the client.
The Windows Server 2003 snap-ins and command-line tools that automatically secure LDAP traffic over the network include:
  • Active Directory Domains and Trusts
  • Active Directory Sites and Services
  • Active Directory Schema
  • Active Directory Users and Computers
  • ADSI Edit
  • Dsmove.exe
  • Dsrm.exe
  • Dsadd.exe
  • Dsget.exe
  • Dsmod.exe
  • Dsquery.exe
  • Group Policy Management Console
  • Object Picker
To maintain a secure network, Microsoft recommends that you sign and encrypt administrative LDAP traffic by deploying the Windows Server 2003 administrative tools exclusively on Microsoft Windows XP and Windows Server 2003 member computers and Windows Server 2003 and Windows 2000 Service Pack 4 (SP4) domain controllers.

With Windows 2000 Service Pack 2 and Earlier

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
To use the Windows Server 2003 Active Directory administrative tools to manage Windows 2000-based domain controllers with Windows 2000 Service Pack 2 (SP2) or earlier installed when NTLM authentication is negotiated, you can configure the administrative tools to communicate by using non-secured LDAP traffic. To turn off the signature and encryption of LDAP traffic for the Windows Server 2003 Active Directory tools, set the ADsOpenObjectFlags value to 0x03 in the following registry key on the client computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\AdminDebug\ADsOpenObjectFlags

Restart the administrative tools after you set the ADsOpenObjectFlags registry key. Administrators can also use Windows 2000 versions of the tools against Windows 2000-based domain controllers with SP2 or earlier on Windows 2000-based clients and servers. The client may not negotiate a connection with the earlier-version server if the client tries to authenticate by using NTLM. For example, this may occur in cross-forest trusts or when the client tries to connect to the server by means of an IP address.
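The registry override described above weakens every Windows Server 2003 administrative tool on the client, so it is worth auditing and removing once the Windows 2000 domain controllers are at SP3 or later. The following PowerShell script is an added example, not part of the KB article: it reports whether the ADsOpenObjectFlags override is present and, with the script's own -Restore switch, deletes it so the tools return to signed and encrypted LDAP. It assumes it runs locally with rights to read and write HKLM.

```powershell
# Added example (not from the KB article): audit a client for the
# ADsOpenObjectFlags override that turns off LDAP signing and sealing for the
# Windows Server 2003 Active Directory tools, and optionally restore the default.
# The -Restore switch and the function name are this example's own.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Restore
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\AdminDebug'
$ValueName = 'ADsOpenObjectFlags'
$Unsigned  = 0x03   # value the article uses to disable LDAP signing/sealing

function Get-AdsOpenObjectFlagsState {
    # Returns an object describing whether the override is present and whether
    # it carries the value that disables signing and sealing.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Present = $false; Value = $null; SigningDisabled = $false }
    }
    $value = [int]$item.$ValueName
    [pscustomobject]@{
        Present         = $true
        Value           = ('0x{0:X2}' -f $value)
        SigningDisabled = ($value -eq $Unsigned)
    }
}

$state = Get-AdsOpenObjectFlagsState
if (-not $state.Present) {
    Write-Output "$ValueName not set: the administrative tools sign and encrypt LDAP traffic (default)."
    return
}

Write-Output ("{0} = {1}; LDAP signing/sealing disabled: {2}" -f $ValueName, $state.Value, $state.SigningDisabled)

# Remove the override only when asked to; -WhatIf shows what would be removed.
if ($Restore -and $PSCmdlet.ShouldProcess("$KeyPath\$ValueName", 'Remove override and restore default LDAP signing and encryption')) {
    Remove-ItemProperty -Path $KeyPath -Name $ValueName
    Write-Output 'Override removed; restart the administrative tools for the change to take effect.'
}
```

Run it without switches to audit, or with -Restore (and -WhatIf first, if preferred) to clear the override once the domain controllers no longer need it.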

When the Windows Server 2003 snap-ins and command-line tools that automatically secure LDAP traffic over the network cannot negotiate a connection, possible error messages include:

  • Active Directory Domains and Trusts: The configuration information describing this enterprise is not available. The server is not operational, or the configuration information describing this enterprise is not available. The directory service is not available. Contact your system administrator to verify that your domain is properly configured and is currently online.
  • Active Directory Domains and Trusts: Windows cannot connect to the new forest because: The server is not operational.
  • Active Directory Sites and Services: Naming information cannot be located because: The directory service is not available. Contact your system administrator to verify that your domain is properly configured and is currently online.
  • Active Directory Schema: The Domain Controller could not be set. The directory service is unavailable.
  • Active Directory Users and Computers: Windows cannot connect to the new domain because: The server is not operational.
  • Active Directory Users and Computers: Naming information cannot be located because: The directory service is not available. Contact your system administrator to verify that your domain is properly configured and is currently online.
  • ADSI Edit, Dsmove.exe: dsmove failed: <dn of object>: The directory service is unavailable.
  • Dsrm.exe: dsrm failed: The directory service is unavailable.
  • Dsadd.exe: dsadd failed: <dn of object>: The directory service is unavailable.
  • Dsget.exe: dsget failed: The directory service is unavailable.
  • Dsmod.exe: dsmod failed: <dn of object>: The directory service is unavailable.
  • Dsquery.exe: dsquery failed: The directory service is unavailable.
  • Group Policy Management Console: The specified network resource or device is no longer available.
  • Object Picker: Object Not Found.

The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition

Article No. 77, 26.03.2004, by Alain Gremaud
URL of this article: http://winad.epfl.ch/?article=77

© 2017 VPSI - EXAPP - TC