Re: Assign Domain Security Policy/Manage remote computer

From: Martin (x@y.z)
Date: 03/29/03 

From: "Martin" <x@y.z>
Date: Sat, 29 Mar 2003 17:40:18 -0000

Hi Steve,

I've run netdiag and dcdiag on the domain controller (Active Directory
server), nothing fails a few netdiag tests are passed namely:
WINS service test (none configured)
Trust relationship (none configured).

All dcdiag tests pass.

The dc does refer to itself as it's DNS server.
My client is a Windows XP Pro box. I can't find any reference to netdiag
for this OS. Any ideas?

It was not configured to use the DC dns server, but now has that as it's
primary DNS server.

Not done anything more with the IPSec config yet, except it now specifies
specific IP addresses at both source and destination.

Thanks again
Martin

"Steven L Umbach" <sumbach@ameritech.net> wrote in message
news:FQjha.328$kd1.378217@newssrv26.news.prodigy.com...
> I would recommend running netdiag and dcdiag on your domain
controller
> to see if it is set up properly, especially with regards to dns zone
> creation and dns srv records. The dc needs to be pointing to itself, by
it's
> assinged ip address, as it's primary dns server. The clients need to point
> to the dc as their dns server. Run netdiag on the client computers to see
if
> they are correctly configured. As far as ipsec policy. I recommend that
you
> assignd the "request" (not require) policy to the domain controllers via
> domain controllers group/security policy if you need to include them. Then
> assign whatever you require to the rest of the domain computers - usually
> client (respond only) to workstations and request/require to servers based
> on their security needs. Computers of course will need to be in domain/OU
> where policy is implemented. Only W2K/XP computers can implement ipsec, so
> if you have any W9X or NT4.0 computers they will not be able to
communicate
> with any computers requiring ipsec. Use ipsecmon to monitor and
> troubleshoot ipsec security associations. If you do implement ipsec on the
> domain controllers you may want to create a policy exempting dns traffic
to
> keep network communications responsive. --- Steve
>
> "Martin" <x@y.z> wrote in message
> news:eHQYN4S9CHA.3412@TK2MSFTNGP11.phx.gbl...
> > Hi,
> >
> > I've just setup active direcotry, and added other computers to the new
> > domain - maintained backwards compatibility with domains, though I did
not
> > have a domain before.
> >
> > From my AD server, I can see the other computers and they can also see
> each
> > other.
> >
> > I have defined an ISPec policy that I want all computers in the domain
to
> > adopt. I defined it in the Domain Security Policy section on my AD
> server.
> > How do I apply it to the other computers in my domain? Simply doing
> assign
> > by the new policy doesn't seem to work - though there may be an error in
> my
> > policy settings.
> > Roughly the policy has IP filter source My Address, dest Any IP Address,
> All
> > protocols, and mirror. I had previously used a similar policy explictly
> > setup on two separate computers to secure traffic between the two. Now
I
> > want to have a policy that is administered from AD.
> >
> > I believe I don't need to define this policy anway else, but each
computer
> > in my domain needs to adopt it - how do I make that happen?
> >
> > I tried to do Computer Management on one of the domain members, from my
AD
> > server, but although I can browse to it, and the shares fine, I can't do
> > Computer Management of it from my AD server. I can see the name when
I'm
> > asked what computer to manage, but it then says "Computer
\\mc1.domain.com
> > cannot be managed. The network path was not found."
> >
> > Help!
> >
> > Thanks
> > Martin
> >
> >
>
>

Relevant Pages

  • Re: GPO causing client security logs to fill?
    ... What bothers me is that if this policy, ... into from other computers. ... When I view the event logs through server management the ... All event logs should be set to a decent size (about 20MB at ...
    (microsoft.public.windows.server.sbs)
  • Re: group policys
    ... are you wanting the workstations to lock the session if the user walks away? ... I created my own policy. ... > this.(Microsoft Network Server: Amount of idle time before suspend ... >> then My Business and then Computers and then SBS Computers and in here ...
    (microsoft.public.windows.server.sbs)
  • Re: Assign Domain Security Policy/Manage remote computer
    ... creation and dns srv records. ... as it's primary dns server. ... As far as ipsec policy. ... assign whatever you require to the rest of the domain computers - usually ...
    (microsoft.public.win2000.security)
  • Re: Require connecting systems to be a Domain Computers
    ... something in which I include the group Domain Computers. ... >kerberos computer authentication for the ipsec SA then the computer must be ... In such case the server must not be a domain controller, ... >ipsec require policy will need to exempt all domain controllers with a rule ...
    (microsoft.public.security)
  • Re: GPOs not being applied
    ... After several tests using netdiag, ... The obvious solution was to remove the server ... I am still wondering what caused the trust relationship to ... >> computer Group Policy processing... ...
    (microsoft.public.win2000.group_policy)