Windows 2000 Domain

[nagetech]

Hello Everyone,

I have a spare PC with win2k server on it, and i want to learn how to setup a Win2k Domain on it.

@ school, they have 3 Windows NT servers, and everythign is setup on a Domain.... i want to do that with my home systems

if someone could help me out, I'll repay them by giving them FREE space on my t-1 server (yes, i setup a separate server just for web hosting, and its working great!)

PLEASE HELP OUT!!

thanks

[master7]

Does this site help any?

http://www.microsoft.com/windows2000/te ... efault.asp

[cyberskye]

Start by researching Active Directory. Otherwise you may not see the forest for the trees...

Sorry could resist

Seriously, though, understanding Active Directory is where you want to go. This is the new security/domain model in W2K. Once you get this, you will understand my very, very bad joke.

Skye

[Alby]

cmd prompt type dcpromo
the rest is easy name it and let it set up dns
'wood for the trees'

[BaLa]

Originally posted by Alby
cmd prompt type dcpromo
the rest is easy name it and let it set up dns
'wood for the trees'

does this only work on W2k Server I have W2k Pro and it did nothing..

[twwabw]

Originally posted by BaLa

does this only work on W2k Server I have W2k Pro and it did nothing..

Yes- Win2K server only. DCPROMO starts the process of creating a domain controller, which consists of starting the setup of active directory. No AD = no domain controller = no Active Directory. You don't need DNS to be set up on the DC itself, but it need to be up and running somewhere already on your network.

[nagetech]

Ok, I've had SOME success......

I got the computer to be a Domain Controller, and it has Active Directory working just fine on it, and i can get other computer to join the Domain.....

now heres my prob

With windows xp...when i boot up and get to the log on screen..i get that box that says "username, password, and log on too"

in the log on too box it says either Log on to this computer or to the domain, which in my case is Rhosting1

if it logs on locally to the computer, im fine..it does it fast..but i konw technically its not joining hte domain100%.......but if i ask it to log on too the Domain (using the username and password I've created on the server)..IT TAKES FOREVER TO LOG ON!

Itll get stuck on "Applying Computer/Personal Settings"

And when i say long..i mean long.......i got up..made a sandwich..came back...still @ it........

PLEASE SOMEONE TELL ME YOU KNOW WHY THIS IS HAPPENING!

all help is apprecaiteed....

By the way....the server is setup to have DHCP (it gives out ips)...theres NO DNS, WINS.................... did i maybe forget to add some protocol thats causing this? is ita secuitry policy i have to edit??

thanks again

[twwabw]

Is this XP Home? If so, it can't log onto a domain.

[twwabw]

How can you have Active Directory set up without setting up DNS ??? This is not possible. No DNS? No AD.

Did you set up any DHCP scope options? You have to set them up to tell logging clients where gateway, DNS, WINS (if hybrid is used) are all located.

[nagetech]

It's possbile..trust me...... is Wins a required protocol to install?

so DNS is required?.....would it speed up my slow logon Problem

[twwabw]

Originally posted by nagetech
It's possbile..trust me...... is Wins a required protocol to install?

so DNS is required?.....would it speed up my slow logon Problem

No, this is NOT possible, if you ran DCPROMO- you HAVE to have DNS installed to run Active Directory. No option. You need to have DNS installed either on the server you're setting up, or on another server in your network. It is just not possible any other way. Otherwise, you do NOT have active directory running yet.

Wins on the other hand, IS an optional component. Of little value, IMO.

What about scope options I asked about before? Did you set any?

[nagetech]

SUCCESS!!

Ok, about DNS..i didnt have that protocol installed @ all..and active directory was functioning...just really slow..... now i installed it..... and set up the scope to give out my server's IP address as the DNS server...and bingo!..all computer log on to the domain quick...no delay...this is great!!

Now im gonna see what else i can do with my newly founded Domain..... any ideas??

One last question....all the 2k and XP computers have the IP settings blocked out (you know ..when you go to properties..).... i know this is a restrciton from the server....but my question is...where do i go to disable this??

My first guess woudl be the Domain Security Policy.... any suggestions??

thanks for all ur help guys

[Alby]

yeah nagetech, heres an idea (wtf is wins or dns... w2k oops)
get your mum or sister and make a gpo so they cant see jack ****
btw why u running dhcp on such a small lan?

[nagetech]

i dunno what the hell the frist half of ur message is about....

but

for dhcp..i have 32 computers tototal now ...so dhcp is a definite must..i run my clomputers..the ones up stairs..and some clear cros this block...we have netowrk lines up in the poles...and they all hook up to swtiches i have upstairs.....

i just hope this aint illegal in anyway

[twwabw]

Originally posted by nagetech
SUCCESS!!

One last question....all the 2k and XP computers have the IP settings blocked out (you know ..when you go to properties..).... i know this is a restrciton from the server....but my question is...where do i go to disable this??

My first guess woudl be the Domain Security Policy.... any suggestions??

thanks for all ur help guys

If the users are not members of domain admins, or local machine admins, they cannot change network connection settings. Welcome to the world of Domain Admin power !!

Nobody changes anything unless you let 'em!

[nagetech]

so id have to set their account as domain admins so that htey may make changes to the pcs while logged into the network?

I noticed that once im logged in...i cant do much to change my system period. Device Manager for example wont let me do squat with my drivers....

THanks again guys...

ANy other suggestions as to what i can do to furter improve my network?

im always up for new stuff...hell i learn the best by tinkering...

you know the ironic part of all this? i was able to setup a NT Domain @ a shcool....cause to me it was simpler with NT..but2k kinda threw me off A LITTLE bit..but in the end..i figured everything out

[twwabw]

NO!!!! Do not maker users domain admins!! They can be LOCAL admins of their LOCAL PC's, but they should NOT be admins!!

I learned a great phrase a long time ago on how to deal with users, groups, and resources. Although 2K's security and group structure is slightly different than NT, the concept remains the same.

The phrase is UGLieR
USERS into Global groups;
GLOBAL groups into LOCAL groups;
LOCAL groups control the RESOURCE

In other words, making domain users members of Global groups, allows YOU the control of what they can do, and makes the administration of those resources, even on the local level, controllable globally.

Case in point: If you want users to be able to be local admins so they can install software etc. on their own pC's, then make the GLOBAL Domain users group members of the LOCAL pc's administrator's group. This administrative priviledge only allows LOCAL changes, and not Domain changes.

But even this may be too widespread, sonce everyone is a Domain User by default. So, you can create a new global group called let's say, "Approved Users". Now, select whatever domain users you want to belong to this Global group, and assign THIS global group LOCAL admin priviledges, instead of domain users. So now, unless you've been added to this global group (ie: a regular domain user.... your kids for instance) you will be unable to effect changes to the local PC.

Cool, huh?

[Alby]

thats what gpo is all about makin local group policies with custom settings, for example disabling startup memu items etc. its always best to make your own OUs, an groups within with your polices
i agree 32 comps then dchp is a must, just thought you wanted to experiment with w2k