Re: Pathworks 6.0C Windows 2003k AD Domain, making it work.
chris.moler_at_gmail.com
Date: 01/24/05
Date: 24 Jan 2005 06:09:22 -0800
Mike, We actually had to modify the following keys in addition to those
you mentioned to get the trust to work properly. This came down to a
call to MS, so hopefully someone else can benefit from it.
NT trust 2003:

Regedit
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\lmcompatibilitylevel = 1
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\parameters\requirestrongkey = 0

Services
    NT LM Security Support Provider should be started and set to Automatic

GPOs
    Domain Controller Policies
        Domain member: Require strong (Windows 2000 or later) session key = Disabled
        Network access: Do not allow anonymous enumeration of SAM accounts = Disabled
        Network access: Do not allow anonymous enumeration of SAM accounts and shares = Disabled
    Default Domain Policies
        Domain member: Require strong (Windows 2000 or later) session key = Disabled
        Network access: Do not allow anonymous enumeration of SAM accounts = Disabled
        Network access: Do not allow anonymous enumeration of SAM accounts and shares = Disabled

*Note* we never were able to actually validate the trust in 2k3. But we
were able to browse both ways and add permissions across groups as
needed.
Michael Clark wrote:
> I asked a while back, months back, about getting Windows 2003 AD
> Server and Pathworks 6.0C to work together. The general response was
> that it would not work. Google did not have any information of anyone
> doing this before, so hopefully someone else will find this
> information useful. I had to make it work, this is a 24-7 operation
> and no downtime was allowed of OpenVMS, so after some creative
> thinking here is what happened:
>
> The old domain was at NT 4 domain, in which the OpenVMS 7.2-1 Machine
> was a backup domain controller emulating Windows 3.51 Domain services.
> I installed the new 2003 machine as an AD Server, on a new domain. I
> created a domain trust between the 2003 Domain and the NT 4.0 Windows
> domain controller. (Q325874)
>
> LMHOST had to be created(or WINS) on the Windows NT Domain Machine to
> see the Windows 2003 Domain
>
> 127.0.0.1 localhost
> 10.10.13.1 svhqdcinv721 #PRE #DOM:2k3Domain
>
> I used the LMHOST file on OpenVMS to declare the IP Address and domain
> of the 2003 Server.
> PWRK$LMROOT:[LANMAN] LMHOST.
>
> 10.10.13.1 svhqdcinv721 #PRE #DOM:2k3Domain
> 10.10.13.1 "2k3Domain \0x1b" #PRE
> 10.10.10.3 backupserver #PRE #DOM:NTDomain
>
> Pathworks was modified to work with LMHOST instead of WINS. For some
> reason it would not pick up the domain from the WINS entries I had
> created. On the Windows 2003 AD server I modified the Security
> Options in the "Default Domain Controller Security Settings" GPO.
> These are the same modifications that are required to make samba work
> with Windows 2003.
>
> Domain controller: LDAP server signing requirements = NONE
> Domain member: Digitally encrypt or sign secure channel data(always) = DISABLED
> Microsoft network server: Digitally sign communications(always) = DISABLED
> Microsoft network server: Digitally sign communications(if the client agrees) = DISABLED
> Network security: LAN Manager authentication level = Send LM & NTLM responses
>
> rebooted Windows 2003 AD server
>
> on OpenVMS:
>
> @sys$startup:pwrk$define_commands
> pwstop
> pwstart
>
> To test I went into admin mode
>
> NTDOMAIN\\ALPHA1> login
> Username: administrator
> Password:
> The server \\BACKUPSERVER successfully logged you on as Administrator.
> Your privilege level on domain NTDOMAIN is ADMIN.
> The last time you logged on was 12/06/04 03:15 PM
>
> NTDOMAIN\\ALPHA1> show trust
> Domains trusted by domain NTDOMAIN:
> 2k3DOMAIN
> Domains permitted to trust domain NTDOMAIN:
> 2k3DOMAIN
>
> NTDOMAIN\\ALPHA1> modify share miccla/perm=(2k3DOMAIN\miccla=full)
> %PWRK-S-SHAREMOD, share "MICCLA" modified on server "ALPHA1"
>
> At this point I was able to browse to the share from windows, while
> logged into the Windows 2003 Domain.
>
> ----------------------------------
> Hopefully I didn't leave anything out.
>
> Special thanks to the guys at OpenVMS Support for sticking it out on
> the phone with me even if you did tell me it wouldn't work =)
>
>
> Michael Clark
> Network Administrator
> Nemschoff Chairs Inc
> mclark at Nemschoff dot com
> CompTIA A+, Network+, Server+, MCP
>
>
>
>
> CONFIDENTIALITY NOTE: This electronic transmission, including all
> attachments, is directed in confidence solely to the person(s) to whom it is
> addressed, or an authorized recipient, and may not otherwise be distributed,
> copied or disclosed. The contents of the transmission may also be subject to
> intellectual property rights and all such rights are expressly claimed and
> are not waived. If you have received this transmission in error, please
> notify the sender immediately by return electronic transmission and then
> immediately delete this transmission, including all attachments, without
> copying, distributing or disclosing same.
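
An added example, not part of either post: a Python check that reads a `reg export` dump (already decoded to text) and reports which of the registry values behind the settings relaxed in this thread sit below a hardened minimum, so the exceptions made for the Pathworks trust can be tracked and reverted once the legacy system is retired. The value names are the standard registry backing for those policies; the minimum levels and the sample export are assumptions constructed for illustration.

```python
import re

# Registry values behind the policies relaxed in this thread; minimums are an assumed baseline.
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
BASELINE = {
    (LSA, "LmCompatibilityLevel"): 5,    # LAN Manager authentication level
    (LSA, "RestrictAnonymousSAM"): 1,    # no anonymous enumeration of SAM accounts
    (LSA, "RestrictAnonymous"): 1,       # ... of SAM accounts and shares
    (NETLOGON, "RequireStrongKey"): 1,   # require strong session key
    (NETLOGON, "RequireSignOrSeal"): 1,  # encrypt or sign secure channel data (always)
}

def parse_reg(text):
    """Return {(key, value name): int} for each dword in a .reg export, lowercased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and key:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return (value name, current, minimum) for each value below the baseline.

    Values absent from the export are skipped: the effective default depends on the OS.
    """
    found = parse_reg(text)
    findings = []
    for (key, name), minimum in BASELINE.items():
        current = found.get((key.lower(), name.lower()))
        if current is not None and current < minimum:
            findings.append((name, current, minimum))
    return findings

# Constructed sample export reflecting values of the kind discussed in the thread.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA]
"lmcompatibilitylevel"=dword:00000001
"restrictanonymoussam"=dword:00000000
"restrictanonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\parameters]
"requirestrongkey"=dword:00000000
"requiresignorseal"=dword:00000001
"""
if __name__ == "__main__":
    for name, current, minimum in audit(SAMPLE):
        print(f"{name}: {current} (baseline minimum {minimum})")
```
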