JSI Tip 6755. Windows 2000 domain controllers require SP3 or later when using Windows Server 2003 administration tools?
May 25, 2003
Microsoft Knowledge Base Article 325465 contains the following summary:
By default, Active Directory administrative tools in the Windows Server 2003 family sign and encrypt all Lightweight Directory Access Protocol (LDAP) traffic. Signing LDAP traffic guarantees that the packaged data comes from a known source and has not been tampered with, and encrypting it keeps it from hitting the wire in clear text where network trace utilities like Network Monitor can view it. Active Directory administration tools may also negotiate by using the NTLM authentication protocol instead of LDAP signing. Two scenarios that invoke NTLM authentication are the following:
• The administration of Windows 2000 domain controllers that are located in an external forest that is connected by earlier-version trusts.
• Focusing MMC snap-ins against a specific domain controller that is referenced by its IP address. For example, you click Start, click Run, and then type dsa.msc /server=x.x.x.x, where x.x.x.x is the IP address of the domain controller.
To use these Windows Server 2003 Active Directory administrative tools when NTLM authentication is negotiated with Microsoft Windows 2000-based domain controllers, administrators must take either of the following actions:
• Install Windows 2000 Service Pack 3 (SP3) on Windows 2000-based domain controllers.
-or-
• Turn off LDAP signing and sealing in the registry of the client computer that is running the administrative tools, and then restart the tools on the client.
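The two actions above are a choice between fixing the domain controllers and weakening the client. An administrator who has to decide wants to know which Windows 2000 domain controllers are still below SP3, and whether any admin workstation already carries the client-side override. The following PowerShell script is an added example, not part of the JSI tip or of KB 325465; it reads each domain controller's service pack level through WMI (Win32_OperatingSystem, which Windows 2000 exposes) and then looks for the client override. The registry path and value name used for the override, and the domain controller names, are placeholders and constructed sample values: the tip does not state the actual key, so substitute the one documented in KB 325465 before use.

```powershell
# Added example (not from the JSI tip or KB 325465).
# Audits the two conditions the article describes:
#   1. Windows 2000 domain controllers below SP3, against which the Windows
#      Server 2003 admin tools fall back to NTLM and fail unless the client
#      has LDAP signing/sealing turned off.
#   2. Whether this client has such an override set at all.
# $OverrideKey and $OverrideValue are PLACEHOLDERS; the real path/value name
# is the one documented in KB 325465.
param(
    # Constructed sample names; replace with your domain controllers.
    [string[]]$DomainControllers = @('dc1.example.local', 'dc2.example.local'),
    [string]$OverrideKey   = 'HKCU:\SOFTWARE\PLACEHOLDER\LdapSigningOverride',  # placeholder
    [string]$OverrideValue = 'PLACEHOLDER_VALUE_NAME'                             # placeholder
)

function Get-DcServicePackStatus {
    param([string]$Name)
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Name -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            DC = $Name; Caption = $null; ServicePack = $null; NeedsSp3 = $null
            Error = $_.Exception.Message
        }
    }
    # Windows 2000 reports kernel version 5.0.x; SP level comes from the same class.
    $isWin2000 = $os.Version -like '5.0.*'
    $needsSp3  = $isWin2000 -and ([int]$os.ServicePackMajorVersion -lt 3)
    [pscustomobject]@{
        DC          = $Name
        Caption     = $os.Caption
        ServicePack = $os.ServicePackMajorVersion
        NeedsSp3    = $needsSp3
        Error       = $null
    }
}

function Test-ClientLdapSigningOverride {
    param([string]$Key, [string]$ValueName)
    # Absent key or value means the tools keep their default: sign and seal.
    $item = Get-ItemProperty -Path $Key -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -ne 0)
}

$report = $DomainControllers | ForEach-Object { Get-DcServicePackStatus -Name $_ }
$report | Format-Table -AutoSize

$belowSp3 = @($report | Where-Object { $_.NeedsSp3 -eq $true })
if ($belowSp3.Count -gt 0) {
    $names = ($belowSp3 | ForEach-Object { $_.DC }) -join ', '
    Write-Warning "Windows 2000 DCs below SP3 (install SP3 rather than weakening the client): $names"
}

if (Test-ClientLdapSigningOverride -Key $OverrideKey -ValueName $OverrideValue) {
    Write-Warning 'LDAP signing/sealing override is set on this client; administrative LDAP traffic may cross the wire unsigned. Remove it once every DC runs SP3 or later.'
} else {
    Write-Host 'No LDAP signing/sealing override found on this client.'
}
```

The script only reads; it does not set the override, because the article's preferred remedy is SP3 on the domain controllers. Run it from the workstation that hosts the administrative tools, since the override is a per-client setting.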
The Windows Server 2003 snap-ins and command-line tools that automatically secure LDAP traffic over the network include:
• Active Directory Domains and Trusts
• Active Directory Sites and Services
• Active Directory Schema
• Active Directory Users and Computers
• ADSI Edit
• Dsmove.exe
• Dsrm.exe
• Dsadd.exe
• Dsget.exe
• Dsmod.exe
• Dsquery.exe
• Group Policy Management Console
• Object Picker
To maintain a secure network, Microsoft recommends that you sign and encrypt administrative LDAP traffic by deploying the Windows Server 2003 administrative tools exclusively on Microsoft Windows XP and Windows Server 2003 member computers and Windows Server 2003 and Windows 2000 Service Pack 4 (SP4) domain controllers.