Remote Management across VLANs

Similar Messages

• Bonjour multicast across vlans?

  We have Linksys SRW2048s and i'm wondering if anyone here has any experience configuring the Multicast options to allow iTunes sharing across VLANs.
  Thanks,
  Joel

  You are asking the wrong question. Bonjour is how iTunes advertises it availability (daap.tcp) on the local LAN. However, even if you managed to see those advertisement on a remote LAN, iTunes also is programmed NOT to service any requests originating from outside of it local LAN (otherwise people could share their music across the Internet.) So, Bonjour advertisements is only half the story.
  If you really wanted to accomplish this you'd need to:
  1) have a proxy on the local LAN with iTunes to access the iTunes daap share.
  2) simulate the Bonjour advertisement on the remote LAN to point to that proxy.
  I made this work once with router port forwarding and a program called Rendezvous Proxy -- because my home network used to have the wireless on a separate VLAN for security. However, the hassle of separate segments with Bonjour, etc., eventually just led me to flatten out my network into a single broadcast domain.

• IPS Tech Tips: IPS Best Practices with Cisco Remote Management Services

  Hi Folks -
  Another IPS Tech Tip coming up and this time we will be hearing from some past and current Cisco Remote Services members on their best practice suggestions. As always these are about 30 minutes of content and then Q&A - a low cost high reward event.
  Hope to see you there.
  -Robert
  Cisco invites you to attend a 30-45 minute Web seminar on IPS Best   Practices delivered via WebEx. This event requires registration.
  Topic: Cisco IPS Tech Tips - IPS Best Practices with Cisco Remote Management   Services
  Host: Robert Albach
  Date and Time:
  Wednesday, October 10, 2012 10:00 am, Central Daylight Time (Chicago,   GMT-05:00)
  To register for the online event
  1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=203590900&t=a&EA=ralbach%40cisco.com&ET=28f4bc362d7a05aac60acf105143e2bb&ETR=fdb3148ab8c8762602ea8ded5f2e6300&RT=MiM3&p
  2. Click "Register".
  3. On the registration form, enter your information and then click   "Submit".
  Once the host approves your registration, you will receive a confirmation   email message with instructions on how to join the event.
  For assistance
  http://www.webex.com
  IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and   any documents and other materials exchanged or viewed during the session to   be recorded. By joining this session, you automatically consent to such   recordings. If you do not consent to the recording, discuss your concerns   with the meeting host prior to the start of the recording or do not join the   session. Please note that any such recordings may be subject to discovery in   the event of litigation. If you wish to be excluded from these invitations   then please let me know!

  Hi Marvin, thanks for the quick reply.
  It appears that we don't have Anyconnect Essentials.
  Licensed features for this platform:
  Maximum Physical Interfaces       : Unlimited      perpetual
  Maximum VLANs                     : 100            perpetual
  Inside Hosts                      : Unlimited      perpetual
  Failover                          : Active/Active  perpetual
  VPN-DES                           : Enabled        perpetual
  VPN-3DES-AES                      : Enabled        perpetual
  Security Contexts                 : 2              perpetual
  GTP/GPRS                          : Disabled       perpetual
  AnyConnect Premium Peers          : 2              perpetual
  AnyConnect Essentials             : Disabled       perpetual
  Other VPN Peers                   : 250            perpetual
  Total VPN Peers                   : 250            perpetual
  Shared License                    : Disabled       perpetual
  AnyConnect for Mobile             : Disabled       perpetual
  AnyConnect for Cisco VPN Phone    : Disabled       perpetual
  Advanced Endpoint Assessment      : Disabled       perpetual
  UC Phone Proxy Sessions           : 2              perpetual
  Total UC Proxy Sessions           : 2              perpetual
  Botnet Traffic Filter             : Disabled       perpetual
  Intercompany Media Engine         : Disabled       perpetual
  This platform has an ASA 5510 Security Plus license.
  So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

• How to remotely manage a Mac not on my network?

  I'd like to remotely manage a Mac over the Internet. Specifically my mother's iMac, so when she loses Dock icons or can't find her Address book or something I can fix it from my location in another state. Simple things, but trying to explain it over the phone is generally unsuccessful. We're both running Snow Leopard. I can set things up initially on her Mac in person, and then I need something that requires no effort on her end for this to work. Thanks.

  As Sijmons suggests, TeamViewer.com might be the easiest solution (and is frequently my suggestion).  This is a secure connection.
  Some alternatives.  You get 2 free AOL Instant Messenger (AIM) accounts.  Setup your iChat client with one AIM account, and then setup your Mom's iChat client with the other.  Then you can use iChat Screen Sharing, as long as your Mom is available to approve the Screen Sharing request.  As a bonus, you can text, audio, or video chat with your Mom over iChat.  An Audio chat while using Screen Sharing will allow you to talk her through things while you demonstrate or watch her and provide feedback and corrections.
  LogMeIn.com can be used free for personal use (secure connections used), but it does not provide file transfers (you could use something like Dropbox or insync (from Google) to do file transfers.
  You could setup a Hamachi VPN (virtual private network) between your Mom's and your Mac (Hamachi.com free for personal use).  Once you have Hamachi setup, you could then just use Mac OS X Screen Sharing.  This is a secure connection.
  A more complex approach is setting up your Mom's home router to port forward port 5900 (see portforward.com), then get a free dynamic DNS name from a service such as No-IP.com or DynDNS.org, and run a dynamic DNS updating client available from the service you get the dynamic DNS name from.  Now you can use Finder -> Go -> Connect to server... -> vnc://your.moms.dynamic.dns.name.  And if you also port forward port 548, you can do file sharing via afp://your.moms.dynamic.dns.name (down side is that this approach is not as secure, and it opens well known ports that might be attacked).
  And for the really hardcore, you can port forward port 22 (ssh) and then create secure ssh tunnels that you use for screen and file sharing across the Internet.

• ZCM 11.2 cannot remote control across WAN

  ZCM 11.2 appliance (sole Primary). There is a satellite located across the WAN at my other office. It is still at 10.3. Just completed upgrading from ZCM 10.3 appliance to 11.2 appliance. I can remote control any PC on my LAN. But if I attempt to remote a device across the WAN, I get an error: "Rights Authentication failed. The managed device was unable to contact the ZENworks server." I tried this too many times with my satellite and now it gives me this error: "The managed device is blocked from accepting Remote Management requests since the number of consecutive unsuccessful attempts exceeded the configured limit." The only cause I have seen listed for this is time not in sync. But I believe I have everything in sync. Any suggestions for how to fix this?
  Ken
  PS. nntp access to the forums appears to be down. I had to use the web interface to post this.

  On Tue, 01 May 2012 14:01:25 GMT, Shaun Pond
  <[email protected]> wrote:
  >KeN,
  >
  >d'oh! And yes, NNTP was down :0
  After posting via the web interface, I saw Kim's notice. :-)

• Back to My Mac / Remote Management / Screen Sharing

  I'm managing computers for my family spread across 3 states. I would love to get screen sharing working but it's just not happening. I've tried the steps in the following KB article and that's allowed me to access two mini servers (one 10.7 and one 10.6.8) at home. However, I can't access a MBP at home and I can't access my family's computers (via screen sharing) at all. Here's the KB article...
  http://support.apple.com/kb/HT3486
  Here's all I'm seeing (5 computers are "missing")
  I've tried NAT port forwarding (Airport Extreme/Time Capsule) for "Apple Remote Desktop" to the computers internal IPs on ports 5900 & 3283. I've tried it without. I've tried both "Screen Sharing" and "Remote Management" in preferences. I've made sure I have my own account with admin privledges on all machines etc. This is, of course, all peppered with the occasionaly outburst of foul language...
  What am I missing?

  Spoke with Apple who spoke with Apple and so on. Tech support for Apple Desktop Remote acknowledges (as best they could) that there is a bug/ problem. Yes, reverting to an older (3.5 - 3.4 ARDagent) solves the problem (short term ?). They captured my OS info and will get back to me in 3-5 days - how do you like them apples! So, revert to ARDagent 3.4 and you can remote connect - may try this later... will post if it works. Here's what's been posted on this: https://discussions.apple.com/thread/3192451?start=0&tstart=0

• Survey - How do you run Remote Manager?

  Greetings,
  We recently upgraded to Exchange 2010 and I'm running across the issue that many other people are.. what to do with Remote Manager. I'm just wondering how other people keep Remote Manager running? I know some people use Java Service Wrapper, but there seems to be a lot of discussion around how well that truly works. I'm just also wondering if there are a lot of companies that keep an account logged into your machine to keep Remote Manager running? Just looking for options on how to run this program without costing the company additional dollars.
  Thanks in advance,
  Ryan

  simple
  instead of making remote manager as an accouunt specific process..make it a system specific process.
  so when u log off it still be running.
  there are ways you can add it to services
  try this http://www.tacktech.com/display.cfm?ttid=197
  Edited by: A Dhiman on Sep 19, 2011 5:21 AM

• Remote Manage computers that are not on my LAN.

  Hi.
  i want to be able to remote manage laptops & desktops that are not on my LAN all running 10.6.4
  i want to be able to ARD and get logs and even changed settings in workgroup manager if i can.
  ideas?
  would wide afea bonjour achieve this for me? or is there better options ideas out there.
  just a note: i would still like to use apple remote desktop. not some web client like log me in.
  and also just a random question, if i have laptops that are bound to the directory but the users home folder is on the device. if they were to change there password on the LDAP / login, mail, CalDAV password. would that update the laptop not on our LAN. so the user has to login with there new password?
  you might be asking why: new start up company with a lot people spread across to countries. and i wont to enforce password has to change every 28 days for their login, mail, CalDAV, CardDAV etc.
  Message was edited by: -{ jonohayes }-

  i want to be able to remote manage laptops & desktops that are not on my LAN all running 10.6.4
  I'm not sure I understand the question. ARD isn't limited to machines on your LAN. You can manage any machine you have TCP/IP connectivity to - in other words, if you can ping the machine you can (probably) manage it via ARD.
  The only issue you may have is that the Bonjour auto-discovery mode won't necessarily find remote machines - you obviously don't want it scanning the entire internet for available machines, so you can either use the Scanner and define a range of IP addresses to check, or specify the remote machine's IP address directly.
  and also just a random question, if i have laptops that are bound to the directory but the users home folder is on the device. if they were to change there password on the LDAP / login, mail, CalDAV password. would that update the laptop not on our LAN. so the user has to login with there new password?
  Impossible to answer with the data provided.
  If the user's account is on the Open Directory server, then changing the password on the LDAP server will require them to login to their laptop with their new password.
  However, it's also entirely possible that the users have local accounts on their machines and just use Open Directory for server-side functions (mail, etc.). In this mode account 'joe' in Open Directory might not be the same account 'joe' on the Open Directory server. As such, changing the Open Directory server will require the user to use the new password for the server-side functions, even though they continue to log on to the laptop with their old account/password.
  Only by looking at the machine's configuration will you know which mode you in (or trying it and seeing what happens, I suppose )
  i wont to enforce password has to change every 28 days for their login, mail, CalDAV, CardDAV etc.
  Personally, I hate this approach. Forcing users to change passwords frequently results in users choosing weak passwords because they don't have time to learn the muscle memory that eases the typing of complex passwords. Moreover what you'll often find is that users choose the same password stub and just append a number on the end - kind of like 'password1' -> 'password2' -> 'password3', etc., which is barely useful.
  It's your company, though, and this is just my personal opinion. A better solution hinges on having an effective notification and account revocation process (i.e. if someone's account gets compromised it can be shut down quickly).

• NetInstall across vlans

  I've just migrated from 10.7 to 10.8 Server. While mosrt of the services are running well NetInstall is being a pain in the neck..
  In 10.7 the server had a static address assigned to the Ethernet pot and also had a VLAN with a static address. With this setup I was able to NetInstall any mac on that VLAN.
  I've done the same with 10.8 but I can't NetInstall any Macs that are on the VLAN. Also the NetInstall Service only lists Ethernet as the avalible interface.
  Has anyone managed to get NetInstall working across VLANs?
  Thanks

  We have this working just fine at my company. What we had to do was politely ask the Network Admins to add the IP of our server to the Helper Address list on the switches and routers. It only needs to be added to the first network device that is subneting the network that the client is on. (could be switch or router, most likely not a hub)
  The Helper Address list is used for various discovery protocols, DHCP being one of them.
  What this does is when the client is looking for the server, the switch/router takes that request and knows that at xxx.xxx.xxx.xxx (the server) there might be a device to help the client and passes that request on to the server on the other part of the network. So for every subnet of computers that needs access to the server you must add the IP of the server to the first device that divides that subnet.
  sidenote DO NOT add the IP of the server to the Helper list for the subnet it is actually on, only for subnets that the server is NOT ON. This one drove me crazy for diskless booting. The server ends up getting the request from the client twice. Network guy got overly excited when he was helping us.

• CISCO ASA config issue (Remote management ASDM/SSH/etc)

  I cant ping the device from 10.23.1.x either, I can ping it on 10.23.2.x though. 

  I have a couple ASA devices than I want to be able to manage across our network. I have two devices, Device A-10.23.1.10 the other is on 10.23.2.10, if I remote into a machine on the 10.23.2.x network I can connect through SSH and ASDM, but on the 10.23.1.x network I can not connect.. I have the ASDM configured to accept connection from both netowkrs. any idea why it does not work, the remote ASA is on the local/inside netwkr just on a diff subnet.
  This topic first appeared in the Spiceworks Community

• Guide to remote manage Hyper-V servers and VM's in workgroups or standalone

  This guide is based on the following 3 products:
  Windows server 2012 (core)
  Windows 8
  Hyper-V server v3 / Hyper-V server 2012
  The following guide will enable you to:
  1: remotely manage your Hyper-V Virtual Machines with Hyper-V manager
  2: remotely manage your Hyper-V servers' firewall with a MMC snap-in.
  3: remotely manage your Hyper-V server (2012) with server manager
  ! This should also work for Core installations of server 2012, but I haven't tried.
  This guide is purely focussed on servers in a WORKGROUP, or as a stand alone.
  I CAN NOT tell you what you need to do to get it working in a domain.
  * You can run these commands straight from the console (Physically at the machine) or through RDP.
  * You will need to be logged on as an administrator.
  * Commands are listed in somewhat random order; I do however advise to follow the steps as listed.
  * Commands with ? in front of them are only ment to be helpfull for troubleshooting,
  * and to identify settings and changes made.
  * Commands and instructions with ! in front of them are mandatory.
  - server: means the server core or hyper-v server (non gui)
  - client: means the machine you want to use for remote administration.
  - Some commands are spread over 2 lines; be sure to copy the full syntax.
  > To enable the Hyper-V manager to connect to your server, you need to perform the following 2 actions: (Assuming you have already installed the feature)
  1:
  ! Client: Locate the C:\Windows\System32\Drivers\etc\hosts file.
  ! right-click --> properties --> security
  ! click --> edit --> add --> YOURUSERNAME or Administrator --> OK
  ! then select this new user, and tick the "modify"-box under the "allow"-section.
  ! apply the change, and close.
  ! doubleclick the file, and open with notepad
  ! add the ip-address and name of your server (no // or other crap needed)
  ! Save the file
  # I recommend putting a shortcut to this file on the desktop.
  # If you change the ip-address of your server (e.g. move the server from staging to a live environment)
  # you might forget to do so in the hosts file.
  # Hyper-V manager, MMC, RSAT, and Server-manager all rely on the hosts-file to resolve the name.
  # some of these might connect to their respective service on an i.p.-level, but some don't.
  # This is the main reason you need to modify this file.
  ! USE AN ELEVATED CMD/POWERSHELL PROMPT TO CONTINUE !
  # the next config needs to be done on windows 8.
  # It seems that it's already preconfigured under server 2012
  2:
  ! Client: dcomcnfg
  ! open component services --> computers
  ! right-click -> my computer -> properties
  ! select "COM SECURITY" tab
  ! under "ACCESS PERMISSIONS" select "edit limits"
  ! select "ANONYMOUS LOGON", and tick "remote access" under ALLOW
  # Without this adjustment, you can't connect to your Hyper-V server
  # with the Hyper-V manager if you're not in a domain.
  > And if you haven't done so already... make sure you have enabled remote management number 4 on the Hyper-V server console.
  > Next, is to get the MMC firewall snap-in working.
     The reason for this, is to have a GUI available to configure it.
     If you're happy without it, you may skip this and use a shell instead to do so.
  ? server: netsh advfirewall show currentprofile
  # shows the current profile (public/domain/private) and its settings
  # depending on your needs, you should set the right profile to fit your needs.
  # You can easily do this when the MMC snap-in is done. (after you've followed these steps)
  ! server: netsh advfirewall set currentprofile settings remotemanagement enable
  # enables remote management of the firewall on an application level 
  # (In other words: allows the firewall to be remotely managed)
  ! server: netsh advfirewall firewall set rule group="Windows Firewall Remote Management" new enable=yes
  # allows remote management of the firewall, through the required firewall ports with TCP protocol.
  # 4 rules will be updated to allow access: public & Domain, dynamic and endpoint-mapper.
  # You can disable/add/change the rule from the MMC snap-in after finishing this guide.
  # e.g. set the firewall through the MMC-GUI to only allow specific ip-addresses etc.
  ? server: netsh advfirewall firewall show rule all
  # Shows a list of available rules, and their current state.
  # when run from cmd, the list exceeds the maximum length for review.
  # (from cmd,type:) start powershell, and run the command from there.
  ! Client: cmdkey /add:YOURSERVERNAME /user:USERNAMEONTHESERVER /pass:THEPASSWORDOFTHATUSER
  # I recommend you to use a username with enough privileges for management
  # All capital letters need to be replaced with your input
  # CMD answers "credential added successfully" when you're done
  ! Client: locate MMC, and run it as an admin.
  # In windows 8/2012, go to search and type MMC. Right-click the icon, 
  # and choose run as admin on the bar below.
  ! Client: application MMC: select "file" --> Add/remove snap-in 
  ! --> (left pane) scroll down to "windows firewall" --> select and click "add"
  ! select "another computer"
  ! type the name of the server you want to manage (NO workgroup/ or //, just same name as you typed for cmdkey)
  * Part 2 is done.
  # Have a look by doubleclicking the firewall icon in the left pane.
  # It looks and works the same as the GUI version that you are familiar with.
  ! Next is the Server Manager.
  # Follow the steps listed to get your server listed and manageable in the server manager.
  ! Client: Open the created Firewall snap-in for your server.
  ! Find the 3 "Remote Event Log Management" entries in the list of INBOUND rules, and enable them.
  ! Open powershell --> in cmd windows, type: start powershell
  ! run the following line in powershell
  ! Client: in C:\Windows\system32> set-item WSMAN:\localhost\client\trustedhosts -value YOURSERVERNAME -concatenate
  # WinRM Security Configuration.
  # This command modifies the TrustedHosts list for the WinRM client. The computers in the TrustedHosts list might not be
  # authenticated. The client might send credential information to these computers. Are you sure that you want to modify
  # this list?
  # [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
  # I recommend to choose yes; unless you like to pull some more hairs...
  ! server: winrm qc
  # WinRM service is already running on this machine.
  # WinRM is not set up to allow remote access to this machine for management.
  # The following changes must be made:
  # Configure LocalAccountTokenFilterPolicy to grant administrative rights remotely
  # to local users.
  # Make the changes? y / n
  !  select yes
  ! Client: open the server 2012 server manager
  ! click manage -> add server
  ! select the DNS tab, and type the name of your server
  Done.
  You can now manage your remote server through the familiar computer management GUI.
  ! Right-click your remote server, and select "Computer Management"
  A few side notes:
  ? The Performance tab seems to list the local machine's performance, in stead of the remote servers'
  ? If you want Windows server backup, you need to right-click the server in the server manager, and select "add roles and features.
  ? it will then become available under the "computer management" of the remote server.
  If you liked this guide you may thank my employer, Mr. Chris W.
  for giving me the time to work it all out.
  Cheers!

  As a little update to the post, I'd like to add that replication, clustering and migration will not work in workgroup environments. Unless someone can provide an additional guide for this, I'd recommend anyone to no even bother to try.
  To manage the standalone hyper-v server in a remote location over the internet, I would recommend the following:
  Install windows 8 pro (x86 uses less resources!) as a vm on the host, and assign 2 network connections to it.
  1 external (shared with host) (be sure you have a dedicated ip-address for it!)
  1 internal connection.
  What I did was this:
  As soon as you've installed the win8 guest, proceed with the guide as described.
  For the 1st step of the guide (hosts-file) use the ip-address you will later assign to the "internal" network switch of the host!
  In my example, I'm using 10.0.0.1 for the host, and 10.0.0.2 for the guest.
  To be clear: I first used the guide on a LAN-environment, and did all the steps from a "real" client to server on the LAN.
  Then, installed the win8 guest on the host using the "real" clients' hyper-v manager over the LAN.
  Next, assigned the 2 network connections to the VM, and configured them as follows:
  external - as you would to be able to make your guest reach the internet.
  internal - I used the following config:
  ip-address: 10.0.0.2
  subnet: 255.255.255.252
  gateway - blank
  dns - Blank
  Now, when you get to the console of the hyper-v server (host) or RDP to it, go to network settings.
  You'll see that the internal card has been added here as well.
  Configure it as follows:
  ip-address: static - 10.0.0.1
  subnet: 255.255.255.252
  gateway - blank
  dns - blank
  You should now be able to ping your guest (win8) on 10.0.0.2 if it's running.
  Don't forget to enable ping response (option 4 on the host) to test connectivity the other way around as well (guest to host)
  When you're done, you'll be able to RDP to the guest OS over the internet, and then connect to the host with server manager, hyper-v manager, and MMC.
  Don't forget to enable each module on the hosts' firewall to make the snap-ins work!
  Remote volume management requires your guest/client firewall INcoming ports to be enabled as well! not just the host.
  Either update the firewall rules from the MMC gui as described in the guide, or use the following commands on the
  hosts' powershell:
  Enable the firewall rules with the command Enable-NetFirewallRule -DisplayGroup "USE_THE_COMMANDS_BELOW" (include the " " in the command)
  Remote Service Management
  Remote Volume Management
  Remote Event Log Management
  Remote Scheduled Tasks Management
  Windows Firewall Remote Management
  Windows Remote Management
  You can get the list with Get-NetFirewallRule -DisplayName *management*
  You can get the list with Get-NetFirewallRule -DisplayName *remote*
  Commands provided with credits to F. verstegen
  Cheers,
  Michael.
  Sigh...

• How can i prevent users to delete remote management on their IPADs

  hello everyone
  i have Mac with OS X server i have created profile manager to manage the students I Pad's
  students keep deleting the profile remote management profile
  anyway to help me to manage their I PADS remotely 

  When configuring a profile in Profile Manager, if you edit the General entry you can set it to require a password before allowing a user to remove the profile. If you don't give users this password then they will not be able to remove it.

• Screen sharing and remote management no longer working after some uptime

  Server is withoiut monitor.
  Users need to login via screen sharing from time to time.
  "Enable screen sharing and remote management" is ticked in Server.app everything is working fine (for days, weeks).
  ARD reports "Screen Sharing Available", so remote management is not running how it should.
  Screen Sharing.app is "Connecting…" forever.
  Kickstarting ARD (http://support.apple.com/kb/HT2370) does not help.
  Restart fixes it.
  Is there a workaround (over ssh) or a fix?

  seduc wrote:
  Do you know if
  fdesetup authrestart
  works then too?
  Off-hand, no.   I don't.  See this posting, or as would be typical in any case, try it?

• Screen Sharing and Remote Management

  Is there a way in 10.6 to make both Screen Sharing and Remote Management run at the same time?
  In the past (10.5), you could convince Mac OS to run both Screen Sharing and Remote Management to run simultaneously. I say "convince" because you could not enable them both through System Preferences. You could turn one on, then use Terminal to enable the other. This worked great for me, because I needed remote management for the machines I managed, and the users need screen sharing to work from home.
  However, the work-around for 10.5 no longer seems to work for 10.6. Has any one gotten this to work yet for 10.6? Thanks!

  I figured this out. First enable Remote Management via System Preferences. Then create /private/etc/ScreenSharing.launchd with 'enabled' as it's contents.

• Mountain Lion Server: add network user to remote management

  Hi,
  So recently I have upgraded from Lion Server to ML Server. A little disappointing, but whatever, I've moved on and got everything almost back to where I had it with Lion.
  My last few issues I believe are related but can't quite figure it out. In Lion I have an admin profile and then a network user profile that I used on my MBP bound with AD. I'm at the stage where my nre network user can log in on the server machine but I can't log in as the network user via screen sharing. I can't add a network user to Remote Management, and with Remote Management enabled Screen Sharing is greyed out. I'd really like this to work.
  My second problem is that I can't bind my MBP to the server but even when bound the network user account can't log in.
  Any body have  any ideas?
  Thanks!

  I had this problem on a clean install.
  The solution was incredibly simple for me, but only  after I saw Ross.M's note about opening the Users & Groups settings panel (in the OS System Prefs, not in server) and rebinding to OD server under Login Options.
  That was not the solution for me, but under Login Options I discovered a previously unnoticed pref for "Allow network users to login at login window."  I had this option set (apparently by default) to "Only these network users:"  but with an empty list.  Adding my users to the list made it work perfectly.
  Talk about KISS