Standalone versus Domain Member

We set up one of our clients back in February with a new G5 XServe running OSX Server 10.4. It functions as an Open Directory Master and a Windows PDC. It also hosts Roaming Profiles for around 15 Win XP Users. Connected to that server is another Xserve, set up as a Domain Member, which hosts around 5 sharepoints that live on an XServe RAID.
All was OK with this setup until last weekend, when the customer experienced a power cut. After rebooting, the users were able to log onto their roaming profiles, but could not connect to the SharePoints. The server shows up in 'My Computer' but when double clicking, it eventually comes back with a message saying that the server could not be found.
I have temporarily solved the problem by setting the second server to be a Standalone Server, and the users can now authenticate and connect to both their Profiles and Share Points.
My question is twofold:-
1. Why did this happen in the first place, and how can I fix it and ...
2. There doesn't seem to be any 'downside' as far as I can see to running the second server as a Standalone server as opposed to a Domain Member. The users can still authenticate, and connect to the sharepoints and profiles. In case it had somehow cached the users on the second server, I created a new user on the PDC machine and then logged in as that user on a Win XP PC and it immediately logged in and created the Roaming Profile as normal and allowed me to connect to Share Points on the second server. So what benefit is there in a Domain Member over a Standalone server? At this point, I can't see any.
I could understand if having set it to a Standalone, I had to set up Users and Groups on this server to allow use of the SharePoints, or if I couldn't authenticate or pick up the Roaming Profiles, but all this seems to work OK even though it is standalone.
Perhaps someone could shed some light on this for me?
Thanks
PowerBook G4 17"   Mac OS X (10.4.3)  

Similar Messages

  • Error while trying to change Standalone to Domain Member

    Error while writing settings. (Cannot make the server a domain member)
    What setting have I got wrong?

    Could you by chance post what setting was causing the issue? I am also encountering it and I'm not exactly sure where the error is coming from.

  • Difference between Domain member and standalone server with AD binding

    Hi all,
    Can anyone explain the difference between:
    A) Setting up a MacOSX server as Windows domain member server using Server Manager;
    B) Setting up a MacOSX server as Windows standalone server and joining the Active Directory using Directory Access;
    My setup:
    ====================
    We have a Windows 2003 A.D. running, all users are set up in the A.D.
    Also we have two MacOSX servers, which provide file services (both AFP and SMB/CIFS) for Mac and Windows clients, while using the A.D. for user authentication.
    One of the MacOSX servers is configured as a domain member server, the other is configured as Windows standalone server. The latter is bound to the A.D. using Directory Access.
    Following the Apple manuals one should think that the first setup (domain member) is the best.
    As for Open Directory: both servers are running as Standalone.
    How my setup behaves
    ====================
    Official Apple guidelines are to set up the Mac server as domain member. Reality is another thing though.
    For AFP both servers perform equally: users are authenticated against the A.D. and get access to their shares. File/Folder permissions are as expected.
    For Windows clients things aren't the same.
    The server setup as Windows Domain member acts strange. Windows clients don't have single signon experience.
    Every file/folder's owner shared on this server is <<unknown>> to the client. Also, when a Windows user creates a file/folder the owner is <<unknown>>.
    Sometimes the Samba server just stops authentication. A relaunch of the Samba service fixes this.
    The server setup as a standalone server performs as expected. Windows clients have single signon experience, there are no issues with file/folder owner. Also authentication never stops.
    Several kinds of Mac   Mac OS X (10.4.9)  

  • Standalone windows services as opposed to Domain Member

    Hi
    I know very little about windows networking, and have a basic question.
    I have a school network with mostly macs, and a 10.4 server. There is also a windows server on the network that someone else comes in to maintain that supplies all the windows needs, but they know very little about macs.
    All I want to do is allow access to a shared folder between teachers and students on the mac server to the teachers that use windows machines.
    I am wondering if I should use the Standalone Windows server option or the Domain member role in the windows server section of Server Admin?
    I have briefly tried the standalone option, and it works fine, but am not sure if it will cause disruption to the windows machines and I should use the Domain Member role.
    Apple's OSX server guide only mentions how to set things up in relation to other Mac servers, not windows servers on the same network.
    Any help would be appreciated.
    thanks
    G5 2.3G   Mac OS X (10.4)  

    > I wondered if I used the Standalone server option whether it may cause any chaos in the windows camp.
    Well, in my experience, there's always some chaos in the Windows camp, but that's not the point here.
    If you're assigning users the same username and password on both the Windows and Mac directories then you shouldn't have much of a problem. Of course, this means that you need to add accounts in both places, delete accounts in both places and when you change passwords, change them in both places. If you're happy to deal with that then there's no problem in keeping the Mac as standalone.
    On the other hand you could join the Mac to the Windows directory and then the Mac would automatically use the user credentials defined on the Windows server. You'd only need to add users in one place, change passwords in one place, etc., etc.
    Whichever way you're happy with is fine.

  • File sharing to Windows with XServe as Domain Member

    I have an XServe (10.4.3 server) that I am attempting to use as a new fileserver on an established Windows network (with SBS2000 on the old Windows server).
    I had the XServe as a standalone server, and set up some folders to share, and used WGM to share them. This worked, but of course windows users accessed as guests, as they weren't identified properly.
    I changed the XServe to be a domain member, and after a little hassle got this working, but now "Sharing" in WGM is greyed out, so I cannot mess with the shares (i.e. I cannot add or remove shares, or change the attributes of those folders that I have already shared).
    How do I manipulate shares on a server which is a domain member?

    Wow - 3 posts in my own thread - it just shows how much of a nuisance beginners can be. Sorry.
    My issue, it turns out, was between the chair and the keyboard. I was connecting to the server using its Rendezvous name, not its domain name. (an easy mistake to make, in my case, as both start with the server name, and both end in local).
    When WGM is connected to the Rendezvous name, the sharing tab is greyed out; when connected via the domain name, it works splendidly.
    Sorry to bother you all, and I leave this here just in case others are as stupid as me, and therefore my solution may help them.

  • ADCS - ROOT CA domain member ?

    Hello,
    I have installed a RootCA(Standalone) and SubCA(Enterprise) in my company and all is working well.
    But, I just saw that it is not recommended to have the ROOTCA as a domain member. What can I do to fix that?
    (Is it a real problem ?)
    Thank you,

    On Wed, 5 Feb 2014 09:18:09 +0000, stickman93400 wrote:
    > I finally decommissioned my ADCS servers by following this walk through :
    > http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx
    First of all, it is kind of unfortunate that you went through this exercise
    as it really wasn't necessary. Given the fact that you'd initially
    installed your root as a Standalone root, you could have simply followed
    one of the migration guides whereby you simply back up all of the AD CS
    related stuff (database, logs, private key, registry templates published at
    the CA), remove the AD CS role, remove the computer from the domain,
    reinstall and configure the role using the same certificate and private,
    restore the database and everything else.
    > But I was unable to do step 5 : part 3 and 4 and the command line ldifde -r "cn=CACommonName" (of course I put my CACommonName and my AD configuration).
    We can't help you with this unless you're more specific. What was the exact
    command line you used? What error or errors were reported when you ran the
    commands?
    > And I have not done step 9, I was scared. Can "certutil -dcinfo deleteBad" cause trouble ? Do I need to do it on all my DC ?
    No, it won't cause trouble and needs to be done. If you don't do this you
    will have trouble as your DCs won't get certificates from your new PKI as
    long as their existing certificates are still time valid. You do not need
    to run it on all your DCs, in fact, it doesn't need to be run on a DC at
    all, it just needs to be run on a domain joined computer.
    Paul Adare - FIM CM MVP
    "High fat emulsified offal tube", thank y'very much. -- Lionel about
    sausage

  • SMB - Domain Member when already an OD member?

    I have a file server connected to an OD Master. The file server itself is not a replica or anything fancy.
    I also have the server host files through SMB, and would like the file server to also be part of the OD's SMB Windows Primary Domain as a member, so it shows up in the domain's list of computers on Windows machines when looking through the network list. At best right now, it's just in the default Workgroup.
    Every time I try to add it as a domain member, it says it can't. I assume because it's already an OD member. Is there any way around this other than to make it a replica and backup domain member?
    I didn't make it a replica because when setting it up, the manual said to try to specialize servers to specific tasks, so this one's specific task is file serving, and the Open Directory stuff is done on another box.

    After updating to 10.5.7 on all four servers there seems to be no difference with respect to my problem. I am still unable to change the SMB role to a Domain Member. However I am able to host smb shares and windows user profiles with no problems (yet). I wonder if it is even necessary to configure samba as a domain member after OD has been configured as being connected to a ODM.

  • Installing Ciscoworks LMS 4.0 on Windows domain member server.

    Hello.
    I'm looking for some suggestions about installing CiscoWorks LMS 4.0, and upgrade, on a domain member server running Windows 2008 R2 SE 64 bit.
    Thanks.
    Andrea

    Here are the basic install best practices:
    1) Install as a local administrator (this means create a local account and add it
    to the "Administrators" group).
    2) My Computer -> Properties -> Advanced -> Environment Variables
    Set the USER TMP and TEMP to a shortened path like
    C:\Windows\temp
    3) Make sure you have FIXED pagefile size like 8182
    My Computer -> Properties -> Advanced -> Performance Options -> Advanced
    4) May need to reboot, certainly log out and back in to make sure step 2 applies.
    5) Stop all anti-virus and firewall during the installation.  Disable them in services and reboot if necessary.
    *  NOTES: Anti-virus can be re-enabled after installation, but you should  EXCLUDE
    the NMSROOT directory as long as LMS is installed on the  server. DEP should
    remain off (that is, set to only protect critical  Windows system files) as long as LMS
    is installed on the server.
    *  If Internet Information Services (IIS) is detected on your system and  if you have
    continued the installation with IIS services, you cannot use  the port number 443 for
    HTTPS. Instead, you must use the port numbers  ranging from 1026 to 65535 for
    HTTPS to avoid this conflict.
    When performing the installation, make sure these two steps are followed:
    *  Install from original, locally attached media
    *  NEVER abort the installation after the installer says not to
    It may not always be possible to install from original, locally attached  media
    (especially on VMs). But you should avoid from installing over  the network as hiccups
    can cause bad installations. If you are  installing on a virtual machine, convert the DVD
    to an ISO image, then  mount that within the VM.
    Here is the document detailing all ports needed to be allowed (excluded from policy)
    for LMS 4.0
    LMS 4.0 Port Usage
    General Notes:
    If you want to upgrade the operating system from Windows 2003 or Windows
    2008 to Windows 2008 R2, you must first complete upgrading the operating
    system, and then install the LMS 4.0.x Windows 2008 R2 patch.
    *  You can install the LMS 4.0.x Windows 2008 R2 patch only on LMS 4.0.x
    and not on the lower version of LMS.
    *  You cannot install Integration Utility and HP Open View 7.x or 8.x on
    Windows 2008 or Windows 2008 R2 servers.
    Check out:
    System and Browser Requirements for Server and Client
    LMS Patches-Windows

  • Windows CAL server 2003 and Domain Server with a 2008 server as domain member

    We have a Windows Server 2003 as domain controller with 70 user CALs, and we have added a Windows 2008 R2 OEM with 5 users licences.
    I have no plans to migrate my domain controller 2003 to 2008 but the 2008 is a member of the domain and I need to know if we are fine with the licences.
    Thanks for your help,
    Alejandro Sueldo

    Hi
    You need a CAL for anything that would access the 2008. If it is a server that is accessed by only 5 users you are OK, but if it is like an Exchange for your 70 users, then you have to buy more CALs. (This link explains it well:
    http://blogs.msdn.com/b/mssmallbiz/archive/2007/11/06/5942350.aspx)
    Contact the VLSC to be sure at 100% before buying; (866) 230-0560
    Regards, Philippe

  • Is it better to use router port versus vlan member port?

    Hi CSC,
    This is more of a philosophical or "best practices" question.
    I have a Cisco 3550 at the home office. Connected to the 3550 is a number of branch offices by way of T1 circuits or VDSL modems. They all come to the home office, where we have a central internet connection and server farm for our entire organization.
    Except for one special case branch office, we don't foresee the need for appearances of the home office vlan at the branch office sites. In that case, we bring it into a trunk port at the home office, and at the special case branch office we have a dell 3024 switch and tag some ports as vlan 18 (the home office) or vlan 27 (the special case branch office).
    We also do not foresee a need for the vlan from one branch office to appear at another branch office.
    They are all (except for the special case mentioned above) currently configured something like this:
    interface FastEthernet0/1
    description home office
    switchport access vlan 18
    switchport mode access
    interface FastEthernet0/2
    description t1 to branch office 1
    switchport access vlan 19
    switchport mode access
    interface Vlan18
    description subnet for home office
    ip address 192.168.18.1 255.255.255.0
    interface Vlan19
    description subnet for branch office 1
    ip address 192.168.19.1 255.255.255.0
    Is it better, in terms of reduced network complexity or performance on my 3550, to do something like this instead?
    That is, to make the interfaces router ports as opposed to vlan member ports?
    Of course, if we ever DID need to have appearances of the home office vlan at branch office sites, or appearances of one branch office's vlan at another branch office, we would lose that flexibility.
    interface FastEthernet0/1
    description home office
    switchport access vlan 18
    switchport mode access
    interface FastEthernet0/2
    description t1 to branch office 1
    no switchport
    ip address 192.168.19.1 255.255.255.0
    interface Vlan18
    description subnet for home office
    ip address 192.168.18.1 255.255.255.0
    no vlan 19

    Hello,
    In my opinion there is no 100% right answer here. I think it depends also about network forecast. I'll try to add here some thoughts:
    - if you use trunk interfaces from home to branch and SVI for L3 connection, in terms of scalability it is much easier to expand (you have now only one p2p L3 link, but in future you'll need another one; if the port is a trunk one, you just configure another SVI interface, allow the vlan on the trunk and you're good to go)
    - trunk interfaces involve more configuration (L2 interface and SVI L3 interface)
    - if you add in the home office another switch to existing one, and for some reason you have misconfiguration in STP / VTP, then you can run into problems like loops, vlan database modification (e.g. VTP server mode and the new added switch has a higher revision number than existing one)
    - L3 physical interfaces are easier to configure and less complex, but in case you want to scale to additional p2p link will be harder
    - L3 configuration is easier to troubleshoot as you avoid the L2 complexity
    - in terms of packet exchange a L3 interface will exchange less packets than a L2 trunk with SVI (I'm talking here about control traffic, not user traffic)
    - with L2 trunk you can have other problems like if somebody is "smart enough" to add a new switch into the existing switch (if you have a switch there) at the branch location; imagine that the new switch due to misconfigured STP became root bridge; you have a large STP domain.
    As I said, there is no good or bad approach. You have to guide yourself by the forecasts for your network. For example if you know that a branch location will not be extended in the next 2 years, then go ahead with L3 interface and that's it. On the other hand if you have doubts you can add for another location L2 trunk with SVI. You can mix these two solutions to obtain the best results for your network characteristics.
    Cheers,
    Calin

  • How to authenticate a Non domain member laptop with AAA

    Dear all,
    I have a problem resolving an issue with AAA. The scenario is: if a user connects his laptop to a Cisco switch and the computer is not a member of the domain. We would like to allow internet and an IP from the DHCP server only to those users whose computers are members of Active Directory. Do let me know how this is possible. Support will be appreciated.
    Regards
    Ibrahim

    Hi Ibrahim,
    Do you use CiscoSecure ACS?
    If so, this is possible, using AAA/dot1X on the switch and configuring ACS to authenticate against Active Directory.
    There are lots of configuration examples available here:
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_configuration_examples_list.html
    Specifically the wired dot1x; nac: ldap integration with acs; cisco secure acs for windows with eap-tls machine authentication.
    Although some of these are for wireless, I can't see why the principle can not be applied to wired.
    Also there are posts on the learning network:
    https://learningnetwork.cisco.com/thread/2221
    https://learningnetwork.cisco.com/thread/12897
    Regards, Ash.

  • Trouble with detect network "Domain network" in the domain member server

    Hi, I have a question about detecting "domain network" in the Windows 2012 R2 server. After installing and adding this member server to the domain I see that I cannot connect to this server. After I connect to the console I detect the site also public site. After I disable and enable this network site the network is correct domain. How is it detected which network it is? This contacted domain controller? etc. ???
    Thank you for answer
    Falcon

    Hi
    Not fully understood the problem. But if you have a Windows domain and you can't add the new server to the domain or can't connect to the server after or before joining to the domain, then there could be a number of reasons; the first one to check is the firewall.
    Turn the firewall on host and source and then try again. Also are you able to ping the new server?
    How are you trying to connect to the server via RDP?
    If yes then you need to enable the RDP and give yourself permission to remote dial in.
    Thanks
    Umar

  • Monitoring of other domain member server

    Hello,
    we have some servers in our LAN with another domain than our scom server. We create a scom certificate from our scom cert template with the servername.other.domain and import it with the Momcertimport.exe on the server. The entry on the Key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Operations Manager\3.0\Machine Settings" is correct like the serial number in the imported certificate. The telnet connection runs successfully over port 5723.
    But the server is not visible at scom and throws some errors in OM event log:
    ID20057: Failed to initialize security context for target MSOMHSvc/SCOMSERVER.domain The error returned is 0x80090303(The specified target is unknown or unreachable).  This error can apply to either the Kerberos or the SChannel package.
    ID21001: The OpsMgr Connector could not connect to MSOMHSvc/SCOMSERVER.domain because mutual authentication failed.  Verify the SPN is properly registered on the server and that, if the server is in a separate domain, there is a full-trust relationship between the two domains.
    ID20071: The OpsMgr Connector connected to SCOMSERVER.domain, but the connection was closed immediately without authentication taking place.  The most likely cause of this error is a failure to authenticate either this agent or the server. Check the event log on the server and on the agent for events which indicate a failure to authenticate.
    ID21016: OpsMgr was unable to set up a communications channel to SCOMSERVER.domain and there are no failover hosts.  Communication will resume when SCOMSERVER.domain is available and communication from this computer is allowed.
    What can we check?
    Thanks & regards
    Doreen

    Hi,
    Please make sure you have a full-trust relationship between the two domains; if they are not in the same forest, you may try to create a forest trust between them.
    Note, with External trust, only NTLM authentication is supported. So check whether you are using this kind of trust.
    In addition, please also refer to the link to check SCOM SPN:
    OpsMgr 2012: What should the SPN’s look like?
    http://blogs.technet.com/b/kevinholman/archive/2011/08/08/opsmgr-2012-what-should-the-spn-s-look-like.aspx
    Here is an article which should be helpful
    Solving the Gateway 20071 event
    Regards,
    Yan Li

  • Samba - disabling access for certain users on domain member servers

    Hi all!
    I'm running a small network that has domain logons for windows clients and I want to have single sign on (samba shares and shell accounts) on those three servers I'm running. The problem is, I don't want to allow all users to access all servers.
    I have the samba running tdbsam password backend. Do I have to use ldap backend to achieve this or is it possible to do using tdbsam backend? I'd prefer to have all configuration concerning windows domain and passwords in one place...
    Tomato

    Hi LMS,
    I’m writing to just check in to see if the suggestions were helpful. If you need further help, please feel free to reply this post directly so we will be notified to follow it up.
    Best Regards,
    Anna Wang
    TechNet Community Support

  • NPS Certificate with Internal Domain

    Hi all,
    We currently run an AD domain with an internal (.local) domain name.  We're a school and run a BYOD program, so we have lots of non-domain machines, it's therefore important that the certificate used on our NPS server for our PEAP secured wireless for these users is trusted.  We've used Godaddy to sign certificates for this in the past, but after November 2015 they won't support signing certificates for internal domains (and nobody else will).
    What I'd like to know, is do I have any other choice to overcome this in the future other than renaming my domain (1000 users and 1000 PC's, so not a small undertaking), or is there a way to have NPS present another name, or some other way around this?
    Thanks.

    Hi
    I am in the same situation as "Speculator" but your solution "non-domain clients can request the certificates with the CA built-in web enrollment function" is a NO-GO. Most users can't handle this and lots of devices are mobile devices (iPhones, etc.) so much too complicated.
    So I wonder if there are other solutions. Renaming the domain for sure is NO option; btw. .local domain was best practice recommended by Microsoft for a long time so I refuse to rename/setup from scratch a customer domain just because this recommendation has now turned into bad practice by some major CA players without even thinking about the consequences.
    So let's think out loud about other possible solutions/workarounds:
    - NPS 2008 lets you choose the certificate it uses to present to the client. Is that of any help? Can I use a signed certificate? Or is it impossible because the NPS server always presents the server.domain.local FQDN?
    - What about a NPS Proxy Server (standalone, non-domain member server) using a fully valid FQDN (e.g. nps.mydomain.com) and a corresponding certificate? Will the clients use this certificate or will they use the certificate from the NPS server behind the NPS Proxy? I mean is the certificate an end-to-end relationship or is it a client-to-NPS Proxy relationship?
    - Setup a new Active Directory Forest with a real, public, valid domain name (e.g. mydomain.com) and install a NPS Server in this domain with a fully valid/signed certificate. A trust would be established between the .local domain/forest and mydomain.com domain/forest. People would have to enter the REALM as well when connecting.
    Any other ideas?
    @Speculator: How did you solve this in the end?
    Regards,
    Oliver
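
The two posts above turn on which server names a public CA will still sign. The following is an added example, not code from either poster: a small Python audit that sorts a certificate's CN/SAN entries into publicly signable names and internal ones (non-public suffixes such as .local, single-label names, non-routable IP addresses). The suffix set, the function names and the sample inventory are assumptions made for illustration; only the two FQDNs come from the thread.

```python
"""Added example: flag certificate names that are internal-only."""
import ipaddress

# Assumption: suffixes that are not delegated in the public DNS root
# (special-use or reserved names). Extend this set for your environment.
NON_PUBLIC_SUFFIXES = {
    "local", "localhost", "localdomain", "lan", "corp", "home",
    "internal", "test", "example", "invalid",
}


def classify_name(name):
    """Return (is_internal, reason) for one CN/SAN entry."""
    candidate = name.strip().rstrip(".").lower()
    if not candidate:
        return True, "empty name"

    # IP addresses: anything outside globally routable space counts as internal.
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        ip = None
    if ip is not None:
        if ip.is_global:
            return False, "globally routable IP address"
        return True, "reserved or private IP address"

    labels = candidate.split(".")
    # A leading wildcard label does not change where the name lives.
    if labels[0] == "*":
        labels = labels[1:]
    if labels and labels[-1] in NON_PUBLIC_SUFFIXES:
        return True, "suffix ." + labels[-1] + " is not in the public DNS root"
    if len(labels) < 2:
        return True, "single-label (NetBIOS-style) name"
    return False, "ends in a suffix assumed to be publicly delegated"


def audit_certificate(names):
    """Split a certificate's CN/SAN list into public and internal names."""
    report = {"public": [], "internal": []}
    for name in names:
        internal, reason = classify_name(name)
        report["internal" if internal else "public"].append((name, reason))
    # A public CA can only sign the request if no internal name remains.
    report["publicly_signable"] = not report["internal"]
    return report


# Constructed sample inventory; the two FQDNs are the ones used in the thread.
SAMPLE_CERTS = {
    "current NPS certificate": ["server.domain.local", "NPS01", "10.0.0.5"],
    "proposed NPS proxy certificate": ["nps.mydomain.com"],
}

if __name__ == "__main__":
    for label, names in SAMPLE_CERTS.items():
        result = audit_certificate(names)
        verdict = ("can go to a public CA" if result["publicly_signable"]
                   else "contains internal names")
        print(f"{label}: {verdict}")
        for name, reason in result["internal"]:
            print(f"  internal: {name} ({reason})")
```
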
