Wednesday, March 14, 2012

Active Directory Mixed Mode and Built-in Groups

Issue

If you are running your Active Directory in mixed mode and the FSMO roles are on a Windows 2000 or Windows 2003 DC, you won’t be able to see the following built-in groups:

  • Event Log Readers
  • Cryptographic Operators
  • IIS_IUSRS
  • Certificate Service DCOM Access


Some of these groups were introduced with Windows 2008 and some of them have changed name.  For example, Certificate Service DCOM Access serves the same purpose as CERTSVC_DCOM_ACCESS in Windows 2003.

However, if you are running Active Directory in Windows 2000/2003 and Windows 2008 mixed mode and your PDC Emulator FSMO role is not on the Windows 2008 DC, you won’t be able to see these groups.  You need to transfer the PDC Emulator FSMO role to a Windows 2008/Windows 2008 R2 DC (or the DC running the newest OS) to resolve this issue.
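As an added example (not code from the original post), the following PowerShell shows how to check which DC holds the PDC Emulator role and which OS it runs, whether the four groups above actually exist in the domain's Builtin container on that DC (looked up by their well-known SIDs, S-1-5-32-568/569/573/574, so a member server's local groups of the same name cannot mask a missing domain group), and how to transfer the role. The checks use only .NET/ADSI; the transfer needs the ActiveDirectory module (Windows Server 2008 R2 / RSAT). The DC name in the usage line is a placeholder.

```powershell
# Added example, not from the original post. Checks use .NET/ADSI only;
# the role transfer uses the ActiveDirectory module (Windows Server 2008 R2 / RSAT).

# Well-known SIDs (S-1-5-32-<RID>) of the four built-in groups named above.
$BuiltinGroups = @{
    'IIS_IUSRS'                       = 'S-1-5-32-568'
    'Cryptographic Operators'         = 'S-1-5-32-569'
    'Event Log Readers'               = 'S-1-5-32-573'
    'Certificate Service DCOM Access' = 'S-1-5-32-574'
}

function Get-PdcEmulatorInfo {
    # Which DC holds the PDC Emulator role, and what OS it runs.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $pdc    = $domain.PdcRoleOwner
    [pscustomobject]@{
        Domain     = $domain.Name
        DomainMode = $domain.DomainMode
        PdcName    = $pdc.Name
        PdcOS      = $pdc.OSVersion
    }
}

function Test-BuiltinGroupsPresent {
    # Look for each group object in CN=Builtin on the PDC itself, by objectSid.
    param([string]$Server = (Get-PdcEmulatorInfo).PdcName)
    $rootDse  = [adsi]"LDAP://$Server/RootDSE"
    $domainDn = $rootDse.defaultNamingContext.Value
    $builtin  = [adsi]"LDAP://$Server/CN=Builtin,$domainDn"
    foreach ($entry in $BuiltinGroups.GetEnumerator()) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($builtin)
        $searcher.Filter      = "(objectSid=$($entry.Value))"
        $searcher.SearchScope = 'OneLevel'
        $hit = $searcher.FindOne()
        [pscustomobject]@{
            Group   = $entry.Key
            Sid     = $entry.Value
            Present = ($null -ne $hit)
        }
    }
}

function Move-PdcEmulatorTo {
    # Transfer (not seize) the PDC Emulator role to a DC running Windows Server 2008 or later.
    param([Parameter(Mandatory)][string]$TargetDc)
    Import-Module ActiveDirectory
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole PDCEmulator
}

# Usage:
Get-PdcEmulatorInfo
Test-BuiltinGroupsPresent | Format-Table -AutoSize
# Once the target DC's OS has been confirmed (Get-ADDomainController -Identity <name>):
# Move-PdcEmulatorTo -TargetDc 'DC2008R2.contoso.example'   # placeholder DC name
```

After the transfer, re-run Test-BuiltinGroupsPresent against the new PDC; the groups are created by the SAM upgrade tasks the new role holder runs, so they appear there first and reach the other DCs by replication.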



Update - Wednesday, July 25, 2012 9:50 PM

I received the following email from Chris regarding this topic.  I thought I would share it with you.

From: Christoffer Andersson
Sent: Wednesday, July 25, 2012 9:50 PM
To: Santhosh Sivarajan
Subject: Active Directory - Built-In Groups

 

Just came across your article: http://portal.sivarajan.com/2012/03/active-directory-mixed-mode-and-built.html

Just wanted to share that this can be accomplished without moving/transferring the PDC to a DSA running the latest bits. (This is how MS deals with the presence of the required RODC* groups even if the PDC isn’t running Win2k8 or above.)
http://msdn.microsoft.com/en-us/library/dd240061(v=prot.13).aspx

The state of “runSamUpgradeTasks” is stored in sam-domain-updates; I haven’t really had time to decode the values yet, but lowering it allows re-creation of built-in groups.

Modifying the “wellKnownOtherObjects” attribute on the SamServer object at the PDC (1. WIN2K DC) to contain “B:32:6ACDD74F3F314AE396F62BBE6B2DB961:<X>”, where <X> is the NTDS Settings object of (3. WIN2K3 DC), and then calling “runSamUpgradeTasks” will cause the new groups defined in the Windows Server 2003 release to be created in the domain without moving the PDC role off the (1. WIN2K DC).

 

Enfo Zipper

Christoffer Andersson – Principal Advisor
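As an added, read-only check that is not part of Christoffer's email or the original post: the values the email quotes are in DN-Binary syntax, B:<count of hex characters>:<hex>:<DN>, and the following PowerShell decodes each wellKnownOtherObjects entry on the domain's SamServer object (CN=Server,CN=System,<domain DN>) and flags the GUID quoted above, so an administrator can see whether such a pointer is set on the PDC and which NTDS Settings object it names. It assumes the ActiveDirectory module and modifies nothing.

```powershell
# Added example, not from the original post or the quoted email. Read-only: it decodes
# the wellKnownOtherObjects values on the SamServer object and reports where each points.
# Requires the ActiveDirectory module (Windows Server 2008 R2 / RSAT).

# GUID quoted in the email above, as it appears inside the DN-Binary value.
$SamUpgradeGuidHex = '6ACDD74F3F314AE396F62BBE6B2DB961'

function ConvertFrom-DnBinary {
    # DN-Binary syntax: B:<count of hex chars>:<hex bytes>:<DN>. The DN can itself
    # contain colons, so split on at most the first three.
    param([Parameter(Mandatory)][string]$Value)
    $parts = $Value -split ':', 4
    if ($parts.Count -ne 4 -or $parts[0] -ne 'B') { throw "Not a DN-Binary value: $Value" }
    if ($parts[2].Length -ne [int]$parts[1])        { throw "Hex length mismatch in: $Value" }
    [pscustomobject]@{
        HexData = $parts[2].ToUpperInvariant()
        DN      = $parts[3]
    }
}

function Get-SamServerWellKnownObjects {
    param([string]$Server)
    Import-Module ActiveDirectory
    $common = @{}
    if ($Server) { $common.Server = $Server }
    $domainDn  = (Get-ADRootDSE @common).defaultNamingContext
    $samServer = Get-ADObject -Identity "CN=Server,CN=System,$domainDn" `
                              -Properties wellKnownOtherObjects @common
    foreach ($raw in $samServer.wellKnownOtherObjects) {
        $decoded = ConvertFrom-DnBinary $raw
        [pscustomobject]@{
            HexData          = $decoded.HexData
            TargetDN         = $decoded.DN
            IsSamUpgradeSlot = ($decoded.HexData -eq $SamUpgradeGuidHex)
        }
    }
}

# Usage: query the PDC Emulator, since that is the copy runSamUpgradeTasks would read.
Get-SamServerWellKnownObjects -Server (Get-ADDomain).PDCEmulator | Format-Table -AutoSize
```

An entry with IsSamUpgradeSlot set to True names the DC whose NTDS Settings object the SAM upgrade tasks are pointed at; an empty result simply means no such pointer has been written on that DC.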

2 comments:

Hello Dude,

Active Directory is a service created by Microsoft for Windows servers. It allows centralized network administration and security management. Some organizations create their own applications to help IT departments use Active Directory. Thanks for sharing it.

Server Audit Tool
