三百多分能上什么大学

Question

I have a complete newbie question on Active Directory.

I was provided with an IP address of a Domain Controller and credentials.

On my Windows 10 machine I opened this:

entered the IP address of the Domain Controller and the Status became Online, so I can guess, that I entered the IP address to a right place, but I do not understand well enough where do I enter the credentials.

When I press OK I get this:

I do not need my Windows 10 machine to be included to the domain, but I need to see the users and computes in Active Directory. Is it possible?

Do I use a right tool?

EDIT1:

The right tool:

Answer 1

First, that's the wrong console – "Users and Computers" is dsa.msc. (Though all of them use the same credentials. You can also run mmc.exe and build a custom AD mega-console.)

Second, if all you have is an IP address, then that's not enough for a secure connection. Both Kerberos and TLS generally require a full domain name of the system you're connecting to (i.e. the domain controller in this case).

Without that, the AD clients will only be able to use NTLM security – probably okay if it's used over some kind of corporate VPN, but really bad practice in general.

If the program doesn't ask you for credentials, there are still two ways to run it with different network credentials than the default ones:

• The easiest way is to store the credentials in your Windows Credential Manager:

  cmdkey /add:dc01.ad.example.com /user:[email protected] /p
  -or-
  cmdkey /add:*.ad.example.com /user:[email protected] /p
  

  The parameter to /add: is the server name you're connecting to. When connecting to an IP address, specify that IP address. When connecting to a hostname, specify that hostname, e.g. dc1.example.com (wildcards like *.example.com also work).

  You can also do this through the "Credential Manager" GUI; make sure to create it as a "Windows" credential and not a "Generic" one.

  

• The other way is to use runas /netonly, but this can conflict with UAC (depending on your UAC level) due to mmc.exe being marked as requiring elevation whereas the result of runas is non-elevated.

  runas /netonly /u:[email protected] cmd
  

  (Not 'full' runas as your system doesn't have the account in question, and the Active Directory consoles actually refuse being run under runas anyway, but /netonly will suffice.)

In both cases, it is strongly preferred to specify the username as user@domain or user@REALM – e.g. [email protected] or [email protected] – not as the legacy DOM\user syntax.

Domain-joined machines still recognize the latter format as equivalent, but a non-joined one wouldn't be able to discover the domain controllers for Kerberos if it doesn't know the full domain name, therefore limiting you to insecure NTLM authentication.

(Though at the moment, using raw IP addresses already limits you to NTLM anyway...)

Another note: Connecting from a non-joined machine can result in connections being somewhat slow, as Windows often does not properly cache the Kerberos tickets and will keep re-acquiring them anew for every connection (even though they remain valid for several hours).

Answer 2

The screenshot shows you are using Active Directory Sites and Services, but you are looking for Users and Computers, which is a different Active Directory program.

Open the correct Active Directory Users and Computers program first, then connect to the server, and it should work.

Answer 3

It sounds like you might have mistyped the credentials. Be sure to type the credentials as follows (there are two ways to do it, choose only one):

Option 1: DOMAIN\username: Enter the domain name followed by a backslash (`\`) and your username.  
Option 2: [email protected]: Enter your username, then the "@" symbol, and your domain name.