Microsoft KB Archive/314976

= How To Use the Ntdsutil Utility to Deny Access to IP Addresses in Windows 2000 =

Article ID: 314976

Article Last Modified on 10/30/2006

APPLIES TO

 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

This article was previously published under Q314976



IN THIS TASK

 * Summary
 * How to Start Ntdsutil
 * How to Add an IP Address to the Deny List
 * How to Verify the Addition



SUMMARY
This step-by-step article describes how to use the Ntdsutil utility to add an IP address to the IP Deny list. To provide higher levels of security for the domain controller, you can apply an IP Deny List that prevents the domain controller from accepting Lightweight Directory Access Protocol (LDAP) queries from clients that have specific IP addresses. The IP Deny List is similar to LDAP administration limits; it only alters the Default LDAP Policy object. The default LDAP policy is applied to any domain controller that has not had a specific LDAP policy applied to it or to the site in which it belongs.

NOTE: To perform the procedure described in this article, you must be a member of the Administrators group on a system that is running Windows 2000 Server or Windows 2000 Advanced Server.

Ntdsutil is located in the Support Tools folder on the Windows 2000 installation CD-ROM.

How to Start Ntdsutil

 * 1) Click Start, and then click Run.
 * 2) In the Open box, type ntdsutil, and then press ENTER. For more information about Ntdsutil, type a question mark (?) at the Ntdsutil command prompt, and then press ENTER to access the Help file.

How to Add an IP Address to the Deny List

 * 1) At the Ntdsutil command prompt, type IPDeny List, and then press ENTER.
 * 2) At the IP Deny List command prompt, type connections, and then press ENTER.
 * 3) At the server connections command prompt, type connect to server , and then press ENTER.

NOTE: Connect to the server that you are working on.
 * 4) At the server connections command prompt, type q, and then press ENTER to return to the previous menu.
 * 5) At the IP Deny List command prompt, type add  , and then press ENTER.

If you are working in a single-node environment, you can use "node" for the mask variable.
 * 6) At the IP Deny List command prompt, type commit, and then press ENTER to commit the change.

How to Verify the Addition

 * 1) At the IP Deny List command prompt, type show, and then press ENTER.

A list of all denied IP addresses is displayed.
 * 2) At the IP Deny List command prompt, type q, and then press ENTER.
 * 3) At the Ntdsutil command prompt, type q, and then press ENTER to quit Ntdsutil.
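The same menu path, replayed non-interactively and checked against the show listing, as an added example that is not part of the original article: Ntdsutil accepts its menu commands as quoted command-line arguments. The server name and addresses are constructed placeholders, and passing a dotted-decimal subnet mask instead of "node" is an assumption not stated in the article.

```powershell
# Added example; not code from the original KB article.
# Ntdsutil takes its menu commands as quoted arguments, so the interactive
# session above can be scripted and its output captured for verification.
# Run from an elevated prompt as a member of the Administrators group on the DC.
$Server      = 'DC1'            # constructed placeholder: the DC you are working on
$BlockedHost = '192.0.2.50'     # constructed placeholder: single host, mask keyword "node"
$BlockedNet  = '203.0.113.0'    # constructed placeholder: whole subnet
$NetMask     = '255.255.255.0'  # assumption: dotted-decimal mask accepted in place of "node"

# Same path as the manual steps: ipdeny list -> connections -> connect to server
# -> q (back to the IP Deny List menu) -> add -> commit -> show -> q -> q
$output = & ntdsutil "ipdeny list" connections "connect to server $Server" q `
    "add $BlockedHost node" "add $BlockedNet $NetMask" commit show q q 2>&1 |
    Out-String

# Trust the change only if each entry appears in the 'show' listing.
foreach ($entry in @($BlockedHost, $BlockedNet)) {
    if ($output -match [regex]::Escape($entry)) {
        Write-Host "Denied: $entry"
    } else {
        Write-Warning "$entry not found in IP Deny List output; review the commit result above"
    }
}
```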

