Remote RAS authorization

Posted on 1997-04-07
Last Modified: 2013-12-23
I have an NT 3.51, 200 MHz, 128 MB RAM server with service pack 5, 4 terminal server cards made by RocketPort and Cyclades serving 80 analog modems.
I have been told I need to divide these 4 cards onto two different machines because of resource problems.

My question is, how do I have PC#2 look to PC#1 for RAS authorization? Also do I have to re-format my current PC which is configured as a server and change it to a domain server? (It will be the one with the user database).

Is the PC that has the RAS user database supposed to be the primary domain and the second PC without the database the secondary domain? What steps do I go through to set up the computers to be a domain server and how do I tell PC#2 to look to PC#1 for user name and password authorization?

Please be elementary in your answer, I am dumb.... <g>
Step one, do this
Step two, do that
Step three, do this and that....

Thanks in advance...
Question by: alpha

Expert Comment

ID: 1559675
You set up PC#1 as PDC (primary domain controller).
PC#2 is a server that joins the domain (it is NOT a domain on its own).
Now #1 and #2 act as one and #2 automatically asks #1 for authentication.
I was told to avoid problems in the future it is better to reinstall #1 as PDC and not to upgrade it. I am not sure if this is true. I think upgrading must be possible in the Server Manager or somewhere else in the control panel.

Sorry I have no steps for dumb users. Please try on your own first.


Accepted Solution

jmataso earned 200 total points
ID: 1559676
You cannot upgrade from a Workstation to a Domain Controller (or from a domain server to a domain controller).  You need to reinstall, see my answer to the 4/8/97 question titled "Trust Relationships" for more information on why.

The simplest solution is to create a domain (with either machine) and set it up with your accounts for RAS.  The second machine can either be a Backup Domain Controller or a Domain Server.  If it is a BDC, it will be able to authenticate even if the other machine is down, otherwise it will be down whenever the PDC goes down (for new connections).

Your steps in this process should probably be as follows (I am assuming you are going to format PC#1):

-Copy down your account info from PC#1 (to paper)
-Reinstall PC#1 as PDC (w/ RAS)
-Reenter account info from paper (you will probably have some
 upset users at their accounts being reset, but it can't be
-Manually transfer the accounts from PC#2 to PC#1 (essentially
 the same process you did above, only you may not need to write
 them down on paper.  Once again, you may have some upset users).
-Now, optionally, you can reinstall the second server as a BDC.


Author Comment

ID: 1559677
I do use the server for dialup RAS and I have over 1000 customers,
that's a lot of retyping. After I reformat the server and change it to a
PDC, isn't there a way to just restore my "SAM" RAS user database
without restoring the other registry keys and messing the whole thing up?
Can I then put two terminal server cards in this PDC and put two other
terminal server cards in my BDC and they both work? Does it matter that
my BDC will be 3.51 and the PDC will be version 4.0?


Expert Comment

ID: 1559678
Alpha sent me this comment via e-mail, and so I am posting it, as well as my response here on-line:
I would like to ask you just one simple followup question if you don't mind.

I do use the server for dialup RAS and I have over 1000 customers, that's a lot of retyping. After I reformat the server and change it to a PDC, isn't there a way to just restore my "SAM" RAS user database without restoring the other registry keys and messing the whole thing up?

Can I then put two terminal server cards in this PDC and put two other terminal server cards in my BDC and they both work? Does it matter that my BDC will be 3.51 and the PDC will be version 4.0?

1000+ users does pose a problem.  I was wondering if both of your machines are currently up and running, or if only the first of the two is up?  What I am concerned about is where your accounts are located.  Once you have things merged into a single domain, the same accounts can be used from all of your RAS servers, but until that point you may get stuck retyping.

As far as restoring your old SAM, I am fairly certain that the SAM DB CANNOT be restored, as it does not just contain user accounts, it also contains accounts for machines in the domain, trust relationships, etc. that would get blown out of the water by a restore.  To be honest, I am not entirely sure either that the machine would work after doing that, or how things would work.  It is definitely NOT supported by MS support (if you get that far).

Once the migration is done, you can string up as many different NT servers w/ modems attached as you like and set all of them to authenticate with the domain.  Any user account on the domain can then login through any of the servers (so you can have them all on a common rollover, if you want).  I just want to clarify one point, in that you mention "terminal server cards with modems attached", by this I assume you mean multiple serial port cards with modems hanging off of them (of a Digiboard-ish nature).  If you are talking about a different sort of technology, let me know.

As far as I know, there shouldn't be any problems with different versions of NT for the domain controllers.  Several other people that I know are doing it at their sites, and they aren't having any problems.

Back to the question of retyping, I know there are some utilities in the resource kit that allow for automated entry of large numbers of accounts from a text-file format, but I am not sure about dumping a SAM to disk and then reloading.  That might be a good place to start looking for that info.  Unfortunately, I am not sure you will be able to get around it.  Sorry I can't be of more help on that point.



Author Comment

ID: 1559679
I have two NT servers; one is sitting there as an emergency hardware backup PC. The main server is a 3.51, service pack 5, dual CPU, 128 MB RAM system. Both systems are currently set up as servers and not PDCs or BDCs.
It only recognizes one CPU, but that's another story...

I am using RocketPort and Cyclades terminal server cards which are multiport serial cards attached to 80 analog modems.
(It's a mess and digital is coming).
According to what you are saying, I need to do a backup, reformat the dual CPU server and configure it as a PDC (I will use version 4.0) and then put two cards in it and two cards in my backup PC which is currently configured as a server and not a BDC. It's my understanding that the server (version 3.51) will connect to my dual CPU PDC and use that SAM database on the PDC for authentication. I assume I have to go into the "network" settings and tell it to look at the dual CPU PDC for authentication.
It sounds like I am ready to go. I can either keep PC#2 as a v3.51 server or change it to a BDC and it will work either way, right?
The only problem now is figuring out how to import just the SAM database.
Thanks for all your help.


Expert Comment

ID: 1559680
No problem.  Like I said, you might start with the ResKit, as it has a utility for bulk loading accounts from a file, it may also have one for dumping info to a file.

One other thought, you can transition over time as follows:

You make the backup server your PDC and add the currently active server to that domain.  You now begin the migration of accounts over in groups to the domain (users can still login through the old server in the interim).  This way, you will not have as big a problem of immediately having to switch the accounts over.  One note is that I am not sure how the users will have to specify what account they want to use when they are logging in (if they are using a non-MS dialer).  When authenticating through the server to the domain, they may need to specify a username of the following format:  <DOMAIN>\<USERNAME> for the server to recognize that they are specifying a domain account.  When the server is a BDC, that would not be necessary, as it will default to checking its local SAM, and find them.


Author Comment

ID: 1559681
Great idea! Thanks again!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A brief overview to explain gateways, default gateways and static routes OR NO - you CANNOT have two default gateways on the same server, PC or other Windows-based network device. In simple terms a gateway is formed when a computer such as a serv…
The Need In an Active Directory enviroment, the PDC emulator provide time synchronization for the domain. This is important since Active Directory uses Kerberos for authentication.  By default, if the time difference between systems is off by more …
In an interesting question ( here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question