Remote RAS authorization

Posted on 1997-04-07
Last Modified: 2013-12-23
I have an NT 3.51, 200 MHz, 128 MB RAM server with service pack 5, 4 terminal server cards made by Rocketport and Cyclades serving 80 analog modems.
I have been told I need to divide these 4 cards onto two different machines because of resource problems.

My question is, how do I have PC#2 look to PC#1 for RAS authorization? Also do I have to re-format my current PC which is configured as a server and change it to a domain server? (It will be the one with the user database).

Is the PC that has the RAS user database supposed to be the primary domain and the second PC without the database the secondary domain? What steps do I go through to set up the computers to be a domain server and how do I tell PC#2 to look to PC#1 for user name and password authorization?

Please be elementary in your answer, I am dumb.... <g>
Step one, do this
Step two, do that
Step three, do this and that....

Thanks in advance...
Question by:alpha

Expert Comment

You set up PC#1 as PDC (primary domain controller)
PC#2 is a server that joins the domain (it is NOT a domain on its own).
Now #1 and #2 act as one and #2 automatically asks #1 for authentication.
I was told to avoid problems in the future it is better to reinstall #1 as PDC and not to upgrade it. I am not sure if this is true. I think upgrading must be possible in the servermanager or somewhere else in the control panel.

Sorry I have no steps for dumb users. Please try on your own first.


Accepted Solution

jmataso earned 200 total points
You cannot upgrade from a Workstation to a Domain Controller (or from a domain server to a domain controller).  You need to reinstall, see my answer to the 4/8/97 question titled "Trust Relationships" for more information on why.

The simplest solution is to create a domain (with either machine) and set it up with your accounts for RAS.  The second machine can either be a Backup Domain Controller or a Domain Server.  If it is a BDC, it will be able to authenticate even if the other machine is down, otherwise it will be down whenever the PDC goes down (for new connections).

Your steps in this process should probably be as follows (I am assuming you are going to format PC#1):

-Copy down your account info from PC#1 (to paper)
-Reinstall PC#1 as PDC (w/ RAS)
-Reenter account info from paper (you will probably have some
 upset users at their accounts being reset, but it can't be
-Manually transfer the accounts from PC#2 to PC#1 (essentially
 the same process you did above, only you may not need to write
 them down on paper.  Once again, you may have some upset users).
-Now, optionally, you can reinstall the second server as a BDC.


Author Comment

I do use the server for dialup RAS and I have over 1000 customers, that's a lot of retyping. After I reformat the server and change it to a PDC, isn't there a way to just restore my "SAM" RAS user database without restoring the other registry keys and messing the whole thing up?

Can I then put two terminal server cards in this PDC and put two other terminal server cards in my BDC and they both work? Does it matter that my BDC will be 3.51 and the PDC will be version 4.0?


Expert Comment

Alpha sent me this comment via e-mail, and so I am posting it, as well as my response here on-line:
I would like to ask you just one simple followup question if you don't mind.

I do use the server for dialup RAS and I have over 1000 customers, that's a lot of retyping. After I reformat the server and change it to a PDC, isn't there a way to just restore my "SAM" RAS user database without restoring the other registry keys and messing the whole thing up?

Can I then put two terminal server cards in this PDC and put two other terminal server cards in my BDC and they both work? Does it matter that my BDC will be 3.51 and the PDC will be version 4.0?

1000+ users does pose a problem.  I was wondering if both of your machines are currently up and running, or if only the first of the two is up?  What I am concerned about is where your accounts are located.  Once you have things merged into a single domain, the same accounts can be used from all of your RAS servers, but until that point you may get stuck retyping.

As far as restoring your old SAM, I am fairly certain that the SAM DB CANNOT be restored, as it does not just contain user accounts, it also contains accounts for machines in the domain, trust relationships, etc. that would get blown out of the water by a restore.  To be honest, I am not entirely sure either that the machine would work after doing that, or how things would work.  It is definitely NOT supported by MS support (if you get that far).

Once the migration is done, you can string up as many different NT servers w/ modems attached as you like and set all of them to authenticate with the domain.  Any user account on the domain can then login through any of the servers (so you can have them all on a common rollover, if you want).  I just want to clarify one point, in that you mention "terminal server cards with modems attached", by this I assume you mean multiple serial port cards with modems hanging off of them (of a Digiboard-ish nature).  If you are talking about a different sort of technology, let me know.

As far as I know, there shouldn't be any problems with different versions of NT for the domain controllers.  Several other people that I know are doing it at their sites, and they aren't having any problems.

Back to the question of retyping, I know there are some utilities in the resource kit that allow for automated entry of large numbers of accounts from a text-file format, but I am not sure about dumping a SAM to disk and then reloading.  That might be a good place to start looking for that info.  Unfortunately, I am not sure you will be able to get around it.  Sorry I can't be of more help on that point.



Author Comment

I have two NT servers; one is sitting there as an emergency hardware backup PC. The main server is a 3.51, server pack 5, dual CPU, 128MB RAM system. Both systems are currently set up as servers and not PDCs or BDCs.
It only recognizes one CPU, but that's another story...

I am using RocketPort and Cyclades terminal server cards which are multiport serial cards attached to 80 analog modems.
(It's a mess and digital is coming).
According to what you are saying, I need to do a backup, reformat the dual CPU server and configure it as a PDC (I will use version 4.0) and then put two cards in it and two cards in my backup PC which is currently configured as a server and not a BDC. It's my understanding that the server (version 3.51) will connect to my dual CPU PDC and use that SAM database on the PDC for authentication. I assume I have to go into the "network" settings and tell it to look at the dual CPU PDC for authentication.
It sounds like I am ready to go. I can either keep PC#2 as a v3.51 server or change it to a BDC and it will work either way, right?
The only problem now is figuring out how to import just the SAM database.
Thanks for all your help.


Expert Comment

No problem.  Like I said, you might start with the ResKit, as it has a utility for bulk loading accounts from a file, it may also have one for dumping info to a file.

One other thought, you can transition over time as follows:

You make the backup server your PDC and add the currently active server to that domain.  You now begin the migration of accounts over in groups to the domain (users can still login through the old server in the interim).  This way, you will not have as big a problem of immediately having to switch the accounts over.  One note is that I am not sure how the users will have to specify what account they want to use when they are logging in (if they are using a non-MS dialer).  When authenticating through the server to the domain, they may need to specify a username of the following format:  <DOMAIN>\<USERNAME> for the server to recognize that they are specifying a domain account.  When the server is a BDC, that would not be necessary, as it will default to checking its local SAM, and find them.


Author Comment

Great idea! Thanks again!
