Solved

Windows 2000 authentication problem

Posted on 2001-09-07
8
301 Views
Last Modified: 2010-04-13
I have an NT domain with 1 PDC and 1 BDC, with Exchange Server 5.5 residing on the BDC. Last month I upgraded all workstations to Win2000 Professional. Then I upgraded all the servers to Windows 2000 Server. Following is what I have done:
1- promoted the BDC containing Exchange Server to PDC. Now the Exchange Server became the PDC and the old PDC became the BDC.
2- upgraded this new PDC to Windows 2000 Server first, as an Active Directory controller (named AD1).
3- upgraded the BDC to Windows 2000 Server and promoted it to be an Active Directory controller. However, this process failed. After changing something in the DNS server, this server could finally be promoted to an AD controller (named AD2).

All was working fine until the day I had a new staff member and had her account created.
Now the problem happened. The new account can access all shared folders on all other servers except one on AD2.
Thinking that the problem may be in the AD replication process, I tried to demote AD2 to a member server, but it is impossible because of an "access denied", even with a domain administrator. Checking AD2, I just discovered that this server still uses the SAM and the old domain user database existing on it for authentication instead of the new AD user database. I now want to remove the old SAM and domain user database but don't know how. Could you please tell me HOW TO:
1- EITHER remove the old SAM and domain user database so that the Active Directory in AD2 can take over the authentication
2- OR remove the AD database on AD2 to demote it manually to a normal member server and then promote it back to an AD controller later.

Thank you very much in advance.
0
Comment
Question by:quang051097
8 Comments
 
LVL 4

Expert Comment

by:darrenburke
ID: 6465519
Are you running Native or Mixed mode?
0
 
LVL 2

Expert Comment

by:newwavepro
ID: 6465551
Well, first of all it is not wise to have your Exchange server, at a version lower than Exchange Server 2000, on a PDC; it should have been left on the BDC, since this contains a completely different SAM table than the one used in AD. Also, you needed to use the Active Directory Migrator tool

http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp

If you did not, then you are possibly stuck with the old SAM & Exchange for the alternate DCs. Once a PDC, it should stay a PDC unless it crashes, according to AD. So unless AD1 is totally down you will not be able to demote AD2 until there is NO AD for it to find or reference at all.

Now this is just my experience with this problem in the field in promoting and changing from NT4 to Win2k and AD only adds to the problems.
0
 
LVL 1

Author Comment

by:quang051097
ID: 6465598
darrenburke, I am running in Mixed Mode.
newwavepro, I now know it is not wise, but because it was too rushed to install SSL with a Verisign certificate, I had very little time to do some investigation and planning for the upgrade. Is it too late?
Is there any way to overcome the problem, or do I have to upgrade Exchange Server 5.5 to Exchange Server 2000 and change to Native Mode?
Thank you very much and look forward to your reply soon.
0
 
LVL 2

Accepted Solution

by:
newwavepro earned 100 total points
ID: 6466293
Well, you have part of the steps needed, but I would still have Exchange 2000 on the BDC no matter what. Once you put Exchange and the PDC together you are almost asking for an entire reformat. I had to do this with an Exchange 2000 server on a PDC of a domain tree, the highest tree in the forest, due to SAM overwrites. The key will be NOT removing Exchange but allowing the AD Exchange directory to be migrated to the BDC, which is the missing element.

------
Make sure the connection agreement is communicating properly between Exchange 5.5 and both the PDC & BDC by using the dcpromo utility to demote the PDC and promote the BDC, so the two can exchange the AD with each other, since it requires the equal log share file.

The link also gives the resource kit to help manage your group policies which is more likely the root of the problem since Exchange 5.5 is not designed for win2k

http://www.microsoft.com/exchange/techinfo/deployment/2000/default.asp

The requirements below must not have been followed for you to end up with your problem.

If all your Windows 2000 domains are in native mode, you will be able to take advantage of all Windows 2000 features in all domains, including universal groups and nested groups. Windows 2000 groups replace Exchange 5.5 distribution lists (DLs) during the upgrade of your messaging system.


----------
Exchange Version Prerequisites
To upgrade directly, Exchange 2000 requires that the Exchange-based server be running Exchange 5.5 Service Pack 3 (SP3). This is because the Active Directory service must connect to Exchange 5.5 SP3 servers to synchronize the directories of the two systems. Therefore, the prerequisites are:

In a single-server Exchange organization or site, that server must be running Exchange 5.5 SP3 to be upgraded.
In a multisite Exchange organization, there must be at least one Exchange 5.5 SP3 server in each site in which you plan to perform bidirectional directory synchronization.
In a multisite Exchange organization, there must be at least one Exchange 5.5 SP3 server in each site in which you plan to upgrade a server.
If you plan to install Exchange 2000 Server in a multiserver Exchange site, there must be at least one Exchange 5.5 SP3 server in the site. This allows for Active Directory/Exchange 5.5 directory replication.
If you plan to upgrade one of the servers in a multiserver Exchange site, that server must be running Exchange 5.5 SP3.

-------
Then you have to make sure that you have a proper ADC (Active Directory Connection) which is part of this link of tools to follow

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/exchange/deploy/depovg/e2kguide.asp

Once all that is resolved then it should work properly with the schemas set right.

I would upgrade to Exchange 2000 AFTER you get your SAM fixed, by copying the user profile logs over to the BDC as they are from the PDC.

Sounds like a bunch of mess to me :( but I was in a place where they didn't mind if I reformatted the whole thing; they would rather have it working properly.
0

 

Expert Comment

by:kupriaa1
ID: 6477521
NTDSUTIL metadata cleanup will remove incorrectly promoted domain controllers.

You're in a fix, and this is the only fix without reinstalling the whole domain structure. You may need to reinstall the old BDC; however, you can remove this machine from the Directory with the command-line utility NTDSUTIL.
Use the Metadata cleanup to remove the old SIDs for the other server.
0
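The NTDSUTIL metadata cleanup session referred to above, written out as an added example that is not part of the original thread or of any poster's reply. It assumes the healthy controller is AD1 and the controller being removed is AD2 (the names from the question), that you are logged on to AD1 as a Domain Admin, and that AD2 has already been taken off the network for good. The domain, site and server index numbers are placeholders: ntdsutil prints a numbered list at each `list` step and you pick the entry that matches your domain, site and AD2.

```cmd
REM Run on the surviving domain controller (AD1) as a Domain Admin,
REM only after AD2 is permanently off the network.
C:\> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
REM Bind to the DC whose copy of the directory will be cleaned.
server connections: connect to server AD1
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
REM Pick the index shown next to your domain (0 is a placeholder).
select operation target: select domain 0
select operation target: list sites
REM Pick the index shown next to the site that holds AD2 (0 is a placeholder).
select operation target: select site 0
select operation target: list servers in site
REM Pick the index shown next to AD2 (1 is a placeholder).
select operation target: select server 1
select operation target: quit
REM ntdsutil asks for confirmation before deleting the NTDS Settings object.
metadata cleanup: remove selected server
metadata cleanup: quit
ntdsutil: quit
```

After the removal, check in Active Directory Sites and Services that no server object named AD2 is left under the site (on Windows 2000 the leftover object sometimes has to be deleted there by hand), and delete AD2's computer account in Active Directory Users and Computers. From AD1, `repadmin /showreps` (Windows 2000 Support Tools) should no longer list AD2 as a replication partner. Only then rebuild AD2 as a fresh Windows 2000 member server and promote it again with dcpromo, which gives it a clean directory instead of the stale SAM-based one the question describes.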
 
LVL 5

Expert Comment

by:cempasha
ID: 8493742
Hi quang

- This question is still open and needs to be closed. If any of the comments above helped you, please accept that comment as an answer. If not please send an update about your issue so that the question can be finalised. Thank you

- Experts, please feel free to add any comments in here, if you keep silent points of question can be removed

- *** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ***

Pasha

Cleanup Volunteer
0
 
LVL 1

Expert Comment

by:netwiz562
ID: 8958115
**** CLEAN UP ****

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

RECOMMENDATION: [ Award points to "newwavepro" ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer
0
 
LVL 1

Author Comment

by:quang051097
ID: 9816142
Feel free to delete this question.
0
