Solved

Start over or fix...

Posted on 2004-04-09
Last Modified: 2011-09-20
I'm new to a network that's four years old and has been "tinkered" with by 6 different admins. The current problems identified are:
* New/Modified GPOs having no effect on current OUs
* gpupdate /force on XP systems does not force anything
* Changes to security groups taking up to 45 minutes to reach the only other DC (same site)
* Accounts that are disabled actually work for a couple hours before locking out (even after replicating)
* Exchange server set up and connected to only 1 DC - not the Schema master
* Lots of funky SMTP issues - messages stuck in queue and legit addresses rejected
* Users "disappear" from security groups

NTDSUTIL shows AD DB integrity as good. My boss and I are trying to figure out if setting up a new domain and trust to the current domain is a good idea, slowly migrating systems and users into the new domain. I'm willing provided none of this corrupt stuff makes its way in. I'm thinking more bulk export of AD and build a new DC - start over. I don't trust that any of the master roles are doing their jobs. Ideas?
Question by:zenportafino
8 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 10795913
You can actually change the roles the DCs have, but if I were you, I'd start over. Otherwise you have to find out all these problems. If you start over again (the domain is 4 years old) you actually know what has been done; now you're supporting somebody else's garbage..... You can use migration tools, but if you don't have a lot of users, just set up a new domain. You can migrate one domain within a weekend...

If you'd like some tips and tricks for migrating, just say so.. We just did one from NT to 2003 Server. Started all over again and it works like a charm...
LVL 1

Author Comment

by:zenportafino
ID: 10796045
More info... The site is small with only 50 users, 8 servers (1 ISA, 1 WEB, 1 Exchange, 2 SQL, 1 FILE, 2 DCs), 70 mailboxes, 2 DCs. My main concern is keeping security group membership intact. We're also current on all MS software assurance and want to take all of the servers to 2003. Any tips would be greatly appreciated. The solution has to be within a two day time frame and include an efficient method to verify that all problems are fixed and the new (if) system is healthy.

Thank you.
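One piece of the "efficient method to verify the new system is healthy" asked for above is a replication check between the DCs. The script below is an added example (Python, not code from this thread or from Microsoft): it reads `repadmin /showrepl /csv` output and flags links whose last attempt failed, that have never replicated, or whose last success is older than a threshold (the 45-minute lag reported in the question would trip it). The column layout is assumed to match repadmin's CSV mode, and the sample rows are constructed, not captured from any real DC.

```python
"""Triage `repadmin /showrepl /csv` output for replication links that are
failing or have not converged recently.

Added example, not from the thread. The column layout is assumed to match
repadmin's CSV mode and SAMPLE_CSV is constructed, not captured from any DC.
"""
import csv
import io
import sys
from datetime import datetime

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: three inbound links on DC1 from DC2 in one site.
# Row 2 is failing with RPC error 1722; row 3 has not replicated for ~105 min.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=example,DC=local",Default-First-Site-Name,DC2,RPC,0,0,2004-04-09 10:15:22,0
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=example,DC=local",Default-First-Site-Name,DC2,RPC,3,2004-04-09 10:15:40,2004-04-08 22:00:01,1722
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Schema,CN=Configuration,DC=example,DC=local",Default-First-Site-Name,DC2,RPC,0,0,2004-04-09 08:45:10,0
"""


def parse_showrepl(text):
    """Return one dict per replication link (the showrepl_INFO rows)."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    return [dict(zip(header, row)) for row in reader
            if row and row[0] == "showrepl_INFO"]


def parse_time(value):
    """repadmin writes 0 where no timestamp exists (e.g. no failure yet)."""
    if value.strip() in ("", "0"):
        return None
    return datetime.strptime(value.strip(), TIME_FMT)


def report(text, now_str, max_age_minutes=60):
    """Return human-readable findings for links that need attention.

    A link is flagged when its last attempt failed, when it has never
    replicated successfully, or when the last success is older than
    max_age_minutes relative to now_str (same format as repadmin's times).
    """
    now = datetime.strptime(now_str, TIME_FMT)
    findings = []
    for link in parse_showrepl(text):
        where = f"{link['Source DSA']} -> {link['Destination DSA']} [{link['Naming Context']}]"
        failures = int(link["Number of Failures"])
        status = link["Last Failure Status"].strip()
        last_ok = parse_time(link["Last Success Time"])
        if failures > 0 or status != "0":
            findings.append(f"{where}: {failures} consecutive failure(s), last status {status}")
        elif last_ok is None:
            findings.append(f"{where}: has never replicated successfully")
        else:
            age_min = int((now - last_ok).total_seconds() // 60)
            if age_min > max_age_minutes:
                findings.append(f"{where}: last success {age_min} min ago exceeds "
                                f"{max_age_minutes} min threshold")
    return findings


if __name__ == "__main__":
    # Usage on a DC:  repadmin /showrepl /csv | python repl_check.py -
    # Without "-" the constructed sample is analysed instead.
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_CSV
    for line in report(data, datetime.now().strftime(TIME_FMT)):
        print(line)
```

Run it against every DC, not just one: a link that looks healthy from DC1's side can still be failing inbound on DC2. Repeating the run after the cutover gives a simple before/after comparison for the two-day window.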
LVL 6

Expert Comment

by:parkerig
ID: 10796054
Hi,
As the IT manager for a large company I agree with the above.
Buy New Hardware and New Servers - Win 2003 and Exchange 2003
Cost is minimal compared to wasting months of time trying to fix problems that weren't even conceived when Win 2000 and Win NT4 were built.
Server 2003 is far more secure and less likely to be damaged by viruses etc.
Exchange 2003 is brilliant and does all the PDA and smart phone stuff - this is a huge saving in itself.

Also take opportunity to plan the network and Active Directory etc.
By buying new hardware you have the luxury of taking your time and doing it right.

As rhandels says if you need any more help I'm sure an EE can assist.
Ian
LVL 1

Author Comment

by:zenportafino
ID: 10796098
Thank you rhandels and parkerig. Could anyone provide a simple overview or general outline from where to start and what to watch out for? I don't want to upgrade the OS - fresh installs on all - is this nuts?  What do I need to watch out for when moving the mailboxes ect... Also, does anyone see a benefit in the domain/trust idea?
LVL 6

Expert Comment

by:parkerig
ID: 10796130
Hi,
My 5 cents worth
Agree, don't upgrade but use new hardware and new installs.
From memory we created all users from scratch and then imported mail. There are a few utils that do this, if another EE can give a URL for them. If not, with only 70 mailboxes just do it manually.
Make sure you plan security before copying across data.
Get an extra pair of hands on go live day as there is always something.
Don't forget the printers.

Cheers
Ian.
LVL 23

Accepted Solution

by: rhandels (earned 200 total points)
ID: 10797135
Hi,

I'd go for a new fresh install if I were you. New servers, new operating system. On the new operating system I would start up a new forest and then create the domains within the forest. This eliminates the need for trusts...

The best way to migrate the mailboxes is with ExMerge. Export the mail from your 2000 domain using ExMerge (it is on the Exchange CD, in the tools folder). Make .pst files from the mailboxes and create the new users in the new domain. After that, use ExMerge to import the .pst files into the new users... Be aware that, when using ExMerge on 2003 to import, the .pst files need to have the same name as the user alias, or else the mailbox will not be imported. Also, give the admin Send As rights on all users, else you cannot import the .pst files. It's all in the Microsoft documentation.

If you use the same IP plan, I don't see how anything strange can happen with ISA and other things. Be aware that OWA in 2003 is much different from the 2000 version... It's nicer, but takes more out of the server.

Also, as parkerig said, be aware of the printers. There aren't many 2003 drivers for printers. You can use the ones integrated in 2003 Server or use the 2000 PCL 5e drivers; they seem to work best.

Just try it from here. If you have more questions, I will try to help you, but this is my Easter weekend, I'm free for 3 days (heaven, it is heaven ;)).

I'll try to look into EE tomorrow....
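The alias rule in the accepted solution (a .pst whose file name does not match the target user's alias is silently skipped by the import) is easy to get wrong for 70 mailboxes. The script below is an added example, not ExMerge and not code from rhandels' post: it compares the exported .pst file names against the list of aliases created in the new domain and reports what imports as-is, what needs a rename, which PSTs have no target mailbox, and which new users would end up with an empty mailbox. All names are constructed.

```python
"""Pre-flight check for an ExMerge import: each .pst must carry the target
user's alias as its file name, or that mailbox is not imported.

Added example with constructed names; this is not ExMerge and not data from
the poster's environment.
"""
import os


def plan_import(pst_files, aliases):
    """Match exported PST file names against the aliases in the new domain.

    Returns a dict with four lists:
      ready      - PSTs whose stem equals an alias exactly
      rename     - (old, new) pairs whose stem matches an alias only in case
      no_mailbox - PSTs with no alias to land in (user not created yet?)
      no_pst     - aliases for which nothing was exported
    """
    alias_by_lower = {a.lower(): a for a in aliases}
    plan = {"ready": [], "rename": [], "no_mailbox": [], "no_pst": []}
    matched = set()
    for name in sorted(pst_files):
        stem, ext = os.path.splitext(name)
        if ext.lower() != ".pst":
            continue  # only .pst files are relevant to the import
        alias = alias_by_lower.get(stem.lower())
        if alias is None:
            plan["no_mailbox"].append(name)
            continue
        matched.add(alias)
        if stem == alias:
            plan["ready"].append(name)
        else:
            plan["rename"].append((name, alias + ".pst"))
    plan["no_pst"] = sorted(a for a in aliases if a not in matched)
    return plan


def apply_renames(directory, plan, dry_run=True):
    """Rename the case-mismatched PSTs in place; returns the (old, new) pairs.

    With dry_run=True nothing on disk is touched, so the plan can be reviewed
    before the real run.
    """
    done = []
    for old, new in plan["rename"]:
        if not dry_run:
            os.replace(os.path.join(directory, old), os.path.join(directory, new))
        done.append((old, new))
    return done


if __name__ == "__main__":
    import sys
    # Usage: python pst_check.py <export dir> <aliases.txt>   (one alias per line)
    export_dir, alias_file = sys.argv[1], sys.argv[2]
    with open(alias_file) as fh:
        aliases = [line.strip() for line in fh if line.strip()]
    plan = plan_import(os.listdir(export_dir), aliases)
    for key in ("ready", "rename", "no_mailbox", "no_pst"):
        print(f"{key}: {plan[key]}")
    print("renames (dry run):", apply_renames(export_dir, plan))
```

The alias list can be exported from the new domain with whatever directory tool is at hand; the point is that both `no_mailbox` and `no_pst` are empty before the import starts, so no user is discovered to have lost mail on go-live day.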
LVL 11

Assisted Solution

by: rafael_acc (earned 50 total points)
ID: 10800576
Ok. Here is my tip:

First, make a backup of your system by backing up your system state data, or you could use Norton System Ghost, which makes a clone of your disk so you could easily restore it in case something goes wrong.

Instead of reinstalling your OS or reconfiguring some settings manually, you could reapply the default installation security settings by applying the default administrative template on your server machine. Then, considering your network requirements, make all needed configurations yourself.

See these links:
· http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_SCEdefaultpols.htm
· http://is-it-true.org/nt/nt2000/atips/atips74.shtml
· http://support.microsoft.com/default.aspx?scid=kb;en-us;q313434&sd=tech

If you are a patient guy, try also verbose logging to troubleshoot your GPOs (it could be a painful process):
· http://support.microsoft.com/default.aspx?scid=kb;EN-US;316243


That's it for now! I wish you good luck.

Cheers,
Rafael
LVL 11

Expert Comment

by:rafael_acc
ID: 10800579
Oh, ... these are security templates, not administrative templates as I first posted.