ldavis130

taking windows 2000 server down and replacing it temporarily

I want to reformat our server at school.  It has some bugs and it's been running for 2 years now.  I would like to take a computer that has the hard drive space but is Windows 98 and take the Travan backup tapes and restore to this computer so that I can take the server down and run this one on the network until I can get the server back up.  Can I do this? Will it reformat the hard drive and replace the operating system too?  I have nothing to lose with the Windows 98 computer because I can just reformat it in the end. We can't go without a server and I predict that it will take approx. 2 weeks to redo Active Directory and our database.
Lisa
Pete Long

If you're running a domain, this is not as simple as you would think. Is this the case?
Hey Pete..!!  gtcu again..  :)

This is a pretty involved procedure, as Pete mentions.  But it would be good to do it anyway, and the practice it gives you would be a good learning experience...  But do not take the server offline until you absolutely know that the new DC is working correctly.

You would need to wipe that 98 box clean, install the W2K Server OS, and then restore your System State and whatever data, including profiles, etc. back to the server...

FE
I would assume a domain because she said she is running Active Directory.

I would reformat the Windows 98 box and install a fresh copy of Windows 2000 on it and make it a DC. Then allow for replications of all domain accounts, policies and security settings and ACLs. Copy over any data or other shared resources you need.

Restoring from tape a server onto different hardware will most likely croak.
yea.. that could cause some problems, and installing that Travan drive may be a headache also..  :)
Everyone is correct above.  The headache with the backup and restore would be immense.

Much better to do a clean install on the Win98 box and run dcpromo to make it a DC.

Let the two DC's chit-chat for a day or so to make sure everything is working.

Transfer all files etc . . . to the new DC.

Before taking the original DC offline you MUST transfer the FSMO roles to the new DC.

See MS Knowledge Base Article 223787 for all the details.

The easiest way is to run dcpromo on your original DC to demote it to a member server.  This process will transfer all of the FSMO roles to the new DC.

If the dcpromo approach doesn't work, you can shut down the original DC and have the new DC seize the roles.  This is also covered in the reference Knowledge Base Article.

Note: After you rebuild the original DC you will need to transfer the FSMO roles back to it.

If you don't transfer the FSMO roles you won't be able to do things like add new computers to the domain, rename machines, create trusts, etc . . .
ldavis130

ASKER

Yes it is a domain controller.  The Travan backup is on another computer.  I back up over the network so restoring the database that we use will be easy.  averyb you scared me.  I read the knowledge base article and I didn't understand it.  The man that built our computer gave it to me and said that he didn't know how to use Windows 2000 Server so I set up Active Directory and all that myself in two weeks before the school started up. I am not an expert.
But I did it once I guess I can do it again.  
Lisa
ldavis..  don't worry, it is really a simple process if you follow those directions...  the only trick is to make sure that you have transferred the pertinent data.  The AD will replicate by itself after you dcpromo it...  Just make sure that you transferred the FSMO roles as avery mentioned...

FE
Seems like all us techs here agree on the solution for your problem. Be it, if things go wrong we are a website away. :)
ASKER CERTIFIED SOLUTION
averyb
(This solution is only available to members of Experts Exchange.)

Piece of cake, and like digg says, we are always around to help you when things go south...  :)
Hands FE a cookie.....man FE...early mornings, late nights....

<looks for caffeine high beverage>
*grin*  Early mornings, but I leave the late nights for you younger techs....  haha
Caffeine, did you say caffeine.  Check out thinkgeeks.com for goodies.
Thank you for your help.  I will begin to try this.  This is a schoolminder database with all the records and grades for the entire school.
Lisa
Ok.  I started dcpromo and for some reason I can't get past the full dns name for which the existing server will become an additional domain controller.  I browse and select the domain name and then it says that it cannot contact the domain.  I can browse through the network and access the server and the folders and I can get on the internet, but I can't set this up.
Lisa
Have you joined it to the Domain..??    (Not dcpromo, but actually make it a member server -meaning a member of the domain..)
First of all which server are you running dcpromo on?  There has been so much info on this thread that I am getting confused.
This is what I remember:
You have a functional W2K AD domain with only one DC
You have a brand new install of W2K.
You just tried to run dcpromo on the new install.

Is this correct?

Can you give the servers some names to make it easier to reference them.

Don't get frustrated.  This part can be temperamental.

Before you run dcpromo on the member server:
Can servers see each other in Active Directory?
Can you ping the DC from the member server by name?
Do an nslookup on the DC name from the member server at the cmd line.  What are the results?
Might be worthwhile to start over.
Remove the member server from the domain.  Delete the machine account in AD.
Now join the member server back to the domain.

How do I join it to the domain?  When I open up Active Directory in the main server I don't see it.  The steps averyb listed are correct.  I will try doing what you suggested in the a.m. at school.
Thanks,
Lisa
Thanks for the clarification
To add a W2K server to a domain:
First make sure the new server can ping the DC by name and by IP address.
Make sure the primary DNS server listed under TCP/IP Properties is the DC

Right-click My Computer and choose Properties
On one of the tabs will be a button for renaming the machine or changing the workgroup/domain.
(I am on XP right now and can't remember which tab it is)
Click it.
Enter the domain name in the appropriate blank.  This should be a blah.com or .edu or something.  Whatever you call your domain.

To check your domain name, log off of your DC.  The domain name will be the only choice in the Log On drop down list when you log back on.  Enter this name in the blank mentioned above. (Note: in some weird cases this still might not work).

You will need a domain admin account and password to add the server to the domain.

You should get a message saying Welcome to Domain blah.com or .edu or whatever.

You should now be able to log onto the new server with the same domain user account you use to log onto the DC.

I've been thinking about that database you are using.  We'll need to talk about that in detail.  There could be some under-the-hood things going on that we need to investigate to make sure it'll work on the new server.  We'll worry about that later.

First I want to get your new server in the domain.
Then I want to promote it to another domain controller.
Then we'll worry about the database.
Then we'll demote the original domain controller

My goal is to avoid any downtime and prevent any data loss for all your users.  We could do it quick and dirty and cross our fingers or slow and clean.  If there are time factors that need to be addressed let me know and we can speed things up some if needed.
*grin*  Slow and clean vs quick and dirty...  interesting way of putting it..!!  

Looks like avery did the job explaining the domain joining process..  You must do this before you can promote a server...  

FE
I joined it to the domain and I see it in active directory under computers.
So far so good.  I had to add the user name in computer management on the new server under users and made it a member of the administrator's group and when I go to run dcpromo it tells me that I need to be a member of the administrator's group.
I already did that.  The default administrator is administrator but you said not to use that as the log in if it is the same as the other computer.  Did I understand that correctly?
Lisa
I'm starting to see the problem.  When I do nslookup I get the following error.  Can't find server name for the following address and it lists the IP address.  Non-existent domain.  DNS request timed out.
Default servers not available.
Lisa
Are you logging in as the Local Admin, or the Domain Admin..?
Local administrator
Also, on the old server the dns is our internet service provider not the local domain.  When I changed the dns server to match the old server the nslookup finds our internet service provider.  When I go to settings > control panel >admin tools >dns it cannot connect to the domain.
I think I have a bigger problem perhaps with the way the old server was set up.
Lisa
The reason I asked the above question is:

To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

Delegated: An assignment of administrative responsibility to a user, computer, group, or organization.
For Active Directory, an assignment of responsibility that allows users without administrative credentials to complete specific administrative tasks or to manage specific directory objects. Responsibility is assigned through membership in a security group, the Delegation of Control Wizard, or Group Policy settings.
For DNS, an assignment of responsibility for a DNS zone. Delegation occurs when a name server (NS) resource record in a parent zone lists the DNS server that is authoritative for a child zone.

To create an additional domain controller

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/enterprise/proddocs/en-us/replicadcpromo.asp

Step by Step guide to setting up additional domain controllers:

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/domaincntrl.asp

Checklist: Creating an additional domain controller in an existing domain

http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/enterprise/proddocs/en-us/checklist_createreplicaDC.asp

You're right about the DNS being a little messed up.

We'll need to get that fixed before promoting the other server.

Is your domain on the Internet (i.e. public) or is it private (i.e. no one can see it over the Internet)?

Your DC must point to itself as its DNS server.
Enter the ISP's DNS servers on the Forwarder tab.  All your clients and servers should point to your original DC as their primary DNS server.
Do you have anything on the root hints tab?

After making the change, make sure your users can still get to the Internet.  Be sure to write down the DNS settings before you make the changes.  We'll get DNS working as is then we'll get the second DC up and running.  If your original DC does have a functional DNS server then you won't be able to upgrade.

Also, you should make the forward lookup zone for your domain an AD integrated zone.
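
The name-resolution checks asked for in this thread (DNS pointing at the DC, ping the DC by name, nslookup), collected into one batch file as an added example that is not part of any post. It also queries the `_ldap._tcp.dc._msdcs` SRV record that Active Directory clients use to locate a domain controller, which the thread does not mention; `school.example` and `dc1.school.example` are placeholder names.

```batch
@echo off
rem Added example: DNS checks to run on the new member server before dcpromo.
rem DOMAIN and DC are placeholders (assumptions); substitute your own names.
setlocal
set DOMAIN=school.example
set DC=dc1.school.example
set FAIL=0

echo [1] DNS servers this machine is using (should be the DC, not the ISP):
ipconfig /all | find "DNS Servers"

echo [2] Ping the DC by name
ping -n 2 %DC% >nul
if errorlevel 1 (
    echo     FAIL: %DC% does not answer by name
    set FAIL=1
)

echo [3] Look up the DC's host record
rem nslookup's exit code is not reliable, so look for the answer line instead.
nslookup %DC% 2>&1 | find "Name:" >nul
if errorlevel 1 (
    echo     FAIL: the configured DNS server has no record for %DC%
    set FAIL=1
)

echo [4] Look up the domain controller SRV record for %DOMAIN%
rem A DC registers _ldap._tcp.dc._msdcs.<domain> in the domain's DNS zone.
rem An ISP resolver does not hold this record, so the lookup fails there.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 2>&1 | find /i "svr hostname" >nul
if errorlevel 1 (
    echo     FAIL: no SRV record found; dcpromo will not locate the domain
    set FAIL=1
)

if "%FAIL%"=="1" (
    echo RESULT: fix DNS first. Point this server and the DC at the DC's DNS service.
) else (
    echo RESULT: name resolution looks ready for dcpromo.
)
endlocal
```

A failure at step 4 while steps 2 and 3 pass usually means the machine resolves ordinary names but is asking a DNS server that does not host the domain's zone.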



When I add the DNS for the server and do nslookup on the old server, it can't find the domain.  I gave up, decided that I didn't configure the domain server correctly and since the computer is not working well, I went ahead and installed Active Directory on the new computer as a new domain.  When I get the old server working correctly, I will follow these steps to demote the new server.
Lisa
Good luck with it then..  let us know how it turns out..

FE
That won't work!

What do you mean by a new domain?

If you installed AD as the first domain controller in a domain, then you created a new domain.  Even if you gave it the same name.

The two DC's are in reality in two different domains.

If DNS is properly configured then you won't have any problems.

Let's forget about the new DC for now and get the original one working.
Good idea avery...   Unless she wants to input all new data into the AD database, it will be a problem..
I already created a new domain on the new server.  I can do an nslookup and it finds it.  I already had some goofy things going on the old server in Active Directory and was going to have to fix it anyway.  Can't I set this one up the right way and take the old server down and then when I get it working do the dcpromo and demote the new server?  I told you the old server had problems.  The event viewer is broken and the server locks up every other day.  That's what happens when someone who doesn't know everything about Windows 2000 Server sets it up.  I'm getting really good at it though.
Lisa
Yes you could with a BIG but.  Setting things up the right way is definitely the way to go.  Sometimes people get so focused on fixing the problem they often forget that avoiding the problem is often a better solution.  It's good you know when to cut your losses.

I assume that you gave the new domain the same name.  I'll refer to them as D1 and D2.  They are two distinct domains.  It's important to remember that the two DC's will not communicate with each other like two DC's in the same domain would.  Your two DC's are NOT in the same domain.

All of your clients were members of D1.  They will need to be removed from the domain and put into a workgroup and then put back into D2.  All the clients will need to use D2 as their primary DNS server after they are moved to a workgroup but before they are joined to D2.  Normally you could just move machines from one domain to another, but since they are the same name it'll be simpler to go through a workgroup.

Since the domains are different permissions on the different folders will need to be recreated.

You'll need to create a new user account in D2 on the new DC for every user in D1.  There are tools to do this, but they can be problematic in your situation.  Doing it the long way will be a good learning process, and you'll know exactly what is happening each step of the way.

Depending on your database, it might have used a domain account for its service account.  If it did then it's a D1 domain account not a D2 domain account.  You'll need to make the appropriate changes.  How does your database work?  How do users access the database to enter grades and such?  How does the database interact with the original DC from D1?

Make sure DC2 has its own IP address listed as its primary DNS server.


Make sure you document everything on the DC from D1 so you can create it in D2:
Shares
Users (including group membership)
Groups
IP Configuration (ISP DNS IP addresses and default gateway)
DNS configuration for zone name

A good approach might be to unplug the original DC from the network, if users can handle down time. (How many users do you have?)  That way you can look at the old DC while you configure the new one.  It'll often show you by example how to configure stuff . . . or show you how not to configure stuff depending on how you look at it.

If you do unplug the DC from the network, you'd get an error that the DC could not be contacted when you remove machines from the domain but you could just ignore it.  To "test" this approach you could just unplug the DC from the network.

If you gave the new domain a different name, then you can just change the domain it belongs to instead of going through a workgroup.

You'll need to review each client machine for erroneous or conflicting entries in the host and lmhost file.  \winnt\system32\drivers\etc

I gave DC2 a new name.  I installed the database through the network onto the server.  Each person has rights to use it.  All I have to do is to make sure that the database is in the same folder on the DC2 as it was on DC1.  The mapped drive should pick it up as the same.  I hope.  I have approximately 30 users at the school.  A question I have on the active directory is when do you use a computer and not a user?  I have a computer lab that logs onto the server to store files that they create.  They can't access anything but one folder.  Do I set each computer up as a user or a computer?  If I set it up as a computer, how do I give it a log in password?  Last time, I set each one up as a user. I appreciate all your help averyb and fatal exception.  Thanks for being patient.
Lisa
:)   Computer accounts and User accounts are 2 different things altogether...  If I am understanding you correctly...   You must setup user accounts for users to log in with..  The default location is the User Container, but I like to create OU's for my users and place them there for administrative ease..  (Finance/Human Resources/etc...)  I can also setup Group Policy that way that reflects the Container I place them into...

The computer accounts should setup automatically when you connect the computer to the domain..  One thing here though, if you want to push GPO's to your computers outside the Domain GPO, then you must create an OU for them and move them into it, then set a specific GPO on that OU...

FE
Sounds like the database is working fine.

FE nailed it.

Computer accounts are created for you.  You just need to create the user accounts for your users in the new domain.

You'll need to share the db folder on D2 with the same name as the original share on D1.  You'll also need to make sure the clients are pointing to D2 as their primary DNS server and after they are members of the new domain.  Remember that when you map drives and connect to shares you use the computer name\share name to do it.  Even with the same share name all the users are connecting to D1\share name.  Now they will need to connect to D2\share name.  You'll need to make changes to each client.  How do the users connect to the database?  Is there a shortcut on the desktop? Do they point to a mapped drive?  Depending on the answer you might be able to use a login script to make the changes automatically.

You'll quickly realize that GPO's make things much easier, but they do have a different degree of complexity.
If I understand correctly, GPO's won't work on Windows 98 computers?  I only have one Windows XP computer currently on the network, the rest are Windows 98.  We are in the process of upgrading this summer.
Lisa
Correct, Active Directory Group Policy cannot affect Windows 98 clients. Group Policy only affects W2K, XP and the W2K3 Server OS's.. You'll need to use old-style SYSTEM POLICY which creates CONFIG.POL files. Remember -- these SYSTEM POLICIES will be permanent entries in your registry until you specifically change and inverse the settings ( the reason why AD was created in the first place, I believe..)

Am sure you are looking forward to the upgrade...  I run a mix of W2K and XP Pro right now, and am trying to get everyone up to XP..  Like pulling teeth..  :)