Solved

Configure Win2K DC and DNS to allow Trust relation with Win2003 Server.

Posted on 2004-08-03
Last Modified: 2012-08-13
The servers don't recognize each other as domain controllers so a trust relationship cannot be established.
The Win2003 server is a fresh load with AD and integrated DNS. Nothing special done for this box, it is just a standard install.

The Win2K server was upgraded from NT4, years ago, it has a single name - domain name "VCSLAB".
DNS has been recreated and most DCDiag errors are gone.
NSLookup fails again to recognize the server as a DC.
Let's start with this one:

NSLOOKUP
*** Can't find server name for address 192.168.0.2: Non-existent domain
*** Default servers are not available
Default Server: Unknown
Address:    192.168.0.2

Question by:mgoering
 

Expert Comment

by:JamesDS
ID: 11708686
mgoering
Your first problem is the single label domain name on the W2k AD domain.

You can set the forwarders on the W2k DNS to point to the DNS on the W2k3 box
You can set conditional forwarders on the W2k3 box to point .VCSLAB domain lookups to the W2k box and set the forwarder for all other domains to whatever the original forwarder on the W2k box was set to.

Then you can add a domain suffix search list to each server for the other domain - configure that in the IP advanced, DNS properties on each server's NIC

They should be able to resolve each other after that and the trust should then create OK.

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11709561
I'll try this!
Forwarders in DNS are set on each Svr with each other's IP.
I have also added each others domain suffix to their suffix search list.

IPConfig of the Win2003 server, AKA vcs01.vcsc.org shows: VCSC.ORG as the primary DNS Suffix and vcslab in the search list.
IPConfig of the Win2K server, Lab-PDC1.vcslab shows no Primary DNS Suffix(?), and vcsv.org in the search list.

Still no trust.

Where can I set the Primary DNS on lab-pdc1?

 

Expert Comment

by:JamesDS
ID: 11709647
mgoering
what about the network, are they on the same subnet, or routed/firewalled?

DNS primary is set in the same place as the suffix search list and in the computer name properties:
Control panel, system, computer name, change, more, "primary DNS suffix of..."

I am looking at XP, but I think they are the same places on W2k :)

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11709865
JamesDS,

The servers are non-production. I have built up the Svr2003 as a domain controller in a new forest
(I just want the user list from the old domain).

The old server is still running unchanged on the network.  I have a copy (create backup file, ghost-mirror HD, reload Win2K, restore from backup), loaded on a system in the lab. Both servers are connected to a switch, they ping etc.

I don't have a More button in the properties of General-My computer.
But I'll search for the control.

Michael
 

Author Comment

by:mgoering
ID: 11709932
I did check under the Network Identification tab instead of the General tab.

Win2K server won't allow a name change once it was promoted to DC, at least under MyComputer.

Michael
 

Author Comment

by:mgoering
ID: 11712398
I confirmed at ms that the primary domain suffix could not be changed through the System GUI.
I downloaded a VBS script from MS:
http://support.microsoft.com/default.aspx?scid=kb;en-us;257623&Product=winsvr2003
My Primary DNS suffix on the old Win2K server is now VCSLab!
nslookup is OK.

Still no trust. The Win2K server will now present a request to "verify the trust" to authenticate as admin from the Win2003 server but the result fails to "verify the trust".

mg
 

Expert Comment

by:JamesDS
ID: 11712564
mgoering
In order for trusts to work you need a PDCEmulator on each domain
Download and run DUMPFSMOS and post the result from each domain controller:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/dumpfsmos-o.asp


Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11722214
JamesDS

These are the two dumps:

ntdsutil: roles
fsmo maintenance: Connections
server connections: Connect to server lab-pdc1
Binding to lab-pdc1 ...
Connected to lab-pdc1 using credentials of locally logged on user
server connections: Quit
fsmo maintenance: select Operation Target
select operation target: List roles for connected server
Server "lab-pdc1" knows about 5 roles
Schema - CN=NTDS Settings,CN=LAB-PDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VCSLab
Domain - CN=NTDS Settings,CN=LAB-PDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VCSLab
PDC - CN=NTDS Settings,CN=LAB-PDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VCSLab
RID - CN=NTDS Settings,CN=LAB-PDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VCSLab
Infrastructure - CN=NTDS Settings,CN=LAB-PDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=VCSLab
select operation target: Quit
fsmo maintenance: Quit
ntdsutil: Quit
Disconnecting from lab-pdc1 ...


ntdsutil: roles
fsmo maintenance: Connections
server connections: Connect to server vcs01
Binding to vcs01 ...
Connected to vcs01 using credentials of locally logged on user.
server connections: Quit
fsmo maintenance: select Operation Target
select operation target: List roles for connected server
Server "vcs01" knows about 5 roles
Schema - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
Domain - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
PDC - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
RID - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
Infrastructure - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
select operation target: Quit
fsmo maintenance: Quit
ntdsutil: Quit
Disconnecting from vcs01...
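As an added example (my own code, not anything from the thread or from Microsoft's tools): the ntdsutil dumps above are easy to misread by eye, so this Python script parses the "List roles for connected server" output, records which DC holds each of the five roles and under which forest root, and reports the two things the expert is asking about: whether a PDC emulator is known and whether every role is held by a reachable DC. It also flags the bind failure that appears later in the thread (DsBindW error 0x6ba), which means no roles could be read at all. Both sample dumps are constructed, modelled on the posted output.

```python
import re
from typing import Dict, List, Tuple

ROLES = ("Schema", "Domain", "PDC", "RID", "Infrastructure")

# Constructed sample, modelled on the ntdsutil "List roles for connected
# server" output posted in the thread; not a capture from a live system.
SAMPLE_DUMP = """\
ntdsutil: roles
fsmo maintenance: Connections
server connections: Connect to server vcs01
Binding to vcs01 ...
Connected to vcs01 using credentials of locally logged on user.
server connections: Quit
fsmo maintenance: select Operation Target
select operation target: List roles for connected server
Server "vcs01" knows about 5 roles
Schema - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
Domain - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
PDC - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
RID - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
Infrastructure - CN=NTDS Settings,CN=VCS01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vcsc,DC=org
select operation target: Quit
"""

# Constructed sample of the failure mode that appears later in the thread:
# the RPC bind fails, so ntdsutil never prints a single role line.
SAMPLE_DUMP_UNBOUND = """\
server connections: Connect to server vcs_lab
Binding to vcs_lab ...
DsBindW error 0x6ba(The RPC server is unavailable.)
select operation target: List roles for connected server
Not connected to a server - use "Connections"
"""

# One role line: "<Role> - CN=NTDS Settings,CN=<DC>,CN=Servers,...,CN=Configuration,<forest root DN>"
ROLE_LINE = re.compile(
    r"^(?P<role>Schema|Domain|PDC|RID|Infrastructure)\s+-\s+"
    r"CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,.*?,CN=Configuration,(?P<root>DC=.+)$"
)


def parse_fsmo_dump(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each role name to (holder DC, forest root DN) for every role line in the dump."""
    holders: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            holders[m.group("role")] = (m.group("server").upper(), m.group("root").lower())
    return holders


def fsmo_problems(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the dump looks healthy."""
    problems: List[str] = []
    if "DsBindW error" in text or "Not connected to a server" in text:
        problems.append("ntdsutil could not bind to the DC (RPC unavailable): fix name "
                        "resolution and the DNS/Netlogon services before reading roles")
    holders = parse_fsmo_dump(text)
    missing = [r for r in ROLES if r not in holders]
    if missing:
        problems.append("no holder listed for role(s): " + ", ".join(missing))
    if "PDC" not in holders:
        problems.append("no PDC emulator known; a trust needs one in each domain")
    servers = sorted({dc for dc, _ in holders.values()})
    if len(servers) > 1:
        # Legitimate in a multi-DC domain, but every holder must be online and
        # resolvable or operations such as trust creation and rename will fail.
        problems.append("roles are split across DCs: " + ", ".join(servers))
    return problems


if __name__ == "__main__":
    for name, dump in (("vcs01", SAMPLE_DUMP), ("vcs_lab", SAMPLE_DUMP_UNBOUND)):
        print(name, "->", fsmo_problems(dump) or "OK")
```

Run it against a saved `ntdsutil` transcript (`python fsmo_check.py < roles.txt` after swapping the sample for `sys.stdin.read()`); an empty result for each domain is what you want before retrying the trust.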
 

Expert Comment

by:JamesDS
ID: 11723535
mgoering


*@#&%$!!!
I really thought that would be it!

You are trying to create a domain trust and not a forest trust aren't you? Windows 2000 doesn't support forest trusts.

It might be simply that the trust relationship cannot be established with a single label domain on windows 2000. Perhaps you should consider fixing that first.

The usual thing to do is do an in place upgrade to Windows 2003 and use the RENDOM.EXE tool

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11728017
JamesDS,

I thought that Win2000 could do a forest trust from a question I posted earlier.  I could change the domain name to VCSLAB.Loc if you think that would allow the trust and migration to occur.

If  on the other hand, I upgrade the server wouldn’t I still need to change the domain name anyway?

I will backup the Win2K server then run adprep.  

mg
 

Accepted Solution

by:
JamesDS earned 500 total points
ID: 11728982
mgoering

no, Windows 2000 cannot do forest trusts, if you give me a link to the Q I will post a correction.

The forest trust was a new feature introduced with Windows 2003 to facilitate domain consolidations (typically necessary during company mergers). The Domain Rename Tools were introduced for the same sorts of reasons.

To establish a forest trust, both domains MUST be running in Windows 2003 full native mode as well.

To change the domain name of a Windows 2000 domain you will need to upgrade it to Windows 2003 and use the Domain Rename Tools (downloadable from the MS website)

So the process we have now is:

Upgrade old domain to Windows 2003 using ADPREP and insitu upgrade
Domain Rename
Establish trusts
Migrate using ADMTv2 or other preferred tool

You can still do a domain trust, which might well work even with the single label domain name (I have looked and can't find out for sure either way). This would save you doing the upgrade.

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11754034
The question that suggested WIn2K forest trusts was:
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21069748.html

ADPrep is completed w/o errors. I don't recognize insitu upgrade. Is that an application or a typo?

It sounds like I should rename my domain to VCSLAB.LOC?
Is there a benefit or risk to changing the name to match the new domain?

I see light at the end of this tunnel!

mg
 

Expert Comment

by:JamesDS
ID: 11755092
mgoering

insitu refers to an in-place upgrade. This is where you upgrade an existing server by installing the new OS over the top of the old, i.e. insert the CD, run setup and follow the prompts.

You can't migrate to the new forest if the two domains are the same name as the trust relationship won't work and your DNS will get confused.

Other than that, you seem to be doing fine!

Let me know how you get on
Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11756138
JamesDS,

Full speed ahead, I have already started running from the 2003 install, doing the pre-install checkup.

Several things have been pointed out as problems, modem, fax and other not-so-critical. One, however, I will resolve before going on: the pre-install listed administrative tools as not being 2000?

I've moved the server to connect to the internet to what might be called the DMZ, that small network driven by the DSL router that typically has the address of 10.0.0.1-5, to check for updates...
so far so good.

mg
 

Expert Comment

by:JamesDS
ID: 11756174
For the new version of the Administrative Tools go here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

These are newer versions than the one on the W2k3 CD in \I386\adminpak.msi

I am signing off for the night now, UK time is EST+5
I'll pick up any more in the morning
Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11759569
Now I'm turning in... The internet connection was intermittent then not responding at all. Ping worked to the outside. I remembered to disable the other NIC. Now the Internet is working, I did some updates. I think the server will be ready for me to start the actual upgrade in the morning ~10:00 PST.

mg
 

Author Comment

by:mgoering
ID: 11766442
The server is Win2k3.

I had to upgrade without resolving the Administrative tools issue. After the upgrade they installed from the msi file on the CD without any problems.

I am making a backup of the root drive & system files then plan to use the netdom command to rename the domain to vcslab.loc.

mg



 

Author Comment

by:mgoering
ID: 11768303
I haven't been able to download the rendom.exe file from MS. There seems to be a problem with the link found on:
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx

I read the Implementation Guide and see that no other prep to the server is needed because this is the only server in the forest. The guide did point out that the rendom shouldn't run from the server but from a workstation on the domain.

mg
 

Expert Comment

by:JamesDS
ID: 11770304
mgoering
The link works fine here. Do you have the Enhanced IE Security installed? (It installs by default on W2k3.)

Look in add/remove programs, windows components to see if it's installed, and remove it if necessary - or download from elsewhere. You can put it back on later.

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11773638
I've just tried the link from home, (the actual download-link of the .exe file) and it still fails.
The doc files downloaded OK.

I'll try right clicking and save file...The link returns "MS Ie cannot open the site. The requested site is unavailable or cannot be found".

I'll try downloading with an un-protected system when I get to the lab.
 

Expert Comment

by:JamesDS
ID: 11775612
mgoering
I just checked back and the download link is no longer there!

Looks like they are doing a re-release

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11775854
Server update:
The upgraded server isn't acting like a domain controller.
   DNS isn't working... When I open DNS it has no structure and reports that it "Cannot contact the DNS server" as if this server is no longer the main DC in the forest.

I will look into DCPromo otherwise I'll have to wait for MS to release the rendom app.

mg
 

Author Comment

by:mgoering
ID: 11776099
DCPromo wizard warns that this is already an AD domain controller and a global catalog server.
To proceed would remove AD and risk losing the user list?

mg
 

Author Comment

by:mgoering
ID: 11776241
I found that I needed to start DNS in Services. DNS is now up and I can login from the single workstation I have connected to this lab network and have logged in using an existing account. I feel better now.
mg
 

Expert Comment

by:JamesDS
ID: 11777890
mgoering
yup, don't run DCPromo again, it will remove AD!!

let me know how you're getting on in the morning, signing off for now

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11817024
JamesDS,

I haven't given up, I'm still waiting for MS to release the rendom.exe app.
I don't suppose there is another way to prepare for migration without this application, is there?

mg
 

Expert Comment

by:JamesDS
ID: 11817888
mgoering
This Q was all about getting a trust to work. If the trust is now dependent on RENDOM then you will have to wait. However, if you are able to upgrade the domain to Windows 2003 and retry the trust it may work that way and rendom will be unnecessary.

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11861825
I have the rendom command and am following the steps outlined in the posted process, http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx .
I had to build up another Win2k3 server and have it join the domain to run the command.

The server needed the forest functional level increased. The process to "raise it to interim level" caused the DC not to be recognised, so I cleared the "msDS-Behavior-Version" and raised the forest level in AD Trusts and Domains.
Now the server passed the "rendom /list" step.

Now to step 4...
 

Author Comment

by:mgoering
ID: 11862000
JamesDS,

Step 5 failed, "rendom /upload" reported that it couldn't find the GC.

"Can not connect and bind to the domain naming FSMO".

This is the GC. The new, (standard-not a DC) server has joined the domain. I don't understand what is missing.

mg
 

Expert Comment

by:JamesDS
ID: 11863476
This should be your old domain, why are you joining machines to it?
 

Expert Comment

by:JamesDS
ID: 11863484
sorry. ignore me, I misread your previous post.

Can you re-run DUMPFSMOS and just confirm that all the FSMOs are pointing to the same place?

Then, can you tell me where this machine is pointing to for it's DNS?
 

Author Comment

by:mgoering
ID: 11864463
The server is having problems: dumpfsmos reports:

ntdsutil: roles
fsmo maintenance: Connections
server connections: Connect to server vcs_lab
Binding to vcs_lab ...
DsBindW error 0x6ba(The RPC server is unavailable.)
server connections: Quit
fsmo maintenance: select Operation Target
select operation target: List roles for connected server
Not connected to a server - use "Connections"
select operation target: Quit
fsmo maintenance: Quit
ntdsutil: Quit

It surprises me that this server’s processes change though I do very little to it!

I can restore from an earlier backup (from last week) then re-raise the forest level to svr2003 only domain or ...?
 

Expert Comment

by:JamesDS
ID: 11864599
Sounds like it's lost its DNS

I would look at DNS and make sure it is pointing to an internally controlled DNS that it can write the _MSDCS entries to

You can restart the netlogon service to put the entries back if they are missing

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11875537
So far so good.

I am at step 6.
Recap: The DCList was created and shows the original name for the old server.

The command line "dsquery server -hasfsmo name"
returned the message "The server is not operational".

dumpfsmos looks OK.

 

Author Comment

by:mgoering
ID: 11876181
I'll need to sort out any instructions in this process that require other DCs in the forest to generate the same results as the Step-by-Step Guide. I wouldn't want to be trying to fix something that isn't there.

The dsquery is intended to "discover dns host name of the domain naming master"
 mg
 

Expert Comment

by:JamesDS
ID: 11878240
mgoering
Again, this is DNS related, not all the necessary DNS Settings for the domain are on the DNS Server.

Can you give me a recap on the DNS settings on the source and destination domains and their DCs.


Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11883622
JamesDS,

Is there a way to dump the DNS in a shareable format similar to:
 forward lookup
"_msdcs.lab-pdc1.vcslab = Start Of Authority [17], lab-pdc1.vcslab., vcsa."
"_msdcs.lab-pdc1.vcslab = NameServer lab-pdc1.vcslab."
"_msdcs.lab-pdc1.vcslab.4646b67a-3cec-8fo9-446a5ac722cd = Alias(CName) lab-pdc1.vcslab"

"_msdcs.lab-pdc1.vcslab.dc._sites._tcp._kerberos = (SRV) [0][100][88]lab-pdc1.vcslab."
"_msdcs.lab-pdc1.vcslab.dc._sites._tcp._ldap = (SRV) [0][100][389]lab-pdc1.vcslab."

"_msdcs.lab-pdc1.vcslab.dc._sites.Default-First-Site-Name._tcp._kerberos = (SRV) [0][100][88]lab-pdc1.vcslab."  
"_msdcs.lab-pdc1.vcslab.dc._sites.Default-First-Site-Name._tcp._ldap = (SRV) [0][100][389]lab-pdc1.vcslab."  

"_msdcs.lab-pdc1.vcslab.domainss.4646b67a-3cec-405c-8f09-446a5ac722cd._tcp._ldap = (SRV) [0][100][389]lab-pdc1.vcslab."  

"_msdcs.lab-pdc1.vcslab.gc._sites.Default-First-Site-Name._ldap = (SRV) [0][100][389]lab-pdc1.vcslab."
"_msdcs.lab-pdc1.vcslab.gc._sites._tcp._ldap = (SRV) [0][100][389]lab-pdc1.vcslab."

"_msdcs.lab-pdc1.vcslab.pdc._tcp._ldap = (SRV) [0][100][389]lab-pdc1.vcslab."

If not I'll type in the rest of the DNS listed under "vcslab" level.

BTW, I did recreate the old server's DNS from a pattern I got from another single-DC 2003-server.

mgoering
 

Author Comment

by:mgoering
ID: 11883934
DNS Continued... I changed the format hopefully making it easier to read.

In Forward Lookup Zone:
    _msdcs.lab-pdc1.vcslab (already posted)
    vcslab (posted here; all that is left is a brief line in Reverse Lookup.)

vcslab._msdcs.(same as parent) = (NS) Lab-pdc1.
vcslab._msdcs._sites.Default-First-Site-Name._tcp._gc = (SRV) [0][100][3268]lab-pdc1.vcslab.
                                                                 ._kerberos = (SRV) [0][100][88]lab-pdc1.vcslab.
                                                                 ._ldap = (SRV) [0][100][389]lab-pdc1.vcslab.

vcslab._msdcs._tcp._gc= (SRV) [0][100][3268]lab-pdc1.vcslab.
                           ._kerberos = (SRV) [0][100][88]lab-pdc1.vcslab.
                           ._kpasswd = (SRV) [0][100][464]lab-pdc1.vcslab.
                           ._ldap = (SRV) [0][100][389]lab-pdc1.vcslab.

vcslab._msdcs._udp.kerberos = (SRV) [0][100][88]lab-pdc1.vcslab.
                             ._kpasswd = (SRV) [0][100][464]lab-pdc1.vcslab.

vcslab._msdcs.lab-pdc1.msdcs.(NS) = lab-pdc1.

Was this helpful?
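Added example (my own code, not from the thread): Netlogon registers a DC's locator records relative to the AD domain name, so for a domain called vcslab the expected names are `_ldap._tcp.dc._msdcs.vcslab`, `_ldap._tcp.pdc._msdcs.vcslab`, `_ldap._tcp.gc._msdcs.vcslab` (port 3268) and so on, and a trust partner or a tool like rendom locates the DC, the PDC emulator and the GC through exactly those names. Rather than reading a zone by eye, this Python script takes a text export of the zone and lists which of the standard DC, PDC and GC SRV records (plus the GUID-named `domains._msdcs` SRV and the DSA-GUID CNAME used for replication) do not point at the DC on the expected port. The export format it parses is a simplified `owner TYPE data` layout I defined for the example, with owner names relative to the zone; the sample zone, its GUIDs and the "broken" variant are constructed, and the check assumes a single-domain forest (so the forest-wide gc records sit in the same zone), the site Default-First-Site-Name, and lab-pdc1 holding both PDC and GC.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample export of the forward lookup zone "vcslab" (with its _msdcs
# subtree) in a simplified "<owner> <type> <data>" layout defined for this
# example; owner names are relative to the zone and the GUIDs are made up.
SAMPLE_ZONE = """\
@ SOA lab-pdc1.vcslab. hostmaster.vcslab. 17
@ NS lab-pdc1.vcslab.
lab-pdc1 A 192.168.0.2
_msdcs NS lab-pdc1.vcslab.
0f3a9c1e-5b7d-4e21-9a6c-2d8e4f7b1c30._msdcs CNAME lab-pdc1.vcslab.
_ldap._tcp SRV 0 100 389 lab-pdc1.vcslab.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 389 lab-pdc1.vcslab.
_ldap._tcp.dc._msdcs SRV 0 100 389 lab-pdc1.vcslab.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 389 lab-pdc1.vcslab.
_ldap._tcp.pdc._msdcs SRV 0 100 389 lab-pdc1.vcslab.
_ldap._tcp.gc._msdcs SRV 0 100 3268 lab-pdc1.vcslab.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs SRV 0 100 3268 lab-pdc1.vcslab.
_ldap._tcp.4646b67a-3cec-405c-8f09-446a5ac722cd.domains._msdcs SRV 0 100 389 lab-pdc1.vcslab.
_gc._tcp SRV 0 100 3268 lab-pdc1.vcslab.
_gc._tcp.Default-First-Site-Name._sites SRV 0 100 3268 lab-pdc1.vcslab.
_kerberos._tcp SRV 0 100 88 lab-pdc1.vcslab.
_kerberos._udp SRV 0 100 88 lab-pdc1.vcslab.
_kerberos._tcp.Default-First-Site-Name._sites SRV 0 100 88 lab-pdc1.vcslab.
_kerberos._tcp.dc._msdcs SRV 0 100 88 lab-pdc1.vcslab.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs SRV 0 100 88 lab-pdc1.vcslab.
_kpasswd._tcp SRV 0 100 464 lab-pdc1.vcslab.
_kpasswd._udp SRV 0 100 464 lab-pdc1.vcslab.
"""

# Constructed variant: PDC record dropped and the GC record on the wrong port.
SAMPLE_ZONE_BROKEN = "\n".join(
    l for l in SAMPLE_ZONE.splitlines() if "pdc._msdcs" not in l
).replace("_ldap._tcp.gc._msdcs SRV 0 100 3268", "_ldap._tcp.gc._msdcs SRV 0 100 389")

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
SRV_RE = re.compile(r"^(?P<owner>\S+)\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+(?P<target>\S+)$")


def parse_srv_records(zone_text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """owner name (lower-cased, relative) -> set of (port, target host) it advertises."""
    records: Dict[str, Set[Tuple[int, str]]] = {}
    for line in zone_text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            records.setdefault(m.group("owner").lower(), set()).add(
                (int(m.group("port")), m.group("target").lower().rstrip("."))
            )
    return records


def required_dc_srv(site: str, is_pdc: bool, is_gc: bool) -> Dict[str, int]:
    """Owner names Netlogon registers for a DC in `site`, with the port each must carry.
    Assumes a single-domain forest, so the forest-wide gc records live in this zone."""
    s = site.lower()
    req = {
        "_ldap._tcp": 389, f"_ldap._tcp.{s}._sites": 389,
        "_ldap._tcp.dc._msdcs": 389, f"_ldap._tcp.{s}._sites.dc._msdcs": 389,
        "_kerberos._tcp": 88, "_kerberos._udp": 88, f"_kerberos._tcp.{s}._sites": 88,
        "_kerberos._tcp.dc._msdcs": 88, f"_kerberos._tcp.{s}._sites.dc._msdcs": 88,
        "_kpasswd._tcp": 464, "_kpasswd._udp": 464,
    }
    if is_pdc:
        req["_ldap._tcp.pdc._msdcs"] = 389
    if is_gc:
        req.update({"_gc._tcp": 3268, f"_gc._tcp.{s}._sites": 3268,
                    "_ldap._tcp.gc._msdcs": 3268, f"_ldap._tcp.{s}._sites.gc._msdcs": 3268})
    return req


def missing_dc_records(zone_text: str, dc_host: str, site: str,
                       is_pdc: bool = True, is_gc: bool = True) -> List[str]:
    """Required records that do not point at dc_host on the expected port."""
    present = parse_srv_records(zone_text)
    host = dc_host.lower().rstrip(".")
    missing = [f"{owner} SRV port {port} -> {host}"
               for owner, port in required_dc_srv(site, is_pdc, is_gc).items()
               if (port, host) not in present.get(owner, set())]
    # The two GUID-named records are per-domain / per-DC, so match them by shape.
    domain_srv = re.compile(rf"^_ldap\._tcp\.{GUID}\.domains\._msdcs$")
    if not any(domain_srv.match(o) and (389, host) in v for o, v in present.items()):
        missing.append(f"_ldap._tcp.<DomainGuid>.domains._msdcs SRV port 389 -> {host}")
    dsa_cname = re.compile(rf"^{GUID}\._msdcs\s+CNAME\s+{re.escape(host)}\.?$", re.I | re.M)
    if not dsa_cname.search(zone_text):
        missing.append(f"<DsaGuid>._msdcs CNAME -> {host}")
    return missing


if __name__ == "__main__":
    for label, zone in (("good", SAMPLE_ZONE), ("broken", SAMPLE_ZONE_BROKEN)):
        print(label, "->", missing_dc_records(zone, "lab-pdc1.vcslab", "Default-First-Site-Name") or "OK")
```

If anything is reported missing on a DC that is otherwise healthy, restarting the Netlogon service (as suggested earlier in the thread) makes the DC re-register its records; run the check again afterwards, and if the names are still absent the DC is registering against a DNS server that does not host, or does not accept updates for, the domain zone.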
 

Expert Comment

by:JamesDS
ID: 11885002
mgoering
erm, no, on both questions!

sorry!

Cheers

JamesDS
 

Author Comment

by:mgoering
ID: 11893587
At this point the failure seems to focus on the RPC server being unavailable. I will work on this. School starts next week and I will need to decide which DC the teachers will log in on. I have accomplished quite a bit! Thank you for your help.

MGoeirng
 

Expert Comment

by:JamesDS
ID: 11893679
MGoeirng

Welcome, glad to help

Cheers

JamesDS
