Solved

Transfer Active Directory (win2k3) accounts onto another domain controller (win2k3)

Posted on 2004-09-15
Last Modified: 2010-05-18
I had a server running Windows NT Server with around 60-70 user accounts and various other permissions. I then created a test server and installed Windows NT on it as a BDC. Then I disconnected the main Windows NT server and promoted the BDC to PDC. Then I upgraded it to Windows 2003. That is how I created my test server. It has all the accounts and is working fine, but I need to transfer this data across to the new super fast server.

My question is how? I know I have to setup the superfast server as an additional domain controller but then how do I upgrade it to a standalone domain controller so I can get rid of my test server?

Or are there any tools that can just copy over active directory and the DNS onto my fast server?

Thanks, look forward to your replies.
Question by:georgecooldude

21 Comments

LVL 5
Author Comment
by:georgecooldude
Added a few more points... Don't get this system :S Anyway, hope someone can help me.

LVL 95
Expert Comment
by:Lee W, MVP
So you want your test server to become THE domain controller?  If you do that, users who changed their passwords, new users, users who have had their accounts disabled on the regular DC won't be transferred.  

What I'd do is, now that you know things will work on that "test" server, blow the test server away and reinstall it as an NT4 BDC.  Then promote it to PDC as you did before, but leave it on your main network.  Then do the upgrade again.

Actually to be safe, yank the BDC off the network and store it someplace safe (or create another BDC on yet another machine and put it somewhere safe OFF THE NETWORK).  If the upgrade to AD fails in some strange and unexpected way, you can yank the AD domain controller machine off the network and restore the NT4 network by bringing the BDC back online and promoting it to the PDC.

That said, you run DCPROMO on any 2k3 box you want to be a DC.  Then make sure you transfer the operations masters off any server you want to retire.  Before retiring the server, run DCPROMO on it again - this will allow you to demote it from a DC to a plain old server properly, keeping Active Directory from getting messed up with ghost DCs.

LVL 4
Accepted Solution
by:sriwi earned 125 total points
What I would do in your situation is:

1. Keep the old server running side by side with the new server 2003
2. Run forest prep and domain prep on your current Win NT server, to make sure that the Active Directory is compliant with Windows 2003 Active Directory
3. Install Windows 2003 Server on the new box
4. Install Active Directory on the new Win2003 box (dcpromo).
5. Transfer all the roles (PDC, RID, PDC, Active Directory schema, Global Catalog) to the new Win2003 fast box.
6. Transfer your DNS server as well, and make your new Win2003 a primary zone
7. Make the old WinNT DNS box a secondary zone
8. When everything can authenticate OK, you just have to demote the old NT box (dcpromo) and drop it back to workgroup and turn it off.

That's all.

I've done that before and it is the best way to do it (I think this method is called replication).

Hope this helps

Cheers

LVL 25
Expert Comment
by:Ron M
You need to run dcpromo in command window from the computer you want to host AD...then wait for replication..transfer roles.......then run dcpromo on the other dc and demote it.

Check for errors before demoting the PDC... and if you have a backup method I would say use it.

LVL 5
Author Comment
by:georgecooldude
sriwi,

[quote]5. transfer all the roles (PDC,RID,PDC,Active directory schema, Global Catalog) to the new win2003 fast box.
6. Transfer your dns server as well, and make your new win2003 a primary zone
7. Make the old winnt DNS box secondary zone[/quote]

It is transferring the roles across that I am having problems with. I'm totally new to it. Could you please run through these options above in a bit more detail :-) What programs are used? How should I set up Active Directory on the fast box? As a domain controller?

Thanks for your help so far. :-)

..oh btw I have 5 extra points today? Do you get 5 points free per day?

LVL 95
Expert Comment
by:Lee W, MVP
Check this out for how to transfer the roles.
http://www.microsoft.com/resources/documentation/windowsserv/2003/standard/proddocs/en-us/sag_ADtransferFSMOroles.asp

Also, generally, you should accept an answer until every aspect of the question has been answered.  Then if more than one person helped, you can split the points to everyone.

LVL 4
Expert Comment
by:sriwi
Hi.. does that help you already? Or do you still need more?

Most of them are in Active Directory Users & Computers -> Operations Master; that knocks out 3 things already.

Sorry for only replying now.

i was going out on a job

cheers

LVL 5
Author Comment
by:georgecooldude
I am stuck with DNS.

On my test server (old machine) the DNS works great. I've got a fresh install of Windows 2003 on the fastbox (new machine); how should I configure the DNS settings? Every time I create new zones they have trouble speaking to each other. So my question is how should I config the DNS on the fastbox, bearing in mind I want it to be an additional domain controller and then promoted to the main server controlling everything, and remove the test server from the network.

And sorry about the points guys, I didn't realise it could be split between two ppl.

LVL 4
Expert Comment
by:sriwi
When you dcpromo the Win 2003 server to be a DC, the Active Directory DNS will be replicated as well. I don't understand what the problem is here, unless you create another zone that is different from the current one; then it is a different story.

After all of the DNS data has replicated successfully, you have to transfer the roles to the new server, as described above.

Make sure that your new server's DNS settings point to your old test box, otherwise it will not work. After you transfer everything, you have to set the DNS to point to itself on the network card, and then use a DNS forwarder to forward all the queries to the outside world.

Can you let me know what is your plan ?

cheers

LVL 4
Expert Comment
by:sriwi
If you have another zone, just create the same exact zone again; it will be prompted as a secondary zone. Then after all has replicated, you have to make the new fast server the primary zone, and the old box will automatically become the secondary zone.

all of this is done on: DNS-->forward look up zone --> right click on the new zone that you created--> properties --> change the role

cheers

LVL 4
Expert Comment
by:sriwi
You have to make sure the zone transfer is ticked on the old server DNS setting.


LVL 5
Author Comment
by:georgecooldude
Hi sriwi,

Thanks for the reply and continuing to support me with my problem.

Ok, I will explain where I have got to now.

Just did a fresh install of Windows 2003 on the fastbox. I tried setting up DNS but got errors and stuff so I have removed it. You said above the DNS gets replicated from the testbox. So do I need to recreate any DNS settings on my fastbox other than the NIC card pointing to my testbox DNS?

Assuming I don't need to create any more DNS settings on the fastbox, here is where I am currently. I go to Run, type "DCpromo" and then go to set up an "additional domain controller". I choose a username and password and domain, then I click Next. It prompts for the domain name and I fill that in. (BTW my DNS and domains are both called the same thing, as the network I am dealing with is small and I have been instructed to continue using these names for consistency.) Then it goes to the options where you choose the paths for the databases to be saved and I click Next. When I click the final option it does a search and then comes back with "Cannot connect to domain controller - User already exists". I have been using the administrator account to connect and the password is the same for both machines. I then tried logging in with my user account that is stored on the test box (full admin account) and it said the same thing. So I tried with a made-up account that doesn't exist on either box and it said "username password doesnt exist".

So I am stuck as to what to do. I tried setting up DNS on the fastbox and I am still getting the same problem.

My problems seem to be evolving into very weird happenings. I've been using Windows 2003 now for about 1 week and am having to learn it from 0 knowledge.


LVL 4
Expert Comment
by:sriwi
A couple of things that I would like to ask you:

1. Is your Active Directory on the old server running OK? Have you run dcdiag and did all the tests pass?
2. Is DNS set up correctly on the old server? Does it have forward and reverse lookup zones?

If you try to join from workgroup to domain mode, does it come up with an error in the event viewer?

cheers

LVL 4
Expert Comment
by:sriwi
I did the exact same process that you are about to do 2 days ago:

1. Have you run forestprep and domainprep from the Windows 2003 CD?
2. After that, install a fresh 2003 server
3. Install all of the drivers
4. Assign a static IP on the NIC, point the DNS to the old box
5. Join the domain (from workgroup mode to domain mode); make sure there is no error in the event viewer
6. Promote it to become a DC. During the installation of Active Directory, it will ask you to install the DNS server as well, and it will be set up as an Active Directory driven DNS server; remember to set up a forwarder.
7. Set up DHCP, WINS on the new server
8. Transfer all of the FSMO roles across, Global Catalog as well
9. Try to turn off the old server, then correct all of the references that are pointing from the old server to the new server.
10. See if any problems arise; if there are not, then demote the old server, drop it back to workgroup and job done.

At step 9, usually the problem is with time, therefore the time needs to be corrected as well; look it up on Google for the best time server that is closest to your location.

cheers


LVL 5
Author Comment
by:georgecooldude
I think my DNS is set up badly.

My setup is like this - I can't do a print screen so I've tried to recreate how it looks in text:

DNS:
dev ( test servers name )

Forward Lookup Zones
 - ourdomain
      - SOA, NS, Host (A) (I've the following records in here - possibly configured wrong??)

Reverse Lookup Zones
 - 192.1.1.x.Subnet
      - SOA, NS, PTR, Cname (Again these might be configured wrong as i made this setup on a trial and error basis)


What records would I need in each zone? And is DNS case sensitive? My domain is spelled with capital letters but I've noticed some of my DNS records use dev.ourdomain instead of dev.OURDOMAIN.

Could you give an example of how my NS Forward lookup zone file should look for instance? At the FQDN section is setup as dev.ourdomain. (with the dot)

When I launch nslookup from the command line it also cannot find the server name of 192.1.1.87 (dev server).

Any ideas? I'm doing something wrong maybe you can point me in the right direction. :-)

I also assigned the dev server (test servers name) an IP of 192.1.1.87 and my Main Windows 2003 server (fastbox) will be using an IP of 192.1.1.86 this is just so we can replace it on the network without having to change any IP configs. Our network consists of around 60 users

LVL 4
Expert Comment
by:sriwi
With DNS, it should be set up automatically, especially when you are using windows 2003, you don't have to worry about anything such as NS, Start of Authority, it is all created for you automatically, what you need to set up usually is the reverse lookup zones, just before you put the server onto production, set it up properly, and test it first.

when you put it on production, DNS and DHCP will work together and will start filling up all of the entries, (both forward and reverse)

DNS is case sensitive, not sure about that; a quick test on my working DNS points to the same thing, so I would say it doesn't matter.

"Could you give an example of how my NS Forward lookup zone file should look for instance? At the FQDN section is setup as dev.ourdomain. (with the dot)"

The dot needs to be taken off; that means that it is the root (source of everything), but in fact it is not. You have to delete the dot and start creating your own zone, or use Active Directory to create it. And start a forwarder to your ISP DNS, so that any request that is not answered by the DNS server will be forwarded to the ISP to get an answer. From now on, all of your PCs will need to point their DNS server to the server IP address for everything to be working properly.

so what you have in the domain will be: dev.ourdomain

that's all, nothing else.

Try to download these tools, they are very helpful: DCDIAG, NETDIAG. They can help you correct your error; the problem may not be DNS, it could be your Active Directory not being set up correctly.

Cheers

LVL 5
Author Comment
by:georgecooldude
Thanks sriwi,

If you look at these pictures you see things such as _udp,  _sites - Do I need anything like that? I may be jumping ahead of myself here.

http://www6.tomshardware.com/howto/20040716/images/dns-1.gif
http://www.oucs.ox.ac.uk/windows/active/dns/dns6.jpg

My forward lookup zones only contain what I wrote above and none of the folders etc..

It is quite possible my Active Directory is messed up. I migrated it from an NT PDC by upgrading Windows. I was instructed to do this as it was thought it would make the process of switching servers easy, and the rest of the departments at work, e.g. marketing etc., wouldn't be the wiser as we wouldn't need to touch their machines. But I am now thinking we might have to change every setting on the client PCs to point to the new server IP for the DNS on the NIC card, and not the ISP DNS like it used to on the NT server? Am I correct there?

Do you think it would be quicker to re-create our user accounts (60 or so) and start again, assuming we have to manually change the DNS on each client machine? We need to re-create the permissions of folders and files. Is that easy? Our current domain we log onto is called "ourdomain" (being our company name instead) and it doesn't have any .com extension or anything like that. Does Active Directory require me to have a .com or .local on the end? If it does, it certainly is going to be easy to start over again.

I have read various things from various sites and you seem to have the more professional answers, so maybe you could advise me on which way to go?

Thanks and I look forward to hearing from you

And I have some more points (about 15 or so) I can send to you. I'm not really sure how this points thing works but hey! ;-)

LVL 4
Expert Comment
by:sriwi
yes you need all of those _udp, _sites etc.. it is required for DNS to run properly.

look at the kbid=306602

it tells you what it means on those _ thing..

Now, if you are upgrading the Windows, I am not sure whether the Active Directory structure is upgraded or not, because if you read the documentation, to introduce a Win 2003 PDC you have to upgrade the Active Directory structure by running /forestprep and /domainprep.

Now it looks like it is better if you just load a freshly new server, set it to the "yourcompany.local" domain; that will save you more time rather than fixing all of these things now.

on the server:

Setup DNS, DHCP, WINS, AD, plus some other services you might require exchange etc,

DNS: setup DNS such that it forward any unresolved request to your ISP, it should have forward lookup and reverse lookup.
DHCP: Setting for client, such as gateway, DNS server, Time server, etc
Wins: for older client (98,95)
AD: required for Domain controller to function properly.

on the client:

drop everyone to workgroup, rejoin the new domain that you have created, have the NIC obtain IP automatically from DHCP server (This is only once off) and will make it become one point of administration (at the DHCP, not at every PC).

with the permission and user, it is easy, you just have take all of the ownership from the user to the administrator, then change the ownership to the user later when everything is set up correctly.

By doing this, I can estimate that you will take only about 1-2 days to get everyone up and running again. This problem has been going on for more than a week already; the boss is gonna kill you at some stage, hehe

cheers

PS: love to have points, but I also love comments as well, don't mind helping out.



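The two DNS points raised in this thread (the name comparison question about dev.ourdomain versus dev.OURDOMAIN and the trailing dot, and the _udp/_sites/_msdcs records that KB 306602 says every domain controller must register) can be checked offline against a zone dump. The script below is an added example written for this page; it is not code from the thread, from Microsoft or from KB 306602. It builds the SRV record names KB 306602 lists for a domain, forest root, site and DC, parses zone text in the style of the netlogon.dns file a Windows 2003 DC writes, and reports which required names are missing or point at the wrong host. The sample zone is constructed (the stale target `oldnt.ourdomain` and the omitted site record are deliberate), and the site name `Default-First-Site-Name` is the Windows default, not something the thread states; the GUID-based records from the KB are left out because those GUIDs are only known on the live domain.

```python
"""Offline check of the SRV records a domain controller registers in DNS
(added example; record-name templates follow KB 306602, sample data is constructed)."""
import re

# Record-name templates from KB 306602.  {d} = DNS domain name,
# {f} = forest root name, {s} = AD site name.  The GUID-based records
# (_ldap._tcp.<DomainGuid>.domains._msdcs.<forest> and the <DsaGuid>
# CNAME) are omitted because the GUIDs are not known offline.
SRV_TEMPLATES = [
    "_ldap._tcp.{d}",
    "_ldap._tcp.{s}._sites.{d}",
    "_ldap._tcp.pdc._msdcs.{d}",
    "_ldap._tcp.gc._msdcs.{f}",
    "_ldap._tcp.{s}._sites.gc._msdcs.{f}",
    "_gc._tcp.{f}",
    "_gc._tcp.{s}._sites.{f}",
    "_kerberos._tcp.{d}",
    "_kerberos._udp.{d}",
    "_kerberos._tcp.{s}._sites.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.{s}._sites.dc._msdcs.{d}",
    "_kpasswd._tcp.{d}",
    "_kpasswd._udp.{d}",
    "_ldap._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{s}._sites.dc._msdcs.{d}",
]

# Constructed sample, modelled on a 2003 DC's netlogon.dns (not real data).
# One site-specific record is missing and one record still points at a
# retired host, so the check has something to report.
SAMPLE_ZONE = """\
; constructed sample zone for domain "ourdomain", DC dev.ourdomain
_ldap._tcp.ourdomain. 600 IN SRV 0 100 389 dev.ourdomain.
_ldap._tcp.Default-First-Site-Name._sites.ourdomain. 600 IN SRV 0 100 389 DEV.OURDOMAIN.
_ldap._tcp.pdc._msdcs.ourdomain. 600 IN SRV 0 100 389 dev.ourdomain.
_ldap._tcp.gc._msdcs.ourdomain. 600 IN SRV 0 100 3268 dev.ourdomain.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.ourdomain. 600 IN SRV 0 100 3268 dev.ourdomain.
_gc._tcp.ourdomain. 600 IN SRV 0 100 3268 dev.ourdomain.
_gc._tcp.Default-First-Site-Name._sites.ourdomain. 600 IN SRV 0 100 3268 dev.ourdomain.
_kerberos._tcp.ourdomain. 600 IN SRV 0 100 88 dev.ourdomain.
_kerberos._udp.ourdomain. 600 IN SRV 0 100 88 dev.ourdomain.
_kerberos._tcp.Default-First-Site-Name._sites.ourdomain. 600 IN SRV 0 100 88 dev.ourdomain.
_kerberos._tcp.dc._msdcs.ourdomain. 600 IN SRV 0 100 88 dev.ourdomain.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ourdomain. 600 IN SRV 0 100 88 dev.ourdomain.
_kpasswd._tcp.ourdomain. 600 IN SRV 0 100 464 dev.ourdomain.
_kpasswd._udp.ourdomain. 600 IN SRV 0 100 464 dev.ourdomain.
_ldap._tcp.dc._msdcs.ourdomain. 600 IN SRV 0 100 389 oldnt.ourdomain.
"""

# owner [ttl] [IN] SRV priority weight port target
SRV_LINE = re.compile(
    r"^\s*(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$", re.I)


def canon(name):
    """DNS names compare case-insensitively, and a trailing dot only marks the
    name as fully qualified, so fold both before comparing."""
    return name.rstrip(".").lower()


def expected_srv_names(domain, forest=None, site="Default-First-Site-Name"):
    """The set of SRV owner names a DC in `domain` must register."""
    forest = forest or domain
    return {canon(t.format(d=domain, f=forest, s=site)) for t in SRV_TEMPLATES}


def parse_srv_records(zone_text):
    """Map each canonical owner name to its set of (prio, weight, port, target)."""
    records = {}
    for line in zone_text.splitlines():
        m = SRV_LINE.match(line.split(";", 1)[0])   # strip ';' comments
        if not m:
            continue
        owner, prio, weight, port, target = m.groups()
        records.setdefault(canon(owner), set()).add(
            (int(prio), int(weight), int(port), canon(target)))
    return records


def check_dc_registration(zone_text, domain, dc_host, forest=None,
                          site="Default-First-Site-Name"):
    """Return the required names absent from the zone, and those present
    but without a record pointing at dc_host."""
    records = parse_srv_records(zone_text)
    missing, wrong_target = [], []
    for name in sorted(expected_srv_names(domain, forest, site)):
        if name not in records:
            missing.append(name)
        elif canon(dc_host) not in {r[3] for r in records[name]}:
            wrong_target.append(name)
    return {"missing": missing, "wrong_target": wrong_target}


if __name__ == "__main__":
    report = check_dc_registration(SAMPLE_ZONE, "ourdomain", "dev.ourdomain")
    for kind, names in report.items():
        print(kind + ":", *names, sep="\n  ")
```

On a real server the zone text would come from a `netlogon.dns` file or a zone export rather than the constructed string, and `canon()` is what makes the upper-case `DEV.OURDOMAIN.` target in the sample count as a match for `dev.ourdomain`.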
 

LVL 5
Author Comment
by:georgecooldude
Thanks :-)

Added once I finished writing this. hehe, sorry my posts seem to be getting longer and longer and going more and more into a separate topic. I have listed all possible things and problems that I can think could arise.

Is DHCP really required? I know there are benefits but are they significant? (In my opinion it's better, as it would allow the network to expand requiring less configuration for us. But I suspect we might only have between 5 - 20 new users in the next 6 months - hence why static IPs could still be used.) At the moment the boss was wanting to stick with static IPs, but now that we know all client PCs need to have their NIC DNS changed to the fastserver and we're going to have to manually adjust 60 or so machines, is it worth moving to DHCP or keeping the static IP config?

We also have quite a few Windows NT, 95, and 98 machines which we are slowly upgrading but they still exist. I read that Windows 2003 is not compatible with the 98 and below machines and you can run in 2000/2003 mixed mode to solve this. But then we lack some of the features in 2003 which we have paid for. How do you suggest we get around this problem? Could I set up WINS on the fastbox so the old 98 and below machines wouldn't be the wiser, and the nice new 2000 + XP machines could use all the benefits of the new 2003 features?

We also have various files stored "servername/departmentname/username/theirfiles/
Each with various permissions. eg. people in a department can only go to their own /departmentname and /username - We also have a shared folder within the department where anyone from that department can save files /servername/departmentname/sharedfolder

If I copy over all of these files from the current Windows NT server onto the new fastserver (which I will start from scratch), will all the permissions stay the same on the files? If so, good, because then I think I just need to add users to groups and set up some permissions in the Active Directory user management. If not then we've a serious problem - 15GB of data. lol.

And can you think of any other problems I might encounter? I think I'm about ready to do another serious batch of reading and then go for it!




LVL 5
Author Comment
by:georgecooldude
Oh and I'll add we are going to be wanting to setup some VPS and remote access too.

hehehe, even more problems. do'h!

LVL 4
Expert Comment
by:sriwi
All of those things that you mention before are standard on Server: VPN, Remote access, Mail server, ISA server

With all of the file permissions, you have to take ownership using the new fast box administrator logon and replace it with the new user, simple as that; it is to do with the SID of the objects. For shared folders, just grant "everyone" or "staff" access if you don't want the guest account to look at the files.

WINS is still required to be set up since you have old machines running, but WINS is simple; the key thing here is DNS, AD and DHCP.

DHCP is very important. For example, if your gateway changes or your server DNS changes, all you have to do is update DHCP, not every single machine. Plus having the advantage of a new machine plugged into the network and working straight away is the best thing that could happen; you don't have to worry about anything such as IP, DNS, gateway, etc. Even your boss could do it, therefore your job will now become insecure :)

But the most important thing is, get the basics right, then the rest should be OK.

good luck