
Small Business Server Question (PDC, BDC)

Hello,

I have a 2k3 SBS, and need to use trusts in Active Directory, along with several other functions that Small Business Server will not let me use.

The SBS server is not running Exchange or SQL or anything, just managing Active Directory and Group Policy.

I think SBS will let you configure a BDC.  What I am wondering is: if I set up a Windows Standard Server as a BDC, then wipe out the SBS server and start over with Enterprise Server and make it the PDC for the domain, will the BDC relinquish control and allow the new Enterprise server to take over again?

Also, will all the settings (Active Directory, Group Policy, etc.) be sent back over to the PDC after this is done?

I would think that this scenario has come up before, and I know that there is the SBS Transition Pack, but I already own another copy of Enterprise Server, and don't really want to pay for the Transition Pack.

Any help will be much appreciated.  I am going to try and get this done tomorrow, hopefully, so thanks in advance.
0
2 Solutions
 
Jay_Jay70Commented:
Hi rafordhargrove,

1) Promote your new machine as an additional domain controller in an already existing domain - this will allow AD to replicate to the new server
2) Make sure DNS is AD integrated on your old DC to allow all DNS replications also
3) Transfer the FSMO roles to the new server
http://www.petri.co.il/transferring_fsmo_roles.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;255690
4) Make the new DC a Global Catalog under Sites and Services
http://support.microsoft.com/?kbid=313994
5) Demote the SBS
0
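Step 3 and step 4 above, carried out from the command line rather than the MMC snap-ins, as an added example that is not part of this thread. It assumes Windows Server 2003 with the Support Tools installed, and uses NEWDC as a placeholder for the new domain controller's hostname; run it on the DC that is to receive the roles.

```batch
@echo off
rem Added example, not from the thread: transfer all five FSMO roles to the
rem new DC with ntdsutil, then verify placement, GC status and replication.
rem Run this ON the DC that will RECEIVE the roles.
rem NEWDC is a placeholder for the new server's hostname.
set NEWDC=NEWDC

rem ntdsutil accepts its interactive commands as quoted arguments, so the
rem whole session can be scripted. "connect to server" names the receiver;
rem each transfer still pops a Yes/No confirmation dialog, so this is not
rem fully unattended.
ntdsutil "roles" "connections" "connect to server %NEWDC%" "quit" ^
  "transfer schema master" ^
  "transfer domain naming master" ^
  "transfer PDC" ^
  "transfer RID master" ^
  "transfer infrastructure master" ^
  "quit" "quit"

rem Verify role placement (netdom ships in the Windows Support Tools).
netdom query fsmo

rem Confirm the new DC is advertising as a Global Catalog before the old
rem DC is demoted; the list should include NEWDC.
dsquery server -isgc

rem Check that replication to the new DC has no errors, and run the
rem overall health check before demoting the SBS.
repadmin /showrepl %NEWDC%
dcdiag /s:%NEWDC%
```

If a transfer fails because the old DC is unreachable, the corresponding `seize` commands exist in the same ntdsutil menu, but seizing is only appropriate when the old role holder will never return to the domain.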
 
rafordhargroveAuthor Commented:
Will I then be able to take the SBS out and replace it with Enterprise? The server I'm going to use as BDC is hopefully just a temp solution...

Also (sorry to sound dumb), how do I know if my DNS is AD integrated?

Also, I thought SBS had to be a domain controller; will I be able to demote?
0
 
Jay_Jay70Commented:
If you promote your new server in as an additional domain controller, you will be able to replicate AD automatically.

DNS zones can be checked under the DNS console, in the properties of the forward lookup zone, and then the zone type.

That's a good point. I think from reading that SBS comes preconfigured as a domain, yes? What happens if you run dcpromo on the SBS as is, just to see what options you get?
0
 
rafordhargroveAuthor Commented:
I'll have to check into it tomorrow to see what happens when you dcpromo an SBS... one of the biggest mistakes ever; SBS is probably fine if you have 5 users and that's all you will ever have, and you don't plan on doing anything special within your domain.  Live and learn though, right?

I still wonder what would happen if the Standard server were set up as an additional DC... make sure all of the GPO and AD settings are replicated to the new DC... then take the SBS server out of the environment, install Enterprise on it, put it back in the domain, then dcpromo it and make it the primary DC.

I wonder if that would cause all kinds of problems... seems like it would be about the same thing as having your PDC crash.
0
 
Jay_Jay70Commented:
That's when you would need to seize the FSMO roles rather than transfer them; that way you get your AD working well. You would have to play with ntdsutil and clean your metadata, but in theory it would work. I'll see if I can grab the attention of the SBS guru and see what he thinks :)
0
 
northcideCommented:
Since when can you have a DC as a BDC to an SBS?  You can only have member servers alongside SBS, not DCs.
0
 
rafordhargroveAuthor Commented:
northcide, I think SBS will let you have a backup domain controller.
0
 
northcideCommented:
Before you do that you should read through http://support.microsoft.com/kb/q200866/
0
 
Kini pradeepIT Technology Senior ConsultantCommented:
SBS would definitely let you have an additional DC, but you cannot make this additional DC the FSMO role holder. There is a difference in the schema and this might break things in the domain. You could start with a fresh Enterprise 2003 DC and probably migrate users from SBS; that would be a better thing to do.
0
 
rafordhargroveAuthor Commented:
How would you migrate if you can't have trusts?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
There is a lot of inaccuracy in this thread, and I'd like to first clear all of that up:

1.  northcide's reference is very old and applies to SBS 4.5!  Not SBS 2003.  So, just to set the record straight, you can have up to 74 additional domain controllers on an SBS network.  (Of course, that means you wouldn't have any workstations, since there is a limit of 75 devices with an SBS.)
see:  http://msmvps.com/blogs/bradley/archive/2005/11/02/74121.aspx

2.  SBS does not support trusts.  However, that does not at all preclude the use of an additional DC within the same domain.  

3.  The answer that Jay_Jay70 provided right off will work just fine if you are keeping the same domain name.

4.  The conversation about not wanting to use the Transition Pack because you already own Enterprise Server 2003 concerns two unrelated items.  You don't need to buy the Transition Pack if you don't want to use the SBS operating system again.  You can easily add the Enterprise Server 2003 to your existing SBS network by running domainprep, promote it to a secondary domain controller, transfer the FSMO roles and ensure that it's the GC, and then demote the SBS and remove it from your network.  
Newsgroup posting by a Microsoft Support Tech that confirms what I'm saying:  http://snipurl.com/qa7k

SBS will not react badly to this as long as it's removed from the network within 14 days.
This KB describes what happens with an SBS that is not the holder of FSMO master roles:  http://support.microsoft.com/kb/884453  

Note that in the top paragraph it describes that the retirement of an existing SBS must occur within 14 days.


If you want to migrate to a different domain, then you must use the Swing Migration method.  Details are at http://sbsmigration.com.  

Hope that clears up everything.

Jeff
TechSoEasy


0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Also, just to clarify... since Server 2000 the terms PDC and BDC have been deprecated.  There is no longer any such thing as a PDC or BDC.  Domain controllers can handle any portion of the FSMO roles, except in the world of SBS, where all master roles must be held by the SBS.  Additional DCs are welcome, but are not called Backup DCs because they don't hold any of the FSMO roles.

Jeff
TechSoEasy
0
 
Jay_Jay70Commented:
raford,

Told you this guy knows all :)
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
well, not "all"... just "some" + "know where to find out more".
0
 
rafordhargroveAuthor Commented:
Hey guys,

Thanks for the info.  We are about to give this a shot.  Hope it all goes well.  With Jeff's comment I think we are pretty much set.

Thanks again for the info.
0
 
Jay_Jay70Commented:
:) let us know how you fare
0
 
rafordhargroveAuthor Commented:
I promoted the Windows 2k3 server to BDC... and am in the process of transferring FSMO roles... I am trying to transfer the schema first... I go in and follow the instructions in

http://support.microsoft.com/?id=324801

However, I am not able to click the Change button in Operations Master.

I don't know if I am not waiting long enough or what (waited about 10 minutes).

I am doing all of this on the SBS server, which is the current PDC.

Thanks again for getting me this far guys.
0
 
Jay_Jay70Commented:
I would say you need to use ntdsutil, which the link above mentions, as SBS doesn't want to let those roles go.
0
 
rafordhargroveAuthor Commented:
OK, we will research ntdsutil a little more; I think we will continue with it in the morning, 2 am here.

Thanks Jay, I'll post up the points when we finish up with this.  I want to keep it open in case I have more questions.

I sure do appreciate your help though; couldn't have done it without you.
0
 
Jay_Jay70Commented:
Points aren't an issue, no rush :) here to help and learn :)
0
 
rafordhargroveAuthor Commented:
OK, another question.  I think I have to assign the new BDC as a global catalog server.  I went in and did that in AD Sites and Services and clicked the checkbox telling it to make it a GC.

How do I know if and when this replicates?
0
 
Jay_Jay70Commented:
No more BDCs, my friend - just DCs :)

Your replication will happen basically instantly with GC; allow 20 mins or so though. Just check your replication entries under the event logs.
0
 
rafordhargroveAuthor Commented:
OK, where do I check the replication entries?  Event Viewer?
0
 
Jay_Jay70Commented:
Event Viewer system logs; there should be replication entries. It doesn't take long though. You can also force replication on the actual NTDS site links in Sites and Services.
0
 
rafordhargroveAuthor Commented:
OK, I get a message when I dcpromo the SBS saying it is a GC and I should make sure a GC is available to users on another computer before continuing.

How do I know if it's available to users?
0
 
rafordhargroveAuthor Commented:
I am trying to demote the SBS, because I read that if it demotes gracefully it will automatically transfer the FSMO roles to another DC on the network, and I only have one other DC on the network.
0
 
Jay_Jay70Commented:
Never rely on the dcpromo tool to transfer roles - there are documented problems with it. Have you transferred the roles as yet?
0
 
rafordhargroveAuthor Commented:
No, haven't yet.

Tried once to follow instructions on doing it with a GUI, but never could get the Change button to light up when I tried to change the operations master.

So I was going to try and do it with ntdsutil.exe.

Also haven't demoted the SBS yet.
0
 
rafordhargroveAuthor Commented:
So do I run ntdsutil from the server that is transferring the roles or from the server that I want to receive the roles?
0
 
rafordhargroveAuthor Commented:
Well, I ran ntdsutil, and I guess it worked. Is there a way to tell? I transferred all 5 roles, got prompted at all five; seems like a good sign to me.
0
 
rafordhargroveAuthor Commented:
I just tried to demote the SBS and got the error: failed to complete the operation, netlogon timed out.

Wonder what that means?
0
 
Jay_Jay70Commented:
Sorry mate, I was at lunch.

You can confirm your role placement under the GUI on your other DC or your SBS:
http://support.microsoft.com/?id=234790

I'm not actually sure you can demote an SBS machine; that's Jeff's specialty, so I won't point you in the wrong direction there.

How does dcdiag look since the role transfer?
0
 
rafordhargroveAuthor Commented:
Hey Jay, I went ahead and transferred the roles to the new server.  Then went and tried to demote the SBS... it failed the first time... but I tried it again and it worked (failed the first time on the netlogon service).  I don't know how to tell if I need to run metabase cleanup or not, but in the GUI all of the roles are assigned to the new server.

I think I am going to take the SBS out of the environment tomorrow and reinstall it with Enterprise Server.  Will it cause problems if I give it the same name?

After I get Enterprise Server installed I'll promote the new server to a DC and hopefully move the roles again to it.  I don't want my Apache/Tomcat/application server to be the primary domain controller, just a backup in case the PDC goes down.

Thanks again Jay
0
 
Jay_Jay70Commented:
Just make sure you remove entries from Sites and Services and you should be fine :) You may also need to refresh your DNS entry for the old server, but see how you go first.
0
 
Jay_Jay70Commented:
how you go*
0
 
rafordhargroveAuthor Commented:
Jay, I don't know how it went... I'll look in Sites and Services for the old SBS server... I don't think it's anywhere in there... after the demotion of SBS the old SBS server would not get online no matter what, but it doesn't matter, I don't think... looks like everything got moved... I may run ntdsutil.exe /metabase cleanup just in case... shouldn't hurt anything, should it???

I shut down the old SBS server and am going to leave it out of the network... probably will reinstall Enterprise on it first thing in the morning... it's 4:40 am here.

thanks again
0
 
Jay_Jay70Commented:
Wow, early!    If dcpromo was successful then there is no need to run ntdsutil; it's for failed DCs that don't demote properly.

Sounds to me like it is a success so far; you have done well.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
And all done while I was sleeping the night away!  

Good job!

:-)

Jeff
TechSoEasy
0
 
rafordhargroveAuthor Commented:
OK, so after I demoted the SBS server, it wouldn't connect to the internet... and I thought oh well, no big deal, since we were going to wipe it out and reinstall Enterprise on it.

However, I just got done installing Enterprise and gave the server the same name it had before.  Promoted it; Active Directory is replicating... DNS is installed and replicating with the other DNS server on the network... I can talk to all of the computers on my network, but cannot get out to the internet.

Any other computer on the network has no problems.

Any ideas on what's causing this?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Did you do a clean install?  Reformat the hard drive?

I wouldn't have named it the same, BTW; your DNS and AD could easily have problems with that because they work off of hostname, not SID.

Jeff
TechSoEasy
0
 
rafordhargroveAuthor Commented:
Yes Jeff, clean install... I'm demoting it again as we speak... got the same error when I tried to demote the first time, netlogon could not be configured as requested... so I ran dcpromo again and it's going to demote it.

I guess the next thing to do will be to remove it from the domain, and clean install again, giving it a new name next time.

I should have known better than to give it the same name, I guess.

Will report back shortly with new results... hopefully good ones.

Should I run ntdsutil.exe /metabase cleanup???   Since this stuff isn't going as well as first thought?
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Couldn't hurt to run ntdsutil anyhow.

Jeff
TechSoEasy
0
 
rafordhargroveAuthor Commented:
Guys, I sure do appreciate your help; couldn't have done it without you.
0
 
Jay_Jay70Commented:
Now it's my turn, I was asleep!

I take it you got it cranking in the end?
0
 
rafordhargroveAuthor Commented:
Yep Jay, I think it's working... I'm about to demote the server that I had to promote in order to get everything off of SBS... have to demote it because it runs PostgreSQL... apparently it will only run on a local user account and I guess Active Directory wipes out the local users and groups.

I still never ran ntdsutil /metabase cleanup; I don't know if it would do any good or not... sounds to me like it wipes out the metadata and I guess it's rebuilt afterwards.
0
 
Jay_Jay70Commented:
It just wipes the metadata records of dead servers......

The SAM (local) DB gets wiped out by AD.
0
 
rafordhargroveAuthor Commented:
I think I had better run it... I guess also somewhere in Group Policy, the Small Business Server has a logon script loaded still... the servers are trying to get a logon.bat from the old SBS server. It doesn't error out, just goes away after it tries and can't find it, I think.

So the syntax for metadata cleanup is pretty strange; do you have to put in the entire cn=server and everything?

I have never used it, but it sounds like it's the thing to do.
0
 
Jay_Jay70Commented:
It's fairly interactive but the exact syntax can get tricky. The link above works like a charm; I ran through it on Friday to refresh myself.

Also, after any command you can type /? and it will show you your options.
0
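The metadata cleanup session asked about above, written out as an added example that is not part of this thread. It assumes Windows Server 2003 with the Support Tools, a single domain and site, and placeholder names LIVEDC (a healthy DC to connect to), OLDSBS (the dead server) and DNSZONE (the AD domain's DNS zone); the object indexes shown are what the listing commands are assumed to print and must be checked against the real output.

```batch
@echo off
rem Added example, not from the thread: remove a dead DC's leftover AD
rem metadata with ntdsutil "metadata cleanup". Only needed when the old DC
rem did NOT demote cleanly; never run it against a DC that is still in use.
rem All names below are placeholders.
set LIVEDC=NEWDC
set OLDSBS=OLDSBS
set DNSZONE=example.local

rem Pass 1: only LIST the domains, sites and servers. Targets are chosen by
rem index in this submenu, so confirm which number is the dead server
rem before removing anything.
ntdsutil "metadata cleanup" "connections" "connect to server %LIVEDC%" "quit" ^
  "select operation target" "list domains" "select domain 0" ^
  "list sites" "select site 0" "list servers in site" ^
  "quit" "quit" "quit"

rem Pass 2: remove the selected server. Index 0 for domain and site assumes
rem a single-domain, single-site forest; "select server 1" assumes the dead
rem server was listed second in pass 1. ntdsutil asks for confirmation.
ntdsutil "metadata cleanup" "connections" "connect to server %LIVEDC%" "quit" ^
  "select operation target" "list domains" "select domain 0" ^
  "list sites" "select site 0" "list servers in site" "select server 1" ^
  "quit" "remove selected server" "quit" "quit"

rem What metadata cleanup does not touch: the old DC's DNS records. List
rem any A/SRV records still pointing at OLDSBS and delete them with
rem dnscmd /RecordDelete (dnscmd ships in the Support Tools).
dnscmd %LIVEDC% /EnumRecords %DNSZONE% %OLDSBS%

rem Finally, confirm the dead server no longer appears as a replication
rem partner and that the surviving DC is healthy.
repadmin /showrepl %LIVEDC%
dcdiag /s:%LIVEDC%
```

Stale NTDS Settings and computer objects left behind in Sites and Services or in the Domain Controllers OU should be checked in the GUI afterwards, since older ntdsutil builds do not remove every related object.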
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Because the logon script is stored in a FRS directory, it most likely replicated to your new server.  Check to see if there is a \NETLOGON share there which should have the batch file in it.  

Jeff
TechSoEasy
0
 
rafordhargroveAuthor Commented:
Damn, you guys are good. OK, something that's wild is that the NETLOGON share is there, and the batch file is there, but the script the server is running is \\oldsbsservername\clients\setup\setup.exe /s oldservername... that may not be a login script at all; I'm not sure what that is.

Anyway, \\oldservername is no longer there.
0
 
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
That's the SBS's login script --- delete it.

Jeff
TechSoEasy
0
 
rafordhargroveAuthor Commented:
Deleted... OK guys, got another question; see what ya think:

http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21849218.html
0
 
rafordhargroveAuthor Commented:
Sorry, that last link is invalid... the tombstone or whatever it is went away; I allowed another user account to take ownership.

Well, you guys have been more help than you know... I think this all worked out fairly well, and boy did I learn a lot.

Thank you guys again so much.
0
 
Jay_Jay70Commented:
:) anytime

cheers
0
