Solved

Windows 2003 migration help

Posted on 2006-06-29
Last Modified: 2010-03-19
I recently went from a Windows NT domain and upgraded it to Windows 2003 Active Directory.

Steps taken:
1.  Upgraded NT BDC to Windows 2003 and installed Active Directory with DNS
2.  Installed a new Windows 2003 server and added it to the domain with the Add additional domain controller to domain option

Here is my problem, I used the NTDSUTIL utility to transfer FSMO roles to the additional domain controller.  In order for me to run the login script I have to have the upgraded BDC running.  When I remove the upgraded BDC from the network I can log into the domain but can't run the login script.

Can someone please tell me what I need to do in order to run the login script of the number 2 server from above without having the upgraded BDC on the domain?

thanks
Question by:pgamez
 
LVL 26

Expert Comment

by:Pber
ID: 17012639
Usually when you want to do an in-place upgrade you'd:

Take one BDC offline and leave it off in case you need to back out of the upgrade.
Next you upgrade the NT4 PDC to 2003.

Anyhow, sounds like your problem is with the sysvol.

What do you see when you type net share from a command prompt on the additional DC?
0
 

Author Comment

by:pgamez
ID: 17012819
I get the following when I type net share

Share name   Resource                                            Remark
_______________________________________________________________________________
IPC$                                                             Remote IPC
ADMIN$       C:\WINDOWS                                          REMOTE ADMIN
E$           E$                                                  DEFAULT SHARE
C$           C$                                                  DEFAULT SHARE
NETLOGON     C:\WINDOWS\SYSVOL\sysvol\rockville.hcmg.net\SCRIPTS LOGON SERVER SHARE
SYSVOL       C:\WINDOWS\SYSVOL\sysvol                            LOGON SERVER SHARE
0
 
LVL 26

Expert Comment

by:Pber
ID: 17012901
Are the netlogon shares in sync?  Do you have the same files on both machines?

Also is the additional server a GC?
0
 

Author Comment

by:pgamez
ID: 17012925
What's a GC?
Not sure if the netlogon shares are in sync or not.  Is there a way to find out?

Right now the other server is offline.

thanks,
0
 
LVL 26

Expert Comment

by:Pber
ID: 17012976
On the additional server, are there files in the \\server\netlogon share?

A GC is a Global Catalog server.  You generally need a GC to be able to login to the domain (Above and beyond FSMO).  

To configure a GC go to AD Sites and Services
Expand your site, then expand the servers.
Expand your server and Right click NTDS settings and select properties
Check the Global Catalog box and click OK.

0
 

Author Comment

by:pgamez
ID: 17013156
The Global Catalog is checked in AD Sites and Services.

Under servers there are two servers
server 1 which was the upgraded one
and server 2 which is the main one that I want to use.  Server 2 has global catalog selected.


Yes to files being in the server netlogon share.
0
 
LVL 5

Expert Comment

by:onlinerack
ID: 17015485
Try this.... May help.
Make sure you have no drive mappings manually (Disconnect them)
Log off your machine, wait for a minute, then log on..... You may have the NIC card initializing after the system boot (in GPO you can disable that by fast boot)
Secondly, try to see if you can have the script edited without checking group membership (in the event you are using ifmember) just have it run a net use and map a drive and see if this works.  (assuming you are running bat files)
0
 

Author Comment

by:pgamez
ID: 17018102
I think there may be something else that I have not done or the FSMO roles did not configure properly.  I removed the server from the rest of the network and placed it on a hub.  I also placed my PC on the same hub and tried connecting to it.  I went to Network Neighborhood and tried to access the server, but I was not able to see it.  When I placed it back on the hub where the backup PC that I upgraded to 2003 is, I am able to gain access to the server.

After doing a transfer (schema, domain naming master, PDC, RID, infrastructure), should I have re-run dcpromo on the server?

thanks,
0
 
LVL 26

Expert Comment

by:Pber
ID: 17018122
Re-running dcpromo will remove the DC from the domain if there are other DCs.  If it's the only DC, then it's going to remove the domain.
0
 

Author Comment

by:pgamez
ID: 17018139
Any suggestions on what I need to do? I am lost here.

0
 

Author Comment

by:pgamez
ID: 17019222
Seems that I have found the solution: for some weird reason I had to disjoin the domain and rejoin the domain.  After I did this I was able to log into the domain and run the login script.  My new question is, when I migrated the workstations and users into this domain the username works fine but the computer doesn't seem to be part of the domain.  Do I have to go to everyone's PC, disjoin them from the domain and rejoin them into the domain?

thanks,
0
 
LVL 26

Expert Comment

by:Pber
ID: 17019248
To migrate a workstation to the domain is the same as manually adding it to the domain.  A reboot is required for changes to take effect.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17019272
Initially you mentioned you upgraded the NT4 domain to 2003.  So this wouldn't really be considered a migration, but more of an upgrade.  With this method, you shouldn't have had to do anything to the clients.

If you had an NT4 domain and set up a new 2003 AD domain, then migrated the users/machines with a migration tool such as ADMT, that would be considered a migration.

Which method did you use?
0

 

Author Comment

by:pgamez
ID: 17019711
I had an NT 4 system (BDC) which I upgraded to 2003, then installed a new 2003 server as an additional domain.  Removed the BDC from the network and just kept the new server 2003 running.  I used ntdsutil to transfer FSMO roles to the 2003 server from the upgraded BDC.

0
 

Author Comment

by:pgamez
ID: 17169439
Still having problems with some systems. I have a couple of 2000 systems as well as XP with all of the service packs.  I am trying to log into the new domain and a couple of them cannot see the new domain, while the other ones can.  Checked DNS settings and they are correct. Anyone have any ideas?

thanks
0
 
LVL 26

Expert Comment

by:Pber
ID: 17169494
You have to start with basics... from the offending desktops:

Can you ping the IP of the DC?
Can you ping the name of the DC?
0
 

Author Comment

by:pgamez
ID: 17170274
I can ping the IP address but not the name of the DC.  I've also noticed that on occasion the login script does not run from one of the PCs that's logging into the new DC.

thanks
0
 

Author Comment

by:pgamez
ID: 17177615
I don't know if this also helps, but I placed 3 systems on their own switch as well as the DC server and removed them from the rest of the network.  I was able to ping the DC and IP address as well as join the domain.  As soon as I connect the switch or the DC to the rest of the network I am unable to ping it etc.  Do I need to contact our ISP and inform them of the new server?  Our ISP currently hosts our DNS settings for outside of the network.
0
 
LVL 26

Expert Comment

by:Pber
ID: 17177652
So ultimately all your clients should be pointing to your DC for DNS.  The DNS server should be configured with a forwarder to the ISP's DNS.  
0
 

Author Comment

by:pgamez
ID: 17177682
I don't remember if I did that or not. Is there a way of checking it out and installing the option?

thanks,
0
 
LVL 26

Expert Comment

by:Pber
ID: 17177736
Well, on the clients it is configured in the TCP/IP properties.

Load Control Panel and select Network Connections
Double-click the NIC and select Properties
In the "This connection uses the following items" list, select TCP/IP and select Properties
In the General tab you configure the IP address and the DNS server.  The DNS server address should be the IP of your DC.

If you are using DHCP, then it is a little different.  You need to configure that in the DHCP scope.

On the DC to set the forwarder...
Load the Administrative tools
Load the DNS MMC
right click the server and select properties
Select the Forwarders TAB
Add the ISP DNS server to the "Selected domain's forwarder IP address list".

This way the clients will always go to the DC for DNS.  If the client wants to connect externally, the DC's DNS server will redirect them to the external DNS server for resolution.
0
 

Author Comment

by:pgamez
ID: 17177813
I've done the first part on the local PCs and have just set up the settings per your instructions on the DC to set the forwarder.  Will let you know what happens.

thanks
0
 
LVL 26

Expert Comment

by:Pber
ID: 17177878
Also if you are not using WINS, you might need to configure the dns suffix on the clients.  Load the TCP/IP settings and select Advanced and select the DNS TAB
Enter your domain name (rockville.hcmg.net\) in the DNS suffix for this connection.
0
 

Author Comment

by:pgamez
ID: 17178193
Thanks for the info. I ran a dcdiag on the server and these are the results that I got:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\HCMGPRIME
      Starting test: Connectivity
         HCMGPRIME's server GUID DNS name could not be resolved to an
         IP address.  Check the DNS server, DHCP, server name, etc
         Although the Guid DNS name
         (38b0dcaa-4aa2-408e-bde8-8da87d7f55ef._msdcs.rockville.hcmg.net)
         couldn't be resolved, the server name (hcmgprime.rockville.hcmg.net)
         resolved to the IP address (10.1.0.23) and was pingable.  Check that
         the IP address is registered correctly with the DNS server.
         ......................... HCMGPRIME failed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\HCMGPRIME
      Skipping all tests, because server HCMGPRIME is
      not responding to directory service requests

   Running enterprise tests on : rockville.hcmg.net
      Starting test: Intersite
         ......................... rockville.hcmg.net passed test Intersite
      Starting test: FsmoCheck
         ......................... rockville.hcmg.net passed test FsmoCheck

0
 
LVL 26

Accepted Solution

by:
Pber earned 50 total points
ID: 17178240
Make sure the TCP/IP settings on the DC are pointing to itself for DNS as well.
Once that is confirmed, ensure the DHCP client service is running on the DC.
Once that is confirmed, do an ipconfig /registerdns on the DC.
Restart the netlogon service.
Wait about 1 minute.
Re-run dcdiag.

0
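The accepted steps as a batch file for the DC, shown here as an added example that is not part of Pber's answer. The domain name, IP address and GUID are the ones in the dcdiag output posted above, and the findstr patterns assume English-language tool output.

```bat
@echo off
rem Added example, not from the thread. Run on the DC as an administrator.
rem DOMAIN, DC_IP and DC_GUID are copied from the dcdiag output posted above;
rem the findstr patterns assume English-language tool output.
setlocal
set DOMAIN=rockville.hcmg.net
set DC_IP=10.1.0.23
set DC_GUID=38b0dcaa-4aa2-408e-bde8-8da87d7f55ef

rem Step 1: the DC must use itself as its DNS server.
netsh interface ip show dns | findstr /L /C:"%DC_IP%" >nul
if errorlevel 1 (
    echo [FAIL] %DC_IP% is not listed as a DNS server on this DC. Fix TCP/IP first.
    exit /b 1
)

rem Step 2: the DHCP Client service performs dynamic DNS registration,
rem even when the address is static, so it must be running.
sc query Dhcp | findstr /L /C:"RUNNING" >nul
if errorlevel 1 net start Dhcp

rem Step 3: re-register this host's own records.
ipconfig /registerdns

rem Step 4: restarting Netlogon re-registers the SRV records and the
rem GUID alias under _msdcs that dcdiag could not resolve.
net stop netlogon
net start netlogon

rem Step 5: give the dynamic updates about a minute to land.
ping -n 61 127.0.0.1 >nul

rem Step 6: confirm the records exist by asking the DC's own DNS service.
nslookup -type=CNAME %DC_GUID%._msdcs.%DOMAIN% %DC_IP% 2>nul | findstr /L /C:"canonical name" >nul
if errorlevel 1 (echo [FAIL] GUID alias still missing) else (echo [ OK ] GUID alias resolves)

nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DC_IP% 2>nul | findstr /L /C:"svr hostname" >nul
if errorlevel 1 (echo [FAIL] DC locator SRV record missing) else (echo [ OK ] DC locator SRV record found)

rem Step 7: re-run the test that failed.
dcdiag /test:Connectivity
endlocal
```

If step 6 still reports a missing record, check that the rockville.hcmg.net zone on the DC accepts dynamic updates before repeating the run.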
 

Author Comment

by:pgamez
ID: 17195030
Thank you very much for all of your help. Our PCs are now connecting to the new server.
0
