Solved

Options to Build Domain Controller

Posted on 2010-08-22
Last Modified: 2012-05-10
Hello Experts!!

I need to know what options I have in order to build or rebuild a DC.

1. My previous DC is no longer working and I have no backups of it... (admin password was not able to be recovered by any tool) so I had to go and proceed with the DC re-creation...

2. I have one server that I can convert to a DC... and/or I have built up a new server from 0 (installing Win Server 2003 Enterprise)
3. I currently have AD-Exchange 2003 running as my email system...

What options do I have?
Will I be able to use my current domain? And how can I do that?
Will it be better if I use another domain name?

I really appreciate your help
Thanks!

0
Question by:ARPI
23 Comments
 
LVL 3

Expert Comment

by:eldios
ID: 33497834
You can use your current domain name since the old one is no longer in existence.  Since the domain is gone, naming it the same name wouldn't hurt anything.  I would always recommend a fresh installation of Windows Server if you can.  You will also have to disjoin your client machines from the old domain and join them to the new one, even though the new one is the same domain name.
0
 

Author Comment

by:ARPI
ID: 33497850
eldios,

Do I need to do something else on the exchange server?

thanks!
0
 
LVL 3

Expert Comment

by:Telxon
ID: 33497874
Is the Exchange server also a DC? How is Exchange still receiving email for the domain without a DC?

Previous poster is correct. Since the domain is gone (assuming that really was the only DC on the network) using the same internal domain name is fine. You will have to disjoin all the workstations from the domain and rejoin them.

I would run the FAST wizard or Windows Easy Transfer (depending upon what version of Windows) since you'll be losing all the profiles for the workstations when you disjoin and rejoin. If you run the FAST wizard to restore the settings after re-joining, you'll have much happier users  :-)  . Also, if the DC was a file server, when you restore the files to it, you'll want to restore without preserving the previous security.

Lastly, have you already wiped the old DC? There are a lot of password recovery tools out there. It sounds like you're in last effort mode. It couldn't hurt to try a couple of more.

Best of luck in the unfortunate situation -- it's no small undertaking to rebuild a domain from scratch and make it just like the previous one.
0
 
LVL 16
ID: 33497876
If you only had one DC, and it is not functioning, and you have no backup, then you're basically stuck with rebuilding your domain. If your domain is down I doubt that Exchange is functional. Your options if you don't have a backup of Exchange are likely going to boil down to exporting all your mailboxes at the client level (if they are caching the mailbox locally).

Rebuild your domain, rebuild Exchange, rejoin your clients to the new domain, and then import your PSTs either from the client or using Exmerge.

MO
0
 

Author Comment

by:ARPI
ID: 33497894
Telxon,

Unfortunately my Exchange server is not a DC (but will be after all this issue).

Yes, the Exchange server was still receiving emails... Funny thing is, if I disconnect the DC (old/crashed password) from the network nothing works!! So I had to leave the server connected until the weekend, to not disturb office operations...

How do I run the Windows Easy Transfer?
Lucky me that the server was only a DC... but I will double-check to be on the safe side...

I haven't wiped out the old DC. I tried a few; I guess they weren't the correct ones...


0
 
LVL 3

Expert Comment

by:tomex07
ID: 33497902
If you have no backup, you will have to start from zero with a new environment.
Domain name doesn't import since you are going to recreate everything.
What you can do is:
1. Install a fresh Windows 2003 R2 SP2
2. Promote the server to Domain Controller
3. Create the users
4. On the old Exchange server, export users' mailboxes to PST with Exmerge
5. Reinstall Windows 2003 R2 SP2, join the server to the new domain, reinstall Exchange
6. Create users' mailboxes
7. Reimport PST to new mailboxes with Exmerge.
8. Rejoin the client machines to the new domain
9. Copy the old user profile to the new user profile

My only concern is to know if Exmerge will run without a running DC but you should try.
Hope this helps.
0
 
LVL 16
ID: 33497904
ok, I'm confused. Your DC is operational, but you don't have the domain admin login? It sounds to me that if exchange is working and your client systems can authenticate then the DC is working. If you suspect that there are problems with the existing DC then get another system and promote it to a DC. Let it replicate and transfer or seize all the FSMO roles. Make sure to make the new DC the Global Catalog. Then you can rebuild the original DC.

MO
0
 
LVL 16
ID: 33497911
tomex07, if the DC is down then Exchange will not work, which means Exmerge will also not work. The important thing to find out here is if the DC and Exchange are really working right now. If the DC is working then my suggestion above will be the best method and will not require any reconfiguration of Exchange, the domain, or the client computers.

MO
0
 
LVL 3

Expert Comment

by:Telxon
ID: 33497926
This *is* unsupported by Microsoft, so use at your own risk. That said, I've had extremely good luck (no damage to date) using Linux-based password recovery tools like: http://www.howtogeek.com/howto/windows-vista/change-your-forgotten-windows-password-with-the-linux-system-rescue-cd/

I think it's your best bet for saving yourself a *ton* of work.
0
 

Author Comment

by:ARPI
ID: 33497943
mgortega,

Believe it or not, the Exchange server was working... The problem was that I was not able to access the DC using my administrator password... I tried a few tools and they didn't work...
0
 

Author Comment

by:ARPI
ID: 33497960
Telxon,

Does this tool work for Windows Server 2003? It says there that it works for XP/Vista...
0
 
LVL 16
ID: 33500160
The tool that Telxon provided won't work. You need the domain admin user account password reset. This tool only resets local user accounts.

MO
0
 
LVL 3

Expert Comment

by:tomex07
ID: 33500539
mgortega, how can he promote a new DC without a Domain Admin account?
I think he has to rebuild a new domain and as Exchange is still working, Exmerge will work too.
0
 
LVL 16
ID: 33501257
ARPI,

I'm not going to argue with tomex. As you can clearly see in my comments above I was asking if the problem was an access/authentication issue or if the system was completely down. Now that we know the server is 100% operational and the problem really is that you don't have domain admin access you will have to rebuild the domain if you can't find a domain admin password reset tool. You will NOT be able to run Exmerge on the Exchange server, because you need full mailbox access to all AD users which you could only set from Active Directory on your DC. Since you can't manage AD then your only option is to stop email from coming into the Exchange server (perhaps at your network firewall), export mailboxes from the client computers, and then rebuild your domain. You can look at my earlier comment where I explained this as well.

Are you sure you don't have another Domain Admin account you can try and log on with? Perhaps one of your other users was part of the Domain/Enterprise/Schema Admin groups?

MO
0
 
LVL 3

Expert Comment

by:rapco
ID: 33501580
ARPI:

1. Stay away as much as possible from reinstalling the DC; you have no idea the amount of work to get that done.
2. Look around for another account with administrator rights that may help you log in, then change the "administrator" password. Any account within the Domain Admin group will be able to do that.
3. Look around for accounts created for monitoring servers; usually people just give them full rights within the domain to monitor everything.
4. You are right in terms of Exchange and DC; you should keep them in different boxes, or VMs.
5. Try logging in in Safe Mode using the credentials you do remember.

Keep us posted.
0
 

Author Comment

by:ARPI
ID: 33502465
mgortega,

I rebuilt a new DC (DC-New) because the other DC (DC-old) was not accepting the administrator authentication password. I tried many tools but none worked... I tried all my possible passwords/username access and still was unable to access my DC-old, so I moved on to create the DC-new.

I tried all my possible domain admin accounts and they didn't work :(

... I have built the DC-new. I named it using the same domain name and used the same IP address as my DC-old...
My next steps are?...
1. Stop Exchange and re-join it to the DC-new... do I need to do something else here?
2. Exmerge all PST emails... do I need to do something else here also?
3. Rejoin all the PCs

I appreciate your help!
Thanks!
:)



0
 
LVL 3

Expert Comment

by:Telxon
ID: 33503216
Sorry about the local / domain password... I should have known that!

Silly question... you don't have *any* other account you can logon to the server that has administrative rights? If you do, you can always reset the "Administrator" password from the other account.
0
 
LVL 3

Expert Comment

by:rapco
ID: 33503940
ARPI:

Try using a password recovery tool from a CD, then log on in Safe Mode.

Usually Linux-based utilities reset the admin password; however, in a DC they are stored in the Active Directory and another set in the SAM registry.

You may want to try:
http://www.petri.co.il/forgot_administrator_password.htm
http://www.nobodix.org/seb/win2003_adminpass.html

Sorry I just want you to stay away from full reinstall and rejoin everyone to the new domain.
0
 

Author Comment

by:ARPI
ID: 33504693
Telxon,

I tried with other accounts and didn't work.

rapco,
I tried both options; they didn't work for me... both options ask you to provide the admin password (directory administrator) and the DC was not accepting any passwords provided...

I still don't understand what happened with the server that didn't accept any passwords
0
 
LVL 16

Accepted Solution

by: Michael Ortega (Internetwerx, Inc.) earned 500 total points
ID: 33506957
ARPI:

Couple things:

1. I would demote DC-new and remove it from the network for now.
2. Turn DC-old back on. You need to do some client maintenance first.
3. Reset the local admin account on all your client computers
4. Export all the cached exchange mailboxes from all your client computers
5. Turn DC-old off.
6. Turn DC-new back on and DCPROMO it with a new domain name. Note: you can use the old domain name, but you'll save some time and make things cleaner with a new private domain name.
7. Create all your AD user accounts, groups, etc.
8. Reload your Exchange server configuring it on the new domain
9. Import all your mailboxes. Note: You can do that now with a tool like Exmerge or you can do it later during the reconfiguration of all your client computers by using Outlook to import
10. Log on locally and join your computers to the new domain. Make sure that DNS is pointing at DC-new. Presumably it will be if you're using the same old private IP of the DC-old. Note: You don't need to remove and then re-join the client computers if you chose a new domain when you created DC-new. You can simply just change the domain name to the new domain. If you created DC-new with the same domain name you will have to remove each client from the domain and then join them.

It's a lot of work, but if you can't get domain admin access back then there is no other way.

MO
0
 
LVL 16
ID: 33506973
One note on the mailbox export in step 4. You'll need to logon with the user account in question to do the export. If you can't then you'll need to use a 3rd party tool to convert their OST to a PST.

This is all based on the assumption that you don't have a good backup of exchange. Make sure that before you start exporting that you stop inbound mail flow by blocking port 25 on your network firewall.

MO

0
 
LVL 3

Expert Comment

by:Telxon
ID: 33507202
Have you had a look at http://www.foofus.net/~fizzgig/fgdump/default.htm ? It's a little long -- follow the instructions carefully, but it claims to be able to retrieve domain passwords from inside the LAN.

Still *a lot* less work than rebuilding the DC.
0
 

Author Closing Comment

by:ARPI
ID: 33549682
Thank you so much experts!!!
0
