Solved

Joining a Server 2003 box to a 2008 R2 Domain

Posted on 2010-08-23
Last Modified: 2012-05-10
Hi

I have a Server 2008 R2 PDC. Within this I have another box sat just as a domain member (another 2008 ver R2, no promo, just sits there all happy as file server).

I have taken a Server 2003 box off of another domain and have now joined it to the above domain, again as a member, no promo or anything. This runs a SQL Server database; that's all it does.
As soon as it is a member of the above new domain I cannot RDP into it (access is denied, contact your administrator). Also, logging onto the machine using the domain credentials is very slow, like 15 mins and still going. I have done the DNS thing etc. and they are OK. Is there something I am missing? If I log on locally the machine is as bright and fast as a spark.

I have just joined 70 PCs to the new domain no problem and they all work OK.
0
Question by:rmfb
21 Comments
 
LVL 4

Expert Comment

by:joeyw
ID: 33500583
Are your server IP settings hardcoded or do they pull from DHCP? I had this problem before and the DNS servers were hardcoded to an old server that no longer existed.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33500937
Make sure you are only pointing to the DC for DNS; you should not have external DNS servers listed.

Post ipconfig /all
0
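The check suggested in the comment above (a domain member should list only the DC for DNS, confirmed from `ipconfig /all`), as an added example that is not part of the thread: a Python parser that pulls the DNS servers and primary DNS suffix out of pasted `ipconfig /all` text and flags what does not belong to the new domain. The sample output, addresses, domain names and function names are constructed, and it assumes the member's primary DNS suffix should equal the AD domain name.

```python
import re

# Constructed `ipconfig /all` excerpt; suffix and addresses are made up.
SAMPLE = """\
Windows IP Configuration

   Primary Dns Suffix  . . . . . . . : olddomain.example

Ethernet adapter Local Area Connection:

   IP Address. . . . . . . . . . . . : 10.0.0.20
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       192.0.2.53
"""

# "Label . . . : value" rows; the space before ':' keeps IPv6 values out.
FIELD = re.compile(r"^\s+(.+?)[ .]*\s:\s*(.*)$")

def parse_ipconfig(text):
    """Return (primary_dns_suffix, {adapter: [dns_server, ...]})."""
    suffix, adapters, adapter, in_dns = "", {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace():        # unindented: section header
            head = line.strip()
            adapter = head[:-1] if head.endswith(":") else None
            in_dns = False
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            in_dns = key == "DNS Servers"
            if key == "Primary Dns Suffix":
                suffix = value
            elif in_dns and adapter and value:
                adapters.setdefault(adapter, []).append(value)
        elif in_dns and adapter and line.strip():  # continuation: extra DNS server
            adapters.setdefault(adapter, []).append(line.strip())
    return suffix, adapters

def audit(text, dc_ips, domain):
    """Flag DNS servers that are not DCs and a leftover primary DNS suffix."""
    suffix, adapters = parse_ipconfig(text)
    findings = []
    if suffix.lower() != domain.lower():
        findings.append(f"primary DNS suffix {suffix!r} does not match {domain!r}")
    for name, servers in adapters.items():
        findings += [f"{name}: DNS server {ip} is not a DC"
                     for ip in servers if ip not in dc_ips]
    return findings
```

Calling `audit(SAMPLE, {"10.0.0.10"}, "newdomain.example")` reports both the leftover suffix and the second resolver, which only shows up on the unlabelled continuation line.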
 
LVL 4

Expert Comment

by:evilsi
ID: 33500964
Hi,
After checking the network configuration as recommended above you could also check there are no group policies preventing RDP connections or other restrictions.

Regards
Si.
0
 

Author Comment

by:rmfb
ID: 33501303
Firstly

Tried both DHCP and static, and yes, my server DNS only points to the primary DNS server on the network.

I have searched the registry for IP relating to the old server and found one and dealt with this.

No, there are no policies stopping it remoting in, as I can remote into the other server in the OU.

Have checked local policy and nothing.

It's almost as if the machine is not authenticating properly with 08 or something, but I don't want to throw you off the scent. If I go down to local policy and try to add an account in security, for example allow logon through Terminal Services, it hangs and tries to search Active Directory, then eventually comes up with something.

Any ideas how to rid the system of the last domain traces etc., like DNS?

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33501357
Seems like a DNS issue or an AD issue.

Remove system off the domain and delete the computer account from AD. Reboot server.

Rejoin server to the domain.
0
 
LVL 4

Expert Comment

by:joeyw
ID: 33501519
Is the server using a one-to-one NAT in your firewall, mapping an external address to your internal address? If so, you may have to create a rule to allow internal traffic to hit the NAT.

For the domain stuff, try nslookup. Once active, just type the server address like www.acme.com to see what IP comes back. This will also tell you which DNS server is trying to supply you the information. Also, if these IPs changed recently, try doing an ipconfig /flushdns on your DNS server to clear the cache.
0
 

Author Comment

by:rmfb
ID: 33501752
No NATs, all on same network and same subnet. DNS working fine, other machines log on swiftly, DNS resolves etc.

Interestingly, whenever I try to browse Active Directory from the Server 2003 machine it says the system detected a possible attempt to compromise security. Please ensure you can contact the server that attempted to authenticate you.

This is weird.

Just joined another XP machine to the domain to show I'm not going mad and all went OK.

Yet from all other machines I can browse Active Directory and other parts at will.

0
 
LVL 4

Expert Comment

by:joeyw
ID: 33501999
Was this server a DC or did it run any roles (like DNS or DHCP) in the old network? If so, you may need to stop these services.

Another thing to check is static routes. Do a netstat -r and check for any persistent routes, or do a tracert to see what path the server thinks it should take.
0
 

Author Comment

by:rmfb
ID: 33502200
This server did not house DHCP but it did house a DNS server, which has been removed; all services are stopped.
0
 

Author Comment

by:rmfb
ID: 33502217
If I put it back on the old domain it works perfectly again. I will look at what you suggested.
0

 
LVL 4

Expert Comment

by:joeyw
ID: 33502267
Generally, a machine has to be a DC to run DNS. If this is the case, you need to dcpromo this server to demote it before you try to move it.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33502786
Are you sure that the 2003 server is joined to the new domain?
0
 

Author Comment

by:rmfb
ID: 33505138
No, I'm not sure that this machine has fully joined to the domain, although it exhibits that it has. That's what I'm trying to explain. It joins but has no access to the PDC because it is always denied. The account shows in Active Directory and exhibits characteristics that it has joined, but nothing can access the DC; not even if I try to add a security group to a file, it cannot find the DC. It sees it but is being denied access for some reason.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33505303
So, remove the server from the domain then add the server to the new domain. Disable any firewalls or AVs installed.

Post ipconfig /all from server and DC.

Run dcdiag and post results.
0
 

Author Comment

by:rmfb
ID: 33526058
Okay, on a little more investigation I have some other news about this machine (perhaps I should have mentioned I've inherited this site).

The machine is running on an intranet; it's a UK schools intranet. There are several thousand schools on this intranet. The school is running a program called serco which uses IIS to promote a working website link to the program for external use. When we did an nslookup it revealed that the machine was resolving to eportal.name of school.sch.uk. Talking to the previous tech, this was because the intranet's techs made a DNS entry on their servers to resolve this to the IP of the machine. Externally they made an entry so that the website resolved to the static IP, then on to the internal (on the intranet and machine IP).
I have now changed the IP of the machine and it is now resolving to the internal name of the machine (serverF) when I do an nslookup. But still the machine will not allow me to log on remotely (access denied). The machine hangs if I log on locally and try to add a security item (user) to a file for a test, which indicates to me it is still not finding or accessing Active Directory or even the PDC. It cannot register an entry into DNS on the PDC. I have repaired the LAN connection and reset the Winsock in case this was damaged. There must be an entry somewhere polluting this machine looking in the right direction, but can I find it? No.

I am convinced this is a DNS problem now. I have done all DNS tests, run dcdiag on the PDC and cannot see anything untoward. I'm not great on IIS so don't know where to look to see if this is a possible cause.
0
 
LVL 4

Expert Comment

by:joeyw
ID: 33526110
On the remote desktop issue, did you click on the select remote users button to see if access was limited to only remote users? Also, if the firewall is running, I would turn it off until this situation is resolved.
0
 

Author Comment

by:rmfb
ID: 33526138
There is no firewall internally in the school on our scope, only at the gateway, which is controlled by the county authority. Access: I have tried different configs to try to eliminate that.
0
 
LVL 4

Expert Comment

by:joeyw
ID: 33526144
On the website access, since this was on an intranet, the previous admin could have locked it down to the old domain. In the IIS admin screen (found in Administrative Tools), right-click on the website and select Properties. Choose the Directory Security tab and verify each of the settings.
0
 
LVL 4

Expert Comment

by:joeyw
ID: 33526161
Is the Windows Firewall service turned off? Also, is the server running anything like McAfee security suite that would have a firewall on or access permissions configured on the virus tab?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33526561
Please post ipconfig /all for the server and a working DC.
0
 

Accepted Solution

by:
rmfb earned 0 total points
ID: 33625703
Okay, upgraded the server to 2008 and all cured now.
0
