rmfb asked:
Joining a Server 2003 box to a 2008 R2 Domain

Hi

I have a Server 2008 R2 PDC. Within this domain I have another box that sits just as a domain member (another 2008 R2, no promo, just sits there all happy as a file server).

I have taken a Server 2003 box off another domain and have now joined it to the above domain, again as a member, no promo or anything. This runs a SQL Server database; that's all it does.
As soon as it is a member of the above new domain I cannot RDP into it (access is denied, contact your administrator). Also, logging onto the machine using the domain credentials is very slow, like 15 mins and still going. I have done the DNS thing etc. and they are OK. Is there something I am missing? If I log on locally the machine is as bright and fast as a spark.

I have just joined 70 PCs to the new domain no problem and they work all OK.
joeyw

Are your server IP settings hardcoded, or do they pull from DHCP? I had this problem before and the DNS servers were hardcoded to an old server that no longer existed.
Darius Ghassem
Make sure you are only pointing to the DC for DNS; you should not have external DNS servers listed.

Post ipconfig /all
Hi,
After checking the network configuration as recommended above, you could also check there are no group policies preventing RDP connections or other restrictions.

Regards
Si.
rmfb (ASKER)

Firstly

Tried both DHCP and static, and yes, my server DNS only points to the primary DNS server on the network.

I have searched the registry for IPs relating to the old server, found one and dealt with it.

No, there are no policies stopping it remoting in, as I can remote into the other server in the OU.

Have checked local policy and nothing.

It's almost as if the machine is not authenticating properly with 08 or something, but I don't want to throw you off the scent. If I go down to local policy and try to add an account in security, for example "allow logon through terminal services", it hangs and tries to search Active Directory, then eventually comes up with something.

Any ideas how to rid the system of the last domain traces etc., like DNS?

Seems like a DNS issue or an AD issue.

Remove system off the domain and delete the computer account from AD. Reboot server.

Rejoin server to the domain.
Is the server using a one-to-one NAT in your firewall, mapping an external address to your internal address? If so you may have to create a rule to allow internal traffic to hit the NAT.

For the domain stuff, try nslookup. Once active, just type the server address like www.acme.com to see what IP comes back. This will also tell you which DNS server is trying to supply you the information. Also, if these IPs changed recently, try doing an ipconfig /flushdns on your DNS server to clear the cache.
rmfb (ASKER)

No NATs, all on the same network and same subnet. DNS working fine; other machines log on swiftly, DNS resolves etc.

Interestingly, whenever I try to browse Active Directory from the Server 2003 machine it says "the system detected a possible attempt to compromise security. Please ensure you can contact the server that attempted to authenticate you."

This is weird.

Just joined another XP machine to the domain to show I'm not going mad and all went OK.

Yet from all other machines I can browse Active Directory and other parts at will.

Was this server a DC, or did it run any roles (like DNS or DHCP) in the old network? If so, you may need to stop these services.

Another thing to check is static routes. Do a netstat -r and check for any persistent routes, or do a tracert to see what path the server thinks it should take.
rmfb (ASKER)

This server did not house DHCP, but it did house a DNS server, which has been removed; all services are stopped.
rmfb (ASKER)

If I put it back on the old domain it works perfectly again. I will look at what you suggested.
Generally, a machine has to be a DC to run DNS. If this is the case, you need to dcpromo this server to demote it before you try to move it.
Are you sure that the 2003 server is joined to the new domain?
rmfb (ASKER)

No, I'm not sure that this machine has fully joined the domain, although it exhibits that it has. That's what I'm trying to explain. It joins but has no access to the PDC because it is always denied. The account shows in Active Directory and exhibits characteristics that it has joined, but nothing can access the DC; not even if I try to add a security group to a file can it find the DC. It sees it but is being denied access for some reason.

So, remove the server from the domain then add the server to the new domain. Disable any firewalls or AVs installed.

Post ipconfig /all from server and DC.

Run dcdiag post results.
rmfb (ASKER)

Okay, on a little more investigation I have some other news about this machine (perhaps I should have mentioned I've inherited this site).

The machine is running on an intranet; it's a UK schools intranet. There are several thousand schools on this intranet. The school is running a program called Serco, which uses IIS to promote a working website link to the program for external use. When we did an nslookup it revealed that the machine was resolving to eportal.name of school.sch.uk. Talking to the previous tech, this was because the intranet's techs made a DNS entry on their servers to resolve this to the IP of the machine. Externally they made an entry so that the website resolved to the static IP, then on to the internal (on the intranet and machine IP).
I have now changed the IP of the machine and it is now resolving to the internal name of the machine (serverF) when I do an nslookup. But still the machine will not allow me to log on remotely (access denied). The machine hangs if I log on locally and try to add a security item (user) to a file for a test, which indicates to me it is still not finding or accessing Active Directory or even the PDC. It cannot register an entry into DNS on the PDC. I have repaired the LAN connection and reset the Winsock in case this was damaged. There must be an entry somewhere polluting this machine looking in the wrong direction, but can I find it? No.

I am convinced this is a DNS problem now. I have done all DNS tests, run dcdiag on the PDC and cannot see anything untoward. I'm not great on IIS so don't know where to look to see if this is a possible cause.
On the remote desktop issue, did you click on the Select Remote Users button to see if access was limited to only remote users? Also, if the firewall is running, I would turn it off until this situation is resolved.
rmfb (ASKER)

There is no firewall internally in the school on our scope, only at the gateway, which is controlled by the county authority. Access: I have tried different configs to try to eliminate that.
On the website access, since this was on an intranet, the previous admin could have locked it down to the old domain. In the IIS admin screen (found in Administrative Tools), right-click on the website and select Properties. Choose the Directory Security tab and verify each of the settings.
Is the Windows Firewall service turned off? Also, is the server running anything like McAfee security suite that would have a firewall on, or access permissions configured on the virus tab?
Please post ipconfig /all for the server and a working DC.
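The checks suggested across the thread (DNS pointing only at the DC, nslookup against the DC, netstat -r for leftover persistent routes, and whether the machine account actually has a working trust with the new domain) collected into one diagnostic script. This is an added example, not code from the thread; it assumes PowerShell 2.0 and nltest are installed on the member server (nltest comes from the Support Tools on 2003), and $DomainFqdn and $DcIp are placeholders to fill in.

```powershell
# Added diagnostic script (not from the thread). Run on the affected member server.
param(
    [string]$DomainFqdn = 'newdomain.example',   # placeholder: DNS name of the 2008 R2 domain
    [string]$DcIp       = '10.0.0.1'             # placeholder: IP of the 2008 R2 DC / DNS server
)

# 1. Every IP-enabled adapter must list only the DC as its DNS server (no old or external servers).
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $bad = @($_.DNSServerSearchOrder | Where-Object { $_ -ne $DcIp })
    if ($bad.Count -gt 0) {
        Write-Warning ("{0}: DNS servers other than the DC: {1}" -f $_.Description, ($bad -join ', '))
    } else {
        Write-Host ("{0}: DNS points only at {1}" -f $_.Description, $DcIp)
    }
}

# 2. Can the box locate a DC for the new domain through the DC's DNS? (SRV record lookup)
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$DomainFqdn" $DcIp 2>&1
if ($srv -match 'svr hostname') { Write-Host "DC SRV record for $DomainFqdn resolves via $DcIp" }
else { Write-Warning "No DC SRV record for $DomainFqdn returned by $DcIp"; $srv }

# 3. Persistent routes left over from the old network (the netstat -r check).
$persist = netstat -r | Select-String -Pattern 'Persistent Routes' -Context 0,10
if ($persist) { Write-Host 'Persistent routes section (review for stale entries):'; $persist }

# 4. Is the machine account's secure channel to the new domain healthy?
#    Failure here matches the symptoms: joined in AD, yet every access to the DC is denied.
$sc = nltest /sc_query:$DomainFqdn 2>&1
if ($sc -match 'Success') { Write-Host "Secure channel to $DomainFqdn is OK" }
else { Write-Warning "Secure channel test failed; remove the computer account and rejoin:"; $sc }
```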
ASKER CERTIFIED SOLUTION
rmfb