New server install problems

  • Thread starter Thread starter gerritjan
  • Start date Start date
G

gerritjan

Hi,

because of a server-crash and tapeware-disaster-recovery-problems I had to
do a new w2k server install.
Situation: 1 W2k server, 15 clients (XP-pro mostly) with AD and roaming
profiles.
Internet access with a router, root zone in DNS removed, added router-IP to
DHCP.

The install went OK, but when the clients started to connect all kinds of
problems appeared: host-client trustrelations failing, shared folders taking
ages to access, general network delays, etc...

I'm out of options..8-(
Hope anyone has some suggestions, TIA!

Gerritjan
 
Isn't that W2k AD require its own DNS to work?

It is going to registry all servers communication protocal, clients info and
everything into DNS.
 
gerritjan said:
Hi,

because of a server-crash and tapeware-disaster-recovery-problems I had to
do a new w2k server install.
Situation: 1 W2k server, 15 clients (XP-pro mostly) with AD and roaming
profiles.
Internet access with a router, root zone in DNS removed, added router-IP to
DHCP.

The install went OK, but when the clients started to connect all kinds of
problems appeared: host-client trustrelations failing, shared folders taking
ages to access, general network delays, etc...

I'm out of options..8-(
Hope anyone has some suggestions, TIA!

Gerritjan
Click to expand...

A new W2K install implies a new forest and domain was created since this is
the only DC. Don't be fooled by names, its the SID that matters. Did you
recreate the client's computer accounts and user accounts? Probably yes. Did
you join the clients to this new domain? Again, the forest's root domain
name is irrelevent. Names are for human consumption only.

Backup the profiles. Set the forwarders on private DNS to query the ISP's
dns server. Supply dns compatible URLs to your clients so as to provide dns
resolution and not netbios resolution.

ie: \\server.domain.local\share
 
A new W2K install implies a new forest and domain was created since this is
the only DC. Don't be fooled by names, its the SID that matters. Did you
recreate the client's computer accounts and user accounts? Probably yes.
Click to expand...
Yes, I did.
Did
you join the clients to this new domain? Again, the forest's root domain
name is irrelevent. Names are for human consumption only.
Click to expand...

Is this necessary for workstations or for users; I mean, is the SID
generated per workstation or per user?

thanks....
 
gerritjan said:
Yes, I did.


Is this necessary for workstations or for users; I mean, is the SID
generated per workstation or per user?
Click to expand...
.... and per domain, and per server , so secure channel to new domain fails
because key is incorrect
you need to rejoin _all_ workstations to domain
 
You're going to have to re-create everything. All your user accounts, all
PCs will need to be disjoined from the domain (ignore the error message
about not being able to delete the computer account as that is normal in
this situation) and re-joined to the domain, file shares and printer shares
will need to be deleted and re-created, etc.

Every object in Active Directory had a SID - the operative words are "HAD A
SID". With a new domain controller they all must be re-created.

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Jeremy Sun said:
Isn't that W2k AD require its own DNS to work?

It is going to registry all servers communication protocal, clients info and
everything into DNS.
Click to expand...

He is using DNS, he's also set it up correctly for a private domain. Thats
what he stated. The root zone is deleted, otherwise you couldn't specify
forwarders to query on behalf of clients.

Think about it this way. If a client needs to resolve a public internet
name, does it make sense to have each client query the ISP's dns server? Why
have to configure a firewall to allow this and then have to deal with the
resulting security hole.

Instead, let the private dns server query the ISP's dns server on the
client's behalf. There are 4 benefits that result of this.

1) clients only need to query the private dns server, the private dns
forwards external queries for the client (a single session results between
dns servers).
2) external queries are cached by private dns.
3) clients need not open a session with the ISP's dns server.
4) a single point of resolution is provided for the entire network.
 
gerritjan said:
Yes, I did.


Is this necessary for workstations or for users; I mean, is the SID
generated per workstation or per user?

thanks....
Click to expand...

The workstations need a new account on the domain if these workstations are
NT based (NT4, W2K or XP). Since the users in question don't exist on the
workstation, but rather on the new domain, these users will be new accounts
as well.

I know: its a pain. But realizing that an FQDN related to a given domain's
workstation is actually:

worskstation-SID.domain-SID.local

This will explain the issues you see (and eventually provide a fix).

This will also entice you to develop and test a procedure to recover a
domain and its accounts (active directory recovery). failure to do this is a
waiting timebomb. You now also understand the benefit of a second DC on the
network (replication of the active domain). Even a cheap system as a
secondary DC will provide redundancy.

Speaking of recovery, and moving forward into the subject of recoverability:
please, please backup encryption keys.

Let us know if we can provide any help.
 
Thank you, all, for your most helpfull responses.
It took a few days but the server is up and running again. I will push my
custome towards a foolproof backup solution and/or a second DC.

gerritjan
 
Gerritjan,

Seems like you have some good answers. Recreate the 15 user account
objects. Go to each workstation and join it to a workgroup and then join it
to the new domain. A pain but no other way to do this.

Question for you on the 'added Router-IP to DHCP': I hope that you mean that
you are using this as the default gateway! What I am getting at is that a
lot of people who used to run WINNT 4.0 domains will have the DNS Servers of
their ISP in the DHCP Options. This is not necessary and highly problematic
in WIN2000 and WIN2003 Active Directory environments. The only DNS Server
information that the internal clients need is the internal DNS Server. And
if you are using the same AD name as your registered Domain Name ( such as
microsoft.com for your AD and you are registered as microsoft.com ) then
your internal clients will have a hard time reaching
http://www.microsoft.com. You will need to create a Host Record ( or, if
you prefer, an A Record ) in the Forward Lookup Zone in your DNS and create
a 'www' record - without the quotes - and give it the Public IP Address.

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Glad to hear it all came out well in the end. You may not need to get too
fancy on your backup solution - NTBackup can back up the "System State" and
get what you need for a rebuild. See more here:

http://www.microsoft.com/technet/pr...irectory/maintain/opsguide/part1/adogd03.mspx

--
Richard G. Harper [MVP Shell/User] (e-mail address removed)
* PLEASE post all messages and replies in the newsgroups
* for the benefit of all. Private mail is usually not replied to.
* My website, such as it is ... http://rgharper.mvps.org/
* HELP us help YOU ... http://www.dts-l.org/goodpost.htm
 
Seems like you have some good answers. Recreate the 15 user account
objects. Go to each workstation and join it to a workgroup and then join it
to the new domain. A pain but no other way to do this.
Click to expand...

Only advantage: you get to know every user personally ;-)

Question for you on the 'added Router-IP to DHCP': I hope that you mean that
you are using this as the default gateway!
Click to expand...
Yes, don't worry. The internal DNS-server is the only one in the DHCP
options, the router is the gateway.
Thanks for your response.

gerritjan
 
True, you do get to know everyone personally. However, I would rather get
to know everyone personally at the infamous water cooler then when doing my
job and do my job in a more 'intelligent' manner. Please do not
misunderstand me. I used to (sometimes) enjoy going from desk to desk. The
problem with that is the 'since you are here, the color on my screen is not
right anymore and the icons on my desktop are not there any more and how do
I create a pivot table in MS Excel and how come I can not send that 27MB
file to my buddy ( do not ask what type of file it is....you already know
what it is! ) and.....'! If you have only 15 desktops this might be okay.
However, in a 300-seat environment this is not really feasible. And in a
10,000-seat environment there is no time to go seat-to-seat!

And there might be a way to do this with netdom!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
What was the original question? If it is joining machines to a domain, I
have never seen any "remote" way to do that. It always had to be done at the
machine, one machine at a time.
 
Back
Top