W2K AD Domain issues, migration and rename native mode

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi all,

I have a client that has a poorly designed (IMHO) AD with only one Windows
2000 DC. There are multiple errors in the DS and DNS logs (I have DS-MPS
reports) and the domain is a public domain (someone else's .com) which seems
to be causing conflict on the owner's domain. Also the servername.domain is
the same as another servername.com of a public-facing server across the
Internet. I have temporarily fixed it by removing forwarders and isolating
the local DC but it still has root hints. All the clients have the local
DC/DNS listed first in DNS servers, second is the ISP DNS.

I have been looking to setup another temp W2K DC to migrate the FSMO foles
to and all the AD info (shares, printers, users, computers, etc). But the
articles that I have been reading say that DCs in native mode cannot have
their domains renamed. Is there a workaround? How Painful would it be?

Thanks.

RM-Admin
 
RM-admin said:
Hi all,

I have a client that has a poorly designed (IMHO) AD with only one Windows
2000 DC. There are multiple errors in the DS and DNS logs (I have DS-MPS
reports) and the domain is a public domain (someone else's .com) which seems
to be causing conflict on the owner's domain. Also the servername.domain is
the same as another servername.com of a public-facing server across the
Internet. I have temporarily fixed it by removing forwarders and isolating
the local DC but it still has root hints. All the clients have the local
DC/DNS listed first in DNS servers, second is the ISP DNS.

I have been looking to setup another temp W2K DC to migrate the FSMO foles
to and all the AD info (shares, printers, users, computers, etc). But the
articles that I have been reading say that DCs in native mode cannot have
their domains renamed. Is there a workaround? How Painful would it be?

Thanks.

RM-Admin
Click to expand...

It's gonna be painful. Is the server on a hardware RAID? Can you ghost
the system drive/partition to make a copy? If so, that'll buy you a
fail-safe backup of your domain. Then, assuming you don't have Exchange
running on the DC, you could upgrade to to Server 2003, put it in 2K3
functional level, which allows renaming the domain. There are a few
other requirements, and I've never done it, so I wouldn't recommend
doing it without a backup.

If you can't ghost the drive, you can bring up a new DC, transfer all
the FSMO roles, take the original off line, then upgrade the new one to
W2K3 and try renaming that one.

If you have Exchange installed on your DC, you'll need more suggestions.

....kurt
 
Hi RM,

Even with the overload of having the internal domain being the same
<domain>.com as someone else, this usually doesn't affect the performance of
the domain or internal clients unless they have to access resources that are
in that other .com.

If all of your clients are looking at your AD Integrated DNS and any
external resources that they need in the internet facing .com are spoofed in
your DNS, this should work just fine. The problems arise when you are
reaching out to those other services and you ahve to be careful -- especially
if doing hairpin routes through a firewall into a DMZ.

To answer your question directly, you can only rename domains that are
running 2003 in native mode for both the domain and forest -- and this is an
involved process. With only one DC, I would suggest getting a second one up
(as you should ALWAYS have two if you can afford it) and work on the health/
structure of your domain.

Migrating to another domain would require a domain migration. This is also
a very involved process and it might be easier to manually move things if
your domain is very small. Otherwise, have a look at the ADMT tools to help
you speed that up.

Let me know if you need help stepping through that.

Best of luck!
 
Ok so my client does not have 2003 or ADI DNS. They have 1 Win2000Srv in
native mode (not NT 4 compatible). There are a few shares, printers, group
policies, permissions etc. And I suppose I could bring up another test
2000/2003 Server box move the DC roles and DS structure over to the new box,
then demote the old box. But I am not sure how renaming the domain from .com
to .local would work, or if at all from what you are saying and the
infomation I have read. Also DNS and DS are getting multiple errors in the
event log (I can send the MPS-DS to you if you have the viewer) or the logs.
When I came on board DS was totally screwed and you could not bring up any
info in ADUC (or other DS MMCs). I got that part running and still I have
this confliction between domains. I had the ISP (who controls DHCP and
outside DNS) make changes to DHCP scope options to put our private DNS first
in the DNS server order but what seems to be occurring in sometimes the DNS
stops responding, clients start to automatically query the secondary DNS
(ISP) which points them to the other .com servers causing an outage. At
those times when I go to a client and ping the hostname of the local server
(DC) I recieve the IP of a remote host which happens to be a public server
with the same host.domain.com so I was wanting to correct this once and for
all by renaming the domain. Also other hosts are bieng registered apparently
on the remote domain as the same issue happened when trying to ping a local
HP net printer (jet direct) with an odd-ball default name of NPI2D... so
that was really wierd too. Also I noticed in the DS event log that other
remote DNS servers were trying to do zone transfers. I removed all other
servers from the domain so that they should be refused as unathorized. But I
can't help but think that these events are related.

Also I agree that islanding a DNS/DC like it is now setup is a bad idea but
this is how it was setup prior to my involvment. And had ran well for a
couple years. My client feels that his single server is sufficient for his
small business (10 computers), and does not understand the importance of
redundant of DC/DS/DNS.

I have never perfomed a live AD migration and I would be willing to look at
any information that you think would be helpful and the AD tools.

Also we have NAT on our ISP router now with no hairpin routes or DMZ. We
have no services available to remote or internet users at present and no
static routes. It is a small business network that is fairly simple. The
server however would require a significant effort to rebuild and has
essential shared applications, attached storage, shares, permissions, etc.
located locally. I am not trying to scrap this installation and rebuild,
only as a last alternative.

Please let me know if you have any ideas or need any additonal info.
 
Back
Top