James W. Long
Dear Ace and Kevin and All,
Thank you for all your excellent help.
I was lost before I came here and now I am not.
The server is a fully integrated W2KADV AD DNS Server.
It works for the Domain and for the Internet.
With the exception of a few things caused by upgrading
from NT, it went pretty smooth. I had to hack for a bit.
Some things I learned on this journey:
"When upgrading, before you upgrade....."
Can't be said enough.
When upgrading, before you upgrade, update the server BIOS with the
latest revision to support the current ACPI standard. Make sure the
BIOS has ACPI turned on. When the Win2k setup runs off the
booted CD, and it says "hit F6 to install SCSI drivers",
you have to hit F5 (which is not mentioned at all,
thank you very much Microsoft) to get it to properly detect
the ACPI of your system. The ACPI state will determine the
plug and play hierarchy. If ACPI is wrong, and you end up
with "Standard PC" under My Computer in Control Panel,
you will have to reinstall Windows 2000 as an upgrade
to fix it and you will lose data. Microsoft has confirmed this
as a problem. Switching from ACPI to Standard or from Standard to
ACPI can make your machine unbootable due to the fact that the plug and play
hierarchy is radically different between the two states, and it also affects the
location of your boot disk, causing your system to become unbootable.
The only way to fix it is to reinstall W2K.
Too bad they didn't just tell us what to do in the first place.
(ACPI is a standard which allows software control over such things
as completely turning off the computer after you select Shut Down,
going into suspend mode, wake on LAN, wake on USB, etc.)
When upgrading, before you upgrade,
if your domain name was not previously suffixed, suffix it.
If you are running NT 4.0 Server, you can change the domain suffix
in Control Panel -> Network -> Services -> TCP/IP -> Properties ->
Domain Suffix field. And THEN you need to update your NT DNS server
records to the same suffix.
When upgrading, before you upgrade, if you have a
multihomed topology, make sure your binding order is
correct before you upgrade. NICs on the inside have to resolve to
inside addresses and NICs on the outside have to resolve to exterior
addresses. This goes for servers, PDCs, BDCs and client machines alike.
I also disabled every client outside NIC before I upgraded, and totally
disconnected everything from the Internet beforehand as well.
When upgrading, before you upgrade:
My PDC was multihomed and I wanted my
upgraded DC to be multihomed, but I did not upgrade it that way.
It will cause a big problem if you attempt to upgrade
or install with 2 NICs in the PDC/DC system. I removed
the outside NIC before upgrading (it gets put back later, read on).
If you aren't running a good firewall, you'll want to
start your upgrade without the Internet.
After the upgrade but before you connect to the Internet,
you can disable at least the Messenger service (and whatever else)
on the upgraded server, BEFORE you do connect.
Upgrading while directly connected to the Internet raw will pretty much
make an invitation for, and ensure that, you'll receive
the very latest viruses and trojans during the upgrade process.
I disable such services as RunAs, Remote Registry, Terminal Services, Remote
Desktop, BITS, Automatic Updates, NetMeeting, remote access everything,
Routing and Remote Access, and Telephony. Be aware that doing so
will knock out these capabilities while they are disabled, but will also
keep most stuff from coming in, if you do elect to connect.
You can re-enable what you need after you are safely behind a good firewall
again.
I downloaded the full install of Service Pack 4 and
made sure it was slipstreamed into my install before I started.
The upgrade:
My upgrade came up in mixed mode with non-AD-integrated DNS.
This was AFTER I told it I was a new forest in native mode.
So much for that. It must have read my BDC info out of the
PDC's account info and changed my mind for me.
I had to change the DNS server to become AD-integrated,
and I had to change to native mode after I migrated
all my NT servers, PDCs and BDCs included.
I had to restart the Netlogon service in order
to get ALL the AD DNS info added into the DNS server
properly. This is an issue when the upgrade cannot
find a DNS server and then installs one. CLASSIC
chicken-before-the-egg scenario. Microsoft admits
this is a problem.
If you only have a few lines of DNS info such
as the SOA, the NS records, and A records,
you definitely DON'T have ALL the stuff you need for AD DNS,
like all the LDAP records and so on. When it's successful,
there will be GOBS of stuff in your forward zone(s)
in the DNS Manager MMC snap-in about
how to locate your DNS server. You'll know the difference.
And, to really make it work right, you must point yourself
to your own DNS server's IP, and configure a forwarder.
I re-added the second NIC
only after the upgrade, dcpromo, and DNS were working
correctly on the DC and LAN. After the second NIC was installed,
I disabled the first NIC momentarily, and used
the Internet Connection Wizard to point the second NIC
to the Internet. Then I configured the 2nd NIC for DHCP,
except for the DNS section. There, I configured the second NIC's
first DNS server as the IP of my DC.
- Another way to accomplish this is to get a router, preferably
with a good firewall, and use only 1 NIC.
Other stuff I ran into:
I had to disable the NetDDE service and the NetDDE management service,
which were left over from NT, because they would hang in
a start-pending state initially. I suppose if you authenticated
them or the service users correctly, these services would
be able to run under Windows 2000 platforms. I did not care to.
One less security hole for me.
My DC constantly re-disables the write cache on the boot device,
and Microsoft has a fix for that (dskcache.exe) and highly
recommends also that an uninterruptible power supply be in place so the
DC doesn't suddenly lose power, corrupting the write cache and
hard drive. Funny, this must be from an NT upgrade because
my other test DC didn't exhibit this problem. I'm still working on this.
Also "a leftover from the NT system", there is no
"Documents and Settings" folder installed when upgrading
from NT. You would have thought Microsoft would fix that.
All that stuff is where it was under NT,
C:\winnt\profiles, and Win2k references it as "Personal".
I had an IRPStackSize error, and this I looked up on the
Internet. It's an entry in the registry. I increased this value
by two until the error went away.
I want to thank you, Ace and Kevin, both, for all the excellent tech support
that you provided before I did this upgrade. I really understood why
I wanted my domain name suffixed, and I am very delighted it is that way
now.
DNS is doing as it's supposed to; my domain members get right in.
I didn't have to do a thing to my clients except ensure their TCP/IP DNS
properties were default, point to my domain DNS server and reboot. It was
that easy on them.
The DC found them all and they even ended up in my AD DNS automatically.
Awesome.
I'm happy.
Thanks !!!
Rock and Roll!
James W. Long.
Jewelconsulting
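The DNS check described in the post above (a zone holding only SOA, NS and A records versus one carrying the SRV records Netlogon registers for a domain controller), as an added Python example; this is not code from the original post, from Ace or Kevin, or from Microsoft. It assumes a constructed domain corp.example, a DC named dc1 at 192.0.2.10 and the default site name Default-First-Site-Name, and it covers the core Netlogon SRV owner names only (the GUID-keyed _msdcs records are omitted). It goes a step beyond the post: besides listing the SRV names that are missing, it flags SRV targets that have no A record in the zone, which is the case where the locator records exist but clients still cannot reach the DC.

```python
"""Audit a Windows 2000 AD zone for the SRV records Netlogon should register.

Added example, not code from the original post. The domain 'corp.example',
host 'dc1', address 192.0.2.10, site 'Default-First-Site-Name' and both zone
dumps below are constructed for illustration.
"""
import re

# One zone-dump line: "<owner> [ttl] [IN] SRV <prio> <weight> <port> <target>"
# or "<owner> [ttl] [IN] A <ipv4>". TTL and class are optional; owner and
# target may be relative to $ORIGIN. Anything else (SOA, NS, CNAME) is ignored.
SRV_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$", re.I)
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d{1,3}(?:\.\d{1,3}){3})$", re.I)


def expected_ad_records(domain, site="Default-First-Site-Name", pdc=True, gc=True):
    """Core SRV owner names Netlogon registers for a DC, lower-case without a
    trailing dot. The GUID-keyed _msdcs entries are deliberately left out."""
    d, s = domain.rstrip(".").lower(), site.lower()
    names = {
        f"_ldap._tcp.{d}", f"_ldap._tcp.{s}._sites.{d}",
        f"_ldap._tcp.dc._msdcs.{d}", f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{d}", f"_kerberos._udp.{d}",
        f"_kerberos._tcp.{s}._sites.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}", f"_kpasswd._udp.{d}",
    }
    if pdc:
        names.add(f"_ldap._tcp.pdc._msdcs.{d}")
    if gc:  # single-domain forest, so the forest name equals the domain name
        names |= {f"_gc._tcp.{d}", f"_gc._tcp.{s}._sites.{d}", f"_ldap._tcp.gc._msdcs.{d}"}
    return names


def _fqdn(name, origin):
    """Normalise an owner/target: lower-case, no trailing dot, '@' and relative names expanded."""
    name = name.lower()
    if name == "@":
        return origin
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"


def parse_zone(zone_text, origin):
    """Return ({srv_owner: [targets]}, {a_owner: ip}) from a BIND-style zone dump."""
    origin = origin.rstrip(".").lower()
    srv, a = {}, {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
        elif m := SRV_RE.match(line):
            srv.setdefault(_fqdn(m.group(1), origin), []).append(_fqdn(m.group(5), origin))
        elif m := A_RE.match(line):
            a[_fqdn(m.group(1), origin)] = m.group(2)
    return srv, a


def audit_ad_dns(zone_text, domain, site="Default-First-Site-Name", pdc=True, gc=True):
    """Report Netlogon SRV names absent from the zone and SRV targets with no A record."""
    srv, a = parse_zone(zone_text, domain)
    missing = sorted(expected_ad_records(domain, site, pdc, gc) - set(srv))
    dangling = sorted({t for targets in srv.values() for t in targets if t not in a})
    return {"missing": missing, "dangling_targets": dangling, "ok": not (missing or dangling)}


# Constructed: the "few lines" (SOA, NS, A) the post describes right after the upgrade.
BARE_ZONE = """\
$ORIGIN corp.example.
@    600 IN SOA dc1.corp.example. hostmaster.corp.example. 2003060101 900 600 86400 3600
@    600 IN NS  dc1.corp.example.
dc1  600 IN A   192.0.2.10
"""

# Constructed: the same zone after Netlogon has registered the DC (names relative to $ORIGIN).
FULL_ZONE = BARE_ZONE + """\
gc._msdcs                                            600 IN A   192.0.2.10
_ldap._tcp                                           600 IN SRV 0 100 389 dc1
_ldap._tcp.Default-First-Site-Name._sites            600 IN SRV 0 100 389 dc1
_ldap._tcp.dc._msdcs                                 600 IN SRV 0 100 389 dc1
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs  600 IN SRV 0 100 389 dc1
_ldap._tcp.pdc._msdcs                                600 IN SRV 0 100 389 dc1
_ldap._tcp.gc._msdcs                                 600 IN SRV 0 100 3268 dc1
_gc._tcp                                             600 IN SRV 0 100 3268 dc1
_gc._tcp.Default-First-Site-Name._sites              600 IN SRV 0 100 3268 dc1
_kerberos._tcp                                       600 IN SRV 0 100 88 dc1
_kerberos._udp                                       600 IN SRV 0 100 88 dc1
_kerberos._tcp.Default-First-Site-Name._sites        600 IN SRV 0 100 88 dc1
_kerberos._tcp.dc._msdcs                             600 IN SRV 0 100 88 dc1
_kpasswd._tcp                                        600 IN SRV 0 100 464 dc1
_kpasswd._udp                                        600 IN SRV 0 100 464 dc1
"""

if __name__ == "__main__":
    for label, zone in (("bare", BARE_ZONE), ("full", FULL_ZONE)):
        print(label, audit_ad_dns(zone, "corp.example"))
```

Feed it the zone file of a file-backed primary or a one-record-per-line zone-transfer dump of the AD-integrated zone. A non-empty "missing" list right after the upgrade is exactly the symptom the post fixes by restarting Netlogon; a non-empty "dangling_targets" list means the locator records point at a host the zone cannot resolve, which clients experience the same way as having no records at all.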