Hello Buttnuts,
Backups are really important, I fully agree, but do not forget, they are only
useful if tested.
How to remove orphaned domains:
http://support.microsoft.com/kb/230306
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> On Nov 20, 11:51 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>
>> Hello Buttnuts,
>>
>> Even for Acronis images from domain controllers:
>> The only supported way to roll back the contents of Active Directory or the
>> local state of an Active Directory domain controller is to use an Active
>> Directory-aware backup and restoration utility to restore a system state
>> backup that originated from the same operating system installation and the
>> same physical or virtual computer that is being restored.
>> Microsoft does not support any other process that takes a snapshot of
>> the elements of an Active Directory domain controller's system state
>> and copies elements of that system state to an operating system
>> image.
>>
>> Try to add the new machine pointing only to the 192.x.x.x IP of the
>> server. If the running DC is registered correctly in the DNS zones
>> with that one it should work. After that you can move the 5 FSMO
>> roles. Do not forget to make it GC and DNS server.
>>
>> For the new network make your life easier and connect all machines to
>> a switch and the switch to the ASA. If you have the need for servers in
>> the internet, use the DMZ port of the ASA, so no machine with a public
>> IP address is in your internal network.
>> To remove the Exchange and DC correctly you have to uninstall
>> Exchange first and after that demote the DC. See here about
>> Exchange: http://support.microsoft.com/kb/307917/
>>
>> After Exchange is removed you can demote the DC by running dcpromo
>> from the command line; if you get an error, uncheck the GC on that DC
>> and try again.
>> If it is demoted, check that it is also removed completely in DNS.
>> Remove it from AD Sites and Services, this is not done automatically
>> during demotion.
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> On Nov 20, 2:14 pm, Meinolf Weber <meiweb(nospam)@gmx.de> wrote:
>>>
>>>> Hello Buttnuts,
>>>>
>>>> The "Mangled attributes" article is just for checking these
>>>> attributes; it can happen, but it does not have to.
>>>>
>>>> Do NOT use images from domain controllers for restoring them, this
>>>> will result in USN rollbacks: http://support.microsoft.com/kb/885875
>>>> http://support.microsoft.com/kb/875495
>>>>
>>> Ok, here I am talking about using Acronis full disk images. These
>>> should be able to do a complete 'bare metal' restore. I have done so
>>> in the past with many other machines, just not one so laden with poo
>>> and so mission critical.
>>>
>>>> The DNS errors you have are, as you said yourself, from the
>>>> multihoming of a DC.
>>>> DCs should never be multihomed, for many reasons, unless you use an
>>>> SBS version, which is designed a different way.
>>>> Installing ISA server on a DC should be avoided, one side of your
>>>> network is in the internet. An ISA server should always be a
>>>> dedicated member server with at least 2 NICs.
>>> As for the ISA, I have nothing to do with that except for now I am
>>> here to fix it.
>>> The previous people set it up that way - very, very poorly I know.
>>> The DC is running ISA, and itself has an Exchange server on it - but
>>> I have moved all the accounts off already to the main mail server.
>>> We are going to be taking ISA completely out of the picture soon -
>>> got a Cisco ASA 5520 for routing and access.
>>>> Also I see 3 different IPs, 192.168.31.1, 12.127.16.67 and
>>>> 4.2.2.2, are all of them on the DC? Is one of them the ISP's DNS
>>>> server? That one should be configured on the Forwarders tab of the
>>>> DNS server properties in the DNS management console.
>>>>
>>> The first IP is the internal domain (and the IP of the DC), the
>>> other two belong to the 'external' IP adapter (it has about 15
>>> 'bound' IP addresses, the 12.x is our ISP's DNS and I threw in the
>>> 4.x to help)
>>>
>>>> A DC should also not be used as a router, that should be done by
>>>> a real router.
>>>>
>>>> Personally I would only start with the new OS when I have changed my
>>>> running setup.
>>>>
>>> So what I am looking to do is get the new W2k3 machine up as a DC
>>> and have it take over virtually everything the current DC does -
>>> minus the ISA and Exchange.
>>> Get the router (ASA5520) in at about the same time, allowing me to
>>> 'turn off' ISA.
>>> Make sure all works and remove the old machine (DC) from the
>>> picture.
>>> My biggest issue is that we cannot have any down time (must be no
>>> more than a few minutes max).
>>>> Best regards
>>>>
>>>> Meinolf Weber
>>>> Disclaimer: This posting is provided "AS IS" with no warranties,
>>>> and confers no rights.
>>>> ** Please do NOT email, only reply to Newsgroups
>>>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>>>> On Nov 19, 3:55 pm, Meinolf Weber wrote:
>>>>>
>>>>>> Hello Buttnuts,
>>>>>>
>>>>>> !!!NEVER START BEFORE HAVING CREATED AND TESTED A BACKUP OF YOUR
>>>>>> DATA/MACHINE!!!
>>>>>>
>>>>>> For Exchange check out this
>>>>>> first: http://support.microsoft.com/?id=314649
>>>>>> The terms PDC/BDC are no longer used since Windows 2000, all DCs
>>>>>> are the same, the differences are the 5 FSMO roles, which can be
>>>>>> held by any DC according to some rules.
>>>>>> You should make all DCs GC servers in a single forest domain like
>>>>>> yours for redundancy.
>>>>>> For your logon error make sure the server firewall is not running
>>>>>> and it uses only the domain internal DNS servers.
>>>>>> Also there is no need for setting a time server manually. In a
>>>>>> domain the DC with the PDC Emulator role is the time source, all
>>>>>> DCs sync with it and member servers and workstations use one
>>>>>> available DC.
>>>>>>
>>>>>> To configure a client computer for automatic domain time
>>>>>> synchronization:
>>>>>> w32tm /config /syncfromflags:domhier /update
>>>>>> After that run:
>>>>>> net stop w32time
>>>>>> net start w32time
>>>>>> Upgrading from 2000:
>>>>>> - On the old server open the DNS management console and check that
>>>>>> you are running an Active Directory integrated zone (easier for
>>>>>> replication, if you have more than one DNS server)
>>>>>> - run replmon, dcdiag and netdiag on the old machine to check for
>>>>>> errors, if you have some post the complete output from the
>>>>>> commands here or solve them first
>>>>>>
>>>>>> - run adprep /forestprep and adprep /domainprep from the 2003
>>>>>> installation disk against the 2000 server, with an account that
>>>>>> is a member of the Schema Admins, to upgrade the schema to the new
>>>>>> version
>>>>>>
>>>>>> - Install the new machine as a member server in your existing
>>>>>> domain
>>>>>>
>>>>>> - configure a fixed ip and set the preferred DNS server to the
>>>>>> old DNS server only
>>>>>>
>>>>>> - run dcpromo and follow the wizard to add the 2003 server to an
>>>>>> existing domain
>>>>>>
>>>>>> - if you are prompted for DNS configuration choose Yes (it is also
>>>>>> possible that no DNS preparation occurs), then install DNS after
>>>>>> the reboot
>>>>>>
>>>>>> - for DNS give the server time for replication, at least 15
>>>>>> minutes. Because you use Active Directory integrated zones it
>>>>>> will automatically replicate the zones to the new server. Open
>>>>>> the DNS management console to check that they appear
>>>>>>
>>>>>> - if the new machine is a domain controller and DNS server run
>>>>>> again replmon, dcdiag and netdiag on both domain controllers
>>>>>>
>>>>>> - if you have no errors, make the new server Global catalog
>>>>>> server: open Active Directory Sites and Services and then
>>>>>> double-click sitename, double-click Servers, click your domain
>>>>>> controller, right-click NTDS Settings, and then click Properties,
>>>>>> on the General tab, click to select the Global catalog check box
>>>>>> (http://support.microsoft.com/?id=313994)
>>>>>> - Transfer, NOT seize, the 5 FSMO roles to the new Domain
>>>>>> controller (http://support.microsoft.com/kb/324801)
>>>>>> - you can see in the event viewer (Directory service) that the
>>>>>> roles are transferred, also give it some time
>>>>>> - reconfigure the DNS configuration on your NIC of the 2003
>>>>>> server, preferred DNS itself, secondary the old one
>>>>>>
>>>>>> - if you use DHCP do not forget to reconfigure the scope settings
>>>>>> to point to the new installed DNS server
>>>>>>
>>>>>> - export and import of DHCP database (if needed)
>>>>>> (http://support.microsoft.com/kb/325473)
>>>>>> Demoting the old DC
>>>>>> - reconfigure your clients/servers so that they no longer point to
>>>>>> the old DC/DNS server on the NIC
>>>>>>
>>>>>> - to be sure that everything runs fine, disconnect the old DC
>>>>>> from the network and check with clients and servers the
>>>>>> connectivity, logon and also with one client a restart to see
>>>>>> that everything is ok
>>>>>> - then run dcpromo to demote the old DC, if it works fine the
>>>>>> machine will move from the DC's OU to the Computers container,
>>>>>> where you can delete it by hand. It can be that you get an error
>>>>>> during demoting at the beginning, then uncheck the Global catalog
>>>>>> on that DC and try again
>>>>>> - check in the DNS management console that all entries from the
>>>>>> machine have disappeared, or delete them by hand if the machine
>>>>>> is off the network for ever
>>>>>> - also you have to start AD Sites and Services and delete the old
>>>>>> servername under the site, this will not be done during demotion
>>>>>> If you also think about upgrading Exchange to 2003, see also
>>>>>> here:
>>>>>>
>>>>>> Exchange 2000 Recipient Update Service does not replicate changes
>>>>>> successfully
>>>>>>
>>>>>> in forest functional level 1 or 2 in Windows Server 2003 Active
>>>>>> Directory: http://support.microsoft.com/?id=831809
>>>>>>
>>>>>> The Recipient Update Service does not update objects correctly
>>>>>> when Exchange 2000 Server is running in a Windows Server 2003
>>>>>> forest: http://support.microsoft.com/?id=873059
>>>>>>
>>>>>> Recipient Update Service may overwrite the value of the homeMDB
>>>>>> attribute for new Exchange Server 2003
>>>>>> users: http://support.microsoft.com/?id=903291
>>>>>>
>>>>>> http://blogs.dirteam.com/blogs/jorge...1/19/What-info
>>>>>> rm at ...
>>>>>>
>>>>>> Your questions:
>>>>>> 1. from
>> ...
> Thanks again for the input!
> I will also be using our Backup Exec for back up along with it too,
> backing up to tape and disk. I am a freak about back ups.
> I back up and back up again then back up my back ups. 
> I have been part of many disaster recovery situations with poor/
> lacking back-ups.
> Also we will be putting everything behind the router on our switches.
> I will have no public ip on any machine inside except the web server
> which - as you stated I should - be on the DMZ port.
> I forgot about the uninstall part of the Exchange. I will do it that
> way, thanks.
> Also I just found a 'ghost' domain on our site (one created long ago
> for testing I guess) that I will remove with the steps you outlined.
> Thanks again and I will let you know how it is going
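As an added example (my own, not Meinolf's or anything posted in the thread), the state the quoted upgrade steps should leave behind, checked from one script before the old DC is demoted: the 5 FSMO roles transferred to the new 2003 DC, the new DC a Global Catalog, DC locator records in DNS no longer naming the old DC, and dcdiag clean. It assumes PowerShell 2.0 on a domain member; NEWDC and OLDDC are placeholder host names and the domain name is read from the machine it runs on.

```powershell
# Added example, not from the thread. Run on a domain member as a domain admin.
# NEWDC / OLDDC are placeholders; replace them with your real DC names.
param(
    [string]$NewDc = "NEWDC",   # the 2003 DC that should now own everything
    [string]$OldDc = "OLDDC"    # the 2000 DC about to be demoted
)

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest   = $domain.Forest
$newFqdn  = "$NewDc.$($domain.Name)"
$oldFqdn  = "$OldDc.$($domain.Name)"
$problems = @()

# 1. All 5 FSMO roles (3 domain-wide, 2 forest-wide) must sit on the new DC.
#    The thread says transfer, never seize, so a role still elsewhere means
#    the transfer has not finished (or failed).
$roles = @{
    "PDC Emulator"          = $domain.PdcRoleOwner.Name
    "RID Master"            = $domain.RidRoleOwner.Name
    "Infrastructure Master" = $domain.InfrastructureRoleOwner.Name
    "Schema Master"         = $forest.SchemaRoleOwner.Name
    "Domain Naming Master"  = $forest.NamingRoleOwner.Name
}
foreach ($role in $roles.Keys) {
    if ($roles[$role] -ne $newFqdn) { $problems += "$role is still held by $($roles[$role])" }
}

# 2. The new DC must be a Global Catalog (every DC in a single-domain forest should be).
$gcs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
if ($gcs -notcontains $newFqdn) { $problems += "$newFqdn is not a Global Catalog" }

# 3. Clients find DCs through the _ldap._tcp.dc._msdcs SRV records: the new DC
#    must be advertised there and the old one must not be, or logons will still
#    be sent to a machine that is about to disappear.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($domain.Name)" 2>&1 | Out-String
if ($srv -notmatch [regex]::Escape($newFqdn)) { $problems += "no DC SRV record for $newFqdn" }
if ($srv -match    [regex]::Escape($oldFqdn)) { $problems += "DC SRV records still list $oldFqdn" }

# 4. Replication and DC health: dcdiag /q prints only failures, so any output is a finding.
$dcdiag = dcdiag "/s:$NewDc" /q 2>&1 | Out-String
if ($dcdiag.Trim()) { $problems += "dcdiag reported errors on ${NewDc}:`n$dcdiag" }

if ($problems.Count -eq 0) {
    "All checks passed: $NewDc holds the 5 FSMO roles, is a GC and is in DNS; $OldDc can be demoted."
} else {
    "Do NOT demote $OldDc yet:"
    $problems | ForEach-Object { " - $_" }
}
```

After the demotion, the same script run with the roles swapped (nothing should name the old DC any more) doubles as the "check that it is also removed completely in DNS" step from the thread.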