Windows Server 2003

Re: windows NT migration to 2003

 
SOLVED
Chucka Eya
Frequent Advisor

windows NT migration to 2003

Hello,
we've just migrated our system to 2003 from NT, with a winxp client OS on our laptops and workstations.

The laptops pick up dhcp ip from an alternative trusted domain's dhcp.
The workstations and servers have static IPs.
The dns is being resolved by an alternative server on another domain which is trusted to ours (will be moving it soon - but that's by the way)

We have had to rebuild the laptops because they take forever to download profiles, and apply personal and computer settings.
After the rebuild, everything's fine.
The workstations though don't have this problem.

Is there a reason for this or are we doing something wrong.
I'd hate to think that if we had 100 users, that this would be the way to go, esp as we need to do the same for another site.

Thanks.
24 REPLIES 24
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

I should mention that our profile server is still running NT, but then the profile's okay on the workstations with static IPs.
Pieter 't Hart
Honored Contributor

Re: windows NT migration to 2003

be aware that in an NT-domain the "internet temporary files" are by default part of the profile.
If these temporary files aren't limited in size or regularly cleaned the profile may grow out of proportions.

Are these laptops also used without network connection ? that's the difference with the workstations.

when some locations (int.temp.files) in the network profile are unreachable, these locations are reset to default locations.
if again connected to the network, the temporary files are copied to the network

Pieter
Alan_152
Honored Contributor

Re: windows NT migration to 2003

You need to get to each of your user's home directories on the network and clean them out. Same as with the local versions on each machine. You may have to make the network profile (and directories) somewhat read-only for awhile to keep the excess data transfer down.

You may also want to consider at this time standard desktops and backgrounds to limit data transfer on login and logout.

Also take a look at where the Outlook PSTs and PABs are being stored, and how big they are.
Gary Cooper_1
Esteemed Contributor

Re: windows NT migration to 2003

I think all of this stuff about making your profiles lean is good stuff, but the fact that the machines with the static IP address are OK makes me think it's more a name resolution problem.

Is the profile server using the same DNS server to resolve the notebooks as it is the workstations? It's not using a hosts file for the static IP machines is it? Use nslookup and use one of the debug options to see what's happening when the profile server tries to resolve the name of a workstation and the name of a laptop.

Also use nslookup to check out how the name resolution is working on the workstations and the laptops.

You might want to check what you've got your TTL set to on your DNS server. If it's too long, this could cause problems if the laptops are swapping IP addresses frequently. (You don't say if the DNS server and the DHCP server are the same machine).

You don't say anything about your network topography. Any slow links?

Regards,

Gary
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

Thanks for the feedback.
since I started the thread, I've come across more revealing problems, so in order to get you up to speed, see the following.

*******************************************
NB: this is an inherited network, so if the topography is confusing, welcome to my world
********************************************

we had 3 domains d1 and d2 are 2 NTs with trust.
server1 from d2 supplies Wins services.
*******************************************
d3 is a 2003 domain.
server2 supplies dhcp and dns for all three domains.
it is split this way:
domaind3 - as parent zone
domaind1 - as d1's child zone.
domaind2 - as d2's child zone.
********************************************
cause the 2003 domain was set to native mode, we performed an inplace upgrade of d1 and d2 - because none of us were familiar with nt4.0, we followed instructions and created a new dns zone for d1 and d2.
********************************************
Now d3 is housing dns and dhcp, + secondary versions of the new d1 and d2 dns records so it has all the records. - is there potential problem by doing this?
we are looking to reduce the number of zones to 2, but for now want everyone to talk to everyone.
********************************************
Anyway, laptop users and workstation users use same server for dns
********************************************
That's the long and short of it.

now:
to answer your questions:

-the profile server uses the same dns.
-no host files are involved.
-trying the different nslookup options - so far no problem.

interesting problem though:
when I ran dcdiag from the win2003 support tools - tells me all the connections are fine and beautiful
dcdiag from the SP1 which allows for testing dns connections, ends up with:

Performing initial setup:
[LONDONDC1] Directory Binding Error -2146892976:
Win32 Error -2146892976
This may limit some of the tests that can be performed.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\LONDONDC1
Starting test: Connectivity
[LONDONDC1] DsBindWithSpnEx() failed with error -2146892976,
Win32 Error -2146892976.
......................... LONDONDC1 failed test Connectivity
-

how can they both spill out conflicting results.


********************************************
any pointers into this would be helpful. Think I'm looking at a DS RPC problem.

Thanks.
Exhausted but still fighting :)
Robert S. Carr
Trusted Contributor

Re: windows NT migration to 2003

Interesting problems you've got there Chuck. I was curious. Are the domains all in the same physical space? i.e. same building, same floor etc?

From experience, usually each domain will have its own DNS and DHCP servers (usually on the same server). This tends to make administration a little easier and has a plus where if one domain gets in trouble, all machines are not affected. For example, if I have DHCP on 3 servers, if one dies, only those devices related to that server are affected, not the entire organization.

Anyway, regarding your problems, have you tried this:

http://support.microsoft.com/?id=839880

Good luck.

Rob
Gary Cooper_1
Esteemed Contributor

Re: windows NT migration to 2003

So if I understand correctly, all three domains are Win 2K3?

Have a look at http://support.microsoft.com/?id=898060

Regards,

Gary
Pieter 't Hart
Honored Contributor

Re: windows NT migration to 2003

You should separate DNS-namespace domains from Windows logon-domains. These are separate things.
It IS possible that, when NOT using WINS but only DNS as name-resolution mechanism, when trying to connect to a server by its short name, the connection will fail.
if the server performing the test is server1.domain1 then for DNS, londondc1 (londondc1.domain1) is another server than the server in the root-domain (londondc1.domaind3).

Pieter
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

Thanks guys,

I'm starting to narrow down possible potential trouble spots.

The dns settings on some servers were pointing to an old switched off one - so that resolved a few dcdiag errors.

The trusts between the domains - which weren't working properly initially cause my predecessor tried it bw nt and 2003 domains - probably need to be re-established.
Getting a lot of trust denials etc when connecting to machines - esp between laptops (dhcp enabled) and workstations (statics)

Not out of the woods yet, but the scenario is more familiar.
The dns namespaces are all okay now and every domain has secondary records of the others.

I will get back to you over the next couple of days.

Thanks for the feedback so far...

By the way: any reason why the dcdiag from 2003 support tools would be generating different results from dcdiag on sp1 (the latter is supposed to be new, but always ends up with a DS RPC failure) whatever I do.
if you've got SP1 - try it from:
c:\windows\servicepackfiles\i386\dcdiag.exe
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

well, my dns is sorted and everything's working fine now.

However, I'd like to move my dns A records between zones, so i can consolidate what we have and reduce the number of dns zones.

Apart from the manual way of deleting and creating each A pointer, is there a way to move all info on one dns server to another.

nf
Pieter 't Hart
Honored Contributor

Re: windows NT migration to 2003

if you have w2k3 based DNS then it's "dynamic".
so when configuring a server's network properties all you have to do is fill in its domain suffix!
The server itself should register itself in the right namespace.
again DNS-namespace is a separate thing from windows logon-domain.

again this is related to authentication so if the previous A-records are not registered by the server itself it may be denied to overwrite the info.
If this is so it can be seen by looking at the properties of the DNS-record (owner should be the computer account)

if the computer itself is not the owner of its A-record you can either
- manually delete the A-records.
- at the DNS zone properties you can temporarily allow "dynamic updates" as "nonsecure and secure" this will allow records to be overwritten by someone else but the owner.

next
- type ipconfig /registerdns
- or click repair in the network-connection properties
- or reboot the server.


Pieter
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

Thanks Pieter,

That makes sense and I believe everything's working fine with dns entries replicated across all three domains.
However, I want to rid myself of the dns zones and limit to just 2.
That means moving the A-records from one domain name space to another..
ie.
moving A-records from zzzz.com to xxxx.com
That would mean an A-record:
dice.soft.com
moves to
dice.hard.com

can this be done automatically? or am I doomed to manual entries.

I know its easier to transfer only the zones - just curious as I want to leave the current zone names (and client suffixes) we currently use.

Thanks
Pieter 't Hart
Honored Contributor
Solution

Re: windows NT migration to 2003

As i said before when reconfiguring the server's domain suffix (at the server) from dice.soft.com to dice.hard.com the server itself should be able to remove the old A-record from dice.soft.com and register the new a-record in dice.hard.com.

manually adding A-records should just prevent this (the server is not owner of this a-record).

NB! when you do add A-records and the server configuration is not altered it will again register itself under its original domain-suffix so you would never get rid of the old domain.

as for the workstations, you probably have to change/add the DHCP-server option "015 DNS domain name".


Pieter
Pieter 't Hart
Honored Contributor

Re: windows NT migration to 2003

my previous post was focused just on DNS-configuration, but maybe what you really want is to change the dns-name of the windows root-domain.
try this article
http://technet2.microsoft.com/WindowsServer/en/Library/996741d8-28e4-4d20-9949-8f17fb9d3cfd1033.mspx

Pieter
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

okay.
I understand everything you're saying, but maybe we're not saying the same things, so I'll simplify...

you have two domains A & B.
A trusts B
A & B use dns server in B.

A gets a new dns. you want to replicate the records in B in A as well.

You add B's dns as a secondary dns for A and vice versa.

Problem solved.

I want to move B's records to A under A's zone name because obviously they are 2 diff zone names.

I can change the suffixes and dns server entry on the workstations & member servers & they will begin to appear gradually.
problem solved.

question is: can I move the records from B to A with A's zone name, on the dns servers automatically.

I think your answer is referring to one dns server handling everything.

if your previous answer complements this scenario - just say it does - and I'll look at it again. I understand what you've said but I can't relate it a 100% to my scenario.

Sorry about this.


Pieter 't Hart
Honored Contributor

Re: windows NT migration to 2003

As i stated earlier you should make the change at the server. if the server is configured as server.dom1.com it will not register as server.dom2.com

i advise not to use a-records for the same host in different namespaces.
what you might do is add an alias (cname-record) so for a server with an a-record in dom1.com, there is a corresponding cname-record in dom2.com.
Microsoft has in the w2k3 support tools a "dnscmd" commandline utility with which you can create a list with all A-records in dom1.com, and subsequently edit this file to add all cname-records to dom2.com.

http://technet2.microsoft.com/WindowsServer/en/Library/cee759b0-7a2a-4ba7-904e-ff399814b1711033.mspx

but then again you do still have to keep the old zone active.
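
The list-then-edit step suggested in the post above, as an added example that is not part of any post in this thread: it reads a zone export of dom1.com, collects the hosts that own an A record, and writes one `dnscmd /RecordAdd` line per host that creates the matching CNAME in dom2.com. It assumes the input is the master-file text written by `dnscmd /ZoneExport`; the sample zone, its addresses and the server name `dnsserver1` are constructed for illustration.

```python
import re

# Constructed sample in the master-file layout assumed for a
# "dnscmd /ZoneExport" file; host names and addresses are made up.
SAMPLE_EXPORT = """\
;  Database file dom1.com.dns for dom1.com zone.
@                       IN  SOA ns1.dom1.com. hostmaster.dom1.com. (
                            42 900 600 86400 3600 )
@                       NS  ns1.dom1.com.
@                       A   10.1.1.2
dice                    A   10.1.1.5
                        A   10.1.1.6
files [AGE:3612345]     1200 A 10.1.1.9
mail                    MX  10 dice.dom1.com.
www                     CNAME dice.dom1.com.
"""

# Single DNS label only: skips "@" (a CNAME cannot sit at the zone apex) and
# keeps unexpected characters out of the generated command lines.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def a_record_hosts(zone_text):
    """Return the sorted, de-duplicated owner names that hold an A record."""
    hosts, owner = set(), None
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        fields = re.sub(r"\[AGE:\d+\]", " ", line).split()
        if not line[0].isspace():                  # owner name starts in column 0
            owner = fields.pop(0)                  # otherwise inherit previous owner
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                          # optional TTL / class
        if fields and fields[0].upper() == "A" and owner and LABEL.match(owner):
            hosts.add(owner.lower())
    return sorted(hosts)

def cname_commands(zone_text, old_zone, new_zone, server):
    """One 'dnscmd /RecordAdd' line per host: alias in new_zone -> name in old_zone."""
    return [f"dnscmd {server} /RecordAdd {new_zone} {h} CNAME {h}.{old_zone}."
            for h in a_record_hosts(zone_text)]

if __name__ == "__main__":
    # "dnsserver1" is a hypothetical server name; review the output before running it.
    print("\n".join(cname_commands(SAMPLE_EXPORT, "dom1.com", "dom2.com", "dnsserver1")))
```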
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

dns is okay, It's running fine for now. I am leaving it as is and will run a few more tests, after which I can close this thread.

watch this space.

Thanks for your help so far.
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

Okay,
Strange problem, I've just noticed that nobody can actually change their passwords on the domain including myself.
when anybody tries it, it generates the following message:


"your password must be at least 3 xters, cannot repeat any of your presious 1 password and must be at least 30 years old. please type a different password which meets this requirements in both text boxes"

I haven't defined password policies on AD yet?

Any ideas?
Alan_152
Honored Contributor

Re: windows NT migration to 2003

That's the default password policy...
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

okay, that sounds right, but why won't it let users change their passwords....
I just tried setting it up on AD I mentioned it here, and 2 of our American users got messages of their password credentials having expired and access denied to an intranet site we use.

had to return it to default policy so the latter could continue working...

never come across that before..
any ideas?
Alan_152
Honored Contributor

Re: windows NT migration to 2003

I suspect that the password policy conversion from NT4 to 2k03 and from pdc/bdc to AD was simply too big a jump given that the upgrade is unsupported.

Having said all that, most of my intro AD students have sorting out the local and domain password policies in these kinds of situations. I'd suggest getting to a point where the domain policy is acceptable enough to use for everybody, then tweaking it 1 element at a time until you reach your company's standards. Sounds like you've already done the 1st part...

A new topic specific to setting up AD password policies might be appropriate at this juncture.
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

cheers.
I was actually editing the policy on a different gp.
sorted with the domain security policy.

Just before I close this,
I keep getting license logging service errors between the NT servers and 2003 - saying it can't contact it -even though the service is running on both.

a. would this affect operations?
b. if I disable it - would it matter?

Cheers.
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

Everything's working okay now.
got DNS sorted and password policy is okay.
still not sure about the license logging service, but disabled it and all seems okay for now.

Thanks for all the feedback.

Chuck
Chucka Eya
Frequent Advisor

Re: windows NT migration to 2003

Cheers you guys.