  • 2+2=4, 4-2=errors

    I've recently started working for a small company who has been IT-guy-less for the past several months. I'm in the hot seat and don't know how the last guy did anything.

    One of his last tasks was adding two new 2003 domain controllers to the domain to replace the aging and failing two they were using. That's a good idea. The bad idea, however, was leaving the two 2000 dinosaurs on the network after the migration was complete.


    At some point, they dabbled in roaming profiles, but weren't fond of the loading and saving, so they axed it. Unfortunately, when they stopped using roaming profiles, things stayed on the old servers. One of the old servers is totally dead now; luckily, it's just the email server. However, I feel the file server isn't far behind. When I first started here, I was told the old servers were junk and could be removed. I powered them off and thought nothing of it. The next day, people were complaining about Office and other things loading really slowly. One girl's favorites even disappeared from her favorites menu. Long story less long, after searching the registry, I found dozens, if not hundreds, of calls to the old file server!

    Thankfully, any newly created accounts don't seem to be aware of the old server, so I'm not really concerned about the client portion, but I do have a question. If I use the Files and Settings Transfer Wizard to back up people's stuff before I recreate their profiles (or get them new machines), will FAST carry over the calls to the old server?

    My major concern, and reason for the exposition, is I have no idea what'll happen in AD when I take the server offline for good. I have this feeling that if I remove it I'm going to make the network implode.

    Is there a safe way to remove a domain controller?
    Last edited by Kayden; 10th November 2008, 19:11.

  • #2
    Re: 2+2=4, 4-2=errors

    Originally posted by Kayden:
    > One of the old servers is totally dead now, luckily, it's just the email server
    That made me laugh!

    Safe removal is dcpromoing it back down to a member server but you say it doesn't know about any new accounts, that says to me it isn't working anyway.

    First off I would get full backups of the new servers. Make sure there is DNS running on them both and open up sites/services and check they are both GCs.
    From a command prompt on one of them try typing "netdom /query fsmo" and post back the results. You can change the names but make sure you tell us if they are new or old.

    You need to make sure all client machines point to the new domain controllers for DNS in their network properties. If they are on DHCP then check if this is running on the old or new server.

    To be honest there is a lot to check and you may find it better to hire in a consultant for a couple of days.

    http://www.petri.com/determining_fsmo_role_holders.htm

    Could you also change your subject, as per the forum rules, to something that people can understand; otherwise you may not get as many replies as you want.


    EDIT: - I do like the "2+2=4, 4-2=errors" comment though!
    Last edited by AndyJG247; 8th November 2008, 00:11.
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?



    • #3
      Re: 2+2=4, 4-2=errors

      Don't forget to check the programs that are installed.
      And maybe check all the roles it does, like print server, WSUS, TS, FTP, web, etc., etc.
      Please remember to award reputation points if you have received good advice.
      I do tend to think 'outside the box' so others may not always share the same views.

      MCITP -W7,
      MCSA+Messaging, CCENT, ICND2 slowly getting around to.



      • #4
        Re: 2+2=4, 4-2=errors

        As Andy said, make sure no active roles are on the old DCs and demote it properly. As uk_network said, go piece by piece through everything that it may be doing and then port that function to another server. So why did I post if I was only going to say "Me too!" to what Andy and uk said? I felt like elaborating a little bit...

        Set up access auditing on the server and see what gets accessed, when and by whom. Pick a service to port over and don't worry about the others until you finish the task at hand. I'd look at all file shares and see what or who is using them. Slowly disable and turn off services until the thing is just sitting there, lonely and unwanted. :sniff:

        I can't answer your specific question about FAST, but you could experiment with it and then view the audit logs to see if the user that you ported over is still logged as accessing the old server. Oh, and make sure to let us know how it turned out.
        Wesley David
        LinkedIn | Careers 2.0
        -------------------------------
        Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
        Vendor Neutral Certifications: CWNA
        Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
        Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



        • #5
          Re: 2+2=4, 4-2=errors

          Thread split into coffee lounge
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: 2+2=4, 4-2=errors

            Thanks Ossian.
            Kayden, how did you get on?
            cheers
            Andy




            • #7
              Re: 2+2=4, 4-2=errors

              Been busy. =\
              I haven't been able to do much.

              The netdom doesn't work. I looked for where to get it and found this: http://www.petri.com/download_window...port_tools.htm
              However, that didn't have it... So I can't run netdom until I find it.

              Going off Nona's advice, I set up an audit, and there looks to be 3-4 people still accessing it randomly. I couldn't figure out how to log the exact files, I have a feeling it's for things like appdata on their old roaming profiles. Even if I did move that to the new server I'd still have to go through everyone's registry and point it to the new location and I REALLY don't want to do that.

              A slightly larger (I think) issue is that when I ping domain.local, it gives me the IP of the old file server.

              Both of my new servers are running DNS, however, when I reboot the new file server I get a DNS error Event ID 4001 in the event log.
              The DNS server was unable to open zone domain.local in the Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
              Per this: http://technet.microsoft.com/en-us/l.../cc739586.aspx
              My new mail server is a Global Catalog and my new file server IS NOT. I don't know how to make a DNS server a GC.

              DHCP is running on ONLY my new file server.

              I think all the services are pretty much ported over, it's just residual files for the most part (that I know of). If I take down this server without knowing where all the files are and who's looking where for them then their PCs take 2-4 minutes to open My Computer. One girl can't even install programs with the old server down. One of her folders is mapped to the file server and the installs crash saying can't find //xserver/folder. There's also the DNS I'm wary of.



              • #8
                Re: 2+2=4, 4-2=errors

                Originally posted by Kayden:
                > The netdom doesn't work. I looked for where to get it and found this: http://www.petri.com/download_window...port_tools.htm
                > However, that didn't have it... So I can't run netdom until I find it.
                I know that netdom is also in the XP SP 2 Support Tools package. Strange that netdom wouldn't be in Server 2003 Suptools since it's in the official list. Did you try a full search of the filesystem for the file?


                Originally posted by Kayden:
                > Going off Nona's advice, I set up an audit, and there looks to be 3-4 people still accessing it randomly. I couldn't figure out how to log the exact files
                What you do is first turn on object access auditing in the appropriate group policy (local or domain policy applied to the correct OU... whatever you choose). Then determine which directories contain files that you want to monitor. Then right-click the folder >> Properties >> Security tab >> Advanced button >> Auditing tab >> make sure "Allow inheritable auditing entries... etc. etc." is checked. That should propagate down to each child object. I'd just add the "Authenticated Users" group to be audited and then you'll see what files are accessed when you look in the Security log of Event Viewer. Be forewarned that you could be in for a long wait when you propagate those auditing options to all child objects if there are a lot of files underneath the folder (like, for instance, the root of an entire volume).

                Here's a good tutorial.
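The folder-auditing procedure Nonapeptide walks through above, and the "see who still touches the old server" idea from #4, as an added example that is not code from the thread or from any of its posters. It assumes a Windows Server 2008 R2 / PowerShell 3 or later host (on Server 2003 the matching Security event is 560, "Object Open", rather than 4663) and uses a placeholder share path.

```powershell
# Added example: set an inheritable audit entry on a share and summarise the
# resulting object-access events by user and file. Assumes PowerShell 3+ on
# Server 2008 R2 or later; $Folder is a placeholder, adjust to your share root.
param(
    [string]$Folder = 'D:\Shares\Users',
    [int]$Hours = 24
)

# 1. The SACL is ignored unless "Audit object access" (File System subcategory)
#    is enabled in the effective policy; show the current setting first.
auditpol /get /subcategory:"File System"

# 2. Add an auditing entry for Authenticated Users that every child folder and
#    file inherits (the "allow inheritable auditing entries" checkbox in the GUI).
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Authenticated Users',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, ExecuteFile, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl   # propagation is slow on a large tree

# 3. Summarise the Security log. Event 4663 = "An attempt was made to access an object".
$since = (Get-Date).AddHours(-$Hours)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } |
    ForEach-Object {
        # Pull the named fields (subject, object name, process) out of the event XML
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
        }
    } |
    Where-Object { $_.Object -like "$Folder*" } |
    Group-Object User, Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Step 3 can be re-run on its own once the SACL is in place; the grouped output is the list of "who is still looking where" that decides which data has to move before the old box is switched off.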



                • #9
                  Re: 2+2=4, 4-2=errors

                  Originally posted by Nonapeptide:
                  > I know that netdom is also in the XP SP 2 Support Tools package. Strange that netdom wouldn't be in Server 2003 Suptools since it's in the official list. Did you try a full search of the filesystem for the file?
                  >
                  > What you do is first turn on object access auditing in the appropriate group policy (local or domain policy applied to the correct OU... whatever you choose). Then determine which directories contain files that you want to monitor. Then right-click the folder >> Properties >> Security tab >> Advanced button >> Auditing tab >> make sure "Allow inheritable auditing entries... etc. etc." is checked. That should propagate down to each child object. I'd just add the "Authenticated Users" group to be audited and then you'll see what files are accessed when you look in the Security log of Event Viewer. Be forewarned that you could be in for a long wait when you propagate those auditing options to all child objects if there are a lot of files underneath the folder (like, for instance, the root of an entire volume).
                  >
                  > Here's a good tutorial.
                  Hmmm... apparently, netdom was already on my workstation.
                  Code:
                  C:\Documents and Settings\Kayden Fox>netdom /query fsmo
                  Schema owner                mercury.knutson.local
                  
                  Domain role owner           mercury.knutson.local
                  
                  PDC role                    mercury.knutson.local
                  
                  RID pool manager            mercury.knutson.local
                  
                  Infrastructure owner        mercury.knutson.local
                  
                  The command completed successfully.
                  Mercury is my new mail server, so that looks good. Why does knutson.local resolve as my old file server?



                  • #10
                    Re: 2+2=4, 4-2=errors

                    Tried flushing the DNS?



                    • #11
                      Re: 2+2=4, 4-2=errors

                      ipconfig /flushdns? Yeah. It still points to the old file server.

                      Also, I did netdom /query DC and only my 2 new servers were listed.
                      Last edited by Kayden; 10th November 2008, 23:54.



                      • #12
                        Re: 2+2=4, 4-2=errors

                        What about flushing the server cache?

                        dnscmd /clearcache (I think?) in a command prompt on the DNS Server.


                        Tom
                        For my own and your protection, I do not provide support by private message under any circumstances. All such messages will be deleted and ignored.

                        Anything you say will be misquoted and used against you



                        • #13
                          Re: 2+2=4, 4-2=errors

                          Well that didn't have the intended effect. After flushing the dns cache on all three servers, knutson.local now resolves to my old DISCONNECTED mail server. However, if I type \\knutson.local into explorer I still connect to the old file server.



                          • #14
                            Re: 2+2=4, 4-2=errors

                            Have you checked your host file?



                            • #15
                              Re: 2+2=4, 4-2=errors

                              Originally posted by Kayden:
                              > Well that didn't have the intended effect. After flushing the dns cache on all three servers, knutson.local now resolves to my old DISCONNECTED mail server. However, if I type \\knutson.local into explorer I still connect to the old file server.
                              What happens when you drop into nslookup, run 'set type=all' and then lookup knutson.local? Which DNS server is nslookup pointing to? Point it at both of your DNS servers and see if you have different results. Try a zone transfer from each too. 'ls knutson.local' from nslookup, although that will probably be denied... it's worth a try.
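Nonapeptide's suggestion to query each DNS server separately and compare, as an added example that is not code from the thread or its posters. It asks every current DC's DNS server for the A records of the zone root (what `ping knutson.local` and `\\knutson.local` resolve) and flags any address that does not belong to a current DC; it assumes the DnsClient module (Windows 8 / Server 2012 or later) on the admin workstation and takes the zone name from the thread.

```powershell
# Added example: compare zone-root A records across every DC's DNS server.
# Netlogon registers one zone-root A record per DC, so an address that is not a
# current DC is a stale record left by a retired server. Assumes Windows 8 /
# Server 2012+ for Resolve-DnsName; the zone name is the one from the thread.
param([string]$Zone = 'knutson.local')

# Current DCs and their addresses straight from the domain (no AD module needed)
$dcs   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
$dcIps = @($dcs | ForEach-Object { $_.IPAddress })

foreach ($dc in $dcs) {
    "== A records for $Zone as answered by $($dc.Name) ($($dc.IPAddress)) =="
    try {
        # -DnsOnly skips the local cache and hosts file so we see the server's own answer
        $answers = Resolve-DnsName -Name $Zone -Type A -Server $dc.IPAddress -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' }
    } catch {
        # A DC whose DNS service could not load the zone (the Event ID 4001 case) lands here
        Write-Warning "  query to $($dc.Name) failed: $($_.Exception.Message)"
        continue
    }
    foreach ($rec in $answers) {
        $verdict = if ($dcIps -contains $rec.IPAddress) { 'current DC' } else { 'STALE: not a current DC' }
        '  {0,-16} {1}' -f $rec.IPAddress, $verdict
    }
}
```

If both servers return only current addresses and `\\knutson.local` still lands on the old box, the client is resolving the name some other way, which is why Ossian's hosts-file question in #14 matters.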
