In light of: GPO/AD ISSUES

M. T

LAN Configuration: Windows 2000 Server DC w/AD, a few
file servers, 30 local users, Remote Terminal Services
users.

Since I am unable to resolve this issue (see topic GPO/AD
ISSUES), what might "pop-up" if I were to build a new
Windows 2000 server with AD. Demote current DC (to be
able to still serve as my application server) and change
its IP address. Add new DC to LAN with old DC's IP, so
I won't need to edit my Firewall. "un-join" clients and
rejoin to new DC. Sound logical/do-able? Since I can't
gain access to my AD, is there another program (like
Hyena) that I might be able to export my "Users" from
current AD and import into new AD?

Thoughts?

Thank you
 
Richard Moreno

Hi-

For clarification, you're proposing to build an entirely new domain tree in
your existing forest, a new forest, or simply build a new DC in your
existing forest\tree? If the latter, then I'm certain your problems will
merely duplicate themselves. As for a new forest or domain tree I'm not
confident that you could do a successful migration in this scenario. Your
final reply from the previous post asked if maybe you should just call MS.
My personal opinion is if you are in a time crunch (and it seems you are)
then I would place that call.

I know I would personally like to know the resolution.

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

*This posting is provided "AS IS" with no warranties, and confers no
rights.
 
David Brandt [MSFT]

That is doable, and don't really see any problems with it. Depending on the
problem with that one dc, it may or may not demote gracefully as last dc in
the domain, so you might have to force it using;
332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of
Active
http://support.microsoft.com/?id=332199

You can also use the reskit utility Addusers.exe to dump the existing users
and their group membership to a txt file that you can then import on the new
server. You can edit the txt file all you want, and I would probably remove
Administrator from it since there will already be an Administrator account
in the new domain and just avoid that error. It's pretty simple to use and
works well.


--
David Brandt
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
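
The edit David describes (dropping Administrator from the dumped file before importing it) can be scripted; the following is an added example, not code from the thread or from Microsoft. It assumes the dump uses `[User]`, `[Global]` and `[Local]` sections of comma-separated rows with the account name first and the password third; the function name and sample rows are constructed for illustration.

```python
SECTIONS = ("[user]", "[global]", "[local]")  # assumed section headers of the dump


def filter_dump(dump_text, skip=("Administrator",)):
    """Drop the named accounts from the [User] section only.

    Group rows are left untouched, so memberships still apply to the account
    that already exists in the new domain. Returns (filtered_text,
    removed_accounts, accounts_with_blank_password).
    """
    skip_lc = {name.lower() for name in skip}
    section, kept, removed, blank_pw = None, [], [], []
    for line in dump_text.splitlines():
        row = line.strip()
        if row.lower() in SECTIONS:
            section = row.lower()
        elif section == "[user]" and row:
            fields = [f.strip() for f in row.split(",")]
            if fields[0].lower() in skip_lc:
                removed.append(fields[0])
                continue  # skip this row so the import does not try to recreate it
            # Assumed layout: name, full name, password, ... An empty third
            # field means the account would be created without a password.
            if len(fields) < 3 or not fields[2]:
                blank_pw.append(fields[0])
        kept.append(line)
    return "\r\n".join(kept) + "\r\n", removed, blank_pw


# Constructed sample dump (not taken from the poster's domain).
SAMPLE_DUMP = (
    "[User]\r\n"
    "Administrator,,,Built-in account for administering the computer/domain,,,,\r\n"
    "jsmith,John Smith,,Front office,,,,\r\n"
    "tsuser1,Terminal User,,Remote Terminal Services user,,,,\r\n"
    "[Global]\r\n"
    "Domain Admins,Designated administrators of the domain,Administrator,jsmith,\r\n"
    "[Local]\r\n"
    "Administrators,,Administrator,Domain Admins,\r\n"
)

if __name__ == "__main__":
    text, removed, blank_pw = filter_dump(SAMPLE_DUMP)
    print(text)
    print("removed:", removed)
    print("set a password before or right after import:", blank_pw)
```

Accounts reported with a blank password field should be given a password in the file or immediately after the import, before any client is joined to the new domain.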
 
M. T

Much thanks for your interest into a resolution of this
issue. I am proposing to build a new PC with Windows 2000
Server on it, install AD, and import JUST the actual
users. Then once it is on my LAN, "demote" a client and
rejoin this new PDC. Once everything looks to be going
smooth, demote the old DC (left off LAN until new DC had a
few users connected to it) and use it strictly to run the
application that my clients currently run. I think this
issue all started when I attempted to use GPs and create
a new one, rather than to use the "default GPO". As this
event seems to be related to GPs. Which would be
understandable if I would have changed rights. If a user
(non-admin rights) would sit at the DC and login with
their client machine account, what type of messages would
they see when opening AD as well as GP? The same error
that I have stated? Reason I ask is that on my DC, logged
in as my desktop account (with domain admin,
admin.......rights) I am restricted from seeing the
properties of the LAN connection(s). But in fact if I use
Hyena and look at my account, I sure enough still have the
domain admin., admin...and so forth rights...???

Tonight I will install a fresh copy of Windows 2000
Server, install AD and start to make entries. I have ONE
test machine that I can use tomorrow to have it join and
then if all looks good, I'll join my desktop. All via a
5-port switch (which will not be touching my actual LAN).
Now in reference to "un-joining" my current clients from
the current DC: just change them back to a workgroup
client and then re-join to the NEW DC? And do I need to
copy their profiles, or will they replicate to the new
profile?

Much Thanks
 
M. T

Status:

Windows 2000 Server w/SP4 and all patches installed w/AD
currently up and running. As of right now the only item
in AD I have added is a new OU, which will contain my
front office users. I have linked a new GP to this OU as
well. Which is currently set to open the calculator upon
boot (just for testing purposes). I currently have a test
machine running Windows XP Pro. that has been joined to my
existing DC, which I will "demote" back to workgroup and
then rejoin this NEW DC. If all works well with this test
machine, what would be the best route to do the other 30
some users and my file servers. Keep in mind, I can not
access my CURRENT AD/GP snap-ins.

One last thought, my current DC has an assigned IP as well
as my other file servers. Clients are all DHCP. Should I
attempt to keep the same IP address as my current DC's IP
when I place the new DC on my LAN (after the fact of
removing current DC of course) or just edit my other
settings to the new IP?

Much Thanks
 
Richard Moreno

Hi-

Regarding joining workstations to a new domain, you don't necessarily have
to move the machine to a workgroup 1st then to a new domain; you could
simply join it to the new domain. As for your IP info, that is your
preference; to keep it "nice and tidy" you could put the old ip onto the
newly built server once in place. Otherwise you could just continue using
what it has now and make changes to your infrastructure accordingly.

Also, did you see more replies to your original posting from yesterday? A MS
tech replied as well as a Hyena Support tech.

--
Thanks,
Richard Moreno
MCSE NT4\2000, MCSA 2000

*This posting is provided "AS IS" with no warranties, and confers no
rights.
 
