Taking over an AD Mess 2003 mixed with 2000

Guest

I have recently taken over a network where the previous guy just threw 2003
into a 2000 domain. I don't know if any prep of the domain was done. When
the 2003 servers (that are DCs) are on, users can't get anywhere. I have run
DCDIAGs off the 2000 DC and haven't seen a ton wrong, but I know something is
dorked up. Any suggestions on how to back track or figure out what this guy
did? Thanks
 
NIC Student

Hi Glenn,

The usual problem is the DNS configuration. Make sure the AD DNS servers
can forward to an outside DNS server or can do their own lookups; they point
to themselves or other AD DNS servers for DNS resolution. Client
workstations all should point to the AD DNS servers and not any outside DNS.
 
Guest

This was the first thing I checked, but I am trying to get caught up on what needs
to be done to have mixed 2003 and 2000 DCs in the same network. What I mean
is, does the 03 have to be the primary, or does it matter? Was there any prep
that needed to happen prior to introducing an 03 DC? Etc. I want to push
the new 03s in and demote the 2000s to member servers to get rid of them.
So I am looking for the proper steps. I have built 2000 domains and 2003
domains, but I haven't done a mixed environment, so I am making sure I straighten
it out right.
 
NIC Student

Hi Glenn,

ADPREP had to be run on both the forest and the domain for a 2003 server to
be dcpromo'd into a DC.

Your domain is probably the same functional level as before the 2003
introduction, i.e. if your domain was 2000 native, then it is still 2000
native. If you still have 2000 DCs then you can't be at a 2003 functional
level. Your domain should function well with both 2000 and 2003 DCs, but
you obviously can't raise the functional level to take advantage of the cool
2003 features with 2000 DCs present.

It sounds like you have some underlying configuration issues that may not be
related to the presence of 2000 DCs, especially since you stated that "users
can't get anywhere". Maybe if you could provide some specifics we could be
more helpful. Our environment ran well for quite a while with 2000 & 2003
DCs mixed, but we have moved on to 2003 these days.
 
Guest

The error message I get is the following, whenever I try to navigate the
network or try to join the domain:

"DomainName" is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out if
you have access permissions.

Windows cannot find the network path. Verify that the network path is
correct and the destination computer is not busy or turned off. If Windows
still cannot find the network path, contact your network administrator.
 
NIC Student

Hi Glenn,

Thanks for the info. You may be experiencing some problems with SMB
signing. We had some issues when we moved to 2003 since it wants to enable
SMB signing and we have downlevel clients. Look at your GPOs to see what is
being enforced: Computer>Windows Settings>Local Policies>Domain Member/MS
Network Client/MS Network Server/System Cryptography. Use the GPMC utility
to get a resultant set of policies on both your servers and clients to see
what is wrong. Take a look at the server and workstation event logs for
more clues:

You cannot open file shares or Group Policy snap-ins when you disable SMB
signing for the Workstation or Server service on a domain controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;839499

I assume you have done the normal troubleshooting to eliminate common TCP/IP
problems, i.e. you can ping the machines by name and fully qualified name, etc.

"An Invalid Operation Was Attempted on an Active Network Connection" Error
Message Occurs If You Try to Browse the Network
http://support.microsoft.com/default.aspx?scid=kb;en-us;318245
 
NIC Student

Hi Gerry,

I just use a GPO and apply it on the workstations & servers:

Domain member: Digitally encrypt or sign secure channel data (always): Disabled
Domain member: Digitally encrypt secure channel data (when possible): Enabled
Domain member: Digitally sign secure channel data (when possible): Enabled

Microsoft network client: Digitally sign communications (always): Disabled
Microsoft network client: Digitally sign communications (if server agrees): Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled

Microsoft network server: Digitally sign communications (always): Disabled
Microsoft network server: Digitally sign communications (if client agrees): Enabled

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled


We determined that was the best setting for us since we have downlevel
clients that we cannot upgrade. Some secure servers have "always" enabled.
I actually had to do the reg hack described in article 839499 one time
because the local policies were set by hand instead of by GPO.
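As an added example (not from the thread or any poster), the PowerShell below models the SMB signing negotiation that the four client/server "sign communications" settings above control, and audits the registry values behind them on the local machine. The registry value names are those documented in KB 887429 and 839499; the two scenarios at the bottom are constructed to match the failure described in this thread.

```powershell
# Added example, not from the thread. Models SMB1 signing negotiation between
# a client and server given the four GPO settings above, and reads the local
# registry values those settings set (names per KB 887429 / 839499).

function Test-SmbSigningNegotiation {
    param(
        [bool]$ClientEnable,   # Microsoft network client: ... (if server agrees)
        [bool]$ClientRequire,  # Microsoft network client: ... (always)
        [bool]$ServerEnable,   # Microsoft network server: ... (if client agrees)
        [bool]$ServerRequire   # Microsoft network server: ... (always)
    )
    # A side that requires signing refuses a peer that has signing switched off.
    # This is the "network path not found" case: a 2003 DC requires signing,
    # a client has both client-side settings disabled.
    if ($ServerRequire -and -not ($ClientEnable -or $ClientRequire)) {
        return 'FAIL: server requires signing, client has signing disabled'
    }
    if ($ClientRequire -and -not ($ServerEnable -or $ServerRequire)) {
        return 'FAIL: client requires signing, server has signing disabled'
    }
    if ($ServerRequire -or $ClientRequire) { return 'OK: session signed (required by one side)' }
    if ($ServerEnable -and $ClientEnable)  { return 'OK: session signed (both sides opted in)' }
    return 'OK: session unsigned (neither side requires it)'
}

function Get-SmbSigningSetting {
    # Reads one LanmanWorkstation/LanmanServer signing value; absent means OS default.
    param(
        [ValidateSet('LanmanWorkstation','LanmanServer')][string]$Service,
        [ValidateSet('EnableSecuritySignature','RequireSecuritySignature')][string]$Name
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service\Parameters"
    $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return 'not set (OS default)' }
    if ($v -eq 1) { return 'Enabled' } else { return 'Disabled' }
}

# Constructed scenario 1: 2003 DC (server side requires signing by default)
# talking to a client whose signing was disabled by hand.
Test-SmbSigningNegotiation -ClientEnable $false -ClientRequire $false -ServerEnable $true -ServerRequire $true
# Constructed scenario 2: same DC, client using the GPO values posted above.
Test-SmbSigningNegotiation -ClientEnable $true -ClientRequire $false -ServerEnable $true -ServerRequire $true

# Local audit of the four registry values behind the client/server GPO settings.
foreach ($svc in 'LanmanWorkstation','LanmanServer') {
    foreach ($n in 'EnableSecuritySignature','RequireSecuritySignature') {
        '{0,-18} {1,-25} {2}' -f $svc, $n, (Get-SmbSigningSetting -Service $svc -Name $n)
    }
}
```

Run the audit on both a DC and a failing workstation and feed the four values into Test-SmbSigningNegotiation to see which side needs the policy change.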
 
Gerry Hickman

Hi Scott,

Thanks for the GPO settings, but I still don't understand the
fundamental issue here? Is this a problem with Win2003 server only, and
what kinds of member servers and clients does it affect?

I don't like relying on Group policy for this type of thing because
sooner or later it will fall over and suddenly none of the machines will
be able to talk to each other. That's why I'm trying to work out how it
should work with default settings...
 
NIC Student

Hi Gerry,

The issue for our environment was that SMB signing is required by default for
2003 domain controllers. There is a warning when you promo up a 2003 DC
about Win95 and older Macs not understanding SMB signing. In our environment, we
have tons of old Macs to support.

In my case, I applied a security template to a server that locked the box
down well, but I missed the fact that it then required FIPS, which basically
buggered the machine and required the registry hack I mentioned. Our OP may
have some servers that had the security templates applied (I downloaded mine
from MS).

The following article describes the default settings, which by themselves
won't lock you out (as described by the OP) because the defaults are
*enabled*, but they can be changed to *required*. As I mentioned, 2003 DCs
require signing.

Overview of Server Message Block signing
http://support.microsoft.com/default.aspx?scid=kb;en-us;887429

--
Scott Baldridge
Windows Server MVP, MCSE

 
Gerry Hickman

Hi Scott,

> The issue for our environment was SMB signing is required by default for
> 2003 domain controllers. There is a warning when you promo up a 2003 dc
> about Win95 and older Macs not understanding SMB. In our environment, we
> have tons of old macs to support.

That's great, the article is very helpful.

My concern was that head office are about to put some 2003 DCs on-line
and my member servers and workstations are on Windows 2000.
 