changing FSMO's

troy

Currently our Domain Controllers are on one network
10.50.50.0. The FSMO is only on that network but the
other DCs are multihomed and have another network
connecting (192.168.1.1) to workstations. The W2K
machines joined the domain with no problems; however, our
WinNT machines can't seem to join ("can't locate domain
controller" error). I'm suspecting they are looking for
the PDC which they can't see. If so, can I temporarily
change the FSMO to the local DC, join the NTs to the
domain, and then change the FSMO back to the original
server? Is it going to screw something up swapping the
FSMO roles back and forth?

Another question, I'd also like to have another DC on the
192.168.1.1 network to back up the current multihomed DC.
When I dcpromo this guy he also errors with "can't locate
a domain controller" even though he is already on the
domain. I suspect this is the same problem as above,
looking for the FSMO which it can't see. Is it possible
to swap the FSMO to the local multihomed DC (same as
above), dcpromo the new computer, and then swap the FSMO
back to the original server?

One thing to keep in mind, this domain is a child domain.

thanks!
 
Ace Fekay [MVP]


Actually this is due to the multihomed DC. Multihomed DCs are *very*,
*very* problematic. You have to choose which segment the DC will exist
under, for it cannot be part of two sites or two segments, due to the IP
addresses that get registered under your zone name in DNS. Hence why
you are getting the "domain cannot be contacted" error when trying to run
dcpromo, because it's trying to look it up in DNS and it's getting the wrong
IP.

Also, due to the multihomed configuration, there may be a duplicate NetBIOS
name error and hence why the NT4 machine cannot find the domain.

May I ask why this DC is multihomed? Is it performing NAT? There are a bunch
of steps including registry changes (that I can post but you may not like
all the steps) to *force* a multihomed DC to function, but you have to pick
which segment you want it to live on and basically, it's administrative
overhead. If it's performing NAT for Internet access, with all due respect,
it's way easier to buy a $39.00 Linksys router to perform that function and
let the DC do what it does best.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
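
Added example (not part of the original thread, and not either poster's code): a small Python check of what the reply above describes, where a multihomed DC's per-interface A records hand a client addresses on a segment it cannot reach. The host names, host addresses, /24 masks and the premise that console-side clients have no route to 10.50.50.0 are assumptions; the zone data is constructed.

```python
import ipaddress

# Segments named in the thread; the /24 masks are an assumption.
SEGMENTS = {
    "backbone": ipaddress.ip_network("10.50.50.0/24"),
    "console": ipaddress.ip_network("192.168.1.0/24"),
}

# Constructed sample zone data (names and host addresses are made up):
# a multihomed DC registers an A record per interface, both for its own
# host name and for the domain name itself.
ZONE = """
child.corp.example.        A  10.50.50.10
child.corp.example.        A  10.50.50.11
child.corp.example.        A  192.168.1.10
fsmo1.child.corp.example.  A  10.50.50.10
dc2.child.corp.example.    A  10.50.50.11
dc2.child.corp.example.    A  192.168.1.10
"""

def parse_a_records(text):
    """Return {name: [IPv4Address, ...]} from 'name A address' lines."""
    records = {}
    for line in text.strip().splitlines():
        name, rtype, addr = line.split()
        if rtype.upper() == "A":
            key = name.rstrip(".").lower()
            records.setdefault(key, []).append(ipaddress.ip_address(addr))
    return records

def audit(records, client_segment):
    """Classify each name by how a client on client_segment sees it."""
    net = SEGMENTS[client_segment]
    report = {}
    for name, addrs in records.items():
        wrong = [str(a) for a in addrs if a not in net]
        if not wrong:
            verdict = "ok"
        elif len(wrong) == len(addrs):
            verdict = "unreachable"   # every answer is off-segment
        else:
            verdict = "mixed"         # works only if the on-segment answer is tried
        report[name] = (verdict, wrong)
    return report

if __name__ == "__main__":
    for name, (verdict, wrong) in audit(parse_a_records(ZONE), "console").items():
        print(f"{name:28} {verdict:12} off-segment: {', '.join(wrong) or '-'}")
```

On a live network the same record set can be collected with `nslookup` against the domain name and each DC's host name, then fed to `audit()` from each segment's point of view.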
 
troy

4 WinNT's and an internal network. We have 8 identical
test consoles. Due to proprietary software restrictions
each test console needs the same IPs on its
workstations. For security reasons individual user logons
are required. Each test console has a DC. There is a
desire to communicate with these DCs from outside the
test console network, hence the multihomed DCs. So far
things have worked pretty good but we have 8 separate
domains, one for each test console. To get around
administering 8 separate domains I'd like to put each test
console system on the same domain. There is the FSMO DC
and each test console will have its own DC on the same
domain. When individuals log into the test console
workstations they get their authentication from the
local test console DC without having to travel out to the
FSMO. It's complicated (did I mention confusing) but I
need some solution for 1 domain. What about swapping the
FSMO around, is that asking for trouble?

thanks a bunch!
 
Ace Fekay [MVP]


Hmm, confusing is an understatement. For the NT4 machines, assuming that was
still the problem with logging in, sure, you can put the PDC Emulator Role
on the machine itself, but from what you're saying, each machine is its own
domain, and there's only one machine per domain, and you have multiple
domains (unless I got that part wrong?).

If that's the case, each domain has its own PDC Emulator and there would be
no other DCs to move the role over to. So hence, why I believe it's the
NetBIOS dupe name causing it. Unless I misunderstood, I guess you can go
ahead and move it. Let us know how you make out.

--
Regards,
Ace
