Help with - Redesign/upgrade/move AD/PDC, computer and machine accounts on SOHO network.

  • Thread starter Don 'Bear' Wilkinson

Don 'Bear' Wilkinson

Good day folks,
I am looking for some guidance with a project. I am trying to
determine/plan the best course of action for some changes to my SOHO
domain/network.

Basically, I have an old slow box (called "amadan") running Win2000 Server
as the AD/PDC in a domain called "lair". It has some problems. I just got
some 'new to me' hardware and now I am trying to decide how best to proceed.

First consideration: Retain ability to access existing user
account/profile/data ("login:bear, domain:lair") on my primary
desktop/client box ("eckspee") in the new environment. E.g., I have a LOT
of applications, data, preferences and personalization associated with the
user profile on Eckspee. That profile is associated with the existing
domain "lair" and presently uses Folder Redirection policy to store the "My
Documents" data on a share on the AD/PDC server "Amadan."

Second consideration: Plan to decommission old server Amadan.

Background:
** Existing Win2000-SP3 AD/PDC system named 'amadan' in domain 'lair'. It's
a Celeron 400MHz with 256MB RAM - wimpy! I am running IIS5 and some other
services. It's pretty slow :).

This box is LOCALLY authoritative for the DNS domain "lair.org". There is
also a public DNS domain for 'lair.org' hosted by my ISP and EXTERNALLY
authoritative for the same DNS domain. These DNSes do not exchange DNS data
and there are, as yet, no subdomains. I may wish to change that.

In my terminology, this is a 'flat' AD domain and a flat DNS domain. There
is only one forest and one tree. I am curious about the advantages to
changing that so that the local/SOHO AD domain becomes a DNS subdomain,
e.g., home.lair.org. Then the machines on this network would be
<machine>.home.lair.org. As it is now, it's <machine>.lair.org. Again, I
hope it's possible to have this desktop box (Eckspee) be moved to the new
sub/child domain but not lose the user account profile and its data. My
experience is that when you change domain names associated with a user
account, you disassociate the profile. In other words, if I now log in as
"LAIR\username" and it changes to "HOME\username", I will have 'lost' the
profile and will start over from scratch in a new profile(?).

This AD seems to have some DNS/AD problems - which I have looked into but
have not been able to remedy. AD Problem Symptoms:
-- Can't publish a shared printer. When my primary desktop (AD client,
successfully logged into domain (I believe)) was Windows 2000 Pro, using the
"Publish Printer" feature would eventually time out and fail. On the now
Windows XP Pro client (eckspee), using the "Search - Find Printers on the
Network" option, the following happens. The "Find Printer" dialog opens
immediately but the box is greyed out for approximately 40 or so seconds.
Once the 'search' is done, the "In:" box correctly defaults to the "lair"
domain. Hitting "Browse" results in a delay of about 45 seconds (again). I
confirm that the lair domain is highlighted and click OK. Back in the Find
Printer window, I attempt to find any or all printers. I have tried both
"*" and the share name of the known good printer "ML-1430" to no avail.
Each time I enter a search term, the search takes a long time and eventually
fails.
-- Cannot contact AD DC with Active Directory Users and Computers and/or
similar snap-ins. I get the error message "Naming information cannot be
located because: The Specified Domain either does not exist or could not be
contacted. {snip}" (Could be a firewall issue? What port is used? TCP
135 (among others?) I have allowed LSA service application access to local
network)

Options as I see it:
1. Make new box Windows 2003 Server (on 180 day eval version - I can't
afford to BUY it for the foreseeable future) on a separate AD domain (to be
named 'home', not 'lair' for example) and IP subnet as a new host within
'lair.org'. Leave everything else as is, AD problems and all. (It mostly
works well enough for my SOHO and my roommates' use.) Existing domain server
stays in service to service login requests for and host machine/user account
data association for existing domain clients.

2. Make new box Windows 2003 Server (on 180 day eval version) in existing
'flat' domain, transfer FSMO roles, machine and user accounts from
LAIR\Amadan. Tricky and might inherit some AD/DNS problem (as described
below)? Would I be able to set it up so that my existing Windows XP Pro
desktop ("Eckspee") would be able to automagically connect to the new Server
'transparently'? (So as to not 'disassociate' the local user profile and
its data - I'm really trying to avoid having to rebuild my account from
scratch, thereby losing all the good settings and such)

3. Make new box Windows 2003 Server (trial version) in existing domain but
as a new child/tree, e.g., called "newbox" in an AD domain of "home" as a DNS
subdomain "home.lair.org". (newbox.home.lair.org and \\HOME\newbox). Then
I'd want to transfer the FSMO and other stuff to 'newbox' from LAIR\Amadan
(the existing AD/PDC). Then I'd decomm Amadan.

4. Make new box Windows 2000 Server (which I have license for) in existing
domain but as a new child/tree, e.g., called "newbox" in an AD domain of
"home" as a DNS subdomain "home.lair.org" (newbox.home.lair.org and
\\HOME\newbox). Then I'd want to transfer the FSMO and other stuff to
'newbox' from LAIR\Amadan (the existing AD/PDC) leading to a decomm of
Amadan.

5. Make new box Windows 2000 Server (which I have license for) in existing
domain at the same AD/DNS level. (newbox.lair.org and \\LAIR\newbox).
Transfer FSMO roles, machine and user accounts, etc.

6. Make new box either Windows 2000 or 2003 as a new domain ('home'),
abandoning 'lair' altogether, requiring that the client machine 'Eckspee' be
removed from LAIR and added to HOME. This of course would lead to some
kind of rebuild of my user environment on the client machine 'eckspee'. New
account/login and manual 'backup and restore' of data files, possibly
reinstallation of applications and so on.

7. One of the above options AND a total rebuild of my client machine since
it's a slightly messed up XP Pro install anyway. In other words, if I had
my druthers, I'd find some way to first 'backup' my 'stuff' from Eckspee.
Then I'd build the new server with whatever AD/DNS structure makes the most
sense, rebuild the XP Pro client machine, reinstall all apps and go through
the painful process of rebuilding my 'user account and environment.' Maybe
that's just it... I have to bite the bullet and 'start over from scratch.'
*sigh*

I am only passingly aware of ADMT and NEWDOM tools, but I understand that
they may be what I will work with *if* I am moving machine/user accounts. I
gather/assume they do not necessarily address my concern about
'dis-associating' the user account/data/profile on the desktop machine
(Eckspee). What tools/procedures might work there?

I think I like Options 3 and 4 above. But, I'm not sure it can work that I
both change the domain 'name' *and* keep the desktop/client associated with
its user profile data.

Bottom line (and I'm sorry this is so long, but I wanted to try to be
thorough), I want/need to rebuild my SOHO network. I have a new box that
will become, at some point, the ONLY Windows server. I have a client machine
that probably needs to be rebuilt, but I'm trying to avoid that (even though
it probably needs to be done and would have some benefits).

Thanks in advance for info, help, insights and pointers.
Don/Bear

Don 'Bear' Wilkinson

Followup...
I was poking at other articles on these NGs and was reminded about setting
the client/desktop DNS to the IP for the local DC. As soon as I did that I
was able to search/browse the domain - as in searching for shared printers
and using the ADUC MMC.
Whee!
Don
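The fix in the follow-up (point the client's DNS at the DC that hosts the AD-integrated zone) works because domain members locate a DC through the `_ldap._tcp.dc._msdcs.<domain>` SRV record; when the client asks the ISP's public `lair.org` resolver instead, that lookup fails and you get exactly the long timeouts and the "domain either does not exist or could not be contacted" error described above. The script below is an added PowerShell diagnostic, not something posted in the thread; it assumes a modern Windows client with the DnsClient module and uses the thread's `lair.org` DNS name.

```powershell
# Added example (not from the thread). Checks every configured DNS server to see
# whether it can answer the DC-locator SRV query for the AD domain. Assumes the
# DnsClient module (Windows 8 / Server 2012 or later); the DNS name is the one
# given in the thread.
function Test-DcLocatorDns {
    param([string]$DnsDomain = 'lair.org')

    # Record a domain member queries to find a domain controller for LDAP
    $SrvName  = "_ldap._tcp.dc._msdcs.$DnsDomain"
    $anyGood  = $false

    # Every IPv4 adapter that has at least one DNS server configured
    $adapters = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    foreach ($adapter in $adapters) {
        foreach ($ip in $adapter.ServerAddresses) {
            try {
                # Ask THIS server directly (-DnsOnly skips LLMNR/NetBIOS and the cache).
                # A resolver that does not host the AD zone, such as the ISP's public
                # lair.org, returns NXDOMAIN or times out instead of SRV records.
                $rec = Resolve-DnsName -Name $SrvName -Type SRV -Server $ip `
                       -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'SRV' }
                if ($rec) {
                    $anyGood = $true
                    $dcs = ($rec | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                    "{0} -> {1}: OK, DC(s) {2}" -f $adapter.InterfaceAlias, $ip, $dcs
                } else {
                    "{0} -> {1}: no SRV answer (does not host the AD zone)" -f `
                        $adapter.InterfaceAlias, $ip
                }
            } catch {
                "{0} -> {1}: FAILED ({2})" -f $adapter.InterfaceAlias, $ip, $_.Exception.Message
            }
        }
    }

    if (-not $anyGood) {
        "No configured DNS server can locate a DC for $DnsDomain; set the client's " +
        "DNS to the DC's IP address (the fix from the follow-up post)."
    }
}

Test-DcLocatorDns
```

A server listed as "OK" is the one the client should use first; any public resolver listed before it will still cause the delays, because the client tries servers in order.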