PDC Emulator on Windows 2000

Guest

Do I need to turn off the PDC Emulator on a W2K DC if I upgrade my NT 4.0 BDC
to W2K Standalone?

Currently, user info is being sync'd between the W2K DC and the NT 4.0 BDC.
I no longer need a NT 4.0 BDC as I have 2 X W2K DC's.
 
Ace Fekay [MVP]

Richard said:
Do I need to turn off the PDC Emulator on a W2K DC if I upgrade my NT
4.0 BDC to W2K Standalone?

Currently, user info is being sync'd between the W2K DC and the NT
4.0 BDC. I no longer need a NT 4.0 BDC as I have 2 X W2K DC's.

No, leave the PDC Emulator alone. That is a required role in a domain. If
you are done with NT4, and this is the last server, you can just wipe it
clean and install a fresh W2000 OS.

Of course if there are apps and/or files on it, you may need to move them
elsewhere, unless that is why you want to upgrade the OS on this machine. If
so, have you tested compatibility with your apps?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsoft Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================
 
Herb Martin

Richard said:
Do I need to turn off the PDC Emulator on a W2K DC if I upgrade my NT 4.0 BDC
to W2K Standalone?

If a BDC is upgraded to a NON-DC then it will NOT have
a "PDC Emulator".

Only a Win2000+ DC can have the PDC Emulator -- leave
that alone.

You need this if you have an AD Domain (even in native mode.)

Currently, user info is being sync'd between the W2K DC and the NT 4.0 BDC.
I no longer need a NT 4.0 BDC as I have 2 X W2K DC's.

You still need the PDC Emulator.

It also does: Time sync mastering, Domain Master Browser, and one or two
obscure benefits.
 
Guest

Great thanks for your advice. I take it the PDC Emulator is an important
FSMO role. There are no apps on the machine except for anti virus. It is a
file server which is why I want to perform an upgrade.
 
Ace Fekay [MVP]

Herb Martin said:
You still need the PDC Emulator.

It also does: Time sync mastering, Domain Master Browser, and one or
two obscure benefits.

In addition... Password synch, the default server used when GPOs are edited,
and the ability for backward level clients to change their passwords.

Ace
 
Ace Fekay [MVP]

Richard said:
Great thanks for your advice. I take it the PDC Emulator is an
important FSMO role. There are no apps on the machine except for
anti virus. It is a file server which is why I want to perform an
upgrade.

Yes, a *very* important role. Leave it be.

Antivirus? As a client or the AV server for your network?

If I were you, since there are no apps running on it, I would just trash the
server, delete its computer account from the Domain Controllers OU, delete
its reference in Sites and Services, re-format, and install it as a fresh
Win2000 or Win2003. If it was the AV server, use the same name and reinstall
the AV server software and console.

If this was the last NT4 BDC in the AD domain, you can now bump it up to
Native mode.

Ace
 
Jorge_de_Almeida_Pinto

Great thanks for your advice. I take it the PDC Emulator is an important
FSMO role. There are no apps on the machine except for anti virus. It is a
file server which is why I want to perform an upgrade.

You can upgrade the server or you can install a fresh server. As it is
a file server and it is a BDC the data is protected using the domain
groups and not server local groups.
If it is "just" a file server and the data is on its own volume, you
could also:
* to be sure create a full backup of the file server
* backup share info by extracting the following key and its keys and
values to a reg file:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
* Create a new reg file (by copying the first) and remove the default
shares like C$, D$, admin$, IPC$, etc
* Reformat the system volume and clean the old computer account from
the domain
* Install a new server using the old name and add it to the domain
* import the second reg file
* install backup software and antivirus software and configure as
needed

This might also be a solution for you if you prefer a fresh installed
server

You could also:
* to be sure create a full backup of the file server
* export the same registry key as mentioned above and again create a
copy removing the default shares
* MOVE the data with its security using robocopy to a temp server
* Reformat everything and reinstall the server with the new OS and at
least creating a volume with the same drive letter on the server
* Move the data back and retaining security
* importing the reg file

Not sure if you have multiple DCs for your domain, but be sure to have
at least 2 DCs and also be sure to at least backup 2 DCs

Good luck!
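
The "create a second reg file without the default shares" step from the post above, as an added example that is not part of the original post. It assumes a REGEDIT4-style text export; the sample export is constructed, and its hex payloads are placeholders rather than real share data.

```python
import re

# Default shares named in the post: drive-letter shares (C$, D$), ADMIN$, IPC$.
DEFAULT_SHARE = re.compile(r'^(?:[A-Z]\$|ADMIN\$|IPC\$)$', re.IGNORECASE)
VALUE_START = re.compile(r'^"((?:[^"\\]|\\.)*)"=')

# Constructed sample export (placeholder hex data, not a real server's shares).
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
"C$"=hex(7):50,61,74,68,3d,43,3a,5c,00,\
  00
"Finance$"=hex(7):50,61,74,68,3d,44,3a,5c,46,69,6e,00,\
  00
"Users"=hex(7):50,61,74,68,3d,44,3a,5c,55,73,65,72,73,00,00
"IPC$"=hex(7):00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares\Security]
"Users"=hex:01,00,04,80
"admin$"=hex:01,00,04,80
'''

def strip_default_shares(reg_text):
    """Return (cleaned_text, dropped_names); user-created hidden shares are kept."""
    kept, dropped = [], []
    skipping = False    # currently inside a value that is being dropped
    continued = False   # previous line ended with a line-continuation backslash
    for line in reg_text.splitlines():
        if continued:   # continuation of a multi-line hex value
            continued = line.rstrip().endswith("\\")
            if not skipping:
                kept.append(line)
            continue
        m = VALUE_START.match(line)
        skipping = bool(m and DEFAULT_SHARE.match(m.group(1)))
        if skipping:
            dropped.append(m.group(1))
        else:
            kept.append(line)
        continued = bool(m) and line.rstrip().endswith("\\")
    return "\n".join(kept) + "\n", dropped

if __name__ == "__main__":
    cleaned, dropped = strip_default_shares(SAMPLE)
    print("dropped:", dropped)
    print(cleaned)
```

Filtering by exact name rather than by a trailing `$` keeps hidden shares such as the constructed `Finance$`, and the same pass covers the `Security` subkey, so the per-share permission entries for the shares that are kept are imported together with the share definitions.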
 
Guest

I just did a fresh install of 2000 as I no longer need the NT 4.0 BDC. The
file server is up and running just fine. No problems.

Our users have noticed some delay when printing since the BDC went away.
Any suggestions on the cause? The print server is on a separate server and
we are still in mixed mode.
 
Ace Fekay [MVP]

Richard said:
I just did a fresh install of 2000 as I no longer need the NT 4.0
BDC. The file server is up and running just fine. No problems.

Our users have noticed some delay when printing since the BDC went
away. Any suggestions on the cause? The print server is on a
separate server and we are still in mixed mode.

A delay with printing? Hmm. Have the clients logged off and logged on again,
or were they all still up and running and haven't been shutdown since the
change? Are all the clients only using the internal DNS server in their IP
properties, or is there another server (such as an ISP's)?

Ace
 
Ace Fekay [MVP]

Richard said:
I just did a fresh install of 2000 as I no longer need the NT 4.0
BDC. The file server is up and running just fine. No problems.

Our users have noticed some delay when printing since the BDC went
away. Any suggestions on the cause? The print server is on a
separate server and we are still in mixed mode.

Oh, forgot to mention, go ahead and bump it up to native mode. Mode has
nothing to do with the clients, but rather just for DC OS types. When in
mixed, the full feature set is not used only for backward compatibility.
Since you have no more NT4 BDCs, it is safe to change it.

Ace
 
Guest

Most of them were running before the change and have not shutdown. We do
require that they log off each day. Also a GP was setup to include the DNS
suffix of the domain. We have the clients pointing to internal DNS only
192.168.1.2 & 192.168.1.3.
 
Ace Fekay [MVP]

Richard said:
Most of them were running before the change and have not shutdown.
We do require that they log off each day. Also a GP was setup to
include the DNS suffix of the domain. We have the clients pointing
to internal DNS only 192.168.1.2 & 192.168.1.3.

Ok, good to hear.

Do the SRV records exist under the zone for your DCs?

Can I see an ipconfig /all from the DCs and a client machine please?

Ace
 
Guest

SRV records do exist under the same zone as the DC. We have a single domain.

--DESKTOP
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

U:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : ITXP03
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
Physical Address. . . . . . . . . : 00-12-3F-72-2B-68
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.214
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.2
192.168.1.3


--DC1
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\Profiles\Administrator.000>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : srvdns01
Primary DNS Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter DynamicAccess [SRVDNS01]:

Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : Dynamic Access Miniport
Physical Address. . . . . . . . . : 00-01-02-39-67-92
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.2
Primary WINS Server . . . . . . . : 192.168.1.2

--DC2
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator.NAS_DOM1>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : srvdns03
Primary DNS Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter SRVDNS03:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-04-76-2F-AB-6B
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.3
 
Ace Fekay [MVP]

Richard said:
SRV records do exist under the same zone as the DC. We have a single
domain.

--DESKTOP
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

U:\>ipconfig /all
<snip>

Thanks for posting that. They all look good. One suggestion, on each DC, you
can point to itself first, and the other as the second entry. I usually like
to point to the partner as the first entry, and itself as the second. This
eliminates possible 5781 errors at boot time.

Back to the slow printing, I would assume the print server is a Win2000
machine, but apparently it seems that NTLM is still being used and it may be
looking for the old BDC, which is making me think the print server may be an
NT4 machine?

On one of the clients and on the print server, find out who the logon server
is:
echo %logonserver%
If it is the old BDC, I would suggest to restart both the print server and
the client, and try it again on both to see if it is now pointing to one of
the Win2000 DCs.

As far as mixed mode, honestly, if all the NT4 BDCs are gone, you can safely
change it to Native. Mixed mode's only purpose is for backward compatibility
with NT4 domain controllers. Mixed mode follows NT4's domain controller
feature sets and replication behavior, such as no Universal Groups, RAS
policies, or the ability to nest Global Groups and Universals (which don't
exist anyway), nor multi-master replication since an NT4 BDC only holds a
read copy of the database and they look to the Win2000 PDC Emulator for
replication changes. It has no effect on non-domain controllers.

Ace
 
Guest

I appreciate all of your advice. I will leave my DC in mixed as we have 8
other locations across the US that each has their own PDC. I do not want to
create a problem if those sites are unable to authenticate with the 2000 AD
domain.

I am in the process of upgrading each to 2000 ADS on a single domain. We
only have 10 or so users at each site.

I am getting this Directory Service warning in the event logs any
suggestions what may cause this? Everything looks correct in DNS and replmon
logs show replication is successful.

Thank you.


Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1265
Date: 10/28/2005
Time: 10:45:44 AM
User: N/A
Computer: SRVDNS01
Description:
The attempt to establish a replication link with parameters

Partition: DC=domain,DC=com
Source DSA DN: CN=NTDS Settings,CN=SRVDNS03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Source DSA Address: f2a0c12c-c847-4142-9696-815af4d5a1a3._msdcs.domain.com
Inter-site Transport (if any):

failed with the following status:

The DSA operation is unable to proceed because of a DNS lookup failure.

The record data is the status code. This operation will be retried.
Data:
0000: 4c 21 00 00 L!..





 
Ace Fekay [MVP]

Richard said:
I appreciate all of your advice. I will leave my DC in mixed as we
have 8 other locations across the US that each has their own PDC. I
do not want to create a problem if those sites are unable to
authenticate with the 2000 AD domain.

I am in the process of upgrading each to 2000 ADS on a single domain.
We only have 10 or so users at each site.

I am getting this Directory Service warning in the event logs any
suggestions what may cause this? Everything looks correct in DNS and
replmon logs show replication is successful.

Thank you.


Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1265
Date: 10/28/2005
Time: 10:45:44 AM
User: N/A
Computer: SRVDNS01
Description:
The attempt to establish a replication link with parameters

Partition: DC=domain,DC=com
Source DSA DN: CN=NTDS Settings,CN=SRVDNS03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Source DSA Address: f2a0c12c-c847-4142-9696-815af4d5a1a3._msdcs.domain.com
Inter-site Transport (if any):

failed with the following status:

The DSA operation is unable to proceed because of a DNS lookup
failure.

The record data is the status code. This operation will be retried.
Data:
0000: 4c 21 00 00 L!..

The error is indicating there's a DNS lookup failure when attempting
a DNS lookup for "SRVDNS03.domain.com" and to establish communication with
it.

Does the "SRVDNS03" record exist under the domain.com zone in DNS?

It's also referencing a lookup for
"f2a0c12c-c847-4142-9696-815af4d5a1a3._msdcs.domain.com". Does that exist
in your SRV record?

Are any services disabled on any of the DCs? (The DHCP Client service is a
required service for registration and hostname resolution whether it has a
static IP or not).

Is there a software firewall installed on any of the DCs?

As for the mode and the other domains (assuming trusts exist), mode has
nothing to do with it as I previously explained. But I respect your
cautionary stance. :)

Ace
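
The DNS checks asked for in the post above, as an added example that is not part of the original thread: it parses the Event ID 1265 text, decodes the status bytes, and builds the lookups to run against each DNS server. The function names are hypothetical, the event text is a constructed copy of the posted warning, and the two DNS server addresses are the ones given earlier in the thread.

```python
import re

# Constructed sample: description fields of the Event ID 1265 warning quoted in the thread.
EVENT_TEXT = """\
Partition: DC=domain,DC=com
Source DSA DN: CN=NTDS Settings,CN=SRVDNS03,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Source DSA Address: f2a0c12c-c847-4142-9696-815af4d5a1a3._msdcs.domain.com
Inter-site Transport (if any):
Data:
0000: 4c 21 00 00 L!..
"""

# Win32 error 8524 is ERROR_DS_DNS_LOOKUP_FAILURE, the status the event text spells out.
KNOWN_STATUS = {8524: "ERROR_DS_DNS_LOOKUP_FAILURE"}

def _field(text, name):
    # An empty field such as "Inter-site Transport (if any):" yields None.
    m = re.search(rf"^{re.escape(name)}:[ \t]*(\S.*)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def parse_kcc_1265(text):
    """Extract the host name, the GUID-based DSA name and the status code."""
    dn = _field(text, "Source DSA DN") or ""
    server = re.search(r"CN=NTDS Settings,CN=([^,]+)", dn)
    domain = ".".join(re.findall(r"DC=([^,\s]+)", _field(text, "Partition") or ""))
    data = re.search(r"^0000:((?: [0-9a-fA-F]{2}){4})", text, re.MULTILINE)
    # The record data is a little-endian DWORD: 4c 21 00 00 -> 0x0000214c.
    status = int.from_bytes(bytes.fromhex(data.group(1)), "little") if data else None
    return {
        "server_fqdn": f"{server.group(1).lower()}.{domain}" if server and domain else None,
        "dsa_cname": _field(text, "Source DSA Address"),
        "status": status,
        "status_name": KNOWN_STATUS.get(status, "unknown"),
    }

def lookup_plan(parsed, dns_servers):
    """Build nslookup commands that ask every DNS server for both names."""
    plan = []
    for dns in dns_servers:
        if parsed["server_fqdn"]:
            plan.append(f"nslookup -type=A {parsed['server_fqdn']} {dns}")
        if parsed["dsa_cname"]:  # the DC GUID alias is a CNAME under _msdcs
            plan.append(f"nslookup -type=CNAME {parsed['dsa_cname']} {dns}")
    return plan

if __name__ == "__main__":
    info = parse_kcc_1265(EVENT_TEXT)
    print(info["status"], info["status_name"])
    print("\n".join(lookup_plan(info, ["192.168.1.2", "192.168.1.3"])))
```

Each DC in the posted `ipconfig /all` output lists only itself as DNS server, so running the same lookups against both addresses shows whether the two servers hold the same records.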
 
