PDC stuffed up - need serious advice

yves

Hi all,

I have just been assigned to a small school where there are about 300
clients time sharing between approximately 50 PCs running W98. And there
is only one W2K server that is the PDC/file server/print server for all
users. The school leases this server and the majority of PC's from a local
firm.
Here goes:- The firm's technician took the server away for "maintenance"
during the school holidays and when they brought it back installed the server
and then happily upgraded all of the PCs to W2ksp2 against my wishes.
When I arrived on location this week, nothing was working right. The
staff can view the shares but when they accessed their personal folders,
they all receive the "access denied" message.
DNS is not running and not integrated within active directory, I had
a look through the settings and the root hints field is empty and greyed
out. Can't even add the roots manually!!
DHCP has not been authorized and none of the pc's can access the printers.
That's some of the main ones that I found amongst other things.
I managed to temporarily provide them with the internet as I redirected
the proxy to the ISP's DNS server.
There is another server, P3 800/256MBram/3 x SCSI HDD's that is available
and I'm thinking of installing W2K on it, and then transport all of the
users to this server, capture the FSMO's and demote the stuffed up
(leased) server to a member server that will only contain the shares. It's
one big mess and looks like I'm the one that has to fix it. Does anyone have any
clues on what I should be wary of and what tools are best to achieve
this. The catch is; when the firm technicians that serviced/wrecked the
stuffed up server did a dcpromo on it, they typed in the AD restore mode
password that is unknown to anybody but them. And that I hope is going to
change.


All advice/pointers are very much appreciated

Thanks
 
Herb Martin

yves said:
> Hi all,
>
> I have just been assigned to a small school where there are about 300
> clients time sharing between approximately 50 PCs running W98. And there
> is only one W2K server that is the PDC/file server/print server for all
> users. The school leases this server and the majority of PC's from a local
> firm.

That would be DC (and "PDC Emulator") -- no PDC/BDC in Win2000+.

> Here goes:- The firm's technician took the server away for "maintenance"
> during the school holidays and when they brought it back installed the server
> and then happily upgraded all of the PCs to W2ksp2 against my wishes.

SP4 would make more sense -- which you really need plus
all the SPs.

> When I arrived on location this week, nothing was working right. The
> staff can view the shares but when they accessed their personal folders,
> they all receive the "access denied" message.

Why? What's the permission status of the Shares a particular FILE
that is being accessed?

> DNS is not running and not integrated within active directory, I had
> a look through the settings and the root hints field is empty and greyed
> out. Can't even add the roots manually!!

Integration is NOT a requirement (nice though) but you need the DNS.

> DHCP has not been authorized and none of the pc's can access the printers.

Right click and authorize it.

> That's some of the main ones that I found amongst other things.
> I managed to temporarily provide them with the internet as I redirected
> the proxy to the ISP's DNS server.

DNS
1) Dynamic for the zone supporting AD
2) All internal DNS client NIC\IP properties must specify SOLELY
that internal, dynamic DNS server (set.)
3) DCs and even DNS servers are DNS clients too -- see #2

Restart NetLogon on any DC if you change any of the above that
affects a DC.

> There is another server, P3 800/256MBram/3 x SCSI HDD's that is available
> and I'm thinking of installing W2K on it, and then transport all of the
> users to this server, capture the FSMO's and demote the stuffed up
> (leased) server to a member server that will only contain the shares.

Just fix the problems before you add new complications.

What's actually "stuffed up" -- this isn't much of a technical term -
besides those issues above that are easily fixed and would need to
be done even if you switch.

> It's
> one big mess and looks like I'm the one that has to fix it. Does anyone have any

Doesn't actually sound like much of a mess.

Just fix it.

> clues on what I should be wary of and what tools are best to achieve
> this. The catch is; when the firm technicians that serviced/wrecked the
> stuffed up server did a dcpromo on it, they typed in the AD restore mode
> password that is unknown to anybody but them. And that I hope is going to
> change.

Start by fixing the DNS server -- test it.

Run DCDiag.exe on that DC and correct or report any errors here.
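
Rule 2 in the reply above (every internal DNS client, DCs included, points solely at the internal DNS server) can be checked mechanically. The following Python sketch is an added example, not part of the original thread: it parses `ipconfig /all` output and flags any adapter that lists another DNS server. The sample output and both addresses are constructed for illustration.

```python
import re

# Constructed sample of `ipconfig /all` output from the DC (not from the thread).
SAMPLE = """\
Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.0.10
        Default Gateway . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.10
                                            203.0.113.53
"""

ADAPTER = re.compile(r"^(\S.*adapter .+):\s*$")
DNS_LINE = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S+)\s*$")
BARE_IP = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")

def dns_servers_by_adapter(text):
    """Return {adapter name: [DNS servers]} parsed from ipconfig /all output."""
    result, adapter, in_dns = {}, None, False
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            adapter, in_dns = m.group(1), False
            result[adapter] = []
            continue
        if adapter is None:
            continue  # still in the global header section
        m = DNS_LINE.match(line)
        if m:
            result[adapter].append(m.group(1))
            in_dns = True
        elif in_dns and (m := BARE_IP.match(line)):
            # Additional servers appear as indented bare addresses.
            result[adapter].append(m.group(1))
        else:
            in_dns = False
    return result

def violations(text, internal_dns):
    """List (adapter, server) pairs that break the 'solely internal DNS' rule."""
    allowed = set(internal_dns)
    return [(a, s) for a, servers in dns_servers_by_adapter(text).items()
            for s in servers if s not in allowed]

if __name__ == "__main__":
    # 192.168.0.10 is the assumed address of the internal DNS server.
    for adapter, server in violations(SAMPLE, ["192.168.0.10"]):
        print(f"{adapter}: non-internal DNS server {server} configured")
```
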
 
yves

> Integration is NOT a requirement (nice though) but you need the DNS.

I'm thinking of stopping the DNS service so that I could type in the root
hints manually and review all of its settings, is there another way?

> Right click and authorize it.

OK

> DNS
> 1) Dynamic for the zone supporting AD
> 2) All internal DNS client NIC\IP properties must specify SOLELY
> that internal, dynamic DNS server (set.)
> 3) DCs and even DNS servers are DNS clients too -- see #2
>
> Restart NetLogon on any DC if you change any of the above that
> affects a DC.

Thanks for the tip

> Just fix the problems before you add new complications.

Good point, I'll concentrate on the server first.

> Start by fixing the DNS server -- test it.
> Run DCDiag.exe on that DC and correct or report any errors here.

I had a look on the MS website for Dcdiag.exe. Thanks for the info, I'll
run that tool on the server.
As the local tech doesn't have any backup available, I'll first make a
full backup of the system state and all of the C: drives.


Thanks
 
Herb Martin

yves said:
> I'm thinking of stopping the DNS service so that I could type in the root
> hints manually and review all of its settings, is there another way?

Stopping the service (briefly) is not a terrible thing, but you
do realize that "root hints" have nothing to do with your Internal
DNS-AD problems unless you have a complex tree-forest
situation.

(If you have only one domain, or even a few) You would likely
do better by just using the ISP DNS as your DNS server's
forwarder.

You really don't want your internal DNS server (especially if it
is a DC) visiting random Internet sites to resolve names. Let the
ISP do that.

If your "Forwarder" tab is disabled, you must delete the "." (root)
zone which almost no one needs.
 
Stuart Hawes

To reset the restore password, log on as a domain admin and at the command
prompt type setpwd, then reset the password to what you like.
 
