single label domain on win 2000, upgrade to 2003 and rename?

Guest

I have a client that’s really having some AD / DNS problems with their domain. The goal here is to get them up to Windows 2003 and Exchange 2003; they are NOT running Exchange at all now, and this will be important for you to know later in the post. First of all, their original admin set up the domain as a single label domain, with an underscore as well. Let’s use the example domain_name as their domain name and a server name of ServerName for this post. Ok, so now the client is having DDNS issues with XP clients and the domain controller; there’s only one at this point, running Windows 2000 w/ SP4. I’ve read KB article 300684 over and over and have implemented the reg changes on the clients and the DC, but there are still DNS errors when I run DCDIAG and NETDIAG, even after many reboots. I was able to resolve most of the DCDIAG errors today by manually adding SRV records to their DNS zone; one error remains. The DCDIAG error that I’m still getting is below, all other tests pass:

Starting test: kccevent
* The KCC Event log test
An Warning Event occurred. EventID: 0x80000443
(Event String could not be retrieved)
ServerName failed test kccevent

Ok, I don’t have all the netdiag errors in front of me right now but let me get to my real question. I feel this domain should be renamed. It’s in Windows 2000 Native mode so I know the NT PDC option to rename is out. Downtime and losing accounts, profiles, and printers is not an option; this is a world wide business and I was told I could only have 20 minutes of downtime…not much. So here’s my suggestion, please comment:

Get a server identical to the DC for testing, and GHOST a copy of the current DC server to a file and re-apply that GHOST image to the “test” server. This will give me an exact replica of the current DC and its state…errors and all. I could then bring the test server up, off the production LAN of course, so I can try a few things. My idea was to try an upgrade to Windows 2003, and then use the rendom.exe utility to fix the single label domain issue. There’s no Exchange server yet, so I can avoid that rendom caveat. Then if all goes well, try this in production.

One main concern I have is how the rendom utility will affect the domain SIDs. Meaning, I don’t want to have to remove and add servers or workstations back to the domain; all PCs are XP and all member servers are 2000 or 2003. I guess my question here is how does the rendom utility affect SIDs, user accounts, machine accounts, and user profiles? Printers are a concern too, as well as Terminal Services…this customer has TS users all over the world. Is the rendom utility pretty seamless to the users or is profile and account info screwed up in some way? Are all the SIDs left alone and unchanged?

Any help with this would be great. Once I can get all this resolved, I’ll definitely propose the idea of more domain controllers; there’s no redundancy right now.

Thanks!!
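Added example, not from the thread or any of its posters: a small Python check that flags the naming problems the post describes (single label, underscore) and compares a DNS zone export against the core DC locator SRV records a domain controller registers, which is what the manual SRV fix-up above is chasing. The record list is assumed from the standard netlogon.dns locator set; the zone text is a constructed sample, and domainname.local, ServerName and the site name Default-First-Site-Name are assumptions.

```python
import re

# Core DC locator SRV owner names that Netlogon registers (assumed here from
# the standard netlogon.dns record set; site-specific GC entries omitted).
# {domain}/{forest} are DNS names, {site} is the AD site name.
LOCATOR_SRV_TEMPLATES = [
    "_ldap._tcp.{domain}",
    "_ldap._tcp.{site}._sites.{domain}",
    "_ldap._tcp.pdc._msdcs.{domain}",
    "_ldap._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    "_ldap._tcp.gc._msdcs.{forest}",
    "_gc._tcp.{forest}",
    "_kerberos._tcp.{domain}",
    "_kerberos._udp.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_kpasswd._tcp.{domain}",
    "_kpasswd._udp.{domain}",
]

# RFC 1123 host-name label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def name_problems(dns_name):
    """Return the AD naming problems of a DNS domain name (empty list if none)."""
    labels = dns_name.rstrip(".").split(".")
    problems = []
    if len(labels) == 1:
        problems.append("single-label name: KB 300684 registry changes needed, "
                        "dynamic registration unreliable")
    for label in labels:
        if "_" in label:
            problems.append(f"label '{label}' contains an underscore "
                            "(not a valid RFC 1123 host-name label)")
        elif not LABEL_RE.fullmatch(label):
            problems.append(f"label '{label}' is not a valid RFC 1123 label")
    return problems


def expected_locator_records(domain, forest=None, site="Default-First-Site-Name"):
    """Owner names a DC for `domain` must register; forest root defaults to domain."""
    forest = forest or domain
    return [t.format(domain=domain, forest=forest, site=site)
            for t in LOCATOR_SRV_TEMPLATES]


def srv_owners_in_zone(zone_text):
    """Collect SRV owner names from a BIND-style zone export.

    Accepts 'owner [ttl] [IN] SRV prio weight port target' lines; ';' comments
    and other record types are ignored. Names are normalised to lower case
    without the trailing dot.
    """
    owners = set()
    for line in zone_text.splitlines():
        parts = line.split(";", 1)[0].split()
        if len(parts) >= 6 and "SRV" in parts[1:]:
            owners.add(parts[0].rstrip(".").lower())
    return owners


def missing_locator_records(zone_text, domain, forest=None,
                            site="Default-First-Site-Name"):
    """Expected locator SRV names that the zone export does not contain."""
    present = srv_owners_in_zone(zone_text)
    return [name for name in expected_locator_records(domain, forest, site)
            if name.lower() not in present]


# Constructed sample export for the renamed domain (not from the thread);
# the Kerberos dc._msdcs record and the kpasswd UDP record are deliberately absent.
SAMPLE_ZONE = """\
; constructed sample, DC ServerName in site Default-First-Site-Name
_ldap._tcp.domainname.local. 600 IN SRV 0 100 389 servername.domainname.local.
_ldap._tcp.Default-First-Site-Name._sites.domainname.local. 600 IN SRV 0 100 389 servername.domainname.local.
_ldap._tcp.pdc._msdcs.domainname.local. 600 IN SRV 0 100 389 servername.domainname.local.
_ldap._tcp.dc._msdcs.domainname.local. 600 IN SRV 0 100 389 servername.domainname.local.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domainname.local. 600 IN SRV 0 100 389 servername.domainname.local.
_ldap._tcp.gc._msdcs.domainname.local. 600 IN SRV 0 100 3268 servername.domainname.local.
_gc._tcp.domainname.local. 600 IN SRV 0 100 3268 servername.domainname.local.
_kerberos._tcp.domainname.local. 600 IN SRV 0 100 88 servername.domainname.local.
_kerberos._udp.domainname.local. 600 IN SRV 0 100 88 servername.domainname.local.
_kpasswd._tcp.domainname.local. 600 IN SRV 0 100 464 servername.domainname.local.
"""

if __name__ == "__main__":
    for name in ("domain_name", "domainname.local"):
        print(name, "->", name_problems(name) or "ok")
    for rec in missing_locator_records(SAMPLE_ZONE, "domainname.local"):
        print("missing:", rec)
```

A real zone can be exported with dnscmd /zoneexport on the DC and fed to missing_locator_records in place of the constructed sample.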
 
Ulf B. Simon-Weidner [MVP]

1Tech said:
> I have a client that's really having some AD / DNS problems with their
> domain. The goal here is to get them up to Windows 2003 and Exchange
> 2003, they are NOT running Exchange at all now, this will be important for
> you to know later in the post. First of all, their original admin set up
> the domain as a single label domain, with an underscore as well.
> [errors with single label snipped]
> Ok, I don't have all the netdiag errors in front of me right now but let
> me get to my real question. I feel this domain should be renamed. It's
> in Windows 2000 Native mode so I know the NT PDC option to rename is out.
> Downtime and losing accounts, profiles, and printers is not an option,
> this is a world wide business and I was told I could only have 20 minutes
> of downtime...not much. So here's my suggestion, please comment.

They have a world wide business running on a single label domain with a
non-RFC domain name and on a single DC and tell you that the accepted
downtime will be max. 20 minutes?

Get a copy of their DC once in a while, wait until the single point of
failure does what's predictable, and be their hero afterwards ;-)

I wouldn't touch that environment if they are not aware of their
situation - you can't win.

> Get a server identical to the DC for testing, and GHOST a copy of the
> current DC server to a file and re-apply that GHOST image to the "test"
> server. This will give me an exact replica of the current DC and its
> state...errors and all.

Ghosting the server will have a longer downtime than 20 minutes -
usually. Do they have RAID mirrored hard drives? You'd be able to grab
and replace one of those and put it into identical hardware.

> I could then bring the test server up, off the production LAN of course,
> so I can try a few things. My idea was to try an upgrade to Windows 2003,
> and then use the rendom.exe utility to fix the single label domain issue.
> There's no Exchange server yet, so I can avoid that rendom caveat. Then
> if all goes well, try this in production.

Sounds like a plan. Just to let you know - you'd be able to do this
with Exchange 2003 now too (there's a WebCast in the KB which gives you
more info).

However, be aware that a domain rename has more caveats than just
Exchange. I assume that they don't run a CA as this is listed on the
top caveats with Exchange as well, but you'll need to test every
application if it has issues with the renamed domain name. You never
know if the applications are programmed right, and if they are not
storing the name of the domain anywhere else in the registry or some
ini-file or somewhere else. You need to test, test and test. And the
company needs to assist you by making a risk evaluation which
applications are worth testing and which are worth losing and
reinstalling and configuring. When we did a domain rename in our
environment, we had a product for software distribution which was not
yet supported for a domain rename. However we decided that we won't
have many issues losing the history and we'd be able to rebuild that
environment in a reasonable time, so we went ahead.

> One main concern I have is how the rendom utility will affect the domain
> SIDs. Meaning, I don't want to have to remove and add servers or
> workstations back to the domain, all PCs are XP and all member servers
> are 2000 or 2003. I guess my question here is how does the rendom utility
> affect SIDs, user accounts, machine accounts, and user profiles. Printers
> are a concern too, as well as Terminal Services...this customer has TS
> users all over the world. Is the rendom utility pretty seamless to the
> users or is profile and account info screwed up in some way? Are all the
> SIDs left alone and unchanged?

SIDs won't change. However I'd recommend keeping the NetBIOS name if
possible - most application issues will more likely store the NetBIOS
name somewhere than the DNS domain name (e.g. if an application uses a
specific account and does not store the SID, it'll store it most likely
as domain\accountname).

Windows XP and 2003 machines will need to reboot twice before you are
finishing the domain rename - that means you'll have to stay in an
environment where no major changes to the domain (such as adding
additional DCs) will be allowed until every machine rebooted twice in
the network.

I'm not sure about 2000. Guess same behaviour as XP with a current SP.
NT would need to rejoin the domain, good that you don't have any.

User accounts will be fine, the SID stays. I don't see any issues with
printers. Terminal Servers depend on the applications running on them,
I'd test those.

> Any help with this would be great. Once I can get all this resolved, I'll
> definitely propose the idea of more domain controllers, there's no
> redundancy right now.

I'd go for at least two DCs prior to that change. And first of all -
the customer needs to be aware of his situation and be glad that you
help him get this fixed. MS recommends not to stick with a single
label domain name - I'm pretty sure that they'll have bigger problems
in the future than they have right now.

Then make sure you have a 100% fallback path in place. I'd go for
RAID mirrors, get additional hard drives and take one mirror out and
resync to a new hard drive so you have a fallback of the DC(s).

You didn't mention how many member servers and clients are affected. Be
aware that each of them needs to reboot twice in the domain (do you
have laptops?) - there's a downtime on services. And if you need to
roll back then you'll need to take every server out of the domain and
rejoin the domain again.

Read the domain rename guides and make sure you are using the
up-to-date tools from the MS website. And if I didn't mention it
before: test, test, test, ... make yourself 100% familiar with what to
do, what might happen, how to approach failures, when and how to decide
to do a rollback. And make sure you have the full understanding and
support of your customer.

Here are some things you want to read:

Windows Server 2003 Domain Rename Tools
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx

Step-by-Step Guide to Implementing Domain Rename
http://download.microsoft.com/downl...9e8c-3a9c90a2a2e2/Domain-Rename-Procedure.doc

Windows Server 2003 Active Directory Domain Rename Tools
http://download.microsoft.com/download/5/6/d/56df978b-9a76-487e-80b7-0250289f2579/domainrename.exe

--
Regards - Sincerely,

Ulf B. Simon-Weidner
This posting is provided "AS IS" with no warranties, and confers no
rights.
 
Guest

Thanks very much for your detailed reply. Yes, I know this is bad and will do my best to convince my customer of the situation they're in. GHOST shouldn't take long; the DC only has 3 GB of data on it, so with a 100 Mbps NIC I should be able to GHOST an image in under 10 minutes and then boot the server back up. Yes, the server drives are mirrored, but I’d rather use GHOST than swap out drives. I've worked with GHOST a ton, so this shouldn't be a big deal. It's the DNS and domain stuff that's got me worried, but all I can do is test. Having an exact replica of the DC should help with that. There are about 17 member servers, 15 desktops, and 100 users. Most users use dumb terminals and Terminal Server for working. I'll have to discuss the need to reboot all the member servers twice. Again, downtime will be a big deal, but I see no other course than to fix this now or face much more extreme consequences later. Thanks again for your comments.
 
Kevin D. Goodknecht [MVP]

You say you don't have redundancy right now, does that mean you only have one
DC?
Since you are still in Windows 2000 I might suggest you use ADMT. It will be
your quickest fix, since you have to upgrade to Win2k3 and have the domain
in Windows Server 2003 native mode.

ADMT will allow you to migrate everything: users, computers, and profiles.
 
Guest

Yes, only one DC. Downtime just can't happen; that's why I was leaning towards an in-place upgrade to 2003. Migrating everything using ADMT would take longer than an in-place upgrade, I would think. I also like the idea of keeping the NETBIOS domain the same, like Ulf suggested in his reply, to minimize any legacy app issues. Once on Windows 2003, changing the single label domain from domain_name to something like domainname.local but keeping the NETBIOS domain as domain_name would minimize the impact on apps that may have the NETBIOS domain stored somewhere. I feel this may be the most compatible way to handle it, because it would make Windows 2004 SP4 and XP machines happy because of the new .local domain but keep the NETBIOS domain unchanged for any legacy apps.