Windows NT 4.0 BDC Upgrade

brandon

Well...I might have myself in a mess.

I had two machines that were in a MS Cluster, running
nt40, and needed to be upgraded to W2K. One was a PDC and
the other a BDC. However, neither one of them needs to be
any longer and they both just need to be member servers.

The first machine which happened to be the DC...I upgraded
to W2K installed AD, and new forest and all that crap.
Next I ran dcpromo and demoted it to a member server and
then added it to my active directory domain. All is good
with that machine.

The problem is with the second machine. The upgrade went
well...but now the AD wizard comes up and wants to make
the machine a member server or a domain controller. When
I choose to make it a member server I get a prompt asking
for a username, password and domain of an account that has
privileges to do so. At this point I have tried about
every account possible, and I get an error stating it
can't find the domain.

If I choose to make it a domain controller, it comes back
and states that the PDC of the domain hasn't been upgraded
to w2k and to upgrade it first. Well...did that but it's
not a DC anymore.

So...basically I have a W2K machine I need to be a member
server that is stuck at the AD wizard. Any ideas?

thanks
 
Scott Harding - MS MVP

Promote this BDC to a PDC and then do the upgrade (Server Manager will
complain but just ignore the error about not finding a PDC). You should have
waited to remove the originally upgrading PDC until after this machine was
done. Of course you know you're losing your domain by doing this.
 
Scott Harding - MS MVP

Oops....forgot you've already upgraded to Windows 2000. Let me think about
this.....
 
Guest

What if I took another 2000 member server, upgraded it to
a DC with the name of the domain the current problem
server is in. Then ran the AD wizard on the problem box,
make it a member server of that domain, and then run
dcpromo on both boxes and take them both back to member
servers?
 
Scott Harding - MS MVP

Ok, there is a registry key that you can change from a 2 to 3, if I remember
correctly to manually change a BDC to a PDC. My thought is that if you can
change this key, then reboot, this machine will think it is a PDC and then
the AD wizard should work. I haven't tried it before but in theory it should
work. I am having a hard time remembering where this key is though. I'll dig
a little, maybe someone else will chime in with another idea. Also you
could just reinstall Win2k and not format the system but of course all apps
and settings will have to be redone. Let me see if I can find this key. Of course
before trying this make sure your backups are good because it could fail...
 
Scott Harding - MS MVP

"what if I took another 2000 member server, upgraded it to
a DC with the name of the domain the current problem
server is in. "

I don't think that will work because this will not be the same domain. The
registry key I was after is the following.

HKEY_LOCAL_MACHINE\SECURITY\Policy\PolSrvRo - I believe that value 3 is a
PDC and 2 is a BDC and 4? (can't remember) is a member server. You will have
to give the administrator full control to each of these keys to be able to
navigate to this key. Note this key will not work to change a member server
into a DC or vice versa. The only way to make a member server a DC or vice
versa is to reinstall w/o using a 3rd party product. You might want to wait
for some more ideas before trying this but I think this may be your only
option. You can also confirm after restart by typing 'net accounts' at a cmd
prompt and see if it changes to Primary (after changing the key) from Backup,
which is what it should currently state.
 
Guest

OK...well I tried that switch, and no luck. Same thing.
I am guessing that during the w2k upgrade it logs
somewhere within the w2k upgrade whether or not it's a bdc
or pdc.

However, I tried my little idea of creating a new ad with
the old name of the domain the problem computer is in.

I got a little further...but not much. Now, when going
through the active directory wizard it cranks along pretty
far, and I can actually hear the new DC working away (it's
a super old desktop sitting right next to me). So when I
click on the last "next" in the AD wizard the machine
right next to me starts working away...so I know that at
least the problem machine is talking to the new DC. But
now the problem is the following message..."the security
database on the server does not have a computer account
for this workstation trust relationship".

The only thought I have here is that the computer account
passwords probably don't match....since I had to manually
make the computer account on the DC. Wonder if I can run
netdom.exe to fix that. Hmmmm...I might try that in the
morning.

Any ideas?

thanks!
 
Scott Harding - MS MVP

Hmmm. Thought might work but I guess not. The new domain will not work as
the SIDs are different and Netdom will only reset the secure channel
password and not change the SIDs. At this point I would scratch the whole
thing and do a fresh install of Win2k and forget about this whole process.
You've probably spent more time at this point trying to make this work than
it would have taken you to reinstall Win2k and all the apps. You're trying to
fit a square peg in a round hole and even if you get this to work you could
have issues. Just my $0.02 :) Good Luck!
 
Guest

yeah...I know what you mean. I probably should. Now it's
more the point of just trying to do it. :) And it's a
great big nasty cluster...and I really don't want to have
to rebuild all that cluster crap.

Interesting though...I've been using netdom to move it
around from domain to domain. I moved it to an old NT40
domain we have, and it moved just fine. Started going
through the AD wizard and it didn't like that the PDC for
that domain hadn't been upgraded yet. SO...I really
couldn't mess with that one. Next I moved it to
the "temp" domain I set up last night...which is a w2K AD
box. It moved to that domain as well. I figured that
would be really good...because when it moves back to that
domain it gets a new SID. Well...no luck there
either..get some message about security database and
trust. Which I think has something to do with the trust
relationship that this box had before it was upgraded to
W2K. So....now I really don't know what I am going to
do. Not in any real big hurry. Like I said...it's a
cluster and the other node has already been upgraded and
the cluster started fine. So...I have some time with this
one.
 
Scott Harding - MS MVP

That error is because the SIDs don't match. You could try NewSid from
Sysinternals.com to try and get it into the new domain but I don't think it
will work.
 
Guest

OK...I can see that. But...shouldn't the machine get a
new SID when it is added to a domain?

I added it to a domain that it's never been a member of
before....and got that message.

thanks!
 
Scott Harding - MS MVP

You cannot add a DC to another domain without reinstalling them in NT4. Netdom
will reset the secure channel password but will not change the computer to
the new domain.
 
Guest

Really? Maybe with the old netdom it was that way.

But with the newer one...you can clearly move machines
into domains. Check out....

netdom move /help
 
Scott Harding - MS MVP

This is a domain controller though. You can try but I have serious doubts.
Moving workstations and member servers is not a problem.
 
Guest

It moved several times without issues...the account shows
up in AD and all. But...that's still not enough to make the
upgrade go. I'm rebuilding.
 
