1 - 20 of 34 Posts

Administrator · 5,728 Posts · Discussion Starter · #1
We had a catastrophic hardware failure at work on Tuesday, taking out the Domain Controller. As a result, I've been darn busy the last three days building a new domain from the ground up. I have a few questions for you Network whizzes out there.

First a little background. The network that just died was an old NT4 TCP/IP over NETBEUI|NETBIOS system that I built up starting in '98. It had a PDC and a BDC. As the years have gone by, and XP Pro machines started coming online, I was able to integrate them into the network using TCP/IP only on those machines without having to add NETBEUI to them. At the same time, the older Win95 and Win98 machines began dropping offline as they were replaced. We picked up a 2003 server a few years back which I had running as a member server (Server-A) on the NT4 network and it became our primary data repository and file server.

Not too long ago, we bought a second 2003 server, which I configured as a domain controller for a new TCP/IP based domain using the now standard Active Directory model, etc. It wasn't doing much on the network yet - mostly acting as the DHCP server - but I had a trust established between its domain and the old NT4 domain. My plan was to start migrating the company over to the new domain and slowly phase out the old NT4 machines. We still had two old Win98 machines that were on the manufacturing floor, and these allowed people to log on and off different jobs for cost accounting purposes. While these machines were still functioning, I still needed the old NT4 domain for them to talk to.

As luck would have it, these two old Win98 machines recently died and were replaced by XP Pro machines. I just hadn't gotten around to starting the domain migration. Then the NT4 PDC died on Tuesday, and no one could get on the network or do their jobs. I brought the BDC back online (it had been offline for a few months), but for whatever reason, it wouldn't do its job. I tried promoting it to PDC, but that didn't work either. So now I HAD to do the migration ASAP.

As of the end of yesterday, I have 99% of everything back up and running. I had to build the Active Directory from the ground up, and I "unjoined" Server-A from the old domain and added it to the new. I also went to each workstation and did the same thing, also importing people's documents, favorites, emails, etc. to their new user IDs. Each workstation also now has the domain controllers IP address as its primary DNS server. I have one more machine to migrate today (the guy's on vacation), and then everyone will be functioning in the new domain model.

Now to my questions:

1 - Server-B is now the domain controller and DHCP/DNS server, and also hosts some files. Server-A is still primarily a file server/data repository. Should I add Active Directory to Server-A? As I understand it, there isn't any "Primary Domain Controller" in the 2003 Server domain model. Would adding Active Directory to Server-A spread the domain controller responsibilities over both servers?

2 - do I need WINS? Everything seems to be working just fine without it. Our network doesn't function as an Intranet, and people still look for their files by going to the appropriate server (there are only two) via My Network Places or Windows Explorer (mostly they have shortcuts on their desktops to what they need). Workstation-to-workstation communication is minimal if not non-existent - everything lives on the two servers for easy backup. What would WINS do for me? If I do need it, should it go on the same server which performs DNS/DHCP?

Thanks for any info you can provide. It's been a busy few days. hehehe

Premium Member · 369 Posts
Dwight: you are correct, no PDC in Active Directory. However, the FIRST AD server in the tree is also known as the FSMO machine, this means something like first single master of operations (need to look that up again), so it does have background duties not shared by other site controllers or any other DC in the network. If you add another server to AD, they will each be aware of each other's existence, and can share authentication for example, which builds both redundancy and speed. Plus, if they are both on AD, changes such as account structure made in a single place will propagate, which also makes life easier.

You do not need WINS as I understand it, especially if you are going to be all XP or better for clients. WINS might be nice, but not mandatory. If I recall, we shut WINS off a while ago.

Jonathan

Premium Member · 658 Posts
I got an AD domain running at our train club a few weeks ago. I am still going to convert that old NT4 server to 2003 Server with AD. You definitely should make both servers domain controllers. That way, you only have to manage user IDs and passwords in one place instead of 2.

Super Modulator · 21,353 Posts
I agree completely with Jonathan. Also, not using a WINS server will help performance a bit, since you won't have that junk flying over your network.

If you have AD then you want two of them.

I've had exactly the same problem with promoting a BDC to a PDC.... I have seen that if it was not online at the time, promoting it fails.

(I have AD on my home network and (obviously) a Windows server. With 10 computers, just not having to manage passwords separately makes it worth it)

Regards, Greg

Premium Member · 383 Posts
Here's all you need...

For high speed data transfer, woven kite string is recommended, otherwise, plain old twisted jute is fine...

Premium Member · 1,767 Posts
Jonathan's got it right, Dwight. Yes, add AD to the other server and no, you don't need WINS.

Premium Member · 2,094 Posts
Amazing....totally OFF topic...highly complicated...and a corroborated answer with 90 minutes on some pretty technical stuff. And....here all along I thought Dwight knew everything...

Premium Member · 5,510 Posts
113 reads of the thread (so far) and I bet only about 5 or 6 people could make heads or tails out of that alphabet soup! (NT4 TCP/IP NETBEUI NETBIOS AD PDC BDC WINS ASAP and a Partridge in a Pear Tree).

Administrator · 5,728 Posts · Discussion Starter · #11
Thank you very much for the answers and info guys. This place is terrific!!! :) The last workstation has been completed and several more brush fires extinguished - mostly concerned with user permissions I forgot to assign. Full backups have been done of the data in its new home. Things are pretty much back to normal. I've decided tonight I'm gonna get tanked! :D

And....here all along I thought Dwight knew everything...
Where did you ever get that idea? Certainly not from me!!! hehehe

Registered · 1,579 Posts
Reminds me of our "official" USN short-timer's calendars.......and chains.

Premium Member · 430 Posts
Oh yea,
Short-timers calendars. Don't know anything about the chains. The calendars I remember were usually a pinup marked off in small sections and each one colored in as the days went by. Seems to me it was the last 60 days but may have been longer. That was a long time ago. I do remember that there was a big starburst added on FIGMO day.
Thanks for the memory.
Rick

Premium Member · 366 Posts
The requirements said "XP or better" so I installed Linux.

Being a cheapskate and hating complex licensing issues, I'd go with Samba and LDAP, etc. any day.

Glad to see it all come together and get your system on line.

Michael

Premium Member · 15 Posts
Dwight,
Glad to hear you're up and running. Been there, it's not nice.

Just some things to watch out for over the next few days.
1. File shares, check your 2003 file servers allow users to modify their files. 2003 doesn't have "modify" on as a default. This caused me some issues.
2. When you get time, work out an AD scheme for your users, it's easier to implement early on, rather than later.
3. Get up to speed on your AD GPO and Policy stuff. It's a vast improvement over what was in NT.
4. If you're using drive mapping via an NT logon script, try using GPOs.

If you need any help, contact me. All the best

Stan

Premium Member · 249 Posts
Short timer's calendar -- so many days and a wake-up. That was 48 years ago and I still remember it!
But what the heck is a chain??

Administrator · 5,728 Posts · Discussion Starter · #18
1. File shares, check your 2003 file servers allow users to modify their files. 2003 doesn't have "modify" on as a default. This caused me some issues.
Got it. Thanks.
2. When you get time, work out an AD scheme for your users, it's easier to implement early on, rather than later.
I assume you're referring to group membership, etc. How well do groups work in 2003 for permission assignment? It worked well in NT.

Another thing about groups... 2003 has a whole slew of built-in groups, most of which I will never use. Makes it harder to find what I'm looking for having to wade through all these extraneous groups. Can I safely delete those I don't need?
3. Get up to speed on your AD GPO and Policy stuff. It's a vast improvement over what was in NT.
I'm unfamiliar with "GPO" - what's that?
4. If you're using drive mapping via an NT logon script, try using GPOs.
N/A

Thanks for the tips BTW. :)

Premium Member · 15 Posts
Dwight,
AD schemes
Much better than NT. What I do is control access by using the groups rather than individual permissions.
For example, if your accounts area needs a secure file store, create a group in AD users and groups called accounts, put the accounts team in it, and then only allow that group permissions to that folder (under the folder permissions). Even if there is only one member in a group, it's still easier to manage, because if they leave, you drop their replacement into the same group and they have the same access. Your users can be in as many groups as they need to. The only time you will run into trouble is if one group has an explicit deny on a resource and another group is allowed, and a user is a member of both: Windows will favour the deny. You can also apply this to specific computers, so a computer in a publicly accessible area has very limited access, no matter who is logged on.

Remember it's not just permissions for windows folders, it's anything on the network, so you can control access to printers, databases, software even access to computers.

With the built-in groups it depends. I know if you migrate from an NT domain it will create some stuff so AD can access the NT resources. Are any of your users members of these groups? Personally I'd leave them for now, the last thing you would want is to create more instability on your network at this point. When everything is bedded down, google the folder names, and then disable them for a while and delete later. Take it slow with deleting stuff.

GPO is group policy objects. Once you have your users pigeon-holed in their groups you can apply policies to them. For example, at my work which has a number of retail outlets, the sales staff cannot change the screensaver or background from the corporate one I set, the screensaver kicks in quicker than default, and is password protected. The POS computers are also locked down using GPO and straight AD users and groups to have restricted access to network resources. You can do some really cool stuff here. Worth learning more, a lot of stuff there.

The beaut' thing is that if a person moves from a sales role to the back office, then you just swap the group they are in.

Unfortunately you can have the best set-up in the world, but what will bring you down are your users. The more you lock down, the more people will try to get around it. The hard part is getting the balance right between network access and network security. It only takes a duff head in accounts to give their password to someone in sales and all of a sudden you have a security hole. Get a good paper-based IT Policy in place, that can be enforced, and train your users.

Stan
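An added illustration of Stan's point that Windows favours the deny when a user sits in both an allowed and an explicitly denied group (example code, not from the thread): a small Python model of how a folder's DACL is evaluated in canonical ACE order. The group and folder names are constructed for the example.

```python
# Added example (not from the forum thread): a small model of how Windows
# evaluates a folder's DACL for a user who belongs to several groups.
# Rights are bit flags; ACEs are checked in canonical order, and an
# applicable deny ACE that covers a still-outstanding right fails the
# check before any later allow ACE is reached.  Group and folder names
# are constructed for the illustration.
READ, WRITE, MODIFY = 0x1, 0x2, 0x4
ALL = READ | WRITE | MODIFY

def canonical(aces):
    """Order ACEs the way Windows stores them: explicit deny, explicit
    allow, inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(aces, key=lambda a: rank[(a["inherited"], a["type"])])

def access_check(dacl, principals, requested):
    """True if the token (user plus all its groups) collects every
    requested right from allow ACEs before a deny ACE intercepts one."""
    granted = 0
    for ace in canonical(dacl):
        if ace["trustee"] not in principals:
            continue                            # ACE is for someone else
        if ace["type"] == "deny" and ace["mask"] & requested & ~granted:
            return False                        # deny wins: stop here
        if ace["type"] == "allow":
            granted |= ace["mask"] & requested
            if granted == requested:
                return True                     # all rights collected
    return granted == requested

# Constructed DACL for the accounts folder: the Accounts group may do
# anything, a shop-floor kiosk group is explicitly denied everything, and
# an inherited ACE gives every domain user read access.
ACCOUNTS_FOLDER = [
    {"trustee": "Domain Users", "type": "allow", "mask": READ, "inherited": True},
    {"trustee": "Accounts", "type": "allow", "mask": ALL, "inherited": False},
    {"trustee": "Shopfloor-Kiosk", "type": "deny", "mask": ALL, "inherited": False},
]

def can_modify(groups):
    """Can a user with these group memberships modify the folder?"""
    return access_check(ACCOUNTS_FOLDER, set(groups), MODIFY)

if __name__ == "__main__":
    print(can_modify({"Domain Users", "Accounts"}))                     # True
    print(can_modify({"Domain Users", "Accounts", "Shopfloor-Kiosk"}))  # False
    print(can_modify({"Domain Users"}))                                 # False
```

Moving a person between roles is then just a group change, as Stan describes, while a kiosk machine's group keeps its deny no matter who logs on.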