Re: single label domain on win 2000, upgrade to 2003 and rename?
From: Ulf B. Simon-Weidner [MVP] (nospam2-ulf_at_usw-consulting.com)
Date: 06/12/04
- Next message: Adil: "INSTALL Application via logon script"
- Previous message: AW: "How do I change Domain password length, age, lockouts etc?"
- In reply to: 1Tech: "single label domain on win 2000, upgrade to 2003 and rename?"
- Next in thread: 1Tech: "Re: single label domain on win 2000, upgrade to 2003 and rename?"
- Reply: 1Tech: "Re: single label domain on win 2000, upgrade to 2003 and rename?"
- Reply: 1Tech: "Re: single label domain on win 2000, upgrade to 2003 and rename?"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 12 Jun 2004 03:01:07 -0700
"1Tech" <anonymous@discussions.microsoft.com> wrote in message
news:988015DD-764C-4D3D-B2FF-7C8B93695B65@microsoft.com:
> I have a client that's really having some AD / DNS problems with their
> domain. The goal here is to get them up to Windows 2003 and Exchange
> 2003, they are NOT running Exchange at all now, this will be important for
> you to know later in the post. First of all, their original admin set up
> the domain as a single label domain, with an underscore as well.
[errors with single label snipped]
> Ok, I don't have all the netdiag errors in front of me right now but let
> me get to my real question. I feel this domain should be renamed. It's
> in Windows 2000 Native mode so I know the NT PDC option to rename is out.
> Downtime and losing accounts, profiles, and printers is not an option;
> this is a world wide business and I was told I could only have 20 minutes
> of downtime...not much. So here's my suggestion, please comment.
>
They have a world wide business running on a single label domain with a
non-RFC-compliant domain name and on a single DC, and tell you that the accepted
downtime will be max. 20 minutes?
Get a copy of their DC once in a while, wait until the single point of
failure does what's predictable, and be their hero afterwards ;-)
I wouldn't touch that environment if they are not aware of their
situation - you can't win.
> Get a server identical to the DC for testing, and GHOST a copy of the
> current DC server to a file and re-apply that GHOST image to the "test"
> server. This will give me an exact replica of the current DC and its
> state...errors and all.
Ghosting the server will have a longer downtime than 20 minutes -
usually. Do they have RAID mirrored hard drives? You'd be able to grab
and replace one of those and put it into identical hardware.
> I could then bring the test server up, off the production LAN of course,
> so I can try a few things. My idea was to try an upgrade to Windows 2003,
> and then use the rendom.exe utility to fix the single label domain issue.
> There's no Exchange server yet, so I can avoid that rendom caveat. Then
> if all goes well, try this in production.
>
Sounds like a plan. Just to let you know - you'd be able to do this
with Exchange 2003 now too (there's a WebCast in the KB which gives you
more info).
However, be aware that a domain rename has more caveats than just
Exchange. I assume that they don't run a CA as this is listed on the
top caveats with Exchange as well, but you'll need to test every
application if it has issues with the renamed domain name. You never
know if the applications are programmed right, and if they are not
storing the name of the domain anywhere else in the registry or some
ini-file or somewhere else. You need to test, test and test. And the
company needs to assist you by making a risk evaluation which
applications are worth testing and which are worth losing and
reinstalling and configuring. When we did a domain rename in our
environment, we had a product for software distribution which was not
yet supported for a domain rename. However we decided that we wouldn't
have many issues losing the history and we'd be able to rebuild that
environment in a reasonable time, so we went ahead.
> One main concern I have is how the rendom utility will affect the domain
> SIDs. Meaning, I don't want to have to remove and add servers or
> workstations back to the domain, all PCs are XP and all member servers
> are 2000 or 2003. I guess my question here is how does the rendom utility
> affect SIDs, user accounts, machine accounts, and user profiles. Printers
> are a concern too, as well as Terminal Services...this customer has TS
> users all over the world. Is the rendom utility pretty seamless to the
> users or is profile and account info screwed up in some way? Are all the
> SIDs left alone and unchanged?
>
SIDs won't change. However I'd recommend keeping the NetBIOS name if
possible - applications with issues will more likely have stored the NetBIOS
name somewhere than the DNS domain name (e.g. if an application uses a
specific account and does not store the SID, it'll most likely store it
as domain\accountname).
Windows XP and 2003 machines will need to reboot twice before you
finish the domain rename - that means you'll have to stay in an
environment where no major changes to the domain (such as adding
additional DCs) will be allowed until every machine in the network has
rebooted twice.
I'm not sure about 2000. Guess same behaviour as XP with a current SP.
NT would need to rejoin the domain, good that you don't have any.
User accounts will be fine, the SID stays. I don't see any issues with
printers. Terminal Servers depend on the applications running on them,
I'd test those.
> Any help with this would be great. Once I can get all this resolved, I'll
> definitely propose the idea of more domain controllers, there's no
> redundancy right now.
>
I'd go for at least two DCs prior to that change. And first of all -
the customer needs to be aware of his situation and be glad that you
help him get this fixed. MS recommends not to stick with a single
label domain name - I'm pretty sure that they'll have bigger problems
in the future than they have right now.
Then make sure you have a 100% Fallback path in place. I'd go for
RAID mirrors, get additional hard drives, and take one mirror out and
resync to a new hard drive so you have a fallback of the DC(s).
You didn't mention how many member servers and clients are affected. Be
aware that each of them needs to reboot twice in the domain (do you
have laptops?) - there's a downtime on services. And if you need to
roll back, then you'll need to take every server out of the domain and
rejoin the domain again.
Read the domain rename guides and make sure you are using the
up-to-date tools from the MS-website. And if I didn't mention it
before: test, test, test, ... make yourself 100% familiar with what to
do, what might happen, how to approach failures, when and how to decide
to do a rollback. And make sure you have the full understanding and
support of your customer.
Here are some things you want to read:
Windows Server 2003 Domain Rename Tools
http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx
Step-by-Step Guide to Implementing Domain Rename
http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/Domain-Rename-Procedure.doc
Windows Server 2003 Active Directory Domain Rename Tools
http://download.microsoft.com/download/5/6/d/56df978b-9a76-487e-80b7-0250289f2579/domainrename.exe
--
Gruesse - Sincerely,
Ulf B. Simon-Weidner
This posting is provided "AS IS" with no warranties, and confers no rights.
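The reply above stresses that applications may have stored the old domain name in the registry or in ini/config files, and that each of them has to be tested before the rename. The following PowerShell inventory script is an added example and is not from the original thread or from Microsoft's domain rename tools; it searches a machine's registry and common configuration-file locations for literal occurrences of the current domain name so the hits can be put on the application test list. The domain name `old_domain`, the registry roots and the file roots are placeholders and assumptions, not values from the thread.

```powershell
# Pre-rename inventory (added example, not from the original post).
# Lists every string registry value and every *.ini/*.config/*.xml/*.conf
# line on this machine that contains the current domain name, so each hit
# can be assigned to an application and tested before rendom is run.
# All default values below are placeholders (assumed, not from the thread).
param(
    [string]$OldDomainName = 'old_domain',                       # placeholder: the current single-label name
    [string[]]$RegistryRoots = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet\Services'),
    [string[]]$ConfigRoots = @("$env:ProgramFiles", "$env:SystemRoot"),
    [string]$Report = "$env:TEMP\domain-rename-inventory.csv"
)

$hits = New-Object System.Collections.Generic.List[object]

# 1. Registry: walk each root and compare every value, as text, against the old name.
#    Multi-string values are joined with spaces by the [string] cast, which is good enough here.
foreach ($root in $RegistryRoots) {
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        try { $props = Get-ItemProperty -Path $key.PSPath -ErrorAction Stop } catch { return }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider metadata members (PSPath, PSDrive, ...)
            $text = [string]$p.Value
            if ($text -and $text.IndexOf($OldDomainName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hits.Add([pscustomobject]@{
                    Source   = 'Registry'
                    Location = $key.Name
                    Name     = $p.Name
                    Value    = $text
                })
            }
        }
    }
}

# 2. Files: plain-text configuration files under the configured roots.
#    -SimpleMatch treats the domain name literally, so an underscore or dot in it is not a regex.
foreach ($root in $ConfigRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.ini, *.config, *.xml, *.conf -ErrorAction SilentlyContinue |
        Select-String -SimpleMatch -Pattern $OldDomainName -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Source   = 'File'
                Location = $_.Path
                Name     = "line $($_.LineNumber)"
                Value    = $_.Line.Trim()
            })
        }
}

# 3. Write the list out; one row per hit, grouped later by application during the risk evaluation.
$hits | Export-Csv -Path $Report -NoTypeInformation
"{0} possible references to '{1}' written to {2}" -f $hits.Count, $OldDomainName, $Report
```

Run it with administrative rights on each member server and a representative workstation, and keep the CSV with the test plan: rows that belong to Windows itself are expected and are handled by the rename tools, while rows under third-party keys and config files are the applications the reply says must be tested (or consciously written off in the risk evaluation). Because the post recommends keeping the NetBIOS name, only the DNS name is searched here; if the NetBIOS name changes as well, run the script a second time with that name.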