Re: Windows NT 4.0 BDC Upgrade

From: Scott Harding - MS MVP (scrockel_at_**NO_SPAM**hotmail.com)
Date: 08/12/04


Date: Thu, 12 Aug 2004 14:18:14 -0700

You cannot add DCs to another domain without reinstalling them in NT4. Netdom
will reset the secure channel password but will not change the computer to
the new domain.

-- 
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server
<Brandon@discussions.microsoft.com> wrote in message
news:511701c4809d$2c7e1de0$a501280a@phx.gbl...
> OK...I can see that.  But...shouldn't the machine get a
> new SID when it is added to a domain?
>
> I added it to a domain that it's never been a member of
> before....and got that message.
>
> thanks!
>
> >-----Original Message-----
> >That error is because the SIDS don't match. You could try
> NewSid from
> >Sysinternals.com to try and get it into the new domain
> but I don't think it
> >will work.
> >
> >-- 
> >Scott Harding
> >MCSE, MCSA, A+, Network+
> >Microsoft MVP - Windows NT Server
> >
> ><brandon@discussions.microsoft.com> wrote in message
> >news:4d1101c4808a$045b48f0$a301280a@phx.gbl...
> >> yeah...I know what you mean.  I probably should.  Now
> it's
> >> more the point of just trying to do it. :)  And it's a
> >> great big nasty cluster...and I really don't want to
> have
> >> to rebuild all that cluster crap.
> >>
> >> Interesting though...I've been using netdom to move it
> >> around from domain to domain.  I moved it to an old NT40
> >> domain we have, and it moved just fine.  Started going
> >> through the AD wizard and it didn't like that the PDC for
> >> that domain hadn't been upgraded yet.  SO...I really
> >> couldn't mess with that one.  Next I moved it to
> >> the "temp" domain I setup last night...which is a w2K AD
> >> box.  It moved to that domain as well.  I figured that
> >> would be really good...because when it moves back to
> that
> >> domain it gets a new SID.  Well...no luck there
> >> either..get some message about security database and
> >> trust.  Which I think has something to do with the trust
> >> relationship that this box had before it was upgraded to
> >> W2K.  So....now I really don't know what I am going to
> >> do.  Not in any real big hurry.  Like I said...it's a
> >> cluster and the other node has already been upgraded and
> >> the cluster started fine.  So...I have some time with
> this
> >> one.
> >>
> >>
> >>
> >> >-----Original Message-----
> >> >Hmmm. Thought might work but I guess not. The new
> domain
> >> will not work as
> >> >the SID's are different and Netdom will only reset the
> >> secure channel
> >> >password and not change the SID's. At this point I
> would
> >> scratch the whole
> >> >thing and do a fresh install of Win2k and forget about
> >> this whole process.
> >> >You've probably spent more time at this point trying to
> >> make this work than
> >> >it would have taken you to reinstall Win2k and all the
> >> apps. You're trying to
> >> >fit a square peg in a round hole and even if you get
> this
> >> to work you could
> >> >have issues. Just my $0.02 :) Good Luck!
> >> >
> >> >-- 
> >> >Scott Harding
> >> >MCSE, MCSA, A+, Network+
> >> >Microsoft MVP - Windows NT Server
> >> >
> >> ><anonymous@discussions.microsoft.com> wrote in message
> >> >news:48ea01c47ff8$53f79d10$a601280a@phx.gbl...
> >> >> ok...well I tried that switch, and no luck.  Same
> thing.
> >> >> I am guessing that during the w2k upgrade it logs
> >> >> somewhere within the w2k upgrade whether or not its a
> >> bdc
> >> >> or pdc.
> >> >>
> >> >> However, I tried my little idea of creating a new ad
> >> with
> >> >> the old name of the domain the problem computer is
> in.
> >> >>
> >> >> I got a little further...but not much.  Now, when
> going
> >> >> through the active directory wizard it cranks along
> >> pretty
> >> >> far, and I can actually hear the new DC working away
> >> (it's
> >> >> a super old desktop sitting right next to me).  So
> when
> >> I
> >> >> click on the last "next" in the AD wizard the machine
> >> >> right next to me starts working away...so I know
> that at
> >> >> least the problem machine is talking to the new DC.
> But
> >> >> now the problem is the following message..."the
> security
> >> >> database on the server does not have a computer
> account
> >> >> for this workstation trust relationship".
> >> >>
> >> >> The only thought I have here is that the computer
> >> account
> >> >> passwords probably don't match....since I had to
> >> manually
> >> >> make the computer account on the DC.  Wonder if I can
> >> run
> >> >> netdom.exe to fix that.  Hmmmm...I might try that in
> the
> >> >> morning.
> >> >>
> >> >> Any ideas?
> >> >>
> >> >> thanks!
> >> >> >-----Original Message-----
> >> >> >
> >> >> >"what if I took another 2000 member server, upgraded
> >> it to
> >> >> >a DC with the name of the domain the current problem
> >> >> >server is in. "
> >> >> >
> >> >> >I don't think that will work because this will not
> be
> >> the
> >> >> same domain. The
> >> >> >registry key I was after is the following.
> >> >> >
> >> >> >HKEY_LOCAL_MACHINE\SECURITY\Policy\PolSrvRo - I
> believe
> >> >> that value 3 is a
> >> >> >PDC and 2 is a BDC and 4?(can't remember) is a
> member
> >> >> server. You will have
> >> >> >to give the administrator full control to each of
> these
> >> >> keys to be able to
> >> >> >navigate to this key. Note this key will not work to
> >> >> change a member server
> >> >> >into a DC or vice versa. The only way to make a
> member
> >> >> server a DC or vice
> >> >> >versa is to reinstall w/o using a 3rd party product.
> >> You
> >> >> might want to wait
> >> >> >for some more ideas before trying this but I think
> this
> >> >> may be your only
> >> >> >option. You can also confirm after restart by
> >> typing 'net
> >> >> accounts' at a cmd
> >> >> >prompt and see if change to Primary(after changing
> key)
> >> >> from Backup which it
> >> >> >should currently state.
> >> >> >-- 
> >> >> >Scott Harding
> >> >> >MCSE, MCSA, A+, Network+
> >> >> >Microsoft MVP - Windows NT Server
> >> >> >
> >> >> >"Scott Harding - MS MVP"
> >> >> <scrockel@**NO_SPAM**hotmail.com> wrote in message
> >> >> >news:OzmVfy%23fEHA.3428@TK2MSFTNGP11.phx.gbl...
> >> >> >> Ok, there is a registry key that you can change
> from
> >> a
> >> >> 2 to 3, if I
> >> >> >remember
> >> >> >> correctly to manually change a BDC to a PDC. My
> >> thought
> >> >> is that if you can
> >> >> >> change this key, then reboot, this machine will
> think
> >> >> it is a PDC and then
> >> >> >> the AD wizard should work. I haven't tried it
> before
> >> >> but in theory it
> >> >> >should
> >> >> >> work. I am having a hard time remembering where
> this
> >> >> key is though. I'll
> >> >> >dig
> >> >> >> a little , maybe someone else will chime in with
> >> >> another idea. Also you
> >> >> >> could just reinstall Win2k and not format the
> system
> >> >> but of course all
> >> >> >apps,
> >> >> >> setting will have to be redone. Let me see if I
> can
> >> >> find this key. Of
> >> >> >course
> >> >> >> before trying this make sure your backups are good
> >> >> because it could
> >> >> >fail...
> >> >> >>
> >> >> >> -- 
> >> >> >> Scott Harding
> >> >> >> MCSE, MCSA, A+, Network+
> >> >> >> Microsoft MVP - Windows NT Server
> >> >> >>
> >> >> >> "Scott Harding - MS MVP"
> >> >> <scrockel@**NO_SPAM**hotmail.com> wrote in
> >> >> >message
> >> >> >> news:%23wedZs%23fEHA.140@TK2MSFTNGP12.phx.gbl...
> >> >> >> > Oops....forgot you've already upgraded to
> Windows
> >> >> 2000. Let me think
> >> >> >about
> >> >> >> > this.....
> >> >> >> >
> >> >> >> > -- 
> >> >> >> > Scott Harding
> >> >> >> > MCSE, MCSA, A+, Network+
> >> >> >> > Microsoft MVP - Windows NT Server
> >> >> >> >
> >> >> >> > "brandon" <anonymous@discussions.microsoft.com>
> >> wrote
> >> >> in message
> >> >> >> > news:432d01c47fe5$130fafd0$a301280a@phx.gbl...
> >> >> >> > > well...i might have myself in a mess.
> >> >> >> > >
> >> >> >> > > I had two machines that were in a MS Cluster,
> >> >> running
> >> >> >> > > nt40, and needed to be upgraded to W2K.  One
> was
> >> a
> >> >> PDC and
> >> >> >> > > the other a BDC.  However, neither one of them
> >> >> needs to be
> >> >> >> > > any longer and they both just need to be
> member
> >> >> servers.
> >> >> >> > >
> >> >> >> > > The first machine which happened to be the
> DC...I
> >> >> upgraded
> >> >> >> > > to W2K installed AD, and new forest and all
> that
> >> >> crap.
> >> >> >> > > Next I ran dcpromo and demoted it to a member
> >> >> server and
> >> >> >> > > then added it to my active directory domain.
> All
> >> >> is good
> >> >> >> > > with that machine.
> >> >> >> > >
> >> >> >> > > The problem is with the second machine.  The
> >> >> upgrade went
> >> >> >> > > well...but now the AD wizard comes up and
> wants
> >> to
> >> >> make
> >> >> >> > > the machine a member server or a domain
> >> >> controller.  When
> >> >> >> > > I choose to make it a member server I get a
> >> prompt
> >> >> asking
> >> >> >> > > for a username, password and domain of an
> account
> >> >> that has
> >> >> >> > > privileges to do so.   At this point I have
> tried
> >> >> about
> >> >> >> > > every account possible, and I get an error
> >> stating
> >> >> it
> >> >> >> > > can't find the domain.
> >> >> >> > >
> >> >> >> > > If I choose to make it a domain controller, it
> >> >> comes back
> >> >> >> > > and states that the PDC of the domain hasn't
> been
> >> >> upgraded
> >> >> >> > > to w2k and to upgrade it first.  Well...did
> that
> >> >> but it's
> >> >> >> > > not a DC anymore.
> >> >> >> > >
> >> >> >> > > So...basically I have a W2K machine I need to
> be
> >> a
> >> >> member
> >> >> >> > > server that is stuck at the AD wizard.  Any
> >> ideas?
> >> >> >> > >
> >> >> >> > > thanks
> >> >> >> >
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >
> >> >> >
> >> >> >.
> >> >> >
> >> >
> >> >
> >> >.
> >> >
> >
> >
> >.
> >

