Re: Windows NT 4.0 BDC Upgrade

anonymous_at_discussions.microsoft.com
Date: 08/13/04


Date: Fri, 13 Aug 2004 07:52:22 -0700

really? Maybe with the old netdom it was that way.

but with the newer one...you can clearly move machines
into domains. Check out....

netdom move /help

>-----Original Message-----
>You cannot add DC to other domain without reinstalling them in NT4. Netdom
>will reset the secure channel password but will not change the computer to
>the new domain.
>
>--
>Scott Harding
>MCSE, MCSA, A+, Network+
>Microsoft MVP - Windows NT Server
>
><Brandon@discussions.microsoft.com> wrote in message
>news:511701c4809d$2c7e1de0$a501280a@phx.gbl...
>> OK...I can see that. But...shouldn't the machine get a
>> new SID when it is added to a domain?
>>
>> I added it to a domain that it's never been a member of
>> before....and got that message.
>>
>> thanks!
>>
>> >-----Original Message-----
>> >That error is because the SIDS don't match. You could try NewSid from
>> >Sysinternals.com to try and get it into the new domain but I don't think it
>> >will work.
>> >
>> >--
>> >Scott Harding
>> >MCSE, MCSA, A+, Network+
>> >Microsoft MVP - Windows NT Server
>> >
>> ><brandon@discussions.microsoft.com> wrote in message
>> >news:4d1101c4808a$045b48f0$a301280a@phx.gbl...
>> >> yeah...I know what you mean. I probably should. Now it's
>> >> more the point of just trying to do it. :) And it's a
>> >> great big nasty cluster...and I really don't want to have
>> >> to rebuild all that cluster crap.
>> >>
>> >> Interesting though...I've been using netdom to move it
>> >> around from domain to domain. I moved it to an old NT40
>> >> domain we have, and it moved just fine. Started going
>> >> through the AD wizard and it didn't like that the PDC for
>> >> that domain hadn't been upgraded yet. SO...I really
>> >> couldn't mess with that one. Next I moved it to
>> >> the "temp" domain I setup last night...which is a w2K AD
>> >> box. It moved to that domain as well. I figured that
>> >> would be really good...because when it moves back to that
>> >> domain it gets a new SID. Well...no luck there
>> >> either..get some message about security database and
>> >> trust. Which I think has something to do with the trust
>> >> relationship that this box had before it was upgraded to
>> >> W2K. So....now I really don't know what I am going to
>> >> do. not in any real big hurry. Like I said...it's a
>> >> cluster and the other node has already been upgraded and
>> >> the cluster started fine. So...I have some time with this
>> >> one.
>> >>
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >Hmmm. Thought might work but I guess not. The new domain will not work as
>> >> >the SID's are different and Netdom will only reset the secure channel
>> >> >password and not change the SID's. At this point I would scratch the whole
>> >> >thing and do a fresh install of Win2k and forget about this whole process.
>> >> >You've probably spent more time at this point trying to make this work than
>> >> >it would have taken you to reinstall Win2k and all the apps. You're trying to
>> >> >fit a square peg in a round hole and even if you get this to work you could
>> >> >have issues. Just my $0.02 :) Good Luck!
>> >> >
>> >> >--
>> >> >Scott Harding
>> >> >MCSE, MCSA, A+, Network+
>> >> >Microsoft MVP - Windows NT Server
>> >> >
>> >> ><anonymous@discussions.microsoft.com> wrote in message
>> >> >news:48ea01c47ff8$53f79d10$a601280a@phx.gbl...
>> >> >> ok...well I tried that switch, and no luck. Same thing.
>> >> >> I am guessing that during the w2k upgrade it logs
>> >> >> somewhere within the w2k upgrade whether or not it's a bdc
>> >> >> or pdc.
>> >> >>
>> >> >> However, I tried my little idea of creating a new ad with
>> >> >> the old name of the domain the problem computer is in.
>> >> >>
>> >> >> I got a little further...but not much. Now, when going
>> >> >> through the active directory wizard it cranks along pretty
>> >> >> far, and I can actually hear the new DC working away (it's
>> >> >> a super old desktop sitting right next to me). So when I
>> >> >> click on the last "next" in the AD wizard the machine
>> >> >> right next to me starts working away...so I know that at
>> >> >> least the problem machine is talking to the new DC. But
>> >> >> now the problem is the following message..."the security
>> >> >> database on the server does not have a computer account
>> >> >> for this workstation trust relationship".
>> >> >>
>> >> >> The only thought I have here is that the computer account
>> >> >> passwords probably don't match....since I had to manually
>> >> >> make the computer account on the DC. Wonder if I can run
>> >> >> netdom.exe to fix that. Hmmmm...I might try that in the
>> >> >> morning.
>> >> >>
>> >> >> Any ideas?
>> >> >>
>> >> >> thanks!
>> >> >> >-----Original Message-----
>> >> >> >
>> >> >> >"what if I took another 2000 member server, upgraded it to
>> >> >> >a DC with the name of the domain the current problem
>> >> >> >server is in. "
>> >> >> >
>> >> >> >I don't think that will work because this will not be the same domain. The
>> >> >> >registry key I was after is the following.
>> >> >> >
>> >> >> >HKEY_LOCAL_MACHINE\SECURITY\Policy\PolSrvRo - I believe that value 3 is a
>> >> >> >PDC and 2 is a BDC and 4?(can't remember) is a member server. You will have
>> >> >> >to give the administrator full control to each of these keys to be able to
>> >> >> >navigate to this key. Note this key will not work to change a member server
>> >> >> >into a DC or vice versa. The only way to make a member server a DC or vice
>> >> >> >versa is to reinstall w/o using a 3rd party product. You might want to wait
>> >> >> >for some more ideas before trying this but I think this may be your only
>> >> >> >option. You can also confirm after restart by typing 'net accounts' at a cmd
>> >> >> >prompt and see if change to Primary(after changing key) from Backup which it
>> >> >> >should currently state.
>> >> >> >--
>> >> >> >Scott Harding
>> >> >> >MCSE, MCSA, A+, Network+
>> >> >> >Microsoft MVP - Windows NT Server
>> >> >> >
>> >> >> >"Scott Harding - MS MVP" <scrockel@**NO_SPAM**hotmail.com> wrote in message
>> >> >> >news:OzmVfy%23fEHA.3428@TK2MSFTNGP11.phx.gbl...
>> >> >> >> Ok, there is a registry key that you can change from a 2 to 3, if I remember
>> >> >> >> correctly to manually change a BDC to a PDC. My thought is that if you can
>> >> >> >> change this key, then reboot, this machine will think it is a PDC and then
>> >> >> >> the AD wizard should work. I haven't tried it before but in theory it should
>> >> >> >> work. I am having a hard time remembering where this key is though. I'll dig
>> >> >> >> a little, maybe someone else will chime in with another idea. Also you
>> >> >> >> could just reinstall Win2k and not format the system but of course all apps,
>> >> >> >> setting will have to be redone. Let me see if I can find this key. Of course
>> >> >> >> before trying this make sure your backups are good because it could
>> >> >> >> fail...
>> >> >> >>
>> >> >> >> --
>> >> >> >> Scott Harding
>> >> >> >> MCSE, MCSA, A+, Network+
>> >> >> >> Microsoft MVP - Windows NT Server
>> >> >> >>
>> >> >> >> "Scott Harding - MS MVP" <scrockel@**NO_SPAM**hotmail.com> wrote in message
>> >> >> >> news:%23wedZs%23fEHA.140@TK2MSFTNGP12.phx.gbl...
>> >> >> >> > Oops....forgot you've already upgraded to Windows 2000. Let me think about
>> >> >> >> > this.....
>> >> >> >> >
>> >> >> >> > --
>> >> >> >> > Scott Harding
>> >> >> >> > MCSE, MCSA, A+, Network+
>> >> >> >> > Microsoft MVP - Windows NT Server
>> >> >> >> >
>> >> >> >> > "brandon" <anonymous@discussions.microsoft.com> wrote in message
>> >> >> >> > news:432d01c47fe5$130fafd0$a301280a@phx.gbl...
>> >> >> >> > > well...i might have myself in a mess.
>> >> >> >> > >
>> >> >> >> > > I had two machines that were in a MS Cluster, running
>> >> >> >> > > nt40, and needed to be upgraded to W2K. One was a PDC and
>> >> >> >> > > the other a BDC. However, neither one of them needs to be
>> >> >> >> > > any longer and they both just need to be member servers.
>> >> >> >> > >
>> >> >> >> > > The first machine which happened to be the DC...I upgraded
>> >> >> >> > > to W2K installed AD, and new forest and all that crap.
>> >> >> >> > > Next I ran dcpromo and demoted it to a member server and
>> >> >> >> > > then added it to my active directory domain. All is good
>> >> >> >> > > with that machine.
>> >> >> >> > >
>> >> >> >> > > The problem is with the second machine. The upgrade went
>> >> >> >> > > well...but now the AD wizard comes up and wants to make
>> >> >> >> > > the machine a member server or a domain controller. When
>> >> >> >> > > I choose to make it a member server I get a prompt asking
>> >> >> >> > > for a username, password and domain of an account that has
>> >> >> >> > > privileges to do so. At this point I have tried about
>> >> >> >> > > every account possible, and I get an error stating it
>> >> >> >> > > can't find the domain.
>> >> >> >> > >
>> >> >> >> > > If I choose to make it a domain controller, it comes back
>> >> >> >> > > and states that the PDC of the domain hasn't been upgraded
>> >> >> >> > > to w2k and to upgrade it first. Well...did that but it's
>> >> >> >> > > not a DC anymore.
>> >> >> >> > >
>> >> >> >> > > So...basically I have a W2K machine I need to be a member
>> >> >> >> > > server that is stuck at the AD wizard. Any ideas?
>> >> >> >> > >
>> >> >> >> > > thanks