Taking over an AD Mess 2003 mixed with 2000

Archived from groups: microsoft.public.win2000.setup_deployment

I have recently taken over a network that the previous guy just threw 2003
into a 2000 domain. I don't know if any prep of the domain was done. When
the 2003 servers (that are DCs) are on, users can't get anywhere. I have run
DCDIAG off the 2000 DC and haven't seen a ton wrong, but I know something is
dorked up. Any suggestions on how to backtrack or figure out what this guy
did? Thanks
  1.

    Hi Glenn,

    The usual problem is the DNS configuration. Make sure the AD DNS servers
    can forward to an outside DNS server or can do their own lookups, and that they
    point to themselves or other AD DNS servers for DNS resolution. Client
    workstations should all point to the AD DNS servers and not to any outside DNS.

    --
    Scott Baldridge
    Windows Server MVP, MCSE

    "glennw"
    >I have recently taken over a network that the previous guy just through
    >2003
    > into a 2000 domain. I don't know if any prep of the domain was done.
    > When
    > the 2003 servers (that are DC's) are on users can't get anywhere. I have
    > run
    > DCDIAG's off the 2000 DC and haven't seen a ton wrong but know something
    > is
    > dorked up. Any suggestions on how to back track or figure out what this
    > guy
    > did? Thanks
  2.

    This was the first thing I checked, but I am trying to get caught up on what needs
    to be done to have mixed 2003 and 2000 DCs in the same network. What I mean
    is, does the 03 have to be the primary, or does it matter? Was there any prep
    that needed to happen prior to introducing an 03 DC? Etc. I want to push
    the new 03s in and demote the 2000s to member servers to get rid of them.
    So I am looking for the proper steps. I have built 2000 domains and 2003
    domains, but I haven't done a mixed environment, so I am making sure I straighten
    it out right.


    "glennw" wrote:

    > I have recently taken over a network that the previous guy just through 2003
    > into a 2000 domain. I don't know if any prep of the domain was done. When
    > the 2003 servers (that are DC's) are on users can't get anywhere. I have run
    > DCDIAG's off the 2000 DC and haven't seen a ton wrong but know something is
    > dorked up. Any suggestions on how to back track or figure out what this guy
    > did? Thanks
  3.

    Hi Glenn,

    ADPREP had to be run on both the forest and the domain for a 2003 server to
    be dcpromo'd into a DC.

    Your domain is probably at the same functional level as before the 2003
    introduction, i.e. if your domain was 2000 native, then it is still 2000
    native. If you still have 2000 DCs, then you can't be at the 2003 functional
    level. Your domain should function well with both 2000 and 2003 DCs, but
    you obviously can't raise the functional level to take advantage of the cool
    2003 features with 2000 DCs present.

    It sounds like you have some underlying configuration issues that may not be
    related to the presence of 2000 DCs, especially since you stated that "users
    can't get anywhere". Maybe if you could provide some specifics we could be
    more helpful. Our environment ran well for quite a while with 2000 & 2003
    DCs mixed, but we have moved on to 2003 these days.

    --
    Scott Baldridge
    Windows Server MVP, MCSE

    "glennw"
    > This was the first thing I checked but trying to get caught up on what
    > needs
    > to be done to have a mixed 2003 and 2000 DC in the same network. What I
    > mean
    > is does the 03 have to be the primary or does it matter? Was there any
    > prep
    > that needed to happen prior to introducing an 03 DC? Etc. I want to push
    > the new 03's in and demote the 2000's to member servers to get rid of
    > them.
    > So I am looking for the proper steps. I have build 2000 Domains and 2003
    > domains but I haven't done a mixed enviroment. So making sure I
    > straighten
    > it out right.
    >
    >
    > "glennw" wrote:
    >
    >> I have recently taken over a network that the previous guy just through
    >> 2003
    >> into a 2000 domain. I don't know if any prep of the domain was done.
    >> When
    >> the 2003 servers (that are DC's) are on users can't get anywhere. I have
    >> run
    >> DCDIAG's off the 2000 DC and haven't seen a ton wrong but know something
    >> is
    >> dorked up. Any suggestions on how to back track or figure out what this
    >> guy
    >> did? Thanks
  4.

    The error message I get is the following, whenever I try to navigate the
    network or try to join the domain.

    "DomainName" is not accessible. You might not have permission to use this
    network resource. Contact the administrator of this server to find out if
    you have access permissions.

    Windows cannot find the network path. Verify that the network path is
    correct and the destination computer is not busy or turned off. If windows
    still cannot find the network path, contact your network administrator.


    "NIC Student" wrote:

    > Hi Glenn,
    >
    > ADPREP had to be run on both the forest and the domain for a 2003 server to
    > be dcpromo'd into a DC.
    >
    > Your domain is probably the same functional level as before the 2003
    > introduction, ie if your domain was 2000 native, then it is still 2000
    > native. If you still have 2000 dc's then you can't be at a 2003 functional
    > level. Your domain should function well with both 2000 and 2003 dc's, but
    > you obviously can't raise the functional level to take advantage of the cool
    > 2003 features with 2000 dc's present.
    >
    > It sounds like you have some underlying configuration issues that may not be
    > related to the presence of 2000 dcs, especially since you stated that "users
    > can't get anywhere". Maybe if you could provide some specifics we could be
    > more helpful. Our environment ran well for quite a while with 2000 & 2003
    > dcs mixed, but we have moved on to 2003 these days.
    >
    > --
    > Scott Baldridge
    > Windows Server MVP, MCSE
    >
    > "glennw"
    > > This was the first thing I checked but trying to get caught up on what
    > > needs
    > > to be done to have a mixed 2003 and 2000 DC in the same network. What I
    > > mean
    > > is does the 03 have to be the primary or does it matter? Was there any
    > > prep
    > > that needed to happen prior to introducing an 03 DC? Etc. I want to push
    > > the new 03's in and demote the 2000's to member servers to get rid of
    > > them.
    > > So I am looking for the proper steps. I have build 2000 Domains and 2003
    > > domains but I haven't done a mixed enviroment. So making sure I
    > > straighten
    > > it out right.
    > >
    > >
    > > "glennw" wrote:
    > >
    > >> I have recently taken over a network that the previous guy just through
    > >> 2003
    > >> into a 2000 domain. I don't know if any prep of the domain was done.
    > >> When
    > >> the 2003 servers (that are DC's) are on users can't get anywhere. I have
    > >> run
    > >> DCDIAG's off the 2000 DC and haven't seen a ton wrong but know something
    > >> is
    > >> dorked up. Any suggestions on how to back track or figure out what this
    > >> guy
    > >> did? Thanks
    >
    >
    >
  5.

    Hi Glenn,

    Thanks for the info. You may be experiencing some problems with SMB
    signing. We had some issues when we moved to 2003, since it wants to enable
    SMB signing and we have downlevel clients. Look at your GPOs to see what is
    being enforced: Computer > Windows Settings > Local Policies > Domain Member /
    MS Network Client / MS Network Server / System Cryptography. Use the GPMC utility
    to get a resultant set of policies on both your servers and clients to see
    what is wrong. Take a look at the server and workstation event logs for
    more clues:

    You cannot open file shares or Group Policy snap-ins when you disable SMB
    signing for the Workstation or Server service on a domain controller
    http://support.microsoft.com/default.aspx?scid=kb;en-us;839499

    I assume you have done the normal troubleshooting to eliminate common TCP/IP
    problems, i.e. you can ping the machines by name and fully qualified name, etc.

    "An Invalid Operation Was Attempted on an Active Network Connection" Error
    Message Occurs If You Try to Browse the Network
    http://support.microsoft.com/default.aspx?scid=kb;en-us;318245

    --
    Scott Baldridge
    Windows Server MVP, MCSE

    "glennw"
    > The error message I get is the following. Whenever I try to navigate the
    > network or try to join the domain.
    >
    > "DomainName" is not accessible. You might not have permission to use this
    > network resource. Contact the administrator of this server to find out if
    > you have access permissions.
    >
    > Windows cannot find the network path. Verify that the network path is
    > correct and the destination computer is not busy or turned off. If
    > windows
    > still cannot find the network path, contact your network administrator.
    >
    >
    > "NIC Student" wrote:
    >
    >> Hi Glenn,
    >>
    >> ADPREP had to be run on both the forest and the domain for a 2003 server
    >> to
    >> be dcpromo'd into a DC.
    >>
    >> Your domain is probably the same functional level as before the 2003
    >> introduction, ie if your domain was 2000 native, then it is still 2000
    >> native. If you still have 2000 dc's then you can't be at a 2003
    >> functional
    >> level. Your domain should function well with both 2000 and 2003 dc's,
    >> but
    >> you obviously can't raise the functional level to take advantage of the
    >> cool
    >> 2003 features with 2000 dc's present.
    >>
    >> It sounds like you have some underlying configuration issues that may not
    >> be
    >> related to the presence of 2000 dcs, especially since you stated that
    >> "users
    >> can't get anywhere". Maybe if you could provide some specifics we could
    >> be
    >> more helpful. Our environment ran well for quite a while with 2000 &
    >> 2003
    >> dcs mixed, but we have moved on to 2003 these days.
    >>
    >> --
    >> Scott Baldridge
    >> Windows Server MVP, MCSE
    >>
    >> "glennw"
    >> > This was the first thing I checked but trying to get caught up on what
    >> > needs
    >> > to be done to have a mixed 2003 and 2000 DC in the same network. What
    >> > I
    >> > mean
    >> > is does the 03 have to be the primary or does it matter? Was there any
    >> > prep
    >> > that needed to happen prior to introducing an 03 DC? Etc. I want to
    >> > push
    >> > the new 03's in and demote the 2000's to member servers to get rid of
    >> > them.
    >> > So I am looking for the proper steps. I have build 2000 Domains and
    >> > 2003
    >> > domains but I haven't done a mixed enviroment. So making sure I
    >> > straighten
    >> > it out right.
    >> >
    >> >
    >> > "glennw" wrote:
    >> >
    >> >> I have recently taken over a network that the previous guy just
    >> >> through
    >> >> 2003
    >> >> into a 2000 domain. I don't know if any prep of the domain was done.
    >> >> When
    >> >> the 2003 servers (that are DC's) are on users can't get anywhere. I
    >> >> have
    >> >> run
    >> >> DCDIAG's off the 2000 DC and haven't seen a ton wrong but know
    >> >> something
    >> >> is
    >> >> dorked up. Any suggestions on how to back track or figure out what
    >> >> this
    >> >> guy
    >> >> did? Thanks
    >>
    >>
    >>
  6.

    Hi Scott,

    > You cannot open file shares or Group Policy snap-ins when you disable SMB
    > signing for the Workstation or Server service on a domain controller
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;839499

    I don't like the look of this; what is the correct way to set things up
    so that this never happens in the first place?

    --
    Gerry Hickman (London UK)
  7.

    Hi Gerry,

    I just use a GPO and apply it on the workstations & servers:

    Domain member: Digitally encrypt or sign secure channel data (always): Disabled
    Domain member: Digitally encrypt secure channel data (when possible): Enabled
    Domain member: Digitally sign secure channel data (when possible): Enabled

    Microsoft network client: Digitally sign communications (always): Disabled
    Microsoft network client: Digitally sign communications (if server agrees): Enabled
    Microsoft network client: Send unencrypted password to third-party SMB servers: Disabled

    Microsoft network server: Digitally sign communications (always): Disabled
    Microsoft network server: Digitally sign communications (if client agrees): Enabled

    System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing: Disabled


    We determined that was the best setting for us, since we have downlevel
    clients that we cannot upgrade. Some secure servers have "always" enabled.
    I actually had to do the registry hack described in article 839499 one time,
    because the local policies were set by hand instead of by GPO.

    --
    Scott Baldridge
    Windows Server MVP, MCSE

    "Gerry Hickman"

    > Hi Scott,
    >
    >> You cannot open file shares or Group Policy snap-ins when you disable SMB
    >> signing for the Workstation or Server service on a domain controller
    >> http://support.microsoft.com/default.aspx?scid=kb;en-us;839499
    >
    > I don't like the look of this, what is the correct way to set things up so
    > that this never happens in the first place?
    >
    > --
    > Gerry Hickman (London UK)
  8.

    Hi Scott,

    Thanks for the GPO settings, but I still don't understand the
    fundamental issue here. Is this a problem with Win2003 server only, and
    what kinds of member servers and clients does it affect?

    I don't like relying on Group policy for this type of thing because
    sooner or later it will fall over and suddenly none of the machines will
    be able to talk to each other. That's why I'm trying to work out how it
    should work with default settings...

    NIC Student wrote:

    > Hi Gerry,
    >
    > I just use a GPO and apply it on the workstations & servers:
    >
    >
    > Domain member: Digitally encrypt or sign secure channel data (always)
    > Disabled
    > Domain member: Digitally encrypt secure channel data (when possible)
    > Enabled
    > Domain member: Digitally sign secure channel data (when possible)
    > Enabled
    >
    > Microsoft network client: Digitally sign communications (always)
    > Disabled
    > Microsoft network client: Digitally sign communications (if server
    > agrees) Enabled
    > Microsoft network client: Send unencrypted password to third-party SMB
    > servers Disabled
    >
    > Microsoft network server: Digitally sign communications (always)
    > Disabled
    > Microsoft network server: Digitally sign communications (if client
    > agrees) Enabled
    >
    > System cryptography: Use FIPS compliant algorithms for encryption,
    > hashing, and signing Disabled
    >
    >
    > We determined that was the best setting for us since we have downlevel
    > clients that we cannot upgrade. Some secure servers have "always" enabled.
    > I actually had to do the reg hack described in article 839499 one time
    > because the local policies were set by hand instead of by GPO.
    >


    --
    Gerry Hickman (London UK)
  9.

    Hi Gerry,

    The issue for our environment was that SMB signing is required by default for
    2003 domain controllers. There is a warning when you promo up a 2003 DC
    about Win95 and older Macs not understanding SMB signing. In our environment, we
    have tons of old Macs to support.

    In my case, I applied a security template to a server that locked the box
    down well, but I missed the fact that it then required FIPS, which basically
    buggered the machine and required the registry hack I mentioned. The OP may
    have some servers that had the security templates applied (I downloaded mine
    from MS).

    The following article describes the default settings, which by themselves
    won't lock you out (as described by the OP) because the defaults are
    *enabled*, but they can be changed to *required*. As I mentioned, 2003 DCs
    require signing.

    Overview of Server Message Block signing
    http://support.microsoft.com/default.aspx?scid=kb;en-us;887429

    --
    Scott Baldridge
    Windows Server MVP, MCSE


    "Gerry Hickman"
    > Hi Scott,
    >
    > Thanks for the GPO settings, but I still don't understand the fundamental
    > issue here? Is this a problem with Win2003 server only, and what kinds of
    > member servers and clients does it affect?
    >
    > I don't like relying on Group policy for this type of thing because sooner
    > or later it will fall over and suddenly none of the machines will be able
    > to talk to each other. That's why I'm trying to work out how it should
    > work with default settings...
    >
    > NIC Student wrote:
    >
    >> Hi Gerry,
    >>
    >> I just use a GPO and apply it on the workstations & servers:
    >>
    >>
    >> Domain member: Digitally encrypt or sign secure channel data
    >> (always) Disabled
    >> Domain member: Digitally encrypt secure channel data (when
    >> possible) Enabled
    >> Domain member: Digitally sign secure channel data (when possible)
    >> Enabled
    >>
    >> Microsoft network client: Digitally sign communications (always)
    >> Disabled
    >> Microsoft network client: Digitally sign communications (if server
    >> agrees) Enabled
    >> Microsoft network client: Send unencrypted password to third-party
    >> SMB servers Disabled
    >>
    >> Microsoft network server: Digitally sign communications (always)
    >> Disabled
    >> Microsoft network server: Digitally sign communications (if client
    >> agrees) Enabled
    >>
    >> System cryptography: Use FIPS compliant algorithms for encryption,
    >> hashing, and signing Disabled
    >>
    >>
    >> We determined that was the best setting for us since we have downlevel
    >> clients that we cannot upgrade. Some secure servers have "always"
    >> enabled. I actually had to do the reg hack described in article 839499
    >> one time because the local policies were set by hand instead of by GPO.
    >>
    >
    >
    > --
    > Gerry Hickman (London UK)
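The following is an added example, not code from the thread: it models the SMB signing negotiation that Scott's GPO settings (post 7) and the 2003 DC default (post 9) turn on, so you can see which client/server policy pairs connect and which fail outright with "network path not found". The host policies at the bottom are constructed assumptions for illustration.

```python
# Added example (not from the thread): models SMB signing negotiation between
# a client and a server based on the two GPO items the thread lists per side:
#   "Digitally sign communications (always)"           -> required
#   "Digitally sign communications (if server/client agrees)" -> enabled
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningPolicy:
    enabled: bool   # sign if the other side agrees
    required: bool  # sign always (refuse unsigned sessions)

    @property
    def effective(self) -> str:
        # "always" offers signing even when "if agrees" is left off.
        if self.required:
            return "required"
        return "enabled" if self.enabled else "disabled"


def negotiate(client: SigningPolicy, server: SigningPolicy) -> str:
    """Outcome of an SMB session: 'signed', 'unsigned' or 'fail'."""
    c, s = client.effective, server.effective
    # One side insists on signing, the other cannot sign: no session at all.
    if (c == "required" and s == "disabled") or (s == "required" and c == "disabled"):
        return "fail"
    # Either side insists and the other can sign: signed session.
    if c == "required" or s == "required":
        return "signed"
    # Both merely willing: they agree to sign.
    if c == "enabled" and s == "enabled":
        return "signed"
    # Otherwise at least one side never signs and the other does not insist.
    return "unsigned"


def audit(clients: dict, servers: dict) -> list:
    """Return (client, server) pairs that cannot open a session at all."""
    return [(cn, sn) for cn, c in clients.items()
            for sn, s in servers.items() if negotiate(c, s) == "fail"]


# Constructed sample hosts (assumed policies, for illustration only).
DC_2003_DEFAULT = SigningPolicy(enabled=True, required=True)    # 2003 DC: signing required
SCOTT_GPO = SigningPolicy(enabled=True, required=False)         # "always" Disabled, "if agrees" Enabled
DOWNLEVEL = SigningPolicy(enabled=False, required=False)        # Win95 / old Mac: no signing

if __name__ == "__main__":
    clients = {"win95-pc": DOWNLEVEL, "xp-pc": SCOTT_GPO}
    servers = {"dc1": DC_2003_DEFAULT, "fs1": SCOTT_GPO}
    for pair in audit(clients, servers):
        print("cannot connect:", pair)
```

The audit loop is the check to run on paper before head office's 2003 DCs go live: any client whose effective policy is "disabled" will fail against a DC that keeps the "always" default.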
  10.

    Hi Scott,

    > The issue for our environment was SMB signing is required by default for
    > 2003 domain controllers. There is a warning when you promo up a 2003 dc
    > about Win95 and older Macs not understanding SMB. In our environment, we
    > have tons of old macs to support.

    > Overview of Server Message Block signing
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;887429

    That's great, the article is very helpful.

    My concern was that head office are about to put some 2003 DCs on-line
    and my member servers and workstations are on Windows 2000.

    --
    Gerry Hickman (London UK)