Taking over an AD Mess 2003 mixed with 2000

Archived from groups: microsoft.public.win2000.setup_deployment (More info?)

I have recently taken over a network where the previous guy just threw 2003
into a 2000 domain. I don't know if any prep of the domain was done. When
the 2003 servers (that are DCs) are on, users can't get anywhere. I have run
DCDIAG off the 2000 DC and haven't seen a ton wrong but know something is
dorked up. Any suggestions on how to backtrack or figure out what this guy
did? Thanks
 

Hi Glenn,

The usual problem is the DNS configuration. Make sure the AD DNS servers
can forward to an outside DNS server or can do their own lookups, and that
they point to themselves or other AD DNS servers for DNS resolution. Client
workstations should all point to the AD DNS servers and not any outside DNS.

--
Scott Baldridge
Windows Server MVP, MCSE
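The checks behind Scott's DNS advice, as an added example that is not part of the original thread. It assumes a domain-joined admin workstation running Windows 8 / Server 2012 or later (for Resolve-DnsName and Get-DnsClientServerAddress) and takes the domain name from USERDNSDOMAIN unless one is passed in.

```powershell
# Added example, not from the thread. Verifies the DNS plumbing Scott describes:
# this host's DNS servers must be the AD DNS servers, and each of them must
# answer the DC locator SRV queries every client relies on. Needs Windows 8 /
# Server 2012 or later for Resolve-DnsName and Get-DnsClientServerAddress.
param(
    [string]$Domain = $env:USERDNSDOMAIN   # assumes a domain-joined host
)

# 1. Which DNS servers this host is really using (per interface, IPv4 only).
$dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

# 2. Locator records that must exist in the domain zone. _gc._tcp is registered
#    under the forest root zone, so that line is only right if $Domain is the root.
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$Domain",      # any DC
    "_kerberos._tcp.dc._msdcs.$Domain",  # any KDC
    "_ldap._tcp.pdc._msdcs.$Domain",     # the PDC emulator
    "_gc._tcp.$Domain"                   # a global catalog (forest root only)
)

$dcAddresses = @()
$report = foreach ($server in $dnsServers) {
    foreach ($name in $srvNames) {
        try {
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
            # Resolve each target so we can tell whether the DNS server is itself a DC.
            foreach ($target in $srv.NameTarget) {
                $dcAddresses += (Resolve-DnsName -Name $target -Type A -Server $server -DnsOnly -ErrorAction SilentlyContinue |
                                 Where-Object { $_.Type -eq 'A' }).IPAddress
            }
            [pscustomobject]@{ DnsServer = $server; Record = $name; Status = 'OK'; Targets = ($srv.NameTarget -join ', ') }
        } catch {
            [pscustomobject]@{ DnsServer = $server; Record = $name; Status = "FAIL: $($_.Exception.Message)"; Targets = '' }
        }
    }
}
$report | Format-Table -AutoSize -Wrap

# 3. A resolver that is not a DC (ISP or firewall DNS) may still answer by forwarding,
#    but it will never hold the dynamic records the DCs register. Flag it.
$dcAddresses = $dcAddresses | Where-Object { $_ } | Sort-Object -Unique
foreach ($server in $dnsServers) {
    if ($dcAddresses -notcontains $server) {
        Write-Warning "DNS server $server is not one of the DCs found via SRV records; DCs and clients should point only at AD DNS servers"
    }
}

# 4. What the DC locator actually picks right now (nltest ships with every Windows build).
nltest "/dsgetdc:$Domain" /force
```

Run it on the Windows 2000 DC as well as on a workstation: a DC whose NIC lists an outside resolver first is the classic cause of the "can't get anywhere" symptom, because its own locator lookups time out before reaching the AD zone.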
 

This was the first thing I checked, but I'm trying to get caught up on what needs
to be done to have mixed 2003 and 2000 DCs in the same network. What I mean
is, does the 03 have to be the primary, or does it matter? Was there any prep
that needed to happen prior to introducing an 03 DC? Etc. I want to push
the new 03s in and demote the 2000s to member servers to get rid of them.
So I am looking for the proper steps. I have built 2000 domains and 2003
domains but I haven't done a mixed environment, so I'm making sure I straighten
it out right.

 

Hi Glenn,

ADPREP had to be run on both the forest and the domain for a 2003 server to
be dcpromo'd into a DC.

Your domain is probably at the same functional level as before the 2003
introduction, i.e. if your domain was 2000 native, then it is still 2000
native. If you still have 2000 DCs then you can't be at a 2003 functional
level. Your domain should function well with both 2000 and 2003 DCs, but
you obviously can't raise the functional level to take advantage of the cool
2003 features with 2000 DCs present.

It sounds like you have some underlying configuration issues that may not be
related to the presence of 2000 DCs, especially since you stated that "users
can't get anywhere". Maybe if you could provide some specifics we could be
more helpful. Our environment ran well for quite a while with 2000 & 2003
DCs mixed, but we have moved on to 2003 these days.

--
Scott Baldridge
Windows Server MVP, MCSE
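A read-only inventory of the inherited domain, as an added example (not from the thread) covering Scott's points: whether adprep /forestprep and /domainprep were run, the functional level and mixed/native mode, which OS each DC runs, and who holds the FSMO roles. It uses plain ADSI rather than the ActiveDirectory module so it works against Windows 2000 and 2003 DCs. The schema objectVersion mapping and the CN=DomainUpdates marker object are my assumptions from Microsoft's adprep documentation; confirm them against the KB for your build.

```powershell
# Added example, not from the thread. Read-only audit of what the previous admin
# left behind. Run as a domain user from any domain-joined box; plain ADSI so it
# works with 2000/2003 DCs (the ActiveDirectory module needs ADWS on 2008 R2+).
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNc = $rootDse.defaultNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

# --- adprep /forestprep raises objectVersion on the schema head.
# Assumed mapping (Microsoft schema-version table): 13 = Windows 2000,
# 30 = Server 2003, 31 = 2003 R2, 44 = 2008, 47 = 2008 R2.
$schemaVersion = [int]([ADSI]"LDAP://$schemaNc").objectVersion.Value
$schemaLabel = switch ($schemaVersion) {
    13      { 'Windows 2000 schema - adprep /forestprep has NOT been run' }
    30      { 'Windows Server 2003 schema' }
    31      { 'Windows Server 2003 R2 schema' }
    default { "schema version $schemaVersion" }
}

# --- adprep /domainprep creates CN=DomainUpdates,CN=System (assumed marker object).
$domainPrepDone = [ADSI]::Exists("LDAP://CN=DomainUpdates,CN=System,$domainNc")

# --- Functional level. msDS-Behavior-Version does not exist until the 2003 schema
# is in place (so $null here means Windows 2000); ntMixedDomain=1 is 2000 mixed mode.
$domain   = [ADSI]"LDAP://$domainNc"
$behavior = $domain.'msDS-Behavior-Version'.Value
$levelLabel = switch ([int]$behavior) {   # $null casts to 0
    0       { 'Windows 2000' }
    1       { 'Windows Server 2003 interim' }
    2       { 'Windows Server 2003' }
    default { "level $behavior" }
}
$mode = if ([int]$domain.ntMixedDomain.Value -eq 1) { 'mixed' } else { 'native' }

# --- FSMO holders. fSMORoleOwner is the DN of the holder's NTDS Settings object;
# the second RDN of that DN is the server name.
function Get-FsmoHolder([string]$objectDn) {
    $dn = ([ADSI]"LDAP://$objectDn").fSMORoleOwner.Value
    ($dn -split ',')[1] -replace '^CN='
}
$fsmo = [ordered]@{
    'Schema master'  = Get-FsmoHolder $schemaNc
    'Domain naming'  = Get-FsmoHolder "CN=Partitions,$configNc"
    'PDC emulator'   = Get-FsmoHolder $domainNc
    'RID master'     = Get-FsmoHolder "CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure' = Get-FsmoHolder "CN=Infrastructure,$domainNc"
}

# --- Which DCs exist and what they run (userAccountControl bit 0x2000 = SERVER_TRUST_ACCOUNT).
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainNc")
$searcher.Filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
foreach ($attr in 'dNSHostName', 'operatingSystem', 'operatingSystemVersion') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}
$dcs = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        DC      = $r.Properties['dnshostname'][0]
        OS      = $r.Properties['operatingsystem'][0]
        Version = $r.Properties['operatingsystemversion'][0]
    }
}

"Schema:            $schemaLabel"
"Domainprep marker: $(if ($domainPrepDone) { 'present' } else { 'MISSING - adprep /domainprep not run' })"
"Domain level:      $levelLabel ($mode mode)"
"FSMO roles:"
$fsmo.GetEnumerator() | ForEach-Object { "  {0,-15} {1}" -f $_.Key, $_.Value }
"Domain controllers:"
$dcs | Format-Table -AutoSize
```

If the schema still reports version 13 while a 2003 DC is listed, the promotion could not have completed cleanly, and that is where to dig first; the FSMO table also answers the "does the 03 have to be the primary" question, since only the PDC emulator role matters for that and it can be moved with ntdsutil once the 2003 DC is healthy.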
 

The error message I get is the following, whenever I try to navigate the
network or try to join the domain:

"DomainName" is not accessible. You might not have permission to use this
network resource. Contact the administrator of this server to find out if
you have access permissions.

Windows cannot find the network path. Verify that the network path is
correct and the destination computer is not busy or turned off. If Windows
still cannot find the network path, contact your network administrator.

 

Hi Glenn,

Thanks for the info. You may be experiencing some problems with SMB
signing. We had some issues when we moved to 2003 since it wants to enable
SMB signing and we have downlevel clients. Look at your GPOs to see what is
being enforced: Computer > Windows Settings > Local Policies > Domain Member /
MS Network Client / MS Network Server / System Cryptography. Use the GPMC utility
to get a resultant set of policies on both your servers and clients to see
what is wrong. Take a look at the server and workstation event logs for
more clues:

You cannot open file shares or Group Policy snap-ins when you disable SMB
signing for the Workstation or Server service on a domain controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;839499

I assume you have done the normal troubleshooting to eliminate common TCP/IP
problems, i.e. you can ping the machines by name and by fully qualified name, etc.

"An Invalid Operation Was Attempted on an Active Network Connection" Error
Message Occurs If You Try to Browse the Network
http://support.microsoft.com/default.aspx?scid=kb;en-us;318245

--
Scott Baldridge
Windows Server MVP, MCSE
 

Hi Scott,

> You cannot open file shares or Group Policy snap-ins when you disable SMB
> signing for the Workstation or Server service on a domain controller
> http://support.microsoft.com/default.aspx?scid=kb;en-us;839499

I don't like the look of this, what is the correct way to set things up
so that this never happens in the first place?

--
Gerry Hickman (London UK)
 

Hi Gerry,

I just use a GPO and apply it on the workstations & servers:

Domain member: Digitally encrypt or sign secure channel data (always) = Disabled
Domain member: Digitally encrypt secure channel data (when possible) = Enabled
Domain member: Digitally sign secure channel data (when possible) = Enabled

Microsoft network client: Digitally sign communications (always) = Disabled
Microsoft network client: Digitally sign communications (if server agrees) = Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers = Disabled

Microsoft network server: Digitally sign communications (always) = Disabled
Microsoft network server: Digitally sign communications (if client agrees) = Enabled

System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing = Disabled

We determined that was the best setting for us since we have downlevel
clients that we cannot upgrade. Some secure servers have "always" enabled.
I actually had to do the reg hack described in article 839499 one time
because the local policies were set by hand instead of by GPO.

--
Scott Baldridge
Windows Server MVP, MCSE
 

Hi Scott,

Thanks for the GPO settings, but I still don't understand the
fundamental issue here. Is this a problem with Win2003 Server only, and
what kinds of member servers and clients does it affect?

I don't like relying on Group Policy for this type of thing because
sooner or later it will fall over and suddenly none of the machines will
be able to talk to each other. That's why I'm trying to work out how it
should work with default settings...


--
Gerry Hickman (London UK)
 

Hi Gerry,

The issue for our environment was that SMB signing is required by default for
2003 domain controllers. There is a warning when you promo up a 2003 DC
about Win95 and older Macs not understanding SMB. In our environment, we
have tons of old Macs to support.

In my case, I applied a security template to a server that locked the box
down well, but I missed the fact that it then required FIPS, which basically
buggered the machine and required the registry hack I mentioned. Our OP may
have some servers that had the security templates applied (I downloaded mine
from MS).

The following article describes the default settings, which by themselves
won't lock you out (as described by the OP) because the defaults are
*enabled* but they can be changed to *required*. As I mentioned, 2003 DCs
require signing.

Overview of Server Message Block signing
http://support.microsoft.com/default.aspx?scid=kb;en-us;887429

--
Scott Baldridge
Windows Server MVP, MCSE
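An added example (not from the thread) that reads the registry values behind the policies in Scott's GPO list and his later security-template story. It reports each value against his baseline, then flags the specific failure modes discussed: a Workstation service that will not sign talking to a DC that requires it (the KB 839499 situation), a Server service that refuses clients that cannot sign, and FIPS forced on. The registry paths are the ones these policies write on Windows 2000 through current builds; the XP/2003 FIPS value name is given as an assumption. Run it elevated on each server and workstation, or fan it out with Invoke-Command. Note the trade-off Scott accepts for his old clients: a server that does not require signing accepts unsigned SMB sessions, which can be relayed or tampered with on the wire, so treat that baseline as a downlevel-client exception rather than the norm.

```powershell
# Added example, not from the thread. Reads the registry values the listed GPO
# settings actually control, compares them with Scott's baseline, and warns about
# the breakages the thread describes. 1 = Enabled, 0 = Disabled, absent = OS default.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$wks      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$srv      = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy text as shown in GPMC/secpol, the value it writes, and the baseline from the post.
$policies = @(
    @{ Policy = 'Domain member: Digitally encrypt or sign secure channel data (always)';             Path = $netlogon; Name = 'RequireSignOrSeal';        Baseline = 0 }
    @{ Policy = 'Domain member: Digitally encrypt secure channel data (when possible)';              Path = $netlogon; Name = 'SealSecureChannel';        Baseline = 1 }
    @{ Policy = 'Domain member: Digitally sign secure channel data (when possible)';                 Path = $netlogon; Name = 'SignSecureChannel';        Baseline = 1 }
    @{ Policy = 'Microsoft network client: Digitally sign communications (always)';                  Path = $wks;      Name = 'RequireSecuritySignature'; Baseline = 0 }
    @{ Policy = 'Microsoft network client: Digitally sign communications (if server agrees)';        Path = $wks;      Name = 'EnableSecuritySignature';  Baseline = 1 }
    @{ Policy = 'Microsoft network client: Send unencrypted password to third-party SMB servers';    Path = $wks;      Name = 'EnablePlainTextPassword';  Baseline = 0 }
    @{ Policy = 'Microsoft network server: Digitally sign communications (always)';                  Path = $srv;      Name = 'RequireSecuritySignature'; Baseline = 0 }
    @{ Policy = 'Microsoft network server: Digitally sign communications (if client agrees)';        Path = $srv;      Name = 'EnableSecuritySignature';  Baseline = 1 }
)

function Get-RegDword([string]$Path, [string]$Name) {
    # $null when the value is absent, i.e. no policy or template has touched it.
    try { [int](Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$report = foreach ($p in $policies) {
    $actual = Get-RegDword $p.Path $p.Name
    [pscustomobject]@{
        Policy   = $p.Policy
        Actual   = if ($null -eq $actual) { 'not set (OS default)' } else { $actual }
        Baseline = $p.Baseline
        Matches  = ($actual -eq $p.Baseline)
    }
}
$report | Format-Table -AutoSize -Wrap

# FIPS lives in two places: Vista and later use the Enabled value of the
# FipsAlgorithmPolicy subkey; XP/2003 used a DWORD directly under Lsa (assumed name).
$fips = Get-RegDword "$lsa\FipsAlgorithmPolicy" 'Enabled'
if ($null -eq $fips) { $fips = Get-RegDword $lsa 'FIPSAlgorithmPolicy' }

# The specific breakages from the thread.
$wksEnable  = Get-RegDword $wks 'EnableSecuritySignature'
$srvRequire = Get-RegDword $srv 'RequireSecuritySignature'
if ($wksEnable -eq 0) {
    Write-Warning 'Workstation service will not sign: every connection to a server that requires signing (2003 DCs by default) fails - SYSVOL, NETLOGON and GP snap-ins included (KB 839499)'
}
if ($srvRequire -eq 1) {
    Write-Warning 'Server service REQUIRES signing: clients that cannot sign (Win95, old Mac SMB stacks) will be refused'
} else {
    # Editor's note: the price of the compatibility setting is that unsigned SMB
    # sessions are accepted, and those can be relayed or tampered with on the wire.
    Write-Warning 'Server service does not require signing: unsigned SMB sessions are accepted'
}
if ($fips -eq 1) {
    Write-Warning 'FIPS-compliant algorithms enforced: the symptom Scott hit after applying a security template'
}
```

Compare the Actual column with the output of gpresult or the GPMC resultant set: a value that is set but not explained by any GPO is exactly the "set by hand or by template" case Scott describes, and it will not be corrected by fixing the GPO alone.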
 

Hi Scott,

> The issue for our environment was SMB signing is required by default for
> 2003 domain controllers. There is a warning when you promo up a 2003 dc
> about Win95 and older Macs not understanding SMB. In our environment, we
> have tons of old macs to support.

> Overview of Server Message Block signing
> http://support.microsoft.com/default.aspx?scid=kb;en-us;887429

That's great, the article is very helpful.

My concern was that head office are about to put some 2003 DCs on-line
and my member servers and workstations are on Windows 2000.

--
Gerry Hickman (London UK)