# TCP/IP Network Admin Questions (OT/NT)



## Dwight Ennis (Jan 2, 2008)

We had a catastrophic hardware failure at work on Tuesday, taking out the Domain Controller. As a result, I've been darn busy the last three days building a new domain from the ground up. I have a few questions for you Network whizzes out there. 

First a little background. The network that just died was an old NT4 TCP/IP over NETBEUI|NETBIOS system that I built up starting in '98. It had a PDC and a BDC. As the years have gone by, and XP Pro machines started coming online, I was able to integrate them into the network using TCP/IP only on those machines without having to add NETBEUI to them. At the same time, the older Win95 and Win98 machines began dropping offline as they were replaced. We picked up a 2003 server a few years back which I had running as a member server (Server-A) on the NT4 network and it became our primary data repository and file server. 

Not too long ago, we bought a second 2003 server, which I configured as a domain controller for a new TCP/IP based domain using the now standard Active Directory model, etc. It wasn't doing much on the network yet - mostly acting as the DHCP server - but I had a trust established between its domain and the old NT4 domain. My plan was to start migrating the company over to the new domain and slowly phase out the old NT4 machines. We still had two old Win98 machines that were on the manufacturing floor, and these allowed people to log on and off different jobs for cost accounting purposes. While these machines were still functioning, I still needed the old NT4 domain for them to talk to. 

As luck would have it, these two old Win98 machines recently died and were replaced by XP Pro machines. I just hadn't gotten around to starting the domain migration. Then the NT4 PDC died on Tuesday, and no one could get on the network or do their jobs. I brought the BDC back online (it had been offline for a few months), but for whatever reason, it wouldn't do its job. I tried promoting it to PDC, but that didn't work either. So now I HAD to do the migration ASAP. 

As of the end of yesterday, I have 99% of everything back up and running. I had to build the Active Directory from the ground up, and I "unjoined" Server-A from the old domain and added it to the new. I also went to each workstation and did the same thing, also importing people's documents, favorites, emails, etc. to their new user IDs. Each workstation also now has the domain controller's IP address as its primary DNS server. I have one more machine to migrate today (the guy's on vacation), and then everyone will be functioning in the new domain model. 

Now to my questions: 

1 - Server-B is now the domain controller and DHCP/DNS server, and also hosts some files. Server-A is still primarily a file server/data repository. Should I add Active Directory to Server-A? As I understand it, there isn't any "Primary Domain Controller" in the 2003 Server domain model. Would adding Active Directory to Server-A spread the domain controller responsibilities over both servers? 

2 - do I need WINS? Everything seems to be working just fine without it. Our network doesn't function as an Intranet, and people still look for their files by going to the appropriate server (there are only two) via My Network Places or Windows Explorer (mostly they have shortcuts on their desktops to what they need). Workstation-to-workstation communication is minimal if not non-existent - everything lives on the two servers for easy backup. What would WINS do for me? If I do need it, should it go on the same server which performs DNS/DHCP? 

Thanks for any info you can provide. It's been a busy few days. hehehe


----------



## K27_463 (Jan 2, 2008)

Dwight: you are correct, no PDC in Active Directory. However, the FIRST AD server in the tree is also known as the FSMO machine, this means something like first single master of operations (need to look that up again), so it does have background duties not shared by other site controllers or any other DC in the network. If you add another server to AD, they will each be aware of each other's existence, and can share authentication for example, which builds both redundancy and speed. Plus, if they are both on AD, changes such as account structure made in a single place will propagate, which also makes life easier. 

You do not need WINS as I understand it, especially if you are going to be all XP or better for clients. WINS might be nice, but not mandatory. If I recall, we shut WINS off a while ago. 

Jonathan


----------



## Bill Swindell (Jan 2, 2008)

I got an AD domain running at our train club a few weeks ago. I am still going to convert that old NT4 server to 2003 Server with AD. You definitely should make both servers domain controllers. That way, you only have to manage user IDs and passwords in one place instead of 2.


----------



## Semper Vaporo (Jan 2, 2008)

Thanks Dwight! You made my day... maybe my whole week! 

Dear Lord God Almighty, I'm glad, glad, glad, I'm retired!!!!!!!!


----------



## Greg Elmassian (Jan 3, 2008)

I agree completely with Jonathan. Also, not using a wins server will help performance a bit, since you won't have that junk flying over your network. 

If you have AD then you want two of them. 

I've had exactly the same problem with promoting a BDC to a PDC.... I have seen that if it was not online at the time, promoting it fails. 

(I have AD on my home network and (obviously) a Windows server. With 10 computers, just not having to manage passwords separately makes it worth it) 

Regards, Greg


----------



## Duncan (Jan 2, 2008)

Here's all you need... 

For high speed data transfer, woven kite string is recommended, otherwise, plain old twisted jute is fine... 


----------



## Semper Vaporo (Jan 2, 2008)

Whoa That is the heavy duty model... I always used the paper Dixie (tm) cup model.


----------



## ShadsTrains (Dec 27, 2007)

Jonathan's got it right Dwight.. Yes, add AD to the other server and no, you don't need wins.


----------



## Mike Reilley (Jan 2, 2008)

Amazing....totally OFF topic...highly complicated...and a corroborated answer within 90 minutes on some pretty technical stuff. And....here all along I thought Dwight knew everything...


----------



## Semper Vaporo (Jan 2, 2008)

113 reads of the thread (so far) and I bet only about 5 or 6 people could make heads or tails out of that alphabet soup! (NT4 TCP/IP NETBEUI NETBIOS AD PDC BDC WINS ASAP and a Partridge in a Pear Tree).


----------



## Dwight Ennis (Jan 2, 2008)

Thank you very much for the answers and info guys. This place is terrific!!!  The last workstation has been completed and several more brush fires extinguished - mostly concerned with user permissions I forgot to assign. Full backups have been done of the data in its new home. Things are pretty much back to normal. I've decided tonight I'm gonna get tanked!  

> And....here all along I thought Dwight knew everything...

Where did you ever get _that_ idea? Certainly not from me!!! hehehe


----------



## Dwight Ennis (Jan 2, 2008)

> Dear Lord God Almighty, I'm glad, glad, glad, I'm retired!!!!!!!!

Oh yeah... another 4 years, 9 months, 2 days, 9 hours, 31 minutes, and 20 seconds, and I'll join you (but who's counting).


----------



## Curmudgeon (Jan 11, 2008)

Reminds me of our "official" USN short-timer's calendars.......and chains.


----------



## R.W. Marty (Jan 2, 2008)

Oh yea, 
Short-timers calendars. Don't know anything about the chains. 
The calendars I remember were usually a pinup marked off in small sections and each one colored in as the days went by. Seems to me it was the last 60 days but may have been longer. That was a long time ago. 
I do remember that there was a big starburst added on FIGMO day. 
Thanks for the memory. 
Rick


----------



## barnmichael (Jan 2, 2008)

The requirements said "XP or better" so I installed Linux. 

Being a cheapskate and hating complex licensing issues, I'd go with Samba and LDAP, etc. any day. 

Glad to see it all come together and get your system on line. 

Michael


----------



## thespottedcat (Jan 2, 2008)

Dwight, 
Glad to hear you're up and running. Been there, it's not nice. 

Just some things to watch out for over the next few days. 
1. File shares, check your 2003 file servers allow users to modify their files. 2003 doesn't have "modify" on as a default. This caused me some issues 
2. When you get time, work out an AD scheme for your users, it's easier to implement early on, rather than later. 
3. Get up to speed on your AD GPO and Policy stuff. It's a vast improvement over what was in NT 
4. If you're using drive mapping via a NT logon script, try using GPO's 

If you need any help, contact me. All the best 

Stan


----------



## ohioriverrailway (Jan 2, 2008)

Short timer's calendar -- so many days and a wake-up. That was 48 years ago and I still remember it! 
But what the heck is a chain??


----------



## Dwight Ennis (Jan 2, 2008)

> 1. File shares, check your 2003 file servers allow users to modify their files. 2003 doesn't have "modify" on as a default. This caused me some issues

Got it. Thanks. 

> 2. When you get time, work out an AD scheme for your users, it's easier to implement early on, rather than later.

I assume you're referring to group membership, etc. How well do groups work in 2003 for permission assignment? It worked well in NT. 

Another thing about groups... 2003 has a whole slew of built-in groups, most of which I will never use. Makes it harder to find what I'm looking for having to wade through all these extraneous groups. Can I safely delete those I don't need? 

> 3. Get up to speed on your AD GPO and Policy stuff. It's a vast improvement over what was in NT

I'm unfamiliar with "GPO" - what's that? 

> 4. If you're using drive mapping via a NT logon script, try using GPO's

N/A 

Thanks for the tips BTW.


----------



## thespottedcat (Jan 2, 2008)

Dwight, 
AD schemes 
Much better than NT. What I do is control access by using the groups rather than individual permissions. 
For example if your accounts area need a secure file store, create a group in AD Users and Groups called Accounts, put the accounts team in it, and then only allow that group permissions to that folder (under the folder permissions). Even if there is only one member in a group, it is still easier to manage, because if they leave, you drop their replacement into the same group and they have the same access. Your users can be in as many groups as they need to. The only time you will run into trouble is if one group has an explicit deny on a resource and another group is allowed, and a user is a member of both: Windows will favour the deny. You can also apply this to specific computers, so a computer in a publicly accessible area has very limited access, no matter who is logged on. 

Remember it's not just permissions for windows folders, it's anything on the network, so you can control access to printers, databases, software even access to computers. 

With the built-in groups it depends. I know if you migrate from a NT domain it will create some stuff so AD can access the NT resources. Are any of your users members of these groups? Personally I'd leave them for now, the last thing you would want is to create more instability on your network at this point. When everything is bedded down, google the folder names, and then disable them for a while and delete later. Take it slow with deleting stuff. 

GPO is Group Policy Objects. Once you have your users pigeonholed in their groups you can apply policies to them. For example at my work which has a number of retail outlets, the sales staff cannot change the screensaver or background from the corporate one I set, the screensaver kicks in quicker than default, and is password protected. The POS computers are also locked down using GPO and straight AD Users and Groups to have restricted access to network resources. You can do some really cool stuff here. Worth learning more, a lot of stuff there. 

The beaut' thing is that if a person moves from a sales role to the back office, then you just swap the group they are in. 

Unfortunately you can have the best set-up in the world, but what will bring you down are your users. The more you lock down, the more people will try to get around it. The hard part is getting the balance right between network access and network security. It only takes a duff head in accounts to give their password to someone in sales and all of a sudden you have a security hole. Get a good paper-based IT Policy in place, that can be enforced, and train your users. 

Stan
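An added example of the scheme Stan describes, written by the editor, not by any poster in this thread: a security group carries the access, the folder gets Modify (not Full Control, the default-permissions point from his earlier list) for that group, and an explicit Deny on a second group shows why Windows "favours the deny" when a user sits in both. It is PowerShell against the ActiveDirectory RSAT module (Server 2008 R2 or later; on 2003 the same steps are done in AD Users and Computers and the folder's Security tab). The EXAMPLE domain, the OU path, the Accounts and Leavers group names, the member accounts and the D:\Shares\Accounts path are all placeholders.

```powershell
# Added example: not code from the thread. Assumes the ActiveDirectory module
# (RSAT, Windows Server 2008 R2 or later) and a domain-admin session on the
# file server. Domain, OU, group names, members and the folder path are placeholders.
#Requires -Modules ActiveDirectory
param(
    [string]$DomainNetbios  = 'EXAMPLE',
    [string]$GroupOU        = 'OU=Groups,DC=example,DC=local',
    [string]$AllowGroup     = 'Accounts',
    [string[]]$AllowMembers = @('alice', 'bob'),
    [string]$DenyGroup      = 'Leavers',      # explicit Deny beats Allow for anyone in both
    [string]$FolderPath     = 'D:\Shares\Accounts'
)

function Ensure-ADSecurityGroup {
    # Create a global security group in $GroupOU if it is missing; return the group.
    param([string]$Name)
    $g = Get-ADGroup -Filter "Name -eq '$Name'"
    if (-not $g) {
        $g = New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security -Path $GroupOU -PassThru
    }
    return $g
}

$allow = Ensure-ADSecurityGroup -Name $AllowGroup
$deny  = Ensure-ADSecurityGroup -Name $DenyGroup
Add-ADGroupMember -Identity $allow -Members $AllowMembers

if (-not (Test-Path -Path $FolderPath)) {
    New-Item -ItemType Directory -Path $FolderPath | Out-Null
}

$acl = Get-Acl -Path $FolderPath
# Stop inheriting from the parent and drop the inherited ACEs, so the folder carries
# only the entries set here rather than whatever the volume root grants.
$acl.SetAccessRuleProtection($true, $false)

$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rules = @(
    # Modify, not FullControl: the team can create, edit and delete files but cannot
    # change permissions or take ownership of the folder.
    New-Object System.Security.AccessControl.FileSystemAccessRule("$DomainNetbios\$AllowGroup", 'Modify', $inherit, $propagate, 'Allow'),
    # Explicit Deny: evaluated before Allow, so an Accounts member dropped into Leavers loses access.
    New-Object System.Security.AccessControl.FileSystemAccessRule("$DomainNetbios\$DenyGroup", 'FullControl', $inherit, $propagate, 'Deny'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM', 'FullControl', $inherit, $propagate, 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $FolderPath -AclObject $acl

# Show the result with Deny entries first, the order in which Windows evaluates explicit ACEs.
(Get-Acl -Path $FolderPath).Access |
    Sort-Object { $_.AccessControlType -ne 'Deny' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it once per secured folder; moving a person between roles is then only a group-membership change, never an edit to the folder's ACL. The Deny group is the one thing to use sparingly: a Deny ACE on a broad group is the classic way to lock an administrator out of a share by accident.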


----------



## Dwight Ennis (Jan 2, 2008)

Thanks Stan. Sounds like groups function pretty much the same as they did in NT. I used them pretty much exclusively (with one or two exceptions) to manage resource access in the old NT domain. 

Can you recommend a good book or web site to learn about policies?


----------



## thespottedcat (Jan 2, 2008)

Dwight, 
I did some training and I found that was the best way. You can play with it on someone else's network. One of the MCSE modules is just on it. I think it's only a 3 day course and most training places will let you do just that. 

There is some great stuff on the Microsoft website. I've got the links at work. I'll post them on Monday. 

Stan


----------



## Dwight Ennis (Jan 2, 2008)

Thanks again Stan.


----------



## thespottedcat (Jan 2, 2008)

Dwight, 
First link is an overview of GPO's 
http://technet.microsoft.com/en-us/library/bb742376.aspx 

Second link is the 2003 version. 
http://www.microsoft.com/technet/pr...ectory/activedirectory/stepbystep/gpfeat.mspx 

Have you flicked over to 2000/2003 native mode yet? 
Stan


----------



## Roland Seavey (Jan 4, 2008)

Dwight, 
Yea what they said, thats it i am sure of it, or is that full of it. 
I am with Duncan here. 
Now what did you say. 
Oh yea I have no idea. 
Now's where's the on button. 
See ya in a few days, hehehe 
Roland


----------



## Dwight Ennis (Jan 2, 2008)

Thanks once again Stan. Now I just need to find time to study 'em.


----------



## Dwight Ennis (Jan 2, 2008)

A simple question... It's my understanding that as the domain admin in 2003 Server, I should have full remote access to every workstation hard drive on the network. True? If so, how do I get this without going to every workstation and manually sharing the drive(s) and giving myself permissions?


----------



## thespottedcat (Jan 2, 2008)

Dwight, 
Can you map the root drive of a desktop using \\ipaddress\c$ (from Windows file manager)? 

If you are doing the C$ map to a 2003 server it could be disabled by default (I'd have to check that one). 

The domain admin should be in the local admin group (on the desktop) by default, if it's not, then you would need to add it. 

There are logon scripts that could automate it. But it should be there. 

Also there are GPOs that can disable the C$ root logon. I'd check that before running scripts on all the desktop fleet. 


Everyone got that? Finally a topic I know something about!
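The checks Stan lists, as an added PowerShell example by the editor (not posted by anyone in the thread): whether \\host\C$ answers, whether Domain Admins is in each workstation's local Administrators group, and whether the AutoShareWks registry value that removes the administrative shares has been set. It assumes PowerShell remoting (WinRM) is enabled on the workstations and that it runs from a domain-admin session; the WS01/WS02 names and the EXAMPLE domain are placeholders, and on XP-era clients only the share test applies. One caveat worth stating: running this from a Domain Admin session is fine, but logging on interactively to workstations with that account leaves its credentials on every box it touches, which is exactly what an attacker on one workstation hopes for.

```powershell
# Added example: not code from the thread. Assumes WinRM remoting on the clients
# and a domain-admin session. Computer names and the EXAMPLE domain are placeholders.
param(
    [string[]]$Computers   = @('WS01', 'WS02'),
    [string]$DomainNetbios = 'EXAMPLE'
)

$domainAdmins = "$DomainNetbios\Domain Admins"

foreach ($pc in $Computers) {
    $row = [ordered]@{
        Computer            = $pc
        AdminShareReachable = $false
        DomainAdminsLocal   = $null   # is Domain Admins in the local Administrators group?
        AutoShareWks        = $null   # registry switch that removes C$/ADMIN$ when set to 0
        Error               = $null
    }
    try {
        # \\host\C$ is the hidden administrative share the reply refers to.
        $row.AdminShareReachable = Test-Path -Path "\\$pc\C$" -ErrorAction Stop

        $remote = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
            # 'net localgroup' exists on every Windows version in this thread;
            # Get-LocalGroupMember would need PowerShell 5.1 or later. Its output is
            # a header, a dashed rule, the member lines, then a trailer line.
            $members = @()
            $afterRule = $false
            foreach ($line in (net localgroup Administrators)) {
                if ($afterRule -and $line -and $line -notmatch 'completed successfully') {
                    $members += $line.Trim()
                }
                elseif ($line -match '^-{10,}') {
                    $afterRule = $true
                }
            }

            # HKLM\...\LanmanServer\Parameters\AutoShareWks = 0 (AutoShareServer on servers)
            # stops the administrative shares being created; a missing value means they are.
            $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
            $auto = $params.AutoShareWks
            if ($null -eq $auto) { $auto = 'not set (default: shares created)' }

            [pscustomobject]@{ Members = $members; AutoShareWks = $auto }
        }
        $row.DomainAdminsLocal = [bool]($remote.Members -contains $domainAdmins)
        $row.AutoShareWks      = $remote.AutoShareWks
    }
    catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
```

A row with AdminShareReachable false but DomainAdminsLocal true usually means the share was removed (AutoShareWks 0, or a policy doing the same) rather than a permissions problem; a row with DomainAdminsLocal false is a machine that was joined and then had its local Administrators group edited by hand, and is the one to look at first.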


----------



## seadawg (Jan 2, 2008)

> Posted By ohioriverrailway on 04/12/2008 9:13 AM
> Short timer's calendar -- so many days and a wake-up. That was 48 years ago and I still remember it! 
> But what the heck is a chain??




I had a short timers chain made out of steel beads (one for each day left), like a dog tag chain on steroids, that I hung from my belt. Every morning as we gathered for quarters, I made great ceremony by using a screwdriver and a large hammer to disconnect the bead and smash it on the deck of the forecastle with the large hammer and saying something like "Another day done in YOUR Navy". Of course that was only at the end of my first enlistment.


Less than 90 days later I had reupped for another 4. And before I knew it, 20 years had slipped by. 




Oh and as far as the topic goes, move forward slowly with changing GPOs. It can screw things up for everyone with the click of a mouse. And if you delete one that you need to function, you better hope you have an AD lag site, because recovery is nearly impossible. We disabled our entire intranet when one of our guys was tinkerin'.


----------



## Dwight Ennis (Jan 2, 2008)

Thanks once again Stan. I didn't have time to mess with it today, but hopefully tomorrow. 

Dave - can you define an AD lag site? 

Damn, I'm getting too old to have to learn all this new stuff. Half my gray matter has ALREADY leaked out through my hair roots! I'd just want to play with trains.


----------



## 22train (Mar 13, 2008)

If you have applications that are vital to run the business, I would consider clustering your servers and use backup systems such as RAID to ensure you have maximum up time. 

22train


----------



## afinegan (Jan 2, 2008)

If you were running Linux, you would be playing with trains.... or Novell 3.12



Joking...I had to be the Linux troll



(I am an MCSE from the NT 4.0 days, oldschool Windows network guy, now I am a Linux guy (in the corporate environment)).


----------



## thespottedcat (Jan 2, 2008)

Dwight, 
AD lag is when your AD servers take a while to sync due to being on a WAN or whatever. 

You can choose to have your AD servers sync after hours to save bandwidth. 

If you screwed one of them up, you could basically stop the bad change from going out to the other AD servers, and push a good version to the damaged AD server. 

Stan


----------



## seadawg (Jan 2, 2008)

> Posted By Dwight Ennis on 04/17/2008 8:09 PM
> Thanks once again Stan. I didn't have time to mess with it today, but hopefully tomorrow. 
> Dave - can you define an AD lag site? 
> Damn, I'm getting too old to have to learn all this new stuff. Half my gray matter has ALREADY leaked out through my hair roots! I'd just want to play with trains.




Dwight, an AD lag site is a DC that has the replication site link set to once every so many hours (like 168 for a week). What it allows you to do is copy certain AD properties back to the main DCs (using what they call authoritative restore). We run a couple of virtual servers for this function. My point of the comment was be extremely careful before you delete anything, it is better to disable or move to an OU or group that does not have any GPOs or access applied. 



We have over 3000 PCs of various O/Ss and versions and over 300 servers. I'm the hardware geek who handles all server hardware issues and server O/S issues. I tinker with AD but leave the hard stuff to the younger guys that like to stay up late at night in their home lab (like I used to have). I was a CNE 4, 5 and NT4 MCSE and now they're trying to make me jump through the W2K3 and 2008 hoops. My brain cell is not as agile as it once was.



If I understand your shop from your description, a lag site is probably overkill. Back up your DC with the FSMO roles (the server you first did DCpromo on unless you moved them) with tape and google "AD authoritative restore" and you'll be able to get the stuff back, but I prefer to err on the side of caution.



Sorry for all this mumbo jumbo. My job is what drives me to the old school technology of live steam, WAY more easier to understand.
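An added PowerShell example by the editor (not code from seadawg, Stan or anyone else in the thread) covering the two facts this and Stan's reply turn on: which DC holds each FSMO role, so you know which machine's system state to back up before touching GPOs, and how often each site link replicates, which is what makes a DC a "lag site". It assumes the ActiveDirectory RSAT module on Server 2012 or later and a domain-admin session; on 2003-era systems `netdom query fsmo` and `repadmin /showrepl` give the same facts. Site and DC names come from whatever the forest contains; the 168-hour threshold is the weekly interval seadawg cites.

```powershell
# Added example: not code from the thread. Assumes the ActiveDirectory module
# (RSAT, Windows Server 2012 or later) and a domain-admin session.
#Requires -Modules ActiveDirectory
param([int]$LagThresholdHours = 168)   # a link that replicates weekly is the post's lag site

function Get-FsmoRoleHolders {
    # The five operations-master roles: two forest-wide, three per domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-ReplicationLinkReport {
    # Each site link replicates every ReplicationFrequencyInMinutes; flag the slow ones.
    param([int]$ThresholdHours)
    Get-ADReplicationSiteLink -Filter * | ForEach-Object {
        $hours = $_.ReplicationFrequencyInMinutes / 60
        # SitesIncluded holds site DNs; keep only the CN (the site name).
        $sites = $_.SitesIncluded | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=', '' }
        [pscustomobject]@{
            Link          = $_.Name
            Sites         = ($sites -join ', ')
            IntervalHours = $hours
            LagSiteLink   = ($hours -ge $ThresholdHours)
        }
    }
}

$roles = Get-FsmoRoleHolders
$roles | Format-List

# Every role holder is a DC whose system state you want backed up and which should answer.
$roles.PSObject.Properties |
    ForEach-Object { $_.Value } |
    Sort-Object -Unique |
    ForEach-Object {
        $dc = $_
        [pscustomobject]@{
            RoleHolder = $dc
            Reachable  = (Test-Connection -ComputerName $dc -Count 1 -Quiet)
        }
    } | Format-Table -AutoSize

Get-ReplicationLinkReport -ThresholdHours $LagThresholdHours | Format-Table -AutoSize
```

In a two-server shop like Dwight's, all five roles will sit on the first server that ran DCPROMO unless they were moved, and there will be a single site link, so the lag-site column will be false: that is the "overkill" case seadawg describes, and a system-state backup of the role holder (on Server 2008 and later, `wbadmin start systemstatebackup -backupTarget:<drive>`) plus a practised authoritative restore is the realistic safety net.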


----------



## Dwight Ennis (Jan 2, 2008)

> My job is what drives me to the old school technology of live steam, WAY more easier to understand.

Now THAT comment I FULLY understand without further research! 

I want to thank everyone for their comments and help. You guys are great!


----------

