#1
We have an old NT domain, with a PDC & BDC. (And we currently have users' home folders on one of these boxes.)

About a year ago, when we migrated from Lotus Notes to ES2k3, we created a new domain, and migrated all *users* to the new domain. We started, slowly, adding machines to the new domain as they were being serviced/replaced. Now, all *new*

We just added trusts between the two domains. For *whatever* reason, they didn't exist. (Until we looked, we didn't know if they didn't exist, weren't set up correctly, were broken, or "whatever".) Things have improved. But not entirely. Now, users don't have to "login" to connect to their home folder, which as I mentioned is on the box in the old domain. I believe the problem has to do with users trying to access their home folders' contents. (I don't seem to be able to get a very good explanation of just what the remaining problem is.)

We were "supposed" to be moving all the "old" stuff to the new domain. A year ago. Obviously, we haven't. And when I asked why we can't just do it now, I was told that we don't have our SAN, so we don't have enough space... yada... yada... yada... But I don't see why we can't migrate all the remaining users' computers to the new domain (which we have to do at some point ANYWAY), then move the older servers to the new domain. Who cares about the SAN? I mean, sure we need more space, we need the network upgraded, we need our Vmware, etc. But why can't we just move the old domain boxes to the new domain? Why do we need to get our SAN first? (Personally, I'm thinking it's just an excuse, so as to not have to redo certain work. But that's just me.)

Hmmm... I wonder if the AS/400 is part of this problem. I'm pretty sure *it's* on the old domain...

Any thoughts, suggestions, etc., are gladly welcomed and appreciated.

Thanks in advance,

Tom
Tcs

#2
"Tcs" <TSmithATEastPointCityDOTorg@> wrote in message
news:(E-Mail Removed)...
> We have an old NT domain, with a PDC & BDC. (And we currently have users'
> home folders on one of these boxes.)
>
> About a year ago, when we migrated from Lotus Notes to ES2k3, we created a
> new domain, and migrated all *users* to the new domain. We started, slowly,
> adding machines to the new domain as they were being serviced/replaced.
> Now, all *new*
>
> We just added trusts between the two domains. For *whatever* reason, they
> didn't exist. (Until we looked, we didn't know if they didn't exist,
> weren't set up correctly, were broken, or "whatever".)

Why did you add trusts? And did you add them in both directions without a positive reason? (Don't add trusts "just because"...)

> Things have improved. But not entirely. Now, users don't have to "login"
> to connect to their home folder, which as I mentioned is on the box in the
> old domain. I believe the problem has to do with users trying to access
> their home folders' contents. (I don't seem to be able to get a very good
> explanation of just what the remaining problem is.)

If you cannot state the problem we are unlikely to be able to help solve it....

> We were "supposed" to be moving all the "old" stuff to the new domain. A
> year ago. Obviously, we haven't. And when I asked why we can't just do it
> now, I was told that we don't have our SAN, so we don't have enough
> space... yada... yada... yada...

The easy answer would have been to just upgrade the old domain (back then).

> But I don't see why we can't migrate all the remaining users' computers to
> the new domain (which we have to do at some point ANYWAY), then move the
> older servers to the new domain.

Oddly enough, you might be best served by actually upgrading the old NT domain to Win2000+ so you can easily DCPromo those DCs to non-DC and then add them to the new domain.

> Who cares about the SAN? I mean, sure we need more space, we need the
> network upgraded, we need our Vmware, etc.

Somebody cares or else they wouldn't be preventing YOU from doing it that way.

> But why can't we just move the old domain boxes to the new domain?

For one, they are STILL PDC or BDCs from what you said.

> Why do we need to get our SAN first? (Personally, I'm thinking it's just
> an excuse, so as to not have to redo certain work. But that's just me.)

Disk space is cheap. SAN disk space is somewhat more expensive....

> Hmmm... I wonder if the AS/400 is part of this problem. I'm pretty sure
> *it's* on the old domain...

Odds are that the AS/400 is not "on the old domain" -- unless you have special software installed it is likely just "there".

> Any thoughts, suggestions, etc., are gladly welcomed and appreciated.
> Thanks in advance,

What do you want to happen? How can we help you?

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

> Tom

#3
On Wed, 22 Feb 2006 15:58:09 -0600, "Herb Martin"
<(E-Mail Removed)> wrote:

Oh...where do I begin?

*I* am not doing this. (I'm the DB Admin. I used to be the IT manager, in a previous life.) My supervisor did the network work. But both the junior tech and I have been frustrated by at least one problem we both shared. My logons were taking about a minute and half. Plus I was having to wait...wait...wait...every time I went to export data to an Excel spreadsheet from Access. I tried to explain my problem to him. He was *not* interested in listening. His response was basically, "It's only a slight delay. It's not like you can't get your work done.". (Gee, *that* was really helpful.)

The junior tech was having to wait a full 15 minutes to log on. I told him of my solution. His problem disappeared too. He was happy. And still is. But in dealing with the users, he's frustrated by working "around" the problem, instead of fixing "the" problem. When he asks our supervisor about moving the remaining machines into the new domain, all he gets is the "We need our SAN..." speech. He's been told to screw around with login scripts, and remove the manual drive mapping, which is a problem for users, because they have to login due to the multiple domains...

So I went looking. Not changing, just looking. What I found was...*OUR* DNS servers were not in the dns list distributed by the DHCP server.

I modified the DNS on my PC only. I added our two dns servers. My problems DISAPPEARED. I tried to tell my supervisor. Once again, he was only too glad to tell me, er, excuse me, I mean, "Explain to me...", why he did what he did. But he gave me absolutely *NO* indication he was wanting to, or even willing to, listen to what I had to say. And it's not like I was trying to say it was all wrong. I just think it was only 99.5% right.

>Why did you add trusts? And did you add them in both
>directions without a positive reason? (Don't add trusts
>"just because"...)

I suggested he look at trusts, because from what I remembered from class, and what I read in the knowledgebase article on MS's website the other day, it sounded like this just might solve our problem. Did he add them in *both* directions? I *assume* so. I know it's what *I* meant by "trusts", and not "trust". I'll have to check with him. Aren't they *required* in both directions?

>If you cannot state the problem we are unlikely to be able to help
>solve it....

Agreed. I'll have to check on this too.

>The easy answer would have been to just upgrade the old
>domain (back then).

Don't we wish.

>Oddly enough, you might be best served by actually
>upgrading the old NT domain to Win2000+ so you can
>easily DCPromo those DCs to non-DC and then add them
>to the new domain.

Hmmm... Now here's an idea. I wonder...

>For one, they are STILL PDC or BDCs from what you said.

I know, but once we migrate all the users' PCs to the new domain, can't we just "turn off" the old domain? (You can tell that I haven't done this before, can't you?)

>Disk space is cheap. SAN disk space is somewhat more expensive....

I know, I know. And it was just this week that our SAN was *finally* approved by Council. But it seems to me, that if he *really* wanted to fix the problem, we could do it without worrying about disk space. I know we need the SAN to be compliant and all. (At least that's all I keep hearing.)

>Odds are that the AS/400 is not "on the old domain" -- unless you
>have special software installed it is likely just "there".

I'll have to check on this too. I wouldn't bet against it. When the 400 came in the door 7 years ago, even using an IBM partner, the network was set up...less than ideally. All bridged instead of routed. (We have over a dozen different sites.) We *still* haven't gotten this fixed. We expect to get it fixed when we get a new phone system. But before we do the phone system, we have to see where a significant portion of staff will wind up. We're trying to buy some office park building so we can move most of the remaining staff out of City Hall and elsewhere. Once we're sure where we're going, we can move forward on the new phone system. And a large portion of it is supposed to be fiber with T1s to outlying locations. We'll have a new modern phone system and a network that works the way it's *supposed* to work. With routers that actually route.

>What do you want to happen? How can we help you?

I want to help the junior tech, to make his job easier and help him to help the end users. I'm not trying to "push" him though. I tell him, "*I* think this might work, but I'm *not* telling you what to do. I'm not your supervisor. And I don't want to get *either* of us into trouble. It's your decision."

-----

I'll have to find out tomorrow what the remaining problem(s) is/are that end users are having.

Thanks for your response. I do appreciate it.

#4
"Tcs" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Wed, 22 Feb 2006 15:58:09 -0600, "Herb Martin"
> <(E-Mail Removed)> wrote:
>
> problem we both shared. My logons were taking about a minute and
> half. Plus I was having to wait...wait...wait...every time I went to
> The junior tech was having to wait a full 15 minutes to log on. I
> told him of my solution. His problem disappeared too. He was happy.

Usually such issues are due to DNS problems (not trusts); most common are these:

1) Non-Dynamic DNS for AD
2) DCs not using STRICTLY the (internal) DNS servers which can allow them to register themselves.
3) Other machines (clients) not using STRICTLY the (internal) DNS servers which can allow them to resolve those DCs.

> So I went looking. Not changing, just looking. What I found
> was...*OUR* DNS servers were not in the dns list distributed by the
> DHCP server.

This jibes with the most likely issue....

> I modified the DNS on my PC only. I added our two dns servers. My
> problems DISAPPEARED. I tried to tell my supervisor. Once again, he

Exactly.

>>If you cannot state the problem we are unlikely to be able to help
>>solve it....
> Agreed. I'll have to check on this too.

NSlookup and DCDiag are your main tools (maybe NetDiag too) to discover if DNS is your problem.

Run (or get someone to run) DCDiag on every DC. Run NetDiag on affected clients. Check for DNS records with NSlookup.

>>Oddly enough, you might be best served by actually
>>upgrading the old NT domain to Win2000+ so you can
>>easily DCPromo those DCs to non-DC and then add them
>>to the new domain.
>
> Hmmm... Now here's an idea. I wonder...
>
>>For one, they are STILL PDC or BDCs from what you said.
>
> I know, but once we migrate all the users' PCs to the new domain,
> can't we just "turn off" the old domain? (You can tell that I haven't
> done this before, can't you?)

Yes. You can just turn them off but my idea was to keep them so the file shares would not be lost (if they have enough space and space is the supposed problem).

>>What do you want to happen? How can we help you?
>
> I want to help the junior tech, to make his job easier and help him to
> help the end users. I'm not trying to "push" him though. I tell him,
> "*I* think this might work, but I'm *not* telling you what to do. I'm
> not your supervisor. And I don't want to get *either* of us into
> trouble. It's your decision."

Then you will need to detail specific issues (like the "slow logon" above.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

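
The client-side check behind points 2 and 3 of the reply above, as an added example that is not part of the thread: a Python script that parses `ipconfig /all` output and flags any adapter whose DNS list is not strictly the internal servers. The capture and the addresses 10.1.0.10 and 10.1.0.11 are constructed for illustration.

```python
import re

# Assumption: the two internal AD DNS servers (constructed addresses).
INTERNAL_DNS = {"10.1.0.10", "10.1.0.11"}

# Constructed `ipconfig /all` excerpt; 203.0.113.x (a documentation range)
# stands in for resolvers outside the domain.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : Yes
        DNS Servers . . . . . . . . . . . : 203.0.113.53
                                            203.0.113.54
        Primary WINS Server . . . . . . . : 10.1.0.5

Ethernet adapter Wireless Network Connection:

        DNS Servers . . . . . . . . . . . : 10.1.0.10
                                            203.0.113.53

Ethernet adapter Lab:

        DNS Servers . . . . . . . . . . . : 10.1.0.10
                                            10.1.0.11
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
FIELD_RE = re.compile(r"^\s+([^.:]+?)[ .]*:\s*(.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # IPv4 only, as in the capture


def parse_dns_servers(ipconfig_text):
    """Map each adapter name to the DNS servers listed under it."""
    adapters, current, in_dns = {}, None, False
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current, in_dns = header.group(1), False
            adapters[current] = []
            continue
        field = FIELD_RE.match(line)
        if field:  # "Label . . . : value" starts a new field
            in_dns = field.group(1) == "DNS Servers"
            value = field.group(2).strip()
        else:      # bare line: continuation of the previous field
            value = line.strip()
        if current and in_dns and IPV4_RE.match(value):
            adapters[current].append(value)
    return adapters


def audit(ipconfig_text, internal_dns=INTERNAL_DNS):
    """Return (adapter, problem, offending servers) for each bad adapter."""
    findings = []
    for adapter, servers in parse_dns_servers(ipconfig_text).items():
        outside = [s for s in servers if s not in internal_dns]
        if outside and len(outside) == len(servers):
            findings.append((adapter, "no internal DNS server", outside))
        elif outside:
            # An outside resolver that answers "no such name" for the AD
            # records ends the lookup; the client does not try the next one.
            findings.append((adapter, "internal DNS mixed with others", outside))
    return findings


if __name__ == "__main__":
    for adapter, problem, servers in audit(SAMPLE_IPCONFIG):
        print(f"{adapter}: {problem}: {', '.join(servers)}")
```
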
#5
On Wed, 22 Feb 2006 15:58:09 -0600, "Herb Martin" <(E-Mail Removed)> wrote:

>And did you add them in both
>directions without a positive reason? (Don't add trusts
>"just because"...)

1.) Even if I would say, "Because I thought..."? Seriously, I thought they had to be created in both directions, although I never specifically told him to do that, and had never done so before. (Never created them that is, regardless of the number.) I handed him the knowledgebase article that I had found on MS's website.

2.) He *did* create a trust in both directions. We discussed this, this morning when I went to him to get clarification for you. We are both thinking perhaps we only need a trust in the new domain to trust the old domain? Does this sound right?

3.) He removed them both, when they didn't work...entirely.

>If you cannot state the problem we are unlikely to be able to help
>solve it....

4.) Why did he remove them? Because the "home" directories are on the BDC (in the old domain). And he says...that no one could get to their files in their home directories. Logging on was fine. In fact, better than before. But their data was inaccessible.

>Oddly enough, you might be best served by actually
>upgrading the old NT domain to Win2000+ so you can
>easily DCPromo those DCs to non-DC and then add them
>to the new domain.

5.) I'm giving him this info for him to look into also...

I'll let you know when I have more to report.

Thanks again,

Tom

#6
"Tcs" <TSmithATEastPointCityDOTorg@> wrote in message
news:(E-Mail Removed)...
> On Wed, 22 Feb 2006 15:58:09 -0600, "Herb Martin" <(E-Mail Removed)>
> wrote:
>
>>And did you add them in both
>>directions without a positive reason? (Don't add trusts
>>"just because"...)
>
> 1.) Even if I would say, "Because I thought..."? Seriously, I thought
> they had to be created in both directions, although I never specifically
> told him to do that, and had never done so before. (Never created them
> that is, regardless of the number.) I handed him the knowledgebase
> article that I had found on MS's website.

A trust means that you have Resources on the trusting side, Users on the Trusted side, and INTEND to SHARE those resources with those users.

Specifically if you logon AT a machine you need that machine's domain to trust your user's domain.

> 2.) He *did* create a trust in both directions. We discussed this, this
> morning when I went to him to get clarification for you. We are both
> thinking perhaps we only need a trust in the new domain to trust the old
> domain? Does this sound right?

Not necessarily. Unless it fits the rules given above in answer to #1.

"Slow" never implies trusts. Failure to create required trust causes things to NOT work; rather than work slowly.

> 3.) He removed them both, when they didn't work...entirely.

Unclear what you mean here after the part about "removed". "...didn't work...entirely." ????

Removing trusts to "fix" something never makes sense. They might be unnecessary, even a security risk, but trusts that are useless would NOT prevent things from working.

>>If you cannot state the problem we are unlikely to be able to help
>>solve it....
>
> 4.) Why did he remove them? Because the "home" directories are on the
> BDC (in the old domain). And he says...that no one could get to their
> files in their home directories. Logging on was fine. In fact, better
> than before. But their data was inaccessible.
>
>>Oddly enough, you might be best served by actually
>>upgrading the old NT domain to Win2000+ so you can
>>easily DCPromo those DCs to non-DC and then add them
>>to the new domain.
>
> 5.) I'm giving him this info for him to look into also...
>

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

> I'll let you know when I have more to report.
>
> Thanks again,
>
> Tom

#7
"Tcs" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'll have to check on this too. I wouldn't bet against it. When the
> 400 came in the door 7 years ago, even using an IBM partner, the
> network was set up...less than ideally. All bridged instead of
> routed.

Bridging is perfectly fine. Most people set up routing when they *don't* need to and there is no point in it,....because they really have no idea what Layer3 segmenting gives them or doesn't give them....vs...what Layer2 segmenting (switching) gives them or doesn't give them.

If you don't suffer from broadcast packets overloading the links and you don't have any special security needs to run ACLs on the routers between the segments,..then the routing is needless and pointless.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------