Networking Forums

two domains question

 
 
Tcs
02-22-2006, 06:36 PM
We have an old NT domain, with a PDC & BDC. (And we currently have users' home
folders on one of these boxes.)

About a year ago, when we migrated from Lotus Notes to ES2k3, we created a new
domain, and migrated all *users* to the new domain. We started, slowly, adding
machines to the new domain as they were being serviced/replaced. Now, all *new*
We just added trusts between the two domains. For *whatever* reason, they
didn't exist. (Until we looked, we didn't know if they didn't exist, weren't
set up correctly, were broken, or "whatever".) Things have improved. But not
entirely. Now, users don't have to "login" to connect to their home folder,
which as I mentioned is on the box in the old domain. I believe the problem has
to do with users trying to access their home folders' contents. (I don't seem
to be able to get a very good explanation of just what the remaining problem
is.)

We were "supposed" to be moving all the "old" stuff to the new domain. A year
ago. Obviously, we haven't. And when I asked why we can't just do it now, I
was told that we don't have our SAN, so we don't have enough space... yada...
yada... yada... But I don't see why we can't migrate all the remaining users'
computers to the new domain (which we have to do at some point ANYWAY), then
move the older servers to the new domain. Who cares about the SAN? I mean,
sure we need more space, we need the network upgraded, we need our Vmware, etc.
But why can't we just move the old domain boxes to the new domain? Why do we
need to get our SAN first? (Personally, I'm thinking it's just an excuse, so as
to not have to redo certain work. But that's just me.)

Hmmm... I wonder if the AS/400 is part of this problem. I'm pretty sure *it's*
on the old domain...

Any thoughts, suggestions, etc., are gladly welcomed and appreciated. Thanks in
advance,

Tom
 
Herb Martin
02-22-2006, 08:58 PM
"Tcs" <TSmithATEastPointCityDOTorg@> wrote in message
news:(E-Mail Removed)...
> We have an old NT domain, with a PDC & BDC. (And we currently have users'
> home
> folders on one of these boxes.)
>
> About a year ago, when we migrated from Lotus Notes to ES2k3, we created a
> new
> domain, and migrated all *users* to the new domain. We started, slowly,
> adding
> machines to the new domain as they were being serviced/replaced. Now, all
> *new*
> We just added trusts between the two domains. For *whatever* reason, they
> didn't exist. (Until we looked, we didn't know if they didn't exist,
> weren't
> set up correctly, were broken, or "whatever".)


Why did you add trusts? And did you add them in both
directions without a positive reason? (Don't add trusts
"just because"...)

> Things have improved. But not
> entirely. Now, users don't have to "login" to connect to their home
> folder,
> which as I mentioned is on the box in the old domain. I believe the
> problem has
> to do with users trying to access their home folders' contents. (I don't
> seem
> to be able to get a very good explanation of just what the remaining
> problem
> is.)


If you cannot state the problem we are unlikely to be able to help
solve it....

> We were "supposed" to be moving all the "old" stuff to the new domain. A
> year
> ago. Obviously, we haven't. And when I asked why we can't just do it
> now, I
> was told that we don't have our SAN, so we don't have enough space...
> yada...
> yada... yada...


The easy answer would have been to just upgrade the old
domain (back then).

> But I don't see why we can't migrate all the remaining users'
> computers to the new domain (which we have to do at some point ANYWAY),
> then
> move the older servers to the new domain.


Oddly enough, you might be best served by actually
upgrading the old NT domain to Win2000+ so you can
easily DCPromo those DCs to non-DC and then add them
to the new domain.

> Who cares about the SAN? I mean,
> sure we need more space, we need the network upgraded, we need our Vmware,
> etc.


Somebody cares or else they wouldn't be preventing YOU
from doing it that way.

> But why can't we just move the old domain boxes to the new domain?


For one, they are STILL PDC or BDCs from what you said.

> Why do we
> need to get our SAN first? (Personally, I'm thinking it's just an excuse,
> so as
> to not have to redo certain work. But that's just me.)


Disk space is cheap. SAN disk space is somewhat more expensive....

> Hmmm... I wonder if the AS/400 is part of this problem. I'm pretty sure
> *it's*
> on the old domain...


Odds are that the AS/400 is not "on the old domain" -- unless you
have special software installed it is likely just "there".


> Any thoughts, suggestions, etc., are gladly welcomed and appreciated.
> Thanks in
> advance,


What do you want to happen? How can we help you?

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]


> Tom



 
 
Tcs
02-23-2006, 01:42 AM
On Wed, 22 Feb 2006 15:58:09 -0600, "Herb Martin"
<(E-Mail Removed)> wrote:

Oh...where do I begin?

*I* am not doing this. (I'm the DB Admin. I used to be the IT
manager, in a previous life.) My supervisor did the network work. But
both the junior tech and I have been frustrated by at least one
problem we both shared. My logons were taking about a minute and
half. Plus I was having to wait...wait...wait...every time I went to
export data to an Excel spreadsheet from Access. I tried to explain
my problem to him. He was *not* interested in listening. His
response was basically, "It's only a slight delay. It's not like you
can't get your work done." (Gee, *that* was really helpful.)

The junior tech was having to wait a full 15 minutes to log on. I
told him of my solution. His problem disappeared too. He was happy.
And still is. But in dealing with the users, he's frustrated by
working "around" the problem, instead of fixing "the" problem. When
he asks our supervisor about moving the remaining machines into the
new domain, all he gets is the "We need our SAN..." speech. He's been
told to screw around with login scripts, and remove the manual drive
mapping, which is a problem for users, because they have to login due
to the multiple domains...

So I went looking. Not changing, just looking. What I found
was...*OUR* DNS servers were not in the dns list distributed by the
DHCP server.

I modified the DNS on my PC only. I added our two dns servers. My
problems DISAPPEARED. I tried to tell my supervisor. Once again, he
was only too glad to tell me, er, excuse me, I mean, "Explain to
me...", why he did what he did. But he gave me absolutely *NO*
indication he was wanting to, or even willing to, listen to what I had
to say. And it's not like I was trying to say it was all wrong. I
just think it was only 99.5% right.

>Why did you add trusts? And did you add them in both
>directions without a positive reason? (Don't add trusts
>"just because"...)


I suggested he look at trusts, because from what I remembered from
class, and what I read in the knowledgebase article on MS's website
the other day, it sounded like this just might solve our problem. Did
he add them in *both* directions? I *assume* so. I know it's what
*I* meant by "trusts", and not "trust". I'll have to check with him.
Aren't they *required* in both directions?

>If you cannot state the problem we are unlikely to be able to help
>solve it....


Agreed. I'll have to check on this too.

>The easy answer would have been to just upgrade the old
>domain (back then).


Don't we wish.

>Oddly enough, you might be best served by actually
>upgrading the old NT domain to Win2000+ so you can
>easily DCPromo those DCs to non-DC and then add them
>to the new domain.


Hmmm... Now here's an idea. I wonder...

>For one, they are STILL PDC or BDCs from what you said.


I know, but once we migrate all the users' PCs to the new domain,
can't we just "turn off" the old domain? (You can tell that I haven't
done this before, can't you?)

>Disk space is cheap. SAN disk space is somewhat more expensive....


I know, I know. And it was just this week that our SAN was *finally*
approved by Council. But it seems to me, that if he *really* wanted
to fix the problem, we could do it without worrying about disk space.
I know we need the SAN to be compliant and all. (At least
that's all I keep hearing.)

>Odds are that the AS/400 is not "on the old domain" -- unless you
>have special software installed it is likely just "there".


I'll have to check on this too. I wouldn't bet against it. When the
400 came in the door 7 years ago, even using an IBM partner, the
network was set up...less than ideally. All bridged instead of
routed. (We have over a dozen different sites.) We *still* haven't
gotten this fixed. We expect to get it fixed when we get a new
phone system. But before we do the phone system, we have to see where
a significant portion of staff will wind up. We're trying to buy some
office park building so we can move most of the remaining staff out of
City Hall and elsewhere. Once we're sure where we're going, we can
move forward on the new phone system. And a large portion of it is
supposed to be fiber with T1s to outlying locations. We'll have a new
modern phone system and a network that works the way it's *supposed*
to work. With routers that actually route.

>What do you want to happen? How can we help you?


I want to help the junior tech, to make his job easier and help him to
help the end users. I'm not trying to "push" him though. I tell him,
"*I* think this might work, but I'm *not* telling you what to do. I'm
not your supervisor. And I don't want to get *either* of us into
trouble. It's your decision."

-----

I'll have to find out tomorrow what the remaining problem(s) is/are
that end users are having.

Thanks for your response. I do appreciate it.
 
 
Herb Martin
02-23-2006, 03:16 AM
"Tcs" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Wed, 22 Feb 2006 15:58:09 -0600, "Herb Martin"
> <(E-Mail Removed)> wrote:
>
> problem we both shared. My logons were taking about a minute and
> half. Plus I was having to wait...wait...wait...every time I went to


> The junior tech was having to wait a full 15 minutes to log on. I
> told him of my solution. His problem disappeared too. He was happy.



Usually such issues are due to DNS problems (not trusts);
most common are these:

1) Non-Dynamic DNS for AD
2) DCs not using STRICTLY the (internal) DNS servers which
can allow them to register themselves.
3) Other machines (clients) not using STRICTLY the (internal) DNS
servers which can allow them to resolve those DCs.


> So I went looking. Not changing, just looking. What I found
> was...*OUR* DNS servers were not in the dns list distributed by the
> DHCP server.


This jibes with the most likely issue....

> I modified the DNS on my PC only. I added our two dns servers. My
> problems DISAPPEARED. I tried to tell my supervisor. Once again, he


Exactly.


>>If you cannot state the problem we are unlikely to be able to help
>>solve it....


> Agreed. I'll have to check on this too.


NSlookup and DCDiag are your main tools (maybe NetDiag too)
to discover if DNS is your problem.

Run (or get someone to run) DCDiag on every DC.

Run NetDiag on affected clients.

Check for DNS records with NSlookup.


>>Oddly enough, you might be best served by actually
>>upgrading the old NT domain to Win2000+ so you can
>>easily DCPromo those DCs to non-DC and then add them
>>to the new domain.

>
> Hmmm... Now here's an idea. I wonder...
>
>>For one, they are STILL PDC or BDCs from what you said.

>
> I know, but once we migrate all the users' PCs to the new domain,
> can't we just "turn off" the old domain? (You can tell that I haven't
> done this before, can't you?)


Yes. You can just turn them off, but my idea was to keep them
so the file shares would not be lost (if they have enough space,
and space is the supposed problem).


>>What do you want to happen? How can we help you?

>
> I want to help the junior tech, to make his job easier and help him to
> help the end users. I'm not trying to "push" him though. I tell him,
> "*I* think this might work, but I'm *not* telling you what to do. I'm
> not your supervisor. And I don't want to get *either* of us into
> trouble. It's your decision."


Then you will need to detail specific issues (like the "slow logon"
above.)




--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
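Herb's three DNS checks (DCs and clients pointed strictly at the internal AD DNS servers, and the DC records actually resolvable from them), collected into one client-side script. This is an added example, not something posted in the thread: the domain name `newdomain.example` and the server addresses `10.0.0.10` / `10.0.0.11` are placeholders to replace with your own, and the `DnsClient` cmdlets it uses need Windows 8 / Server 2012 or later. On the 2003-era boxes in the thread, `ipconfig /all`, `nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain>`, `dcdiag /test:DNS` and `netdiag` cover the same ground by hand.

```powershell
# Added example (not from the thread): is this Windows client pointed ONLY at the
# internal AD DNS servers, and can those servers hand back the domain's DC records?
# Assumptions (hypothetical values, replace with your own): the AD DNS domain is
# 'newdomain.example' and the internal DNS servers are 10.0.0.10 and 10.0.0.11.
param(
    [string]   $AdDomain    = 'newdomain.example',
    [string[]] $InternalDns = @('10.0.0.10', '10.0.0.11')
)

$problems = @()

# 1) Which DNS servers is every active IPv4 adapter really using? DHCP handing out
#    the ISP's or the firewall's resolvers is exactly what Tom found on his own PC.
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } |
    Sort-Object -Unique

$foreign = $configured | Where-Object { $InternalDns -notcontains $_ }
if ($foreign) {
    $problems += "Client resolves through non-AD DNS server(s): $($foreign -join ', ')"
}
if (-not ($configured | Where-Object { $InternalDns -contains $_ })) {
    $problems += "None of the internal AD DNS servers ($($InternalDns -join ', ')) is configured"
}

# 2) Can each internal server answer for the DC locator records? A member machine
#    needs these SRV records at logon. Missing records usually mean the zone is not
#    dynamic or the DCs are not registering through the internal servers
#    (Herb's points 1 and 2); slow logons on a correctly pointed client do not.
foreach ($srv in "_ldap._tcp.dc._msdcs.$AdDomain", "_kerberos._tcp.dc._msdcs.$AdDomain") {
    foreach ($server in $InternalDns) {
        try {
            $answers = Resolve-DnsName -Name $srv -Type SRV -Server $server -DnsOnly -ErrorAction Stop |
                Where-Object { $_.Type -eq 'SRV' }
            if (-not $answers) { $problems += "$server returned no SRV records for $srv" }
        } catch {
            $problems += "$server failed to answer $srv : $($_.Exception.Message)"
        }
    }
}

# 3) Summarise. The heavier checks Herb names run on the right boxes, not here:
#      dcdiag /test:DNS /v          on every domain controller
#      nltest /dsgetdc:<AdDomain>   on an affected client (does DC location succeed?)
if ($problems.Count -eq 0) {
    Write-Output "OK: client uses only AD DNS ($($configured -join ', ')) and DC SRV records resolve."
} else {
    $problems | ForEach-Object { Write-Output "PROBLEM: $_" }
}
```

Run it on a machine with the slow logon and on one without; if the first lists a non-AD resolver and the second does not, the DHCP scope's DNS option is the fix, not the trusts. A client that is correctly pointed but still gets no SRV answers points back at the DCs and the zone, which is where `dcdiag /test:DNS` takes over.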

 
Tcs
02-23-2006, 01:18 PM
On Wed, 22 Feb 2006 15:58:09 -0600, "Herb Martin" <(E-Mail Removed)> wrote:

>And did you add them in both
>directions without a positive reason? (Don't add trusts
>"just because"...)


1.) Even if I would say, "Because I thought..."? Seriously, I thought they had
to be created in both directions, although I never specifically told him to do
that, and had never done so before. (Never created them that is, regardless of
the number.) I handed him the knowledgebase article that I had found on MS's
website.

2.) He *did* create a trust in both directions. We discussed this, this
morning when I went to him to get clarification for you. We are both thinking
perhaps we only need a trust in the new domain to trust the old domain? Does
this sound right?

3.) He removed them both, when they didn't work...entirely.

>If you cannot state the problem we are unlikely to be able to help
>solve it....


4.) Why did he remove them? Because the "home" directories are on the BDC (in
the old domain). And he says...that no one could get to their files in their
home directories. Logging on was fine. In fact, better than before. But their
data was inaccessible.

>Oddly enough, you might be best served by actually
>upgrading the old NT domain to Win2000+ so you can
>easily DCPromo those DCs to non-DC and then add them
>to the new domain.


5.) I'm giving him this info for him to look into also...

I'll let you know when I have more to report.

Thanks again,

Tom
 
 
Herb Martin
02-23-2006, 02:20 PM
"Tcs" <TSmithATEastPointCityDOTorg@> wrote in message
news:(E-Mail Removed)...
> On Wed, 22 Feb 2006 15:58:09 -0600, "Herb Martin" <(E-Mail Removed)>
> wrote:
>
>>And did you add them in both
>>directions without a positive reason? (Don't add trusts
>>"just because"...)

>
> 1.) Even if I would say, "Because I thought..."? Seriously, I thought
> they had
> to be created in both directions, although I never specifically told him
> to do
> that, and had never done so before. (Never created them that is,
> regardless of
> the number.) I handed him the knowledgebase article that I had found on
> MS's
> website.


A trust means that you have Resources on the trusting side,
Users on the Trusted side, and INTEND to SHARE those
resources with those users.

Specifically if you logon AT a machine you need that machine's
domain to trust your user's domain.

> 2.) He *did* create a trust in both directions. We discussed this, this
> morning when I went to him to get clarification for you. We are both
> thinking
> perhaps we only need a trust in the new domain to trust the old domain?
> Does
> this sound right?


Not necessarily. Unless it fits the rules given above in answer
to #1.

"Slow" never implies trusts. Failure to create required trust
causes thing to NOT work; rather than work slowly.

> 3.) He removed them both, when they didn't work...entirely.


Unclear what you mean here after the part about "removed".

"...didn't work...entirely." ????

Removing trusts to "fix" something never makes sense. They
might be unnecessary, even a security risk, but trusts that
are useless would NOT prevent things from working.

>>If you cannot state the problem we are unlikely to be able to help
>>solve it....

>
> 4.) Why did he remove them? Because the "home" directories are on the
> BDC (in
> the old domain). And he says...that no one could get to their files in
> their
> home directories. Logging on was fine. In fact, better than before. But
> their
> data was inacessable.
>
>>Oddly enough, you might be best served by actually
>>upgrading the old NT domain to Win2000+ so you can
>>easily DCPromo those DCs to non-DC and then add them
>>to the new domain.

>
> 5.) I'm giving him this info for him to look into also...
>



--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

> I'll let you know when I have more to report.
>
> Thanks again,
>
> Tom
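Herb's rule (resources on the trusting side, users on the trusted side) applied to the layout Tom describes, as an added example that is not part of the thread: the accounts were migrated to the new AD domain, while the home-folder server and the not-yet-migrated PCs still sit in the old NT 4.0 domain, so the old domain is the one that has to trust the new one. Domain names (`OLDNT`, `NEWCORP`), the admin account names and the server/share names are hypothetical placeholders; `netdom`, `nltest` and `cacls` are the standard Microsoft tools and the commands run unchanged from cmd.exe.

```powershell
# Added example, not from the thread. Applies Herb's rule to Tom's layout:
# user accounts live in the NEW (AD) domain, while the home-folder server and the
# not-yet-migrated PCs live in the OLD (NT 4.0) domain. Resources sit on the trusting
# side and users on the trusted side, so OLD must trust NEW; nothing in the thread
# requires the reverse direction. Domain, account and share names are hypothetical.
$OldDomain = 'OLDNT'     # trusting side: holds the resources (home folders, old PCs)
$NewDomain = 'NEWCORP'   # trusted side: holds the user accounts

# 1) Record what exists before touching anything: direction and type of each trust.
nltest /domain_trusts /all_trusts

# 2) Create the ONE-WAY trust: OLD trusts NEW. Leave out /TwoWay unless OLD-domain
#    accounts genuinely need NEW-domain resources; a direction nobody uses is only
#    added exposure. /PasswordO:* and /PasswordD:* prompt for the trusting-side (O)
#    and trusted-side (D) credentials instead of putting them on the command line.
netdom trust $OldDomain "/Domain:$NewDomain" /Add `
    "/UserO:$OldDomain\Administrator" /PasswordO:* `
    "/UserD:$NewDomain\Administrator" /PasswordD:*

# 3) Verify the trust's secure channel rather than assuming it works.
netdom trust $OldDomain "/Domain:$NewDomain" /Verify `
    "/UserO:$OldDomain\Administrator" /PasswordO:* `
    "/UserD:$NewDomain\Administrator" /PasswordD:*

# 4) A trust only lets the OLD side recognise NEW-domain users; it grants nothing by
#    itself. The share and NTFS permissions on each home folder must name
#    NEWCORP\<user> (or a NEWCORP group), not the retired OLDNT accounts.
#    cacls ships with NT 4.0 and shows the current NTFS ACL.
cacls '\\OLDBDC\Home$\tom'

# 5) Test from a machine where a NEWCORP user is logged on. With the trust and the
#    ACLs both right this connects with no credential prompt.
net use H: '\\OLDBDC\Home$\tom'
```

The same trust can be created from the GUI (Active Directory Domains and Trusts on the new side, User Manager for Domains on the NT 4.0 side); the point of writing it out is that the direction is decided by where the users and the resources live, not by a habit of always creating both. Because one side is NT 4.0 this is an external, NTLM-only trust, which is the kind Herb flags as unnecessary exposure once the old domain no longer hosts anything; remove it when the home folders move.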



 
 
Phillip Windell
02-23-2006, 07:16 PM
"Tcs" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> I'll have to check on this too. I wouldn't bet against it. When the
> 400 came in the door 7 years ago, even using an IBM partner, the
> network was set up...less than ideally. All bridged instead of
> routed.


Bridging is perfectly fine. Most people set up routing when they *don't*
need to and there is no point in it,....because they really have no idea
what Layer3 segmenting gives them or doesn't give them....vs...what Layer2
segmenting (switching) gives them or doesn't give them.

If you don't suffer from broadcast packets overloading the links and you
don't have any special security needs to run ACLs on the routers between the
segments,..then the routing is needless and pointless.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------



 