New SBS Domain controller advice

Oct 16, 2002
142
0
0
This weekend I have a little job to complete - I have done something like this before but just wanted to get any opinions on best approach.

THE WAY IT IS NOW: W2k Domain controller (is very old), a few other servers (just file servers), about 30 workstations, various printers and other devices. Email is currently POP3 hosted elsewhere.

WHAT I'M DOING: New W2k3 SBS server going in - old domain controller will be demoted but soldier on as a file server and license server for some floating licenses. When the domain was originally setup, the wag who put it in named the internal domain the same thing as the external domain (.com). I fixed this by simply putting in pointers in DNS to our externally hosted sites but it's annoying. When I put in the new controller I am changing the internal domain to a .local.

I want the fastest (but good) approach possible to finish this. It's not a big deal to create active domain accounts since there are only 30 users or so but I would rather not. What I don't want to do is spend a huge amount of time migrating each local user profile at the individual workstations (or heaven forbid corrupting user profiles).

MY GAME PLAN:

Plan 1: Turn on the new domain controller, and try to use ADMT to copy the accounts over to the new controller. If that doesn't work then:

Plan 2: Create each account separately on the new DC and use "CONNECT COMPUTER" (the sbs wizard) on each workstation to join the new domain. (This will preserve local user profiles, right??)

Plan 3: If these just don't work, create each account, join each workstation to the domain, then copy the old local user account over manually to the new local user account.


Advice? Also, if this doesn't take very long, I would like to then start the Exchange migration, using just for now a POP3 connector. Is there some best way to do that? My plan was to create the Exchange mailbox for each person, then join their Outlook to it, then copy the contents of their .PST into the Exchange mailbox (doing this locally on each workstation). There are some good reasons not to do everything this weekend and instead use a POP3 connector for a month or so - there are some laptops that I will not get access to (they are Macs to boot) and also I just haven't prepared everything for a DNS switch (changing it to point to us instead of the external POP).


Thank you very much in advance to anybody who replies - I just want a little guidance.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
For thirty accounts, I'd likely just start with a new SBS domain. I'd name it xxxx.LAN to avoid older model Macintosh issues with the .LOCAL suffix.

1) Create .PST backups of everyone's email.
2) Make sure you have the Local Administrator passwords for all the workstations.
3) Unjoin them from the old Domain. I have a technique for migrating older Domain profiles to a new Domain profile that only involves Registry changes, but I don't have it available at this moment.
4) Join the new Domain with //Connectcomputer, importing the old user profile.
5) Import the .PST backups into the user's Exchange mailbox using Outlook.

I always do the migration from POP to Exchange as part of the initial migration to the new server. I believe that stretching it out just costs time and money. If you really need to keep some POP accounts, then, yeah, you can always turn on the POP3 Exchange Connector that's part of SBS.

It's much better to prepare for the DNS switch in ADVANCE of something like this, though.
 
Oct 16, 2002
142
0
0
Thanks - if you have that technique I'd like to read it.

On Exchange, it's just not possible - the two Mac laptops that I don't have access to are the Boss and the Number One in the company and they won't leave them over the weekend while I do this. I won't be in the office when they return. So I need to make sure they still have access via the POP - so I can't redirect the DNS. I have to set up RPC over HTTP for all the laptop users and fiddle with these two Macs to get them to the Mac equivalent. Also the Macs need to be upgraded to Entourage 2004 as I understand it to do the RPC thing.
 

her209

No Lifer
Oct 11, 2000
56,336
11
0
What I would recommend:

Don't mess with the internal .com domain name.

Install SBS server. Join SBS to current domain. dcpromo it. Transfer FSMO roles to SBS. dcpromo other DC to a member server. Create mailboxes for each user. If you have the correct connectivity to e-mail server (assuming it's Exchange 2000 or newer), easiest way is to use ExMerge and extract all the e-mails out of each mailbox and ExMerge it onto the SBS server. Go to each user desktop and connect the Outlook to SBS.

No messing with new accounts. No having to recreate user accounts on desktops. No having to recreate printers and reconnect in each user profile.

EDIT: I need to add that you should confirm that you're allowed to have multiple domain controllers in the same domain (due to SBS) before attempting.
 
Oct 16, 2002
142
0
0
Unfortunately it's too late for that - the SBS is an OEM - already setup. Also there is no other exchange server - we are moving from POP.

But can't I sort of do this by running the ADMT and moving the user profiles from old DC to new DC?

I likely will end up doing just what rebatemonger has suggested because I know how to do this without messing about.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Re: Migrating User profiles from old Domain to new Domain

This isn't exactly the method I use, but it's the same concept. This quote comes from the public Windows Server newsgroup:

"This method came in from M.J. Shoer (MSh...@jenaly.com), who attended the
SMB Nation Summit in Boston in May. He writes:

This method has worked for us without fail. We can retain the complete
profile customizations for a PC that was logged into one domain and must now
be logged into a new one.

The method works for both Win2K and WinXP. It has also worked for upgrading
SBS 2000 to SBS 2003, where it is happening on the same server, meaning that
you have to reformat the SBS 2000 server and load "freshie," as you would
say, with SBS 2003. Here's how it works.

Once the SBS 2003 server is set up and the computers are set up on the
server side, log into the client PC and run the connectcomputer URL. When
that step is completed, log in as the user. Then immediately log off and log
on as the domain administrator.

Be sure the domain user account is in the local administrator's group. Then
open Registry Editor and navigate to
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
You will see a listing for each SID. Within each SID key, you will see an
entry for ProfileImagePath with a path to the user's profile in the form of
%SystemDrive%\Documents and Settings\UserName.

The trick is to find the new key that was set up at logon to the SBS 2003
server and edit the path to refer back to the original profile path. So, for
example, if you are migrating and changing domains, you want to have a path
like %SystemDrive%\Documents and Settings\UserName.OldDomain. You then have
a new SID key with a path like %SystemDrive%\Documents and
Settings\UserName.NewDomain. You can edit this key and replace NewDomain
with OldDomain to point to the old profile.

In the case of a server migration within the same domain, you have a path to
the effect of %SystemDrive%\Documents and Settings\UserName.Domain and
%SystemDrive%\Documents and Settings\UserName.Domain.000. In this instance,
you delete the .000 to point back to the original profile."


Concerning the internal Domain name:
I think it's a great time to correct the Domain name error. I had one client with a mis-spelled Domain name (the name of the owner was mis-spelled). They never corrected it and kept adding more and more servers. Now they have five servers in their domain and could NEVER afford to correct the Domain name. Fix it now that you have the opportunity.
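The ProfileList edit described in the newsgroup quote above, scripted as an added example (not code from the thread or from the quoted post). The `-NewSuffix` and `-OldSuffix` parameters are assumptions standing in for the folder-name endings the quote describes (`.NewDomain` to `.OldDomain`, or `.Domain.000` to `.Domain`); it is written for PowerShell 2.0 or later and only reports what it would change unless `-Apply` is given.

```powershell
# Added example: repoint a new SID's ProfileImagePath at the old profile folder.
# Dry run unless -Apply is given. Run as an administrator on the client PC
# while the affected user is logged off.
param(
    [Parameter(Mandatory=$true)] [string] $NewSuffix,                       # e.g. '.NEWDOM' or '.DOMAIN.000' (constructed)
    [Parameter(Mandatory=$true)] [AllowEmptyString()] [string] $OldSuffix,  # e.g. '.OLDDOM' or '.DOMAIN' (constructed)
    [switch] $Apply
)

$regKey = 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
$root   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$plan = @()
foreach ($key in Get-ChildItem $root) {
    # ProfileImagePath is REG_EXPAND_SZ; read it raw so %SystemDrive% is preserved.
    $raw = $key.GetValue('ProfileImagePath', $null, 'DoNotExpandEnvironmentNames')
    if (-not $raw -or -not $raw.EndsWith($NewSuffix, [StringComparison]::OrdinalIgnoreCase)) { continue }

    $target = $raw.Substring(0, $raw.Length - $NewSuffix.Length) + $OldSuffix
    $plan += New-Object PSObject -Property @{
        Sid          = $key.PSChildName
        Key          = $key.PSPath
        Current      = $raw
        Target       = $target
        # Only repoint to a folder that is really on disk.
        TargetExists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($target))
    }
}

$plan | Format-Table Sid, Current, Target, TargetExists -AutoSize
if (-not $Apply) { return }

# Keep a restorable copy of the whole key before editing it.
$backup = Join-Path $env:TEMP ("ProfileList-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
& reg.exe export $regKey $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup of $regKey failed; nothing was changed." }

foreach ($item in $plan) {
    if (-not $item.TargetExists) {
        Write-Warning "Skipping $($item.Sid): $($item.Target) not found"
        continue
    }
    # Write the value back as REG_EXPAND_SZ, the type it had originally.
    Set-ItemProperty -Path $item.Key -Name ProfileImagePath -Value $item.Target -Type ExpandString
    Write-Output "Repointed $($item.Sid) -> $($item.Target) (backup: $backup)"
}
```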
 
Oct 16, 2002
142
0
0
Thank you, I am going to add that to my folder of things to remember.

Thank you also to remind me to make a backup of the PST - I probably would have just worked with the original PST, but that violates my first rule: "Before every action, ask yourself, 'now, what's the worst thing that could happen here?'"


Also, this part I haven't done before: What will be the reaction of the other domain controller and of the SBS server when I turn on the SBS on the network? (Give it an IP in the current subnet). I don't want to demote the other domain controller until the new one is up and proven working fine in its duties.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Be sure to turn off the other DC's DHCP Server. SBS won't tolerate a second DHCP server on the same network.

Also, obviously, if both servers have the same NetBIOS name, then there will be complaints.

Otherwise, SBS shouldn't care.
 
Oct 16, 2002
142
0
0
Ok - thanks. Although, I thought one of the ironclad stipulations was that SBS will not tolerate 2 domain controllers in the same domain? If that's not the case then I would like to leave the other one as a backup. I wasn't planning on doing that though.

Also, I am planning on expanding the Exchange Store from the default 18GB to around 40 or 50 GB right off the bat via the registry change that is documented by MS (I can't remember where...) My understanding is that it can kick up to 75GB max (It's 2003 R2). Is there a good reason not to do so? I believe my 30 users average a 1GB pst each. That equals a 30GB store, right? Or does it not translate exactly? Some of the users struggle to keep it under 2GB but I have given them tools (how to export a folder in the PST, etc) to keep it under.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
You can have other DCs, both from the SBS Domain and from another Domain, on the same network. But SBS won't "Trust" another Domain.

You can have as many DCs in the SBS Domain as you wish, at least up to the 75 User/Device connection limit. But SBS won't tolerate not being the Root DC (with all of the FSMO roles) for more than a few days.

No problem increasing the mail store size. Just be sure you can stand the added backup and restoration sizes and times. Be sure to REMOVE the Default mailbox size limits before importing the PST, or you will have complications in the import. Unfortunately, Exchange 2003 CAN'T set an individual mailbox limit larger than 2.1GB. So you have to turn the limit OFF.
 
Oct 16, 2002
142
0
0
Ok.

No problem on the backup. I backup 1TB+ weekly for these guys.

Thanks for all your replies, I feel much more confident going into this.

One last question - in your initial post, step #3 - can't I skip this? Can't I just join each workstation to the domain and import the old user profile? I am unclear on what I am doing by unjoining them from the domain or performing the registry trick, if I am just importing the user profile after anyway.

Thanks for your time, I appreciate it and value it.
 
Oct 16, 2002
142
0
0
Thanks Rebate Monger -

I am in the middle of this right now and that registry change is the thing that is working the most reliably. Connect computer is a little quirky.

As it turns out the boss agreed to bring in his Mac for me later in the weekend and the other Mac guy left his for me to work on it. So I may be able to phone in the dns change sunday night and hope it takes by tuesday. Now I just gotta configure that rpc over http for the mac - and one of them doesn't have entourage 2004...

Also gotta figure out how to work with the Mac's mail store - not sure where it is kept like the pst.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: bluegreenturtle
I am in the middle of this right now and that registry change is the thing that is working the most reliably. Connect computer is a little quirky.
ConnectComputer usually works fine. Three issues can affect it:

1) DNS issues
2) Multiple enabled NICs on a client PC
3) "Private" folders on the client PC. There's diagnostics information available on the PC, but normally all you do is simply reset the permissions for that User's "Documents and Settings Folder".

After you've done it a few hundred times, it becomes second nature.
 
Oct 16, 2002
142
0
0
What's happening is that I created all the user accounts and computer accounts, some computers, when I run connectcomputer, don't have their name to choose from in the list of computers. Yet in active directory there they are. In this case doing everything manually works (unjoining the old domain, then joining the new one). In another instance the connect computer just stalled - it didn't complete. It's not really a big deal - I can do it all manually. I appreciate your help - that registry trick alone has saved me some grief already.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
The problem is the computer name. If the actual computer name is the same as a name in AD, it won't work. The Computer Name won't show up in the list.

Either use a different set of computer names or else temporarily change the name of the computer first before you run ConnectComputer. I always use new names for the computers to avoid this problem.

Double-check the functionality of any computers you add manually. Be sure to move them to the proper OU, or you'll have issues.

Also, when you add your old servers to the new Domain, use "ConnectComputer", too.
 
Oct 16, 2002
142
0
0
So I am all finished - it was a tough go for some things - problems I did not expect etc. Mostly users who didn't pay attention when I gave them the new webmail address, explained the difference in concepts between Exchange and POP, etc.

One problem I am struggling with is poor performance - outlook pops up the "trying to communicate" quite a bit sometimes (sometimes it's ok). I don't understand this - the server is a quad core xeon with 15krpm sas disks and 4gb of ram - it should be entirely sufficient for 30 users. I have installed SBS on machines with a quarter the specs and had no performance issues at all. The disks *are* in a raid-5, and I know this is not the "best" practices - supposed to be a different spindle for the exchange db, etc, but why do I not have these issues then with the very pedestrian other servers doing the same service - several of them running raid 5 on regular sata 7.2k rpm, or one even doing raid 1 on an ata array? The only difference is there is a mac on this network.

I guess I am going to buy a couple more SAS drives and separate out the DB and transaction logs, but it still seems weird. Also this server is not doing any functions other than DHCP, DNS and PDC - it's not a file server, so there isn't an access load on the disks.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Exchange/Outlook issues are often DNS related. Is the SBS Server your sole DNS Server on your network? Do all the client PCs use it as their only DNS server? As you said, I have an SBS Server with 1/4 the processing power of your Server running a 30-person office with no problems. Including four Macintosh client PCs. Outlook 2003 barely does any communication anyway, since you usually use it in Cached mode.
 
Oct 16, 2002
142
0
0
After running ExTRA - it always says "extremely high RPC activity". Also the paged pool memory keeps slipping above the threshold - 245mb. I am planning on restarting tonight to see if that helps any. This is the only DNS server.

Thanks for your replies btw.
 
Oct 16, 2002
142
0
0
It's the exchange troubleshooting assistant - http://www.microsoft.com/downl...56CAF9A&displaylang=en
It analyzes traffic and your Exchange installation and makes suggestions based on performance measured over about 5 minutes. Give it a try - it's small and simple to use and you will see how it works - very self-explanatory when you see what it does. (Needs to be installed on an Exchange server.)
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Originally posted by: bluegreenturtle
After running ExTRA - it always says "extremely high RPC activity".
I only have ONE person connected to my office SBS 2003 Server (me on my desktop and my WM5 phone) and the ExTRA tools says I have "unusually high user activity detected, RPC Operations per second rates indicate a user or users on this server are unusually active".

It sounds like this warning doesn't mean much. I have zero issues connecting to my office SBS Server.

I sent a single test email during the monitoring time and received no emails at all. The five minute RPC Performance Counter Details section says that "high" user activity level was .495 operations per second per user.

Thanks for information about the tool, though. I'll try it on a large client's SBS Server where they've been having weird delayed sends (most likely because of Postini, though).
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
Your Exchange issues have nothing to do with the server performance, it's either DNS related or network related (look at the cabling). Those specs of the server are adequate for a thousand user environment.
 
Oct 16, 2002
142
0
0
I think the cabling is ok - this went into an existing network that was fine. It's possible I missed something in the DNS but these SBS dns setups are pretty no-brainer.
 

RebateMonger

Elite Member
Dec 24, 2005
11,586
0
0
Ah. The joys of troubleshooting networking issues. LOL.

Do you actually get "Disconnected" messages on the Outlook status bar? Does this happen to ALL the PCs at one time or another?
 