RE: [ActiveDir] Changing DHCP Servers
I agree, but in my case I have no choice. But, as to your question, yes it is as simple as that. Just deactivate the scope on the win2k box, and activate it on your w2k3 box. One thing I noticed, shutting down the DHCP server on the w2k3 box and restarting it was necessary. Don't ask me why, it just was.

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 10, 2004 10:38 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Changing DHCP Servers

I'd suggest against running DHCP on a domain controller, due to a known security issue. However, it's a fairly small window of opportunity, but it is an ugly hole if it is exploited.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Jerry Johnson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 10, 2004 8:52 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Changing DHCP Servers

Everyone,

I have added a w2k3 DC into our network and am gradually giving it more responsibility, so far so good. The next thing I want to do is make it our DHCP server (currently being held by a win2k server that is going to be formatted and made into w2k3). I have created an identical scope on the new box but have not activated it. Is it just a matter of deactivating the old and activating the new, or is it more involved than that?

Thank You
Jerry
Scicom Data Services
Minnetonka, MN
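The cutover described in this thread (deactivate the scope on the old box, activate it on the new one, restart the new DHCP service), as an added example that is not code from the list or its posters. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later with RSAT, which the 2004 thread predates), and the server names and scope ID are placeholders; the pre-check that both scope definitions match and the warning when the new host is a DC are the additions a practitioner would want.

```powershell
# Added example: DHCPv4 scope cutover between two servers with safety checks.
# Assumes the DhcpServer module; names below are placeholders, not from the thread.
param(
    [string]$OldServer = 'OLD-DHCP.example.test',   # placeholder
    [string]$NewServer = 'NEW-DHCP.example.test',   # placeholder
    [string]$ScopeId   = '10.0.1.0'                 # placeholder
)

# Snapshot of everything that must match before the cutover.
function Get-ScopeDefinition {
    param([string]$Server, [string]$ScopeId)
    $scope = Get-DhcpServerv4Scope -ComputerName $Server -ScopeId $ScopeId
    [pscustomobject]@{
        Range      = "$($scope.StartRange)-$($scope.EndRange)/$($scope.SubnetMask)"
        Lease      = $scope.LeaseDuration.ToString()
        Exclusions = @(Get-DhcpServerv4ExclusionRange -ComputerName $Server -ScopeId $ScopeId |
                       ForEach-Object { "$($_.StartRange)-$($_.EndRange)" } | Sort-Object) -join ','
        Options    = @(Get-DhcpServerv4OptionValue -ComputerName $Server -ScopeId $ScopeId |
                       ForEach-Object { "$($_.OptionId)=$($_.Value -join ';')" } | Sort-Object) -join ','
        State      = $scope.State
    }
}

$old = Get-ScopeDefinition -Server $OldServer -ScopeId $ScopeId
$new = Get-ScopeDefinition -Server $NewServer -ScopeId $ScopeId

# Compare every field except State (the new scope is expected to be inactive still).
$diff = foreach ($f in 'Range', 'Lease', 'Exclusions', 'Options') {
    if ($old.$f -ne $new.$f) { "{0}: old='{1}' new='{2}'" -f $f, $old.$f, $new.$f }
}
if ($diff) { throw "Scope $ScopeId differs between servers:`n$($diff -join "`n")" }
if ($new.State -eq 'Active') {
    throw "Scope $ScopeId is already active on $NewServer; two active copies would hand out overlapping leases"
}

# Roger's caveat in the thread: flag it when the new DHCP host is a domain controller
# (Win32_ComputerSystem.DomainRole 4 = backup DC, 5 = primary DC).
$role = (Get-CimInstance -ComputerName $NewServer -ClassName Win32_ComputerSystem).DomainRole
if ($role -ge 4) { Write-Warning "$NewServer is a domain controller; the thread advises against hosting DHCP on a DC" }

# Cutover: never leave both copies of the scope active at once.
Set-DhcpServerv4Scope -ComputerName $OldServer -ScopeId $ScopeId -State InActive
Set-DhcpServerv4Scope -ComputerName $NewServer -ScopeId $ScopeId -State Active

# The reply above found a restart of the DHCP service on the new box was needed.
Invoke-Command -ComputerName $NewServer -ScriptBlock { Restart-Service -Name DHCPServer }

# Post-check: exactly one side is active.
$states = @($OldServer, $NewServer) | ForEach-Object {
    (Get-DhcpServerv4Scope -ComputerName $_ -ScopeId $ScopeId).State
}
if (@($states | Where-Object { $_ -eq 'Active' }).Count -ne 1) {
    throw "Unexpected scope states after cutover: $($states -join ', ')"
}
```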
[ActiveDir] Moved DC out of DMZ
One more question, guys.. As you know, I successfully moved a DC out of the DMZ. I have other 2000 servers sitting in the DMZ that no longer can see a DC. How do I force them to see the DC that is on the inside now that there is no longer a DC in the DMZ?

TIA

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Moved DC out of DMZ
Never mind... duh. I figured it out. (It's a 2 cup morning...) :^)

-----Original Message-----
From: Frank Buechler
Sent: Friday, February 06, 2004 9:46 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moved DC out of DMZ

One more question, guys.. As you know, I successfully moved a DC out of the DMZ. I have other 2000 servers sitting in the DMZ that no longer can see a DC. How do I force them to see the DC that is on the inside now that there is no longer a DC in the DMZ?

TIA
RE: [ActiveDir] Moved DC out of DMZ
Yep! Thanks Rich! Now I can focus my weekend plans on something a little more relaxing.. namely drinking beer! :^)

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 06, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ

Sounds like you're doing pretty well over there, well done. And you thought you'd be spending the weekend on it :)

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 06, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ

Never mind... duh. I figured it out. (It's a 2 cup morning...) :^)

-----Original Message-----
From: Frank Buechler
Sent: Friday, February 06, 2004 9:46 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moved DC out of DMZ

One more question, guys.. As you know, I successfully moved a DC out of the DMZ. I have other 2000 servers sitting in the DMZ that no longer can see a DC. How do I force them to see the DC that is on the inside now that there is no longer a DC in the DMZ?

TIA

---APPLEBEE'S INTERNATIONAL, INC. CONFIDENTIALITY NOTICE---
PRIVILEGED / CONFIDENTIAL INFORMATION may be contained in this message or any attachments. This information is strictly confidential and may be subject to attorney-client privilege. This message is intended only for the use of the named addressee. If you are not the intended recipient of this message, unauthorized forwarding, printing, copying, distribution, or using such information is strictly prohibited and may be unlawful. If you have received this in error, you should kindly notify the sender by reply e-mail and immediately destroy this message. Unauthorized interception of this e-mail is a violation of federal criminal law. Applebee's International, Inc. reserves the right to monitor and review the content of all messages sent to and from this e-mail address. Messages sent to or from this e-mail address may be stored on the Applebee's International, Inc. e-mail system.
RE: [ActiveDir] Moved DC out of DMZ
Speaking of beer.. a sampler platter tonight at Applebee's sounds great! I really love those riblets!!

-----Original Message-----
From: Rich Milburn [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 06, 2004 10:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ

Sounds like you're doing pretty well over there, well done. And you thought you'd be spending the weekend on it :)

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Friday, February 06, 2004 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moved DC out of DMZ

Never mind... duh. I figured it out. (It's a 2 cup morning...) :^)

-----Original Message-----
From: Frank Buechler
Sent: Friday, February 06, 2004 9:46 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moved DC out of DMZ

One more question, guys.. As you know, I successfully moved a DC out of the DMZ. I have other 2000 servers sitting in the DMZ that no longer can see a DC. How do I force them to see the DC that is on the inside now that there is no longer a DC in the DMZ?

TIA
RE: [ActiveDir] Moving Schema Master (continued...)
Hm, not a bad idea, shipmate.

-----Original Message-----
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 6:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Don't you have a desktop PC that you could temporarily use? If not, you might want to consider moving your internal DC into the DMZ long enough to move the FSMO instead of the other way around.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Wish I could.. Roger had the same idea, placing a server in the DMZ, moving the role, then bringing the server inside to transfer it to a trusted DC. He called it a swing server. Great idea, but I don't have another box to do that with.

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 2:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Have you tried standing up a server in the DMZ next to the Schema Master server (i.e. a new server in the DMZ), then transferring the FSMO role to the new server?

Just an idea,
Todd

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 12:46 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master (continued...)

Greetings All,

If you have been following this thread, you know that I am having problems moving the Schema Master role from a server sitting in my DMZ to one sitting in trusted. I have opened up all ports between these two servers, and I am still getting the same error: current FSMO could not be contacted. I am really at a loss! I can't seize the role as the server currently acting as the Schema Master is also an Exchange server, and is hosting IIS. It is not a server that I can take offline and rebuild. I have verified that all requisite rights are in place, I have verified replication, I even called the mfgr. (Netscreen) of the firewall to verify that I did indeed have all ports open. I can't take this server offline to bring it inside, and I don't have a system that I can use as a swing server as Roger suggested. Is there anything else that may be preventing me from doing this? I am really getting frustrated! (And behind schedule...)

TIA for any help.
RE: [ActiveDir] Moving Schema Master (continued...)
Can I demote a DC running Exchange 2000? I know this is not supported with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Yes, you should be able to do it without rebuilding anything. It may require a domain synchronize to take effect. But you could force that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I thought I would throw this out there. A good option for you may be to use ntdsutil to enter the metabase to see if there is a tombstoned record in your metabase. After which you could delete the old record and manually enter a new record, or seize the role with the internal DC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After running dcdiag /test:Knowsofroleholders /v, it turns out the server in the DMZ fails. What I get is this:

Warning: CN=NTDS Settings ...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings ...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the internal server as the role holder.

I'm still researching this, but I think I'm getting closer to the problem...

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Hm, not a bad idea, shipmate.

-----Original Message-----
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 6:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Don't you have a desktop PC that you could temporarily use? If not, you might want to consider moving your internal DC into the DMZ long enough to move the FSMO instead of the other way around.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Wish I could.. Roger had the same idea, placing a server in the DMZ, moving the role, then bringing the server inside to transfer it to a trusted DC. He called it a swing server. Great idea, but I don't have another box to do that with.

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 2:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Have you tried standing up a server in the DMZ next to the Schema Master server (i.e. a new server in the DMZ), then transferring the FSMO role to the new server?

Just an idea,
Todd

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 12:46 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master (continued...)

Greetings All,

If you have been following this thread, you know that I am having problems moving the Schema Master role from a server sitting in my DMZ to one sitting in trusted. I have opened up all ports between these two servers, and I am still getting the same error: current FSMO could not be contacted. I am really at a loss! I can't seize the role as the server currently acting as the Schema Master is also an Exchange server, and is hosting IIS. It is not a server that I can take offline and rebuild. I have verified that all requisite rights are in place, I have verified replication, I even called the mfgr. (Netscreen) of the firewall to verify that I did indeed have all ports open. I can't take this server offline to bring it inside
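The dcdiag finding in this thread (role holders reported as deleted) is the kind of thing worth checking from every DC before any transfer or seizure is attempted. The following is an added example, not code from the list or its posters: it parses the output of `dcdiag /test:KnowsOfRoleHolders /v` and flags stale holders. The sample text is constructed to mirror the two warning lines quoted above; the exact wording of a given dcdiag build may differ, so the two patterns are the part to adjust if it does.

```powershell
# Added example: detect FSMO role holders that dcdiag reports as deleted.
# Sample output below is constructed; server and domain names are placeholders.

function Get-FsmoRoleHolderState {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)][string[]]$Line)
    begin {
        # Healthy line, e.g. "Role Schema Owner = CN=NTDS Settings,CN=DC1,..."
        $ok  = '^\s*Role (?<role>.+?) Owner = (?<dn>CN=NTDS Settings,.+)$'
        # Stale line, e.g. "Warning: CN=NTDS Settings,... is the Schema Owner, but is deleted"
        $del = '^\s*Warning: (?<dn>CN=NTDS Settings,.+?) is the (?<role>.+?) Owner, but is deleted'
    }
    process {
        foreach ($l in $Line) {
            if ($l -match $del) {
                [pscustomobject]@{ Role = $Matches.role; Holder = $Matches.dn; Deleted = $true }
            } elseif ($l -match $ok) {
                [pscustomobject]@{ Role = $Matches.role; Holder = $Matches.dn; Deleted = $false }
            }
        }
    }
}

# Constructed sample shaped like what the DMZ DC reported in the thread:
# two roles pointing at a deleted NTDS Settings object, three pointing at the internal DC.
$sample = @'
   Starting test: KnowsOfRoleHolders
      Warning: CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test is the Schema Owner, but is deleted.
      Warning: CN=NTDS Settings,CN=DMZ-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test is the Domain Owner, but is deleted.
      Role PDC Owner = CN=NTDS Settings,CN=INT-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
      Role Rid Owner = CN=NTDS Settings,CN=INT-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
      Role Infrastructure Update Owner = CN=NTDS Settings,CN=INT-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=test
'@ -split "`r?`n"

$roles = $sample | Get-FsmoRoleHolderState
$roles | Format-Table Role, Deleted, Holder -AutoSize

$stale = @($roles | Where-Object { $_.Deleted })
if ($stale.Count -gt 0) {
    $names = ($stale | ForEach-Object { "$($_.Role) Owner" }) -join ', '
    Write-Warning ("Stale FSMO holders reported by this DC: $names. " +
                   "Compare with 'netdom query fsmo' from another DC before transferring or seizing anything.")
}

# Live use, run on each DC in turn so the views can be compared:
#   dcdiag /test:KnowsOfRoleHolders /v | Get-FsmoRoleHolderState
```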
RE: [ActiveDir] Moving Schema Master (continued...)
Here's the scenario: I am upgrading this shop across the board to 2003, including Exchange. I want to get a 2003 DC in place before putting Exchange on a 2003 stand-alone server. To do this, I need to prep the domain for the new 2003 schema, and I need to do this on the 2000 server acting as the schema master.

Maybe I am looking at this wrong. What do you think?

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

You're very welcome Frank. Yes, you can demote a DC running Exchange 2000. However, I'm not sure what effect that will have on the Exchange installation. I would do this in a test environment before doing that sort of thing in a production environment. Just curious, why would you want to do this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Yes, you should be able to do it without rebuilding anything. It may require a domain synchronize to take effect. But you could force that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I thought I would throw this out there. A good option for you may be to use ntdsutil to enter the metabase to see if there is a tombstoned record in your metabase. After which you could delete the old record and manually enter a new record, or seize the role with the internal DC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After running dcdiag /test:Knowsofroleholders /v, it turns out the server in the DMZ fails. What I get is this:

Warning: CN=NTDS Settings ...blah blah.. is the Schema Owner, but is deleted
Warning: CN=NTDS Settings ...blah blah.. is the Domain Owner, but is deleted

PDC, RID, and Infrastructure Update Owner all passed, seeing the internal server as the role holder.

I'm still researching this, but I think I'm getting closer to the problem...

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 8:29 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I figured you knew that... Sorry.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Hm, not a bad idea, shipmate.

-----Original Message-----
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 6:55 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Don't you have a desktop PC that you could temporarily use? If not, you might want to consider moving your internal DC into the DMZ long enough to move the FSMO instead of the other way around.

Kenneth W. (Ken) Adams, MCSA, MCSE

-----Original Message-----
From: Frank Buechler [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 4:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Wish I could.. Roger had the same idea, placing a server in the DMZ, moving the role, then bringing the server inside to transfer it to a trusted DC. He called it a swing server. Great idea, but I don't have another box to do that with.

-----Original Message-----
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 04, 2004 2:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Have you tried standing up a server in the DMZ next
RE: [ActiveDir] Moving Schema Master (continued...)
I have a new HP ProLiant coming in, supposed to be here within the next couple of days. That will be a new DC/file server. I want to introduce that into the domain first. I will transfer all services and what-not off the existing file server, wipe it, and install it into the network as a 2003 stand-alone server. This will be the new 2003 Exchange server. Once the Exchange move is completed, and all other services are moved from the 2000 DC currently in the DMZ, I will remove it from the AD, wipe it, and install 2003 on it to act as an internal apps server. There are more servers than this in the loop, but I've only covered it from a DC perspective.

Now, just so I understand, you're saying that I should be able to seize the schema master role on the internal 2000 DC without it adversely affecting the server in the DMZ because that server thinks it's been deleted anyway?

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Okay, I would say your first step would be to seize the Schema Master role to the DC on the internal network before considering anything else. All the while leaving the Exchange server running in the DMZ, it won't do much harm that hasn't already been done by it being there. Meaning, if the metabase already shows that the record has been deleted, then it seems the server doesn't know it's a role holder to anything else but itself. Once you have done that it all depends on how you expect to migrate the data between the existing Exchange server and the new Exchange server for your next hurdle. I'm sorry Frank. I don't mean to pry the subject, but where do you plan on finding the system to run the new Exchange server without taking down the existing server?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003, including Exchange. I want to get a 2003 DC in place before putting Exchange on a 2003 stand-alone server. To do this, I need to prep the domain for the new 2003 schema, and I need to do this on the 2000 server acting as the schema master.

Maybe I am looking at this wrong. What do you think?

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

You're very welcome Frank. Yes, you can demote a DC running Exchange 2000. However, I'm not sure what effect that will have on the Exchange installation. I would do this in a test environment before doing that sort of thing in a production environment. Just curious, why would you want to do this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Yes, you should be able to do it without rebuilding anything. It may require a domain synchronize to take effect. But you could force that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 11:38 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I do this without having to rebuild the server in the DMZ?

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 11:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I thought I would throw this out there. A good option for you may be to use ntdsutil to enter the metabase to see if there is a tombstoned record in your metabase. After which you could delete the old record and manually enter a new record, or seize the role with the internal DC.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 10:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I've done a little more research.. turns out I missed something. After running dcdiag /test:Knowsofroleholders /v, it turns out the server in the DMZ fails. What I get is this:

Warning: CN=NTDS Settings ...blah blah.. is the Schema Owner
RE: [ActiveDir] Moving Schema Master (continued...)
Should I demote the DMZ server first? I have to tell you, the thought of doing either (demoting, or seizing the roles) scares the you know what out of me because that server is so important to this organization. Any down time while I recover the thing will be a very_bad_thing.

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 2:09 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

From what I gather, if you have run a dcdiag on the server not in the DMZ and it returns that it does not know of a schema master role holder, that would mean that for some reason the AD has somehow seen the old schema role holder as a stale record and therefore deleted it from the metabase. So, the answer is yes, you should be able to seize the role with the internal DC if there aren't existing role holders. Please, anyone feel free to correct me if I'm wrong.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 1:25 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

I have a new HP ProLiant coming in, supposed to be here within the next couple of days. That will be a new DC/file server. I want to introduce that into the domain first. I will transfer all services and what-not off the existing file server, wipe it, and install it into the network as a 2003 stand-alone server. This will be the new 2003 Exchange server. Once the Exchange move is completed, and all other services are moved from the 2000 DC currently in the DMZ, I will remove it from the AD, wipe it, and install 2003 on it to act as an internal apps server. There are more servers than this in the loop, but I've only covered it from a DC perspective.

Now, just so I understand, you're saying that I should be able to seize the schema master role on the internal 2000 DC without it adversely affecting the server in the DMZ because that server thinks it's been deleted anyway?

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 12:47 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Okay, I would say your first step would be to seize the Schema Master role to the DC on the internal network before considering anything else. All the while leaving the Exchange server running in the DMZ, it won't do much harm that hasn't already been done by it being there. Meaning, if the metabase already shows that the record has been deleted, then it seems the server doesn't know it's a role holder to anything else but itself. Once you have done that it all depends on how you expect to migrate the data between the existing Exchange server and the new Exchange server for your next hurdle. I'm sorry Frank. I don't mean to pry the subject, but where do you plan on finding the system to run the new Exchange server without taking down the existing server?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:35 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Here's the scenario: I am upgrading this shop across the board to 2003, including Exchange. I want to get a 2003 DC in place before putting Exchange on a 2003 stand-alone server. To do this, I need to prep the domain for the new 2003 schema, and I need to do this on the 2000 server acting as the schema master.

Maybe I am looking at this wrong. What do you think?

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 12:19 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

You're very welcome Frank. Yes, you can demote a DC running Exchange 2000. However, I'm not sure what effect that will have on the Exchange installation. I would do this in a test environment before doing that sort of thing in a production environment. Just curious, why would you want to do this?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Frank Buechler
Sent: Thursday, February 05, 2004 12:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Can I demote a DC running Exchange 2000? I know this is not supported with Exchange 2003, but I can't find any literature regarding 2000.

Again, thanks for your help Michael (and everyone!)

-----Original Message-----
From: Michael Wassell [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 05, 2004 11:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Yes, you should be able to do it without rebuilding anything. It may require a domain synchronize to take effect. But you could force that.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
[ActiveDir] Moving Schema Master (continued...)
Greetings All,

If you have been following this thread, you know that I am having problems moving the Schema Master role from a server sitting in my DMZ to one sitting in trusted. I have opened up all ports between these two servers, and I am still getting the same error: current FSMO could not be contacted. I am really at a loss! I can't seize the role as the server currently acting as the Schema Master is also an Exchange server, and is hosting IIS. It is not a server that I can take offline and rebuild. I have verified that all requisite rights are in place, I have verified replication, I even called the mfgr. (Netscreen) of the firewall to verify that I did indeed have all ports open. I can't take this server offline to bring it inside, and I don't have a system that I can use as a swing server as Roger suggested. Is there anything else that may be preventing me from doing this? I am really getting frustrated! (And behind schedule...)

TIA for any help.
[ActiveDir] More move Schema Master
A hypothetical..

Say I find that I simply cannot move the Schema Master role from the server sitting in the DMZ. I have tried everything, and nothing works. What would be the downside of running ADPREP /FORESTPREP on that server, and proceeding with the 2003 upgrade as planned? Anything?
RE: [ActiveDir] More move Schema Master
You're talking about NETDOM. I tried that, it made no difference. I also ran NETDOM query fsmo on the trusted server, it is seeing the server in the DMZ fine. And I ran dcdiag /v on both servers, both are fine. Microsoft recommends that I bring the server inside to move the role off. This may be my only option at this point. I really want to get that role out of the DMZ. I don't want a DC out there period.

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 1:14 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] More move Schema Master

Before doing anything that drastic, check the event logs on both servers. With the server inside the DMZ being behind closed ports, its hidden account password may be out of sync with the DC inside the network. MS has a Knowledge Base article about how to change the hidden machine account password (can't remember the article number off the top of my head). Find the article and follow the instructions to change the machine account password before you do anything else.

The reason I know about this issue is that I deleted some profiles from one of my home domain controllers and messed up my primary account profile. I performed a non-authoritative restore on that server and lost the ability to have secure connectivity with my other DC. Following the article corrected the problem. Basically, on the 'good' DC (in your case, the one inside your network, not the one in the DMZ) you open a command prompt and run a specific command with specific arguments. I've slept too many times since I did this to my machine, but the process worked like a charm. I was able to do whatever I needed from that point on using either DC.

Kenneth W. (Ken) Adams, MCSA, MCSE

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 12:51 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] More move Schema Master

A hypothetical..

Say I find that I simply cannot move the Schema Master role from the server sitting in the DMZ. I have tried everything, and nothing works. What would be the downside of running ADPREP /FORESTPREP on that server, and proceeding with the 2003 upgrade as planned? Anything?
RE: [ActiveDir] Moving Schema Master (continued...)
Wish I could.. Roger had the same idea, placing a server in the DMZ, moving the role, then bringing the server inside to transfer it to a trusted DC. He called it a swing server. Great idea, but I don't have another box to do that with.

-Original Message-
From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 2:33 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master (continued...)

Have you tried standing up a server in the DMZ next to the Schema Master Server (IE. New server in the DMZ). Then transfer the FSMO role to new server.

Just an Idea,
Todd

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 04, 2004 12:46 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master (continued...)

Greetings All

If you have been following this thread, you know that I am having problems moving the Schema Master role from a server sitting in my DMZ to one sitting in trusted. I have opened up all ports between these two servers, and I am still getting the same error; current FSMO could not be contacted. I am really at a loss! I can't seize the role as the server currently acting as the Schema Master is also an Exchange server, and is hosting IIS. It is not a server that I can take offline and rebuild. I have verified that all requisite rights are in place, I have verified replication, I even called the mfgr. (Netscreen) of the firewall to verify that I did indeed have all ports open. I can't take this server offline to bring it inside, and I don't have a system that I can use as a swing server as Roger suggested. Is there anything else that may be preventing me from doing this? I am really getting frustrated! (And behind schedule...) TIA for any help.
RE: [ActiveDir] Is this list still active?
Thanks Shawn! Then I will post my pesky little problem here shortly.. :^)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 10:40 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Is this list still active?

Nobody here but us chickens... Just kidding, this is a very active list... very informative, lots of smart people, not including myself.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 10:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Is this list still active?

I have a couple of questions, and I really need help!
[ActiveDir] Moving Schema Master
Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine people can help me out. First, let me give you an outline of the structure here. I have (2) 2000 servers, one in the DMZ (Exchange Server, our clients rely heavily on OWA), and the other sitting in trusted. The Operations Master is the server sitting on the inside, the Schema Master is the server sitting in the DMZ. I have been called here to upgrade everything to 2003 Server.

Here's where I'm at: I have placed a 2003 server (brand new box) on the network. This box is currently sitting in trusted, but it will eventually be the new Exchange server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the 2003 server into the AD. Since I really don't want to take the Exchange server off the network to do this, and since that box will be getting demoted anyway, I thought I would move the Schema Master role to the server currently sitting in trusted, and run ADPREP against it. However, when I attempt to do this, I get an error: The current FSMO holder could not be contacted. Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!
-Frank
RE: [ActiveDir] Moving Schema Master
Well, taking that machine out of the DMZ is going to have a few repercussions. Not only will it down OWA, but the corporate web site is also being hosted there. Opening ports is last resort stuff.. If I did bring that machine inside, how long would it take to move the Schema Master role to the second server? Are there any gotchas involved in doing that, then simply placing the machine back in the DMZ?

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master

Either take the current Schema Master out of the DMZ or (shudder) open the appropriate ports through the interior firewall and point them explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master

Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine people can help me out. First, let me give you an outline of the structure here. I have (2) 2000 servers, one in the DMZ (Exchange Server, our clients rely heavily on OWA), and the other sitting in trusted. The Operations Master is the server sitting on the inside, the Schema Master is the server sitting in the DMZ. I have been called here to upgrade everything to 2003 Server.

Here's where I'm at: I have placed a 2003 server (brand new box) on the network. This box is currently sitting in trusted, but it will eventually be the new Exchange server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the 2003 server into the AD. Since I really don't want to take the Exchange server off the network to do this, and since that box will be getting demoted anyway, I thought I would move the Schema Master role to the server currently sitting in trusted, and run ADPREP against it. However, when I attempt to do this, I get an error: The current FSMO holder could not be contacted. Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!
-Frank
RE: [ActiveDir] Moving Schema Master
Roger! How many years have I seen your name floating around these (and Dean's) lists? Yours is definitely a trusted voice my friend! I agree with you, and Squid is a solution I am familiar with. But, this is a small shop and that particular box does more than just OWA. I know what you're thinking, but my hands are tied on this one. Can I simply move the FSMO role off that box (by very quickly placing it inside), then move it back into the DMZ with no grief?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master

I'd suggest rearchitecting the network to be a more sane environment. Putting Exchange in the DMZ is fairly scary. IF your users are so intent on OWA from outside, it's a far better option, IMO, to put a proxy server (either ISA or Squid-proxy if you're Unix savvy) in the DMZ and putting the OWA box inside. You're putting an awful lot of collateral into an untrusted section of your domain, and having to allow a LOT of traffic into the inside network. Permanently moving the Exchange box inside would make a LOT of sense - even if you end up just passing all OWA traffic all the way in.

Second - the issue with the schema master is most likely because the necessary ports aren't open enough from the outside. One alternate, which is a bit ugly but could work, would be to set up IPSec tunneling between the two boxes - that way it's 100% open traffic because all of it would get encapsulated and passed through the pipe.

Personally, I'd permanently move the Exchange box to address both issues at once.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master

Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine people can help me out. First, let me give you an outline of the structure here. I have (2) 2000 servers, one in the DMZ (Exchange Server, our clients rely heavily on OWA), and the other sitting in trusted. The Operations Master is the server sitting on the inside, the Schema Master is the server sitting in the DMZ. I have been called here to upgrade everything to 2003 Server.

Here's where I'm at: I have placed a 2003 server (brand new box) on the network. This box is currently sitting in trusted, but it will eventually be the new Exchange server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the 2003 server into the AD. Since I really don't want to take the Exchange server off the network to do this, and since that box will be getting demoted anyway, I thought I would move the Schema Master role to the server currently sitting in trusted, and run ADPREP against it. However, when I attempt to do this, I get an error: The current FSMO holder could not be contacted. Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!
-Frank
RE: [ActiveDir] Moving Schema Master
I am the firewall guy.. ;^) Thinking in longer terms, I am going to encounter this same dilemma when I migrate Exchange 2000 to Exchange 2003 on the new server.. Maybe IPSec is the solution..

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master

The actual moving of the Schema Master role should take less than 15 minutes. Moving the server out of the DMZ would take longer. For the short time it would take to move the Schema Master role, I would talk to the firewall guys to see if they would be willing to 'hover' nearby to open the appropriate ports JUST long enough for the role move. That action would be the least disruptive to your clients' access to OWA and the primary web site.

Kenneth W. (Ken) Adams, MCSA, MCSE

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master

Well, taking that machine out of the DMZ is going to have a few repercussions. Not only will it down OWA, but the corporate web site is also being hosted there. Opening ports is last resort stuff.. If I did bring that machine inside, how long would it take to move the Schema Master role to the second server? Are there any gotchas involved in doing that, then simply placing the machine back in the DMZ?

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master

Either take the current Schema Master out of the DMZ or (shudder) open the appropriate ports through the interior firewall and point them explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master

Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine people can help me out. First, let me give you an outline of the structure here. I have (2) 2000 servers, one in the DMZ (Exchange Server, our clients rely heavily on OWA), and the other sitting in trusted. The Operations Master is the server sitting on the inside, the Schema Master is the server sitting in the DMZ. I have been called here to upgrade everything to 2003 Server.

Here's where I'm at: I have placed a 2003 server (brand new box) on the network. This box is currently sitting in trusted, but it will eventually be the new Exchange server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the 2003 server into the AD. Since I really don't want to take the Exchange server off the network to do this, and since that box will be getting demoted anyway, I thought I would move the Schema Master role to the server currently sitting in trusted, and run ADPREP against it. However, when I attempt to do this, I get an error: The current FSMO holder could not be contacted. Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!
-Frank
RE: [ActiveDir] Moving Schema Master
Not much info.. small shop, few users. I'm looking at IPSec.

-Original Message-
From: Craig Cerino [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master

How much info are we talking about Frank? That is going to come into play when you're talking about how long it will take.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Buechler
Sent: Tuesday, February 03, 2004 12:21 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master

Well, taking that machine out of the DMZ is going to have a few repercussions. Not only will it down OWA, but the corporate web site is also being hosted there. Opening ports is last resort stuff.. If I did bring that machine inside, how long would it take to move the Schema Master role to the second server? Are there any gotchas involved in doing that, then simply placing the machine back in the DMZ?

-Original Message-
From: Adams, Kenneth W (Ken) [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:56 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master

Either take the current Schema Master out of the DMZ or (shudder) open the appropriate ports through the interior firewall and point them explicitly to the server you want to become the Schema Master.

Kenneth W. (Ken) Adams, MCSA, MCSE

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master

Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine people can help me out. First, let me give you an outline of the structure here. I have (2) 2000 servers, one in the DMZ (Exchange Server, our clients rely heavily on OWA), and the other sitting in trusted. The Operations Master is the server sitting on the inside, the Schema Master is the server sitting in the DMZ. I have been called here to upgrade everything to 2003 Server.

Here's where I'm at: I have placed a 2003 server (brand new box) on the network. This box is currently sitting in trusted, but it will eventually be the new Exchange server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the 2003 server into the AD. Since I really don't want to take the Exchange server off the network to do this, and since that box will be getting demoted anyway, I thought I would move the Schema Master role to the server currently sitting in trusted, and run ADPREP against it. However, when I attempt to do this, I get an error: The current FSMO holder could not be contacted. Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!
-Frank
RE: [ActiveDir] Moving Schema Master
Okay, I'm trying to take the easy way out. Although I like your idea Roger, I don't have a box to do that with. I opened some ports in accordance with the following article: http://www.microsoft.com/serviceproviders/columns/config_ipsec_P63623.asp Using schmmgmt, I still cannot move the Schema Master role. I am getting the same error. What do you suppose I am missing?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 1:26 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master

Probably not without grief, no. ReIP-ing domain controllers isn't pretty, and probably not something I'd want to do twice, and still need the box when it's done. It might be better to build a swing box - take a desktop and make a swing server out of it. Put it in the DMZ and swing the Schema role onto it. Once replication settles (overnight?) move the swing box inside, reconfigure it for the internal network, and then move the Schema role to the interior box. Assuming you don't do anything stupid with the rulesets, there's no reason that the IP of that box while in the DMZ couldn't be wide open to the internal network, or better yet wide open to the internal DC.

And for the record, I've been sticking my neck out in one forum or another for better than 7 years methinks...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:48 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Moving Schema Master

Roger! How many years have I seen your name floating around these (and Dean's) lists? Yours is definitely a trusted voice my friend! I agree with you, and Squid is a solution I am familiar with. But, this is a small shop and that particular box does more than just OWA. I know what you're thinking, but my hands are tied on this one. Can I simply move the FSMO role off that box (by very quickly placing it inside), then move it back into the DMZ with no grief?

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 12:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Moving Schema Master

I'd suggest rearchitecting the network to be a more sane environment. Putting Exchange in the DMZ is fairly scary. IF your users are so intent on OWA from outside, it's a far better option, IMO, to put a proxy server (either ISA or Squid-proxy if you're Unix savvy) in the DMZ and putting the OWA box inside. You're putting an awful lot of collateral into an untrusted section of your domain, and having to allow a LOT of traffic into the inside network. Permanently moving the Exchange box inside would make a LOT of sense - even if you end up just passing all OWA traffic all the way in.

Second - the issue with the schema master is most likely because the necessary ports aren't open enough from the outside. One alternate, which is a bit ugly but could work, would be to set up IPSec tunneling between the two boxes - that way it's 100% open traffic because all of it would get encapsulated and passed through the pipe.

Personally, I'd permanently move the Exchange box to address both issues at once.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Frank Buechler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, February 03, 2004 11:08 AM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Moving Schema Master

Good Morning Folks

I'm having a bit of a problem and I'm wondering if one of you fine people can help me out. First, let me give you an outline of the structure here. I have (2) 2000 servers, one in the DMZ (Exchange Server, our clients rely heavily on OWA), and the other sitting in trusted. The Operations Master is the server sitting on the inside, the Schema Master is the server sitting in the DMZ. I have been called here to upgrade everything to 2003 Server.

Here's where I'm at: I have placed a 2003 server (brand new box) on the network. This box is currently sitting in trusted, but it will eventually be the new Exchange server. I want to run ADPREP /FORESTPREP on the Schema Master to bring the 2003 server into the AD. Since I really don't want to take the Exchange server off the network to do this, and since that box will be getting demoted anyway, I thought I would move the Schema Master role to the server currently sitting in trusted, and run ADPREP against it. However, when I attempt to do this, I get an error: The current FSMO holder could not be contacted. Does the Exchange server (Schema Master) need to come out of the DMZ?

TIA!
-Frank
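The thread never pins down why "The current FSMO holder could not be contacted" persists after "all ports" were opened, so here is an added diagnostic script (mine, not from any of the posts above) covering the two explanations raised: Roger's point that the ports are not open enough, and Ken's point in the "More move Schema Master" reply that the DMZ DC's machine-account password may have drifted. The security-relevant detail is that a role transfer is an RPC call: the receiving DC asks the endpoint mapper (135) on the current holder for a port and then connects to whatever dynamic port the directory service is listening on, so a firewall rule that allows only LDAP, Kerberos and SMB still fails the transfer. The script also reads the registry values that pin that port, which lets a DMZ firewall allow one fixed port instead of the whole dynamic range. It assumes a modern AD PowerShell module (RSAT) and the netdom/dcdiag/repadmin tools, none of which the 2004-era thread had in this form; the host and domain names are placeholders, and the netdom command is shown only as what I take Ken's "specific command" to be.

```powershell
# Added example, not from the thread. Run on the DC that should RECEIVE the role,
# as a Domain Admin. Assumes RSAT (ActiveDirectory module); names are placeholders.

$CurrentHolder = 'dmz-dc01.corp.example'    # placeholder: DC in the DMZ holding the role
$NewHolder     = 'inside-dc01.corp.example' # placeholder: trusted DC that should get it

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Same data as 'netdom query fsmo' (used in the thread), read from the directory.
    $forest = Get-ADForest
    $dom    = Get-ADDomain
    [PSCustomObject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-RoleHolderReachability {
    param([string]$Holder)
    # A transfer is an RPC call to the current holder: the receiving DC contacts the
    # endpoint mapper (135) and is handed a DYNAMIC port for the directory service.
    # Opening LDAP/Kerberos/SMB alone does not cover that second connection.
    $ports = [ordered]@{
        'DNS'                 = 53
        'Kerberos'            = 88
        'RPC endpoint mapper' = 135
        'LDAP'                = 389
        'SMB'                 = 445
        'LDAPS'               = 636
        'Global Catalog'      = 3268
    }
    foreach ($name in $ports.Keys) {
        $r = Test-NetConnection -ComputerName $Holder -Port $ports[$name] -WarningAction SilentlyContinue
        [PSCustomObject]@{ Service = $name; Port = $ports[$name]; TcpOpen = $r.TcpTestSucceeded }
    }
}

function Get-NtdsRpcPortPin {
    # Run ON the current holder. When 'TCP/IP Port' is set, AD replication and FSMO
    # RPC calls use that single port, so the firewall only needs 135 plus this one.
    # When it is unset the DC uses the dynamic range (1025-5000 on Windows 2003,
    # 49152-65535 on later versions), which is what "all ports open" has to include.
    $ntds = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    $rpc  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        NtdsFixedPort      = $ntds.'TCP/IP Port'    # DWORD; empty means dynamic
        RpcRestrictedRange = $rpc.Ports             # e.g. 5000-5100 when the range is restricted
        RpcRangeEnabled    = $rpc.UseInternetPorts  # 'Y' when the restricted range is in effect
    }
}

# --- Walk-through -----------------------------------------------------------
Get-FsmoHolders | Format-List
Test-RoleHolderReachability -Holder $CurrentHolder | Format-Table -AutoSize

# Ken's point: a DC that has sat behind closed ports can fall out of sync on its
# machine-account password, which breaks the secure channel before any RPC is tried.
# These checks show that condition without changing anything:
#   dcdiag /s:$CurrentHolder /test:MachineAccount
#   repadmin /showrepl $CurrentHolder
# The repair he describes is, as far as I know, netdom resetpwd, run on the
# out-of-sync DC with its KDC service stopped and /server: pointed at a healthy DC.
# Only do that after the checks above show the account is the problem.

# Once 135 and the NTDS port are reachable, transfer (do not seize) the role. This
# is the PowerShell equivalent of the schmmgmt step Frank used:
#   Move-ADDirectoryServerOperationMasterRole -Identity $NewHolder -OperationMasterRole SchemaMaster
```

If Test-RoleHolderReachability shows 135 open but Get-NtdsRpcPortPin on the DMZ DC reports no fixed port, the firewall rule that "opens everything" has to include the dynamic range, which is exactly the broad exposure Roger objects to; pinning the NTDS port and allowing only 135 plus that port is the narrower rule, and it is also what makes the IPSec tunnel he suggests unnecessary for this one operation.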