DC without .com extension in domain name

[Lightspeed1]

Hey Gang!
I recently picked up an engineering firm as a new customer and have a couple of sticky issues to deal with:

Site Overview - W2K server SP4, this is acting as the file server and also has Exchange2K installed (Yes, I know this is not optimal security-wise!)about 25 client PC's running W2K Pro and Outlook2K. DSL connection being Nat'ed by Sonicwall firewall. Static IP from ISP.

When they ran DCPROMO on the server to bring it up to a DC they named it without the .com extension so the domain looks like this \\server2.domain.
Rather than \\server2.domain.com
This has caused various DNS issues that I have been able to do work arounds for but I would like to get it set up correctly. A couple of questions that I would like people to chime in on:

1)They have a registered domain name and have a website being hosted by their ISP
A)when I reconfigure the internal domain name, should I name it the same as the registered domain name? (pro's and con's of this type of config?)
The reason that this is important is because they would like me to enable OWA. Presently, the ISP is hosting a basic website so the registered Domain name points at the ISP hosted site. In order to make OWA work I would need to have the ISP set up a reverse DNS entry to point at the static IP that lives on the public side of their firewall. Otherwise when the users type

http://servername.domainname.com/exchange

the DNS resolution isn't going to be there - result error 404!!

Obviously the issue with that is that when I set the reverse DNS entry up with the ISP to point at the "local" public IP the web site will no longer resolve. In my mind the solution to this is to host the web site internally right? So now I'll have security concerns not only with Exchange and OWA running on the DC /file server but also now a Web site that lives there too!! Am I in security hell here or what?!

2)My plan for the internal domain name reconfigure is as follows:
A)make a full system backup and a system state backup, run DCPROMO to demote the server to a member server, run DCPROMO again to make it a DC with the correct domain name structure (to include the .com extension)Then restore the system state backup to bring all of my user accts and permissions back to where they were. Is this going to work or was I way too hard on myself in the 80's??!!
Anybody know what this is going to do to Exchange2K?

Thanks for the help in advance and the patience to wade through all this!!

Regards,
Lightspeed1

 

[Lightspeed1]

Also seems to me I remember what a pain changing an exchange server name was in 5.5 but am I silly to hope that the 2000 version is easier?

Regards,
Lightspeed1

 

[Stevehewitt]

Oh dear! Look's like you were way to hard in the 80's!

OK, a system restore isn't going to work. If you want to rename your domain, you'd be best off demoting and re-creating AD. With a restore you can't just import users back into any domain.

Users have unique ID's (SID) that are used when accessing files etc. so when re-creating your domain not only are you going to have to reconfigure DNS (as AD is crap for setting it up) but also file & printer permissions.

I refuse to use exchange so I can't help - but from what I know about MS / AD technology - I would also remove / re-create that.

Regarding your question about DNS and domains. I have mine setup so that

http://www.domain.com

goes to our hosting company's servers but that any mail.domain.com goes to our on-site server. This way any user that goes to mail.domain.com/%username%/ ends up with a logon screen to their mailbox.

No pants reverse look up!

Well, it looks like its that time to get the thermos and sleeping bag out and give them a wipe over - could be a long night!

Good Luck,





Steve.

 

[mtompkins]

Been here - search Microsoft for 300684

It is a flat domain registry change.

Works like a charm.

 

[gschimenti]

I feel for you. I have dealt with a similar issue (Last year). Here is the difference. I had about 200 users on the LAN. This is how I would approach it given the info. MAKE A FULL SYSTEM BACK UP OF EXCHANGE AND STATE DATA. I WOULD SUGGEST GHOSTING THE SERVER DRIVE.

1-To demote the DC and Re promote the DC. I would set up a new box with Windows 2k server use the migration tool (in RESKIT) to move users to it (obviously after you have promoted it with the correct Domain name ComputerName.Domain.Com).
2-Demote the current DC. Promote it as the second DC in the forest. You will have two DC's now. You can bring down the Temp DC now.

Exchange:

1-Since this is Exchange 5.5 (This really Sux but it can be done).
I have copied the steps from MS below. I would use the temp server again to move data to it and move it back:
To move Exchange Server to a new computer consists of the following steps, which
are expanded later:

1. Backing up information from the original computer.

2. Installing Windows NT and Exchange Server on the new computer.

3. Installing Windows 2000 and Exchange Server on the new computer.

4. Restoring the Exchange Server data to the new computer.

5. Configuring the Key Management server (KM server).

6. Restoring and reconfiguring connectors.

Backing Up Information from the Original Computer:

1. At the original Exchange Server computer, start the Exchange Server
Administrator program. Note the following information:

- The organization and site names.

- The configuration parameters of any connectors that are installed on the
original computer. You may want to print screen dumps of the different
pages of the connector properties.

Quit the Exchange Server Administrator program, and then note the drive
configuration of the original computer.

2. At the original computer, stop all of the Exchange Server services.

3. Copy the entire Exchsrvr directory to another computer on the network, or to
a tape drive. If the log, database, and working directories are on different
drives, make sure that you copy the Exchsrvr directories from every drive.

4. Start the Exchange Server Performance Optimizer utility, and then note the
locations of the directory service, information store, message transfer agent
(MTA), and Internet Mail Service files. You can quit the Performance
Optimizer utility after you get the necessary information. You can also get
this information from the registry.

You may want to run the perfwiz -v command, and then note any customized
settings on the original computer.

Also, note the version and service pack number of Exchange Server that is
installed on the original computer.

5. If the KM server service is installed, stop the KM server service, and then
back up the Security directory. If the original computer is running Exchange
Server version 5.5, there is no Security directory, because the KM server
information is stored in the Exchsrvr\Kmsdata directory. Also back up the KM
server Startup disk.

6. Shut down the original computer, and then turn it off. Make sure that there
is an operational domain controller in the Windows NT domain.

Installing Windows NT and Exchange Server on the New Computer:

1. Using the Server Manager utility, remove the computer account for the
original computer, and then re-add it.

2. Install Windows NT on the new computer, using the same computer name that the
original computer used. If necessary, make the new computer a BDC. Ensure
that the original computer is turned off before you install Windows NT on the
new computer.

3. Reconfigure the drives on the new computer exactly as they were configured on
the original computer.

Installing Windows 2000 and Exchange Server on the New Computer:

NOTE:If the server is not a domain controller, do not perform step one and
proceed to step 2.

1. Run the Active Directory Installation Wizard (DCPROMO) to demote the server
to a member server.

2. To disjoin the server from the domain, click Properties, click the Network
Identification tab, click Properties, and then click Workgroup.

3. In Active Directory Users and Computers on a domain controller, remove the
computer account that corresponds to server that you have just removed from
the domain.

4. Install Windows 2000 on the new computer, and then name the computer the same
computer name that the original computer used. Ensure that you reconfigure
the drives on the new computer exactly as they were configured on the old
computer.

5. Join the server to the domain.

NOTE: It may be necessary to run the Active Directory Installation Wizard
(DCPROMO) to promote the member server to a domain controller.

Restoring the Exchange Server Data to the New Computer:

NOTE: When you install Exchange on the new server, create a new site with the
same site name, organization name, and server name as the previous server being
replaced. DO NOT join the site.

1. Install Microsoft Exchange 5.5 on the new server, and then click the option
to create a new organization. When you receive the prompt, use the same
organization and site names that were used on the original server. Install
the same service packs and hotfixes that were installed on the original
server.

2. Run the Performance Optimizer utility and verify that all of the paths are
the same as those noted in the previous steps.

3. Stop the Exchange System Attendant Service (MSExchangeSA) from either the
Control Panel services interface or from a command prompt type "Net Stop
MSExchange" (without the quotation marks). This procedure stops all other
Exchange services as well.

4. Copy the Exchsrvr directories that you backed up from the original computer
over the Exchsrvr directories on the new computer. Make sure that you copy
the directories to the correct drives.

If the original computer and the new computer do not have the same hardware
platform, then only copy the Dsadata, Dxadata, Imcdata, Mdbdata, and Mtadata
directories. You may also need to copy the Ccmcdata, Insdata, Kmsdata, and
Tracking.log directories if the corresponding components were installed or
enabled on the original computer.

5. Start the system attendant and directory services.

6. Start the information store service. If the Application event log states that
you need to run Isinteg -patch when you start the information store, at a
Windows NT command prompt, run the following command

isinteg -patch

and then restart the information store service.

Configuring the KM Server:

You installed the KM server in the "Installing Windows NT and Exchange Server on
the New Computer" section, step 7, before you restored the Exchange Server
directory from the original computer to the new computer.

1. Stop the KM server service on the new computer.

2. Copy the Kmspwd.ini file from the KM server Startup disk for the original
computer to another disk. Label the disk "KM Server Startup Disk - New
Computer."

3. Perform one of the following steps, depending on the version of Exchange
Server that the original computer was running and the new computer is
running:

- For Exchange Server version 4.0 or 5.0, at the new computer, rename the
Security\Mgrent directory to the Security\Mgrent.original directory. Copy
the Security\Mgrent directory from the backup of the Security directory of
the original computer (that you made in the "Backing up Information from
the Original Computer" section, step 5) to the Security directory on the
new computer.

- or -

- For Exchange Server version 5.5, at the new computer, rename the
Exchsrvr\Kmsdata directory to the Exchsrvr\Kmsdata.original directory.
Copy the Exchsrvr\Kmsdata directory from the backup of the Exchsrvr
directory of the original computer (that you made in the "Backing up
Information from the Original Computer" section, step 3) to the Exchsrvr
directory on the new computer.

4. Place the new KM server Startup disk for the new computer (labeled "KM Server
Startup Disk - New Computer&quot into the disk drive of the new computer.

5. Start the KM server service on the new computer.

6. Use the Performance Optimizer utility to make any desired changes.

7. Start all of the Exchange Server services.

Restoring and Reconfiguring Connectors:

Restore all of the information that relates to site connectors and X.400
Connectors on the new computer. You need to reconfigure any Internet Mail
Connector or Dynamic RAS Connectors. You may also need to reconfigure
third-party connectors.

Exchange Client Profiles
------------------------

After you complete the steps in this article, Exchange Server runs on the new
computer in the same way that it ran on the original computer. Exchange Clients
can connect to the new Exchange Server computer just as they connected to the
original computer.

Use of Offline Backups Instead of Online Backups
------------------------------------------------

In the procedures in this article, you use an offline backup, instead of an
online backup. This allows you to move all of the data that existed at the time
that the Exchange Server services were stopped to the new computer. This
includes data that may have arrived after the last online backup, as well as
transient data in the MTA or connector queues.

If you perform an online backup, to be sure that you move all of the data to the
new computer you need to copy transaction logs, as well as the MTA and Internet
Mail Service data files.

It is more effective to copy the entire Exchsrvr directory on each drive to the
new computer. This procedure requires that you configure the locations of the
different logs and databases exactly the way they were configured on the
original computer, but it guarantees that there is no loss of data.

 

[Lightspeed1]

Thanks Steve and M!!
Sometimes a little reassurance in knowing that so many other people have spent all-nighters correcting these kinds of messes is the best thing I take away from here!
So if I understand what you are saying Steve, is that even though I can back up the accts with a system state backup, once the domain is reconfigured the SID's are going to cause problems? Is this because the sid contains a "prefix" that identifies the domain as well?
Also, Steve as I see your excellent posts often here,<pauses to wipe off nose> there is a thread from a gentleman that far exceeds my modest talents, maybe you could take a look at it and give some of your input? thread96-713244 Thanks if you get the opportunity.

signed,
not afraid of hard work but smart enough to look for an easier way!! (AKA Lightspeed1)

Regards,
Lightspeed1
AKA Mike

 

[Lightspeed1]

gschimenti,
Thank you, I had been thinking about the possibility of bringing up a temp server to synchronize with but wasn't sure how to get them resynched once the domain name changes. I hadn't even thought about the ADMT tool...will definitely get a Ghost of the server first (you only make THAT mistake once!) I really appreciate the time you took to get the Exchange step by step for me!! I'll try to post back after the job is done and let you guys know how it went. Might make a great FAQ. Speaking of FAQ's, GSCH, I'm not sure if there is an existing FAQ in the exchange fora but the step by step you have here might be a swell addition.

Regards,
Lightspeed1
AKA Mike

 

[Stevehewitt]

Hey,

Thanks very much! ;-)

As gschimenti rightly states - it can be done. But it would be a hell of a lot less messy if you started again - and considoring that its just 25 users compared to 200, I think its worth the while.

By the time you take all the steps mentioned above, you could of reinstalled 2000, restore data files and then re-create the users; and still have time for a coffee and a fag whilst congratulating yourself!!!

It's obviously your choice, and if you are looking at moving up to a larger company in the not so distant future then maybe gschimenti has the right idea - but looking at it I personally would go with the trash the system and do a restore. It would probably give less headaches short-term and also long term.

Good Luck!

Steve.

 

[Big0range]

Another thought is to NOT change the private domain name at all. Leave it alone, it's a little more secure that making their entire private domain publicly accessible by name. Their sonicwall should have either a port for a DMZ, in which you can place the internet-available server; or you can request another static IP from the provider and provide a static mapping within the sonicwall and keep the net-accessible server inside the private network with a static IP mapped through NAT to only to that server.

If you rename their entire domain to a publicly used domain name, you introduce security issues they're largely exempt from currently, besided the headache of the Exchange migration.