Anyone Experienced with Server 2003 TS & AD ?

    Let me preface this by saying I have very little knowledge when it comes to handling server software and configuration.

    I have been thrust into a position with a client that requires me to become more knowledgeable about them, but the learning curve (for me) is very steep.

    I am dealing with many years of others "messing about" with 4 servers in a facility that has a VPN over a T1 to a second office 20 miles distant. The servers are Terminal Server (TS) 2003 R2, Active Directory which I am assuming is the Domain Server (Main) 2003, Applications (APP) 2003 R2, and Electronic Records (ER) 2008. All servers are HP Proliants ranging in age from 2-6 years old.

    A total of about 25-30 remote clients are online at any point in the day. They all connect via RDP to the Terminal Server.

    The Situation:
    On Wednesday last, the TS unit suffered a hard drive failure. It was -supposed- to be set up as RAID 1, but I came to find out that about 2 years ago, someone had turned that off in BIOS and these drives were not mirrored. Simply running as separate drives. The latest date on the 2nd drive was 2010.

    I tried every method I have available to access the 1st drive, but to no avail. A non-recoverable boot sector failure / MBR missing error.

    After speaking with a drive recovery service and my client, I cloned the 2nd drive with hardware I have and sent both drives off to the recovery service. They subsequently reported a mechanical failure of the drive and estimated ~$2,500 for recovery over a 10-15 day time. Really not acceptable as this puts us out of service in many ways. They could do it faster but the price doubles as you halve the turnaround times. (Up to $10,000)

    The Dilemma:
    I installed the cloned drive in the TS and everything seemed to be okay. Windows comes up and runs, but I cannot log in at the console as admin on the Domain, only as admin on the machine. I have Googled this error message, but most of the answers regard the remote computer/client, not the server console.

    That happens when I use the correct password -
    "Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance."

    If I use a wrong password, say 1234, it comes up with a different message. Something like "Windows cannot log you on because your username or password are incorrect"

    So, the messages indicate to me that it is seeing the password as correct, it just can't get to the Domain? Is that correct? How do I go about fixing that?

    Any direction would be helpful. A lot of hand holding is necessary.

    T
    Last edited by Toasty; 12-22-2012, 03:11 PM.
    veritas odium parit

    #2

    You could try making the TS server a "work group" computer then rejoin it to the domain. There may be better ways to correct your problem and this could cause other problems but it should work. Depending on how much time you have you may want to wait on other suggestions before trying this one.

    I think the problem is caused by the security certificate authentication on the domain so you may want to search on correcting it first.

      #3

      I'm a bit confused. The TS server with the drive failure was the domain controller and the only domain controller?
      Edit: ok I reread it and it isn't a DC. This is good.

      If the TS server isn't a domain controller (and I suspect it isn't because you shouldn't be able to log in to a DC with a local account) then what LDS said should do the trick.
      Last edited by smason; 12-22-2012, 06:17 PM.
      36 Monitors, 3 TVs, 4 Laptops, 1 motherboard, 1 Printer, 1 iMac, 2 hard drive docks and one IP Phone repaired so far....

        #4

        I understand what you are saying, I think.

        If I look in Explorer, what I find is that when I log in to TS locally, under Doc & Set\administrator, the file date stamps are changing. The ones that are not changing are under Doc & Set\administrator.DOMAIN_NAME. Is that the one where I need to be?

        So, while in LOCAL mode, under System Properties - Computer Name tab, change the "Member of" from Domain to Workgroup and give it a pseudo name like WORKGROUP. Reboot, then do it again but set it back to "Member of" the DOMAIN_NAME.

        Is that correct?

        This is also way behind in updates... yuk! Hours of "watching the grass grow" in my future.

        Thanks for the tips!

        T
        Last edited by Toasty; 12-22-2012, 08:33 PM.
        veritas odium parit

          #5

          Originally posted by Toasty:
          So, while in LOCAL mode, under System Properties - Computer Name tab, change the "Member of" from Domain to Workgroup and give it a pseudo name like WORKGROUP. Reboot, then do it again but set it back to "Member of" the DOMAIN_NAME.

          Is that correct?
          Yes, that is essentially it. Good luck.

            #6

            The procedure is correct.
            But if I were you I would do all Windows Updates first.
            Because there have been big changes done to the Certificates for TS servers, and this indeed could prevent you from logging in to the AD server since it has those updates already...

            And also:
            Documents and Settings\Administrator = Local Account as you say.
            Documents and Settings\Administrator.DOMAIN_NAME = Domain name

            What they have in common is that they have a SID, so for example if you delete an account and create a new one with the same name their security permissions will not match.
            This might result in your server creating a new account like: Administrator.DOMAIN_NAME.001 or something like that when rejoining, but this is normal... (Albeit a headache, which is why I say Windows Updates first & hope for the best )

            http://www.dailytech.com/Microsoft+T...ticle25157.htm

            http://technet.microsoft.com/en-us/s...visory/2661254

            http://technet.microsoft.com/en-us/s...visory/2728973
            Last edited by Per Hansson; 12-23-2012, 03:36 AM.
            "The one who says it cannot be done should never interrupt the one who is doing it."
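Before carrying out the workgroup/rejoin procedure from #2 through #6, it is worth confirming that the machine account's secure channel is really what is broken and recording which SID owns which profile folder, so the Administrator vs. Administrator.DOMAIN_NAME question from #4 and the .001 duplicate-profile case from #6 can be checked afterwards. The script below is an added example, not something any poster in this thread wrote; it assumes PowerShell 2.0 or later on the member server and nltest.exe on the path (in-box on Server 2008 and later, Support Tools on 2003), and DOMAIN_NAME is the thread's own placeholder.

```powershell
# Added example: read-only checks to run before the workgroup/rejoin procedure.
# Assumes PowerShell 2.0+ on the member server and nltest.exe on the path
# (in-box on 2008+, Support Tools on 2003). DOMAIN_NAME is the thread's placeholder.
param(
    [string]$Domain = 'DOMAIN_NAME'   # replace with the real NetBIOS domain name
)

function Get-SecureChannelState {
    # nltest /sc_query asks Netlogon whether this machine account's secure channel to a DC
    # works. A broken channel gives the "Windows cannot connect to the domain ... computer
    # account was not found" logon message from the first post even with a correct password,
    # while a wrong password is rejected with the ordinary bad-credentials message.
    param([string]$Domain)
    $text = (& nltest.exe "/sc_query:$Domain" 2>&1 | Out-String).Trim()
    New-Object PSObject -Property @{
        Domain  = $Domain
        Healthy = [bool]($text -match 'NERR_Success')
        Detail  = $text
    }
}

function Get-ProfileSidMap {
    # ProfileList maps each SID to its profile folder. Recording it before the rejoin lets you
    # tell afterwards whether the domain admin SID still owns Administrator.DOMAIN_NAME or a
    # fresh Administrator.DOMAIN_NAME.001 folder was created (the case described in #6).
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem $base) {
        $sid  = $key.PSChildName
        $path = (Get-ItemProperty $key.PSPath).ProfileImagePath
        $name = '<unresolved: orphaned SID or domain unreachable>'
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        $last = $null
        if (Test-Path $path) { $last = (Get-Item $path).LastWriteTime }
        New-Object PSObject -Property @{
            Sid        = $sid
            Account    = $name
            ProfileDir = $path
            # Windows appends .DOMAIN or .NNN when a new SID collides with an existing folder name.
            Renamed    = [bool]($path -match '\.\d{3}$')
            LastWrite  = $last   # recently changing dates show which profile is actually in use
        }
    }
}

$channel = Get-SecureChannelState -Domain $Domain
if ($channel.Healthy) {
    Write-Host "Secure channel to $Domain is healthy; the logon problem is probably elsewhere."
} else {
    Write-Host "Secure channel to $Domain is broken:"
    Write-Host $channel.Detail
    Write-Host "Apply Windows Updates, then reset the channel or unjoin/rejoin as described above."
}

Get-ProfileSidMap | Sort-Object ProfileDir |
    Format-Table Sid, Account, ProfileDir, Renamed, LastWrite -AutoSize
```

Run it again after the rejoin: the domain administrator's SID should still map to the original Administrator.DOMAIN_NAME folder, and any row with Renamed set to True is a profile Windows had to create under a new name.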

              #7

              Originally posted by Per Hansson:
              Documents and Settings\Administrator = Local Account as you say.
              Documents and Settings\Administrator.DOMAIN_NAME = Domain name

              What they have in common is that they have a SID, so for example if you delete an account and create a new one with the same name their security permissions will not match.
              This might result in your server creating a new account like: Administrator.DOMAIN_NAME.001 or something like that when rejoining, but this is normal... (Albeit a headache, which is why I say Windows Updates first & hope for the best )

              http://technet.microsoft.com/en-us/s...visory/2661254

              http://technet.microsoft.com/en-us/s...visory/2728973
              While this is possible, I've never seen it happen.
              I do this routinely (reverting to old VMWare snapshots, laptops that have been off the domain for a year etc) and I've never had a user SID change. The profile is always there, and stays linked to the domain ID/SID after a domain re-join.
              36 Monitors, 3 TVs, 4 Laptops, 1 motherboard, 1 Printer, 1 iMac, 2 hard drive docks and one IP Phone repaired so far....

                #8

                Originally posted by Per Hansson:
                The procedure is correct.
                But if I where you I would do all Windows Updates first...<snip>
                I had thought about that and you confirmed it. I will do them first.

                ---- The next bit ------

                Going by what I have been handed in setup of these systems, I've always had the feeling that certain programs should not be installed on some of these servers.

                Breakdown of what they have in place from paperwork I was handed that the previous company generated:

                TS - 192.168.xxx.200 - Terminal Server - Has their main software installed on it that everyone uses. Both offices are split as 2 businesses with separate primary programs. One uses the APP server for its database, the other the ER.

                MAIN - 192.168.xxx.202 - DC/GC/DNS/DHCP/FSMO Roles, Symantec Backup Exec, Symantec A/V server - Is the AD server and I assume this is where the Domain comes from. I am not clear on AD's functionality and as I said, this is the steep curve I am trying to learn. I see some programs installed here and because disk space is at a premium, I question whether or not anything other than AD should be running off of this server.

                APP - 192.168.xxx.201 - DC/GC/DNS, SQL, Database for Business A - Where the database and other records such as financial are kept.

                ER - 192.168.xxx.203 - As this was installed after the previous company worked here and before I arrived, there is no specific info. Role(s) are unknown except that this is where Business B has their database and separate financial software. This is Server 2008.

                ER is really a private server setup by Business B. I don't want any conflict and what they do does not impact the other 3 servers too much.

                I find so many programs installed across these servers. I want to remove a lot of the unnecessary as time moves on.

                A question I have not been able to find a good answer to is...

                What exactly should be installed on TS and AD? What should -NOT- ?

                Again, thanks in advance!

                T
                veritas odium parit

                  #9

                  Ideally on the TS you want only the programs that the remote users use.

                  Ideally on the DC, you don't want anything other than AD, DNS, and maybe DHCP.
                  If you don't have a second DC, you really don't want anything on there that could crash the server or consume disk space (Backup Exec database and log files can fill a drive and ruin your day in a hurry)
                  If it were my client, I'd add another DC, move the backup to its own server, or to the app server.
                  36 Monitors, 3 TVs, 4 Laptops, 1 motherboard, 1 Printer, 1 iMac, 2 hard drive docks and one IP Phone repaired so far....

                    #10

                    I run a domain at home and I only have one box running it as I do not want to pay for the electricity nor hear the noise of a second server running. I did have it completely crap out on me once and it was a nightmare to get everything fixed, but since I only use it as leverage against my kids, it was not the end of the world. For a business however, running only one DC is kinda like playing Russian roulette and if it were to crash, it would make your current problem seem insignificant IMO. I do not know what options you have available but it is something you may want to look into as soon as you have your current problem resolved, especially if you are the one that will be held responsible.

                      #11

                      APP seems to be, according to the paper and above post, the second DC. The Primary DC (MAIN) should not have users on it, correct? I find a bunch of remote users in its D&S folder, many the same as in TS.

                      Always wondered which ones I was changing (and where) when I did GP updates/changes.

                      What does a second DC do and how do I administer that?

                      The procedure(s) LDSisHere, smason, and Per Hansson recommended worked! I can now log in as admin to the Domain on TS and the connectivity has been restored to the remotes. Now we have to go back and install 2 years worth of software and updates.

                      Thanks a bunch guys!

                      T
                      veritas odium parit

                        #12

                        Originally posted by Toasty:
                        APP seems to be, according to the paper and above post, the second DC.
                        I did not catch that bit of information. I am sure that running a DC on that server would not be a recommended practice, but it should at least CYA in a pinch.

                        Without a DC there would be no network login and depending on the problem with the DC and how it was restored, every network computer could possibly have to be rejoined to the domain like you did with the TS server. A second DC allows you to seamlessly replicate back to a repaired DC instead of rebuilding\rejoining everything. This of course is a worst case example but you are dealing with Windows boxes and not something you want to chance lightly.

                          #13

                          How are or should the 2 DC's be joined? As I said, this is very unfamiliar territory to me. Why would running the 2nd DC on APP be a bad idea? Should it be on its own box?

                          Back to a previous query:
                          The Primary DC (MAIN) should not have users on it, correct? I find a bunch of remote users in its D&S folder, many the same as in TS.

                          What should be on the DC and what should not? There seems to be a lot of replication of applications. Sort of a "backup plan" in case something dies.

                          I was also told that to perform updates on TS, I should drag it out of Terminal Services on AD and place it in Computers, then run (command prompt) gpupdate. Once the updates are done to drag it back to TS and gpupdate again. Is that correct or necessary?

                          T
                          veritas odium parit

                            #14

                            Originally posted by Toasty:
                            How are or should the 2 DC's be joined? As I said, this is very unfamiliar territory to me.
                            If both controllers are active and on the same domain then they should already be joined.

                            Why would running the 2nd DC on APP be a bad idea?
                            1. Security
                            2. Stability - less stuff running means less chance of crashes
                            3. Microsoft "needs" to sell more licenses, therefore they encourage this idea.

                            Should it be on its own box?
                            Yes for the above reasons, however it is a judgement call in the end.

                            Back to a previous query:
                            The Primary DC (MAIN) should not have users on it, correct? I find a bunch of remote users in its D&S folder, many the same as in TS.
                            I am not sure what you mean by the D&S folder but my (limited) experience is mostly with Server 2008R2 and I am not sure how different it is from 2K3. You are going to have the network users listed under the domain like in the image I have attached (User names erased.) but I am not sure this is what you mean. Only network Administrators should be able to directly log onto the domain controller.

                            What should be on the DC and what should not? There seems to be a lot of replication of applications. Sort of a "backup plan" in case something dies.
                            I would say that is determined by the available resources and risk/reward analysis. If these are all the servers you are going to get and the network being available is more important than security I would leave them alone, but others on the forum may disagree with my logic and have good reasons for doing so.

                            I was also told that to perform updates on TS, I should drag it out of Terminal Services on AD and place it in Computers, then run (command prompt) gpupdate. Once the updates are done to drag it back to TS and gpupdate again. Is that correct or necessary?

                            T
                            I cannot answer this question so hopefully someone else will be able to do so.



                            I just want to be clear that my experience is mostly limited to my personal equipment, studying for MS certs and it is from working with 2K8 R2 as opposed to 2K3. Hopefully others with more experience than me will also give you their opinions.

                            I was very glad to hear that you were able to get the server back on the domain.
                            Last edited by LDSisHere; 12-24-2012, 01:07 AM. Reason: Typo

                              #15

                              D&S = Documents & Settings

                              I get the impression that these servers had different roles earlier in their life and accounts were left in place. Either from neglect or a fear of losing connectivity from the remotes.

                              It really is quite the mess and seems almost hodge-podge at times. Too many fingers in the pie, if you will. I'd love to have the knowledge/confidence to clean it up correctly and clear out the unneeded and unnecessary items.

                              MAIN, the primary DC, is very low on disk space and will typically throw an error on reboot giving a "Critical Foundation Agents Rising" message via email to me. To date, we have not figured out what that means, and researching it never gave anything conclusive. It has 2 hot swappable SCSI 73GB drives in RAID as best I can see. Their space is at a premium because of the applications that are loaded.

                              Another issue that I've come across is a plethora of network printers in the system. I don't think 1/2 of them are real and I'm sure some have been removed yet they continue to appear in the system. Naming convention was not one of their strong suits.

                              More investigation since this crash is going to happen so I get a clearer picture. It's a pain though because of the office hours. Taking anything down is usually not possible until 10 or 11 PM and it's got to be back up by 7:30 AM. Sunday is the only generally "clear" day, but since they have remote access, sometimes there is work being done from home even then. Ugh!

                              They have had issues of network slowdowns, but I have straightened a lot of that out over several months. Things were actually running quite well for several months, until this drive crash. Had the RAID been turned on, this discussion would be moot as a simple drive swap would have had us back up in under an hour.

                              >> If both controllers are active and on the same domain then they should already be joined. <<

                              How do I verify that?
                              Are changes made on the main DC copied/mirrored automatically to the 2nd? Or, is that something I have to do manually?

                              >>If these are all the servers you are going to get and the network being available is more important than security I would leave them alone...<<

                              Most likely true unless I can convince them for some sound reasons to shell out some bucks for another DC. I don't see that happening in the near future.

                              Again, thanks for your advice!

                              T
                              Last edited by Toasty; 12-24-2012, 02:18 AM.
                              veritas odium parit

                                #16

                                Yea, please stop using personal made-up shorthand for "Documents & Settings", it just causes confusion.

                                The DC should not have any users logging in, and therefore only admin accounts listed under "Documents & Settings"
                                You can check on the file dates of the users profile in that folder, if they are recent then people are still logging in this way, not recommended!

                                For doing installations on a Win2K3 Terminal Server go to "Add remove programs" in the control panel and select the entry "Add new programs"
                                This is the supported way of doing installations on a TS, in Server 2008 it is different, there exists a command line tool for this in that case:
                                Code:
                                change user /install
                                start /wait SETUP.EXE
                                change user /execute
                                "The one who says it cannot be done should never interrupt the one who is doing it."

                                  #17

                                  Well, out of the frying pan and into the fire...

                                  Server would not handle more than 5 connections before it would start complaining. Since the 2nd drive was never switched back on in the RAID, it was running 2003 R2 Standard. Never was updated to 2003 R2 64 bit and would not see more than 4 Gigs of RAM.

                                  Ended up wiping the drive and reinstalling 2003 R2 x64 version. Everything seems okay and it sees the RAM (24GB) and is recognized on the domain and found the license server. However, we cannot RDP into it any longer. Have tried many suggestions and all the switches seem correct. Users have been added to the Remote Desktop Group and the Allow Remote connection box is checked. The other servers see it okay also.

                                  Also - previous question:

                                  >> If both controllers are active and on the same domain then they should already be joined. <<

                                  How do I verify that?
                                  Are changes made on the main DC copied/mirrored automatically to the 2nd? Or, is that something I have to do manually?

                                  T
                                  Last edited by Toasty; 12-27-2012, 12:04 AM.
                                  veritas odium parit

                                    #18

                                    So the RAID stopped working when someone upgraded the TS server from Win2K3 32-bit to Win2K3 64-bit?
                                    I'm just asking because the 32-bit version can handle up to 128GB RAM, albeit for licensing reasons and general MS bullshit this only applies to the Enterprise Edition & Datacenter Edition
                                    This can be good to know because sometimes software and more importantly drivers for printers etc are not available in 64-bit versions...

                                    It's not so easy to help with the login problem, can you login via RDP directly to the TS server? (Not via domain login)
                                    What error messages do you get?
                                    "The one who says it cannot be done should never interrupt the one who is doing it."

                                      #19

                                      Originally posted by Toasty:
                                      Also - previous question:

                                      >> If both controllers are active and on the same domain then they should already be joined. <<

                                      How do I verify that?
                                      Are changes made on the main DC copied/mirrored automatically to the 2nd? Or, is that something I have to do manually?

                                      T
                                      Check the event logs, answer to the RDP issue may be in there. Also the event logs should show AD replication between the DCs.
                                      You can run netdiag and dcdiag to verify the health of your AD, DNS etc.

                                      Some obvious things for RDP firewall is off? DNS pointing to the correct server, clients can ping it?
                                      36 Monitors, 3 TVs, 4 Laptops, 1 motherboard, 1 Printer, 1 iMac, 2 hard drive docks and one IP Phone repaired so far....
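The checks smason lists in #19 (event logs, AD replication between the two DCs, and DNS/firewall/port reachability for RDP) can be scripted so they are repeatable after each change. The script below is an added example, not from anyone in this thread; it assumes PowerShell 2.0 or later on a domain member with RPC access to the Terminal Server, and repadmin.exe on the path (in-box on Server 2008 and later domain controllers, Support Tools on 2003). TS is the server name used in the thread.

```powershell
# Added example: the event-log, replication and RDP checks suggested in #19.
# Assumes PowerShell 2.0+ on a domain member and repadmin.exe on the path
# (in-box on 2008+ domain controllers, Support Tools on 2003). Names are the thread's.
param(
    [string]$TerminalServer = 'TS',   # Terminal Server name used in the thread
    [int]$RdpPort = 3389              # default RDP listener port
)

function Test-TcpPort {
    # Plain TCP connect with a timeout, so it works without Test-NetConnection.
    param([string]$TargetHost, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($TargetHost, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RdpStatus {
    param([string]$Server, [int]$Port)
    # DNS: the name must resolve, and to the address the RDP clients were given.
    $addrs = @()
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($Server) | ForEach-Object { $_.IPAddressToString })
    } catch { }
    # Listener: is anything accepting connections on the RDP port? (A host firewall shows up here.)
    $portOpen = $false
    if ($addrs.Count -gt 0) { $portOpen = Test-TcpPort -TargetHost $addrs[0] -Port $Port }
    # Service: Terminal Services must be running on the TS itself (needs RPC to the server).
    $svc = Get-Service -ComputerName $Server -Name TermService -ErrorAction SilentlyContinue
    $svcState = 'unknown (RPC blocked?)'
    if ($svc) { $svcState = $svc.Status }
    # Event log: recent Terminal Services errors/warnings in the System log, newest first.
    $events = @(Get-EventLog -ComputerName $Server -LogName System -EntryType Error,Warning -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -match '^(TermService|TermDD|TerminalServices)' })
    $latest = ''
    if ($events.Count -gt 0) { $latest = $events[0].Message }
    New-Object PSObject -Property @{
        Server         = $Server
        ResolvesTo     = ($addrs -join ', ')
        RdpPortOpen    = $portOpen
        ServiceState   = $svcState
        RecentTsEvents = $events.Count
        LatestTsEvent  = $latest
    }
}

function Get-ReplicationStatus {
    # repadmin /showrepl * /csv gives one row per (destination DC, naming context, source DC).
    # A non-zero "Number of Failures" means changes on one DC are not reaching its partner; a
    # healthy pair of DCs replicates automatically, and this is how you verify that it does.
    try {
        $rows = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv
    } catch {
        Write-Warning "repadmin.exe not found; install the Support Tools / RSAT first."
        return @()
    }
    foreach ($r in $rows) {
        New-Object PSObject -Property @{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = [int]$r.'Number of Failures'
            LastSuccess   = $r.'Last Success Time'
            LastStatus    = $r.'Last Failure Status'
        }
    }
}

Get-RdpStatus -Server $TerminalServer -Port $RdpPort | Format-List

$repl = @(Get-ReplicationStatus)
if ($repl.Count -gt 0) {
    $repl | Sort-Object Failures -Descending |
        Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastStatus -AutoSize
    $broken = @($repl | Where-Object { $_.Failures -gt 0 })
    Write-Host ("{0} replication link(s) reporting failures." -f $broken.Count)
}
```

If the name resolves to the wrong address, the port shows closed while TermService is running, or the event log carries licensing or listener errors, each points at a different one of the causes raised above (DNS, firewall, or the TS configuration itself).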

                                        #20

                                        All I know is that the 2nd drive would only see 4 Gig of RAM and not the 24 Gig that is loaded. 2nd drive appears to have 2003 R2 32 bit version on it. I cannot know what the old drive had, but it was working fine with 30+ clients RDP'ing.

                                        So, how do I turn on the rest of RAM if I were to revert back to that again? I have another clone plus the old 2nd drive is on its way back from the recovery company.

                                        Why would TS not be working with RDP? It's what it was built for out of the box, yes?

                                        That is also what is missing, the Domain login option that we used to get on RDP. From various clients you would get the drop down box for the address 192.168.xxx.200, or the name TS or the domain. The domain is not there now...?

                                        T
                                        Last edited by Toasty; 12-27-2012, 07:53 AM.
                                        veritas odium parit
