Windows Networking, help me understand.

x16wda:
Replacing a DC is no problem really, just build a fresh server and run dcpromo to make the new one and then dcpromo the old one to remove it.  Just make sure to have DNS installed on the new box before promotion and point it to the old one for DNS, then when the new DC is happy (always seems to take an extra reboot for me) point everything to it for DNS instead before decommissioning the old one.  I haven't worked in a single-DC environment but I'd set the new box to be a global catalog too.

Of course if you're replacing it after 5 years you'd want to update the forest and domain schemas to the latest.

Much nicer now than the days of NT4 domains.  (Though we found the Upromote utility late in the game, that makes it a little easier...)
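An added example, not from x16wda's post or anyone else in this thread: the same replace-and-decommission procedure written out for the Server 2012+ ADDSDeployment cmdlets, which took over from dcpromo. The domain name, host names, addresses and NIC alias are hypothetical; run it elevated as a Domain Admin who is also in Schema Admins and Enterprise Admins.

```powershell
# Added example (not from the thread). Replacing a single DC with the Server 2012+
# ADDSDeployment cmdlets, same steps as the dcpromo procedure above.
# Hypothetical names: domain corp.example.com, old DC DC01 = 10.0.0.10,
# new server DC02 = 10.0.0.11, NIC alias 'Ethernet'. Steps 1-5 run on DC02, step 6 on DC01.

# 1. Before promoting, the new box must use ONLY the existing DC for DNS so it can
#    find the domain and register its own SRV records once promoted.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.10

# 2. Install the role, then promote as an additional DC with DNS and a global
#    catalog (GC is the default; -NoGlobalCatalog turns it off). On 2012+ this also
#    runs adprep /forestprep and /domainprep itself if the schema is behind, which
#    is why the account needs Schema Admins + Enterprise Admins. Reboots at the end.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'corp.example.com' -InstallDns `
    -Credential (Get-Credential 'CORP\Administrator') `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -Force

# ---- after the reboot, back on DC02 ----

# 3. Don't touch the roles until replication and DNS are clean.
repadmin /replsummary
dcdiag /test:DNS /test:Advertising

# 4. Transfer all five FSMO roles. This is a graceful transfer because DC01 is
#    still online; -Force would seize them, which is only for a dead DC.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Confirm the holders (same answer as 'netdom query fsmo').
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# 5. Re-point every DNS client at DC02: the DC itself, the DHCP scope option
#    (run wherever DHCP lives), and anything with a static address. Nothing
#    should still list DC01 or an ISP resolver.
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.0.0.11
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -DnsServer 10.0.0.11

# 6. On DC01, once DC02's event logs have stayed clean through a reboot:
#    graceful demotion. -Force only skips the confirmation prompt; -ForceRemoval
#    would be the "rip it out" path that leaves stale metadata behind.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword (Read-Host 'New local admin password' -AsSecureString) `
    -Force
```

The order matters: roles move only after step 3 is clean, and DC01 is demoted only after nothing points at it any more, so a failed promotion can still be backed out by switching the resolver addresses back.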

CWuestefeld:
Replacing a DC is no problem really, just build a fresh server and run dcpromo to make the new one and then dcpromo the old one to remove it.  Just make sure to have DNS installed on the new box before promotion and point it to the old one for DNS, then when the new DC is happy (always seems to take an extra reboot for me) point everything to it for DNS instead before decommissioning the old one. 
-x16wda (October 15, 2013, 08:35 AM)
--- End quote ---

So now you've got to understand DNS, too, including how to properly configure your own domain, and how this interrelates with Active Directory -- it's not as easy as just pointing to your ISP's DNS. And this is the part that I was never able to get to work properly (this may have been complicated by the fact that I own my own domain name as well; I use that for my email address, so I needed to be able to get name resolution to the hosting provider's mail server that has my domain name).

I actually thought NT4 domains were simpler. Back then, you had a PDC and some set of BDCs, and it was perfectly clear which was which. So to replace an old PDC, you'd just bring up a new BDC, get him acquainted with the old PDC, and then promote him.

Stoic Joker:
Replacing a DC is no problem really, just build a fresh server and run dcpromo to make the new one and then dcpromo the old one to remove it.  Just make sure to have DNS installed on the new box before promotion and point it to the old one for DNS, then when the new DC is happy (always seems to take an extra reboot for me) point everything to it for DNS instead before decommissioning the old one.  
-x16wda (October 15, 2013, 08:35 AM)
--- End quote ---

So now you've got to understand DNS, too, including how to properly configure your own domain, and how this interrelates with Active Directory -- it's not as easy as just pointing to your ISP's DNS.
-CWuestefeld (October 15, 2013, 08:56 AM)
--- End quote ---

Actually it is. (assuming a single server for simplicity) In an AD domain the DC handles DNS, period. All clients point to, and only to, the DC. External lookups are to be handled by forwarding either to the default internet root servers, or to the configured forwarders. The ISP's DNS servers can be configured as forwarders but personally I prefer OpenDNS. If the ISP's DNS servers appear anywhere else in the configuration, problems will ensue.

I usually just let dcpromo handle the DNS installation on the fly (for Server 2000/2003/2008 - Server 2012 is a bit different..). Then verify the FSMO roles made it over safely and down the old box. Reboot the new server to make sure it can come online without issue, and if the event logs are clean ... spin up the old server one more time to demote it.

And this is the part that I was never able to get to work properly (this may have been complicated by the fact that I own my own domain name as well, I use that for my email address, so I needed to be able to get name resolution to hosting provider's mail server that has my domain name).
-CWuestefeld (October 15, 2013, 08:56 AM)
--- End quote ---

Having the same public and internal domain name is a bit of a no-no. But in a pinch you can just add the A records for www, mail, etc. to the internal DNS server with the external IP addresses.

I actually thought NT4 domains were simpler. Back then, you had a PDC and some set of BDCs, and it was perfectly clear which was which. So to replace an old PDC, you'd just bring up a new BDC, get him acquainted with the old PDC, and then promote him.
-CWuestefeld (October 15, 2013, 08:56 AM)
--- End quote ---

The PDC (emulator) is still there and reasonably easy to find: netdom query fsmo
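An added example, not Stoic Joker's own commands: the DNS layout the post above describes (clients to the DC only, external lookups via forwarders, and the "same name inside and out" workaround with internal A records), done with the DnsServer and DnsClient modules on a Server 2012+ DC. DC01, its address, corp.example.com, example.com and the public IPs are hypothetical; the OpenDNS resolver addresses are the real ones.

```powershell
# Added example (not from the thread). The DNS layout described above, on the
# DC's own DNS server (DnsServer / DnsClient modules, Server 2012+). Hypothetical:
# DC01 = 10.0.0.10 runs DNS for AD domain corp.example.com; the public domain
# example.com is hosted elsewhere (www = 203.0.113.10, mail = 203.0.113.25).

# 1. Forwarders: the only way external lookups leave the DC. OpenDNS here; the
#    ISP's resolvers could be listed instead. Keep root hints as a fallback in
#    case every forwarder is down.
Set-DnsServerForwarder -IPAddress 208.67.222.222, 208.67.220.220 -UseRootHint $true
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 2. "Clients point to the DC and only the DC" applies to the DC's own NIC too.
#    Flag any configured resolver that is not on the allowed list.
function Test-ResolverList {
    param([string[]]$Allowed = @('10.0.0.10', '127.0.0.1'))
    $configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses }
    $stray = $configured | Where-Object { $_ -notin $Allowed }
    if ($stray) { Write-Warning "Stray DNS servers configured: $($stray -join ', ')" }
    -not [bool]$stray
}
Test-ResolverList

# 3. Sanity checks against the DC: AD's own SRV records must answer locally,
#    and an external name must come back through the forwarders.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.com' -Type SRV -Server 10.0.0.10
Resolve-DnsName -Name 'example.org' -Type A -Server 10.0.0.10

# 4. Same name inside and outside (the "no-no"): the DC is authoritative for the
#    zone and will never forward a query for it, so every public host has to be
#    duplicated in the internal zone with its public address. If the AD domain
#    has a different name, an internal copy of the public zone is created first
#    and the same rule then applies to it.
$zone = 'example.com'
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain
}
Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'www'  -IPv4Address 203.0.113.10
Add-DnsServerResourceRecordA  -ZoneName $zone -Name 'mail' -IPv4Address 203.0.113.25
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.'    -MailExchange "mail.$zone" -Preference 10
```

Step 4 is the catch CWuestefeld ran into: once the DC holds a zone with the public name, anything not re-created in it (www, mail, the MX at the apex) simply stops resolving from inside, because the DC answers authoritatively instead of forwarding.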

Vurbal:
Replacing a DC is no problem really, just build a fresh server and run dcpromo to make the new one and then dcpromo the old one to remove it.  Just make sure to have DNS installed on the new box before promotion and point it to the old one for DNS, then when the new DC is happy (always seems to take an extra reboot for me) point everything to it for DNS instead before decommissioning the old one.  
-x16wda (October 15, 2013, 08:35 AM)
--- End quote ---

So now you've got to understand DNS, too, including how to properly configure your own domain, and how this interrelates with Active Directory -- it's not as easy as just pointing to your ISP's DNS. And this is the part that I was never able to get to work properly (this may have been complicated by the fact that I own my own domain name as well, I use that for my email address, so I needed to be able to get name resolution to hosting provider's mail server that has my domain name).

I actually thought NT4 domains were simpler. Back then, you had a PDC and some set of BDCs, and it was perfectly clear which was which. So to replace an old PDC, you'd just bring up a new BDC, get him acquainted with the old PDC, and then promote him.
-CWuestefeld (October 15, 2013, 08:56 AM)
--- End quote ---

I was clearly too tired when I wrote that - however when you're accessing via a share the 2 permissions aren't entirely separate - it's the most restrictive of the 2 that applies - more like a logical AND. The least restrictive part is when you have 2 sets of either Sharing or NTFS permissions like from your user and group or multiple groups.

The inheritance part is definitely where it can get particularly tricky, at least WRT non-system folders. That's one area where I find POSIX ACLs vastly superior since you can change the inheritance mask (inherited ACL) for a single user or group without blocking inheritance altogether.

Since my wife and kids use my computer from time to time I always start with extremely restrictive NTFS permissions on the root of my second hard drive and have a User folder where each of them has their own folder with full access. Then another folder off the root they all have most permissions (not Delete or Change Permissions) and a Temp folder off the root where everyone gets full control of the contents but not the folder itself.

The other oddball that can throw a monkey wrench into the works is using reparse points. Junction points and symlinks have separate permissions from the original file or folder and inheritance is based on where the junction or link is, not the file system object it references. So, for example, you can grant Write access to a folder under Program Files without changing the permissions or inheritance of the original. Just create a symlink to the folder somewhere else and it inherits from the path where the junction or symlink is located.

But not always. Depending on the Windows API call used a reparse point may be dereferenced and the context of the target object used instead. To make matters even more complicated junction points can get treated differently than symlinks in those cases. The easiest way to see that in action is to put them into Libraries. If you put a symlink in a Windows Library it gets dereferenced and the original location is actually added. If you put a junction point it gets added like any other folder.

While not related to permissions per se, that makes it a real PITA to add a network location to a library. That may even be the point although that would be stupid. Especially since you can get around it by creating a regular folder, adding it to a library, then deleting the folder and creating a symlink with the same name. Now the target of the symlink, network location or not, is in the library and can be accessed accordingly.
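An added example, not Vurbal's own commands: the data-drive layout from the post above (locked-down root, a per-user folder each, a shared folder without Delete or Change Permissions, and a Temp folder with full control on the contents but not the folder) built with the .NET FileSystemAccessRule class so the inheritance flags are spelled out, followed by a look at a symlink's own ACL next to its target's. D:, alice, bob and SomeApp are hypothetical; run it elevated in Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the thread). The layout described above, with the
# inheritance flags made explicit. Hypothetical: drive D:, accounts alice and bob,
# and a locked-down C:\Program Files\SomeApp to link to. Run elevated.

$root  = 'D:\'
$users = @('alice', 'bob')

# One ACE. InheritanceFlags say whether it flows to subfolders (ContainerInherit)
# and files (ObjectInherit); PropagationFlags InheritOnly means children only,
# not the folder the ACE is set on.
function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit = 'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]$Prop = 'None'
    )
    New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, $Rights, $Inherit, $Prop, 'Allow')
}

# Replace a folder's DACL with exactly the given ACEs and stop inheriting from its parent.
function Set-FolderAcl {
    param([string]$Path, [System.Security.AccessControl.FileSystemAccessRule[]]$Aces)
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)     # protect, and drop the inherited copies
    foreach ($rule in @($acl.Access)) { $null = $acl.RemoveAccessRule($rule) }
    foreach ($ace in $Aces) { $acl.AddAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
}

$admin = @( (New-Ace 'NT AUTHORITY\SYSTEM' FullControl), (New-Ace 'BUILTIN\Administrators' FullControl) )

# 1. Drive root: admins/SYSTEM only. Users may list the root folder itself (no
#    inheritance) so they can get to their own folder, and nothing else.
Set-FolderAcl $root ($admin + (New-Ace 'BUILTIN\Users' ReadAndExecute None))

# 2. D:\Users is listable; each person gets Full Control over their own tree only.
$usersDir = Join-Path $root 'Users'
Set-FolderAcl $usersDir ($admin + (New-Ace 'BUILTIN\Users' ReadAndExecute None))
foreach ($u in $users) {
    Set-FolderAcl (Join-Path $usersDir $u) ($admin + (New-Ace $u FullControl))
}

# 3. D:\Shared: read, create and write, but no Delete and no Change Permissions.
#    Modify would include Delete, so grant ReadAndExecute + Write instead.
Set-FolderAcl (Join-Path $root 'Shared') ($admin + (New-Ace 'BUILTIN\Users' 'ReadAndExecute, Write'))

# 4. D:\Temp: Full Control on everything inside (InheritOnly = children only),
#    while the folder itself only allows listing and creating items.
Set-FolderAcl (Join-Path $root 'Temp') ($admin +
    (New-Ace 'BUILTIN\Users' FullControl 'ContainerInherit, ObjectInherit' InheritOnly) +
    (New-Ace 'BUILTIN\Users' 'ReadAndExecute, Write' None))

# 5. A reparse point carries its own DACL, inherited from where the link sits,
#    and the target's DACL is untouched. icacls follows a symlink to its target
#    unless told to look at the link itself with /L, which shows the two side by side.
$target = 'C:\Program Files\SomeApp'        # hypothetical locked-down folder
$link   = Join-Path $root 'Shared\SomeApp'
New-Item -ItemType SymbolicLink -Path $link -Target $target | Out-Null
icacls $link /L       # the link object: inherits D:\Shared's Users ACE (RX + W)
icacls $link          # dereferenced: the target's Program Files ACL
icacls $target        # the target directly, unchanged by creating the link
```

The two icacls calls on the same path in step 5 are the point Vurbal makes about API-dependent dereferencing: whether you see the link's ACL or the target's depends on whether the call opens the reparse point itself or follows it.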

Stoic Joker:
You still a bit tired there V? Because you quoted the wrong post. :D
Either way, I hear Ya man! :Thmbsup:
