Windows 2000 relies on some network services much more heavily than does Windows NT 4.0. You'll need to ensure that all your core networking services are functioning correctly once you've migrated to Windows 2000. In this lesson, you'll learn what to if these networking services fail.
After this lesson, you will be able to
Estimated lesson time: 40 minutes
Name resolution problems can be critical during a migration from Windows NT 4.0 to Windows 2000. For example, if you can't perform name resolution properly, you'll be unable to run the Active Directory installation wizard in your Windows 2000 environment. A thorough understanding of the problems you might encounter with name resolution and how to solve them is essential if your Windows 2000 migration is to proceed smoothly.
To ensure that your name resolution problems are minimized, you should do the following:
If DNS is unavailable or doesn't support dynamic updates, the records for a new domain controller can't be created when you run the Active Directory installation wizard. The installation wizard will prompt you to confirm your DNS server settings at this point or ask whether you want to set up your own server as a DNS server.
NOTE
If you already have a DNS environment in place and are having network connectivity problems, you shouldn't create your own server as a DNS server while installing Active Directory. Doing so would result in two primary DNS servers for a particular zone. Instead, you should resolve the network connectivity problems and ensure that the DNS server information is correct in the TCP/IP settings of the server you're upgrading.
If name resolution isn't functioning as it should, it's quite possible that not all the records that should be in DNS are actually there. Ensure that you're using dynamic update on your DNS servers, or, if you've elected not to, ensure that all the records have been manually entered.
To ensure that the appropriate records are in DNS, you can use the DNS administrative tool or the Nslookup utility. To repopulate DNS with Active Directory information in the event of a failure, you can use the Netdiag utility. You might also need to run ipconfig /registerdns and restart the Netlogon service.
In this practice, you'll test network connectivity and recover from a DNS database corruption.
To check the status of DNS
Note how Netdiag tests all the key elements of your server, including the availability of DNS. (See Figure 11.9.) All the tests should either be shown as skipped or passed at this stage.
Note the number of tests listed in the log file and especially that the DNS test passed.
Now you're about to use the DNS administrative tool to do some drastic damage—but don't panic (and don't do this on your live systems).
Figure 11.9 Running a Netdiag test
To purposely bring down the DNS service
Figure 11.10 Corrupting the DNS database
To test the DNS service on MIGKIT1
You should see all DNS tests failing, as shown in Figure 11.11.
Figure 11.11 Confirming the DNS failure
To repair the DNS service
Netdiag is a useful troubleshooting tool for reporting and repairing problems.
Domain controllers need to replicate with one another successfully to maintain Active Directory information across your enterprise. If replication doesn't occur successfully, problems such as failed logons and failure to access resources can occur.
The site structure you've chosen will significantly affect the replication topology. Recall that all intrasite replication occurs via remote procedure call (RPC) mechanisms, and intersite replication must also occur over RPC if the servers are in the same domain (otherwise, they can use SMTP).
Replication can fail for a number of reasons. Here are some of the most common ones:
Two tools from the Microsoft Windows 2000 Server Resource Kit are particularly useful for troubleshooting replication problems: RepAdmin and Replmon. RepAdmin can be used to administer replication topologies and Replmon can be used to graphically locate and view replication topologies and instigate replication between partners. Figures 11.12 and 11.13 show some of the options available with Replmon.
Figure 11.12 Replmon options for a server
Figure 11.13 Replmon graphical representation of domain controllers in the trainkit forest and server properties of trainkit1
Once your migration is complete, if you have no NetBIOS applications, you'll have no real need for NetBIOS. However, during a migration, it's an important part of your Windows 2000 environment. Indeed, if NetBIOS applications remain, NetBIOS will also remain, potentially long after you're running Windows 2000 in native mode.
Failure of NetBIOS name resolution can occur in a number of situations. Some of the most common causes are listed here:
If NetBIOS name resolution does fail during a migration, legacy clients might be unable to contact domain controllers, and problems can occur with synchronization between the Windows 2000 PDC emulator and Windows NT 4.0 BDCs. Ensure that you implement a fault-tolerant mechanism such as backing up WINS servers for maintaining NetBIOS services during the migration.
Don't remove WINS from your environment until you're sure that it's no longer required. (As seen in Chapter 3, "Assessing Your Current Infrastructure," you can use Performance Monitor to analyze your WINS servers before removing them from the Windows 2000 infrastructure).
DHCP servers function under Windows 2000 in much the same way as they do under Windows NT, with one fundamental exception—they must be authorized in Active Directory to function. When you upgrade a Windows NT server running DHCP, it ceases to function as a DHCP server until the upgrade is complete and you authorize the server. In a migration scenario, it often makes sense to migrate this role onto servers already running Windows 2000 rather than upgrade the server and lose DHCP in the meantime.
If you do choose to migrate the role, remember that the considerations you had for DHCP under Windows NT 4.0 still apply. For example, if you migrate the role to a server in a different subnet and you want to service the same clients as you always did, you'll need the router(s) separating you from the old subnet to forward BOOTP requests, or you'll need to use DHCP Relay agents.
NOTE
BOOTP might be shown as RFC 1542 in some manuals.
Although authorizing DHCP servers gives you a measure of control over which servers hand out IP addresses, remember, this doesn't stop anyone from bringing a DHCP server onto the network that can service Windows 2000 DHCP clients. For example, your old Windows NT 4.0 servers can service DHCP clients, as can authorized DHCP servers from a separate Windows 2000 forest. By registering your DHCP servers in Active Directory, it's harder for rogue DHCP servers to service Active Directory clients.
One significant difference between Windows NT 4.0 DHCP clients and Windows 2000 DHCP clients is their behavior in the event of not being able to find a DHCP server. Windows NT 4.0 clients are configured with an address of 0.0.0.0 under these circumstances, whereas Windows 2000 clients are automatically assigned with an address in the range of 169.254.0.1 through 169.254.255.254. (Incidentally, Microsoft Windows 98 and Microsoft Windows Me clients also behave this way.) This feature is known as Automatic Private IP Addressing (APIPA). Unusual network behavior such as certain subsets of clients being able to communicate with each other but not with the rest of the network can be caused by this "self-assignment" of IP addresses.
If you'd like to check whether DHCP addresses are being handed out to the clients, perform these steps:
If the IP addresses begin with 169.254. and no DHCP server is listed, the clients might be having connection problems with the DHCP server because these addresses are self-assigned. The incorrect IP addresses will be confirmed if you try to access servers on the network and fail to connect.
It is also worth mentioning the important role of the DHCP client in Windows 2000. Regardless of whether addressing is automatic or static on a client in a Windows 2000 environment, the DHCP client service is still important because it's responsible for registering the client with DNS by default. So if clients aren't being registered in DNS, it could actually be the DHCP client service that isn't running.
In this lesson, you learned how to troubleshoot a variety of network service failures, including DNS, WINS, DHCP, and replication problems.