
Domain controller management

18 Jul 2006 | SearchWinComputing.com


In a Windows environment, the domain controller -- the server that responds to security authentication requests -- doesn't always honor login or permission requests. Below you'll find some domain controller troubleshooting questions Windows administrators asked of SearchWinComputing.com's server experts.

  • Why do my clients attempt to use the same domain controller as their logon server?
  • Why can't I log into the domain?
  • Why can't our users log on to one of our domain controllers?
  • Can I rename a server once it's been promoted to DC status?
  • Can I restore local administration rights when DC password is lost?
  • Are there any known issues with SP1 on a domain controller?
  • What are the ramifications of doing a broad scale change to domain accounts?
    Why do my clients attempt to use the same domain controller as their logon server?

    We have two domain controllers at two different sites in India and the U.S. Some of the Windows XP and Windows 2000 clients in the U.S. are using the India domain controller as their logon server. This is causing the logon to be very slow. How can we solve this issue?

    Active Directory clients are site-aware, which means that they will attempt to contact a domain controller in the same site before attempting to authenticate across a WAN link. Be certain that you've correctly configured your sites, subnets and site links in Active Directory Sites and Subnets, since this is the information that your clients will rely on to select an appropriate logon server.

    Why can't I log into the domain?

    When attempting to log into the domain my machine takes a lot of time and sometimes does not even complete the process. I am using Windows 2000 Server and the domain controllers are using Windows 2003 Server. Can you help?

    Without additional information it's hard to point to a specific culprit. However, some general troubleshooting steps you should take include checking the Event Viewer on the client that is having trouble logging on, as well as on your domain controllers. You should also test network connectivity using PING and TRACERT, and use netdiag and nslookup on your domain controllers to verify that your DNS records are set up properly, particularly the SRV records that indicate the location of your domain controllers.
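
    The SRV-record check described above, combined with the site lookup from the previous answer, as an added example that is not part of the original article. It assumes PowerShell 3.0 or later on the client (Resolve-DnsName and Test-NetConnection are not available on Windows 2000/XP-era systems), and `example.com` is a placeholder domain name.

```powershell
# Added example: check the DC locator SRV records a client depends on and
# whether each advertised domain controller is reachable on the listed port.
param(
    [string]$Domain = 'example.com',  # placeholder: replace with your AD DNS domain
    [string]$Site   = ''              # optional AD site name; empty = ask Netlogon
)

# Ask Netlogon which AD site this client's subnet has been mapped to.
# An unexpected site here points to wrong subnet-to-site definitions.
if (-not $Site) {
    $out = & nltest.exe /dsgetsite 2>$null
    if ($LASTEXITCODE -eq 0 -and $out) { $Site = @($out)[0].Trim() }
}
Write-Host "Client site: $(if ($Site) { $Site } else { '(none resolved)' })"

# Domain-wide locator records, plus the site-specific record when a site is known.
$names = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
if ($Site) { $names += "_ldap._tcp.${Site}._sites.dc._msdcs.$Domain" }

$results = foreach ($name in $names) {
    $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        # A missing record means clients cannot locate a DC through this name.
        [pscustomobject]@{ Record = $name; Target = '(no SRV record)'; Port = $null; Reachable = $false }
        continue
    }
    foreach ($r in $srv) {
        $ok = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Record = $name; Target = $r.NameTarget; Port = $r.Port; Reachable = $ok }
    }
}

$results | Format-Table -AutoSize
```

    A site-specific record that lists only remote domain controllers, or no record at all, is consistent with the slow cross-WAN logons described in the first question.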

    Why can't our users log on to one of our domain controllers?

    We have two sites. I put my main domain controller with AD and DNS at the primary site and an additional domain controller (DC) at the other site with DNS. Both sites were connected with a high-speed link. I gave both DCs the global catalog role for fault tolerance. But when the link was down, none of my users were able to log on at the other site where I kept the additional domain controller. All of my clients are either NT or Windows 98. What is the problem in authenticating and how do I solve this?

    Make sure that one DC in each site is a global catalog (GC) server, as your clients will not be able to log on without access to the GC. (Here are some instructions on enabling a controller to be a GC.) Also make sure that you have WINS running in both locations, as NT and 98 clients require NetBIOS for name resolution.

    Can I rename a server once it's been promoted to DC status?

    We are running a Windows Server 2003 Active Directory domain. We are replacing one of our production Windows 2000 member servers with newer hardware running Windows Server 2003 and want it to keep its hostname and IP address. What must I do to ensure a smooth transition for this machine?

    It's generally a bad idea to rename a server once you have promoted it to DC status. Let's say that your current DC is called DC1. Installing your new server as a member server called SERVER1 would be your best bet. Then, I suggest installing a third machine as a domain controller, call it DC2. Once DC2 has been installed as a domain controller, transfer all 5 FSMO roles from DC1 to DC2, and run dcpromo to gracefully remove the old DC1 from your network. Once you've removed the old DC1 from your network, you can rename the SERVER1 member server to DC1. Then you can run dcpromo on the new DC1 to introduce it to your network gracefully.

    Can I restore local administration rights when DC password is lost?

    The local administration has gone and no one knows what the DC password is (Windows 2003). A locksmith allowed me to reset the local administration password and now the account has very limited access. I can access the server but I cannot do much. How do I restore those local administration rights?

    If you've forgotten or lost the domain administrator's password and you do not have another user with administrative rights, you can perform a parallel installation of the OS onto a different partition, or use a password recovery utility to reset the password.

    Are there any known issues with SP1 on a domain controller?

    I run a network of about 2500 PCs and 200 servers. I have an Active Directory in native 2003 mode and I have 23 domain controllers (I only have one domain). I would like to upgrade to Windows 2003 Server SP1. Before I upgrade, are there any known issues with SP1 on a domain controller I should know about?

    The majority of known issues surrounding SP1 involve installing SP1 on an SBS server. Aside from that, each individual upgrade process is unique based on the hardware and software that is installed on the domain controller – you should test the SP1 upgrade process in a test environment before deploying it on your production hardware. Microsoft KB article 889101 includes the Release Notes for SP1, which also detail a few known issues to be aware of before upgrading.

    What are the ramifications of doing a broad scale change to domain accounts?

    I have a client who is running a Windows 2000 Server/Exchange 2000 Server domain that has had domain user names in a certain format (e.g. jsmith) for a few years. My client just recently changed their Internet e-mail address scheme to be joes@domain.com. Now my client wants to change the domain accounts to match the new e-mail format (joes@domain.com) and delete the other SMTP addresses with the old scheme. I have 75 users that I need changed. What are the ramifications of doing a broad scale change to domain accounts to match SMTP Internet e-mail address schemes?

    Instead of recreating and deleting accounts, consider using the Dsmove command with the -newname switch to rename the accounts as they are. User accounts are assigned unique identifiers that are independent of the user name. Start with a small group of users as a test, and be sure to give your domain controllers time to replicate the change if you are split over multiple sites.


