So domains aren't usually my territory, but I believe I have a functional understanding of this manner of system. Anyway, the problems I'm encountering are (seemingly) simple ones, offset by the fact that I am, for all intents and purposes, completely green when it comes to domains.
The local network is mediated by a single Server 2000 system acting as the sole domain controller for an office of 17 systems. Users log in, do their work, log out. The problem, however, is that the old domain controller needs to be retired due to a number of complications developing within its domain infrastructure (stemming from physical data corruption). A new server was constructed to take its place, running Server 2003 Standard R2.
I am now at a fork where I need to decide which course of action to take. Do I attempt to migrate the old domain over to the new system? And if so, then how would I go about doing such a thing reliably? Or do I simply create a new domain on the new server and port the existing machines over to said infrastructure, moving account data and user profiles with the aid of the user hive migration tools?
(Pardon the wordy nature of this, but I feel I should explain my state before explaining the problem itself.) The second genuine problem stems from an experiment with the latter, namely in attempting to completely reconstruct the user rights assignments on the domain. Right now, they really do not exist. Corruption has claimed a few user accounts and people without the slightest understanding of user rights have come in and made a complete mess. On top of this, I was looking to configure the server in such a way as to offer four tiers of regular user rights (Editor < Designer < Developer < Management < Domain), so I felt it would be worth attempting to model this on an isolated test network connected to the new domain controller instead of doing so on the primary server.
I've managed to hit a brick wall from this point on. I somehow cannot seem to create a user group that allows an account to have local administrative privileges on whatever system it is logged in to without making it a domain administrator (I wish for this user level to have full system access, but no domain controller access). I have a feeling that perhaps I should investigate finding a means of denying the Domain Administrator direct access to the server and instead promoting those with server access to Enterprise Admins and/or Schema Admins, but this seems like it might have some unintended side-effects. This has been a consistent stumbling point, as I want both Designers and Developers to have access to the system, but do not want editors (typically short-term employees) to have the same. (I'm also tempted to deny the dangerously curious management access of any sort, instead loading up a pretty picture/movie or other distraction to keep them from touching anything while making them feel productive. But I suspect that wouldn't go so well once they tried to actually do anything...)
My thoughts remain that I am torn between the two possibilities. While the porting of the systems to the entirely new domain would be chaotic, I would be able to start from scratch and abandon the nearly nine years of packed-in crap. But the easiest, most transparent solution would be to do it the proper way... transfer the domain controller as intended by design through the built-in management system. But I have no clue where to even start when it comes to this, and the vast majority of the online guides seem to approach it from the perspective of someone with a great deal of knowledge and experience. I have neither in this territory. The last thing I want to do is leave the office with no domain whatsoever, which would be an absolute nightmare. The decision would best be made by tonight or early tomorrow, as the weekend allows me a two-day window to get this done and running smoothly.
So everyone chime in on this. I'll be poking my head in occasionally.
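The "local admin on every workstation, but not a domain admin" tier asked about above is normally done by nesting, not by touching Domain Admins at all: create an ordinary domain global group, then make that group a member of the built-in local Administrators group on each member machine (the point-and-click equivalent is a Group Policy Restricted Groups setting linked to the workstation OU only). The script below is an added example, not from the post or from anyone in the thread. It assumes a domain called corp.local with a Groups OU and groups named Designers, Developers and Workstation Admins, all illustrative; the ActiveDirectory cmdlets in Part 1 need Server 2008 R2 or later (on the Server 2003 box in the post the same group would be created in Active Directory Users and Computers), while Part 2 deliberately uses `net localgroup`, which exists on every Windows version from 2000 onward.

```powershell
# Added example, not part of the original post. Domain, OU and group names
# (corp.local, OU=Groups, Workstation Admins, Designers, Developers) are assumed.

# ---- Part 1: run once on a domain controller ----------------------------
# Create a plain global security group. It is NOT added to Domain Admins,
# Enterprise Admins or Schema Admins; it carries no domain-level rights.
Import-Module ActiveDirectory

$groupName = 'Workstation Admins'
$groupOU   = 'OU=Groups,DC=corp,DC=local'

if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $groupOU)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Path $groupOU `
        -Description 'Local admin on member workstations only; never a DC admin'
}

# Designers and Developers get workstation admin; Editors deliberately do not.
Add-ADGroupMember -Identity $groupName -Members 'Designers', 'Developers'

# Safety check: the new group must not end up inside any of the three
# domain-wide admin groups, directly or through another group. The
# LDAP_MATCHING_RULE_IN_CHAIN filter returns every group that transitively
# contains the given DN.
$groupDN = (Get-ADGroup -Identity $groupName).DistinguishedName
$parents = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$groupDN)" |
           Select-Object -ExpandProperty Name
foreach ($privileged in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    if ($parents -contains $privileged) {
        throw "$groupName is nested inside $privileged; remove it before deploying"
    }
}

# ---- Part 2: run on each member machine ---------------------------------
# Deploy e.g. as a GPO startup script linked to the workstation OU, NOT to
# the Domain Controllers OU. Nesting the domain group into the machine's
# local Administrators group gives full local rights on that machine only.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC. A DC has no
# local Administrators group separate from the domain's, so refuse to run there.
if ($role -ge 4) {
    Write-Warning 'This machine is a domain controller; not granting workstation admin here.'
    return
}

$domainGroup = "CORP\$groupName"
# 'net localgroup' lists current members one per line; add only if missing.
$current = net localgroup Administrators
if ($current -notcontains $domainGroup) {
    net localgroup Administrators $domainGroup /add
}
```

Linking Part 2 only to the OU that holds the 17 workstations (and keeping the Domain Controllers OU out of its scope) is what enforces "full system access, but no domain controller access": the Workstation Admins group never appears in any group that exists on the DC, so its members cannot log on to or administer the domain controller itself.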