Ramblings From The Litter Tray of Life

Posts Tagged ‘Permissions’

Migrating DHCP Servers

Posted by graycat on 15 June 2008

We’re consolidating our servers at present so are shuffling a few roles about to their optimum places. One of these is moving the networking and AD roles in one office onto a single server rather than spreading them over a few. Migrating a brand new DHCP server is quite often as simple as copying the database from one to the other and restarting the service. However, if you want to move a live one with reservations and leases etc. it becomes a bit trickier.

Microsoft very kindly provide information and even a “How To” for migrating between different versions (here). After reading it thoroughly I found it to be really useful but unfortunately it doesn’t cover my situation adequately. If you’re migrating from an NT4 / 2000 / 2003 member server to a 2003 member server then it is absolutely spot on. If you’re doing something else it becomes less so.

Anyway, before we go into the situation I tackled tonight (it is late Saturday night / early Sunday morning after all!) here’s a brief outline of the MS page for those people who are migrating between two 2003 member servers:

  1. compact the source database using the jetpack command (the DHCP Server service has to be stopped while jetpack runs, as it needs exclusive access to dhcp.mdb)
  2. export the database using netsh dhcp server export c:\dhcp.txt all
  3. import the database using netsh dhcp server import c:\dhcp.txt all
  4. authorise the server if you haven’t already and away you go

As I said, the Microsoft step by step guide is really good for member server to member server migration. Unfortunately for me, I had to migrate from a member server to a domain controller and this proves a little trickier.

My first attempt resulted in an error message stating something like:

COMMAND FAILED: Unable to access audit file path as specified

Understandably this was a bit off-putting but nothing I couldn’t deal with.
Initially I put it down to a file path issue as the source server has the OS installed on H:\ (no idea why, it just is ok?) and the new server has only the C:\ partition. My first attempt was to rejig the source set-up to point to the C:\ partition for the backup and database path and try again. No change though, so I tried a few more things like having services started or stopped at the various export / import phases but I still came back to the same message.

After reading the Microsoft document really in-depth, I spotted an almost throwaway line regarding importing on to a DC. The basis is that you need to explicitly be a member of the local administrators group and, as there are no local user accounts on a DC, this could prove tricky.
The Microsoft article mentions in about half a line that you need to restart the server into Directory Services Restore Mode and then use that local administrator account to import the database. This is a great idea ….. if you’re onsite and have physical access to the server to do this. If, on the other hand, you are like me and are sat on the sofa watching a movie, having a glass of wine and working over a VPN then this really isn’t going to work all that well for you. Well, unless you happen to have either the server in your lounge or are sleeping at work. Again.

Worry not though! I found a trick that worked so smoothly I had to give myself a high-five. Sad, I know but it was the thing to do at the time.

My thinking at the time was that if I can’t log on in Directory Services Restore Mode, what’s the highest local account I could access? Well, as the domain admin account I was using was probably second only to the Administrator account for admin rights I was a bit stuck. Until it hit me – I’m using a domain account but I need a local account on a machine that doesn’t have any ….. but all machines have a system account! So using the age old trick to kick off a command line box as the local system account (detail upon request if you don’t already know it) I ran through the import phase again…. and it worked a dream.
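The procedure in the step list above, plus the run-as-SYSTEM workaround for a domain controller, pulled together into one script. This is an added example and not code from the original post; it assumes Windows Server 2003-era tooling (netsh.exe, jetpack.exe and at.exe, on which `at` jobs run as LocalSystem), PowerShell 2.0 or later, and the file paths C:\dhcp.txt, C:\dhcp-import.cmd and C:\dhcp-import.log. Instead of an interactive command box it relaunches the import as a one-off `at` job with the output captured to a log, which avoids the console-session problem when you are working over RDP.

```powershell
# Added example, not part of the original post. Wraps the jetpack/netsh
# export and import steps and, on a domain controller, re-runs the import
# as LocalSystem via a scheduled 'at' job rather than an interactive cmd box.
# Assumptions: Server 2003-era netsh.exe/jetpack.exe/at.exe, PowerShell 2.0+,
# and the paths below.
param(
    [string] $Mode = 'Export',          # 'Export' on the source, 'Import' on the target
    [string] $DumpFile = 'C:\dhcp.txt'  # assumed dump file location
)

$ScriptPath = $MyInvocation.MyCommand.Path   # captured here so the relaunch can find us

function Invoke-Checked {
    # Run an external command and stop on a non-zero exit code, so a failed
    # step such as "Unable to access audit file path" halts the run.
    param([string] $Exe, [string[]] $Arguments)
    Write-Host "> $Exe $($Arguments -join ' ')"
    & $Exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "$Exe exited with code $LASTEXITCODE" }
}

function Set-DhcpServiceState {
    # Bring the DHCP Server service to the requested state and wait for it.
    param([bool] $Running)
    $svc = Get-Service -Name DHCPServer
    if ($Running -and $svc.Status -ne 'Running') { Start-Service $svc; $svc.WaitForStatus('Running') }
    if (-not $Running -and $svc.Status -ne 'Stopped') { Stop-Service $svc; $svc.WaitForStatus('Stopped') }
}

function Export-DhcpDatabase {
    param([string] $Path)
    # jetpack needs exclusive access to dhcp.mdb, so the service is stopped for
    # the compaction; netsh export needs the service running again afterwards.
    Set-DhcpServiceState -Running $false
    Push-Location "$env:SystemRoot\System32\dhcp"
    try { Invoke-Checked 'jetpack.exe' @('dhcp.mdb', 'tmp.mdb') } finally { Pop-Location }
    Set-DhcpServiceState -Running $true
    Invoke-Checked 'netsh.exe' @('dhcp', 'server', 'export', $Path, 'all')
}

function Test-NeedsSystemContext {
    # The import must run as a local administrator. On a domain controller
    # (Win32_ComputerSystem.DomainRole 4 or 5) there are no local accounts, so
    # unless we are already LocalSystem we relaunch under it.
    $role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
    $isSystem = [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem
    return ($role -ge 4) -and (-not $isSystem)
}

function Import-DhcpDatabase {
    param([string] $Path)
    if (Test-NeedsSystemContext) {
        # 'at' jobs run as LocalSystem on Server 2003. Write the relaunch into a
        # .cmd file (sidesteps nested-quote trouble), schedule it one minute out
        # and capture its output to a log. Paths are assumptions.
        $when   = (Get-Date).AddMinutes(1).ToString('HH:mm')
        $log    = 'C:\dhcp-import.log'
        $runner = 'C:\dhcp-import.cmd'
        "powershell.exe -ExecutionPolicy Bypass -File `"$ScriptPath`" -Mode Import -DumpFile `"$Path`" > `"$log`" 2>&1" |
            Set-Content -Path $runner -Encoding Ascii
        Invoke-Checked 'at.exe' @($when, $runner)
        Write-Host "Import scheduled as SYSTEM at $when; check $log when it has run"
        return
    }
    Set-DhcpServiceState -Running $true
    Invoke-Checked 'netsh.exe' @('dhcp', 'server', 'import', $Path, 'all')
    # List what arrived so the scopes can be eyeballed before authorising the server.
    Invoke-Checked 'netsh.exe' @('dhcp', 'server', 'show', 'scope')
}

switch ($Mode) {
    'Export' { Export-DhcpDatabase -Path $DumpFile }
    'Import' { Import-DhcpDatabase -Path $DumpFile }
    default  { throw "Unknown -Mode '$Mode'; use Export or Import" }
}
```

Run it with `-Mode Export` on the old server, copy the dump across, then `-Mode Import` on the new one; on a member server the import just runs, on a DC the script schedules itself and exits, and the log tells you whether the import and the `show scope` listing succeeded. On Vista / 2008 and later `at` is gone or no longer runs as SYSTEM in the same way, so substitute `schtasks /ru SYSTEM` or Sysinternals `psexec -s` for the relaunch.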

So in the end it turned out to be a permissions issue and that it could be resolved remotely by using the system account to do the final import. All that’s left for me to do tonight is clean the two servers up, deactivate the old scope before unauthorising the old server. Tomorrow I’m going to check in on the new server a few times to make sure it’s leasing correctly and all the settings have stuck after the transfer. To be honest, I’m 90% certain it’s going to work but there’s no point in risking it with a whole live network, is there?

Right, time for some more wine and a chill-out I think. Enjoy your weekend.

Posted in IT | 2 Comments »