More than one Administrator Account and Reinstalling OS on a DC

Guest

Dear All,

I am fairly new to Active Directory, so please forgive my questioning.

In our small network we have 2 domain controllers running Windows 2000
Advanced Server. I presume we have 2 for redundancy etc. Active Directory is
running in Native Mode.

I need to rebuild one of the domain controllers because the machine it's
running on is a very old and very slow server. I want to know how I go about
removing the domain controller from the network so that I can rebuild it,
join it to the existing AD and promote it back. Does anyone have any
information on how to do this?

Also (very important), in AD Users & Computers, there seem to be 2 built-in
accounts for administering the machine/domain... at the moment they are
renamed differently. Is this to be expected? These accounts co-exist in the
Administrators group. I can't remove one of them. I thought that there should
only be one Administrator account for the domain. Or is this because I
have 2 domain controllers?

Also, when removing domain controllers, how do I know which is the first
domain controller in the forest? Will removing the wrong domain controller
cause a big problem, or will the roles be given to the one remaining DC when
I demote and remove the other one?

I hope someone can help me. I am new to AD and my company.

Much Thanks,
Rob

Also, is there anything I should be aware of when I do this?

Ryan Hanisco

Robert,

What you will want to do is make sure that the DC you are keeping is running
your vital services... GC, DNS, DHCP, WINS, File/Print Share and the like.
Then you will use DCPROMO to demote the old controller. The FSMO roles and
all will be transferred to the other controller -- this way it doesn't
matter which one was the first. Just remember not to choose that option
that says that "this is the last controller in the forest."

With the admin accounts, which two are you referring to? You should have
the admin account, but then also domain admins and enterprise admins... is
there one there that was manually created?

Good luck.
 
C

Chriss3 [MVP]

Hello Robert, thanks for joining the Microsoft community.

1. First, to deal with the administrator question: there is only one built-in
administrator account (the one that you can't remove from the Administrators
group), but the security best practice is to rename the built-in
administrator account to something else and create a regular user named
Administrator, to avoid attacks on the real administrator account. Another
thing that is common and best practice is to create an additional
administrator account, in case you lose the password of the built-in one, or
to set up admin accounts for each person that needs to have domain admin
rights; that way, when each admin has their own account, you can turn on
auditing and track who did what.

2. When you remove an existing Domain Controller from Active Directory,
you have to demote it, just as you once promoted it using DCPROMO. Have a look
at the KB: http://support.microsoft.com/kb/238369/EN-US/
What you have to think about is moving the FSMO roles if the Domain
Controller you are trying to demote is the holder of any of them.
See the KB below about how to transfer FSMO roles.
Using Ntdsutil.exe to seize or transfer FSMO roles to a domain
controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

If the Domain Controller is also set to be a Global Catalog Server, you
have to ensure that at least one other Domain Controller is a Global Catalog
Server; if not, you have to make another Domain Controller a Global Catalog
Server before you demote it. Have a look at the KB below about how to do so.
How To Create or Move a Global Catalog in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;313994

Active Directory is dependent on DNS, so if the Domain Controller you
are about to demote is holding the last replica of the DNS zone for the
particular domain, you have to install and configure DNS with a replica of
the particular domain on another Domain Controller.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
 
G

Guest

Thanks for your quick reply - most appreciated. Pardon my lack of
understanding too.

The other roles you describe (Enter Admin, Domain Admin etc) do exist, but
there are still two "In-built account for administering the machine/domain".
Are these in AD Users and Computers because I have 2 domain controllers
currently... one for each machine?

Also, how do I check if the DC I am removing is the Global Catalog, and am I
right in thinking that this isn't one of the FSMO roles?

If the server I was demoting did have some of the FSMO roles, wouldn't they
get automatically transferred to the other DC? Or do I have to do that
manually?

DNS is installed on the other server so that should be OK, i.e. not the one
I am demoting. But do I need to remove the references to the DC I am demoting
on this DC?

Hope you can help

Chriss3 [MVP]

Hello again Robert,
Someone has created a regular user account and may have added it to
administrative groups for the reasons I described in my last reply.
There is only one built-in administrator per domain.

You can find out how to check whether a domain controller is a global catalog
server or not in this KB: http://support.microsoft.com/?kbid=313994

FSMO roles are actually supposed to be transferred automatically during
demotion, if the DC holds any FSMO roles at that time, but in fact this
can fail, so the best way is to do this manually before demotion.

One more thing: when the demotion wizard has completed, you have to manually
remove the DC from the Active Directory Sites and Services snap-in, from the
particular site where it existed.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
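The pre-demotion checks Christoffer lists across both replies (FSMO roles, a surviving Global Catalog, DNS still served elsewhere) can be scripted. The following is an added example, not code from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module on a current Windows Server (not the Windows 2000 era of the thread), a Domain Admin session, and placeholder DC names OLDDC01 / NEWDC01.

```powershell
# Added example: pre-demotion checks for an outgoing DC (not from the thread).
# Assumes the RSAT ActiveDirectory module and a Domain Admin session.
# $OldDc / $KeepDc are placeholder names; replace with your own.
param(
    [string]$OldDc  = 'OLDDC01',   # the controller about to be demoted
    [string]$KeepDc = 'NEWDC01'    # the controller that stays
)
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. FSMO roles: the role holders come back as FQDNs, so match on host name.
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$OldDc.*" })
if ($held.Count -gt 0) {
    Write-Warning "$OldDc still holds: $($held.Key -join ', ')"
    # Transfer (not seize) the roles to the surviving DC before DCPROMO.
    # -WhatIf only shows the plan; remove it to actually move the roles.
    Move-ADDirectoryServerOperationMasterRole -Identity $KeepDc `
        -OperationMasterRole $held.Key -WhatIf
} else {
    Write-Host "$OldDc holds no FSMO roles."
}

# 2. Global Catalog: is the outgoing DC a GC, and is at least one other left?
$oldInfo  = Get-ADDomainController -Identity $OldDc
$otherGcs = @($forest.GlobalCatalogs | Where-Object { $_ -notlike "$OldDc.*" })
if ($oldInfo.IsGlobalCatalog -and $otherGcs.Count -eq 0) {
    Write-Warning "$OldDc is the only GC; enable GC on $KeepDc first, e.g.:"
    Write-Host "  Set-ADObject (Get-ADDomainController $KeepDc).NTDSSettingsObjectDN -Replace @{options=1}"
} else {
    Write-Host "Remaining GCs after demotion: $($otherGcs -join ', ')"
}

# 3. DNS: confirm the surviving DC answers the domain's locator SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" `
    -Type SRV -Server $KeepDc -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Warning "$KeepDc does not serve the domain's SRV records; fix DNS first."
}
```

After DCPROMO completes, the server object still has to be removed from Sites and Services by hand, as the reply above notes.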