Win2K DC AD Problem

Ash Ridley

Hi,

I have a network consisting of 2 domains within a single forest. The
original domain now only contains a single server which now has an
intermittent problem authenticating clients from the other domain. I would
like to remove active directory from this server and then install it as a DC
in the other domain (I've been migrating to the new domain over time so I
don't need to keep the original domain, which is why I'm not worried about
getting to the bottom of why the server is suddenly playing up).

This server is however the first DC in the domain and the forest. I know I
need to transfer the FSMO roles to another DC, but I am concerned there are
other things that need to be done since this was the first domain in the
forest.

Can anyone point me at documentation for getting rid of the original
domain/forest DC but keeping another domain in the forest?

Thanks

Ash
 
Jorge_de_Almeida_Pinto

I’m not sure if I understand you, but are you saying you have a
forest root domain with 1 DC (not recommended!) and another child
domain (or even tree root domain) and you want to demote the single DC
and promote it again as DC to the child domain or the tree root
domain? If your answer is yes then:

It is NOT possible to make another domain in a forest the new forest
root (the first domain creating the forest) in an AD forest!
 
Cary Shultz [A.D. MVP]

Ash,

I am with Jorge on this. It is not really clear as to what type of
environment you have.

Assuming that you have a single domain/tree/forest environment then having
two Domain Controllers is a really really really good idea. Have I
mentioned that having two DCs is a really good idea? Having only one Domain
Controller is asking for a problem that you probably do not need/want.
Always hope for the best but plan for the worst. Having two Domain
Controllers will save your sanity.

So, the first DC that existed in the domain/forest holds all five of the
FSMO roles. It is also a Global Catalog Server. It is also ( probably )
the DNS server. As well as the DHCP server. If you were to dcpromo that DC
right now - without doing anything else - you would probably have a few
problems.

There should not be any problems with the five FSMO roles. They would be
transferred to another DC during the dcpromo process. However, I like to be
in control and do this manually. There are two ways: via the GUI and via
the command line. Please look at the following links:

Command Line
http://support.microsoft.com/?id=255504

GUI
http://support.microsoft.com/?id=255690

If you use ntdsutil to do this please note that you have to bind to the
existing DC.....not to the DC that is gone. This is a common error that is
pointed out in the article.

You would also need to make sure that the remaining DC is a Global Catalog
server. If you are in Native Mode or use Exchange 2000 in your
environment and there is no GC, you will have problems.

With DNS and DHCP you might not have problems....well, your clients would
have problems finding a DC as I would assume that DHCP running on the DC
would be set up with the options ( and that information would now be less
than accurate ). So, you would want to make sure that you look at both
before you run dcpromo.

There are a few other things ( like Certificate Services ) that might come
into play.

Running dcpromo on a Domain Controller simply removes it from being a Domain
Controller in that Domain. It would now be a Member Server. You could
easily run dcpromo on it again and make it a Domain Controller in that same
Domain or in any other Domain ( just make sure that it has a correct static
IP Address and the correct subnet, default gateway and DNS information ).

Does this help?
--
Cary W. Shultz
Roanoke, VA 24012

WIN2000 Active Directory MVP
http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
Ash Ridley

Apologies for not being more specific.

When the forest/domain was first set up it had several domain controllers in
the single domain. Since then the company has changed name and all but 1
DC were then moved to a new (not child) domain in the same forest. Now I
want to get rid of the original domain completely (mainly because it is
causing problems), but since this was the first DC in the forest I need to
check if there are any specific tasks (other than moving FSMO) I need to do.
 
Cary Shultz

If this problematic DC is from the first DC in the first domain of the
forest then that domain is what is called the root domain. You can not get
rid of it. Well, you can, but then your entire forest is pretty much done.
Although you have other trees, you can not get rid of the root domain.

Just in case you are not clear on what multiple trees in a forest are ( and
in case I have misunderstood what you mean ), when you create the very
first DC in an environment you are creating what is called the root domain
in the forest. It is the first domain in the first tree in the forest. You
can add additional Domain Controllers to this domain. That part is clear.
You can also add additional trees to the forest. This part is sometimes
confusing for people. You can also add child domains.

So, for an example. Let's say that you run dcpromo on a server and you
start out with yourdomain.com. This is the root domain. Without this
domain your entire forest is useless. Later, you decide to add a child
domain to this environment. So, you create hotshots.yourdomain.com. This
part should be clear. Now, you need to add an additional domain to your
environment, but it is not a *.yourdomain.com domain....it is
theirdomain.com. This is simply an additional tree in your forest.

However, no matter what happens, you can never never never get rid of the
very first 'yourdomain.com'. In this domain are two very important roles -
the Schema Master and the Domain Naming Master.

So, you need to fix this domain controller.....

HTH,

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
 
Ash Ridley

Thanks for the reply Cary.

Cary Shultz said:
Now, you need to add an additional domain to your
environment, but it is not a *.yourdomain.com domain....it is
theirdomain.com. This is simply an additional tree in your forest.

This is exactly what was done previously, leaving only 1 DC in the
'original' domain.

Cary Shultz said:
However, no matter what happens, you can never never never get rid of the
very first 'yourdomain.com'. In this domain are two very important roles -
the Schema Master and the Domain Naming Master.

Are these not 2 of the FSMO roles that can be moved? Or are you saying that
they cannot be moved out of the original domain?

Ash
 
Cary Shultz

Ash, you can not remove the root domain. It is simply not possible. Well,
of course it is possible but you will lose your entire environment.

You are correct - these are two of the fsmo roles that are 'moveable'. They
are all 'moveable'. The 'problem' is that you can only move them between
domain controllers in the correct domain. There are five fsmo roles. Two
of these are forest-wide. They are the Schema Master and the Domain Naming
Master. These must be in the root domain. The other three are domain-wide.
They are the PDC Emulator, the RID Master and the Infrastructure Master.
You will have these three roles in each domain. And you can transfer them
only between domain controllers in 'their' domain.

Also, think about the very important group Enterprise Admins.

So, in short, you can not 'remove' the first domain - aka root domain -
without destroying your environment.

--
Cary W. Shultz
Roanoke, VA 24012

http://www.activedirectory-win2000.com
(soon to be updated!!!)
http://www.grouppolicy-win2000.com
(soon to be updated!!!)
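As an added example (not code from this thread or from any of the posters), the pre-demotion checks Cary describes above (FSMO holders, a remaining Global Catalog, DNS/DHCP on the box) and the rule from his later posts (forest-wide roles stay in the root domain, every role moves only between DCs of its own domain) can be scripted. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or later; a Win2K admin would use ntdsutil as in the KB links above), and `$DcToDemote` is a placeholder for the DC you intend to run dcpromo on.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory PowerShell module.
# $DcToDemote is a placeholder for the DC you plan to run dcpromo on.
param([Parameter(Mandatory = $true)][string]$DcToDemote)
Import-Module ActiveDirectory

$dc     = Get-ADDomainController -Identity $DcToDemote
$forest = Get-ADForest
$domain = Get-ADDomain -Identity $dc.Domain
$isRootDomain = ($dc.Domain -eq $forest.RootDomain)
Write-Host "$($dc.HostName) is in $($dc.Domain); forest root domain: $isRootDomain"

# Forest-wide roles (Schema, Domain Naming) live only in the root domain; domain-wide
# roles exist per domain. Every role moves only between DCs of the same domain.
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Legal transfer targets: the other DCs in the same domain as the one being demoted.
$targets = Get-ADDomainController -Filter * -Server $dc.Domain |
           Where-Object { $_.HostName -ne $dc.HostName }
if (-not $targets) {
    Write-Warning "No other DC exists in $($dc.Domain); its roles have nowhere to go."
    if ($isRootDomain) {
        Write-Warning "This is the last DC of the forest root domain: demoting it destroys the forest."
    }
}

foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -eq $dc.HostName) {
        Write-Warning "$($role.Key) is held by $($dc.HostName); transfer it first, e.g.:"
        Write-Warning "  Move-ADDirectoryServerOperationMasterRole -Identity <target-DC> -OperationMasterRole $($role.Key)"
    }
}

# A Global Catalog must remain (native mode and Exchange both depend on one).
if (-not ($targets | Where-Object { $_.IsGlobalCatalog })) {
    Write-Warning "No other Global Catalog would remain in $($dc.Domain); enable GC on another DC first."
}

# Clients are often pointed at this DC for DNS and DHCP; check before demoting.
foreach ($svc in 'DNS', 'DHCPServer') {
    $s = Get-Service -ComputerName $dc.HostName -Name $svc -ErrorAction SilentlyContinue
    if ($s -and $s.Status -eq 'Running') {
        Write-Warning "$svc is running on $($dc.HostName); repoint clients and scopes first."
    }
}
```

Run it as a Domain Admin of the DC's domain (Enterprise Admins / Schema Admins membership is needed to actually move the two forest-wide roles); it only reports, it changes nothing.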
 
Ash Ridley

Cary,

Thanks for that, makes sense now.

 