quang051097

asked on

Windows 2000 authentication problem

I have an NT domain with 1 PDC and 1 BDC, with Exchange Server 5.5 residing on the BDC. Last month I upgraded all workstations to Win2000 Professional. Then I upgraded all the servers to Windows 2000 Server. The following is what I have done:
1- Promoted the BDC containing Exchange Server to PDC. Now the Exchange Server became the PDC and the old PDC became the BDC.
2- Upgraded this new PDC to Windows 2000 Server first, as an Active Directory controller (named AD1).
3- Upgraded the BDC to Windows 2000 Server and promoted it to be an Active Directory controller. However, this process failed. After changing something in the DNS server, this server could finally be promoted to an AD controller (named AD2).

All was working fine until the day I got a new staff member and had her account created.
Now the problem happened. The new account can access all shared folders on all other servers except the one on AD2.
Thinking that the problem may be in the AD replication process, I tried to demote AD2 to be a member server, but it is impossible because of an "access denied", even with a domain administrator. Checking AD2, I just discovered that this server still uses the SAM and the old domain user database that exists on it for authentication instead of the new AD user database. I now want to remove the old SAM and domain user database but don't know how. Could you please tell me HOW TO:
1- EITHER remove the old SAM and domain user database so that the Active Directory in AD2 could take over the authentication,
2- OR remove the AD database on AD2 to demote it manually to a normal member server and then promote it back to an AD controller later.

Thank you very much in advance.
darrenburke

Are you running Native or Mixed mode?
Well, first of all, it is not wise to have your Exchange server lower than Exchange Server 2000 on a PDC; you should have left it on the BDC, since this contains a completely different SAM table than the one used in AD. Also, you needed to use the Active Directory Migration Tool

http://www.microsoft.com/windows2000/downloads/tools/admt/default.asp

If you did not, then you are possibly stuck with the old SAM & Exchange for the alternated DCs. Once a PDC, it should stay a PDC unless it crashes, according to AD. So unless AD1 is totally down, you will not be able to demote AD2 until there is NO AD for it to find or reference at all.

Now this is just my experience with this problem in the field, in promoting and changing from NT4 to Win2k, and AD only adds to the problems.
quang051097 (ASKER)

darrenburke, I am running in Mixed Mode.
newwavepro, I now know it is not wise, but because it was too much of a rush to install SSL with a Verisign certificate, I had very little time to do some investigation and planning for the upgrade. Is it too late?
Is there any way to overcome the problem, or do I have to upgrade Exchange Server 5.5 to Exchange Server 2000 and change to Native Mode?
Thank you very much, and I look forward to your reply soon.
ASKER CERTIFIED SOLUTION
newwavepro
NTDSUTIL metadata cleanup will remove incorrectly promoted Domain controllers

You're in a fix, and this is the only fix without reinstalling the whole domain structure. You may need to reinstall the old BDC; however, you can remove this machine from the Directory with the command-line utility NTDSUTIL.
Use the Metadata cleanup to remove the old SIDs for the other server.
Hi quang

- This question is still open and needs to be closed. If any of the comments above helped you, please accept that comment as an answer. If not please send an update about your issue so that the question can be finalised. Thank you

- Experts, please feel free to add any comments in here, if you keep silent points of question can be removed

- *** PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER ***

Pasha

Cleanup Volunteer
**** CLEAN UP ****

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

RECOMMENDATION: [ Award points to "newwavepro" ]

Please leave any comments here within the next seven days.

¡PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

------------------------------
Rajiv Makhijani
EE Cleanup Volunteer
Feel free to delete this question.