Windows 2000 authentication problem

I have an NT domain with 1 PDC and 1 BDC, with Exchange Server 5.5 residing on the BDC. Last month I upgraded all workstations to Win2000 Professional. Then I upgraded all the servers to Windows 2000 Server. Following is what I have done:
1- promoted the BDC containing Exchange Server to PDC. Now the Exchange server became the PDC and the old PDC became the BDC.
2- upgraded this new PDC to Windows 2000 Server first, as an Active Directory controller (named AD1).
3- upgraded the BDC to Windows 2000 Server and promoted it to be an Active Directory controller. However, this process failed. After changing something in the DNS server, this server could finally be promoted to an AD controller (named AD2).

All was working fine until the day I got a new staff member and had her account created.
Now the problem happened. The new account can access all shared folders on all other servers except the one on AD2.
Thinking that the problem may be in the AD replication process, I tried to demote AD2 to a member server, but it is impossible because of an "access denied", even with a domain administrator. Checking AD2, I just discovered that this server still uses the SAM and the old domain user database existing on it for authentication instead of the new AD user database. I now want to remove the old SAM and domain user database but don't know how. Could you please tell me HOW TO:
1- EITHER remove the old SAM and domain user database so that the Active Directory on AD2 can take over authentication
2- OR remove the AD database on AD2 to demote it manually to a normal member server and then promote it back to an AD controller later.

Thank you very much in advance.

Are you running Native or Mixed mode?
Well, first of all, it is not wise to have your Exchange server lower than Exchange Server 2000 on a PDC; you should have left it on the BDC, since this contains a completely different SAM table than the one used in AD. Also, you needed to use the Active Directory Migrator tool.

If you did not, then you are possibly stuck with the old SAM & Exchange for the alternated DCs. Once a PDC, it should stay a PDC unless it crashes, according to AD. So unless AD1 is totally down, you will not be able to demote AD2 until there is NO AD for it to find or reference at all.

Now this is just my experience with this problem in the field in promoting and changing from NT4 to Win2k, and AD only adds to the problems.
quang051097Author Commented:
darrenburke, I am running in Mixed Mode.
newwavepro, I now know it is not wise, but because it was too much of a rush to install SSL with a Verisign certificate, I had very little time to do some investigation and planning for the upgrade. Is it too late?
Is there any way to overcome the problem, or do I have to upgrade Exchange Server 5.5 to Exchange Server 2000 and change to Native Mode?
Thank you very much and look forward to your reply soon.

Well, you have part of the steps needed, but I would still have Exchange 2000 on the BDC no matter what. Once you put Exchange and the PDC together you are almost asking for an entire reformat; I had to do this with an Exchange 2000 server on the PDC of a domain tree, and the highest tree in the forest, due to SAM overwrites. The key will be NOT removing Exchange but allowing the AD Exchange directory to be migrated to the BDC, which is the missing element.

Make sure the connection agreement is communicating properly between Exchange 5.5 and both the PDC & BDC by using the dcpromo utility to demote the PDC and promote the BDC, so the two exchange the AD with each other, since it requires the equal log share file.

The link also gives the resource kit to help manage your group policies, which is more likely the root of the problem, since Exchange 5.5 is not designed for Win2k.

These requirements below must not have been followed, to come to your problem.

If all your Windows 2000 domains are in native mode, you will be able to take advantage of all Windows 2000 features in all domains, including universal groups and nested groups. Windows 2000 groups replace Exchange 5.5 distribution lists (DLs) during the upgrade of your messaging system.

Exchange Version Prerequisites
To upgrade directly, Exchange 2000 requires that the Exchange-based server be running Exchange 5.5 Service Pack 3 (SP3). This is because the Active Directory service must connect to Exchange 5.5 SP3 servers to synchronize the directories of the two systems. Therefore, the prerequisites are:

In a single-server Exchange organization or site, that server must be running Exchange 5.5 SP3 to be upgraded.
In a multisite Exchange organization, there must be at least one Exchange 5.5 SP3 server in each site in which you plan to perform bidirectional directory synchronization.
In a multisite Exchange organization, there must be at least one Exchange 5.5 SP3 server in each site in which you plan to upgrade a server.
If you plan to install Exchange 2000 Server in a multiserver Exchange site, there must be at least one Exchange 5.5 SP3 server in the site. This allows for Active Directory/Exchange 5.5 directory replication.
If you plan to upgrade one of the servers in a multiserver Exchange site, that server must be running Exchange 5.5 SP3.

Then you have to make sure that you have a proper ADC (Active Directory Connection), which is part of this link of tools to follow.

Once all that is resolved, it should work properly with the schemas set right.

I would upgrade to Exchange 2000 AFTER you get your SAM fixed, by copying the user profile logs over to the BDC as they are from the PDC.

Sounds like a bunch of mess to me :( but I was in a place where they didn't care if I reformatted the whole thing; they would rather have had it working properly.

NTDSUTIL metadata cleanup will remove incorrectly promoted domain controllers

You're in a fix, and this is the only fix without reinstalling the whole domain structure. You may need to reinstall the old BDC; however, you can remove this machine from the Directory with the command-line utility NTDSUTIL.
Use the metadata cleanup to remove the old SIDs for the other server.
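The ntdsutil metadata cleanup the comment above refers to, written out as an added example session (this is not part of the original thread or any poster's own text). It assumes the surviving DC is AD1 and the DC being purged is AD2, as in the question, and that the domain is named example.local; the domain, site and server index numbers are assumptions too, since they come from the output of the `list` commands in your own forest and must be read back before each `select`. This is the Windows 2000 interactive syntax; run it from cmd.exe on AD1 as a member of Enterprise Admins, and only after AD2 has been taken off the network or reinstalled, because the metadata you remove here is what tells AD1 that AD2 is still a replication partner.

```cmd
C:\> ntdsutil
ntdsutil: metadata cleanup
metadata cleanup: connections
server connections: connect to server AD1
Binding to AD1 ...
Connected to AD1 using credentials of locally logged on user
server connections: quit
metadata cleanup: select operation target
select operation target: list domains
Found 1 domain(s)
0 - DC=example,DC=local
select operation target: select domain 0
select operation target: list sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
select operation target: select site 0
select operation target: list servers in site
Found 2 server(s)
0 - CN=AD1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
1 - CN=AD2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
select operation target: select server 1
select operation target: quit
metadata cleanup: remove selected server
(a confirmation dialog appears; answer Yes, and AD2's NTDS Settings object is deleted)
metadata cleanup: quit
ntdsutil: quit
```

Two checks before and after. Before running it, open ntdsutil's `roles` menu and confirm that AD1 holds all five FSMO roles; AD1 was the first DC in this upgrade so it normally does, but any role still attributed to AD2 must be seized first, or the domain is left with an operations master that no longer exists. Afterwards, the metadata cleanup only removes the NTDS Settings object: delete AD2's computer account from the Domain Controllers OU, delete its server object under Sites and Services if it is still listed, and remove its SRV records from the DNS zone, so that clients and AD1 stop trying to reach it. AD2 can then be rebuilt and re-promoted with dcpromo as a clean second DC.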
Hi quang

- This question is still open and needs to be closed. If any of the comments above helped you, please accept that comment as an answer. If not, please send an update about your issue so that the question can be finalised. Thank you.

- Experts, please feel free to add any comments here; if you keep silent, the points of the question can be removed.

Cleanup Volunteer
**** CLEAN UP ****

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

RECOMMENDATION: [ Award points to "newwavepro" ]

Please leave any comments here within the next seven days.


Rajiv Makhijani
EE Cleanup Volunteer
quang051097Author Commented:
Feel free to delete this question.