

Windows 2000 authentication problem

Posted on 2001-09-07
Medium Priority
Last Modified: 2010-04-13
I have an NT domain with 1 PDC and 1 BDC, with Exchange Server 5.5 residing on the BDC. Last month I upgraded all workstations to Win2000 Prof. Then I upgraded all the servers to Windows 2000 Server. The following is what I have done:
1- Promoted the BDC containing Exchange Server to PDC. Now the Exchange Server became the PDC and the old PDC became the BDC.
2- Upgraded this new PDC to Windows 2000 Server first, as an Active Directory controller (named AD1).
3- Upgraded the BDC to Windows 2000 Server and promoted it to be an Active Directory controller. However, this process failed. After changing something in the DNS server, this server could finally be promoted to an AD controller (named AD2).

All was working fine until the day I had a new staff member and had her account created.
Now the problem happened. The new account can access all shared folders on all other servers except one on AD2.
Thinking that the problem may be in the AD replication process, I tried to demote AD2 to a member server, but it is impossible because of an "access denied", even with a domain administrator. Checking AD2, I just discovered that this server still uses the SAM and the old domain user database that exists on it for authentication instead of the new AD user database. I now want to remove the old SAM and domain user database but don't know how. Could you please tell me HOW TO:
1- EITHER remove the old SAM and domain user database so that the Active Directory on AD2 can take over the authentication
2- OR remove the AD database on AD2 to demote it manually to a normal member server and then promote it back to an AD controller later.

Thank you very much in advance.
Question by: quang051097

Expert Comment

ID: 6465519
Are you running Native or Mixed mode?

Expert Comment

ID: 6465551
Well, first of all, it is not wise to have your Exchange server lower than Exchange Server 2000 on a PDC; you should have left it on the BDC, since this contains a completely different SAM table than the one used in AD. Also, you needed to use the Active Directory Migrator tool.


If you did not, then you are possibly stuck with the old SAM & Exchange for the alternate DCs. Once a PDC, it should stay a PDC unless it crashes, according to AD. So unless AD1 is totally down, you will not be able to demote AD2 until there is NO AD for it to find or reference at all.

Now this is just my experience with this problem in the field in promoting and changing from NT4 to Win2k and AD only adds to the problems.

Author Comment

ID: 6465598
darrenburke, I am running in Mixed Mode.
newwavepro, I now know it is not wise, but because it was too much of a rush to install SSL with a Verisign certificate, I had very little time to do some investigation and planning for the upgrade. Is it too late?
Is there any way to overcome the problem, or do I have to upgrade Exchange Server 5.5 to Exchange Server 2000 and change to Native Mode?
Thank you very much; I look forward to your reply soon.

Accepted Solution

newwavepro earned 400 total points
ID: 6466293
Well, you have part of the steps needed, but I would still have the Exchange 2000 on the BDC no matter what. Once you put Exchange and the PDC together you are almost asking for an entire reformat. I had to do this with an Exchange 2000 server on a PDC of a domain tree, and the highest tree in the forest, due to SAM overwrites. The key will be NOT removing Exchange, but allowing the AD Exchange directory to be migrated to the BDC, which is the missing element.

Make sure the connection agreement is communicating properly between Exchange 5.5 and both the PDC & BDC by using the dcpromo utility to demote the PDC and promote the BDC, for the two to exchange the AD to each other, since it requires the equal log share file.

The link also gives the resource kit to help manage your group policies, which is more likely the root of the problem, since Exchange 5.5 is not designed for Win2k.


The requirements below must not have been followed for you to have ended up with this problem.

If all your Windows 2000 domains are in native mode, you will be able to take advantage of all Windows 2000 features in all domains, including universal groups and nested groups. Windows 2000 groups replace Exchange 5.5 distribution lists (DLs) during the upgrade of your messaging system.

Exchange Version Prerequisites
To upgrade directly, Exchange 2000 requires that the Exchange-based server be running Exchange 5.5 Service Pack 3 (SP3). This is because the Active Directory service must connect to Exchange 5.5 SP3 servers to synchronize the directories of the two systems. Therefore, the prerequisites are:

- In a single-server Exchange organization or site, that server must be running Exchange 5.5 SP3 to be upgraded.
- In a multisite Exchange organization, there must be at least one Exchange 5.5 SP3 server in each site in which you plan to perform bidirectional directory synchronization.
- In a multisite Exchange organization, there must be at least one Exchange 5.5 SP3 server in each site in which you plan to upgrade a server.
- If you plan to install Exchange 2000 Server in a multiserver Exchange site, there must be at least one Exchange 5.5 SP3 server in the site. This allows for Active Directory/Exchange 5.5 directory replication.
- If you plan to upgrade one of the servers in a multiserver Exchange site, that server must be running Exchange 5.5 SP3.

Then you have to make sure that you have a proper ADC (Active Directory Connection), which is part of this link of tools to follow.


Once all that is resolved then it should work properly with the schemas set right.

I would upgrade to Exchange 2000 AFTER you get your SAM fixed, by copying the user profile logs over to the BDC as they are from the PDC.

Sounds like a bunch of mess to me :( but I was in a place where they didn't mind if I reformatted the whole thing; they would rather have had it working properly.

Expert Comment

ID: 6477521
NTDSUTIL metadata cleanup will remove incorrectly promoted domain controllers.

You're in a fix, and this is the only fix without reinstalling the whole domain structure. You may need to reinstall the old BDC; however, you can remove this machine from the Directory with the command-line utility NTDSUTIL.
Use the Metadata cleanup to remove the old SIDs for the other server.
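The metadata cleanup mentioned in the comment above, written out as an added example (this is not code from anyone in the thread). It assumes the surviving DC is AD1 and the DC that could not be demoted is AD2, as in the question; the `nltest` and `repadmin` checks come from the Windows 2000 Support Tools, `Test-Connection` is a later PowerShell cmdlet, and the domain/site/server index numbers are placeholders that must be read from the `list` output on your own domain before the removal step is run.

```powershell
# Added example, not part of the thread. Assumptions: surviving DC = AD1,
# DC to remove = AD2 (names from the question); index numbers below are
# placeholders to be replaced with what "list domains" / "list sites" /
# "list servers in site" actually print for your forest.

$SurvivingDc = 'AD1'
$DeadDc      = 'AD2'

# 1. Which DC answers logons for this domain, and what AD1 replicates with.
#    Both commands are informational; read their output before going further.
nltest /dsgetdc: /force
repadmin /showreps $SurvivingDc

# 2. Metadata cleanup only deletes AD2's NTDS Settings and server objects
#    from the directory. It does not touch AD2's local SAM, so that machine
#    is rebuilt (or dcpromo'd again after cleanup), never reused as-is.
#    Refuse to continue while the old DC is still on the network.
if (Test-Connection -ComputerName $DeadDc -Count 1 -Quiet) {
    throw "$DeadDc is still reachable; take it offline before cleaning metadata."
}

# 3. ntdsutil takes its menu commands as ordered arguments. First pass:
#    list the domains and sites so the index numbers can be read off.
ntdsutil 'metadata cleanup' connections "connect to server $SurvivingDc" quit `
         'select operation target' 'list domains' 'list sites' quit quit quit

# 4. Second pass with the real indexes filled in (0 / 0 / 1 are placeholders).
#    "remove selected server" asks for confirmation before deleting anything.
ntdsutil 'metadata cleanup' connections "connect to server $SurvivingDc" quit `
         'select operation target' 'select domain 0' 'select site 0' `
         'list servers in site' 'select server 1' quit `
         'remove selected server' quit quit
```

After the removal, the server object under Active Directory Sites and Services and any stale A/SRV records for AD2 in DNS still have to be deleted by hand; metadata cleanup does not do that part, and leaving them in place keeps clients and replication partners trying to reach a DC that no longer exists.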

Expert Comment

ID: 8493742
Hi quang

- This question is still open and needs to be closed. If any of the comments above helped you, please accept that comment as an answer. If not please send an update about your issue so that the question can be finalised. Thank you

- Experts, please feel free to add any comments in here, if you keep silent points of question can be removed



Cleanup Volunteer

Expert Comment

ID: 8958115
**** CLEAN UP ****

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

RECOMMENDATION: [ Award points to "newwavepro" ]

Please leave any comments here within the next seven days.


Rajiv Makhijani
EE Cleanup Volunteer

Author Comment

ID: 9816142
Feel free to delete this question.
