Windows 2000 authentication problem

Posted on 2001-09-07
Medium Priority
Last Modified: 2010-04-13
I have an NT domain with 1 PDC and 1 BDC, with Exchange Server 5.5 residing on the BDC. Last month I upgraded all workstations to Win2000 Professional. Then I upgraded all the servers to Windows 2000 Server. The following is what I did:
1- Promoted the BDC containing Exchange Server to PDC. Now the Exchange Server became the PDC and the old PDC became the BDC.
2- Upgraded this new PDC to Windows 2000 Server first, as an Active Directory controller (named AD1).
3- Upgraded the BDC to Windows 2000 Server and promoted it to be an Active Directory controller. However, this process failed. After changing something in the DNS server, this server could finally be promoted to an AD controller (named AD2).

All was working fine until the day I got a new staff member and had her account created.
Now the problem happened. The new account can access all shared folders on all other servers except one on AD2.
Thinking that the problem may be in the AD replication process, I tried to demote AD2 to a member server, but it is impossible because of an "access denied", even with a domain administrator. Checking AD2, I discovered that this server still uses the SAM and the old domain user database that existed on it for authentication, instead of the new AD user database. I now want to remove the old SAM and domain user database but don't know how. Could you please tell me HOW TO:
1- EITHER remove the old SAM and domain user database so that Active Directory on AD2 can take over authentication,
2- OR remove the AD database on AD2 to manually demote it to a normal member server and then promote it back to an AD controller later.

Thank you very much in advance.
Question by:quang051097
Expert Comment

ID: 6465519
Are you running Native or Mixed mode?

Expert Comment

ID: 6465551
Well, first of all, it is not wise to have your Exchange server, lower than Exchange Server 2000, on a PDC; you should have left it on the BDC, since this contains a completely different SAM table than the one used in AD. Also, you needed to use the Active Directory Migrator tool.

If you did not, then you are possibly stuck with the old SAM & Exchange for the alternated DCs. Once a PDC, it should stay a PDC unless it crashes, according to AD. So unless AD1 is totally down, you will not be able to demote AD2 until there is NO AD for it to find or reference at all.

Now, this is just my experience with this problem in the field, promoting and changing from NT4 to Win2k; AD only adds to the problems.

Author Comment

ID: 6465598
darrenburke, I am running in Mixed Mode.
newwavepro, I now know it is not wise, but because it was too rushed to install SSL with a Verisign certificate, I had very little time to do investigation and planning for the upgrade. Is it too late?
Is there any way to overcome the problem, or do I have to upgrade Exchange Server 5.5 to Exchange Server 2000 and change to Native Mode?
Thank you very much; I look forward to your reply soon.
Accepted Solution

newwavepro earned 400 total points
ID: 6466293
Well, you have part of the steps needed, but I would still have Exchange 2000 on the BDC no matter what. Once you put Exchange and the PDC together you are almost asking for an entire reformat; I had to do this with an Exchange 2000 server on the PDC of a domain tree, the highest tree in the forest, due to SAM overwrites. The key will be NOT removing Exchange but allowing the AD Exchange directory to be migrated to the BDC, which is the missing element.

Make sure the connection agreement is communicating properly between Exchange 5.5 and both the PDC & BDC, by using the dcpromo utility to demote the PDC and promote the BDC so that the two exchange the AD with each other, since it requires the equal log share file.

The link also gives the resource kit to help manage your group policies, which is more likely the root of the problem, since Exchange 5.5 is not designed for Win2k.

These requirements below must not have been followed, leading to your problem.

If all your Windows 2000 domains are in native mode, you will be able to take advantage of all Windows 2000 features in all domains, including universal groups and nested groups. Windows 2000 groups replace Exchange 5.5 distribution lists (DLs) during the upgrade of your messaging system.

Exchange Version Prerequisites
To upgrade directly, Exchange 2000 requires that the Exchange-based server be running Exchange 5.5 Service Pack 3 (SP3). This is because the Active Directory service must connect to Exchange 5.5 SP3 servers to synchronize the directories of the two systems. Therefore, the prerequisites are:

In a single-server Exchange organization or site, that server must be running Exchange 5.5 SP3 to be upgraded.
In a multisite Exchange organization, there must be at least one Exchange 5.5 SP3 server in each site in which you plan to perform bidirectional directory synchronization.
In a multisite Exchange organization, there must be at least one Exchange 5.5 SP3 server in each site in which you plan to upgrade a server.
If you plan to install Exchange 2000 Server in a multiserver Exchange site, there must be at least one Exchange 5.5 SP3 server in the site. This allows for Active Directory/Exchange 5.5 directory replication.
If you plan to upgrade one of the servers in a multiserver Exchange site, that server must be running Exchange 5.5 SP3.

Then you have to make sure that you have a proper ADC (Active Directory Connection), which is part of this link of tools to follow.


Once all that is resolved, it should work properly with the schemas set right.

I would upgrade to Exchange 2000 AFTER you get your SAM fixed, by copying the user profile logs over to the BDC as they are from the PDC.

Sounds like a bunch of mess to me :( but I was in a place where it didn't matter to them if I reformatted the whole thing; they would rather have it working properly.

Expert Comment

ID: 6477521
NTDSUTIL metadata cleanup will remove incorrectly promoted domain controllers.

You're in a fix, and this is the only fix without reinstalling the whole domain structure. You may need to reinstall the old BDC; however, you can remove this machine from the directory with the command-line utility NTDSUTIL.
Use the Metadata cleanup to remove the old SIDs for the other server.

Expert Comment

ID: 8493742
Hi quang

- This question is still open and needs to be closed. If any of the comments above helped you, please accept that comment as an answer. If not, please send an update about your issue so that the question can be finalised. Thank you.

- Experts, please feel free to add any comments in here; if you keep silent, points of the question can be removed.
Expert Comment

ID: 8958115
**** CLEAN UP ****

No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

RECOMMENDATION: [ Award points to "newwavepro" ]

Please leave any comments here within the next seven days.


Rajiv Makhijani
EE Cleanup Volunteer

Author Comment

ID: 9816142
Feel free to delete this question.
