Solved

Security problems after Active Directory Domain Controller Demote/Promote

Posted on 2008-10-20
Last Modified: 2012-05-05
I set up a Windows 2003 Small Business Server R2 as an AD Domain Controller. It was set up on one network, then moved to another (different private IPs). DNS didn't work properly (since there were values from the prior IP within the DNS setup, I assume). After trying to change the IPs in DNS (unsuccessfully) I gave up and demoted the server (making it a stand-alone) and then promoted it back to an AD Domain Controller using the wizard. This solved the DNS problem but has created a mess with security. At this point there are no other computers in the domain.

There are bunches of invalid security entries for S-1-5-32-547 (many of them I have removed manually) and now I cannot create new users properly (I get a message that the Administrator does not have create rights on the server when creating a new user's home directory, which already exists anyway) and it will not allow new users to log in interactively.

I need to correct the problem without wiping the system if at all possible.
Question by:GroupIII-GPhillips
Accepted Solution

by:
oBdA earned 250 total points
ID: 22762353
Sorry, but you will have to wipe this and re-install SBS from scratch. By demoting the SBS, you've destroyed your former domain (whether or not you've used the same name when promoting it again doesn't matter), and unless you have a backup of the original domain, it can't be restored.
In addition, SBS is *very* particular when it comes to its setup, and I doubt that you will be able to restore everything in such a way that it will work again as it should.
Author Comment

by:GroupIII-GPhillips
ID: 22768743
Thanks for the response. The domain being destroyed is not a problem, since I was setting this up as a new domain; the loss of the users etc. is not a problem and it does not need to be restored. The problem seems to be that demoting doesn't really clean up the server but rather leaves previous SIDs from the domain users scattered through the file system, resulting in a total mess. I'm trying to avoid wiping the server and starting over, since there is a considerable time investment in software installation and setup that will have to be redone (and relicensing/activating).

Unless someone can come up with a decent way to fix this I may be stuck.  Any other ideas?
Expert Comment

by:oBdA
ID: 22769066
Demoting does exactly that: it removes the AD role from the machine. There is absolutely no way that dcpromo would be able to "really clean up" the server; how would that be possible? For example: what should it do with domain groups in NTFS permissions if the domain doesn't exist anymore? dcpromo is not supposed to change anything except the machine's role; it has no business anywhere else.
Unless you have a backup of the machine from before you demoted it, and are able to restore that backup and fix the DNS issue without demoting it (which would in all likelihood have been possible), your only way to fix it in such a way that you will be able to sleep at night is to wipe out this installation and start over.
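An added audit script, not from this thread or from any of its participants, that illustrates the point above: it walks a directory tree and reports every non-inherited NTFS ACE whose SID can no longer be resolved to an account name, which is exactly what entries for principals of a demoted domain look like, and can optionally remove them. `$Root` is a placeholder path and `Test-ResolvableSid` is a helper written for this example.

```powershell
# Added example (not from the thread): find, and optionally remove, NTFS ACEs
# that reference SIDs which no longer resolve, e.g. users/groups of a domain
# that was destroyed by a demote. $Root is a hypothetical path; run elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Root = 'D:\Users',   # placeholder root to scan
    [switch]$Remove               # strip orphaned ACEs (honours -WhatIf)
)

function Test-ResolvableSid {
    # Returns $true when the SID maps to an account on this machine/domain.
    param([System.Security.Principal.IdentityReference]$Id)
    try { [void]$Id.Translate([System.Security.Principal.NTAccount]); $true }
    catch [System.Security.Principal.IdentityNotMappedException] { $false }
}

$items = @(Get-Item -LiteralPath $Root) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }
    $changed = $false
    # Copy the collection: we may modify the ACL while iterating.
    foreach ($ace in @($acl.Access)) {
        # Inherited ACEs are repaired by repairing the object they come from.
        if ($ace.IsInherited) { continue }
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if (Test-ResolvableSid $sid) { continue }
        # Emit one record per orphaned ACE so the output can be filtered/exported.
        [pscustomobject]@{
            Path   = $item.FullName
            SID    = $sid.Value
            Type   = $ace.AccessControlType
            Rights = $ace.FileSystemRights
        }
        if ($Remove -and $PSCmdlet.ShouldProcess($item.FullName, "Remove ACE for $($sid.Value)")) {
            [void]$acl.RemoveAccessRule($ace)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
}
```

Well-known BUILTIN aliases (S-1-5-32-*) resolve on any Windows machine and are therefore not reported; run the script elevated and start with `-Remove -WhatIf` to see what would be changed before touching any ACL.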
Author Comment

by:GroupIII-GPhillips
ID: 23618120
Unfortunately had to wipe the system, lose everything and start over.  Thanks for the input.
Expert Comment

by:oBdA
ID: 23620213
GroupIII-GPhillips,
I've said from the very beginning that this installation would either have to be restored from backup or wiped out.
Please check the help under http://www.experts-exchange.com/help.jsp > 'The correct answer to some questions is "You can't do that."':
"Sometimes, you will get an answer that isn't what you want to read, but it still may be the correct answer, and you should award points to the Expert that gave you that answer."
Author Comment

by:GroupIII-GPhillips
ID: 23638405
Possibly, you are probably more familiar with the nuances of the point allocation system than I am.  I would be willing to award 50% of the points for the "you can't do it" answer, if that is acceptable.  The 250 points were intended for a method to solve the problem without starting over.
Expert Comment

by:oBdA
ID: 23642797
Points for a question can't be reduced (unless through an admin).
And a correct answer deserves the points, whether you like the outcome or not -- after all, you want an expert opinion, not a courtesy.
Not to mention that, in a case like this, it can be very helpful to know that something isn't possible, instead of fruitlessly trying to fix it for days.
The problems after the IP change could have been fixed, in all likelihood; a creation of a completely new SBS domain on the remnants of an old SBS domain simply can't. The complete SBS machinery was based on your old domain, and by demoting and re-promoting the machine, you still had the old base installation, but now a completely new domain on top of it. This is nothing you can recover from.
Author Comment

by:GroupIII-GPhillips
ID: 23652064
So be it.