Solved

Security problems after Active Directory Domain Controller Demote/Promote

Posted on 2008-10-20
447 Views
Last Modified: 2012-05-05
I set up a Windows 2003 Small Business Server R2 as an AD Domain Controller. It was set up on one network then moved to another (different private IPs). DNS didn't work properly (since there were values from the prior IP within the DNS setup, I assume). After trying to change the IPs in DNS (unsuccessfully) I gave up and demoted the server (making it a stand-alone) and then promoted it back to an AD Domain Controller using the wizard. This solved the DNS problem but has created a mess with security. At this point there are no other computers in the domain.

There are bunches of invalid security entries for S-1-5-32-547 (many of them I have removed manually) and now I cannot create new users properly (I get a message that the Administrator does not have create rights on the server when creating a new user's home directory, which already exists anyway) and it will not allow new users to log in interactively.

I need to correct the problem without wiping the system if at all possible.
Question by:GroupIII-GPhillips
10 Comments
 
LVL 82

Accepted Solution

by:
oBdA earned 250 total points
Sorry, but you will have to wipe this and re-install SBS from scratch. By demoting the SBS, you've destroyed your former domain (whether or not you've used the same name when promoting it again doesn't matter), and unless you have a backup of the original domain, it can't be restored.
In addition, SBS is *very* particular when it comes to its setup, and I doubt that you will be able to restore everything in such a way that it will work again as it should.
 

Author Comment

by:GroupIII-GPhillips
Thanks for the response. The domain being destroyed is not a problem since I was setting this up as a new domain, and the loss of the users etc. is not a problem and it does not need to be restored. The problem seems to be that demoting doesn't really clean up the server but rather leaves previous SIDs from the domain users scattered through the file system, resulting in a total mess. I'm trying to avoid wiping the server and starting over since there is a considerable time investment in software installation and setup that will have to be redone (and relicensing/activating).

Unless someone can come up with a decent way to fix this I may be stuck.  Any other ideas?
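The symptom described in the question and in the comment above (ACEs for S-1-5-32-547, the well-known BUILTIN\Power Users SID, which has no group behind it on a domain controller, plus S-1-5-21-... SIDs from the old domain that no longer resolve) can at least be inventoried before deciding whether to follow the advice to rebuild. The following PowerShell is an added example, not code from the thread or from Microsoft; the root path is an assumed placeholder, and it must be run as an administrator on the server.

```powershell
# Added example: list NTFS access-control entries whose SID no longer
# resolves to an account name, i.e. the remnants left behind after the
# demote/promote. Optionally strips the non-inherited ones.
function Find-OrphanedSidAce {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$Remove   # when set, remove the orphaned non-inherited ACEs
    )
    $children = Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in @(Get-Item -LiteralPath $Root) + @($children)) {
        try { $acl = Get-Acl -LiteralPath $item.FullName } catch { continue }
        $changed = $false
        # Snapshot the ACE list so removing entries does not disturb the loop.
        foreach ($ace in @($acl.Access)) {
            # Get-Acl reports a resolvable principal as DOMAIN\Name; a SID
            # that cannot be translated comes back as the raw S-1-... string.
            $id = $ace.IdentityReference.Value
            if ($id -notmatch '^S-1-\d+(-\d+)+$') { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $id
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
            # Inherited ACEs must be fixed on the parent that defines them.
            if ($Remove -and -not $ace.IsInherited) {
                [void]$acl.RemoveAccessRule($ace)
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}

# Report first; only rerun with -Remove after reviewing which SIDs and paths
# are affected. 'D:\UserShares' is a placeholder for the real share root.
Find-OrphanedSidAce -Root 'D:\UserShares' |
    Sort-Object Sid, Path |
    Format-Table -AutoSize
```

Grouping the report by SID shows how far the old domain's identities reach into the file system, which is what makes the experts' point about rebuilding concrete: the file ACLs are only one of the places the old domain's SIDs were written.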
 
LVL 82

Expert Comment

by:oBdA
Demoting does exactly that: it removes the AD role from the machine. There is absolutely no way that dcpromo would be able to "really clean up" the server; how would that be possible? For example: what should it do with domain groups in NTFS permissions if the domain doesn't exist anymore? dcpromo is not supposed to change anything except the machine's role; it has no business anywhere else.
Unless you have a backup of the machine from before you demoted it, and are able to restore that backup and fix the DNS issue without demoting it (which would in all likelihood have been possible), your only way to fix it in such a way that you will be able to sleep at night is to wipe out this installation and start over.
 

Author Comment

by:GroupIII-GPhillips
Unfortunately I had to wipe the system, lose everything and start over. Thanks for the input.
 
LVL 82

Expert Comment

by:oBdA
GroupIII-GPhillips,
I've said from the very beginning that this installation would either have to be restored from backup or wiped out.
Please check the help under http://www.experts-exchange.com/help.jsp > 'The correct answer to some questions is "You can't do that."':
"Sometimes, you will get an answer that isn't what you want to read, but it still may be the correct answer, and you should award points to the Expert that gave you that answer."
 

Author Comment

by:GroupIII-GPhillips
Possibly; you are probably more familiar with the nuances of the point allocation system than I am. I would be willing to award 50% of the points for the "you can't do it" answer, if that is acceptable. The 250 points were intended for a method to solve the problem without starting over.
 
LVL 82

Expert Comment

by:oBdA
Points for a question can't be reduced (unless through an admin).
And a correct answer deserves the points, whether you like the outcome or not -- after all, you want an expert opinion, not a courtesy.
Not to mention that, in a case like this, it can be very helpful to know that something isn't possible, instead of fruitlessly trying to fix it for days.
The problems after the IP change could have been fixed, in all likelihood; a creation of a completely new SBS domain on the remnants of an old SBS domain simply can't. The complete SBS machinery was based on your old domain, and by demoting and re-promoting the machine, you still had the old base installation, but now a completely new domain on top of it. This is nothing you can recover from.
 

Author Comment

by:GroupIII-GPhillips
So be it.
