Security problems after Active Directory Domain Controller Demote/Promote
Posted on 2008-10-20
I set up a Windows 2003 Small Business Server R2 as an AD Domain Controller. It was set up on one network, then moved to another (different private IPs). DNS didn't work properly (since there were values from the prior IP within the DNS setup, I assume). After trying to change the IPs in DNS (unsuccessfully), I gave up and demoted the server (making it a stand-alone) and then promoted it back to an AD Domain Controller using the wizard. This solved the DNS problem but has created a mess with security. At this point there are no other computers in the domain.
There are bunches of invalid security entries for S-1-5-32-547 (many of them I have removed manually), and now I cannot create new users properly (I get a message that the Administrator does not have create rights on the server when creating a new user's home directory, which already exists anyway), and it will not allow new users to log in interactively.
I need to correct the problem without wiping the system if at all possible.