ragot
how to demote DC and joining it on a remote DC
Hi Experts,
How to demote DC and join it on a remote DC with different subnet?
I need a step-by-step guide, please. Many thanks.
No, DCPromo is used to either create an AD structure in the server to promote the machine as a domain controller.
Once the machine is promoted to a domain controller, if you run the dcpromo again, it will demote the machine back to the workgroup.
However, after adding the PC to the remote DC, you don't need to run the dcpromo command.
ASKER
Thanks, but I want that DC to be part of the remote DC.
Have you installed your DC as a part of the existing Forest of the Remote DC?
ASKER
I think not yet. Can you tell me how to install?
ragot
To give you an accurate answer we will need to know your topology.
Do you have a separate AD forest at this remote site you want this DC to be a part of?
Is this DC just moving to a separate subnet within your company and will still be a part of the same forest?
Here is a link on how to run DCPromo, but it may not fit your scenario.
http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm
ASKER
Do you have a separate AD forest at this remote site you want this DC to be a part of? - This is the one.
I already joined the DC into another AD forest. I can log on as administrator with the same domain on a different subnet. The problem is I cannot log in with my newly created user account from AD. I got the error message "The local policy of this system does not permit you to logon interactively".
Are you trying to log in to a Domain Controller with a user account you created? Or is it just a server?
If it is a server make sure that user is at least in the Remote Desktop User group. If it is the Domain Controller the user will need to be in the domain admins group.
ASKER
Wow, it works now after setting it as a member of the remote desktop user group.
Will there be no problem if I create a user account and log on to a client machine?
And is there any DNS forwarding that needs to be set up in the instructions above? (Please refer to logideepak's first reply.)
Thanks!
If you need to get name resolution for the other domain, you can set up conditional forwarders in each domain. See the link below.
You should be able to log in to client computers with new accounts on the same domain.
http://msmvps.com/blogs/ad/archive/2008/09/05/how-to-configure-conditional-forwarders-in-windows-server-2008.aspx
ASKER
Thanks KenMcF, how will I know if I need to get name resolution for the other domain?
Do you have a link for Server 2003? Thanks.
That link has a screenshot from 2003. It is labeled old way.
If you do not need to access any resources on the other domain then you should not need to configure the forwarders.
ASKER
Oh, I see. We need to access files on both domains. Can you help me with how to do the configuration for forwarders? Many thanks.
Look at this link for setting up conditional forwarders.
You would just put the domain name in for the remote domain and the IP of the DNS server.
http://www.windowsnetworking.com/articles_tutorials/DNS_Conditional_Forwarding_in_Windows_Server_2003.html
ASKER
Scenario:
DC1 - "other DC"
DC2 - demoted and joined "other DC"
You mean I will input the DNS of DC2 into the forwarder settings? Am I correct?
You have two forests now. So call them forest1 and forest2.
forest1 = domain1.local
forest2 = domain2.dns
In forest1, create a conditional forwarder for domain2.dns that points to a DNS server in domain2.dns.
In forest2, create a conditional forwarder for domain1.local that points to a DNS server in domain1.local.
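The two-way forwarder setup described in the reply above, as an added example that is not part of the original thread. It uses `dnscmd` (in the Support Tools on Server 2003, built in on Server 2008); the script name `addfwd.cmd` and the IP addresses in the usage comments are placeholders, not values from the thread.

```bat
@echo off
rem Added example: create and verify one conditional forwarder with dnscmd.
rem Run it once on a DNS server in each forest (addresses are placeholders):
rem   forest1 DNS server:  addfwd.cmd domain2.dns   192.0.2.20
rem   forest2 DNS server:  addfwd.cmd domain1.local 192.0.2.10
setlocal
if "%~2"=="" (
    echo Usage: %~nx0 ^<remote-domain^> ^<remote-dns-ip^>
    exit /b 1
)
set ZONE=%~1
set MASTER=%~2

rem Create the conditional forwarder zone on the local DNS server.
rem Only queries for %ZONE% are sent to %MASTER%; all other names are unaffected.
dnscmd /ZoneAdd %ZONE% /Forwarder %MASTER%
if errorlevel 1 (
    echo Failed to create the forwarder for %ZONE%
    exit /b 1
)

rem Show the zone type and the master address, to confirm it forwards
rem to the DNS server you intended and nowhere else.
dnscmd /ZoneInfo %ZONE%

rem Confirm the remote domain's DC locator records now resolve.
rem With no server argument, nslookup uses this machine's configured DNS
rem server, which on a DNS server normally points at itself.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%ZONE%
endlocal
```

If the SRV lookup returns the remote forest's domain controllers, name resolution across the two forests works in that direction; repeat the check from the other forest.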
ASKER
Thanks KenMcF! If I demote the DC, do I need to reconfigure the DHCP server after joining it to the other domain?
You will need to authorize the DHCP server in the new domain and I would verify the settings are correct like the DNS servers.
ASKER
Thanks. How about the files? They will not be deleted, right? I just have to reassign access rights to them?
Files will not be deleted. Since it is a new domain you will need to reassign permissions.
ASKER
Thanks. No need to create another AD on forest2, right? I will just use the forest1 AD (which is the one I joined to), or is it better to create one?
ASKER
Awesome! Thanks.