Sign in with
Sign up | Sign in
Your question

More than one Administrator Account and Reinstalling OS on..

Tags:
  • Domain
  • Domain Controller
  • Active Directory
  • Windows
Last response: in Windows 2000/NT
Share
January 31, 2005 10:53:03 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Dear All,

I am fairly new to Active Directory, so please forgive my questioning.

In our small network we have 2 domain controllers running Windows 2000
Advanced Server. I presume we have 2 for redundancy etc. Active Directory is
running in Native Mode.

I need to rebuild one of the domain controllers because the machine it's
running on is very old and very slow server. I want to know how I go about
removing the domain controller from the network so that I can rebuild it,
join it to the exisiting AD and promote it back. Does anyone have any
information on how to do this?

Also (very important), in AD Users & Computers, there seems to be 2 in built
accounts for administering the machine/domain...at the moment they are
renamed differently. Is this to be expected? These accounts co-exist in the
Administrators group. I can't remove one of them. I thought that there should
only be one Administrator's account for the domain. Or, is this because I
have 2 domain controllers.

Also, when removing domain controllers, how do I know which is the first
domain controller in the forest? Will removing the wrong domain controller
cause a big problem, or will the roles be given to the one remaining DC when
I demote and remove the other one?

I hope someone can help me. I am new to AD and my company.

Much Thanks,
Rob

Also, is there anything I should be aware of when I do this.

More about : administrator account reinstalling

Anonymous
January 31, 2005 1:25:28 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Robert,

What you will want to do is make sure that the DC you are keeping is running
your vital services... GC, DNS, DHCP, WINS, File/Print Share and the like.
Then you will use DCPROMO to demote the old controller. The FSMO roles and
all will be transferred to the other controller -- this way it doesn't
matter which one was the first. Just remember not to choose that option
that says that "this is the last controller in the forest."

With the admin accounts, which two are you referring to? You should have
the admin account, but then also domain admins and enterprise admins... is
there one there that was manually created?

Good luck.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"Robert" <Robert@discussions.microsoft.com> wrote in message
news:54B9F7FF-D15B-4253-9540-9B433ACE36D0@microsoft.com...
> Dear All,
>
> I am fairly new to Active Directory, so please forgive my questioning.
>
> In our small network we have 2 domain controllers running Windows 2000
> Advanced Server. I presume we have 2 for redundancy etc. Active Directory
is
> running in Native Mode.
>
> I need to rebuild one of the domain controllers because the machine it's
> running on is very old and very slow server. I want to know how I go about
> removing the domain controller from the network so that I can rebuild it,
> join it to the exisiting AD and promote it back. Does anyone have any
> information on how to do this?
>
> Also (very important), in AD Users & Computers, there seems to be 2 in
built
> accounts for administering the machine/domain...at the moment they are
> renamed differently. Is this to be expected? These accounts co-exist in
the
> Administrators group. I can't remove one of them. I thought that there
should
> only be one Administrator's account for the domain. Or, is this because I
> have 2 domain controllers.
>
> Also, when removing domain controllers, how do I know which is the first
> domain controller in the forest? Will removing the wrong domain controller
> cause a big problem, or will the roles be given to the one remaining DC
when
> I demote and remove the other one?
>
> I hope someone can help me. I am new to AD and my company.
>
> Much Thanks,
> Rob
>
> Also, is there anything I should be aware of when I do this.
>
January 31, 2005 1:25:29 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks for your quick reply - most appreciated. Pardon my lack of
understanding too.

The other roles you describe (Enter Admin, Domain Admin etc) do exist, but
there are still two "In-built account for administering the machine/domain".
Are these in AD Users and Computers because I have 2 domain controllers
currently... one for each machine?

Also, how do I check if the DC I am removing is the Global Catalog, and am I
right in thinking that this isn't one of the FSMO roles.

If the server I was demoting did have some of the FSMO roles, wouldn't they
get automatically transfered to the other DC? Or do I have to do that
manually?

DNS is installed on the other server so that should be OK, i.e. not the one
I am demoting. But do I need to remove the references to the DC I am demoting
on this DC.

Hope you can help


"Ryan Hanisco" wrote:

> Robert,
>
> What you will want to do is make sure that the DC you are keeping is running
> your vital services... GC, DNS, DHCP, WINS, File/Print Share and the like.
> Then you will use DCPROMO to demote the old controller. The FSMO roles and
> all will be transferred to the other controller -- this way it doesn't
> matter which one was the first. Just remember not to choose that option
> that says that "this is the last controller in the forest."
>
> With the admin accounts, which two are you referring to? You should have
> the admin account, but then also domain admins and enterprise admins... is
> there one there that was manually created?
>
> Good luck.
>
> --
> Ryan Hanisco
> MCSE, MCDBA
> Flagship Integration Services
>
> "Robert" <Robert@discussions.microsoft.com> wrote in message
> news:54B9F7FF-D15B-4253-9540-9B433ACE36D0@microsoft.com...
> > Dear All,
> >
> > I am fairly new to Active Directory, so please forgive my questioning.
> >
> > In our small network we have 2 domain controllers running Windows 2000
> > Advanced Server. I presume we have 2 for redundancy etc. Active Directory
> is
> > running in Native Mode.
> >
> > I need to rebuild one of the domain controllers because the machine it's
> > running on is very old and very slow server. I want to know how I go about
> > removing the domain controller from the network so that I can rebuild it,
> > join it to the exisiting AD and promote it back. Does anyone have any
> > information on how to do this?
> >
> > Also (very important), in AD Users & Computers, there seems to be 2 in
> built
> > accounts for administering the machine/domain...at the moment they are
> > renamed differently. Is this to be expected? These accounts co-exist in
> the
> > Administrators group. I can't remove one of them. I thought that there
> should
> > only be one Administrator's account for the domain. Or, is this because I
> > have 2 domain controllers.
> >
> > Also, when removing domain controllers, how do I know which is the first
> > domain controller in the forest? Will removing the wrong domain controller
> > cause a big problem, or will the roles be given to the one remaining DC
> when
> > I demote and remove the other one?
> >
> > I hope someone can help me. I am new to AD and my company.
> >
> > Much Thanks,
> > Rob
> >
> > Also, is there anything I should be aware of when I do this.
> >
>
>
>
Related resources
Anonymous
January 31, 2005 8:40:34 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hello Robert, thanks for joining the microsoft community.

1. First to deal with the administrator question, there is only one built-in
administrator account (the one that you can't remove from the administrators
group), but best practices according to security is to rename the built-in
administrator account to something else and create a regular user named
administrator to avoid attacks on the real administrator account, another
thing that's common and best practices are to create and additional
administrator account, if you loose the password of the built-in one, or if
you setup admin accounts for each person that needs to have domain admin
rights, by this way when each admin have its own account, you can turn on
auditing and tack who did what.

2. When you remove an existing Domain Controller within Active Directory,
you have to demote it, as you once demoted it using DCPROMO. Have a look at
the KB: http://support.microsoft.com/kb/238369/EN-US/
What you have to think about is moving the FSMO roles if the Domain
Controller you trying to demote is a holder of any of there's.
See the KB below about how to transfer FSMO roles.
Using Ntdsutil.exe to seize or transfer FSMO roles to a domain
controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

If the Domain Controller also are set to be Global Catalog Server, you
have to ensure at least another Domain Controller are Global Catalog Server,
if not you have to make another Domain Controller Global Catalog Server,
before you demote it, Have a look at the KB below about how to do so.
How To Create or Move a Global Catalog in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;313994

Active Directory is depended on DNS, so if the Domain Controller you
are about to demote are holding the last replica of the DNS Zone for the
particular domain, you have to install and configure DNS with a replica of
the particular domain, at an other Domain Controller.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"Robert" <Robert@discussions.microsoft.com> skrev i meddelandet
news:54B9F7FF-D15B-4253-9540-9B433ACE36D0@microsoft.com...
> Dear All,
>
> I am fairly new to Active Directory, so please forgive my questioning.
>
> In our small network we have 2 domain controllers running Windows 2000
> Advanced Server. I presume we have 2 for redundancy etc. Active Directory
> is
> running in Native Mode.
>
> I need to rebuild one of the domain controllers because the machine it's
> running on is very old and very slow server. I want to know how I go about
> removing the domain controller from the network so that I can rebuild it,
> join it to the exisiting AD and promote it back. Does anyone have any
> information on how to do this?
>
> Also (very important), in AD Users & Computers, there seems to be 2 in
> built
> accounts for administering the machine/domain...at the moment they are
> renamed differently. Is this to be expected? These accounts co-exist in
> the
> Administrators group. I can't remove one of them. I thought that there
> should
> only be one Administrator's account for the domain. Or, is this because I
> have 2 domain controllers.
>
> Also, when removing domain controllers, how do I know which is the first
> domain controller in the forest? Will removing the wrong domain controller
> cause a big problem, or will the roles be given to the one remaining DC
> when
> I demote and remove the other one?
>
> I hope someone can help me. I am new to AD and my company.
>
> Much Thanks,
> Rob
>
> Also, is there anything I should be aware of when I do this.
>
January 31, 2005 8:40:35 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Thanks for your quick reply - most appreciated. Pardon my lack of
understanding too.

The other roles you describe (Enter Admin, Domain Admin etc) do exist, but
there are still two "In-built account for administering the machine/domain".
Are these in AD Users and Computers because I have 2 domain controllers
currently... one for each machine?

Also, how do I check if the DC I am removing is the Global Catalog, and am I
right in thinking that this isn't one of the FSMO roles.

If the server I was demoting did have some of the FSMO roles, wouldn't they
get automatically transfered to the other DC? Or do I have to do that
manually?

DNS is installed on the other server so that should be OK, i.e. not the one
I am demoting. But do I need to remove the references to the DC I am demoting
on this DC.

Hope you can help

"Chriss3 [MVP]" wrote:

> Hello Robert, thanks for joining the microsoft community.
>
> 1. First to deal with the administrator question, there is only one built-in
> administrator account (the one that you can't remove from the administrators
> group), but best practices according to security is to rename the built-in
> administrator account to something else and create a regular user named
> administrator to avoid attacks on the real administrator account, another
> thing that's common and best practices are to create and additional
> administrator account, if you loose the password of the built-in one, or if
> you setup admin accounts for each person that needs to have domain admin
> rights, by this way when each admin have its own account, you can turn on
> auditing and tack who did what.
>
> 2. When you remove an existing Domain Controller within Active Directory,
> you have to demote it, as you once demoted it using DCPROMO. Have a look at
> the KB: http://support.microsoft.com/kb/238369/EN-US/
> What you have to think about is moving the FSMO roles if the Domain
> Controller you trying to demote is a holder of any of there's.
> See the KB below about how to transfer FSMO roles.
> Using Ntdsutil.exe to seize or transfer FSMO roles to a domain
> controller
> http://support.microsoft.com/default.aspx?scid=kb;en-us;255504
>
> If the Domain Controller also are set to be Global Catalog Server, you
> have to ensure at least another Domain Controller are Global Catalog Server,
> if not you have to make another Domain Controller Global Catalog Server,
> before you demote it, Have a look at the KB below about how to do so.
> How To Create or Move a Global Catalog in Windows 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;313994
>
> Active Directory is depended on DNS, so if the Domain Controller you
> are about to demote are holding the last replica of the DNS Zone for the
> particular domain, you have to install and configure DNS with a replica of
> the particular domain, at an other Domain Controller.
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
>
> "Robert" <Robert@discussions.microsoft.com> skrev i meddelandet
> news:54B9F7FF-D15B-4253-9540-9B433ACE36D0@microsoft.com...
> > Dear All,
> >
> > I am fairly new to Active Directory, so please forgive my questioning.
> >
> > In our small network we have 2 domain controllers running Windows 2000
> > Advanced Server. I presume we have 2 for redundancy etc. Active Directory
> > is
> > running in Native Mode.
> >
> > I need to rebuild one of the domain controllers because the machine it's
> > running on is very old and very slow server. I want to know how I go about
> > removing the domain controller from the network so that I can rebuild it,
> > join it to the exisiting AD and promote it back. Does anyone have any
> > information on how to do this?
> >
> > Also (very important), in AD Users & Computers, there seems to be 2 in
> > built
> > accounts for administering the machine/domain...at the moment they are
> > renamed differently. Is this to be expected? These accounts co-exist in
> > the
> > Administrators group. I can't remove one of them. I thought that there
> > should
> > only be one Administrator's account for the domain. Or, is this because I
> > have 2 domain controllers.
> >
> > Also, when removing domain controllers, how do I know which is the first
> > domain controller in the forest? Will removing the wrong domain controller
> > cause a big problem, or will the roles be given to the one remaining DC
> > when
> > I demote and remove the other one?
> >
> > I hope someone can help me. I am new to AD and my company.
> >
> > Much Thanks,
> > Rob
> >
> > Also, is there anything I should be aware of when I do this.
> >
>
>
>
Anonymous
January 31, 2005 10:26:35 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hello again Robert,
Some one has created a regular user account and may added that one to
administrative groups for the reasons I described earlier in my last reply.
There is only one built-in administrator peer domain.

You find how to check whether a domain controller are an global catalog
server or not in this KB. http://support.microsoft.com/?kbid=313994

FSMO roles are actually supposed to be transferred automatically during
demotion, if the dc having any fsmo roles during demotion, but in fact this
can failure, so the best way to do this manually before demotion.

Once more thing when demotion wizard has completed. you have to manually
remove the DC from Active Directory Sites and Service Snpain, from the
particular site where it existed.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

"Robert" <Robert@discussions.microsoft.com> skrev i meddelandet
news:B2562C7F-DC01-4876-B3C3-A5C5A2CA327C@microsoft.com...
>
> Thanks for your quick reply - most appreciated. Pardon my lack of
> understanding too.
>
> The other roles you describe (Enter Admin, Domain Admin etc) do exist, but
> there are still two "In-built account for administering the
> machine/domain".
> Are these in AD Users and Computers because I have 2 domain controllers
> currently... one for each machine?
>
> Also, how do I check if the DC I am removing is the Global Catalog, and am
> I
> right in thinking that this isn't one of the FSMO roles.
>
> If the server I was demoting did have some of the FSMO roles, wouldn't
> they
> get automatically transfered to the other DC? Or do I have to do that
> manually?
>
> DNS is installed on the other server so that should be OK, i.e. not the
> one
> I am demoting. But do I need to remove the references to the DC I am
> demoting
> on this DC.
>
> Hope you can help
>
> "Chriss3 [MVP]" wrote:
>
>> Hello Robert, thanks for joining the microsoft community.
>>
>> 1. First to deal with the administrator question, there is only one
>> built-in
>> administrator account (the one that you can't remove from the
>> administrators
>> group), but best practices according to security is to rename the
>> built-in
>> administrator account to something else and create a regular user named
>> administrator to avoid attacks on the real administrator account, another
>> thing that's common and best practices are to create and additional
>> administrator account, if you loose the password of the built-in one, or
>> if
>> you setup admin accounts for each person that needs to have domain admin
>> rights, by this way when each admin have its own account, you can turn on
>> auditing and tack who did what.
>>
>> 2. When you remove an existing Domain Controller within Active Directory,
>> you have to demote it, as you once demoted it using DCPROMO. Have a look
>> at
>> the KB: http://support.microsoft.com/kb/238369/EN-US/
>> What you have to think about is moving the FSMO roles if the Domain
>> Controller you trying to demote is a holder of any of there's.
>> See the KB below about how to transfer FSMO roles.
>> Using Ntdsutil.exe to seize or transfer FSMO roles to a domain
>> controller
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;255504
>>
>> If the Domain Controller also are set to be Global Catalog Server,
>> you
>> have to ensure at least another Domain Controller are Global Catalog
>> Server,
>> if not you have to make another Domain Controller Global Catalog Server,
>> before you demote it, Have a look at the KB below about how to do so.
>> How To Create or Move a Global Catalog in Windows 2000
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;313994
>>
>> Active Directory is depended on DNS, so if the Domain Controller
>> you
>> are about to demote are holding the last replica of the DNS Zone for the
>> particular domain, you have to install and configure DNS with a replica
>> of
>> the particular domain, at an other Domain Controller.
>>
>> --
>> Regards
>> Christoffer Andersson
>> Microsoft MVP - Directory Services
>>
>> No email replies please - reply in the newsgroup
>> ------------------------------------------------
>> http://www.chrisse.se - Active Directory Tips
>>
>> "Robert" <Robert@discussions.microsoft.com> skrev i meddelandet
>> news:54B9F7FF-D15B-4253-9540-9B433ACE36D0@microsoft.com...
>> > Dear All,
>> >
>> > I am fairly new to Active Directory, so please forgive my questioning.
>> >
>> > In our small network we have 2 domain controllers running Windows 2000
>> > Advanced Server. I presume we have 2 for redundancy etc. Active
>> > Directory
>> > is
>> > running in Native Mode.
>> >
>> > I need to rebuild one of the domain controllers because the machine
>> > it's
>> > running on is very old and very slow server. I want to know how I go
>> > about
>> > removing the domain controller from the network so that I can rebuild
>> > it,
>> > join it to the exisiting AD and promote it back. Does anyone have any
>> > information on how to do this?
>> >
>> > Also (very important), in AD Users & Computers, there seems to be 2 in
>> > built
>> > accounts for administering the machine/domain...at the moment they are
>> > renamed differently. Is this to be expected? These accounts co-exist in
>> > the
>> > Administrators group. I can't remove one of them. I thought that there
>> > should
>> > only be one Administrator's account for the domain. Or, is this because
>> > I
>> > have 2 domain controllers.
>> >
>> > Also, when removing domain controllers, how do I know which is the
>> > first
>> > domain controller in the forest? Will removing the wrong domain
>> > controller
>> > cause a big problem, or will the roles be given to the one remaining DC
>> > when
>> > I demote and remove the other one?
>> >
>> > I hope someone can help me. I am new to AD and my company.
>> >
>> > Much Thanks,
>> > Rob
>> >
>> > Also, is there anything I should be aware of when I do this.
>> >
>>
>>
>>
!