More than one Administrator Account and Reinstalling OS on..

Robert
Apr 1, 2004
Archived from groups: microsoft.public.win2000.active_directory

Dear All,

I am fairly new to Active Directory, so please forgive my questioning.

In our small network we have 2 domain controllers running Windows 2000
Advanced Server. I presume we have 2 for redundancy etc. Active Directory is
running in Native Mode.

I need to rebuild one of the domain controllers because the machine it's
running on is a very old and very slow server. I want to know how I go about
removing the domain controller from the network so that I can rebuild it,
join it to the existing AD and promote it back. Does anyone have any
information on how to do this?

Also (very important), in AD Users & Computers, there seem to be 2 in-built
accounts for administering the machine/domain... at the moment they are
renamed differently. Is this to be expected? These accounts co-exist in the
Administrators group. I can't remove one of them. I thought that there should
only be one Administrator account for the domain. Or, is this because I
have 2 domain controllers?

Also, when removing domain controllers, how do I know which is the first
domain controller in the forest? Will removing the wrong domain controller
cause a big problem, or will the roles be given to the one remaining DC when
I demote and remove the other one?

I hope someone can help me. I am new to AD and my company.

Much Thanks,
Rob

Also, is there anything I should be aware of when I do this?
 
Guest

Robert,

What you will want to do is make sure that the DC you are keeping is running
your vital services... GC, DNS, DHCP, WINS, File/Print Share and the like.
Then you will use DCPROMO to demote the old controller. The FSMO roles and
all will be transferred to the other controller -- this way it doesn't
matter which one was the first. Just remember not to choose that option
that says that "this is the last controller in the forest."

With the admin accounts, which two are you referring to? You should have
the admin account, but then also domain admins and enterprise admins... is
there one there that was manually created?

Good luck.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services


Robert

Thanks for your quick reply - most appreciated. Pardon my lack of
understanding too.

The other roles you describe (Enter Admin, Domain Admin etc) do exist, but
there are still two "In-built account for administering the machine/domain".
Are these in AD Users and Computers because I have 2 domain controllers
currently... one for each machine?

Also, how do I check if the DC I am removing is the Global Catalog, and am I
right in thinking that this isn't one of the FSMO roles?

If the server I was demoting did have some of the FSMO roles, wouldn't they
get automatically transferred to the other DC? Or do I have to do that
manually?

DNS is installed on the other server, i.e. not the one I am demoting, so that
should be OK. But do I need to remove the references to the DC I am demoting
on this DC?

Hope you can help


Guest

Hello Robert, thanks for joining the Microsoft community.

1. First, to deal with the administrator question: there is only one built-in
administrator account (the one that you can't remove from the Administrators
group), but security best practice is to rename the built-in administrator
account to something else and create a regular user named Administrator to
avoid attacks on the real administrator account. Another thing that's common
and best practice is to create an additional administrator account in case you
lose the password of the built-in one, or to set up admin accounts for each
person that needs to have domain admin rights; this way, when each admin has
their own account, you can turn on auditing and track who did what.

2. When you remove an existing Domain Controller from Active Directory,
you have to demote it, as you once demoted it using DCPROMO. Have a look at
the KB: http://support.microsoft.com/kb/238369/EN-US/
What you have to think about is moving the FSMO roles if the Domain
Controller you are trying to demote is a holder of any of these.
See the KB below about how to transfer FSMO roles.
Using Ntdsutil.exe to seize or transfer FSMO roles to a domain
controller
http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

If the Domain Controller is also set to be a Global Catalog Server, you
have to ensure at least one other Domain Controller is a Global Catalog Server;
if not, you have to make another Domain Controller a Global Catalog Server
before you demote it. Have a look at the KB below about how to do so.
How To Create or Move a Global Catalog in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;313994

Active Directory is dependent on DNS, so if the Domain Controller you
are about to demote is holding the last replica of the DNS Zone for the
particular domain, you have to install and configure DNS with a replica of
the particular domain on another Domain Controller.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

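The checks Christoffer describes above (which account is the real built-in Administrator, which DC holds which FSMO role, and whether the DC being demoted is the only Global Catalog) can be scripted. The following is an added example, not code from the thread or from Microsoft's KB articles; it uses the ActiveDirectory PowerShell module that ships with Windows Server 2008 R2 and later / RSAT, which the Windows 2000 hosts in the thread predate (there, the same information comes from AD Users and Computers, ntdsutil and the KBs linked above). The DC name `OLDDC` is an assumed placeholder.

```powershell
# Added pre-demotion audit (not from the thread). Requires the ActiveDirectory
# module; run from an account that can read the domain. 'OLDDC' is a placeholder.
Import-Module ActiveDirectory
$DcToDemote = 'OLDDC'

$domain = Get-ADDomain

# 1. Admin accounts. The built-in Administrator always has RID 500, so it is
#    identified by SID rather than by name, whatever it has been renamed to.
#    Every other user in Administrators / Domain Admins was created by someone.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID)-500"
"Built-in Administrator (RID 500) is currently named: $($builtinAdmin.SamAccountName)"

foreach ($group in 'Administrators', 'Domain Admins') {
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' -and $_.SID.Value -ne $builtinAdmin.SID.Value } |
        ForEach-Object { "  Created admin account in {0}: {1}" -f $group, $_.SamAccountName }
}

# 2. Per-DC view. Global Catalog is a flag on each DC (not a FSMO role);
#    OperationMasterRoles lists the FSMO roles that DC holds, so the "first"
#    DC in the forest is simply whichever one holds SchemaMaster/DomainNamingMaster.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object Name, Site, IsGlobalCatalog,
    @{ n = 'FSMORoles'; e = { $_.OperationMasterRoles -join ', ' } } |
    Format-Table -AutoSize

# 3. What must be fixed before demoting $DcToDemote.
$old = $dcs | Where-Object { $_.Name -eq $DcToDemote }
if (-not $old) { throw "No domain controller named $DcToDemote found" }

if ($old.OperationMasterRoles.Count -gt 0) {
    "WARNING: $DcToDemote holds $($old.OperationMasterRoles -join ', '); transfer these first."
}

$otherGC = $dcs | Where-Object { $_.IsGlobalCatalog -and $_.Name -ne $DcToDemote }
if (-not $otherGC) {
    "WARNING: $DcToDemote is the only Global Catalog; enable GC on another DC before demoting."
}
```

Finding the built-in account by RID rather than by name is the same check an attacker would make in reverse, which is exactly why renaming it is only a speed bump: the audit log and per-person admin accounts Christoffer recommends are what actually give you accountability.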

Robert

Thanks for your quick reply - most appreciated. Pardon my lack of
understanding too.

The other roles you describe (Enter Admin, Domain Admin etc) do exist, but
there are still two "In-built account for administering the machine/domain".
Are these in AD Users and Computers because I have 2 domain controllers
currently... one for each machine?

Also, how do I check if the DC I am removing is the Global Catalog, and am I
right in thinking that this isn't one of the FSMO roles?

If the server I was demoting did have some of the FSMO roles, wouldn't they
get automatically transferred to the other DC? Or do I have to do that
manually?

DNS is installed on the other server, i.e. not the one I am demoting, so that
should be OK. But do I need to remove the references to the DC I am demoting
on this DC?

Hope you can help

Guest

Hello again Robert,
Someone has created a regular user account and may have added that one to
administrative groups for the reasons I described in my last reply.
There is only one built-in administrator per domain.

You can find out how to check whether a domain controller is a global catalog
server or not in this KB: http://support.microsoft.com/?kbid=313994

FSMO roles are actually supposed to be transferred automatically during
demotion if the DC holds any FSMO roles, but in fact this can fail, so the
best way is to do this manually before demotion.

One more thing: when the demotion wizard has completed, you have to manually
remove the DC from the Active Directory Sites and Services snap-in, from the
particular site where it existed.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services

No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips

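Christoffer's advice in this reply and the previous one amounts to a three-step procedure: make another DC a Global Catalog and transfer the FSMO roles manually before demotion, run dcpromo without the "last domain controller" option, then clean up what is left in Sites and Services and in DNS. The following is an added example that scripts those steps; it is not code from the thread or from the KB articles, and it uses the ActiveDirectory and DnsClient PowerShell modules (Windows Server 2008 R2+ / RSAT) in place of the Windows 2000 tools (ntdsutil per KB 255504, the NTDS Settings dialog per KB 313994). `OLDDC` and `NEWDC` are assumed placeholder names.

```powershell
# Added example (not from the thread). Run Invoke-PreDemotion, then dcpromo on
# the old DC, then Test-PostDemotion. 'OLDDC' and 'NEWDC' are placeholders.
Import-Module ActiveDirectory

function Invoke-PreDemotion {
    param([string]$DcToDemote = 'OLDDC', [string]$DcToKeep = 'NEWDC')

    $old  = Get-ADDomainController -Identity $DcToDemote
    $keep = Get-ADDomainController -Identity $DcToKeep

    # 1. Global Catalog on the surviving DC. The GC flag is bit 0x1 of the
    #    'options' attribute on the DC's NTDS Settings object; setting it is
    #    the scripted form of ticking "Global Catalog" in Sites and Services.
    if (-not $keep.IsGlobalCatalog) {
        $ntds = Get-ADObject -Identity $keep.NTDSSettingsObjectDN -Properties options
        Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
        "Requested GC on $DcToKeep; wait for Directory Service event 1119 before demoting $DcToDemote."
    }

    # 2. Transfer (never seize) every FSMO role the old DC still holds.
    #    A transfer needs both DCs online; seizing is only for a DC that will
    #    never come back, because the old holder must not return afterwards.
    if ($old.OperationMasterRoles.Count -gt 0) {
        Move-ADDirectoryServerOperationMasterRole -Identity $DcToKeep `
            -OperationMasterRole $old.OperationMasterRoles -Confirm:$false
    }

    # Return the surviving DC's state so the caller can confirm before dcpromo.
    Get-ADDomainController -Identity $DcToKeep |
        Select-Object Name, IsGlobalCatalog,
            @{ n = 'FSMORoles'; e = { $_.OperationMasterRoles -join ', ' } }
}

function Test-PostDemotion {
    param([string]$DcToDemote = 'OLDDC')

    $domain   = Get-ADDomain
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # 3a. Sites and Services: a clean demotion removes the NTDS Settings
    #     object but can leave the server object behind in its site.
    $leftover = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$DcToDemote'" `
        -SearchBase "CN=Sites,$configNC"
    if ($leftover) {
        $ntdsa = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $leftover.DistinguishedName
        if ($ntdsa) {
            "WARNING: $DcToDemote still has an NTDS Settings object; demotion did not complete cleanly."
        } else {
            # Only the empty server object remains: this is the manual cleanup step.
            Remove-ADObject -Identity $leftover -Recursive -Confirm:$false
            "Removed stale server object for $DcToDemote from Sites and Services."
        }
    }

    # 3b. DNS: clients locate DCs through these SRV records, so the demoted
    #     DC must no longer be advertised there.
    $stale = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV |
        Where-Object { $_.NameTarget -like "$DcToDemote.*" }
    if ($stale) { "WARNING: DNS still advertises $DcToDemote as a DC; delete its SRV records." }
    else        { "DNS no longer lists $DcToDemote as a domain controller." }
}
```

The split into two functions is deliberate: the Sites and Services and DNS checks only make sense after dcpromo has finished on the old machine, and running them earlier would remove objects that the live DC still depends on. Once the rebuilt server is promoted again with dcpromo, the same audit shows whether it registered its own SRV records and whether you want it to be a second Global Catalog.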