
Issues with completely replacing Domain Controller

Status
Not open for further replies.

bigugly

IS-IT--Management
Jan 2, 2002
38
US
I have a win2k server that has been severely compromised (and has been for some time). Even though I have done the forensics and gotten the biggest problems taken care of, I do not hold any confidence in the security of this server. Soooo....

Here's what I'd like to do:
This box's main mission in life is to serve up SQL. We're primarily a Novell shop. The only thing we're really using AD for is management features. It does not provide email, file services, etc. We only have 15 users.

I'd like to take the server out of production. I would then completely wipe out everything and do a reinstall. AD was minimally configured in the first place, so re-doing it from scratch shouldn't take more than a half hour or so.

After reinstall and configuring AD to match the old configuration, I should be able to drop it straight back in, right?

Other than losing user passwords by doing the above are there any issues I'm not thinking of that I would run into?
 
I think if you do that all of your SIDs for your users and machines would be invalid. Can you install another server - even if only temporarily - to be your AD controller? If you can do that you can save yourself headaches.
 
Well, I do have (in this case) the luxury of having just a few client machines. I would think that if I disjoined (unjoined?) them from the domain before I kill the domain controller and then rejoin when the new dc comes up, I would be fine. Right?
 
Yes, if you remove the clients from the old domain, wipe out the server and start a new domain, and add the clients to the new domain you should have no problem. You will, however, lose any permissions etc. that have been set up. Your old domain will cease to exist.

Also, make sure you can log on as an admin locally to each machine or you will not be able to do anything with them when the old domain is removed. To clarify: if a Windows based machine is a member of a domain, the domain admins have full rights to the machine. Once you remove the machine from the domain, the domain admins no longer have that same access, and you will need to log on locally to each machine in order to join the new domain. I would suggest to first log on as an administrator to each machine to make sure that you can. You can use computer management for this. When you know you have full control over each machine independently, then go to each machine and remove them from the domain. Then wipe out the server, reinstall a new domain, and join the new domain.

Keep in mind that at this point I am assuming that the clients are members of the Windows domain. If they are not clients of the domain but simply access domain resources, you don't need to do all this. You can simply wipe out the server and set up your user names and passwords. Depending on how your clients connect to the domain, any cached SIDs will cause errors. I hope what I am trying to say here is clear...
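The pre-flight check the answer above recommends (confirm a working local admin on every client before leaving the old domain), written as an added PowerShell example that is not from this thread. It assumes PowerShell 5.1 or later with PS remoting enabled, a credential that is currently a local admin on each client, and placeholder hostnames; the unjoin at the end is a dry run until `-WhatIf` is removed.

```powershell
# Added example (not from the thread): before removing clients from a domain that is
# about to be destroyed, verify each one has an enabled, local (non-domain) member of
# its Administrators group. Without that, the machine is unmanageable once the domain
# is gone. Hostnames and credential prompt below are assumptions, not the thread's.
$Clients = @('CLIENT01', 'CLIENT02')   # placeholder client names
$Cred    = Get-Credential -Message 'Account that is currently a local admin on each client'

function Test-LocalAdminReady {
    param([string]$ComputerName, [pscredential]$Credential)

    Invoke-Command -ComputerName $ComputerName -Credential $Credential -ScriptBlock {
        $cs = Get-CimInstance Win32_ComputerSystem

        # Administrators members that are local user accounts, not domain principals
        $localAdmins = Get-LocalGroupMember -Group 'Administrators' |
            Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' }

        # Keep only enabled accounts; a disabled built-in Administrator does not help
        $usable = foreach ($m in $localAdmins) {
            $u = Get-LocalUser -Name ($m.Name -split '\\')[-1] -ErrorAction SilentlyContinue
            if ($u -and $u.Enabled) { $u.Name }
        }

        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            PartOfDomain = $cs.PartOfDomain
            Domain       = $cs.Domain
            LocalAdmins  = ($usable -join ',')
            SafeToUnjoin = ($usable.Count -gt 0)
        }
    }
}

$report = foreach ($c in $Clients) { Test-LocalAdminReady -ComputerName $c -Credential $Cred }
$report | Format-Table -AutoSize

# Machines without an enabled local admin must be fixed first, not unjoined
$report | Where-Object { $_.PartOfDomain -and -not $_.SafeToUnjoin } | ForEach-Object {
    Write-Warning "$($_.Computer): no enabled local admin; create one before leaving the domain"
}

# Only machines flagged SafeToUnjoin leave the old domain; -WhatIf keeps this a dry run
$report | Where-Object { $_.PartOfDomain -and $_.SafeToUnjoin } | ForEach-Object {
    Remove-Computer -ComputerName $_.Computer -UnjoinDomainCredential $Cred `
        -WorkgroupName 'WORKGROUP' -Force -WhatIf
}
```

Once the new domain is up, the same credential list can drive `Add-Computer -DomainName` for each client; the old domain's SIDs on local ACLs will still resolve to nothing and need to be re-granted by hand.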
 
What version of Novell are you using? Does the Novell server sync at all with the W2K server? (Some custom software allows limited interaction between the two.) Might want to run dcpromo on the W2K server to demote it to a stand alone server before removing it.

Glen A. Johnson
 
Nope, no Novell/Win2k interaction at all (other than backup exec remote agent to backup the win2k box to a novell backup media server).

My main worry is migrating MS SQL Server correctly. Also, I hope I'm not leaving anything behind. Normally, I'd grab an image of the server. That's not practical right now, so I'm grabbing everything by hand off the drives that I can think of.

OK, I'm off to down that DC. Wish me luck!
 