
Local Users and DCPROMO remove AD


ScottSN (MIS), US, Dec 26, 2001
Converted a Windows 2000 Server in workgroup mode to a DC (single server network). All local users were migrated to AD (good). Named the local domain the actual valid domain name (not good). Want to remove AD to change domain name (change .com to .local).

If I run DCPROMO to remove the AD domain, all documentation, warnings, etc. say that I will lose all users.

Will they revert back to local users, or will I be left with no user accounts and have all the files and folders orphaned with sids that don't associate with any users? In other words, if I remove the AD via DCPROMO, will the server and local user accounts be as it was before the DCPROMO (AD installation)?

I assume that at the very least, it has to preserve or revert some accounts (like administrator) as local users, otherwise you'd be completely locked out of the box.

Has anyone out there done this before, and if so, what happened to the local users?

Thanks in advance for any input.

Scott
 
As far as I remember you will lose the domain user accounts, but administrator etc. will revert back to the local one.

The domain user accounts will not change into local workgroup ones.

"Work to live, don't live to work"

"The problem with troubleshooting is that sometimes it shoots back"
 
Immacola, thanks for responding. Since this box was previously the server on a workgroup network, all the user accounts to access the data on it were local (to the server) accounts. When I did the DCPROMO to implement AD, all the local user accounts became AD domain accounts.

My hope is that if I do a DCPROMO to remove the AD structure, the local accounts would be there again. However if I remove AD and they aren't there, I'm toast because now all the user files and folders will be orphaned and the users will not have access.

I am not concerned about losing anything related to the domain configuration because I didn't create any additional users and only added two computers to the domain (which I deleted).

Rather than cross my fingers and pull the trigger, hoping that it will behave as I predict, I would like to know if anyone else has done it before and can tell me what happened.

Otherwise, I will probably need to config a temp box as an NT4 BDC to "hold" the users as I shuffle the AD deck.

Thanks again.

Scott
 
The easiest way to do this would be to create a new forest and domain with the correct name. This would require another server. Then you can use ADMT to migrate the user accounts to the new domain.
 
milchstein:

Thanks for the response. Actually, I could put up another box running nt4 and have it hold the users because it only cares about the netbios domain name without the .com or .local extension. I could change the AD domain extension and the nt4 box wouldn't know the difference.

I am trying to avoid having to put up another box just to hold the users. I don't have any extra servers at this site.

(I've had mixed results with ADMT as well, so the NT4 server solution seems like more of a "slam-dunk" if I have to end up putting up another box.)

Thanks for your help.

Scott
 
It may or may not work. It depends on the AD mode you're in. If you're native, you can't add an NT 4 BDC. In that case, mlichstein is correct; the best approach would be ADMT. The only problem with the ADMT approach would be applications like SQL in the environment. If you were using SQL integrated security, you'll need a tool like Aelita DMW to swap out the SIDs. This goes for MSDE based apps as well. File & Print and Exchange are handled well by ADMT v2, and shouldn't require a third party tool. I wonder if you could find references to this effect in Utopia.

 
xmsre:

Thanks for your response. I am in mixed mode, so NT4 is supposed to work. There is no SQL, etc. It was a basic file and print server in workgroup mode with local accounts for the users prior to the DCPROMO; the only exception is that Services for Macintosh is being used.

Sorry for my ignorance, but what is Utopia?

Thanks

Scott
 
Why not re-name the site?
1) Active Directory Sites and Services
2) Sites
3) Site that you want to rename
4) Right click the server and choose rename.
5) Type the new site name.
See if this works. (Make sure you have a backup first.)

This is from MSDN.
Remove AD

Troubleshooting
If you remove Active Directory from all domain controllers in a domain, you also delete the directory database for the domain. The domain no longer exists. Computers that are joined to this domain can no longer log on to the domain or use domain services.
The Active Directory Wizard removes the shortcuts to Group Policy security settings for a member server or standalone server.


Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin check out Tek-Tips in Chicago, Illinois Forum.

TTinChicago
 
With the accounts held in the NT 4 SAM of a BDC, you could effectively roll back and start over. Another thought would be to go W2K3 instead and do a domain rename, as long as you have not yet introduced Exchange 2000/2003 into the environment.

 
A domain rename is a possibility, but depending on how large the network is, it will be a major undertaking. The whitepaper from MS on a domain rename is over 80 pages.

Even without Exchange on the network, it will require a lot of planning and downtime. Every machine in the domain will need to be rebooted at least once, including all DCs.

But it's definitely an option to consider.
 
It sounded like just the one server, ScottSN would have to clarify. A domain rename is not something to be taken lightly, and as mlichstein states you would want to read the whitepaper and prepare for it.

 
Thanks to everyone for your responses. Actually, I don't mind if everything related to the domain goes away because I just recently did the DCPROMO and only had two test workstations join the domain. The current domain user accounts consist of the local users accounts on the server that existed prior to the DCPROMO.

The $64,000 question is what local user accounts will be there after a DCPROMO remove. Would the local user accounts that allowed the users to access their files and folders when the server was in standalone/workgroup mode be there, or does AD actually convert them in a "one way" process? Obviously, some builtin users, like administrator, etc. would have to exist after the remove or the server would be totally inaccessible.

Thanks

Scott

P.S. Glen: I'll check out the forum, but I'm a little west of Chicago, (in Honolulu!). Thanks for the offer though!
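The worry running through this thread is the one in the opening post: after the DC is demoted, file and folder ACLs may be left holding SIDs that no longer map to any account. The script below is an added example, not code from this thread or from Microsoft; it assumes a current Windows host with Windows PowerShell 5.1 or later (Get-LocalUser did not exist on Windows 2000), and the share root and output paths are placeholders. Run it once before the demotion to snapshot the local SAM accounts and their SIDs, and again afterwards to list every access control entry whose principal can no longer be resolved.

```powershell
# Added example (not from the thread): snapshot local account SIDs and audit
# NTFS ACLs for principals that no longer resolve to any account.
# Assumes Windows PowerShell 5.1+ (Get-LocalUser). $Root and $OutDir are
# placeholder paths; change them for the server being audited.
param(
    [string]$Root   = 'D:\Shares',      # placeholder: root of the user data
    [string]$OutDir = $env:TEMP         # placeholder: where to write the CSVs
)

# 1. Record which local accounts exist right now, with their SIDs. A SID is
#    never reissued, so this file is the only way to tie an orphaned ACE back
#    to the account name it belonged to once the account is gone.
Get-LocalUser |
    Select-Object Name, @{n = 'Sid'; e = { $_.SID.Value }}, Enabled |
    Export-Csv -Path (Join-Path $OutDir 'local-accounts.csv') -NoTypeInformation

# 2. Walk the tree and report every ACE whose identity did not resolve.
#    Get-Acl returns a resolved NTAccount (DOMAIN\name) when Windows can map
#    the SID; an unmapped principal comes back as the raw S-1-... string.
function Find-OrphanedAces {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl  = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }

            # Owner can be orphaned too, not only the access entries.
            if ($acl.Owner -match '^S-1-\d+(-\d+)+$') {
                [pscustomobject]@{
                    Path = $item.FullName; Sid = $acl.Owner
                    Rights = 'Owner';      Type = 'Owner'
                }
            }
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                if ($id -match '^S-1-\d+(-\d+)+$') {
                    [pscustomobject]@{
                        Path   = $item.FullName
                        Sid    = $id
                        Rights = $ace.FileSystemRights
                        Type   = $ace.AccessControlType
                    }
                }
            }
        }
}

$orphans = @(Find-OrphanedAces -Path $Root)
$orphans | Export-Csv -Path (Join-Path $OutDir 'orphaned-aces.csv') -NoTypeInformation
"{0} ACEs with unresolvable SIDs under {1}" -f $orphans.Count, $Root
```

Comparing the two runs answers the question the thread keeps circling: any SID that appears in orphaned-aces.csv after the demotion but was a named row in local-accounts.csv before it belongs to an account that did not survive. Because a recreated account always receives a new SID, those entries cannot be repaired by simply recreating the user; the ACLs have to be re-granted (or the SIDs re-mapped with a migration tool, as the ADMT discussion above notes), so having the before-and-after listing in hand is what turns a guess into a plan.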
 