Re: More than one Administrator Account and Reinstalling OS on a DC

From: Chriss3 [MVP] (noSpamHere_at_chrisse.se)
Date: 01/31/05


Date: Mon, 31 Jan 2005 17:40:34 +0100

Hello Robert, thanks for joining the Microsoft community.

1. First, to deal with the administrator question: there is only one built-in
administrator account (the one that you can't remove from the Administrators
group), but best practice according to security is to rename the built-in
administrator account to something else and create a regular user named
Administrator, to avoid attacks on the real administrator account. Another
thing that's common and best practice is to create an additional
administrator account, in case you lose the password of the built-in one, or
to set up admin accounts for each person that needs to have Domain Admin
rights; this way, when each admin has their own account, you can turn on
auditing and track who did what.

2. When you remove an existing Domain Controller from Active Directory,
you have to demote it, just as you once promoted it using DCPROMO. Have a look
at the KB: http://support.microsoft.com/kb/238369/EN-US/
What you have to think about is moving the FSMO roles if the Domain
Controller you are trying to demote is a holder of any of them.
See the KB below about how to transfer FSMO roles.
      Using Ntdsutil.exe to seize or transfer FSMO roles to a domain
      controller
      http://support.microsoft.com/default.aspx?scid=kb;en-us;255504

      If the Domain Controller is also set to be a Global Catalog server, you
have to ensure that at least one other Domain Controller is a Global Catalog
server; if not, you have to make another Domain Controller a Global Catalog
server before you demote it. Have a look at the KB below about how to do so.
            How To Create or Move a Global Catalog in Windows 2000
            http://support.microsoft.com/default.aspx?scid=kb;en-us;313994

      Active Directory is dependent on DNS, so if the Domain Controller you
are about to demote is holding the last replica of the DNS zone for the
particular domain, you have to install and configure DNS with a replica of
the particular domain on another Domain Controller.

-- 
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Tips
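The pre-demotion checks the reply describes (FSMO holders, a second Global Catalog, a second DNS replica), plus a check that the RID-500 built-in Administrator really has been renamed, written as an added PowerShell example that is not part of the original post. It assumes the RSAT ActiveDirectory and DnsServer modules (Windows Server 2008 R2 or later); on the Windows 2000 DCs in this thread the same checks are done with Ntdsutil.exe and the DNS console, and the DC name `DC2` is a hypothetical placeholder.

```powershell
# Added example (not from the post): pre-flight checks before demoting a DC.
# Assumes the RSAT ActiveDirectory and DnsServer modules; $DcToDemote is the
# NetBIOS name of the DC to be rebuilt, e.g. 'DC2' (hypothetical).
param([Parameter(Mandatory)][string]$DcToDemote)

Import-Module ActiveDirectory
Import-Module DnsServer

$forest = Get-ADForest
$domain = Get-ADDomain
$others = @(Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $DcToDemote })
if ($others.Count -eq 0) { throw "No other DC found; $DcToDemote is the last DC in the domain." }

# 0. The RID-500 account is the real built-in Administrator whatever it is called,
#    so check the rename by SID rather than by name.
$builtin = Get-ADUser -Identity "$($domain.DomainSID.Value)-500"
if ($builtin.SamAccountName -eq 'Administrator') {
    Write-Warning "Built-in Administrator (RID 500) has not been renamed."
}

# 1. FSMO roles: any role still held by the DC being demoted must be transferred first.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    $holder = ($role.Value -split '\.')[0]          # holders are FQDNs; compare the host part
    if ($holder -ieq $DcToDemote) {
        $hint = "Move-ADDirectoryServerOperationMasterRole -Identity $($others[0].Name) -OperationMasterRole $($role.Key)"
        Write-Warning "$($role.Key) is held by $($role.Value); transfer it first, e.g. $hint"
    } else {
        "{0,-22} ok ({1})" -f $role.Key, $role.Value
    }
}

# 2. Global Catalog: at least one remaining DC must be a GC before this one goes.
if (-not ($others | Where-Object IsGlobalCatalog)) {
    $hint = "Set-ADObject -Identity '$($others[0].NTDSSettingsObjectDN)' -Replace @{options=1}"
    Write-Warning "No other Global Catalog; enable one first, e.g. $hint"
}

# 3. DNS: the AD domain zone must still be hosted on a remaining DC.
$zoneHosts = foreach ($dc in $others) {
    try { $null = Get-DnsServerZone -ComputerName $dc.HostName -Name $domain.DNSRoot -ErrorAction Stop; $dc.HostName }
    catch { }
}
if (-not $zoneHosts) { Write-Warning "Zone $($domain.DNSRoot) is hosted on no other DC; add a replica before demoting." }
else { "DNS zone $($domain.DNSRoot) also hosted on: $($zoneHosts -join ', ')" }
```

Run it as a Domain Admin on any DC that stays; every warning it prints corresponds to one of the KB articles linked above, which describe the actual transfer or configuration step.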
"Robert" <Robert@discussions.microsoft.com> wrote in message
news:54B9F7FF-D15B-4253-9540-9B433ACE36D0@microsoft.com...
> Dear All,
>
> I am fairly new to Active Directory, so please forgive my questioning.
>
> In our small network we have 2 domain controllers running Windows 2000
> Advanced Server. I presume we have 2 for redundancy etc. Active Directory
> is running in Native Mode.
>
> I need to rebuild one of the domain controllers because the machine it's
> running on is a very old and very slow server. I want to know how I go
> about removing the domain controller from the network so that I can rebuild
> it, join it to the existing AD and promote it back. Does anyone have any
> information on how to do this?
>
> Also (very important), in AD Users & Computers, there seem to be 2 built-in
> accounts for administering the machine/domain... at the moment they are
> named differently. Is this to be expected? These accounts co-exist in the
> Administrators group. I can't remove one of them. I thought that there
> should only be one Administrator account for the domain. Or is this
> because I have 2 domain controllers?
>
> Also, when removing domain controllers, how do I know which is the first
> domain controller in the forest? Will removing the wrong domain controller
> cause a big problem, or will the roles be given to the one remaining DC
> when I demote and remove the other one?
>
> I hope someone can help me. I am new to AD and my company.
>
> Much Thanks,
> Rob
>
> Also, is there anything I should be aware of when I do this?
>

