Re: More than one Administrator Account and Reinstalling OS on a D
From: Robert (Robert_at_discussions.microsoft.com)
Date: 01/31/05
- Next message: Robert: "Re: More than one Administrator Account and Reinstalling OS on a D"
- Previous message: Thelazyadmin.com: "Re: SBS 2000 and SBS 2003: additional Domain Controllers"
- In reply to: Chriss3 [MVP]: "Re: More than one Administrator Account and Reinstalling OS on a DC"
- Next in thread: Chriss3 [MVP]: "Re: More than one Administrator Account and Reinstalling OS on a D"
- Reply: Chriss3 [MVP]: "Re: More than one Administrator Account and Reinstalling OS on a D"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 31 Jan 2005 09:11:02 -0800
Thanks for your quick reply - most appreciated. Pardon my lack of
understanding too.
The other roles you describe (Enter Admin, Domain Admin etc) do exist, but
there are still two "In-built account for administering the machine/domain".
Are these in AD Users and Computers because I have 2 domain controllers
currently... one for each machine?
Also, how do I check if the DC I am removing is the Global Catalog, and am I
right in thinking that this isn't one of the FSMO roles?
If the server I was demoting did have some of the FSMO roles, wouldn't they
get automatically transferred to the other DC? Or do I have to do that
manually?
DNS is installed on the other server so that should be OK, i.e. not the one
I am demoting. But do I need to remove the references to the DC I am demoting
on this DC?
Hope you can help
"Chriss3 [MVP]" wrote:
> Hello Robert, thanks for joining the Microsoft community.
>
> 1. First to deal with the administrator question, there is only one built-in
> administrator account (the one that you can't remove from the administrators
> group), but best practice according to security is to rename the built-in
> administrator account to something else and create a regular user named
> administrator to avoid attacks on the real administrator account. Another
> thing that's common and best practice is to create an additional
> administrator account, if you lose the password of the built-in one, or if
> you set up admin accounts for each person that needs to have domain admin
> rights. This way, when each admin has their own account, you can turn on
> auditing and track who did what.
>
> 2. When you remove an existing Domain Controller within Active Directory,
> you have to demote it, as you once demoted it using DCPROMO. Have a look at
> the KB: http://support.microsoft.com/kb/238369/EN-US/
> What you have to think about is moving the FSMO roles if the Domain
> Controller you are trying to demote is a holder of any of them.
> See the KB below about how to transfer FSMO roles.
> Using Ntdsutil.exe to seize or transfer FSMO roles to a domain
> controller
> http://support.microsoft.com/default.aspx?scid=kb;en-us;255504
>
> If the Domain Controller is also set to be a Global Catalog Server, you
> have to ensure at least one other Domain Controller is a Global Catalog Server.
> If not, you have to make another Domain Controller a Global Catalog Server
> before you demote it. Have a look at the KB below about how to do so.
> How To Create or Move a Global Catalog in Windows 2000
> http://support.microsoft.com/default.aspx?scid=kb;en-us;313994
>
> Active Directory is dependent on DNS, so if the Domain Controller you
> are about to demote is holding the last replica of the DNS Zone for the
> particular domain, you have to install and configure DNS with a replica of
> the particular domain, on another Domain Controller.
>
> --
> Regards
> Christoffer Andersson
> Microsoft MVP - Directory Services
>
> No email replies please - reply in the newsgroup
> ------------------------------------------------
> http://www.chrisse.se - Active Directory Tips
>
> "Robert" <Robert@discussions.microsoft.com> wrote in message
> news:54B9F7FF-D15B-4253-9540-9B433ACE36D0@microsoft.com...
> > Dear All,
> >
> > I am fairly new to Active Directory, so please forgive my questioning.
> >
> > In our small network we have 2 domain controllers running Windows 2000
> > Advanced Server. I presume we have 2 for redundancy etc. Active Directory
> > is running in Native Mode.
> >
> > I need to rebuild one of the domain controllers because the machine it's
> > running on is a very old and very slow server. I want to know how I go about
> > removing the domain controller from the network so that I can rebuild it,
> > join it to the existing AD and promote it back. Does anyone have any
> > information on how to do this?
> >
> > Also (very important), in AD Users & Computers, there seem to be 2 in-built
> > accounts for administering the machine/domain...at the moment they are
> > renamed differently. Is this to be expected? These accounts co-exist in
> > the Administrators group. I can't remove one of them. I thought that there
> > should only be one Administrator's account for the domain. Or, is this
> > because I have 2 domain controllers?
> >
> > Also, when removing domain controllers, how do I know which is the first
> > domain controller in the forest? Will removing the wrong domain controller
> > cause a big problem, or will the roles be given to the one remaining DC
> > when I demote and remove the other one?
> >
> > I hope someone can help me. I am new to AD and my company.
> >
> > Much Thanks,
> > Rob
> >
> > Also, is there anything I should be aware of when I do this.
> >
>
>
>
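
The pre-demotion checks discussed in this thread (who holds the FSMO roles, whether another Global Catalog remains, whether another DC answers DNS), as an added example that is not part of the original posts. It assumes the ActiveDirectory (RSAT) and DnsClient PowerShell modules, which are newer than the Windows 2000 tools named in the thread; `DC2` is a placeholder name.

```powershell
# Added example (not from the thread). Read-only pre-demotion check.
# Assumes the ActiveDirectory (RSAT) and DnsClient modules; 'DC2' is a placeholder.
param([string]$Target = 'DC2')

Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest
$dcs    = @(Get-ADDomainController -Filter *)

$dc = $dcs | Where-Object { $_.Name -eq $Target }
if (-not $dc) { throw "No domain controller named '$Target' in $($domain.DNSRoot)" }
$others = @($dcs | Where-Object { $_.HostName -ne $dc.HostName })

# The five FSMO roles: two are forest-wide, three are per domain.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = @($roles.Keys | Where-Object { $roles[$_] -eq $dc.HostName })

# Global Catalog is a per-DC setting, not a FSMO role.
$otherGCs = @($others | Where-Object { $_.IsGlobalCatalog })

# Which other DCs answer DNS for the domain's DC locator record?
# (An answer shows the server resolves the zone, not that it hosts a replica.)
$srv   = "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
$dnsOk = @($others | Where-Object {
    Resolve-DnsName -Name $srv -Type SRV -Server $_.IPv4Address -DnsOnly -ErrorAction SilentlyContinue
})

$findings = @()
if ($others.Count -eq 0) { $findings += 'Target is the last DC in the domain' }
if ($held.Count -gt 0)   { $findings += "Target holds FSMO roles: $($held -join ', ')" }
if ($dc.IsGlobalCatalog -and $otherGCs.Count -eq 0) { $findings += 'Target is the only Global Catalog' }
if ($dnsOk.Count -eq 0)  { $findings += 'No other DC answered DNS for the domain' }

[pscustomobject]@{
    Target        = $dc.HostName
    FsmoRolesHeld = $held
    IsGC          = $dc.IsGlobalCatalog
    OtherGCs      = $otherGCs.HostName
    OtherDnsDCs   = $dnsOk.HostName
    Findings      = $findings
}
```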