Permission issues in Domain after Promoting a Member Server to DC

Discussion in 'Active Directory' started by Kev, Jan 18, 2008.

  1. Kev

    Kev Guest

    I was working at a Single Domain Client Site last week. The Domain had 2
    DCs in it. I was to demote one of the DCs in order that the box could be
    rebuilt for other purposes. The demotion was successful.
    I was then instructed to Promote a designated Member Server to a DC. This
    went fairly well, but there were some issues inherent on the Domain after the
    promotion.
    The issues were as follows:
    1) The new DC could not be browsed to from Domain workstations without
    getting prompted for authentication,
    2) The new DC picked up all of the FSMO roles for some reason. So
    effectively I was left with 2 Domain Controllers that each thought that
    they were holding all 5 FSMO roles.

    Has anyone seen this unorthodox behavior prior? Does anyone have any
    recommendations that would provide a solution to this problem?

    Thanks

    Kevin
     
    Kev, Jan 18, 2008
    #1

  2. Kev

    Jason Silva Guest

    Kev, it sounds like you created another domain when you promoted the dc.
     
    Jason Silva, Jan 18, 2008
    #2

  3. Kev

    Jorge Silva Guest

    Hi
    Easy way, start by opening Active Directory Sites and Services and
    check if all DCs exist in the new DC and the existing ones.

    If yes, use dcdiag and netdiag tools to diagnose any output error.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Jan 18, 2008
    #3
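The symptom in the first post (two DCs that each report holding all five FSMO roles) can be confirmed by comparing each DC's own view of the role holders. The following is an added example, not part of the original thread: it parses the output of `netdom query fsmo` (a tool not mentioned in the thread) as captured on each DC; the host names `dc1`/`dc2`, the domain `example.local` and the sample output are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: output of `netdom query fsmo` run locally on each DC.
# Host names and domain are hypothetical.
SAMPLE = {
    "dc1": """\
Schema master               dc1.example.local
Domain naming master        dc1.example.local
PDC                         dc1.example.local
RID pool manager            dc1.example.local
Infrastructure master       dc1.example.local
The command completed successfully.
""",
    "dc2": """\
Schema master               dc2.example.local
Domain naming master        dc2.example.local
PDC                         dc2.example.local
RID pool manager            dc2.example.local
Infrastructure master       dc2.example.local
The command completed successfully.
""",
}

# Role name, a run of at least two spaces, then the holder's FQDN.
# The trailing status line has only single spaces and does not match.
ROLE_LINE = re.compile(r"^(\S.*?)\s{2,}(\S+)\s*$")

def parse_fsmo(text):
    """Return {role: holder} from one DC's `netdom query fsmo` output."""
    roles = {}
    for line in text.splitlines():
        m = ROLE_LINE.match(line)
        if m:
            roles[m.group(1).lower()] = m.group(2).lower()
    return roles

def find_conflicts(outputs):
    """Return {role: {holder: [DCs reporting it]}} for roles the DCs dispute."""
    views = defaultdict(lambda: defaultdict(list))
    for dc, text in outputs.items():
        for role, holder in parse_fsmo(text).items():
            views[role][holder].append(dc)
    return {r: dict(h) for r, h in views.items() if len(h) > 1}

if __name__ == "__main__":
    for role, holders in sorted(find_conflicts(SAMPLE).items()):
        print(f"CONFLICT {role}: {holders}")
```

An empty result means every DC names the same holder for every role; any entry means the DCs do not share one view of the directory.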
  4. I was working at a Single Domain Client Site last week. The Domain had 2
    This took out your existing domain. The AD/user information was held on this
    DC. Now there is no domain.

    This created a new domain. Even if you name it the same name, the SID is
    different. As far as your clients are concerned different SID = different
    domain.

    The proper way to do this would have been to promote the member server to DC
    BEFORE you demoted the existing DC. When you promote the member server to DC
    while the original DC is on line, the AD/user info is replicated to the new
    DC and your DC is seen by your clients as being in the same domain and no
    prompts for authentication accessing files because the two DCs are in the
    *same* domain. At this point you can demote the original DC without those
    problems.

    You might as well start over from scratch and add the user computers to the
    new domain. If you need to get back the original domain I hope you have
    backups and I would suggest using a consultant.

    Don't use whoever gave you the advice you used to get into this mess.

    Hate to tell you but this is the kind of mess that loses jobs.

    DDS
     
    Danny Sanders, Jan 18, 2008
    #4
  5. Kev

    Kev Guest

    Jorge

    I didn't create any new Domain as some of the other feedback has suggested.
    I did a demotion on one of two DCs in the Domain. Thereafter, I promoted
    the Member Server to DC, which effectively brought the DC count in the
    Domain back to 2.

    Both were present under Servers in AD Sites and Services at that time. The
    former DC was not listed.

    I had forgotten about Netdiag and DCdiag; I should have used those last
    week. When I attempt the DC promotion again on Monday, I will use these
    tools if the problem persists.

    Thanks for your input.

    Kevin Melton
     
    Kev, Jan 18, 2008
    #5
  6. Kev

    Jorge Silva Guest

    Ok, good luck.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, Jan 18, 2008
    #6