UPromote version 1.518 (04/03/2005)


FAQ

Windows Server 2000 and 2003

Q: Does UPromote run on Windows Server 2000 or Windows Server 2003?  

A: Windows Server 2000 and Windows Server 2003 use a radically different method for domain control called Active Directory (AD).  AD is based on the Lightweight Directory Access Protocol (LDAP), which in turn is based on a subset of the international OSI X.500 standards for directory search and management.  

AD requires that you install the Domain Name System (DNS) and maintain directory trees for all machines in your organisation.  Windows Server 2000 and 2003 have a built-in utility, DCPROMO.EXE, that will install Active Directory on your standalone server and promote it to a domain controller.  

NT 4 does not support AD directly.  If your Windows 2000/2003 domain controller is running in pre-Windows 2000 compatibility mode ("mixed" mode), you can use UPromote to create an NT 4 DC that can join the Active Directory domain as a Backup Domain Controller (BDC).  UPromote does not otherwise support Windows 2000/2003 Active Directory.  

Q: Can I use UPromote to demote a Windows NT 4.0 BDC from an Active Directory domain?

A: Yes.  You can use UPromote to remove your remaining NT domain controllers from your AD domain.  Run UPromote and select "standalone server".  After you are finished, go to "Active Directory Users & Computers" and delete the BDC from the folder "Domain Controllers".  In some cases you may need to also delete it from "Active Directory Sites & Services" (Q216364).  

Afterwards you can join the computer to the domain as a member computer.  Create the member computer object in the AD folder "Computers".  (Check the box "Allow pre-Windows 2000 computers to use this account".) On the NT computer run the Control Panel Networking applet to join the computer to the domain.  

Server Manager

Q: Shortly after I promoted/demoted my server, I ran Server Manager (SRVMGR.EXE) on another computer.  It reports that my server has not changed.  Is something wrong?  

A: This is normal.  It can take up to 60 minutes for Server Manager to notice the change.  Exit and rerun SRVMGR.EXE and it will eventually correct itself.  For technical details see The Network Neighborhood.  


Security Identifiers

Q: When I run UPromote to create a Backup Domain Controller (BDC), the program asks for permission to change the security identifier (SID) of my computer.  What is a Security Identifier?  

A: A security identifier is a number that uniquely identifies a computer in a network.  Each member computer in a domain has a unique SID.  Windows networking requires that all the domain controllers in a domain must share the same SID.  So when you add the BDC, its SID must be changed to match the PDC.  

Q: Why does every domain need a unique SID?  

A: The SID uniquely identifies a domain on the network.  If two or more domains share the same SID, the member machines will appear to belong to both domains simultaneously.  It is very important that each domain have a unique SID.  

If you are using the DC on an isolated network (e.g., for testing or training), you do not need to change the SID.  

Q: When UPromote changes the SID, it takes several minutes.  What is it doing?  

A: To change the SID, UPromote scans your entire registry and all of your files.  It changes the registry keys and the ownership of the files to use the new SID.  
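To make concrete what rewriting a SID in registry values and file ownership involves, here is an added Python illustration (not UPromote's own code; the S-1-5-21 domain SIDs it is tested with are constructed): it encodes and decodes binary SIDs and rewrites every SID belonging to one machine/domain SID found in a raw buffer to the new one, keeping each account's RID so that lengths and offsets are unchanged.

```python
import struct

# Binary SID layout used in the registry and in file ACLs:
#   revision (1 byte) | sub-authority count (1 byte) |
#   identifier authority (6 bytes, big-endian) | count x uint32 little-endian
# A machine or domain SID is S-1-5-21-a-b-c; accounts append one more
# sub-authority, the RID (e.g. -500 for Administrator).


def sid_from_string(sid):
    """Encode 'S-1-5-21-a-b-c[-rid]' as a binary SID."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    blob = struct.pack("<BB", int(parts[1]), len(subs))
    blob += int(parts[2]).to_bytes(6, "big")
    return blob + b"".join(struct.pack("<I", s) for s in subs)


def sid_to_string(blob):
    """Decode a binary SID back to its S-... form."""
    revision, count = struct.unpack_from("<BB", blob, 0)
    if len(blob) < 8 + 4 * count:
        raise ValueError("truncated SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rewrite_sids(buf, old_domain, new_domain):
    """Scan a raw buffer (a registry value, a security descriptor) for SIDs of
    old_domain and rewrite them to new_domain, keeping each RID.  Both domain
    SIDs have the same length, so nothing around them moves.  Well-known SIDs
    (S-1-5-32-544, S-1-5-18, ...) and SIDs of other domains are left alone.
    Returns (new_buffer, number_of_sids_rewritten)."""
    old_blob, new_blob = sid_from_string(old_domain), sid_from_string(new_domain)
    if old_blob[1] != 4 or new_blob[1] != 4:
        raise ValueError("expected domain SIDs of the form S-1-5-21-a-b-c")
    old_tail, new_tail = old_blob[2:], new_blob[2:]  # authority + 4 sub-auths
    out, hits, i = bytearray(buf), 0, 0
    while True:
        i = out.find(old_tail, i)
        if i < 0:
            break
        # Confirm the two bytes before the match are revision 1 and a
        # sub-authority count of 4 (bare domain SID) or 5 (domain + RID).
        if i >= 2 and out[i - 2] == 1 and out[i - 1] in (4, 5):
            out[i:i + len(old_tail)] = new_tail
            hits += 1
        i += 1
    return bytes(out), hits
```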

Q: I heard I can move a BDC by using a SID-changing tool such as newsid or Symantec Ghost.  Will this work?  

A: No.  While SID-changing tools may work fine for NT Workstation, they do not work for NT Server.  Changing the SID is necessary but not sufficient to move a BDC.  For example, the database serial number must be synchronized with the PDC.  Otherwise password replication will fail.  UPromote will update all necessary registry values, in addition to changing the SID.  

Q: Why does UPromote ask to change the SID when it converts a DC back to a standalone machine?  

A: If you convert a domain controller back to a standalone machine, UPromote must change the SID to avoid a clash with the remaining domain controllers.  The only time you do not need to change the SID is if you are destroying the domain; i.e., you know for certain that no other DCs exist and that no member computers belong to the domain (for example, during testing).  


Moving Between Domains

Q: I promoted a computer that was not originally a member of the domain.  Will any applications be affected?  

A: If you join a new domain (or are creating a new domain), you may need to update the embedded domain name(s) in some applications.  

  • SQL Server 6.5
    If you are using integrated security in SQL Server 6.5 you will need to update the "Default Domain" field in the SQL Security Manager.  (No changes are required for SQL Server 7 or SQL Server 2000.)

  • Exchange Server
    If you move Exchange Server to another domain users will not be able to authenticate their mailbox passwords.  You may also need to change the service account.  For more information see UPromote and Microsoft Exchange Server.  

  • System Management Server 1.2
    If you installed System Management Server 1.2 with primary or secondary sites, it will have to be uninstalled and then reinstalled with the new domain name.  (No changes are required for SMS 2.0.)

Q: Can I use UPromote to move a BDC from one domain to another?  

A: Yes.  You need to run UPromote twice.  Run it the first time to demote the BDC to a standalone server.  Then run it the second time to promote the standalone server to a BDC in the new domain.  

Note: A SID-changing tool such as newsid or Symantec Ghost will change only the SID.  Some web sites (e.g., the John Savill NT FAQ sites) have claimed that by changing only the SID you can move a BDC to another domain.  This is not true.  UPromote updates several additional registry keys which are essential in order to move a BDC from one domain to another safely and reliably.  These registry keys include the password database serial number and the password database timestamp.

Q: What happened to my old user accounts?  Can I move user accounts between domains?  

A: When you move a BDC, its user accounts will be overwritten by the user accounts from the new PDC.  If you need to preserve the old user accounts, you can use tools such as the Domain Migration Wizard from Aelita or the FastLane DM Consolidator from Quest Software to copy the user accounts to the new domain.  Afterwards you can use UPromote to move the computer to the new domain as a BDC.  


Rejoining the Same Domain

Q: I want to demote a BDC and rejoin it back to the same domain as a member server.  Are there any special steps required?  

A: If your computer provides shared disks, you will probably want to preserve the ownership of the shared files on those disks so that your domain users can continue to access them.  For all disks that offer shared files, select "Do not change these disks" on the UPromote SID ownership panel.  This will preserve the domain SIDs in the ACLs of those files.  For technical details see Changing the Security ID on Disks.  

After you rejoin the domain, run EXPLORER.EXE and re-add your domain groups to the share-level permission list of your shared folders and shared printers so that your domain users can continue to access them.  For technical details see Security IDs and the Registry.  

When you are all done and satisfied that everything is working ok, you can delete the redundant local user accounts from the member server.  Do not delete any special accounts used by services (e.g., used by Exchange Server or SQL Server).  

Q: I re-added my domain groups to the share-level permissions list for my shared folders and shared printers.  (See previous question.) But my users report that they are still denied access.  What is wrong?  

A: On your new member computer run USRMGR.EXE.  Select the local computer.  (Look at the title bar and check that it shows the name of the local computer not the name of the domain.) Click on Policies -> User Rights.  For each domain group (e.g., "Domain Users") grant the User Right to "Access this computer from the network".  Also add "Log on locally" if you want to allow your users to log on locally.  

Q: I have hundreds of file shares.  Is there any way that I can preserve the share-level permissions so I don't have to re-create them?  

A: If you have numerous file shares and/or numerous groups listed under the file shares, you can preserve the permissions by exporting the registry key HKLM\System\CurrentControlSet\Services\LanManServer\Shares\Security.  Do this before you run UPromote.  After you rejoin the computer back to the domain as a member server, reload the registry key.  This will restore the share-level permissions.  

Q: I demoted my BDC to a standalone server.  However SRVMGR.EXE reports that it is still a BDC.  This prevents me from rejoining the domain as a member server.  What is wrong?  

A: This is usually due to a WINS server with out-of-date domain records.  WINS will retain old records for 7 days before deleting them.  After you demote the computer, you need to delete from WINS all domain records that have the computer's Internet address.  The domain records will have type <1Bh> (PDC) or <1Ch> (PDC/BDC).  To delete the domain records, run the WINS manager and locate each old domain record with type <1Bh> or <1Ch>.  Right-click and select "Delete Mapping".  Select "Tombstone" (not "Delete") so that the deletion will be replicated to all of the other WINS servers in your network.  For technical details see Locating a DC and WINS.  

Windows NT Domain: If you are still having problems joining the domain, you can use NETDOM.EXE from the NT Resource Kit to force your computer to join the domain.  On your standalone computer type the command NETDOM.EXE /DOMAIN:mydomain MEMBER mycomputer /JOINDOMAIN where mydomain is the name of your domain and mycomputer is the name of the standalone computer.  

Active Directory Domain: In rare cases you cannot rejoin the domain because of an error in Active Directory ("DSA: Object cannot be deleted").  This is usually due to recovery of the AD database to a state prior to when you demoted the BDC.  You will need to manually remove from AD all the old references to the BDC.  See Q216498.  


Orphan BDC

Q: My BDC lost contact with the PDC.  How can I demote the BDC without the PDC?

A: UPromote will ask to contact the PDC in order to delete the machine account of the BDC.  It will refuse to continue if it cannot locate the PDC.  

This problem can occur if you upgrade your Active Directory domain from "mixed" mode to "native" mode while one or more NT BDCs are still present.  When you do this your BDCs will lose contact with the Windows 2000/2003 domain controllers.  

As a workaround, if your BDC becomes orphaned you can use the following procedure to demote it:

  1. Temporarily disconnect the network cable.  
  2. Promote the BDC to PDC using SRVMGR.EXE.  
  3. Run UPromote to demote the computer to a standalone server.  Because UPromote thinks the computer is a PDC, it will not attempt to contact the real PDC.  
  4. After you are done reconnect the network cable.  
  5. Run SRVMGR.EXE on the real PDC and manually delete the machine account for the BDC.  On Active Directory delete the BDC object from the Domain Controllers folder.  

Afterwards you can rejoin the computer to the domain as a member computer.  See Rejoining the Same Domain.  


Groups

Q: I used UPromote to demote my computer to a standalone server.  What happened to my global groups?  

A: Global groups have no meaning on a standalone server.  If users were an indirect member of a local group via a global group, UPromote will move the users directly to the local group.  For example, if user Fred is a member of the global group Domain Admins, and Domain Admins is a member of the local group Administrators, then UPromote will move Fred directly under Administrators.  

Q: I used UPromote to demote my BDC to a standalone server and then rejoined it to the domain as a member server.  I deleted all of the redundant local users with USRMGR.EXE.  Later I tried to delete a redundant group.  USRMGR.EXE refused, claiming that I needed to first remove all the members from the group.  But I don't see any members.  How can I delete the group?  

A: This is due to a Microsoft bug in USRMGR.EXE.  If you delete a large number of users in a single session, USRMGR.EXE will sometimes forget to delete some of the group members.  This prevents you from deleting the groups.  To fix your password database, type the command PROMOTE.EXE -GROUPFIX.  This will delete all of the "ghost" user members from your groups.  (Note: Requires UPromote version 1.435 or later.)
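As an added illustration of the two behaviours described in the answers above (this is not UPromote's code; the group and user names are constructed), the following Python flattens global-group membership into local groups the way the first answer describes, and strips "ghost" members the way -GROUPFIX does. It goes slightly beyond NT 4 by following nested global groups with cycle protection, which NT 4 itself does not allow.

```python
def _expand(member, global_groups, seen):
    """Yield the users behind a member name.  A plain user name is yielded as
    is; a global group is replaced by its members, recursively (NT 4 has no
    nested global groups, AD native mode does).  'seen' guards against cycles."""
    if member not in global_groups:
        yield member
        return
    if member in seen:
        return
    seen.add(member)
    for inner in global_groups[member]:
        yield from _expand(inner, global_groups, seen)


def flatten_local_groups(local_groups, global_groups):
    """Rewrite local group membership for a machine leaving its domain.

    local_groups:  {local_group: [member, ...]} where a member is a user name
                   or the name of a global group.
    global_groups: {global_group: [user or global_group, ...]}
    Returns ({local_group: [user, ...]}, dropped) where every global group has
    been replaced by the users behind it (duplicates removed, order kept) and
    'dropped' lists the (local_group, global_group) links that no longer exist."""
    flattened, dropped = {}, []
    for local, members in local_groups.items():
        users = []
        for member in members:
            if member in global_groups:
                dropped.append((local, member))
            for user in _expand(member, global_groups, set()):
                if user not in users:
                    users.append(user)
        flattened[local] = users
    return flattened, dropped


def group_fix(groups, existing_users):
    """Remove 'ghost' members: names that are no longer in the user database.
    Returns (cleaned_groups, removed) where removed lists (group, ghost) pairs."""
    cleaned, removed = {}, []
    for group, members in groups.items():
        keep = []
        for member in members:
            if member in existing_users:
                keep.append(member)
            else:
                removed.append((group, member))
        cleaned[group] = keep
    return cleaned, removed
```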


Backup and Recovery

Q: Why does UPromote back up the registry?  

A: The registry contains all settings required to create a domain controller.  Most importantly, it contains the password database.  Backing up the registry ensures that if a problem occurs during the upgrade you can recover your machine by restoring your registry.  

UPromote has been thoroughly tested and is safe and reliable.  However factors outside of Algin's control, such as a corrupt registry hive or an unreliable disk controller could cause UPromote to fail.  

Q: How do I recover the registry?  

A: At the beginning of the conversion process, UPromote asks for permission to create an Emergency Recovery Disk (ERD).  This is strongly recommended.  If the conversion fails, you can restore the registry using the ERD.  

Use the following procedure to restore the registry with the ERD:

  1. Boot using the NT boot diskette.  Type "R" when prompted.  
  2. Insert the Emergency Recovery Disk when prompted.  
  3. Check the box for "Inspect Registry".  Uncheck all other items.  
  4. Check the box for these registry keys:
    • DEFAULT
    • SOFTWARE
    • SYSTEM
    • SECURITY AND SAM

If you changed the SID, you need to restore the SID ownership of your files.  To restore the ownership of your files, run PROMOTE.EXE -SID.  Do this immediately after you restore your registry.  

If your computer was originally a BDC, you need to rejoin the BDC to the domain.  On the BDC run the utility NETDOM.EXE from the NT Resource Kit.

NETDOM.EXE BDC mybdc /ADD
NETDOM.EXE BDC mybdc /RESET

Where mybdc is the name of your BDC.

If done correctly these steps should completely restore your computer back to its original state.

Q: I created a BDC.  I later changed my mind and demoted my computer back to a standalone server.  What happened to my old user accounts?  

A: A BDC is a read-only replica of the PDC's password database.  When you created the BDC, you overwrote the old local accounts in the registry with accounts from the PDC.  The only way to restore the old local accounts is to reload the original registry.  


BDCs and NT Services

Q: I promoted a standalone server to a BDC.  After I rebooted, some of my services no longer start.  What happened?  

A: A BDC is a read-only replica of the PDC's password database.  When you created the BDC, you overwrote the old local accounts in the registry with accounts from the PDC.  Most services run under the SYSTEM account and are not affected.  However a few services may run under special accounts.  (For example, Microsoft SQL Server runs under its own special account.) You need to recreate these accounts on the PDC.  You also need to set the stored password for each service to match the password on the PDC.  To set the stored password of each service:

  1. Open the Control Panel and click on Services.  
  2. For each service that uses a special account (e.g., MSSQLServer), click on Startup.  
  3. Set the password to match the password of the corresponding account which you created on the PDC.  
  4. Click on Start to start the service.  

Q: I promoted a standalone server to a BDC.  After I rebooted, Internet Information Server (IIS) can no longer access the IUSR_ account.  And it can no longer use the IWAM_ account to run a web site in a separate process.  What happened?  

A: (Note: It is generally a bad idea to run IIS on a DC for security reasons.) A BDC is a read-only replica of the PDC's password database.  When you created the BDC, you overwrote the old local accounts in the registry with accounts from the PDC.  This includes the IUSR_ account and the IWAM_ account.  If you run IIS on the BDC, you will need to recreate these accounts manually.  Run USRMGR.EXE and create the accounts.  Make IUSR_ a member of the Guests group only.  Make IWAM_ a member of the Guests group and the MTS Impersonators group.  Give IWAM_ the right to Log On as a Batch Job.  

After you recreate the accounts, you need to tell IIS the passwords.  To tell IIS the password for the IUSR_ account, run the Internet Service Manager on the BDC.  (Note: If you cannot locate the Internet Service Manager icon, create a console window and type MMC.EXE %windir%\system32\inetsrv\iis.msc) Click on IIS -> Default Web Site -> Properties -> Directory Security.  Press the Edit button twice.  Verify that the username is IUSR_.  Check the box for "Enable Automatic Password Synchronisation" or enter a manual password that matches the password you assigned when you created the IUSR_ account.  

To tell IIS the password for the IWAM_ account, do the following.  

  1. Create a DOS shell.  
  2. Type cd %windir%\system32\inetsrv\adminsamples
  3. Type cscript adsutil.vbs set w3svc/WAMUserPass "password"

Use the password you assigned when you created the IWAM_ account.  


Old NT Service Packs

Q: Can I use UPromote with NT Service Pack 3 or earlier?  

A: NT Service Pack 4 (released in 1998) changed the internal format of the password database.  The general rule is that all domain controllers must run SP 4 or later.  This is a well known issue with NT (KB Q197488).  UPromote will work with earlier service packs, and it will warn you if it detects two servers with incompatible service packs.


Trust Relationships

Q: When I try to downgrade my PDC, UPromote says that I must remove my Trust Relationships first.  Why is that?  

A: Mainly for security reasons.  A standalone server should never have a trust relationship with another domain.  


Compatibility Issues

Novell Directory Services

Q: Is UPromote compatible with Novell Directory Services (NDS)?  

A: No.  NDS changes the user password database structure.  The changes are incompatible with UPromote.  You must de-install NDS before using UPromote.  

Windows NT Terminal Server

Q: Is UPromote compatible with Windows NT Terminal Server?  

A: No.  Terminal Server uses an incompatible password database structure.  

Compaq SMART RAID Disk Controller

Q: Is UPromote compatible with the Compaq SMART RAID disk array controller?

A: The Compaq SMART RAID disk array controller has a known problem where it sometimes loses data when rebooting.  This includes registry modifications.  To prevent problems UPromote will warn you if it detects the presence of a Compaq SMART RAID disk array controller.  For more information see Compaq SMART RAID.  

Windows NT Small Business Server

Q: Is UPromote compatible with Windows NT Small Business Server?  

A: No.  SBS is hardwired to always act as a PDC.  It cannot run as a BDC or as a standalone server.  


More Information

For technical details on the operation of UPromote see UPromote Operation.  For user feedback see UPromote Users.  
