What happens to permissions after dcpromo demote?

Karandras

I'm curious because I'm changing a server (Win 2k server) that is the domain controller to a Win2k3 SBS server which will be their DC, Exchange, Storage and Backup.

The way I was going to do it is demote the current DC to a member server, have it join the new DC and then copy all the files needed in storage to the new storage points then adjust permissions.

However, last Friday at the end of the day (of course) I found a document that showed the use of ADMT (Active Directory Migration Tool) so I thought I would use that instead to get the same permissions with the same users on the new server (there are only about 20 users in total), however I named the new server's domain the same as the old server so this tool will not work.

I'm implementing this tomorrow afternoon so I don't have time to rebuild the SBS server to a different local domain. That's why I'm wondering if the original way of me doing this will work or if I'm going to run into problems. I don't think I will but some community input on this would be great.

Thanks!
 
Several different approaches will work fine.

So it sounds like this first physical server running 2K, will no longer be the head server, that you have a new physical server which is running SBS?

First...you can install SBS into existing active directory...if your current DC is running fine. This may be of value to you, since you wouldn't have to redo all the workstations.

And you would not have any permissions issues in transferring over data, plus this gives you time to move your data over from old server to the new SBS box as you see fit.

Another totally different approach, if you take your first route...demoting current DC doesn't really make sense. Just....shut her down when done. File transfers can take place from old server to new server right across the network. On new server, at the top level of the folders you transferred...do a "take ownership" of all the files.

Another very "neutral" way, use a 3rd PC as a middle man. Stick a huge 2nd hard drive in it, formatted with FAT32. Since FAT32 does not support NTFS permissions, any/all permissions on the files will naturally be stripped away as you copy data to this drive from the old server. Then take this drive..and copy the data to the new server. Don't even need a PC for this, if your server hardware has an IDE or SATA controller on it, just stick the drive in there for a temporary bucket.
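
A post-copy check for the "take ownership" route described above, added here as an example and not part of the original thread: it lists owners and explicit ACL entries on the new server that still reference SIDs the new domain cannot resolve, and folders that cannot be read at all. It assumes the copy preserved the old ACLs (for example `robocopy /SEC`), and the function name `Find-UnresolvedSid` and the path `D:\Shares` are placeholders.

```powershell
# Added example: report owners and explicit ACEs that still point at SIDs
# the new domain cannot resolve. D:\Shares is a placeholder path.
function Find-UnresolvedSid {
    param(
        [Parameter(Mandatory = $true)][string]$Root
    )
    # Accounts from the old domain (or the old server's local accounts) that
    # no longer resolve are shown as raw SIDs of the form S-1-5-21-...
    $sidPattern = '^S-1-5-21-'
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try {
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
        } catch {
            # Folders even Administrator cannot read: ownership has to be taken first.
            [pscustomobject]@{ Path = $item.FullName; Problem = 'AccessDenied'; Identity = $null; Rights = $null }
            continue
        }
        if ($acl.Owner -match $sidPattern) {
            [pscustomobject]@{ Path = $item.FullName; Problem = 'OrphanedOwner'; Identity = $acl.Owner; Rights = $null }
        }
        foreach ($ace in $acl.Access) {
            if ($ace.IsInherited) { continue }   # report each entry only where it is set
            if ($ace.IdentityReference.Value -match $sidPattern) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Problem  = 'OrphanedAce'
                    Identity = $ace.IdentityReference.Value
                    Rights   = "$($ace.AccessControlType) $($ace.FileSystemRights)"
                }
            }
        }
    }
}

# Usage against the placeholder path on the new server.
Find-UnresolvedSid -Root 'D:\Shares' | Sort-Object Path | Format-Table -AutoSize
```

An empty result means every owner and explicit entry under the root resolves to an account the new server knows.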
 
Thanks for the input.

The current server is a DHCP server as well so that will be staying in place but the AD portion will be dropped that's why I'm wondering about the dcpromo and permissions. Also going through the server there are some directories that the Administrator cannot access so the permissions would have to be stripped so I can copy it from the old server to the new server.

I would have liked to do the first option however the company thinks this server is going to be dying slowly so they want AD and their files off of it and put onto something with a backup solution. However they decided to keep it as a DHCP server... I dunno.
 
Well if you're going to SBS..you want your SBS box to be the DHCP server, it's best to let SBS do what it's supposed to do. It will be taking over as your DC, performing typical infrastructure roles such as DNS, WINS, DHCP, etc.

*note that 2x Windows DHCP services will normally not get along, so as SBS is being built..if it's plugged into the current network, it will detect your old server's DHCP and SBS will disable its own service. Thus...you shut off your old server's DHCP service before SBS is being built on the network.

This is one of Microsoft's articles on installing SBS into existing active directory, I have done this about a half dozen times on various clients.
http://support.microsoft.com/kb/884453
 
Hmmm, I didn't think it mattered who was the DHCP server in a server environment like this. Will there be large problems if I leave the Win2k Server as the DHCP server and disable the SBS dhcp server? That is the way I've already constructed the server to bring to the site as I didn't think there would be any problems with that.

If that is going to be a problem, what does the SBS DHCP server do differently that a different DHCP server (example, Cisco DHCP or DLink DHCP or Windows DHCP)?

Thanks.
 
IMO it is better to let your DC run DHCP, it keeps active directory registrations "tighter", keeps it more in touch with its clients. It's easy enough to re-enable it. Turning off DHCP on the old server and turning it on with SBS should only take a few seconds. If you have tons of customized stuff like DHCP reservations on the old server, they are easy to transfer over also.

It won't cause problems if you leave the old server running it, I do have one client with several servers on their LAN, recently I introduced SBS using the above article (originally the network was run by an old 2K DC), and I haven't switched over DHCP to the SBS box yet. As long as the old server has its DHCP properties changed so that it hands out the SBS IP for DNS and WINS, removing the old DC's IP.
 
Ok,

Let's say I want to follow what you do for a setup.

Currently their setup is:

Dlink Router -> Barracuda Web Filter -> Win2k Server -> Switch -> clients

I was going to set it up:

DLink Router -> Barracuda Web Filter -> Win2k Server -> Switch w/ clients and SBS server

The way you would set it up would be:

DLinkRouter -> Barracuda Web Filter -> Win2k3 SBS -> Switch -> Clients ?

I somewhat liked it that the SBS server would be behind a couple of routers that would hinder hackers from getting through on rogue ports.
 
Are you planning on multi-homing the SBS box?

I would have
Router==>'Cuda==>Switch....and also into the switch all the other boxes, they are all equal on the switch.
 
Yeah I was discussing this here and we are going to change their network up a bit:

DLink -> Barracuda -> Switch -> SBS Server / Clients. Retire the other server. Call 'er done and simplify the network.
 
Ok, well now that the DHCP issue is outta the way then back to the dcpromo question. Since I can't have two DCs with the same domain name, dns will point to one which won't be too much of a problem however I want to make sure that dcpromo isn't going to lose or lock any files. I'm guessing it should open permissions up or make everything owned by the Administrator if not I can take control and copy it that way, correct? The dcpromo is just to make sure I can copy files across, I guess I could bring a USB drive and copy everything onto there then onto the new server that way would work too.
 
You can have multiple DCs with the same domain name. That's how many larger networks are set up...with several DCs. Redundancy.

Anyways...a couple of choices...
1- Follow the above guide in installing the SBS server into existing active directory. This involves no changing of the workstations.

2- Build a new SBS box with new active directory, a totally new domain name. Add all the user accounts. Do a transfer of the "data" from the old server to the new one...doing whichever means you wish...across a network, or using a hard drive, etc. Workstations will naturally need to be totally reconfigured for the new active directory. Or give the AD user/computer migration utility a shot.
 