migrate domain controller to standalone server

aueddonlineaueddonline Member Posts: 611 ■■□□□□□□□□
Hey, I know this is going to sound a bit backwards but i'd like to know if it's possible to migrate from an active directory environment to a standalone win2k3 server.

I would like to preserve the permissions of active directory users for the data and have local users.

There will be about 100 users.

I currently have a single win2k3 domain controller with a dir called C:/data with all the, data in it.
What's another word for Thesaurus?

Comments

  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    You can run dcpromo again to demote the dc to a standalone server.
    Decide what to be and go be it.
  • aueddonlineaueddonline Member Posts: 611 ■■□□□□□□□□
    And you get to keep all the users and file permissions?
    What's another word for Thesaurus?
  • MrAgentMrAgent Member Posts: 1,310 ■■■■■■■■□□
    By standalone server do you mean just a server on the domain, or do you mean no domain at all?

    If youre on the domain, then permissions should stay. If you remove it from the domain, and just part of a workgroup, then obviously the permissions wont be there.

    Keep in mind though, that this is a DC so there probably wont be many permissions to worry about.
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    And you get to keep all the users and file permissions?
    If permissions are assigned to local users in the SAM db, running dcpromo will not change those permissions. Same if the server is just one DC of several in a domain.

    I think we need a bit more info. How many domain controllers are there? I get really nervous when someone asks a question like this and it involves running DCPROMO. Next thing you know he has to seize FSMO roles or he's restoring his entire AD or worse yet: he has to recreate the entire AD because he has no valid bacups.
  • jibbajabbajibbajabba Member Posts: 4,317 ■■■■■■■■□□
    Won't preserve the permissions unless the user exist locally. If you have a workstation and someone logs in using a domain user, the user doesn't automatically exists locally on that client and as a result, once the domains is gone, this user won't exist anymore. Under the security settings you likely to see just a random string instead of the username. If you talk about the DC then it depends whether those user existed before creating the domain controller as you cannot login locally to a DC. Most likely, once demoted, you will only have the local admin left.
    My own knowledge base made public: http://open902.com :p
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    jibbajabba wrote: »
    Won't preserve the permissions unless the user exist locally. If you have a workstation and someone logs in using a domain user, the user doesn't automatically exists locally on that client and as a result, once the domains is gone, this user won't exist anymore. Under the security settings you likely to see just a random string instead of the username. If you talk about the DC then it depends whether those user existed before creating the domain controller as you cannot login locally to a DC. Most likely, once demoted, you will only have the local admin left.
    I didn't think the SAM was deleted when DCPROMO was initially run. My understanding was that is would be accessible again once dcpromo was run a second time. But I have never actually tried that. Has anyone done this and seen the result?
  • DevilsbaneDevilsbane Member Posts: 4,214 ■■■■■■■■□□
    I didn't think the SAM was deleted when DCPROMO was initially run. My understanding was that is would be accessible again once dcpromo was run a second time. But I have never actually tried that. Has anyone done this and seen the result?

    The SAM can't be deleted, that is where the Directory Restore Mode credentials are stored. I don't know what would happen to the other entries though.
    Decide what to be and go be it.
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Asif Dasl wrote: »
    You're right about it being backwards. Highly not recommended. A 100 user workgroup situation? Don't think so! icon_lol.gif
    Yeah, none of this is making sense to me. I thought initially he was just demoting the server but I guess he want to completely destroy the domain.

    The SIDs would still be there but the accounts would all be destroyed. Already having 100 local users does not make sense either. I'd really like to see more info from the OP.
  • Asif DaslAsif Dasl Member Posts: 2,116 ■■■■■■■■□□
    OK tried this out. Using Server 2003 R2 I created 3 users in the local database, I then DCPROMO'd and the users were imported in to AD, I then DCPROMO'd again and removed AD as the last domain controller and then checked the local database which was empty apart from the Administrator and the Guest accounts. So if you remove AD the local database will be empty.
  • jibbajabbajibbajabba Member Posts: 4,317 ■■■■■■■■□□
    If you really are serious and you want to be 100% sure, install a dc and client in a VM, configure some permissions and remove the domain and see what happens.
    My own knowledge base made public: http://open902.com :p
  • jibbajabbajibbajabba Member Posts: 4,317 ■■■■■■■■□□
    @Asif, like I said icon_wink.gif, you're left with the Admin ...
    My own knowledge base made public: http://open902.com :p
  • RobertKaucherRobertKaucher Member Posts: 4,299 ■■■■■■■■■■
    Asif Dasl wrote: »
    Nothing like hands-on personal experience! Not that your word is not good enough or anything! :D
    Another triumph for the scientific method!!!

    science.jpg
Sign In or Register to comment.