migrate domain controller to standalone server

aueddonline Member Posts: 611
Hey, I know this is going to sound a bit backwards but I'd like to know if it's possible to migrate from an active directory environment to a standalone win2k3 server.

I would like to preserve the permissions of active directory users for the data and have local users.

There will be about 100 users.

I currently have a single win2k3 domain controller with a dir called C:/data with all the data in it.
What's another word for Thesaurus?

Comments

  • Devilsbane Member Posts: 4,214
    You can run dcpromo again to demote the dc to a standalone server.
    Decide what to be and go be it.
  • aueddonline Member Posts: 611
    And you get to keep all the users and file permissions?
    What's another word for Thesaurus?
  • MrAgent Member Posts: 1,310
    By standalone server do you mean just a server on the domain, or do you mean no domain at all?

    If you're on the domain, then permissions should stay. If you remove it from the domain, and it's just part of a workgroup, then obviously the permissions won't be there.

    Keep in mind though, that this is a DC so there probably won't be many permissions to worry about.
  • RobertKaucher Member Posts: 4,299
    aueddonline wrote: »
    And you get to keep all the users and file permissions?
    If permissions are assigned to local users in the SAM db, running dcpromo will not change those permissions. Same if the server is just one DC of several in a domain.

    I think we need a bit more info. How many domain controllers are there? I get really nervous when someone asks a question like this and it involves running DCPROMO. Next thing you know he has to seize FSMO roles or he's restoring his entire AD or worse yet: he has to recreate the entire AD because he has no valid backups.
  • jibbajabba Member Posts: 4,317
    Won't preserve the permissions unless the user exists locally. If you have a workstation and someone logs in using a domain user, the user doesn't automatically exist locally on that client and as a result, once the domain is gone, this user won't exist anymore. Under the security settings you are likely to see just a random string instead of the username. If you talk about the DC then it depends whether those users existed before creating the domain controller as you cannot log in locally to a DC. Most likely, once demoted, you will only have the local admin left.
    My own knowledge base made public: http://open902.com :p
  • RobertKaucher Member Posts: 4,299
    jibbajabba wrote: »
    Won't preserve the permissions unless the user exists locally. If you have a workstation and someone logs in using a domain user, the user doesn't automatically exist locally on that client and as a result, once the domain is gone, this user won't exist anymore. Under the security settings you are likely to see just a random string instead of the username. If you talk about the DC then it depends whether those users existed before creating the domain controller as you cannot log in locally to a DC. Most likely, once demoted, you will only have the local admin left.
    I didn't think the SAM was deleted when DCPROMO was initially run. My understanding was that it would be accessible again once dcpromo was run a second time. But I have never actually tried that. Has anyone done this and seen the result?
  • Devilsbane Member Posts: 4,214
    RobertKaucher wrote: »
    I didn't think the SAM was deleted when DCPROMO was initially run. My understanding was that it would be accessible again once dcpromo was run a second time. But I have never actually tried that. Has anyone done this and seen the result?

    The SAM can't be deleted, that is where the Directory Restore Mode credentials are stored. I don't know what would happen to the other entries though.
    Decide what to be and go be it.
  • RobertKaucher Member Posts: 4,299
    Asif Dasl wrote: »
    You're right about it being backwards. Highly not recommended. A 100 user workgroup situation? Don't think so!
    Yeah, none of this is making sense to me. I thought initially he was just demoting the server but I guess he wants to completely destroy the domain.

    The SIDs would still be there but the accounts would all be destroyed. Already having 100 local users does not make sense either. I'd really like to see more info from the OP.
  • Asif Dasl Member Posts: 2,116
    OK tried this out. Using Server 2003 R2 I created 3 users in the local database, I then DCPROMO'd and the users were imported into AD, I then DCPROMO'd again and removed AD as the last domain controller and then checked the local database which was empty apart from the Administrator and the Guest accounts. So if you remove AD the local database will be empty.
  • jibbajabba Member Posts: 4,317
    If you really are serious and you want to be 100% sure, install a dc and client in a VM, configure some permissions and remove the domain and see what happens.
    My own knowledge base made public: http://open902.com :p
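
An added example, not written by any poster in this thread: PowerShell for the before/after test suggested above. It records every explicit ACE under C:\data by SID and account name before the domain is removed, then reports which of those SIDs no longer resolve afterwards. The function names and the CSV path are hypothetical, and it assumes Windows PowerShell 2.0 or later is installed on the server.

```powershell
# Added example, not from the thread. Function names and the CSV path are
# hypothetical; C:\data is the directory named in the original question.

function Resolve-SidName {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    try {
        $Sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $null   # no account maps to this SID, or the lookup failed
    }
}

function Get-AclSnapshot {
    param([string]$Root)
    # The root folder itself plus everything below it, hidden items included
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl $item.FullName
        # Explicit ACEs only (inherited ones follow from the parent),
        # with the trustee returned as a SID rather than a name
        $rules = $acl.GetAccessRules($true, $false,
                     [System.Security.Principal.SecurityIdentifier])
        $rules | Select-Object `
            @{n='Path';        e={$item.FullName}},
            @{n='Sid';         e={$_.IdentityReference.Value}},
            @{n='Account';     e={Resolve-SidName $_.IdentityReference}},
            @{n='Rights';      e={$_.FileSystemRights}},
            @{n='Type';        e={$_.AccessControlType}},
            @{n='Inheritance'; e={$_.InheritanceFlags}}
    }
}

function Find-OrphanedAce {
    param([string]$SnapshotCsv)
    # Rows whose SID resolved when the snapshot was taken but does not now
    Import-Csv $SnapshotCsv | Where-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $_.Sid
        $_.Account -and -not (Resolve-SidName $sid)
    }
}

# Before removing the domain:
#   Get-AclSnapshot 'C:\data' | Export-Csv 'C:\acl-before.csv' -NoTypeInformation
# After removing the domain:
#   Find-OrphanedAce 'C:\acl-before.csv' | Format-Table Path, Account, Rights
```

The `Account` column in the snapshot keeps the domain name each SID had, which is what is needed to re-create the same permissions for local users once the SIDs show up unresolved.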
  • jibbajabba Member Posts: 4,317
    @Asif, like I said, you're left with the Admin ...
    My own knowledge base made public: http://open902.com :p
  • RobertKaucher Member Posts: 4,299
    Asif Dasl wrote: »
    Nothing like hands-on personal experience! Not that your word is not good enough or anything! :D
    Another triumph for the scientific method!!!
