Mixed Mode Catch


Guest

Our network topography includes a Primary Domain Controller (Win 2K) and a
vestigial BDC (Windows NT) which operates in a branch office. Our subnetted
network operates over a dedicated VPN service, which is 99.9% reliable.

Recently we encountered a prolonged down time due to some network changes we
initiated, and one of the branch office IT guys promoted the NT BDC to a PDC
(or it promoted itself!)

When we restored the interoffice VPN, we discovered that the field office DC
(now a PDC) showed the original PDC (Win2K) located in our main office as a
BDC. And, the original PDC (main office) showed the branch office PDC as a
BDC (correct to the original PDC, but not, actually, how the branch office
machine was currently configured).

In either case, we brought the VPN link back up and, to our dismay, we can't
find a way to get the NT (branch office) PDC demoted back to BDC. We tried
using the SRVMGR tool in the NT RK to promote the original PDC (listed as a
BDC on the NT branch office machine) back to PDC, but that action fails with
an "error 0050. Network request is not supported."

We've tried to remove and restore the NT machine, but to no avail. The
secure channels appear to be working, but we have TWO PDCs in the domain from
the NT machine's POV, and it's causing NETLOGON problems.

How do we fix this?
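An added diagnostic for the situation described above (this script is not from the thread or from any of its posters): it asks each domain controller, in turn, which machine it believes is the PDC and whether that controller's secure channel to the domain is healthy, then flags any disagreement. It assumes nltest.exe is available on the machine running it (it ships with Windows 2000 and with the NT4 Resource Kit), and the domain and controller names are placeholders to replace with your own.

```powershell
# Added example, not part of the original thread.
# Assumes nltest.exe is on the PATH; $Domain and $DomainControllers are placeholders.
param(
    [string]$Domain = 'EXAMPLE',                                   # placeholder NetBIOS domain name
    [string[]]$DomainControllers = @('MAIN-DC01', 'BRANCH-DC01')   # placeholder DC names
)

function Get-ReportedPdc {
    param([string]$Server, [string]$Domain)
    # "nltest /server:<dc> /dsgetdc:<domain> /pdc" makes that DC run the locator for the PDC;
    # the reply contains a line such as "DC: \\MAIN-DC01".
    $out = & nltest.exe "/server:$Server" "/dsgetdc:$Domain" /pdc 2>&1
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Server = $Server; ReportedPdc = $null; Error = ($out -join ' ') }
    }
    $line = $out | Where-Object { $_ -match '^\s*DC:\s*\\\\(\S+)' } | Select-Object -First 1
    $pdc  = if ($line -and $line -match '\\\\(\S+)') { $Matches[1].ToUpper() } else { $null }
    [pscustomobject]@{ Server = $Server; ReportedPdc = $pdc; Error = $null }
}

function Test-SecureChannel {
    param([string]$Server, [string]$Domain)
    # "nltest /server:<dc> /sc_query:<domain>" reports the state of that machine's secure channel;
    # a healthy channel prints a status line containing NERR_Success.
    $out = & nltest.exe "/server:$Server" "/sc_query:$Domain" 2>&1
    [pscustomobject]@{
        Server          = $Server
        SecureChannelOk = [bool]($out -match 'NERR_Success')
        Detail          = ($out -join ' ')
    }
}

# Collect each controller's view of who the PDC is.
$views = foreach ($dc in $DomainControllers) { Get-ReportedPdc -Server $dc -Domain $Domain }
$views | Format-Table -AutoSize

# Two or more distinct answers means the controllers disagree, which is the symptom in the thread.
$distinct = @($views | Where-Object { $_.ReportedPdc } | Select-Object -ExpandProperty ReportedPdc -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "Domain controllers disagree about the PDC: $($distinct -join ', ')"
} elseif ($distinct.Count -eq 1) {
    Write-Host "All queried controllers agree the PDC is $($distinct[0])"
}

# Check the secure channel from each controller as well.
foreach ($dc in $DomainControllers) {
    Test-SecureChannel -Server $dc -Domain $Domain | Format-Table -AutoSize
}
```

Run it from an account that is allowed to query the controllers remotely; the disagreement warning is the thing to look for, since a domain in which the controllers agree on a single PDC and all secure channels report NERR_Success does not have the split described in the question.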
 
The NT4 machine did not promote itself. Period. Anyone who told you
that, stop listening to them, it did not happen.

Your option is to destroy the NT4 machine or buy UPROMOTE and demote it
to a member machine. You are in a bad configuration right now and the OS
is not going to let you correct it because you shouldn't have been able
to get there. You were because of 2 main things:

1. Someone who didn't know what they were doing had too many rights to
the domain controller.

2. Someone who didn't know what they were doing did something on the
domain controller.

Had they not had the rights or not done anything you would be fine, this
is just one of hundreds of reasons why you shouldn't give out rights on
domain controllers.

Hopefully no one created any accounts or groups or workstations in the
branch because you are going to lose them and there could be SID related
issues.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
 
Thanks, Joe.

We've got a Compaq Array on this machine, it's old, and it should have been
replaced years ago. Seems I've got more than personnel problems.

Thanks for the advice.

J Smith
 