to another. Remember that security is applied within the domain boundary. When
you move a domain controller, you move its SAM and Security db. No can do.
OK. OK. That's Microsoft's party line. There are third-party tools to do this.
The function is controlled by registry settings. I am still not comfortable with
them, but I am waffling. In particular, U-Promote looks interesting.
It lets you demote a domain controller to a member server and promote a member
server to a domain controller. If the servers stay under tight physical
www.sysinternals.com has released the freeware utility NewSID, which has
SID-synchronizing features. The domain controllers within a domain share the
common domain SID. Using NewSID, log on to the BDC to be moved, run NewSID, click
Synchronize SID, and enter the name of the PDC of the
new domain. I would then reboot the BDC and synchronize the new BDC with its new
I haven't used these tools yet in a real environment. The process seems
reasonable. I am a little more likely to use these techniques. It's just that I
keep coming back to the core issue:
The domain controller is the heart of NT security.
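Since every domain controller in an NT domain carries the domain SID as its own machine SID, the check after a NewSID "Synchronize SID" run is simply whether the BDC now reports the same S-1-5-21-A-B-C identifier as the PDC. The script below is an added example, not part of the original page or of NewSID; all SID values in it are constructed samples.

```python
# Added example: verify that two domain controllers share one domain SID.
# A textual SID is S-<revision>-<authority>-<subauth>-...; an NT 4 domain
# SID is S-1-5-21-A-B-C, every DC's machine SID equals it, and a domain
# account is the domain SID plus one trailing RID. All SIDs below are
# constructed samples, not values from any real domain.
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.subauthorities)])


def parse_sid(text: str) -> Sid:
    """Parse a textual SID such as S-1-5-21-1-2-3-500; reject malformed input."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    try:
        fields = [int(p) for p in parts[1:]]
    except ValueError:
        raise ValueError(f"non-numeric SID component in {text!r}") from None
    if fields[0] != 1 or any(f < 0 for f in fields):
        raise ValueError(f"unsupported SID revision or negative field: {text!r}")
    return Sid(fields[0], fields[1], tuple(fields[2:]))


def domain_sid(sid: Sid) -> Sid:
    """Drop an optional RID and return the S-1-5-21-A-B-C domain identifier."""
    subs = sid.subauthorities
    if sid.authority != 5 or not subs or subs[0] != 21 or len(subs) < 4:
        raise ValueError(f"not an NT domain or domain-account SID: {sid}")
    return Sid(sid.revision, sid.authority, subs[:4])


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both SIDs belong to the same NT domain (same S-1-5-21-A-B-C)."""
    return domain_sid(parse_sid(sid_a)) == domain_sid(parse_sid(sid_b))


if __name__ == "__main__":
    pdc = "S-1-5-21-1004336348-1177238915-682003330"       # constructed
    bdc_before = "S-1-5-21-3623811015-3361044348-30300820"  # constructed
    print("before sync:", same_domain(pdc, bdc_before))  # False
    print("after sync: ", same_domain(pdc, pdc))         # True
```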
Member servers:
workstation and can easily be moved from domain to domain. Go ahead. Start /
Settings / Control Panel / Network
NT 2000 is supposed to support such moves. But NT 2000 uses the directory as
its security model, not the domain.
Change BDC to standalone/member server:
approach is to disable the BDC's Netlogon service so it will not act as a domain
controller. This is equivalent to a standalone server with a common SAM.