U-Tools: Unique Tools for Windows System Administrators

Rejoining the Same Domain

Q: I want to demote a BDC and rejoin it back to the same domain as a member server. Are there any special steps required?

A: If your computer provides shared disks, you will probably want to preserve the ownership of the shared files on those disks so that your domain users can continue to access them. For all disks that offer shared files, select "Do not change these disks" on the UPromote SID ownership panel. This will preserve the domain SIDs in the ACLs of those files. For technical details see Changing the Security ID on Disks.

After you rejoin the domain, run EXPLORER.EXE and re-add your domain groups to the share-level permission list of your shared folders and shared printers so that your domain users can continue to access them. For technical details see Security IDs and the Registry.

When you are all done and satisfied that everything is working OK, you can delete the redundant local user accounts from the member server. Do not delete any special accounts used by services (e.g., the service accounts used by Exchange Server or SQL Server).

Q: I re-added my domain groups to the share-level permissions list for my shared folders and shared printers. (See previous question.) But my users report that they are still denied access. What is wrong?

A: On your new member computer run USRMGR.EXE. Select the local computer. (Look at the title bar and check that it shows the name of the local computer not the name of the domain.) Click on Policies -> User Rights. For each domain group (e.g., "Domain Users") grant the User Right to "Access this computer from the network". Also add "Log on locally" if you want to allow your users to log on locally.

Q: I have hundreds of file shares. Is there any way that I can preserve the share-level permissions so I don't have to re-create them?

A: If you have numerous file shares and/or numerous groups listed under the file shares, you can preserve the permissions by exporting the registry key HKLM\System\CurrentControlSet\Services\LanManServer\Shares\Security. Each value under this key is named after a share and holds that share's security descriptor, i.e., the SIDs of the users and groups on its permission list; because you rejoin the same domain, those domain SIDs remain valid. Export the key before you run UPromote. After you rejoin the computer back to the domain as a member server, reload the registry key. This will restore the share-level permissions.
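Before and after the export/reload it is worth checking what the saved key actually grants. The following Python script is an added example, not part of the U-Tools FAQ or of UPromote: it parses a REGEDIT4 export of the Shares\Security key, decodes each share's self-relative SECURITY_DESCRIPTOR, and lists the ACEs with their SIDs, flagging the account-domain SIDs (S-1-5-21-...) that you should compare against your domain's SID. The share names, the domain SID and the permissions in the embedded sample export are constructed for illustration.

```python
"""Audit share-level permissions exported from
HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Shares\\Security.

Each value under that key is named after a share; its REG_BINARY data is a
self-relative SECURITY_DESCRIPTOR whose DACL holds one ACE per entry on the
share's Permissions list. Decoding the SIDs shows which accounts the restored
permissions will grant access to.
"""
import re
import struct

ACE_TYPES = {0: "ALLOW", 1: "DENY"}                 # ACCESS_ALLOWED / ACCESS_DENIED
SHARE_RIGHTS = {0x001F01FF: "Full Control", 0x001301BF: "Change", 0x001200A9: "Read"}


def parse_sid(data, off):
    """Decode a binary SID at offset off; return (sid_string, byte_length)."""
    rev, count = data[off], data[off + 1]
    authority = int.from_bytes(data[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, data, off + 8)
    return "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs), 8 + 4 * count


def parse_descriptor(sd):
    """Return the DACL of a self-relative SECURITY_DESCRIPTOR as a list of
    (ace_type, access_mask, sid) tuples."""
    rev, _sbz1, control, _owner, _group, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x8000:            # SE_SELF_RELATIVE must be set
        raise ValueError("not a self-relative SECURITY_DESCRIPTOR")
    if not control & 0x0004 or dacl_off == 0:       # SE_DACL_PRESENT clear: NULL DACL
        return []                                   # i.e. no share-level restriction at all
    _rev, _sbz, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type in ACE_TYPES:                   # skip audit/object ACEs if any
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            sid, _ = parse_sid(sd, off + 8)
            aces.append((ACE_TYPES[ace_type], mask, sid))
        off += ace_size
    return aces


def parse_reg_export(text):
    """Parse a REGEDIT4 export of the Shares\\Security key into {share: sd_bytes}."""
    joined = re.sub(r",\\\r?\n\s*", ",", text)      # re-join ",\" continuation lines
    shares = {}
    for name, hexdata in re.findall(r'^"([^"]+)"=hex:([0-9a-fA-F,]+)', joined, re.M):
        shares[name] = bytes(int(b, 16) for b in hexdata.split(",") if b)
    return shares


def audit_shares(text):
    """For each share: list of (type, right, sid, is_account_domain_sid).
    Domain SIDs and the computer's own SID both start with S-1-5-21-, so a
    flagged SID must be compared against the domain SID to tell them apart;
    everything else (S-1-1-0 Everyone, S-1-5-32-544 Administrators, ...) is well known."""
    return {
        share: [(kind, SHARE_RIGHTS.get(mask, hex(mask)), sid, sid.startswith("S-1-5-21-"))
                for kind, mask, sid in parse_descriptor(sd)]
        for share, sd in parse_reg_export(text).items()
    }


# --- constructed sample export (not data from a real machine) ----------------
def sid_bytes(sid):
    parts = [int(p) for p in sid.split("-")[1:]]
    rev, auth, subs = parts[0], parts[1], parts[2:]
    return bytes([rev, len(subs)]) + auth.to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)


def build_sd(aces):
    """Build a self-relative SD carrying only a DACL, as the Server service stores them."""
    body = b""
    for ace_type, mask, sid in aces:
        s = sid_bytes(sid)
        body += struct.pack("<BBHI", ace_type, 0, 8 + len(s), mask) + s
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(body), len(aces), 0) + body
    return struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20) + acl   # DACL at offset 20


def to_reg_hex(data, per_line=20):
    """Format bytes the way REGEDIT4 writes REG_BINARY: hex:aa,bb,... continued with ',\\'."""
    hx = ["%02x" % b for b in data]
    return ",\\\n  ".join(",".join(hx[i:i + per_line]) for i in range(0, len(hx), per_line))


DOMAIN_USERS = "S-1-5-21-1234567890-987654321-1122334455-513"   # invented domain SID, RID 513
SAMPLE_EXPORT = (
    "REGEDIT4\n\n"
    "[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Shares\\Security]\n"
    '"PUBLIC"=hex:' + to_reg_hex(build_sd([(0, 0x001F01FF, DOMAIN_USERS), (0, 0x001200A9, "S-1-1-0")])) + "\n"
    '"PAYROLL"=hex:' + to_reg_hex(build_sd([(1, 0x001F01FF, "S-1-1-0"), (0, 0x001301BF, DOMAIN_USERS)])) + "\n"
)

if __name__ == "__main__":
    for share, aces in audit_shares(SAMPLE_EXPORT).items():
        print(share)
        for kind, right, sid, is_domain in aces:
            print("  %-5s %-12s %s%s" % (kind, right, sid, "  (account-domain SID)" if is_domain else ""))
```

To produce a real export on the server, run REGEDIT /E SHARES.REG HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Shares\Security before UPromote, and REGEDIT /S SHARES.REG after rejoining the domain; the Server service reads the key when it starts, so the restored permissions are in effect after the reboot that the domain join requires. Running the script over the exported file before and after the reload lets you confirm that every share still lists the expected domain SIDs rather than SIDs of the old standalone machine.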

Q: I demoted my BDC to a standalone server. However, SRVMGR.EXE reports that it is still a BDC. This prevents me from rejoining the domain as a member server. What is wrong?

A: This is usually due to a WINS server with out-of-date domain records. WINS will retain old records for 7 days before deleting them. After you demote the computer, you need to delete from WINS all domain records that have the computer's IP address. The domain records will have type <1Bh> (domain master browser, registered by the PDC) or <1Ch> (domain controllers, registered by the PDC and every BDC). To delete the domain records, run the WINS manager and locate each old domain record with type <1Bh> or <1Ch>. Right-click and select "Delete Mapping". Select "Tombstone" (not "Delete") so that the deletion will be replicated to all of the other WINS servers in your network. For technical details see Locating a DC and WINS.

Windows NT Domain: If you are still having problems joining the domain, you can use NETDOM.EXE from the NT Resource Kit to force your computer to join the domain. On your standalone computer type the command
where mydomain is the name of your domain and mycomputer is the name of the standalone computer.

Active Directory Domain: In rare cases you cannot rejoin the domain because of an error in Active Directory ("DSA: Object cannot be deleted"). This is usually due to recovery of the AD database to a state prior to when you demoted the BDC. You will need to manually remove from AD all the old references to the BDC. See Q216498.

UPromote Frequently Asked Questions