OK. OK. That's Microsoft's party line. There are third-party tools to do this. The function is controlled by registry settings. I am still not comfortable with them but I am waffling. In particular, U-Promote looks interesting. It lets you demote a domain controller to a member server and promote a member server to a domain controller. If the servers stay under tight physical controls,
www.sysinternals.com has released the freeware utility NewSID, which has SID-synchronizing features. The domain controllers within a domain share the common domain SID. Using NewSID, log on to the BDC to be moved, run NewSID, click Synchronize SID and enter the name of the PDC for the new domain. I would then reboot the BDC and synchronize the new BDC with its new PDC.
I haven't used these tools yet in a real environment. The process seems reasonable. I am a little more likely to use these techniques. It's just that I keep coming back to the core issue:
The domain controller is the heart of NT security.
member servers :
NT 2000 is supposed to support such moves. But NT2000 uses the directory as its security model, not the domain.
Change BDC to standalone/member server :