Move Windows NT servers to another domain or change from member to domain controller

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

domain controllers:

You cannot move domain controllers from one domain to another. Remember that security is applied within the domain boundary. When you move a domain controller, you move its SAM and security database. No can do.

OK. OK. That's Microsoft's party line. There are 3rd-party tools to do this. The function is controlled by registry settings. I am still not comfortable with them, but I am waffling. In particular, U-Promote looks interesting. It lets you demote a domain controller to a member server and promote a member server to a domain controller. If the servers stay under tight physical controls,

www.sysinternals.com has released the freeware utility NewSID, which has SID-synchronizing features. The domain controllers within a domain share the common domain SID. Using NewSID, log on to the BDC to be moved, run NewSID, click Synchronize SID and enter the name of the PDC for the new domain. I would then reboot the BDC and synchronize the new BDC with its new PDC.

I haven't used these tools yet in a real environment. The process seems reasonable. I am a little more likely to use these techniques. It's just that I keep coming back to the core issue:

The domain controller is the heart of NT security.

member servers:

Member servers (additional servers) have their own security context, just like a workstation, and can easily be moved from domain to domain. Go ahead. Start / Settings / Control Panel / Network

NT 2000 is supposed to support such moves. But NT 2000 uses the directory as its security model, not the domain.

Change BDC to standalone/member server:

There are advantages to servers having access to the domain SAM. A simple approach is to disable the BDC's Netlogon service so it will not act as a domain controller. This is equivalent to a standalone server with a common SAM.
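The Netlogon approach above, written out as a command-prompt script. This is an added example, not from the original article; it assumes an NT 4.0 BDC with the Resource Kit sc.exe available (sc.exe ships with Windows 2000 and later) and is run from an administrative command prompt on the BDC itself.

```batch
@echo off
REM Added example, not part of the original article: take a BDC out of
REM domain-controller duty by stopping and disabling Netlogon, then check
REM the result. Assumes sc.exe is present (Resource Kit on NT 4.0).

REM Stop the service now so the server stops acting as a domain controller.
net stop netlogon

REM Keep it from starting again at the next boot (the space after "start=" is required).
sc config netlogon start= disabled

REM Check: the service should report STOPPED and a start type of DISABLED.
sc query netlogon | find "STATE"
sc qc netlogon | find "START_TYPE"

REM The configured role is unchanged (still BACKUP); the machine simply no
REM longer participates as a DC while Netlogon is down.
net accounts | find "Computer role"

REM To put the server back on BDC duty, re-enable and start the service, then
REM resynchronize it with the PDC: SAM replication from the PDC to this BDC
REM stopped while Netlogon was disabled, so its copy of the SAM is stale.
REM   sc config netlogon start= auto
REM   net start netlogon
```

The caveat worth remembering is the one in the closing comment: with Netlogon disabled the BDC keeps a frozen copy of the domain SAM, so password changes and new accounts made on the PDC do not reach it until the service is re-enabled and the BDC is resynchronized.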
