Permissions Are Affected After You Demote a Domain Controller
- Change the domain mode to Native mode to expand the scope of groups to all domain members. Note that this also prevents Windows NT 4.0 backup domain controllers from replicating. In Windows Server 2003, Windows NT 4.0 is not supported in the Windows 2000 functional level. Only Windows 2000 and Windows 2003 are supported at the Windows 2000 functional level. Note: By default, domains in a Windows Server 2003 environment operate at the Windows 2000 mixed functional level. At this level, Windows NT 4.0, Windows 2000, and the Windows Server 2003 family are all supported.
- Create a new local group (or domain global group), and then use the Active Directory Migration tool version 2 to translate the references from the domain local group to the newly created group. You can do so by using the Security Translation feature with a SID mapping file. The SID mapping file contains the SID from the domain local group and the SID for the replacement group. The Active Directory Migration tool searches for the old SID and replaces it with (or adds) the new one.
- You can use the Subinacl tool from the Microsoft Windows NT Resource Kit.
For more information, visit the following Microsoft Web site:
When a domain controller is demoted, the SIDs of the local groups remain in the access control lists, and can still be resolved to their friendly names. However, after the demotion, they cannot be used for authorization. Also, they cannot be added to either file or share permissions until the domain is switched to Native mode.
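To illustrate the replace-or-add translation described above on the stale SIDs that remain in access control lists, the following added example (not Microsoft's code, and not how the Active Directory Migration tool is implemented) applies a SID mapping to a security descriptor in SDDL form. The SIDs, the descriptor, and the one-pair-per-line `old SID,new SID` mapping layout are constructed assumptions.

```python
import re

# Constructed sample values: these SIDs and this descriptor are made up.
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"  # domain local group
NEW_SID = "S-1-5-21-1111111111-2222222222-3333333333-1622"  # replacement group
SAMPLE_MAP = f"{OLD_SID},{NEW_SID}\n"  # assumed layout: old SID,new SID
SAMPLE_SDDL = f"O:BAG:DUD:AI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;{OLD_SID})(A;OICI;0x1200a9;;;BU)"

# An SDDL ACE is (type;flags;rights;object_guid;inherit_guid;trustee).
# Conditional ACEs with nested parentheses do not match and stay untouched,
# as do the owner (O:) and primary group (G:) fields.
ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_sid_map(text):
    """Read 'old,new' SID pairs, one per line, skipping blank lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        old, new = (part.strip() for part in line.split(",", 1))
        mapping[old] = new
    return mapping

def translate_sddl(sddl, mapping, mode="replace"):
    """Return (new_sddl, matched_old_sids).

    mode="replace": the ACE's trustee becomes the new SID.
    mode="add": the old ACE stays and a copy for the new SID follows it.
    """
    if mode not in ("replace", "add"):
        raise ValueError("mode must be 'replace' or 'add'")
    hits = []

    def rewrite(match):
        fields = match.group(1).split(";")
        if len(fields) != 6 or fields[5] not in mapping:
            return match.group(0)  # not a plain ACE, or trustee not mapped
        hits.append(fields[5])
        new_ace = "(" + ";".join(fields[:5] + [mapping[fields[5]]]) + ")"
        return new_ace if mode == "replace" else match.group(0) + new_ace

    return ACE_RE.sub(rewrite, sddl), hits

if __name__ == "__main__":
    sid_map = parse_sid_map(SAMPLE_MAP)
    for mode in ("replace", "add"):
        print(mode, *translate_sddl(SAMPLE_SDDL, sid_map, mode))
```

The list of matched SIDs doubles as an audit result: an empty list means the descriptor holds no reference to the old group.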
Switching the domain to Native mode provides the group flexibility to add domain local groups to the resources on non-domain controllers. For Windows 2000, this rule applies to Windows 2000 domain controllers that have been demoted and to Windows NT 4.0 domain controllers that have been upgraded and left as member servers during the upgrade process. For additional information about domain local groups, click the article number below to view the article in the Microsoft Knowledge Base:
Article ID: 320230 - Last Review: 03/02/2007 00:21:53 - Revision: 5.3