>>> I know there's a really good how-to out there somewhere on using NTDSUTIL
>>> for this purpose
Talking about this http://www.akomolafe.com/Portals/1/Docs/xferfsmos.htm? :-p

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Laura A. Robinson
Sent: Thu 11/16/2006 11:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Kerberos is Killing Me!

You can leave the IP the same. If the demotion fails or goes awry in some respect, you may have to do some metadata cleanup in addition to the DNS cleanup (which I'm guessing is what Deji meant by "AD/DNS/Sites", but just in case...). Given the, um, quirkiness of this environment, I suspect you may have a difficult demotion ahead.

I assume you've done metadata cleanup before? If not, feel free to post, or just spend a lot of time typing "?" at the ntdsutil prompts. I know there's a really good how-to out there somewhere on using NTDSUTIL for this purpose, but to be honest, I'm pooped and I have to be up early to talk NAP with one customer and convince another that Volume License Activation isn't Evil Empire Voodoo designed to suck all of the money out of their bank accounts. Otherwise, I'd dig it up for you. Then again, I may be thinking of something I wrote, in which case it'll be hard to find by searching the Internet. ;-)

Seriously, though, if you can't find anything helpful, I'm sure any number of people on this list have either great links or great documents they wrote on using NTDSUTIL for metadata cleanup.

Laura

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Friday, November 17, 2006 2:09 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

Thanks Deji. I understand. I will re-examine the event log in the morning and plan for a demotion over the weekend.
Besides removing the reference from AD/DNS/Sites, is there something else I should do or look to remove the reference? Also, should I change the IP address? This I really don't want to do if I really don't have to...?

Thanks.

On 11/16/06, Akomolafe, Deji <[EMAIL PROTECTED]> wrote:

I believe I recommended this early on in the thread. Sometimes, it's easier (wiser) to not fight the fire. Demote, clean it out of AD/DNS/Sites. If you have the luxury, wipe and reinstall the box, otherwise, just do a rename of the box. Renaming it is strongly recommended unless you have scripts and applications into which you have hard-coded the name.

Sincerely,
Microsoft MVP - Directory Services
www.akomolafe.com - we know IT

From: hboogz
Sent: Thu 11/16/2006 7:35 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!

AD sites. 3 one including the DR-site.

Regarding the question about demoting then promoting... if I have to go that route, should I keep the same server name?

On 11/16/06, Laura A. Robinson <mailto:[EMAIL PROTECTED]> wrote:

I apologize if I keep asking questions you've already answered, but how many sites are involved here? Of course, by the time this hits the list, any replication that hasn't yet occurred probably will have. :-)

Laura

From: [EMAIL PROTECTED] [mailto:mailto:[EMAIL PROTECTED] On Behalf Of hboogz
Sent: Thursday, November 16, 2006 5:49 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Kerberos is Killing Me!
**Update***

I changed the user account control attribute using the following direction:

Did you follow:

When using adsiedit:
* Connect to the domain NC
* Navigate to the Domain Controllers OU
* Right click on the DC for which you want to change the UserAccountControl value and select properties
* Go to the UserAccountControl attribute
* You should see a value (from what you have described): 536576
* Change that value to: 532480

I then followed the instructions found here:

Re: access denied
http://technet2.microsoft.com/WindowsServer/en/library/22764cb5-9860-4f8f-95e7-337df24edf741033.mspx?mfr=true

I did this from the phmaindc1 server:

net stop kdc
clear ticket cache
reset machine password
open Sites and Services and forced replication with phprint -- which succeeded
opened replmon and synchronized with phprint1.
net start kdc
ran: repadmin /showreps.

Replication to phprint1 came up as successful; however, I still get an error to the child domain indicating access denied.

Should I wait for AD replication for this to work?

--
HBooGz:\>
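The two userAccountControl values quoted in the update above (536576 and 532480) are bit masks, and decoding them shows which flag the adsiedit change clears. This is an added example, not part of the original thread; the helper names are hypothetical, the flag table is a partial list of the documented userAccountControl bits, and the domain controller check is an assumption about what a writable DC's computer account normally carries.

```python
# Added example: decode the two userAccountControl values quoted in the thread.
# Bit values are the documented ADS_UF_* flags (partial table).
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0000800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0002000: "SERVER_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0200000: "USE_DES_KEY_ONLY",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def decode_uac(value):
    """Names of the known flags set in value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def unknown_bits(value):
    """Bits set in value that are not covered by the partial table above."""
    return value & ~sum(UAC_FLAGS)


def dc_account_problems(value):
    """Assumed check: a writable DC's computer account is a server trust
    account, is enabled, and does not also claim to be a workstation."""
    flags = set(decode_uac(value))
    problems = []
    if "SERVER_TRUST_ACCOUNT" not in flags:
        problems.append("SERVER_TRUST_ACCOUNT missing")
    if "WORKSTATION_TRUST_ACCOUNT" in flags:
        problems.append("WORKSTATION_TRUST_ACCOUNT set on a DC account")
    if "ACCOUNTDISABLE" in flags:
        problems.append("account is disabled")
    return problems


if __name__ == "__main__":
    for label, value in (("before", 536576), ("after", 532480)):
        print(f"{label}: {value} = {hex(value)}")
        print("  flags:   ", ", ".join(decode_uac(value)))
        print("  problems:", dc_account_problems(value) or "none")
    print("changed bits:", decode_uac(536576 ^ 532480))
```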