DB Upgrade/DC Promotion/DC Demotion

Applies To: Windows Server 2008

The Security Accounts Manager (SAM) database changes state (active or inactive):

  • During an operating system upgrade.
  • When a server becomes a domain controller.
  • When a server is no longer a domain controller.

The database upgrade, domain controller installation, and domain controller removal processes are designed to track events that are related to SAM state changes.

Aspects

The following aspects are part of this managed entity. Each aspect is listed by name, followed by its description.

Account Upgrade

When a computer is promoted to become a domain controller, the promotion process imports user accounts from the local computer's Security Accounts Manager (SAM) database into the Active Directory database.

Database Integrity

When a computer is promoted to become a domain controller, the promotion process converts the Security Accounts Manager (SAM) database into an Active Directory database.

Domain Controller Account

Domain controllers authenticate to one another using their machine (computer) accounts. A domain controller must authenticate with another domain controller before the two can communicate, for example to replicate.

Domain Controller Demotion

You can use the Active Directory Domain Services Installation Wizard (Dcpromo.exe) to promote a server to a domain controller and to demote a domain controller to a member server (or to a stand-alone server in a workgroup if the domain controller is the last domain controller in the domain). As part of the demotion process, the wizard removes the configuration data for the domain controller from Active Directory Domain Services (AD DS). This data takes the form of an NTDS Settings object that exists as a child of the server object in Active Directory Sites and Services. The information is in the following location in AD DS:

CN=NTDS Settings,CN=server,CN=Servers,CN=site,CN=Sites,CN=Configuration,DC=domain

The attributes of the NTDS Settings object include data that represents how the domain controller is identified in relation to its replication partners, the naming contexts that are maintained on the machine, whether the domain controller is a global catalog server, and the default query policy. The NTDS Settings object is also a container that may have child objects that represent the domain controller's direct replication partners. This data is required for the domain controller to operate in the environment, and it is removed when the domain controller is demoted.
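The following script is an added example, not part of the original TechNet page, that reads the NTDS Settings object described above for one domain controller and reports the information the paragraph lists: global catalog status (bit 1 of the options attribute), the naming contexts held, the query policy, and the direct replication partners represented by the child nTDSConnection objects. Run after a demotion, it confirms that the object is gone; a server object that still has an NTDS Settings child after demotion indicates that metadata cleanup is outstanding. It assumes the ActiveDirectory PowerShell module is installed, the caller can read the Configuration partition, and the $ServerName value ("DC01") is a hypothetical name.

```powershell
# Added example (not from the TechNet page). Assumes the ActiveDirectory module and read access
# to the Configuration partition. $ServerName is a hypothetical domain controller name.
param([string]$ServerName = 'DC01')

Import-Module ActiveDirectory
$configNc = (Get-ADRootDSE).configurationNamingContext

# Every DC has a server object under CN=Sites; while it is a DC it also has an NTDS Settings
# (objectClass nTDSDSA) child object, which is exactly what demotion removes.
$servers = Get-ADObject -SearchBase "CN=Sites,$configNc" `
                        -LDAPFilter "(&(objectClass=server)(cn=$ServerName))"
if (-not $servers) { Write-Output "No server object named $ServerName under CN=Sites"; return }

foreach ($srv in $servers) {
    $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                         -LDAPFilter '(objectClass=nTDSDSA)' `
                         -Properties options, 'msDS-hasMasterNCs', queryPolicyObject

    if (-not $ntds) {
        # The server object itself may remain for other reasons; the NTDS Settings object must not.
        # Its absence means demotion completed (or metadata cleanup was already performed).
        Write-Output "$($srv.DistinguishedName): no NTDS Settings object (demotion cleaned up)"
        continue
    }

    # Bit 0 (value 1) of the options attribute marks a global catalog server.
    $isGc = (($ntds.options -as [int]) -band 1) -ne 0

    # Inbound replication partners are nTDSConnection children; fromServer holds the DN of the
    # partner's own NTDS Settings object, so the second RDN is the partner's server name.
    $conns = Get-ADObject -SearchBase $ntds.DistinguishedName -SearchScope OneLevel `
                          -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer

    [pscustomobject]@{
        Server         = $srv.Name
        NtdsSettingsDN = $ntds.DistinguishedName
        GlobalCatalog  = $isGc
        NamingContexts = @($ntds.'msDS-hasMasterNCs')
        QueryPolicy    = $ntds.queryPolicyObject
        ReplicatesFrom = @($conns | ForEach-Object { (($_.fromServer -split ',')[1]) -replace '^CN=' })
    }
}
```

Running the script against each server object listed under CN=Sites, rather than against the list of current domain controllers, is what surfaces stale entries: a DC that was removed without a clean demotion still appears as a server object with an NTDS Settings child, and its replication partners keep trying to replicate with it until the metadata is cleaned up.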

Domain Controller Promotion Trust Upgrade

When a computer is promoted to become a domain controller, the promotion process converts the existing trust relationships from the previous Security Accounts Manager (SAM) database to the newly created Active Directory database.

Domain Rename

The Local Security Authority (LSA) stores the domain name and the domain security identifier (SID). During a domain rename operation, the LSA domain name is updated.

Group Membership

When a computer is promoted to become a domain controller, the promotion process adds all Security Accounts Manager (SAM) database accounts to the appropriate security groups in the Active Directory Domain Services (AD DS) database.

PDC Promotion

When a computer is promoted to become a domain controller, the promotion process updates the status of the computer to indicate that it holds the primary domain controller (PDC) emulator operations master role (also known as flexible single master operations or FSMO) for the domain.

The PDC emulator operations master acts as a Windows NT primary domain controller. It processes password changes from clients and replicates updates to the backup domain controllers (BDCs). At any time, there can be only one domain controller acting as the PDC emulator operations master in each domain in the forest.

By default, the PDC emulator is responsible for synchronizing the time on all domain controllers throughout the domain.

The PDC emulator receives preferential replication of password changes that are performed by other domain controllers in the domain. If a password was changed recently, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller as a result of a bad password, that domain controller will forward the authentication request to the PDC emulator before rejecting the logon attempt.
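The three paragraphs above describe two properties of the PDC emulator that a defender can check directly: it is the root of the domain's time hierarchy, and every bad-password logon attempt at any other domain controller is retried at the PDC emulator before it is rejected, so its Security log sees password failures from the whole domain. The script below is an added example, not part of the original TechNet page, that locates the PDC emulator, reports each domain controller's time source, and summarizes recent wrong-password events on the PDC emulator. It assumes the ActiveDirectory PowerShell module, w32tm.exe, remote read access to the PDC emulator's Security log, and that audit policy records credential validation and Kerberos authentication events (IDs 4776 and 4771, which are documented Windows event IDs but are not mentioned on this page).

```powershell
# Added example (not from the TechNet page). Assumes the ActiveDirectory module, w32tm.exe, and
# permission to read the Security log on the PDC emulator remotely.
Import-Module ActiveDirectory

function Get-EventField([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name) {
    # Pull one named EventData field out of the event's XML representation.
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$domain = Get-ADDomain
$pdce   = $domain.PDCEmulator   # FQDN of the current PDC emulator operations master
Write-Output "PDC emulator for $($domain.DNSRoot): $pdce"

# 1. Time hierarchy. Other DCs should sync from the domain hierarchy (ultimately the PDCe);
#    the PDCe itself should point at an external or parent-domain source, not its local clock.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    $host   = $dc.HostName
    $source = (& w32tm.exe /query /source "/computer:$host" 2>&1) -join ' '
    $role   = if ($host -eq $pdce) { 'PDCe' } else { 'DC  ' }
    $flag   = if ($host -eq $pdce -and $source -match 'Local CMOS Clock') { '  <-- PDCe has no upstream time source' } else { '' }
    Write-Output ("{0} {1,-30} time source: {2}{3}" -f $role, $host, $source, $flag)
}

# 2. Bad-password attempts forwarded to the PDCe. Event 4776 (NTLM credential validation) with
#    Status 0xC000006A and event 4771 (Kerberos pre-authentication failed) with Status 0x18 both
#    mean "wrong password". Counting them per account on the PDCe shows domain-wide guessing.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -ComputerName $pdce -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4771; StartTime = $since }

$bad = foreach ($e in $events) {
    $status = Get-EventField $e 'Status'
    if (($e.Id -eq 4776 -and $status -eq '0xc000006a') -or ($e.Id -eq 4771 -and $status -eq '0x18')) {
        [pscustomobject]@{
            User   = Get-EventField $e 'TargetUserName'
            Source = if ($e.Id -eq 4776) { Get-EventField $e 'Workstation' } else { Get-EventField $e 'IpAddress' }
        }
    }
}

Write-Output "Wrong-password events on $pdce since $since, top accounts:"
$bad | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name -First 10
```

Because the forwarding described above happens only for failures, the PDC emulator's log is a good place to look for broad low-volume guessing against many accounts; successful logons, by contrast, are served by whichever domain controller the client reached and are not forwarded.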

Well-Known Account Upgrade

When a computer is promoted to become a domain controller, the promotion process recreates the required well-known groups and local groups that are not present when you install Active Directory Domain Services (AD DS) to make a computer a domain controller.

Well-Known Group Upgrade

When a computer is promoted to become a domain controller, the Well-Known Group Upgrade process recreates required well-known groups and local groups that are not present when you install Active Directory Domain Services (AD DS) to make a computer a domain controller.

Well-Known Security Principals Upgrade

When a computer is promoted to become a domain controller, the Well-Known Security Principals Upgrade process adds the security principals to the Well-Known Security Principals container in Active Directory Domain Services (AD DS).
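The Well-Known Account Upgrade, Well-Known Group Upgrade and Well-Known Security Principals Upgrade steps above create objects whose identities are fixed: domain groups are identified by well-known relative identifiers (RIDs) under the domain SID, built-in local groups by fixed SIDs under S-1-5-32, and the entries in the Well-Known Security Principals container by fixed SIDs such as S-1-5-11 for Authenticated Users. The script below is an added example, not part of the original TechNet page, that verifies a promoted domain controller against those expected identities. It assumes the ActiveDirectory PowerShell module and read access to the domain and Configuration partitions; the lists of expected names and SIDs are the ones fixed by Windows, not values taken from this page.

```powershell
# Added example (not from the TechNet page). Assumes the ActiveDirectory module and read access to
# the domain and Configuration partitions. Run against a newly promoted DC.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$domainSid = $domain.DomainSID.Value
$configNc  = (Get-ADRootDSE).configurationNamingContext

# Domain groups created at promotion, keyed by well-known RID. Schema Admins and Enterprise
# Admins exist only in the forest root domain.
$expectedDomainGroups = @{
    512 = 'Domain Admins';       513 = 'Domain Users';      514 = 'Domain Guests'
    515 = 'Domain Computers';    516 = 'Domain Controllers'; 517 = 'Cert Publishers'
    520 = 'Group Policy Creator Owners'
}
if ($domain.DNSRoot -eq (Get-ADForest).RootDomain) {
    $expectedDomainGroups[518] = 'Schema Admins'
    $expectedDomainGroups[519] = 'Enterprise Admins'
}

# Built-in (local) groups, identified by their fixed SIDs.
$expectedBuiltin = @{
    'S-1-5-32-544' = 'Administrators';   'S-1-5-32-545' = 'Users';          'S-1-5-32-546' = 'Guests'
    'S-1-5-32-548' = 'Account Operators'; 'S-1-5-32-549' = 'Server Operators'
    'S-1-5-32-550' = 'Print Operators';   'S-1-5-32-551' = 'Backup Operators'
}

# Entries expected in CN=WellKnown Security Principals,CN=Configuration,... by fixed SID.
$expectedWksp = @{
    'S-1-1-0'  = 'Everyone';        'S-1-5-2'  = 'Network';   'S-1-5-4'  = 'Interactive'
    'S-1-5-7'  = 'Anonymous Logon'; 'S-1-5-9'  = 'Enterprise Domain Controllers'
    'S-1-5-10' = 'Self';            'S-1-5-11' = 'Authenticated Users'; 'S-1-5-18' = 'System'
}

$findings = New-Object System.Collections.Generic.List[string]

# Look domain groups up by SID (domain SID + RID) so a renamed group is reported, not just a missing one.
foreach ($rid in $expectedDomainGroups.Keys) {
    $g = Get-ADGroup -Identity "$domainSid-$rid" -ErrorAction SilentlyContinue
    if (-not $g) {
        $findings.Add("MISSING domain group RID $rid ($($expectedDomainGroups[$rid]))")
    } elseif ($g.SamAccountName -ne $expectedDomainGroups[$rid]) {
        $findings.Add("RID $rid is named '$($g.SamAccountName)', expected '$($expectedDomainGroups[$rid])'")
    }
}

foreach ($sid in $expectedBuiltin.Keys) {
    $g = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
    if (-not $g) { $findings.Add("MISSING built-in group $sid ($($expectedBuiltin[$sid]))") }
}

# The container holds one object per well-known security principal, carrying its fixed objectSid.
$present = @{}
Get-ADObject -SearchBase "CN=WellKnown Security Principals,$configNc" -SearchScope OneLevel `
             -Filter * -Properties objectSid |
    ForEach-Object { $present[$_.objectSid.Value] = $_.Name }

foreach ($sid in $expectedWksp.Keys) {
    if (-not $present.ContainsKey($sid)) {
        $findings.Add("MISSING well-known security principal $sid ($($expectedWksp[$sid]))")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All expected well-known groups and security principals are present'
} else {
    $findings
}
```

Checking by SID rather than by display name is deliberate: the RID and the fixed SIDs are what access control entries actually reference, so a group that exists under the expected name but with the wrong identifier would still break the permissions that the promotion process is supposed to establish.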
