Domain to workgroup and back 1

[SUSANVV]

I am consulting on a network that originally was setup as an active directory domain. The person who administered it changed it to a workgroup with two logons. You can see the domain and log on using active directory but there is no access to any data on the domain controller as that is now part of the workgroup. When you try to access the domain server and data from a workstation that logs on with active directory, the message is "the server is not accessable. the list of servers for this workgroup is not currently available. When you look at the Entire Network you see both the domain name and the workgroup at equal levels (the workgroup is not part of the domain). Any idea of how to get the domain network back? TIA for any help. I have other problems but they will be for another question.

Sue Van

 

[trusted]

Sue it sounds like the person who created the workgroup never ran dcpromo on one or more of the original domains domain controllers. If you know the Administrator's password for the old domain you could log on and run dcpromo. After you have demoted the old domain controller join it to the workgroup and add the user accounts that need to access the resources.


Hope it helps.

JC

 

[SUSANVV]

Thanks for the answer. So long as they are on the workgroup, they can access the shared resources. As soon as I remove a workstation from the workgroup and put it into the domain, they can no longer access any of the resources. I would like to re-establish the domain and do away with the workgroup for better security. Right now everyone logs on as administrator with an administrator password-all the same for everyone. They currently have 2 logons which I would like to do away with. How would the workgroup get established and there still be a domain? Needless to say I am trying things with an unused workstation but I am coming to the concousion that this is a weekend project. TIA for more ideas.

Sue

 

[trusted]

It sounds like the server(s) that your shared resources are stored on is/are a memeber of your workgroup. Is that correct? If that is the case then all that needs to be done is that the server needs to be joined to the domain and the shares then need to be recreated.

You could test this by joining an additional workstation to the domain and then creating a file share on it, with permissions to allow a domain user account to access it. Then log on as that domain user, map a drive to the share and then try to access it. If you can access it then the aboved mention solution would work.

You can create any combination of domains and workgroups. Remember the main difference between the two is the domain provide you with centralized administration where workgroups provide decentralized administration. Workgroup should only be considered in situation where there are 20 users or less and even then they are combersome to manage at best.

Users who are members of a workgroup cannot access resources on a domain and visa versa, because their SIDs (security IDs) are different. For example a administrator of a workgroup would be considered a local administrator and the SID would reflect this and be store locally on the server, where an administrator's SID on a domain would be centrally stored in Active Directory on the domain controller.

 

[SUSANVV]

Thanks for all of your help. I am going to try your idea of sharing on a second workstation. I feel the same way about workgroups. AD is a much better solution. I will keep you posted on my progress. When I rejoin the server to the domain I will do it on a Friday night so that I have the weekend if something goes horribly wrong. I don't think the guy who setup the workgroup did it on purpose. I think he messed with something in the domain and then couldn't get it to work so he found instructions on the workgroup and managed to get that to work. So I am expecting something else to be wrong. Everything that I have checked so far though looks OK. I can log onto the domain, create accounts, join a computer to the domain, etc. It will be a bit before I do this but I will let you know. Thanks again.

Sue

 

[SUSANVV]

I have a few more questions. Everyone is logging on to both the workgroup and the domain. The server appears to be the domain controller as the option to change the name of the server is greyed out. I removed a workstation from the workgroup and then joined it to the domain and added a new user. The user cannot access any resources on the domain. I even added the user in the Security tab for the shared folder on the network-still no access. Other than through System, Network ID I do not know how I could change anthing and that option is greyed out. Everyone is logging on twice, once to to the workgroup? and definately once onto the domain as an administrator. My first goal is to stop the two loggons and to change how everyone is logging on as administrator-they are not logging on as AN administrator, they are logging on as THE administrator! And why is the Workgroup and the Domain listed in Windows Explorer on the same level and any idea of how that was done. If I can figure out how that was done, I may be able to undo it. TIA for any suggestions.

Sue

 

[SUSANVV]

This is kind of a resubmission of the above problem, hoping for more ideas. What I do not understand is why I can add a user to AD, give them rights directly to network resources, give authenticated users rights and still have the user not be able to access the database on the server that the administrators can access. The created user is logging onto the network but cannot see anything or go anywhere. I figure I am missing something simple. Any help or ideas where to look is appreciated. I am being cautious as this company'sentire business depends upon the server and the Internet. For the moment they are able to work, but they should not have to log on as THE administrator.
TIA for anything.

Sue

 

[Seaspray0]

There are two sets of permissions you must deal with: NTFS permissions and share permissons. Make sure you check both.

In a domain environment, make sure the PC's are joined to the domain, and make sure the users are logging into the domain (when you log onto the PC, the 3rd line should be the name of your domain). If they are logging into the local PC, they will not get permissions to domain shared resources.

Start, Help. You'll be surprised what's there. A+/MCP/MCSE/MCDBA

 

[SUSANVV]

I would not be surprised. Checked all of the above. Did this with one user. If I log on as administrator and then the administrator password, I have access to the domain and the programs and files on the domain. If I join a computer to the domain, I see it in AD. If I add a user to the AD I can logon and yes the third line has the domain name. I have given that user explicit rights both NTFS and Shared and still nothing. When you try to access the domain server and data from a workstation that logs on with active directory, the message is "the server is not accessable. the list of servers for this workgroup is not currently available. When you look at the Entire Network you see both the domain name and the workgroup at equal levels (the workgroup is not part of the domain). Everything SHOULD have worked. But the person who originally set this up had no idea of what he was doing and they are the wort type to try to undo what they have done as it is not logical. There are also doubles and triplicates of files and folders that all seem to update. Please keep the ideas coming.

Sue
A+/MCP/MCSE/MDCST