Demoting a PDC to a BDC

[Editor's Note: Do you have something to share with other readers who visit Windows NT Magazine online? We want to know about it. Write for Reader to Reader online, and you can tell others about your NT discoveries, comments, problems, solutions, and experiences. Email your contributions (300 to 700 words) to [email protected] along with your name and phone number. We edit submissions for style, grammar, and length. If we print your submission, you'll get $100.]

I recently started supporting Windows NT for my company. My first task turned out to be an interesting issue. I arrived at one of our offices that had an NT server (PDC) and about 40 workstations. My plan was to replace the existing PDC with a new NT server that I'd configured as a PDC. I concluded that the best way to make the replacement was to add the new server to the network as a BDC and synchronize the accounts and scripts to make the job easier. The only problem I had to address was deciding what to do with the SID (security identifier) issue. I couldn't just change the domain of the new server and add it to the new domain as a BDC. Fortunately, I was carrying a copy of System Internals' NewSID software, which can synchronize your system with a domain controller and change the computer's SID to match the ID of any connected domain controller. When I was certain that my NewSID idea would work, I tried to synchronize the new PDC with the old one. After several failed attempts, I figured out (i.e., I read the manual) that I needed a BDC to synchronize with the old PDC. Now I was facing a new problem: How could I demote the new standalone PDC when I didn't have a BDC? I assumed that a small Registry change must be responsible for demoting a PDC to a BDC, so after I researched this subject on the Web, I discovered that such a setting does exist (for more information on this setting, go to http://129.13.170.200/ mirror/www.nthelp.com/pdc2bdc.htm).

Microsoft doesn't support this change, so I suggest that you back up your Registry before you attempt this Registry edit. Using a Registry editor, go to HKEY_LOCAL_MACHINESECURITYPolicy and change the PolSrvRo setting from 3 to 2. (To make this change, you'll have to change the security access on the SECURITY key.) When you reboot the server, NT will demote it to a BDC.

Although I've tested this change on my small environment and it worked great, your results may vary. Try this procedure at your own risk (neither I nor Windows NT Magazine will be liable for any lost or corrupt data resulting from this procedure). In any case, this Registry edit can be an easy solution (unfortunately, I didn't know that when I switched out my PDCs, and I had to reinstall the domain controller as a BDC so that I could add it to the domain).

—Dori Fisher
[email protected]