What to check before demoting your DC?
The most important things to look out for are the following components that are either running or registered against the system:
- Global Catalog
- FSMO Roles
- Bridgehead server
- General server checks
- You have enterprise admin credentials
Global Catalog
If you remove the last remaining Global Catalog server from a domain,
you will experience logon issues across the domain along with other
functions like searches and lookups.
If you remove the last Global Catalog server from a site,
users/machines will have to contact a Global Catalog server from a
different site. This may not cause problems with small branch offices,
however large sites may suffer with the additional overhead in traffic.
To check which domain controllers in your domain are functioning as Global Catalog servers, type the following command:
    dsquery server -domain #DomainName# | dsget server -isgc -dnsname
Note: replace #DomainName# with the domain of the DC that you are demoting. The output should look similar to this:
If you have Global Catalog servers other than the DC that you are
preparing to demote, then you have nothing else to do, as the DCPROMO
steps will remove it automatically. If you don't have any others, follow
MS article 296882 to make another DC a GC.
Resources:
FSMO roles
Flexible Single Master Operation roles (FSMO) are a feature of
Microsoft’s Active Directory and you need to make sure they are not
present on the server you are demoting.
To check that the current server is not an FSMO role holder, simply run the following command:
The output should look similar to this:
If none of the server names is the one you are demoting, then you
have nothing else to do. If one of them is, follow the MS KB Article
324801 noted below.
Resources:
Bridgehead Server
As Microsoft has described it, 'A bridgehead server is a domain
controller that has been either administratively assigned or
automatically chosen to replicate changes collected from other domain
controllers in the site to bridgehead servers in other sites.' If you
have multiple sites, you want to make sure the server you are demoting
is not a bridgehead server. To check whether this server is one, run the
following command on the console of the server that is being demoted:
The output should list all the bridgeheads that are configured on that
server. If it looks like the screenshot below, then you don't have any
configured; otherwise you will need to reconfigure this before
proceeding.
To do a whole check on the site, simply extend the command to
    repadmin /bridgeheads site:#sitename#
where #sitename# is the name of the Active Directory site. The output for that looks like this:
Resources:
General Server Checks
There are some general server checks that you should run on your
servers/domain to make sure it is healthy before running a DCPromo.
There are a couple of reports that give you plenty of info, and they are
quite easy to read. Search for the term 'error' or 'fail' in the dcdiag
and netdiag reports to locate the problem areas, but I do recommend
reading through the entire logs to familiarise yourself.
DCDiag (part of WS03 SP1 Support tools) displays information about Domain Controllers.
    dcdiag.exe /V /C /D /E /s:#DomainControllerName# > c:\dcdiag.log
NetDiag provides information about specific network configuration for the local machine.
    netdiag.exe /v > c:\netdiag.log
RepAdmin helps diagnose AD replication issues with WS03 and WS08 DCs.
    repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.
    dnslint /ad /s #IPAddressOfServer#
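The search for 'error' or 'fail' described above, as an added PowerShell example that is not part of the original post: it reads the per-test verdict lines in a dcdiag report and lists only the failed tests, together with the 'error'/'fail' lines logged under each. The sample log is constructed, Get-DcdiagSummary is a hypothetical helper name, and the script assumes verdict lines of the form "......... NAME passed|failed test TestName".

```powershell
# Constructed sample in the layout of a dcdiag report; not real output.
$sampleLog = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Connectivity
         ......................... DC01 passed test Connectivity
      Starting test: Replications
         [Replications Check,DC01] A recent replication attempt failed:
            From DC02 to DC01
         ......................... DC01 failed test Replications
      Starting test: Services
         ......................... DC01 passed test Services
   Testing server: Default-First-Site-Name\DC02
      Starting test: Connectivity
         ......................... DC02 passed test Connectivity
      Starting test: Advertising
         Fatal Error: locator call for DC02 failed, error 1355
         ......................... DC02 failed test Advertising
'@ -split "`r?`n"

function Get-DcdiagSummary {
    param([string[]]$Lines)
    # Verdict line: a run of dots, the target name, passed/failed, the test name.
    $verdict = '^\s*\.{5,}\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
    $detail = @()
    foreach ($line in $Lines) {
        # A new test starts: forget detail lines collected for the previous one.
        if ($line -match '^\s*Starting test:') { $detail = @(); continue }
        if ($line -match $verdict) {
            New-Object PSObject -Property @{
                Target = $Matches['target']
                Test   = $Matches['test']
                Passed = ($Matches['result'] -eq 'passed')
                Detail = ($detail -join ' | ')
            }
            $detail = @()
        }
        # Keep the lines a manual search for 'error' or 'fail' would have hit.
        elseif ($line -match 'error|fail') { $detail += $line.Trim() }
    }
}

# List only the failed tests, with the lines that explain them.
$failed = @(Get-DcdiagSummary -Lines $sampleLog | Where-Object { -not $_.Passed })
$failed | Select-Object Target, Test, Detail | Format-Table -AutoSize -Wrap

# Against the real report: Get-DcdiagSummary -Lines (Get-Content c:\dcdiag.log)
```

A failed test on any DC, not only the one being demoted, is worth resolving first, since the demotion relies on replication to the remaining DCs.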
Resources
Admin Credentials
There are two types of Administrator Credentials you may need to use:
If you need to move all FSMO roles, the logged-on user should be a
member of the Enterprise Administrators group. This is required to
transfer the Schema master or Domain naming master roles. The rest of
the operations can be done with a user who is a member of the Domain
Administrators group.
How to decommission a Windows Server 2003/2008
The procedure involved is fairly straightforward, so I will only
document the steps. For more details and screenshots of the steps, refer
to the resources below.
To demote a domain controller
- On a domain controller, click Start, and then click Run.
- In Open (or Run), type dcpromo to open the Active Directory Installation Wizard, and then click Next.
- On the Remove Active Directory page, click Next, and then continue to follow the wizard.
Resources
Having Problems?
So you may have tried the above steps and they didn't work? Or maybe
your server crashed and you don't want to try recovering it? There are a
number of reasons why you may end up in this scenario. Although not
favorable, it's not all doom and gloom. Below are some resources to get
you out of a pickle.