Demote online W2K8R2 DC-GC with DNS role | Best practices

    Question

  • How do I properly demote a DC with the DNS server role while it is still running (still online)?
    The reason for this is that the DC was disconnected from the WAN for over 180 days, so SYSVOL and NETLOGON are not replicating.

    Please note I do not want to delete the computer account, as I will make this server a DC and DNS server again and leave it running as a DC/GC/DNS server (is this possible?)
    These are my steps so far:
    - Run DCPROMO on that DC (W2K8 R2)
    From a good DC: 
    - Clean up metadata: ADSS > find the site > find the server > browse to NTDS Settings and delete > go back to the server and delete it.
    - DNS > Domain > Zone: domain.com > Forward Lookup Zones > find the domain name folder > _msdcs > _sites > SiteName > _tcp > delete all entries
    - DNS > Domain > Zone: domain.com > Forward Lookup Zones > find the domain name folder > _msdcs > _tcp > delete the _kerberos and _ldap entries for the demoted DC
    - DNS > Domain > Zone: domain.com > Forward Lookup Zones > find the domain name folder > DomainDnsZones > _sites > find the SiteName > _tcp > delete the _ldap SRV entries for the demoted DC
    - DNS > Domain > Zone: domain.com > Forward Lookup Zones > find the domain name folder > DomainDnsZones > _sites > _tcp > delete the _ldap SRV entries for the demoted DC

    Is that correct and enough?


    So my understanding is that the DC, when demoted, becomes a member server and should show up in AD > Computers (or whatever OU). Is this correct?

    How can I perform a backup before demoting?

    How should the DNS role be reinstalled?

    This box is also holding a DHCP scope, but I guess this won't change after the DCPROMO?

    Thank you so much for your time.

    M


    Maelito


    • Edited by Maelito Monday, February 20, 2017 3:39 PM
    Monday, February 20, 2017 3:39 PM
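The manual DNS walk and the NTDS Settings deletion listed in the question, scripted as an added example (this is not code from the thread or from Microsoft). It is meant to be run on a healthy writable DC, or on a management host with the DnsServer and ActiveDirectory RSAT modules; the DnsServer cmdlets ship with the Windows Server 2012 / Windows 8 RSAT, not with 2008 R2 itself, so that is an assumption. The hostnames dc02, domain.com and SiteName are placeholders. Walking the whole zone for every SRV, NS and CNAME record whose target is the old DC catches the per-site _sites\<Site>\_tcp folders and the DSA-GUID CNAME in _msdcs without naming each folder, and nothing is deleted unless -Commit is given.

```powershell
# Added example, not code from the thread. Run on a healthy writable DC (or a host
# with the DnsServer + ActiveDirectory RSAT modules; DnsServer cmdlets are 2012/Win8
# RSAT, not native 2008 R2 - assumption). All names below are placeholders.
param(
    [string]$DeadDc = 'dc02',          # hostname of the DC being removed (assumed)
    [string]$Domain = 'domain.com',    # AD DNS domain, as in the post
    [string]$Site   = 'SiteName',      # AD site the DC belonged to (placeholder)
    [switch]$Commit                    # without -Commit nothing is deleted (report only)
)
Import-Module DnsServer, ActiveDirectory -ErrorAction Stop

$deadFqdn = "$DeadDc.$Domain"
$goodDc   = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
$cfgNc    = (Get-ADRootDSE -Server $goodDc).configurationNamingContext
$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,$cfgNc"

# 1. The two zones the post walks by hand. Only AD-integrated zones matter here:
#    their records (and these deletions) replicate to every DNS-hosting DC, which is
#    also why nothing has to be restored when the DNS role is reinstalled later.
#    In older upgraded domains _msdcs is a folder inside the domain zone rather
#    than its own zone; the filters below work either way.
$zones = Get-DnsServerZone -ComputerName $goodDc |
    Where-Object { $_.ZoneName -in @($Domain, "_msdcs.$Domain") }
foreach ($z in $zones) {
    if (-not $z.IsDsIntegrated) {
        throw "Zone $($z.ZoneName) is file-backed, not AD-integrated; clean it on every DNS server by hand."
    }
}

# 2. Every SRV (_ldap, _kerberos, _gc, _kpasswd, per-site folders included), NS and
#    CNAME (the <DSA GUID>._msdcs alias) record whose target is the dead DC.
$stale = foreach ($z in $zones) {
    Get-DnsServerResourceRecord -ComputerName $goodDc -ZoneName $z.ZoneName -RRType SRV |
        Where-Object { $_.RecordData.DomainName.TrimEnd('.') -ieq $deadFqdn } |
        ForEach-Object { [pscustomobject]@{ Zone = $z.ZoneName; Record = $_ } }
    Get-DnsServerResourceRecord -ComputerName $goodDc -ZoneName $z.ZoneName -RRType NS |
        Where-Object { $_.RecordData.NameServer.TrimEnd('.') -ieq $deadFqdn } |
        ForEach-Object { [pscustomobject]@{ Zone = $z.ZoneName; Record = $_ } }
    Get-DnsServerResourceRecord -ComputerName $goodDc -ZoneName $z.ZoneName -RRType CName |
        Where-Object { $_.RecordData.HostNameAlias.TrimEnd('.') -ieq $deadFqdn } |
        ForEach-Object { [pscustomobject]@{ Zone = $z.ZoneName; Record = $_ } }
}
"$(@($stale).Count) stale record(s) pointing at ${deadFqdn}:"
$stale | ForEach-Object { "  [{0}] {1} {2}" -f $_.Zone, $_.Record.RecordType, $_.Record.HostName }

# 3. Delete them on the good DC; AD replication carries the deletions to the rest.
foreach ($s in $stale) {
    Remove-DnsServerResourceRecord -ComputerName $goodDc -ZoneName $s.Zone `
        -InputObject $s.Record -Force -WhatIf:(-not $Commit)
}

# 4. Metadata cleanup: the "remove selected server" step from the TechNet article
#    the thread links (cc816907), driven from the command line instead of the
#    ntdsutil prompt. Skipped if the server object is already gone.
$serverObj = try { Get-ADObject -Identity $serverDn -Server $goodDc } catch { $null }
if ($serverObj) {
    if ($Commit) {
        & ntdsutil.exe "metadata cleanup" "remove selected server $serverDn" quit quit
    } else {
        "Would run: ntdsutil `"metadata cleanup`" `"remove selected server $serverDn`" q q"
    }
} else {
    "Server object $serverDn not found; metadata already cleaned."
}

# 5. Answer the "does it show up as a member server" question from the directory:
#    a DC's computer account carries SERVER_TRUST_ACCOUNT (0x2000) in
#    userAccountControl, a member server WORKSTATION_TRUST_ACCOUNT (0x1000).
$acct = try { Get-ADComputer -Identity $DeadDc -Server $goodDc -Properties userAccountControl } catch { $null }
if ($acct) {
    $uac = $acct.userAccountControl
    $kind = if ($uac -band 0x2000) { 'still flagged as a DC' } else { 'a member server account' }
    "Computer account $($acct.DistinguishedName): userAccountControl=0x$('{0:X}' -f $uac) ($kind)"
} else {
    "No computer account named $DeadDc remains in AD."
}
```

Run it once without -Commit to see the records and the ntdsutil command it would issue, then with -Commit. Step 5 is a read-only check; what it reports after the cleanup is what the directory actually holds, which is the answer to whether the old machine is now "just a computer".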

All replies

  • Hi

    180 days as such sysvol and netlogon are not replicating. >> So this DC has a tombstone lifetime issue; you should forcefully demote the DC with "dcpromo /forceremoval" and then do a metadata cleanup.

    So my understanding is that the DC when demoted becomes a member server and should show up in AD > Computers (whatever OU) is this correct? >>> As mentioned, your DC becomes unavailable after metadata cleanup; there should not be any related records in AD, DNS, etc. about this DC. But I always prefer a clean OS installation on DCs. So you should perform a clean OS installation, then promote it as a domain controller again, even with the same hostname and IP address.

    This box is also holding DHCP Scope but I guess this wont change after the DCPromo? >>> Before the demotion process, back up DHCP, then restore it on a healthy DC.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Marked as answer by Maelito Thursday, February 23, 2017 11:18 AM
    Monday, February 20, 2017 3:59 PM
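The three points in the answer above (tombstone lifetime, DHCP backup, forced removal) as one pre-demotion runbook, added here as an example that is not code from the thread or from Microsoft. It is meant to be run on the stale DC itself from an elevated prompt and only reports unless the switches are given; dc01.domain.com and the export path are placeholders. It reads the forest configuration from the healthy DC rather than the stale one, compares the oldest successful inbound replication (from repadmin's CSV output, which exists on 2008 R2 where the Get-ADReplication* cmdlets do not) against the forest's tombstone lifetime, and warns if the stale DC still holds any FSMO role, since those must be seized on a healthy DC before its metadata is removed.

```powershell
# Added example, not code from the thread. Run on the stale DC (the box with the
# DHCP scope) from an elevated prompt. Hostnames and paths are placeholders.
param(
    [string]$GoodDc     = 'dc01.domain.com',         # healthy DC to read config from (assumed)
    [string]$DhcpBackup = 'C:\Temp\dhcp-export.txt', # must not exist yet; netsh refuses to overwrite
    [switch]$ExportDhcp,
    [switch]$ForceRemove
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Forest tombstone lifetime (TSL). If the attribute is absent the forest uses the
#    old 60-day default; forests created on 2003 SP1 or later set it to 180.
$cfgNc = (Get-ADRootDSE -Server $GoodDc).configurationNamingContext
$ds    = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc" `
             -Server $GoodDc -Properties tombstoneLifetime
$tsl   = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
"Forest tombstone lifetime: $tsl days"

# 2. Oldest successful inbound replication into this DC, over every partition and
#    partner. "(never)" rows are dropped before the cast.
$rows  = repadmin /showrepl $env:COMPUTERNAME /csv | ConvertFrom-Csv
$worst = $rows |
    ForEach-Object { $_.'Last Success Time' -as [datetime] } |
    Where-Object { $_ } | Sort-Object | Select-Object -First 1
if ($worst) {
    $age = (Get-Date) - $worst
    "Oldest successful inbound replication: $worst ($([int]$age.TotalDays) days ago)"
    if ($age.TotalDays -gt $tsl) {
        Write-Warning ("Older than the TSL: this DC may hold lingering objects. " +
            "Do not try to repair replication; force-remove it and clean its metadata from $GoodDc.")
    }
} else {
    Write-Warning 'repadmin reported no successful inbound replication at all.'
}

# 3. FSMO roles as the healthy DC sees them. Any role still on this box has to be
#    seized on $GoodDc (ntdsutil roles) before its metadata is cleaned up.
$forest = Get-ADForest -Server $GoodDc
$domain = Get-ADDomain -Server $GoodDc
$roles  = @{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator  = $domain.PDCEmulator;  RIDMaster = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$mine = $roles.GetEnumerator() | Where-Object { $_.Value -like "$env:COMPUTERNAME.*" } |
    ForEach-Object { $_.Key }
if ($mine) { Write-Warning "This DC still holds FSMO role(s): $($mine -join ', ')" }

# 4. DHCP: export every scope, option and lease to a file that
#    'netsh dhcp server import <file> all' replays on the server taking the role.
if ($ExportDhcp) {
    netsh dhcp server export $DhcpBackup all
    if (Test-Path $DhcpBackup) {
        "DHCP exported to $DhcpBackup. On the new server: netsh dhcp server import $DhcpBackup all"
    } else {
        Write-Warning 'DHCP export file was not written; check the netsh output above.'
    }
}

# 5. Forced demotion, the step the answer recommends. It is an interactive wizard;
#    only start it once the checks above are clean and the DHCP export is safe.
if ($ForceRemove) {
    dcpromo /forceremoval
} else {
    "Next step when ready: dcpromo /forceremoval (then metadata cleanup on $GoodDc)"
}
```

The TSL comparison is the reason the answer says to force-remove rather than repair: a DC that has not replicated inbound for longer than the tombstone lifetime can hold objects the rest of the forest has already deleted and garbage-collected, and re-enabling replication would reintroduce them.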
  • Hi Burak,

    Thanks for you quick reply.

    I cannot afford an OS reinstall because the server is in a remote location.

    Can you advise on how to back up the DNS settings, or is this not required since other DCs are running DNS with no problems?

    I will indeed back up the DHCP settings as a precaution.

    How about metadata cleanup? Do my steps cover everything required?

    Thanks,

    M


    Maelito

    • Marked as answer by Maelito Thursday, February 23, 2017 11:17 AM
    Monday, February 20, 2017 5:03 PM
  • Can you advise on how to backup DNS settings or is this nor required since other DC's are running DNS with no problems? >>>> You don't need to back up DNS; when you promote the DC with DNS (AD-integrated), it will sync DNS from the other DCs.

    Do my steps cover them all required? >>> Seems OK; also, for metadata cleanup, check this article for details:

    https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx?f=255&mspperror=-2147217396


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, February 20, 2017 5:11 PM
  • Just realized... this server is also a file server hosting users' shared folders.

    This means that once I remove the server from the domain, the NTFS permissions will be gone from the folders.

    Actually, do I need to remove it from the domain?

    Would removing the metadata (as above) actually remove the server from the domain?

    How can I get around this?

    M


    Maelito


    • Edited by Maelito Wednesday, February 22, 2017 10:56 AM
    Wednesday, February 22, 2017 10:46 AM
  • Hi

     You should not configure any roles, services or features on a Domain Controller except DS, DNS and GC. So you can migrate the file shares to another member server with Robocopy (including the NTFS permissions).

    Robocopy: https://technet.microsoft.com/tr-tr/library/cc733145(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur


    Wednesday, February 22, 2017 11:45 AM
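The Robocopy migration suggested above, as an added example (not code from the thread or from Microsoft). NTFS ACEs are stored as SIDs, so as long as the new server is a member of the same domain the copied permissions keep resolving; what Robocopy cannot carry is the share definitions and share-level ACLs, which live in the old server's registry, so the script records those first. It is meant to run on the old DC/file server as an administrator; D:\Shares, fs01 and the log path are placeholders, and the share ACL export uses WMI because the SmbShare cmdlets do not exist on 2008 R2. Without -Cutover it is a repeatable pre-seed; the final pass with -Cutover mirrors deletions too.

```powershell
# Added example, not code from the thread. Run on the old DC/file server as admin.
# Paths and hostnames are placeholders; the target must be a member of the same
# domain so the SIDs inside the copied ACLs still resolve.
param(
    [string]$Source      = 'D:\Shares',            # root holding the user shares (assumed)
    [string]$Target      = '\\fs01\D$\Shares',     # same layout on the new member server (assumed)
    [string]$TargetLocal = 'D:\Shares',            # that path as seen locally on fs01 (assumed)
    [string]$Log         = 'C:\Temp\share-migration.log',
    [switch]$Cutover                               # final pass: mirror deletions as well
)

# 1. Record share definitions and share-level ACLs as 'net share' commands to run on
#    the new server. Share permissions are separate from NTFS and do not copy with
#    the files. Mask values are the standard share permission levels.
$permNames = @{ 0x1F01FF = 'FULL'; 0x1301BF = 'CHANGE'; 0x1200A9 = 'READ' }
$shares = Get-WmiObject Win32_Share -Filter 'Type=0' | Where-Object { $_.Path -like "$Source*" }
$recreate = foreach ($s in $shares) {
    $sd = (Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($s.Name)'").
              GetSecurityDescriptor().Descriptor
    $grants = foreach ($ace in $sd.DACL) {
        if ($ace.AceType -ne 0) {          # deny ACE: 'net share /GRANT' cannot express it
            Write-Warning "Share $($s.Name): deny entry for $($ace.Trustee.Name) must be set by hand"
            continue
        }
        $who  = if ($ace.Trustee.Domain) { "$($ace.Trustee.Domain)\$($ace.Trustee.Name)" } else { $ace.Trustee.Name }
        $perm = $permNames[[int]$ace.AccessMask]
        if (-not $perm) { $perm = '0x{0:X}' -f $ace.AccessMask }
        '/GRANT:"{0},{1}"' -f $who, $perm
    }
    $newPath = $s.Path -replace [regex]::Escape($Source), $TargetLocal
    'net share {0}="{1}" {2}' -f $s.Name, $newPath, ($grants -join ' ')
}
$recreate | Set-Content "$Source-shares.cmd"      # replay this on fs01 after the copy
$recreate

# 2. Copy with NTFS security. /COPYALL = data, attributes, timestamps, DACL, owner
#    and SACL (audit entries); /B reads in backup mode so folders that lock the
#    admin out still copy; /XJ keeps junction points from looping. /E for the
#    pre-seed runs, /MIR for the cutover so deletions on the source are mirrored.
$mode = if ($Cutover) { '/MIR' } else { '/E' }
robocopy $Source $Target $mode /COPYALL /DCOPY:T /B /XJ /R:2 /W:5 /MT:8 /NP /TEE /LOG+:$Log
$rc = $LASTEXITCODE          # robocopy: 0-7 success or partial, 8 and above = failures
if ($rc -ge 8) { Write-Warning "robocopy exit code $rc; see $Log" }

# 3. Verify the security descriptors really match on every top-level share folder.
#    Get-Acl's SDDL covers owner, group and DACL; identical strings on both sides
#    mean the ACLs arrived intact (SACLs need Get-Acl -Audit and SeSecurityPrivilege).
$folders  = Get-ChildItem $Source | Where-Object { $_.PSIsContainer }
$mismatch = foreach ($d in $folders) {
    $src = (Get-Acl -Path $d.FullName).Sddl
    $dst = (Get-Acl -Path (Join-Path $Target $d.Name)).Sddl
    if ($src -ne $dst) { $d.Name }
}
if ($mismatch) { Write-Warning "ACL differs on: $($mismatch -join ', ')" }
else           { "NTFS ACLs verified on $(@($folders).Count) top-level folders" }
```

Run the pre-seed while users are still working, then repeat with -Cutover after the shares are taken offline so the last delta and any deletions are mirrored; replay the generated .cmd on the new server to bring the shares back under the same names.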
  • Hi Maelito,

    Just checking whether the reply above was of help. If so, you may mark the useful reply as the answer; if you have other questions, you are welcome to post them.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, February 23, 2017 2:15 AM
    Moderator
  • Thank you so much for your reply.

    Very much appreciated.

    M.


    Maelito

    Thursday, February 23, 2017 11:18 AM