How to successfully demote a Domain Controller

How do you successfully demote a Domain Controller? A question most people would answer with “Run dcpromo.exe and you’re done!” on first thought. Sure, the technical process is as easy as that - but the things that come with a DC demotion often aren’t as clear-cut as the actual demotion through the executable. There is more to look at.

My friends from the geek network Mike (http://adisfun.blogspot.com/), Rich (http://cbfive.com/blog/), Eric (still with no blog, but sure to post on Rich’s!) and I have decided to tackle this topic and create a blog series across all our blogs. Over the coming weeks, we’ll try to cover as many aspects and tidbits of DC demotion as we can, so that you can successfully perform your demotions.

The blog series will cover the following topics (some subjects may change or be added):

  • Domain Controller Scope
    • Demoting the Domain’s First Domain Controller
    • Demoting Domain Controllers Doubling as a Certificate Authority
    • Rolling Back Network and Registry Configuration After Demoting a DC
  • Directory Service Scope
    • Demoting a FSMO Role Owner
    • Demoting a Global Catalog
    • Cleaning Up Replication Topology after DC Demotion
  • Applications
    • Are There Applications That Rely on My DC?
    • Identifying Hard-Coded Applications
    • Adjusting VPN and RRAS for DC Demotion
  • Infrastructure
    • Closing Holes in the Firewall
  • Method
    • Forcing a DC Out of the Domain
    • Demoting an RODC
  • Timing
    • When’s the Right Time to Demote My DC?
  • DNS
    • DNS Cleanup from DC Demotion
    • Updating Clients for DC Demotion
    • A Second Secondary
  • General
    • Domain Controller Demotion Checklist

We highly recommend you subscribe to the RSS and ATOM feeds of our blogs so that you don’t miss a piece of this series!

2 Comments so far

  1. Ahsan on October 4th, 2012

    Hi

    I am planning to demote and decommission a Windows 2003 domain controller. I found this article (http://www.frickelsoft.net/blog/?p=271) that you were going to publish on that.

    But I could not find that on Google. Can you please let me know if you finally published it? If so, can you please email me the link?

    Thanking you in anticipation
    Ahsan

  2. florian on October 12th, 2012

    Hey Ahsan,

    Yeah, that fell asleep and never woke up. I’ll have to ping the guys again, but since we’re all full-time employed by IT organizations, there’s easily a gap between what you commit to do and when you find time to do it. I am sure you know what I mean.

    I’ll get back to my fellows and see if we can revive the idea.

    I’ll either update this blog post or yank it, if we find there’s no use in writing the series.

    What you can do though is take the above list and use it as a checklist for your demotion. Like “Is it an RODC? Is it a GC? Do RRAS and VPN endpoints use that DC as a primary/the only directory endpoint?”

    Thanks,
    Florian
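As an added example that is not part of the original post or the planned series, the read-only PowerShell inventory below turns the topic list above into a pre-demotion check for one DC: FSMO roles, Global Catalog, RODC status, co-hosted CA, DNS, RRAS/VPN roles and the DC’s own SRV records. It assumes the ActiveDirectory and ServerManager modules (RSAT on Windows Server 2012 or later) and a caller with rights to query AD and the target server; the `$DcName` parameter and the `$findings` layout are my own choices.

```powershell
# Added example: pre-demotion inventory for a single Domain Controller.
# Nothing here changes AD; it only reports what the checklist items ask about.
param([string]$DcName = $env:COMPUTERNAME)   # assumption: name of the DC to be demoted

Import-Module ActiveDirectory
$dc       = Get-ADDomainController -Identity $DcName
$domain   = Get-ADDomain -Identity $dc.Domain
$allDCs   = Get-ADDomainController -Filter *
$findings = @()

# Directory Service scope: FSMO role owner?
if ($dc.OperationMasterRoles.Count -gt 0) {
    $findings += "Holds FSMO role(s): $($dc.OperationMasterRoles -join ', ') - transfer them before demoting"
}

# Directory Service scope: Global Catalog? Make sure another GC remains.
if ($dc.IsGlobalCatalog) {
    $otherGCs = @($allDCs | Where-Object { $_.IsGlobalCatalog -and $_.HostName -ne $dc.HostName }).Count
    if ($otherGCs -eq 0) { $findings += "Is the only Global Catalog - promote another GC first" }
    else                 { $findings += "Is a Global Catalog; $otherGCs other GC(s) remain" }
}

# Method: RODC or writable DC?
if ($dc.IsReadOnly) { $findings += "Is an RODC - review its Password Replication Policy before removal" }

# Domain Controller scope / Applications: roles co-hosted on the DC (CA, DNS, RRAS/VPN)
$installed = (Get-WindowsFeature -ComputerName $dc.HostName | Where-Object Installed).Name
if ($installed -contains 'ADCS-Cert-Authority') { $findings += "Also a Certificate Authority - migrate or decommission the CA first" }
if ($installed -contains 'DNS')                 { $findings += "Also a DNS server - update clients and forwarders that point here" }
if ($installed -contains 'Routing' -or $installed -contains 'DirectAccess-VPN') {
    $findings += "Hosts RRAS/VPN - check whether those endpoints use this DC as their directory endpoint"
}

# DNS: SRV records that still advertise this DC must disappear after demotion
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.NameTarget -like "$($dc.HostName)*" }
if ($srv) { $findings += "Advertised by $(@($srv).Count) LDAP SRV record(s) in $($domain.DNSRoot) - verify DNS cleanup afterwards" }

if ($findings.Count -eq 0) { Write-Output "[$DcName] No blocking items found in this inventory" }
else { $findings | ForEach-Object { Write-Output "[$DcName] $_" } }
```

Run it once before the demotion and again afterwards; any SRV or role line that survives the second run is cleanup still owed.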