Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

FSMO Question about removing Child Domain in Server 2003 forest

Posted on 2007-08-08
12
Medium Priority
?
298 Views
Last Modified: 2013-11-05
I am planning to demote a child domain - which consists of two DCs - DC1 and DC2.  I've been reading up on how to go about this and I'm a little confused on a couple of things.  First - which order should I demote the DCs?  DC1 is the RID, PDC, and GC.  DC2 is the Infrastructure Master.  Should I transfer ALL roles to DC1 before running DCPROMO?  Or do I just run DCPROMO on the IM first and then run DCPROMO on the last server which is RID, PDC, and GC?  Also, I've read conflicting accounts of who I should be logged in as while demoting the child domain.  Should I be logged in as domain admin for the child or the parent (root)?
0
Comment
Question by:erndog5800
  • 5
  • 4
  • 3
12 Comments
 
LVL 5

Expert Comment

by:RightNL
ID: 19654549
if possible do this as an Enterprise admin thus being administrator of both the child and the parent domain.

I would first move all the roles to one box and demote the other.. this makes it much easier to remove the child domain since it's only one box.

than demote it if you want you can do a forrest clean up later.. if needs be.

0
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 19654753
What do you mean by "demoting" your child domain? Are you going to get rid of it completely? IF you are going to get rid of it then it doesn't matter which order your perform the demote.

You need to logon as the Enterprise Admin to perform to demotion.
0
 
LVL 5

Expert Comment

by:RightNL
ID: 19654773
if you want to do it clean I would demote the dc to get rid of it.. that's what I mean with demotion.. dcpromo and choose the option demote
0
NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

 

Author Comment

by:erndog5800
ID: 19654932
Just to clarify -I want to completely remove the child domain.  So not neccessarily 'demoting' the domain, but 'removing it.  I thought having the GC on the same box as the Infrastructure was bad - does it not matter seeing as it will just be for the purpose of removing the domain? So - if this is kosher, I would transfer Infrastructure from DC2 to DC1, then DCPROMO on DC2.  Then DCPROMO on DC1?  All of this while logged in as the enterprise admin?  Meaning when I login as domain admin the 'log on to' domain will be the parent (root) domain and not the child domain.  Correct?

Sorry for the extra questions, I just want to ensure minimal ambiguity.
0
 

Author Comment

by:erndog5800
ID: 19654965
Ah, I just re-read ormerodrutter's post.  See what I mean about ambiguity?  Should I just demote away without transfering roles or consolidate on one server first?  
0
 
LVL 5

Expert Comment

by:RightNL
ID: 19655001
you can do it either way if you do it straight be sure to dcpromo box 2 first..

but to be on the safe side just bring the domain back to one machine.. and than kill that one box to make sure everything is gone and gone propperly..
0
 
LVL 5

Accepted Solution

by:
RightNL earned 1000 total points
ID: 19655032
that way will effectively do almost the same .. you only have the fsmo box last.. I always like to demolishion work neatly ... you don't start taking away walls and the foundation before taking away the roof do ya ???
0
 
LVL 23

Assisted Solution

by:ormerodrutter
ormerodrutter earned 1000 total points
ID: 19655418
erndog5800,

Have a look at this link. Although its not necessary, it suggests to move all roles to one box and demote that last. But the main thing is to make sure your Child domain is removed from your parent domain.
http://searchwinit.techtarget.com/ateQuestionNResponse/0,289625,sid1_cid589040_tax285115,00.html?track=NL-118&ad=483181

You can put your Domain Admin into Enterprise Admin group to perform the task.


0
 

Author Comment

by:erndog5800
ID: 19655897
OK, thanks. I did take a look at this earlier on in my research but it was an old article (2004) so I wanted to ensure that the information in it was still valid.  I'll be pulling the trigger on this shortly - will let you know how things go. Do I need to leave some time after I transfer roles? Or is this immediate?
0
 

Author Comment

by:erndog5800
ID: 19657220
Hi Again - Looks like it went off without a hitch. I'm pleasantly suprised!  I did move the Infrastructure Master from DC2 to DC1, and I did get a warning about how it (IM) shouldn't be on the same machine as a GC, but I clicked OK and the roles transferred without any trouble.  I demoted DC2 without errors, rebooted, and joined it to the root domain.  Then I demoted DC1, rebooted, and rejoined to the root domain.  

The only thing I did differently was to log in using the Domain Admin of the child domain.  Halfway through the demotion process of DC, it asks for the credentials of the forest admin.  

Another cool bonus is that existing shares did not get blown away, and neither did printers, which is something I wasn't sure about and documented just in case.  If you test shares beforehand with root domain permissions, you're pretty much good to go after you blow away your child domain.  

Thanks for the help!  I split the points between you both.
0
 
LVL 23

Expert Comment

by:ormerodrutter
ID: 19671550
I suggest you take a look in your DNS database and ensure removal of all trace of your child domain.
0
 
LVL 5

Expert Comment

by:RightNL
ID: 19673965
have a look at this..

if it all fails this shows you how to clean up..

http://support.microsoft.com/kb/216498

most of the steps won't be necessary but be sure to run through it .. it will show what steps are necessary to remove a dc (and the last of a subdomain) if it dies and you don't want to bring it back.. or if demotion failed..

dns is important ..

also the trusts are ..

just read through it. ...
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question