kaushal2004 asked:

demoting a secondary domain controller on Windows 2003

Can someone help me with a step-by-step guide on demoting a secondary domain controller in Windows 2003 Server?

I already have a domain controller running fine but had added a second Windows 2003 server as a backup. I had initiated the promotion of this second server as a "new domain on an existing forest", but due to corrupt files and OS, I plan to rebuild. But before I do so, how do I gracefully demote this server so that I can rebuild the server with a different host name and then join the domain?
twcadmin

Simply go to Start -> Run, type dcpromo and click OK. This will run the dcpromo process; choose to demote/remove it.
It really is as easy as that.

Just make sure you don't click "is this the last domain controller in the domain"
Agreed
kaushal2004 (ASKER)

Thanks. But I remember this was done last time... and there were several entries still left behind on the domain controller. Is this normal, or do I have to use other tools to really clean up the domain controller, like DNS, DHCP, WINS, AD, Registry, etc.?
The only thing demoting a domain controller will do is remove the AD database.
That will still leave the roles of DNS, DHCP, WINS.

What exactly are you trying to do?


It is unwise to monkey with the registry.
Make sure the server in question is not running any of your FSMO roles; if it is, transfer those roles to the other domain controller (PDC, RID, IM, GC).  Then run dcpromo to demote it.  You'll only have to fiddle with ADSIedit to do cleanup if you forget to transfer the roles first.  (been there, done that - you don't want to forget to do that)

If you're not sure how, open Active Directory Users and Computers, connect to the domain in question, right-click on the domain, select Operations Masters.  Go through each of the three screens and transfer the roles to the other domain controller, if the server you're demoting holds any of them.  To check for Global Catalog, go to Active Directory Sites and Services, open the site in question, open Servers, expand the NTDS Settings under the server you're demoting, and go to Properties on the NTDS Settings.  If the Global Catalog checkbox is checked, un-check it, then go to the other domain controller's NTDS Settings properties, and turn the checkbox on.

Once you're finished promoting another domain controller (I assume you are, it's dangerous to only have one), then you'll want to transfer the GC role to a server other than the one holding the FSMO roles.
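The checks the post above walks through by hand in AD Users and Computers and AD Sites and Services (FSMO holders, global catalog, not the last DC) can be run from the command line before dcpromo. This is an added example, not from the thread; it assumes the DC being demoted is named ServerB (a constructed name) and that the Windows Server 2003 Support Tools (dsquery, dcdiag, repadmin) are installed.

```batch
@echo off
REM Pre-demotion check for a Windows Server 2003 DC (added example, not from the thread).
REM Assumes the DC to demote is ServerB (constructed name) and the 2003 Support Tools are installed.
setlocal
set DC_TO_DEMOTE=ServerB
set PROBLEMS=0
set DCCOUNT=0
set GCCOUNT=0

echo === Domain controllers in the forest (never demote the last one) ===
dsquery server -o rdn
for /f %%N in ('dsquery server ^| find /c "CN="') do set DCCOUNT=%%N
if %DCCOUNT% LEQ 1 (echo   WARNING: only one DC exists; demoting it removes the domain & set PROBLEMS=1)

echo === FSMO roles held by %DC_TO_DEMOTE% (transfer every one of them first) ===
for %%R in (schema name infr pdc rid) do (
    dsquery server -hasfsmo %%R | findstr /i "%DC_TO_DEMOTE%" >nul
    if not errorlevel 1 (echo   WARNING: %DC_TO_DEMOTE% holds the %%R master & set PROBLEMS=1)
)

echo === Global catalogs (keep another GC, preferably not the FSMO holder) ===
dsquery server -isgc -o rdn
for /f %%N in ('dsquery server -isgc ^| find /c "CN="') do set GCCOUNT=%%N
dsquery server -isgc | findstr /i "%DC_TO_DEMOTE%" >nul
if not errorlevel 1 if %GCCOUNT% LEQ 1 (echo   WARNING: %DC_TO_DEMOTE% is the only GC; enable GC on another DC first & set PROBLEMS=1)

echo === Replication state of %DC_TO_DEMOTE% (a graceful demotion needs working replication) ===
repadmin /showrepl %DC_TO_DEMOTE%
dcdiag /s:%DC_TO_DEMOTE% /test:replications /q

if %PROBLEMS%==1 (echo RESULT: fix the warnings above before running dcpromo & exit /b 1)
echo RESULT: safe to run dcpromo on %DC_TO_DEMOTE% and choose to remove it from the domain
endlocal
```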
Geniph, thanks.

Yes, sooner or later I will be adding another domain controller to the forest, as soon as I rebuild it with a different host name. I don't plan to work in the registry on the Domain Controller. That is not my intention, BUT I do want to clean up all entries of the corrupted secondary domain controller in the forest before I rebuild and join again.

I was also told to use "dcdiag" to clean up entries in the domain controller. Is this true, or are there other tools to clean up the entries on the primary domain controller for the secondary domain controller?

**NOTE** I know I am referring to primary and secondary, and this was true for NT and not for 2003. But I am using these terms for our conversation here so that we have an understanding of what is taking place.

DCPROMO, ADSIedit, DCDIAG... any other cleanup tools to help me clean up AD in the primary for the secondary?
Not long ago, I had a corrupt AD database that we had to demote and repromote. Demoting it removed the AD database and therefore the corrupt items. After demoting it and repromoting it, we had to register the DNS settings. Then we replicated the AD database back from the other domain controller.

The words primary and secondary are understood. Instead of the NT days, we now have servers that hold the FSMO roles. I think we all understand that the Primary is meant as the FSMO role holder these days.

The tool you are referring to, that removes metadata, is called the NTDSUtility. DCdiag will show metadata from an improperly demoted domain controller. The NTDSutility is used to remove the data left over from an improperly demoted domain controller.

You plan on demoting the machine, changing its name, and repromoting it back into the domain as another domain controller that is not the domain FSMO role holder. When you change the name, you will have entries that will interfere with the domain. One of those entries will be a DNS record. A second will be a default first site record. We also need to know if you have a global catalog on that machine. There are a lot of things to think about, but all are fixable problems if things go astray.

So, we need to ask you a few questions:
Is DNS AD integrated?
Is this a global catalog server?
Does this server hold any FSMO roles? (I assume not)
Why are you changing the name of the server? Is this a necessary step?
What other roles does this server portray? (Example: DNS, DHCP, AD, WSUS, printer, file server, Exchange etc.)
Ok... Thanks ChiefIT, here is some additional info.

ServerA is the FSMO role holder. This is also my file server, print server, DNS server and DHCP server. ServerB was initially the secondary server that I promoted or added as a second domain in the forest tree in the hope of making it my secondary backup DC. But due to it being corrupt, I wanted to demote it and rename it to something else so that ServerA does not see it as a second attempt. I have demoted ServerB using DCPROMO, but I know for a fact that there are some remains in AD on ServerA that may conflict or cause problems.

1. Yes, DNS is AD integrated
2. ServerA is a global catalog
3. ServerA holds the FSMO roles and not ServerB
4. Why the name change is mentioned above
5. ServerB was not portraying any other roles at the time.

I hope I have answered some or most of your questions.
If it successfully demotes, then you'll probably be good to go.  You may have to use a /forcedemote switch, but usually not.  Cleanup of metadata is a bit of a pain, but not difficult to do; you just follow the steps in the KB article carefully.

http://support.microsoft.com/kb/216498
Agreed with the above:

Sounds like you will need to do a little metadata cleanup on Server A.

Demote Server B. Also, to clean things up a bit, consider removing the DNS role on Server B. Then re-add DNS and promote it back into the domain.

Run a DCdiag /verbose on server A and see how it looks.

Change your name, repromote server B, and re-add DNS.

At this time you will probably see "DCgetname" errors on Server B if you run a DCdiag report. That means your DNS needs to be registered. Once replicated, the two DCs should be talking with each other and all AD and DNS entries should be shared between the two DCs. This is what you want.

Don't worry about making mistakes, unless you mess up server A. Metadata cleanup, DNS cleanup, and replicating the databases will fix any errors that remain if you make a mistake in demoting the server.
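The metadata cleanup from the KB 216498 post and the DNS cleanup and DCdiag check from the post above, as an added example that is not the thread's or the KB article's own text. It assumes constructed names (surviving DC ServerA, demoted DC ServerB, AD zone example.local), the 2003 Support Tools installed, and ServerA at Windows Server 2003 SP1 or later so that ntdsutil accepts "remove selected server <DN>" instead of the numbered select-operation-target walk.

```batch
@echo off
REM Post-demotion metadata and DNS check for a Windows Server 2003 domain.
REM Added example for this thread; not the thread's or KB 216498's own text.
REM Assumptions (all constructed): surviving DC ServerA, demoted DC ServerB, AD zone example.local,
REM the 2003 Support Tools (dsquery, dnscmd, dcdiag, repadmin) installed, and ServerA at 2003 SP1
REM or later so ntdsutil accepts "remove selected server <DN>".
setlocal
set GOODDC=ServerA
set DEADDC=ServerB
set ZONE=example.local

echo === 1. Server object for %DEADDC% left in the Configuration partition? ===
set SERVERDN=
for /f "usebackq delims=" %%D in (`dsquery * forestroot -filter "(&(objectClass=server)(name=%DEADDC%))"`) do set SERVERDN=%%D
if not defined SERVERDN (
    echo   none found: dcpromo cleaned up after itself, ntdsutil is not needed
    goto dns
)
set SERVERDN=%SERVERDN:"=%
echo   found %SERVERDN%

echo === 2. Does it still have an NTDS Settings child? That is the stale DC metadata. ===
dsquery * "%SERVERDN%" -scope onelevel -filter "(objectClass=nTDSDSA)" | findstr /i "NTDS" >nul
if errorlevel 1 (
    echo   no NTDS Settings: only an empty server object remains; delete it in AD Sites and Services
    goto dns
)
echo   NTDS Settings present: removing the stale DC metadata through ntdsutil on %GOODDC%
ntdsutil "metadata cleanup" connections "connect to server %GOODDC%" quit "remove selected server %SERVERDN%" quit quit

:dns
echo === 3. DNS records on %GOODDC% that still name %DEADDC% (A, SRV, NS, CNAME) ===
for %%Z in (%ZONE% _msdcs.%ZONE%) do (
    dnscmd %GOODDC% /EnumRecords %%Z @ /continue 2>nul | findstr /i "%DEADDC%"
)
echo   Stale host record removal, once confirmed above:
echo     dnscmd %GOODDC% /RecordDelete %ZONE% %DEADDC% A /f
echo   SRV records naming the old host are removed per entry with /RecordDelete zone node SRV data /f

echo === 4. Health of the surviving DC after cleanup ===
dcdiag /s:%GOODDC% /q
repadmin /showrepl %GOODDC%
endlocal
```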
All,

Thanks so much. Remember, I had already demoted ServerB. It is now a member of the domain, plain and simple. I am just curious to see if ServerA has any other entries of ServerB, like host names, IP addresses or other metadata remains on ServerA.

You all have been very helpful in helping me through it and answering my doubts. I must take some steps this weekend and work on it a bit to see if all works well.
On server A you can run DCdiag /verbose to see if you have metadata that needs to be removed. Any errors you can cut and paste on this post and we can help you remove it.
Ok. The DCdiag /v test that I ran passed with flying colors. No errors or any reference to ServerB. Does this mean it is all clean on ServerA and that it is now safe to move on with the next step of adding ServerB once again?

Thanks ChiefIT
Yes,

If I were you, I might consider removing DNS as well. If it is AD integrated DNS and you have DNS installed prior to AD on that DC, then you may run into problems. Remove the DNS role, promote the machine back into the network, add DNS, register its DNS record and force replicate from A to B.

Please have others critique this advice. I don't use AD integrated DNS. But I have seen others run into errors when DNS is installed prior to AD running.
ASKER CERTIFIED SOLUTION
ChiefIT

Wow. Thanks ChiefIT. I have some work cut out for me. Really appreciate it. I will update everyone once I am back on track between ServerA and ServerB.