jonhicks

asked on

Demoting a 2003 Domain Controller without impacting users

I need to demote a domain controller. We have three sites and two domains in our forest. This server is a DC in the parent domain.

I want to demote it while causing as little impact as possible. I've gone through the process of moving off any FSMO roles and have run dcdiag and netdiag to test everything is okay. No users should be using this DC as a DNS server.

My main concern when demoting the DC is that some users will be looking to it for logon/authentication and it will take time for DNS to correct this. I can do the work out of hours, but will need an estimate of the time required for everyone (that is, clients, AD S&S and other DCs) to acknowledge that the server is no longer a DC. Site replication is set to 1 hour.
ASKER CERTIFIED SOLUTION
mail2prabir

SOLUTION
jonhicks

ASKER

Thanks both, useful info.
It seems like you have already tested that no user will be using this to-be-demoted DC in your parent domain. As long as this to-be-demoted DC is not being used by users via DHCP and it is not a primary DNS server for any other DNS server, including non-DC and/or DC servers in your child domain, you should be fine to demote it.
If you have AD sites created, your users should be able to authenticate to any DC by first attempting to authenticate to a DC in the local site of the user's subnet, which is assigned to the same AD site. If no DC is available to the client in the local site, it will look for other DCs in the same domain to authenticate. This means there shouldn't be any worry as long as your parent domain has two or more DCs with GC to service clients before demoting this DC. One last thing to check is to make sure this DC is not the only DC hosting logon scripts, roaming profiles or related data, etc.
DNS I took care of a while ago. I even bothered to check the DNS log to see if any requests came its way; all I saw was traffic between it and the other DNS servers.

We have three other DCs in the parent domain, so that's all good. It's not a GC.

Regarding login scripts - all of ours are found in the netlogon share, which is replicated between all DCs. I've gone through and checked that all our GPOs refer to these by domain name instead of server. Will have to test that they still work...
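The pre-demotion checks discussed in this thread (FSMO roles moved off, not a GC, other DCs advertised in DNS, which DC clients actually locate, replication partners healthy), gathered into one script as an added example that is not from the thread or from any of the posters. It assumes a domain-joined Windows admin workstation with Windows PowerShell 3.0 or later and the nltest, netdom and repadmin tools on the PATH; the DC and domain names are placeholders.

```powershell
# Added example: pre-demotion sanity checks for a domain controller.
# Assumes a domain-joined machine, PowerShell 3.0+ (Resolve-DnsName),
# and nltest/netdom/repadmin available. All names are placeholders.
param(
    [string]$Dc     = 'OLDDC01',          # placeholder: DC to be demoted
    [string]$Domain = 'corp.example.com'  # placeholder: parent domain FQDN
)

$fqdn = "$Dc.$Domain"

# 1. FSMO roles: none of the five should still point at the DC being demoted.
$fsmo = netdom query fsmo
if (($fsmo -join "`n") -match [regex]::Escape($fqdn)) {
    Write-Warning "FSMO role(s) still held by ${fqdn}:`n$($fsmo -join "`n")"
} else {
    Write-Host "OK: no FSMO roles on $fqdn"
}

# 2. Global Catalog: bit 0x1 of the 'options' attribute on the NTDS Settings object.
$rootDse = [ADSI]"LDAP://$fqdn/RootDSE"
$ntds    = [ADSI]"LDAP://$fqdn/$($rootDse.dsServiceName)"
$isGc    = ([int]$ntds.options.Value -band 1) -eq 1
if ($isGc) { Write-Warning "$fqdn is a GC; forest-wide lookups may still target it" }
else       { Write-Host "OK: $fqdn is not a GC" }

# 3. DC locator SRV records: clients find DCs through these, so the remaining
#    DCs must be advertised now, and this record must vanish after demotion.
$srv = Resolve-DnsName -Type SRV "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop |
       Where-Object { $_.QueryType -eq 'SRV' }
$others = @($srv | Where-Object { $_.NameTarget -ne $fqdn })
Write-Host ("DCs advertised in DNS: " + (($srv | ForEach-Object NameTarget) -join ', '))
if ($others.Count -lt 2) { Write-Warning "Fewer than two other DCs remain in $Domain" }

# 4. Which DC does this client locate right now? (/force bypasses the cached DC)
nltest /dsgetdc:$Domain /force

# 5. Replication status with the partners that must learn the DC is gone.
repadmin /showrepl $fqdn /errorsonly
```

Re-run step 3 after the demotion and after the site replication interval mentioned above has elapsed; once the target no longer appears in the SRV answer on each DNS server, clients that query that server will stop locating it.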