jonhicks
asked on
Demoting a 2003 Domain Controller without impacting users
I need to demote a domain controller. We have three sites and two domains in our forest. This server is a DC in the parent domain.
I want to demote it while causing as little impact as possible. I've gone through the process of moving off any FSMO roles and have run dcdiag and netdiag to test everything is okay. No users should be using this DC as a DNS server.
My main concern when demoting the DC is that some users will be looking to it for logon/authentication and it will take time for DNS to correct this. I can do the work out of hours, but will need an estimate of the time required for everyone (that is, clients, AD S&S and other DCs) to acknowledge that the server is no longer a DC. Site replication is set to 1 hour.
It seems like you have already tested that no user will be using this to-be-demoted DC in your parent domain. As long as this to-be-demoted DC is not being used by users via DHCP, and it is not a primary DNS for any other DNS server, including non-DCs and/or DCs in your child domain, you should be fine to demote it.
If you have AD sites created, your users should be able to authenticate to any DC, by first attempting to authenticate to a DC which is local to the users' subnet, which is assigned to the same AD site. If no DC is available to the client in the local site, it will look for other DCs in the same domain to authenticate. This means there shouldn't be any worry as long as your parent domain has two or more DCs with GC to service clients before demoting this DC. One last thing to check is to make sure this DC is not the only DC hosting logon scripts, roaming profiles or related data, etc.
ASKER
DNS I took care of a while ago. I even bothered to check the dns log to see if any requests came its way - all I saw was traffic between it and the other dns servers.
We have three other DCs in the parent domain, so that's all good. It's not a GC.
Regarding login scripts - all of ours are found in the netlogon share, which is replicated between all DCs. I've gone through and checked that all our GPOs refer to these by domain name instead of server. Will have to test that they still work...
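A pre-demotion checklist that covers the points raised in the answer above (FSMO roles moved, enough other DCs and GCs, site coverage, DNS still advertising the server, replication health) and the asker's note about logon scripts living in the domain NETLOGON share. This is an added PowerShell example, not code from the thread; it runs from any domain-joined admin host using the .NET System.DirectoryServices.ActiveDirectory classes plus nslookup and repadmin, so it does not need the AD PowerShell module or AD Web Services on a 2003 DC. The server name DC01 is a placeholder assumption.

```powershell
# Added example: pre-demotion checks for a domain controller.
# Assumes the DC to demote is "DC01" (placeholder) in the domain this host is joined to.
param([string]$DcToDemote = "DC01")

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest
$fqdn   = "$DcToDemote.$($domain.Name)"

# 1. No FSMO role may still sit on the server being demoted.
$roles = @{
    'Schema'         = $forest.SchemaRoleOwner.Name
    'Domain naming'  = $forest.NamingRoleOwner.Name
    'PDC emulator'   = $domain.PdcRoleOwner.Name
    'RID'            = $domain.RidRoleOwner.Name
    'Infrastructure' = $domain.InfrastructureRoleOwner.Name
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -ieq $fqdn) { Write-Warning "$($role.Key) master is still on $fqdn - move it first" }
    else                        { "OK   $($role.Key) master: $($role.Value)" }
}

# 2. Other DCs in the domain, and GCs left in the forest, once this one is gone.
$otherDcs = @($domain.DomainControllers | Where-Object { $_.Name -ine $fqdn })
$otherGcs = @($forest.GlobalCatalogs    | Where-Object { $_.Name -ine $fqdn })
"Other DCs in $($domain.Name): $($otherDcs.Count)"
"GCs remaining in forest $($forest.Name): $($otherGcs.Count)"
if ($otherGcs.Count -eq 0) { Write-Warning "$fqdn is the last GC - do not demote yet" }

# 3. Site coverage: clients in this DC's site fall back to other sites only if no DC is left here.
$thisDc = $domain.DomainControllers | Where-Object { $_.Name -ieq $fqdn }
if ($thisDc) {
    $siteMates = @($otherDcs | Where-Object { $_.SiteName -eq $thisDc.SiteName })
    "Site $($thisDc.SiteName) keeps $($siteMates.Count) other DC(s) after demotion"
} else {
    Write-Warning "$fqdn is not listed as a DC of $($domain.Name)"
}

# 4. DNS: the DC-locator SRV records that still advertise this server to clients.
#    Re-run after demotion; lines naming the server should disappear once DNS has updated.
$srv = "_ldap._tcp.dc._msdcs.$($domain.Name)"
"SRV records under $srv that name $($DcToDemote):"
nslookup -type=SRV $srv | Select-String -Pattern $DcToDemote -SimpleMatch

# 5. Logon scripts should be fetched from the domain-level NETLOGON share, not this server.
$netlogon = "\\$($domain.Name)\NETLOGON"
if (Test-Path $netlogon) { "OK   $netlogon reachable" } else { Write-Warning "$netlogon not reachable" }

# 6. Replication health before touching anything; fix any error shown here first.
repadmin /showrepl $fqdn
```

Run it once before dcpromo to confirm every check passes, and run step 4 again afterwards to see when the server's SRV records have dropped out of DNS, which is the moment clients stop being able to pick it as a logon server.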