
Need advice removing a Domain Controller

J.R. Sitman asked:
I need to remove a DC that is the one the users are authenticating to. As a test I shut it down and this morning some users could log on to the other DC and some not. How do I troubleshoot the problem?
Make sure you have the DC's DNS settings on all of your workstations.

Example DNS settings on client:

10.10.10.11 (retired)
10.10.10.12 (DC2)
10.10.10.13 (DC3)
First make sure the DC you are removing does not hold any FSMO roles. Here is a quick rundown on that:

http://www.petri.co.il/transferring_fsmo_roles.htm

Also make sure the other DC is a catalog server as well. Make sure that the users who logged in were ACTUALLY logging in using the other server, and not just using cached credentials. From a command prompt on the client run echo %logonserver% to be sure.
J.R. Sitman, IT Director (Author) commented:
The DNS setting for the DNS server should be its own IP and the secondary should be the other DNS server, correct?

@sysreg2000. Already done. Thanks
Yes.

You need to verify that client's settings have those entries as well.
J.R. Sitman, IT Director (Author) commented:
I have minimum DNS experience, but I noticed what I would think is a "big" problem. Both our DNS servers have a subnet of 255.255.255.0. One of the computers I checked is 255.255.0.0. This is "BAD" right?

How would this happen and how do I correct it before I DCPromo the DC?
J.R. Sitman, IT Director (Author) commented:
Hope you guys return to this post tomorrow. :-(
Just change the subnet mask on your client.

Maybe somebody accidentally forgot the 255 on the third octet or the DHCP scope is misconfigured.
J.R. Sitman, IT Director (Author) commented:
DHCP is set to 255.255.0.0, should I leave that and change the servers, or leave the servers and fix DHCP?
The static addresses on your DCs are more important. I would fix the DHCP scope. You will have to renew "ipconfig /release & ipconfig /renew" on each of your DHCP clients to reflect the change.
J.R. Sitman, IT Director (Author) commented:
Won't a reboot of the clients do the same?
A reboot will provide you the same result.
Leon Fester, Senior Solutions Architect, commented:
What kind of errors did your users get when the DC was down?
Top Expert 2014 commented:
Ok, to remove the server from the domain (providing it is still functional) just run DCPROMO on it. This is the cleanest (and recommended) way to remove a DC from the domain. Any FSMO roles will be transferred during the demotion process.

If clients can't authenticate to the other DCs, check DNS as the other experts have suggested. If your clients have a different subnet mask from the DC, fix that in DHCP. Remove DC1's IP address from the DNS scope options in DHCP too (so clients don't try and use it to resolve DNS).

You should have at least ONE Global Catalog server or clients won't be able to authenticate properly, so make sure that DC2 or DC3 has this role (In AD Sites and Services, under NTDS).

A good place to look is the Event Log on each remaining DC. Check you have no DNS or NTFRS errors. If you do, fix them then try again.
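An added PowerShell check, written for this thread and not posted by any of the commenters, that runs on a domain-joined client the three client-side checks discussed above: which DC the session actually logged on through (the %logonserver% test), whether the client's DNS server list still contains the retired DC or lacks a surviving one, and whether its subnet mask matches the DCs' /24. It assumes the addresses from the example above (10.10.10.11 retired, 10.10.10.12 and 10.10.10.13 as DC2/DC3) and a hypothetical NetBIOS name of DC1 for the DC being demoted; adjust the parameters to your environment.

```powershell
# Added example, not from the thread. Run on a workstation before demoting the old DC.
# Assumed values: 10.10.10.11 = DC being retired, 10.10.10.12/13 = DC2/DC3,
# clients expected on a /24 (255.255.255.0), retiring DC's NetBIOS name DC1.
param(
    [string]$RetiredDc     = '10.10.10.11',
    [string[]]$GoodDcs     = @('10.10.10.12', '10.10.10.13'),
    [int]$ExpectedPrefix   = 24,
    [string]$RetiredDcName = 'DC1'   # hypothetical name of the DC being demoted
)

$problems = @()

# 1. Which DC authenticated this session? Same information as "echo %logonserver%".
#    If it still names the retiring DC, the user did not prove the other DCs work.
$logon = $env:LOGONSERVER -replace '^\\\\', ''
if ($logon -ieq $RetiredDcName) {
    $problems += "Logged on via $logon, the DC being retired (or using cached credentials)."
}

# 2. DNS client settings: the retired DC must be gone and a surviving DC present,
#    otherwise the client cannot locate DC2/DC3 once the old server is off.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $srv = $_.ServerAddresses
        if ($srv -contains $RetiredDc) {
            $problems += "$($_.InterfaceAlias): DNS list still contains retired DC $RetiredDc."
        }
        if (-not ($srv | Where-Object { $GoodDcs -contains $_ })) {
            $problems += "$($_.InterfaceAlias): no surviving DC ($($GoodDcs -join ', ')) in DNS list."
        }
    }

# 3. Subnet mask: the thread found DHCP handing out 255.255.0.0 (/16) while the
#    DCs use 255.255.255.0 (/24). PrefixLength is the mask in CIDR form.
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' -and $_.IPAddress -ne '127.0.0.1' } |
    ForEach-Object {
        if ($_.PrefixLength -ne $ExpectedPrefix) {
            $problems += "$($_.InterfaceAlias): $($_.IPAddress)/$($_.PrefixLength) does not match expected /$ExpectedPrefix (check the DHCP scope)."
        }
    }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "Logon server ($logon), DNS servers and subnet mask all look correct."
}
```

A client that reports a mask or DNS problem here will usually fix itself after the DHCP scope is corrected and the lease is renewed (ipconfig /release and /renew, or a reboot), as the thread describes.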
J.R. Sitman, IT Director (Author) commented:
Thanks to all