Demoting and Re-promoting AD domain controller steps ?

Hi people

I’m currently trying to fix the physical box Windows Server 2012 R2 domain controller in a remote site office where the AD replication is not going both ways.

Since this box is running as Domain Controller, DNS (AD-Integrated) and DHCP for the AD Site Office13, what would happens to the computers workstations when I demote the Domain Controller role above, wait 1 hour and then re-promote it again as domain controller ?

My plan are as follows to reduce 50 office users email outage and internet connection:

1.      Change the DHCP scope DNS to point to Data Center
2.      Reduce the DHCP scope into 1 hour
3.      Demote AD role
4.      Reboot
5.      Wait until 30 minutes
6.      Promote as AD domain controller
7.      Configure AD-Integrated (is it necessary ?)
8.      Change the DHCP scope back to 8 days
9.      Change the DHCP scope DNS into itself and one DNS server in Data Center AD Site.

Let me know if I missed anything important in the above steps ?
LVL 11
Senior IT System EngineerIT ProfessionalAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mal OsborneAlpha GeekCommented:
There is  a bit of a problem with step2.  Client machines attempt to release their lease when half way through, so in the case of a default 8 day lease, it will remain for as long as 4 days, PLUS time until the next power up.  Thus, you will need to wait 5 days to ensure all machines have managed to grab the new lease. Just setting the lease to one hour will do nothing until the client machine renew it.

You can of course check in DHCP for old leases.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Senior IT System EngineerIT ProfessionalAuthor Commented:
Ah I see, so how can I for the DHCP lease to expiry and renew it with the new DNS server value ?
The replication is likely the result if missing a leg.

look at sites and services look at the NTDS links and see whether the missing connection can be added.

Repladmin /showrep
To see what is going on?

Usually a demotion, would require ad metadata cleanup to make sure there are no remnants.

IMHO, to resolve one issue such as a quantifiable replication issue by complicating the issue by demoting a sole DC at the site, you are making things significantly worse.

Do you need to change the ip scope?
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Senior IT System EngineerIT ProfessionalAuthor Commented:
Yes I forgot to do the AD metadata cleanup.
Senior IT System EngineerIT ProfessionalAuthor Commented:
No I do not need to change the IP address and DC name.
Once a DC disappears from the site, depending on your setup, the workstations in the site might be one unusable until the DC is recreated.
I.e. Absent a DHCP/DNS on the site, how will the workstations locate a DC to which ..............

Look at sites and services and see whether you can reestablishes the connection you are missing.
Senior IT System EngineerIT ProfessionalAuthor Commented:
Hi Arnold,

Yes that's what I have already add statically, from the AD Sites and Service, I've added the static connection to the Data Center DC, but somehow the problem still exist.

Is there anything that I missed from the steps above ?

Note: this is the other thread that is explaining the detailed issue:
IMHO, in the situation you face, you might be better off virtualizing your DC, to have two VMS that can provide DNS, DHCP, AD DC and replicated file services.

Instead of the single physical p, single point of failure.

I'll take a look at the link you provide, I still believe the route of demote and then promote DC is asking for trouble.
I.r. To solve a simple identifying of an issue with replication you are taking the risk that during your promotion attempt you will run into a worse issue or get back to the same point where you are if you are lucky.

   There are about a 100 or so pieces of information missing from your list to aide in troubleshooting and resolving your issue.   #1.  Why are you wanting to demote the domain controller in a remote site, that based on your feedback - looks like a read-only domain controller RDOC.   If you have no replication, you need to get your network connectivity, DNS,  VPN (if the offices are connected that way), or Metro Ethernet, or whatever you are using to get replication working 1st before you demote.  DNS should be top priority.    What kind of domain is in the remote office,  is it an RDOC for a Child Domain?   Is it part of the Root Domain ( where in the Forest are your DC's)   This could go on for hours..   If you have a write-able Domain Controller, instead of an RDOC, you have big problems if you Demote now without finding out where replication is broken.   You can run a variety of Commands at the DC -  DCDIAG /V /fix,    Capture this to notepad.   Then repadmin /showrepl      
My advice to you is to get replication working ASAP, unless you are trying to kill  DC in the remote office, and re-organize the domain.   If your remote office is in driving distance to the main office, and this is a physical box, and you have a broken network, then drive the thing over to the home office, place on the same subnet and conduct analysis of replication issues.   If its a VM, export it to a USB drive, send it over to the main office, bring into the main environment.   Leave the broken one alone to service the orphaned clients in remote office since they are not seeing replication anyway.   Demote, Promote in an environment where you have replication available and you have a network.  Otherwise, work on the connectivity, verify DNS, in the existing remote office connections.  If you need another DNS server in the remote office, bring online to assist your troubleshooting.  Do not demote that DC until you have exhausted TS efforts.
Senior IT System EngineerIT ProfessionalAuthor Commented:
ok, somehow the decommission side effect gone wrong :-|

One by one the workstations popping up the Error that the Trust Relationship has broken ?!?!
Failed replication could mean that the workstation were added to this DC their objects did not replicate to the remote DC to which the auth requests are being sent.

Thus would mean that upon completing your metadata cleanup, repromote the DC and hope the replication will be established without issues, then login to each workstation while they are off network, then reconnect and rejoin the domain one workstation at a time, do not unjoin the workstation from the domain.
Senior IT System EngineerIT ProfessionalAuthor Commented:
Yes Arnold, that was probably the case when this site office is opened, the Domain Controller is build first and then the computer straight out of the box joined to the domain.

However yes, what are my options back then to avoid this thing happening ?
Do not dev omission of only DC in the location where ............

Taking the time to fix replication by identifying the cause reasons versus disjoin/rejoin......
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.