Demote and promote domain controller for new domain

Posted on 2016-11-23
Last Modified: 2016-11-27
I have Active Directory with 4 remote sites and subnets; a remote site connected via VPN has a domain controller. This remote site is being bought out by another firm who would like to keep the IT equipment. I am planning to demote the server and set a new local admin password for the server and workstations, and then on the server:
- remove from current domain
- remove DNS server config
- remove VPN
- promote server to domain controller of a new domain with DNS and DHCP
- join all workstations to new domain

As the site has 1 server, it is also running file, print and some applications, along with being part of DFS.

Anything else I need to consider?
Question by: ExchangeKB
7 Comments
 
Expert Comment by Andy (ID: 41898695)
You may also want to remove the devices from the domain before demoting and create a workgroup so the users can still use the shared resources.
Does the server run DHCP?
Ensure that clients get a new DNS server setting so they can access the resources or edit the hosts file.
 
Accepted Solution by hastech12 (earned 2000 total points, ID: 41898746)
Much like Andy said, I would do it in this order:

- Disjoin PCs from the existing domain.
- Demote the server from the existing domain.
- Clean up the old AD environment as per the following TechNet article:
  https://blogs.technet.microsoft.com/canitpro/2016/02/17/step-by-step-removing-a-domain-controller-server-manually/
- I would rename the server to be something more suitable to the new organisation.
- Set up and configure DHCP.
- Set up and configure DNS.
- Do a "dcpromo".
- Once the new DC is up and running:
  - Create a new OU for domain PCs.
  - Segment them out if possible, either according to departments, management or the like.
  - Join PCs to the new domain and add them to the new OU.
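The sequence in the accepted answer as PowerShell, added here as an illustration and not part of hastech12's answer. Stages 1 and 6 run on each workstation, stages 2 to 5 on the remote server; the domain names, server name, subnet and OU name are assumptions.

```powershell
# Added example: the rebuild order from the answer above, one stage per block.
# Assumed names: old domain oldcorp.example, new domain newcorp.example,
# server NEWDC01 at 192.168.50.10, site subnet 192.168.50.0/24, OU 'Workstations'.

# --- Stage 1: on each workstation, leave the old domain (local admin password already reset) ---
$oldCred = Get-Credential -Message 'oldcorp.example account allowed to unjoin'
Remove-Computer -UnjoinDomainCredential $oldCred -WorkgroupName 'WORKGROUP' -Force -Restart

# --- Stage 2: on the server, demote it from the old domain while the VPN is still up ---
# With the HQ DCs reachable, demotion removes this server's NTDS metadata from the old
# domain itself. If they cannot be reached, add -ForceRemoval here and then do the manual
# metadata cleanup from the linked TechNet article on the HQ side.
$localAdmin = Read-Host -AsSecureString 'New local Administrator password'
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdmin -Force

# --- Stage 3: after the reboot, as local Administrator, rename for the new organisation ---
Rename-Computer -NewName 'NEWDC01' -Restart

# --- Stage 4: roles and the new forest (Install-ADDSForest also sets up the DNS zone) ---
Install-WindowsFeature AD-Domain-Services, DNS, DHCP -IncludeManagementTools
$safeMode = Read-Host -AsSecureString 'Directory Services Restore Mode password'
Install-ADDSForest -DomainName 'newcorp.example' -DomainNetbiosName 'NEWCORP' `
    -InstallDns -SafeModeAdministratorPassword $safeMode -Force

# --- Stage 5: after the promotion reboot, DHCP scope that points clients at the new DNS ---
Add-DhcpServerInDC -DnsName 'newdc01.newcorp.example' -IPAddress 192.168.50.10
Add-DhcpServerv4Scope -Name 'Site LAN' -StartRange 192.168.50.50 -EndRange 192.168.50.200 `
    -SubnetMask 255.255.255.0 -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.50.0 -DnsServer 192.168.50.10 -Router 192.168.50.1
# Dedicated OU so the PCs can get their own group policy instead of sitting in Computers
New-ADOrganizationalUnit -Name 'Workstations' -Path 'DC=newcorp,DC=example' `
    -ProtectedFromAccidentalDeletion $true

# --- Stage 6: on each workstation, join the new domain straight into that OU ---
$newCred = Get-Credential -Message 'newcorp.example account allowed to join computers'
Add-Computer -DomainName 'newcorp.example' -OUPath 'OU=Workstations,DC=newcorp,DC=example' `
    -Credential $newCred -Restart
```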
 
Author Comment by ExchangeKB (ID: 41898788)
Thanks Andy/Hastech.
As I have found out, the organization structure will remain and the office is being franchised. To reduce the work involved, would it be worth breaking the VPN and, once the connection is terminated from my domain controller, I can force transfer the FSMO roles to this server, meaning no work will be required on the workstations. Maybe I need to reconfigure DNS, but then I get to keep the group policy etc. Any thoughts?
Expert Comment by Andy (ID: 41898795)
That is a possible solution; I would make sure you change any passwords used, though, to ensure you remain secure on your side.

Also, you may need to perform a metadata cleanup on both sides to remove any old references.
 
Author Comment by ExchangeKB (ID: 41899487)
Any ideas on roaming profiles if I chose to demote and promote?
 
Expert Comment by Andy (ID: 41900261)
I think there could be some admin required.
You'd need to ensure this is still configured and tested; make sure you have a backup just in case. Roaming profiles can behave oddly when moved around, and in some scenarios delete files when moved.
 
Expert Comment by hastech12 (ID: 41900877)
If you break the VPN and that DC is now effectively a standalone MemberServer/DC, I would check if the users are using it for AD auth or if they are actually authenticating to the main DC back at HQ.

There is a command line prompt to trace the auth server that the users are using. I can't remember it off the top of my head right now, but will update you with it later.

If the users are authenticating to the main server and you break the VPN they may not have a DC to authenticate to.

Can you advise what roles you have on this server? Ignoring the ones that you may need to add later once it's a standalone server.
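The checks hastech12 describes, run before the VPN is cut, as an added example that is not part of the comment above. The domain name and DC name are assumptions. One reason these checks matter for the "keep the DC and seize FSMO" option: a DC that is simply cut off still holds a full replica of the old domain's directory, which is why Andy's advice to change the passwords used on your side applies.

```powershell
# Added example: which DC the remote users really authenticate to, and what the server holds.
# Assumed names: old domain oldcorp.example, remote site DC REMOTEDC01.

# On a workstation at the remote site: which DC serviced this logon session?
$env:LOGONSERVER                        # e.g. \\REMOTEDC01, or an HQ DC name over the VPN
nltest /dsgetdc:oldcorp.example         # DC the locator would pick now, with its site name
nltest /dsgetdc:oldcorp.example /force  # ignore the cached answer and re-run the locator

# On the remote DC (ActiveDirectory module): is the site set up so logons land here?
# The DC should be a Global Catalog, sit in its own AD site, and that site should have the
# remote subnet mapped; otherwise the locator sends logons across the VPN to HQ.
Get-ADDomainController -Identity 'REMOTEDC01' |
    Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# Which DCs hold the FSMO roles today (in the question's scenario, all at HQ)
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Installed server roles, to answer "what roles do you have on this server"
Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
    Select-Object Name, DisplayName
```

If LOGONSERVER and the locator both point at an HQ DC, fix the site and subnet mapping (or plan the cut-over for a time when the local DC can take logons) before breaking the VPN, or the workstations will have no DC to authenticate to.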