Can someone comment briefly on what best-practice is for demoting a healthy domain controller?
I am planning to replace our 2008R2 DCs with 2016 DCs and will be reusing the existing names and IPs.
Obviously this is not something we do very often and I just want to make sure I get it right the first time.
So generally speaking would we demote the DC to a member server and then uninstall ADDS, WINS, DNS, etc. and then remove it from the domain into a workgroup or would we uninstall ADDS, WINS, DNS, then demote the DC into being a member server and then into a workgroup?
We have at least two DCs that host and replicate ADDS, WINS, DNS, GC, GPO, etc. and our replication is good. Neither of the DC servers does anything other than act as a DC.
We are not running a Certificate Authority on the DC.
Neither DC acts as a bridgehead server as we only have one site and both DCs are in the same subnet/VLAN.
Both DCs are patched to within 1 month of current MS updates and are on the same patch level.
Need to verify that replication between all existing DC's works flawlessly.
Do general server checks (review logs, run dcdiag and netdiag) to isolate and mitigate any existing issues.
Make sure remaining DC can handle the domain functions (user logon etc.) on its own.
Remove all FSMO roles hosted on the DC that is being demoted, transferring them to another DC.
Make sure it is not the only Global Catalogue, DNS/WINS or only DC in the domain, i.e. that another functioning DC can provide those services.
Account used for process must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory.
DFS is not hosted on the DC and it is my understanding that values within AD will replicate from the existing remaining 2008R2 DC to the new 2016 DC once it is up. Use dfsdiag /testdcs to make sure everything is healthy and consistent (it is right now) after new 2016 DC is added.
Will using DCPROMO to remove the DC cleanly also remove any/all remains of the existing DC from AD, or is manual intervention required after the successful demotion process? I ask because when we removed a 2003 DC before we were left with remains of the DC's object in Active Directory, and when we tried to install another server with the same computer name and tried to promote it to become a Domain Controller it failed because the DCPROMO process still found the old objects and therefore refused to re-create the objects for the new-old server. We had to manually remove the failed DC object from Sites & Services, manually remove the failed DC entries from each DNS console, etc. Is there anything (apart from maybe DNS entries) that needs to be manually adjusted after the fact? Hopefully it does not require us to run ntdsutil to remove remnants from within AD.
As always many thanks to all the amazing techs who kindly share their insights and expertise.
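The pre-demotion checklist above (FSMO roles moved, another GC and DC present, replication clean, dcdiag passing) can be run as a single read-only readiness check. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module, repadmin and dcdiag are available, that it runs as a Domain Admin on a domain-joined host, and the DC name DC01 is a hypothetical placeholder.

```powershell
# Added example: read-only pre-demotion readiness check for one domain controller.
# Assumes RSAT ActiveDirectory module, repadmin.exe and dcdiag.exe are present.
Import-Module ActiveDirectory
$DcToDemote = 'DC01'   # hypothetical placeholder; the 2008R2 DC being retired
$dcFqdn   = (Get-ADDomainController -Identity $DcToDemote).HostName
$domain   = Get-ADDomain
$forest   = Get-ADForest
$findings = @()

# 1. No FSMO role may still be hosted on the DC being demoted.
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -ieq $dcFqdn) { $findings += "FSMO role $($r.Key) is still on $dcFqdn; transfer it first." }
}

# 2. Another Global Catalog and another DC must remain in the domain.
$otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
            Where-Object { $_.HostName -ine $dcFqdn }
if (-not $otherGCs) { $findings += "No other Global Catalog would remain after demoting $dcFqdn." }
$otherDCs = Get-ADDomainController -Filter * | Where-Object { $_.HostName -ine $dcFqdn }
if (-not $otherDCs) { $findings += "$dcFqdn is the only DC in the domain." }

# 3. Replication: repadmin's CSV output lists failures per partner and naming context.
$repl   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $repl | Where-Object { $_.'Number of Failures' -ne '0' }
foreach ($f in $failed) {
    $findings += "Replication $($f.'Source DSA') -> $($f.'Destination DSA') " +
                 "($($f.'Naming Context')) has $($f.'Number of Failures') failures."
}

# 4. dcdiag against the DC being demoted; any 'failed test' line is a blocker.
$dcdiagFailures = dcdiag /s:$dcFqdn | Select-String -Pattern 'failed test'
foreach ($line in $dcdiagFailures) { $findings += "dcdiag: $($line.Line.Trim())" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Host "$dcFqdn passes the pre-demotion checks." }
```

Review the warnings before running the demotion; the script changes nothing and can be re-run after each fix.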