Thursday, July 10, 2008

How to Demote a Long-Disconnected Domain Controller

Just looking back on some old notes.

Found out nearly 4 years ago that I had to reconnect a branch office Windows Server 2003 domain controller that had a reasonable amount of data (in DFS) and apps on it and I had a weekend in which to do it. A re-install would have been pushing it. Especially the DFS replication (don't even ask about the backups...).

I distinctly remember at the time that there wasn't anything on TechNet, except one of those teaser PowerPoint presentations saying how Windows Server 2003 had better support for long-disconnected domain controllers (which I can no longer seem to find with Google. Hmph.).

Some of my Kerberos experience on FreeBSD and - at that time - my new-found knowledge of pointing Google at Microsoft to search for useful information helped me to try to understand what was going on.

After having a good guess of what I thought was wrong and running down some dead-ends, I ended up surprising myself when the following process worked:

  • Change tombstone on FSMO DC to 180 days
  • Push out changes from FSMO DC to other DCs using replmon
  • Remove GC role from long-disconnected DC on both FSMO DC and on long-disconnected DC using AD Sites and Services
  • Push out changes from FSMO DC to other DCs using replmon
  • Stop and Disable KDC on long-disconnected DC
  • Use netdom to reset machine account password for long-disconnected DC on FSMO DC
    • netdom resetpwd /server:<FSMO DC hostname> /ud:<Domain>\<Admin Account> /pd:<Admin Passwd>
  • restart long-disconnected DC
  • Use dcpromo repeatedly to demote server (I got timeouts for netlogon taking too long to respond; WAN authentication latency problem?)
  • restart the now demoted long-disconnected DC
    • Click OK to "one or more services failed to start"; not finding a DC
  • Use Terminal Services to remove demoted DC as a DNS NS from AD-integrated zones on the FSMO DC
  • Use Terminal Services to connect to FSMO DC and replicate the entire domain
  • run dcpromo to promote standalone server

Thought I'd post this to help out any other poor sod stuck in this sorry state.

Might just have to run up a couple of VMs to verify this still works...

TechNet now has guidance on this with the Reconnecting a Domain Controller After a Long-Term Disconnection article. Doesn't look like what I've got above.

3 comments:

Anonymous said...

Currently attempting something similar :)

Thanks for the link!

Unknown said...

I actually have a Server that A client brought in that he wants turned into a workstation that is running Server 2000 SP4. The machine has not been connected to the Domain in over 2 years... The Server still thinks it is the Primary Domain Controller. I am having a hard time trying to address changing the Tomb Stone on the Different FSMO's, and am not sure which ones I should be doing such at. Your post is the best one I have yet yo find explaining the process. But, I need some help with this. Thanks. ~Dean.

stryqx said...

@Dean: Probably best to use dcpromo to demote the domain controller, selecting Last domain controller in the domain.
You may run into some demotion problems, so it's worth looking at the following MSKB articles:

http://support.microsoft.com/kb/332199
http://support.microsoft.com/kb/260698