How to Demote a Long-Disconnected Domain Controller

Just looking back on some old notes.

Found out nearly 4 years ago that I had to reconnect a branch office Windows Server 2003 domain controller that had a reasonable amount of data (in DFS) and apps on it, and I had a weekend in which to do it. A re-install would have been pushing it, especially the DFS replication (don't even ask about the backups...).

I distinctly remember that at the time there wasn't anything on TechNet, except one of those teaser PowerPoint presentations saying how Windows Server 2003 had better support for long-disconnected domain controllers (which I can no longer seem to find with Google. Hmph.).

Some of my Kerberos experience on FreeBSD and - at that time - my new-found knowledge of pointing Google at Microsoft to search for useful information helped me to try to understand what was going on.

After having a good guess of what I thought was wrong and running down some dead-ends, I ended up surprising myself when the following process worked:

  • Change tombstone lifetime on FSMO DC to 180 days
  • Push out changes from FSMO DC to other DCs using replmon
  • Remove GC role from long-disconnected DC on both FSMO DC and on long-disconnected DC using AD Sites and Services
  • Push out changes from FSMO DC to other DCs using replmon
  • Stop and disable KDC on long-disconnected DC
  • Use netdom to reset machine account password for long-disconnected DC on FSMO DC
    • netdom resetpwd /server:<FSMO DC hostname> /ud:<Domain>\<Admin Account> /pd:<Admin Passwd>
  • Restart long-disconnected DC
  • Use dcpromo repeatedly to demote server (I got timeouts for netlogon taking too long to respond; WAN authentication latency problem?)
  • Restart the now demoted long-disconnected DC
    • Click OK to "one or more services failed to start" (it is not finding a DC)
  • Use Terminal Services to remove demoted DC as a DNS NS from AD-integrated zones on the FSMO DC
  • Use Terminal Services to connect to FSMO DC and replicate the entire domain
  • Run dcpromo to promote standalone server
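Before starting down that list it is worth confirming that the branch DC really is past the tombstone lifetime and what the current lifetime is. The following is an added PowerShell pre-flight check and implementation of the first two steps; it is not the author's script, and it assumes the ActiveDirectory module (Windows Server 2008 R2 RSAT or later, with Get-ADReplicationPartnerMetadata needing 2012 or later), a reachable FSMO DC, repadmin in place of the old replmon GUI, and placeholder DC names HQ-DC01 and BRANCH-DC01.

```powershell
# Added pre-flight check for the procedure above; not the original post's code.
# Assumes the ActiveDirectory module and repadmin; DC names below are placeholders.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    param([string]$Server)
    $cfg = (Get-ADRootDSE -Server $Server).configurationNamingContext
    $ds  = Get-ADObject -Server $Server -Properties tombstoneLifetime `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    # An unset attribute means the pre-2003-SP1 forest default of 60 days.
    if ($null -eq $ds.tombstoneLifetime) { 60 } else { [int]$ds.tombstoneLifetime }
}

function Test-DisconnectedDc {
    param([string]$DisconnectedDc, [string]$FsmoDc)
    $tsl = Get-TombstoneLifetimeDays -Server $FsmoDc
    # Last successful inbound replication from the branch DC, as the FSMO DC saw it.
    $meta = Get-ADReplicationPartnerMetadata -Target $FsmoDc -Scope Server |
        Where-Object { $_.Partner -like "*CN=$DisconnectedDc,*" } |
        Sort-Object LastReplicationSuccess -Descending | Select-Object -First 1
    $lastOk = if ($meta) { $meta.LastReplicationSuccess } else { [DateTime]::MinValue }
    # Machine account password age; well past the 30-day change interval means the
    # netdom resetpwd step in the list is needed before the DC can authenticate.
    $pwdSet = [DateTime]::FromFileTimeUtc(
        (Get-ADComputer -Server $FsmoDc -Identity $DisconnectedDc -Properties pwdLastSet).pwdLastSet)
    $gap = (Get-Date) - $lastOk
    [pscustomobject]@{
        TombstoneLifetimeDays    = $tsl
        DaysSinceLastReplication = [int]$gap.TotalDays
        PastTombstoneLifetime    = $gap.TotalDays -gt $tsl
        MachinePasswordAgeDays   = [int]((Get-Date).ToUniversalTime() - $pwdSet).TotalDays
    }
}

# Steps 1 and 2 of the list: raise tombstoneLifetime to 180 days if it is lower,
# then push the change to every DC (repadmin /syncall replaces replmon).
function Set-TombstoneLifetime180 {
    param([string]$FsmoDc)
    if ((Get-TombstoneLifetimeDays -Server $FsmoDc) -lt 180) {
        $cfg = (Get-ADRootDSE -Server $FsmoDc).configurationNamingContext
        Set-ADObject -Server $FsmoDc -Replace @{ tombstoneLifetime = 180 } `
            -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg"
    }
    & repadmin /syncall $FsmoDc /AdeP | Out-Null
}

Test-DisconnectedDc -DisconnectedDc 'BRANCH-DC01' -FsmoDc 'HQ-DC01'
```

Raising the lifetime after the DC has already been disconnected longer than the old value does not bring back tombstones the other DCs have already garbage-collected, which is why the list demotes and re-promotes rather than just letting the DC replicate again.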

Thought I'd post this to help out any other poor sod stuck in this sorry state.

Might just have to run up a couple of VMs to verify this still works...

TechNet now has guidance on this with the Reconnecting a Domain Controller After a Long-Term Disconnection article. Doesn't look like what I've got above.
