aetherpacket asked:

Side Effects of Powering Down Domain Controller without Demoting

We have a pair of legacy domain controllers that I want to demote and shut down. I've already created a pair of Windows Server 2019 DCs and migrated the FSMO roles to one. We have a fairly large environment with many LDAP connections, or domain-joined appliances. I've spent the last 6 months trying to find every reference to the legacy domain controllers that I can from everything that I've inherited with little to no documentation: MFDs, UPSs, server / appliance NICs, applications, DHCP scopes, etc.

To see if I'd discovered enough, I wanted to schedule a shutdown test of the two legacy DCs. I have some concerns, though, about how w32tm, Kerberos, and domain-joined devices work with round-robin requests. If I merely shut down the DCs rather than demote them and then shut them down, since devices and member servers reference time through w32tm in a round-robin method (as far as I know) from DCs, I think this could cause issues if the device was registered to one of the DCs I shut down. Similarly, with devices which reference the root of the domain, example.local, rather than specific DCs, this DNS entry will also return in round robin, and I believe that will pose an issue as well.

Am I correct in my assumptions? Is biting the bullet and demoting the DCs really the recommended way to move forward? Do non-Windows domain-joined devices (like Linux appliances) typically have to be rejoined to the domain after a change like this?


1 Answer

FanFan-MSFT answered:

Hi,

Based on my understanding, it is safe to shut down the DC before demoting and removing it.
Before any big changes, remember to back up the DCs, and make sure there are no errors in the output of the following commands:

Dcdiag /v >c:\dcdiag1.log
Repadmin /showrepl >C:\repl.txt
Repadmin /showreps * 

Transfer the FSMO roles correctly, and make the clients use the good one as their DNS server.
If there are also other roles installed on the DC which you want to demote and remove, make sure there is a replacement server.

Shut down one server at a time and monitor whether there are any issues.
If everything is OK, demote it.
If the other DCs are working well, it will not affect the devices in the domain; we don't need to rejoin them to the domain.

Best Regards,

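A pre-shutdown check for one legacy DC, written as an added PowerShell example (it is not code from this thread or from Microsoft). It assumes the RSAT ActiveDirectory and DhcpServer modules are installed and is run from a domain-joined admin host; the names LEGACY-DC1, 10.0.0.10 and DHCP1 are placeholders, and example.local is the domain from the question. It covers the items the answer lists (FSMO roles, replication, which DNS servers clients are pointed at) plus the domain-root round-robin and DHCP-scope references the question is worried about.

```powershell
# Added pre-shutdown check for a legacy DC; not code from the thread above.
# Assumes RSAT ActiveDirectory + DhcpServer modules; names below are placeholders.
Import-Module ActiveDirectory
Import-Module DhcpServer

$Domain   = 'example.local'   # domain root from the question
$LegacyDc = 'LEGACY-DC1'      # placeholder legacy DC hostname
$LegacyIp = '10.0.0.10'       # placeholder legacy DC address
$DhcpHost = 'DHCP1'           # placeholder DHCP server
$findings = @()

# 1. FSMO roles: the legacy DC must hold none before it goes offline.
$forest = Get-ADForest
$dom    = Get-ADDomain $Domain
$roles  = @{
    SchemaMaster = $forest.SchemaMaster; DomainNamingMaster = $forest.DomainNamingMaster
    PDCEmulator = $dom.PDCEmulator; RIDMaster = $dom.RIDMaster; InfrastructureMaster = $dom.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$LegacyDc.*") { $findings += "FSMO role $($r.Key) is still on $LegacyDc" }
}

# 2. DNS round robin: clients that use the domain root or the DC SRV record get
#    whichever DC is registered there, so the legacy DC must be gone from both.
$rootA = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue
if ($rootA.IPAddress -contains $LegacyIp) { $findings += "Domain root A record still returns $LegacyIp" }
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv | Where-Object NameTarget -like "$LegacyDc.*") { $findings += "DC SRV record still advertises $LegacyDc" }

# 3. DHCP option 6 (DNS servers) at server level and in every scope.
$serverOpt = Get-DhcpServerv4OptionValue -ComputerName $DhcpHost -OptionId 6 -ErrorAction SilentlyContinue
if ($serverOpt.Value -contains $LegacyIp) { $findings += "DHCP server-level option 6 hands out $LegacyIp" }
foreach ($s in Get-DhcpServerv4Scope -ComputerName $DhcpHost) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $DhcpHost -ScopeId $s.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt.Value -contains $LegacyIp) { $findings += "DHCP scope $($s.ScopeId) hands out $LegacyIp as DNS" }
}

# 4. Replication: no failures should be recorded against the legacy DC.
$fail = Get-ADReplicationFailure -Target $LegacyDc -ErrorAction SilentlyContinue
if ($fail) { $findings += "Replication failures recorded on ${LegacyDc}: $(@($fail).Count)" }

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output "Do not shut down $LegacyDc yet."
} else {
    Write-Output "$LegacyDc holds no roles and is not referenced by DNS or DHCP option 6; a timed shutdown test is reasonable."
}
```

Anything the script flags is a reference that would still be handed out to clients after the shutdown; run it again after each fix, and only then schedule the shutdown test the answer describes.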

FanFan-MSFT commented:

Hi,

Just want to confirm the current situation.
If there's anything you'd like to know, don't hesitate to ask.

Best Regards,


Any updates for the issue?
Best Regards,
