Active Directory Administration Cookbook, Second Edition
Proven solutions to everyday identity and authentication challenges for both on-premises and the cloud

Author: Sander Berkouwer
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781803242507
Length: 696 pages
Edition: 2nd Edition
Excerpt from Chapter 2: Managing Domain Controllers

Demoting a domain controller

Every domain controller has a life cycle. After a certain period, it should make room for newer, better, more agile, or even more cost-efficient domain controllers, or other solutions, such as Azure Active Directory Domain Services.

Getting ready

Before you demote a domain controller, you should ensure the following:

  • It no longer hosts any FSMO roles.
  • It no longer offers networking services, such as DNS, LDAP, RADIUS, or WINS. These protocols are manually configured on networking devices and other servers. Demoting a domain controller that offers these services might negatively impact the networking infrastructure. Reconfigure networking devices and servers to use alternative domain controllers or services first.
  • It is not an Enterprise Root Certification Authority (CA). When a domain controller is configured as an Enterprise Root CA using Active Directory Certificate Services (AD CS), it cannot be demoted. First, the CA needs to be migrated.
  • There are other global catalog servers available when you remove a domain controller that is also configured to be a global catalog server.

For successful demotions, the domain controller you intend to demote needs to have at least one network interface card attached to the network. Other domain controllers should be reachable and Active Directory replication should be working properly.
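The readiness checks above, scripted as an added example that is not part of the book: it is run from any domain controller with the ActiveDirectory and ServerManager modules, and assumes the domain controller to be demoted is named DC03 (a placeholder).

```powershell
# Added example (not from the book): pre-demotion readiness checks.
# Placeholder: short name of the domain controller you intend to demote.
Import-Module ActiveDirectory

$Target = 'DC03'
$Issues = @()

# 1. FSMO roles: none of the five operations master roles may still live on the target
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$Target.*") { $Issues += "Still holds FSMO role $($r.Key)" }
}

# 2. Global catalog: at least one other global catalog server must remain
$gcs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true }
$otherGcs = @($gcs | Where-Object { $_.Name -ne $Target })
if ($otherGcs.Count -eq 0) { $Issues += 'No other global catalog server would remain' }

# 3. Services that clients and network devices are pointed at by hand (DNS, NPS/RADIUS,
#    WINS), plus the Enterprise CA role, which blocks demotion until the CA is migrated
$featureNames = 'DNS', 'NPAS', 'WINS', 'ADCS-Cert-Authority'
$installed = Get-WindowsFeature -ComputerName $Target -Name $featureNames |
    Where-Object { $_.Installed }
foreach ($f in $installed) { $Issues += "Role/feature still installed: $($f.Name)" }

# 4. Replication must be healthy so the demotion itself replicates to the partners
$failures = @(Get-ADReplicationFailure -Target $Target)
if ($failures.Count -gt 0) { $Issues += "Replication failures reported: $($failures.Count)" }

if ($Issues.Count -eq 0) { Write-Output "$Target is ready to be demoted" }
else { $Issues | ForEach-Object { Write-Output "BLOCKER: $_" } }
```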

How to do it...

This recipe describes two supported ways to demote a domain controller gracefully:

  • Using the Remove Server Roles and Features Wizard
  • Using the Active Directory module for Windows PowerShell

Using the Remove Server Roles and Features Wizard

To demote a domain controller gracefully using Server Manager, perform these steps:

  1. Press Start.
  2. Search for Server Manager and click its corresponding search result, or run servermanager.exe. The Server Manager window appears.
  3. In the gray top bar of Server Manager, click Manage.
  4. Select Remove Server Roles and Features from the context menu. The Remove Roles and Features Wizard window appears.
  5. On the Before you begin screen, click Next.
  6. On the Select destination server screen, select the local Windows Server installation from the server pool list, and then click Next.
  7. On the Select server roles screen, deselect the Active Directory Domain Services role from the list of installed roles. The Remove Roles and Features Wizard pop-up window appears.
  8. In the pop-up window, click the Remove Features button to remove features that are required for Active Directory Domain Services:

Figure 2.14 – The Remove Roles and Features Wizard pop-up screen

  9. On the Validation Results screen, follow the Demote this domain controller link to acknowledge that the domain controller needs to be demoted before the Active Directory Domain Services role can be removed:

Figure 2.15 – Validation Results for the Remove Roles and Features Wizard

  10. The Active Directory Domain Services Configuration Wizard window appears. On the Credentials screen, optionally enter the credentials to perform the demotion, or click Next > to perform the operation with the credentials of the account you signed in with.
  11. On the Warnings screen, select the Proceed with removal option and click Next >:

Figure 2.16 – The Warnings screen of the Active Directory Domain Services Configuration Wizard

  12. On the Removal Options screen, select the Remove DNS delegation option and click Next >.
  13. On the New administrator password screen, enter the new password for the built-in administrator account. Click Next > to proceed to the next screen.
  14. On the Review Options screen, click Demote.
  15. When configuration of the Active Directory Domain Services server role is done, click Close to close the Remove Roles and Features Wizard.

Using the Active Directory module for Windows PowerShell

To demote a domain controller gracefully, you can use the Uninstall-ADDSDomainController PowerShell cmdlet like this:

Uninstall-ADDSDomainController 

This removes the domain controller from the Active Directory domain and prompts you for the new password for the built-in administrator account after demotion. Replace the values in the previous sample file with the values of your choice.

To remove the Active Directory Domain Services role after demotion, use the following line of Windows PowerShell:

Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools

The domain controller is then demoted, and the Active Directory Domain Services role is removed.
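The same demotion scripted with the choices the wizard asks for, preceded by the ADDSDeployment module's own prerequisite check, as an added example that is not part of the book; it is run locally on the domain controller being demoted and prompts for the credentials and the new local Administrator password.

```powershell
# Added example (not from the book): scripted demotion mirroring the wizard's screens.
Import-Module ADDSDeployment

# Wizard: Credentials screen and New administrator password screen
$cred = Get-Credential -Message 'Account permitted to demote this domain controller'
$localAdminPassword = Read-Host -AsSecureString -Prompt 'New local Administrator password'

$demoteParams = @{
    Credential                 = $cred
    LocalAdministratorPassword = $localAdminPassword
    RemoveDnsDelegation        = $true   # Wizard: Removal Options screen
    Force                      = $true   # Wizard: Warnings screen, "Proceed with removal"
}

# Dry run: the same prerequisite checks the real cmdlet performs, without demoting
$check = Test-ADDSDomainControllerUninstallation @demoteParams
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Prerequisite check failed; the domain controller was not demoted'
}

# Demote. The server reboots when the operation completes.
Uninstall-ADDSDomainController @demoteParams

# After the reboot, sign back in and remove the role binaries (the recipe's second line):
# Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
```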

How it works...

Every domain controller has its information stored in numerous places throughout the Active Directory database.

To remove this information and stop other domain controllers from replicating to non-existing domain controllers, the domain controllers should be demoted.

There's more...

Proper demotion of a domain controller will remove all the references to the domain controller from Active Directory.

However, it is a recommended practice to check the following tools manually after demotion:

  • DNS (dnsmgmt.msc)
  • Active Directory Sites and Services (dssite.msc)
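The two manual checks above, scripted as an added example that is not part of the book: it is run on a surviving domain controller that also runs the DNS Server role, and assumes the demoted domain controller was named DC03 (a placeholder).

```powershell
# Added example (not from the book): look for leftover references to a demoted DC
# in DNS and in Active Directory Sites and Services.
Import-Module ActiveDirectory
Import-Module DnsServer

$Demoted   = 'DC03'                                  # placeholder short name
$domain    = Get-ADDomain
$zones     = $domain.DNSRoot, "_msdcs.$($domain.Forest)"
$leftovers = @()

# 1. DNS: host records named after the DC, and SRV/CNAME/NS records still pointing at it
foreach ($zone in $zones) {
    $records = Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue
    foreach ($rec in $records) {
        $data = $rec.RecordData
        $points = switch ($rec.RecordType) {
            'SRV'   { $data.DomainName }
            'CNAME' { $data.HostNameAlias }
            'NS'    { $data.NameServer }
            default { $null }
        }
        if ($rec.HostName -eq $Demoted -or ($points -and $points -like "$Demoted.*")) {
            $leftovers += "DNS zone $zone : $($rec.RecordType) $($rec.HostName) -> $points"
        }
    }
}

# 2. Sites and Services: the server object (and its NTDS Settings child) should be gone
$sitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase $sitesDn -LDAPFilter "(&(objectClass=server)(cn=$Demoted))"
if ($server) {
    $leftovers += "Sites and Services: server object remains at $($server.DistinguishedName)"
}

if ($leftovers.Count -eq 0) { Write-Output "No references to $Demoted remain" }
else { $leftovers }
```

Leftover DNS records and a lingering server object are removed by hand in the two consoles the recipe names.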