By Matt Comment Closed

Admin Credentials

Move all FSMO roles the logged-on user should be a member of the Enterprise Administrators group.  This is required to transfer Schema master or Domain naming master roles.

The rest of the operations can be done with a user who is a member of the Domain Administrators group.

The most important things to look out for are the following components that are either running or registered against the system:

  • Global Catalog
  • FSMO Roles
  • Bridgehead server
  • General server checks
  • You have enterprise admin credentials

Global Catalog

To check what servers are functioning as a Domain Controller in your domain, type the following command:

dsquery server -domain #DomainName# | dsget server -isgc -dnsname

replace #DomainName# with the domain of the DC that you are demoting

If you have more than just the DC that you are preparing the demote, then you have nothing else to do as the DCPROMO steps will remove it automatically. If you don’t have any more, follow MS article 296882 to make another DC a GC.

MS article 296882 (https://support.microsoft.com/en-gb/help/296882/how-to-promote-a-domain-controller-to-a-global-catalog-server) Steps mentioned below

To promote a domain controller to a global catalog server, follow these steps:

  1. On the domain controller, click Start, point to Programs, click Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, double-click Sites, double-click the name of the site, and then double-click Servers.
  3. Double-click the target domain controller.
  4. In the details pane, right-click NTDS Settings, and then click Properties.
  5. On the General tab, click to select the Global catalog check box.
  6. Restart the domain controller.

FSMO roles

To check that the the current server is not a FSMO role holder, simply run the following command:

netdom query fsmo

If none of the server names are the one you are demoting then you have nothing else to do. If you are, then follow the MS KB Article 324801

MS KB Article 324801 (https://support.microsoft.com/en-gb/help/324801/how-to-view-and-transfer-fsmo-roles-in-windows-server-2003)

Transfer the Schema Master Role

Use the Active Directory Schema Master snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

  1. Click Start, and then click Run.
  2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.
  3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

  1. Click Start, click Run, type mmc in the Open box, and then click OK.
  2. On the File, menu click Add/Remove Snap-in.
  3. Click Add.
  4. Click Active Directory Schema, click Add, click Close, and then click OK.
  5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.
  6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.
  7. In the console tree, right-click Active Directory Schema, and then click Operations Master.
  8. Click Change.
  9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

  1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.
  2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.-or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.
  5. Click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.
  3. Do one of the following:
    • In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.-or-
    • In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.
  4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.
  5. Click the appropriate tab for the role that you want to transfer (RIDPDC, or Infrastructure), and then click Change.
  6. Click OK to confirm that you want to transfer the role, and then click Close.

Bridgehead Server

To check what servers are functioning as a Domain Controller in your domain, type the following command:

repadmin /bridgeheads

The output should be all the bridgeheads that are configured on that server.

General Server Checks

make sure it is healthy before running a DCPromo

Displays all information about Domain Controller information.

dcdiag.exe /V /C /D /E /s:#DomainControllerName# > c:\dcdiag.log

Provides information about specific network configuration for the local machine.

netdiag.exe /v > c:\netdiag.log

Helps diagnise AD replication issues

repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt

Helps you to diagnose common DNS name resolution issues

dnslint /ad /s #IPAddressOfServer#

To demote a domain controller

  1. Use Server Manager to remove the Active Directory Domain Services Role.

    Launch Server Manager, select the Manage drop down menu, select Remove roles and features.

  2. On the Select installation type page ensure Role-based or feature-based installation radial button is selected, click Next.
  3. On the Select destination server page Select the desired server from the Server Pool.
  4. On the Remove Roles and Features Wizard, click on the Active Directory Domain Services box to remove the check box.
  5. The Remove Roles and Features dialog box Remove features that require Active Directory Domain Service pops up, select Remove Features.
  6. On the Remove Roles and Features Wizard dialog box Validation Results box will appear.  The domain controller must be demoted before continuing.  Click on Demote this domain controller.
  7. On the Active Directory Domain Services Configuration Wizard enter the required credentials to demote this server, click Next. Note:  Only select Force the removal of this domain controller if the DC and not communicate with the remaining DCs.
  8. On the New Administrator Password, enter and confirm the new local administrator account password, click Next.
  9. On the Review Options verify the information is correct and click Demote.