Forum Discussion
Demote a 2019 server - problem
I want to demote one of our 2 DCs in preparation for server replacement. Replication between the two works fine and both DNS's are synced and up to date. But when I run the wizard, I need to check that "This is the last DNS server" which is not true. If not, I can't proceed to the next step (Next becomes greyed out).
As an experiment, I did this last week and it resulted in a domain where no client could log on, and no file shares were working on the remaining DC/File server. So I restored both backups to get back in business. I do not want to repeat this again.
I have browsed the complete DNS tree for the forward zone and everything looks fine to me (SRV, NS etc records).
- kyazaferr, Iron Contributor
For demoting a Domain Controller without disrupting domain services, here are key steps:
1. Verify Replication Health
   - Use `repadmin /replsummary` to confirm replication is working correctly
   - Ensure both DCs have identical Active Directory database state
2. Transferring FSMO Roles
   - Before demoting, transfer Flexible Single Master Operations (FSMO) roles to the remaining DC
   - Use `netdom query FSMO` to identify current role holders
   - Transfer roles using `ntdsutil` or Active Directory Users and Computers
3. DNS Configuration
   - Since you're experiencing wizard restrictions, use DCPROMO command-line method
   - Open Command Prompt as Administrator
   - Run: `dcpromo /forceremoval`
   - This bypasses GUI wizard limitations
4. Pre-Demote Checks
   - Verify no unique services/roles on this specific DC
   - Confirm adequate DNS/time services on remaining DC
   - Backup the DC before proceeding
5. Post-Demote Validation
   - Check domain login capabilities
   - Verify file share accessibility
   - Monitor event logs for any replication/authentication issues
If issues persist, consider consulting Microsoft support or performing a staged migration approach.
Would you like me to elaborate on any of these steps?
- andersostling56, Copper Contributor
Thank you, very helpful!
Yes, could you clarify item 3. I assume that this should be done on the DC to be removed (HP-SRV01)?
Item 4. We have noticed issues with time sync in the past. What would be the correct way of verifying time services on the remaining DC?
I have all the other items under control (I think). Again, thanks a lot!
```
C:\Users\administrator.HPLTS>repadmin /replsummary
Replication Summary Start Time: 2024-11-21 17:32:36
Beginning data collection for replication summary, this may take awhile:

Source DSA          largest delta    fails/total %%   error
 HP-SRV01                 39m:17s    0 /   5    0
 HP-SRV02                 38m:04s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 HP-SRV01                 38m:05s    0 /   5    0
 HP-SRV02                 39m:18s    0 /   5    0

C:\Users\administrator.HPLTS>netdom query fsmo
Schema master               HP-SRV02.hoganas-xxx.se
Domain naming master        HP-SRV02.hoganas-xxx.se
PDC                         HP-SRV02.hoganas-xxx.se
RID pool manager            HP-SRV02.hoganas-xxx.se
Infrastructure master       HP-SRV02.hoganas-xxx.se
The command completed successfully.

C:\Users\administrator.HPLTS>nslookup
Default Server: HP-SRV02.hoganas-xxx.se
Address: 10.0.2.10

> set type=SRV
> _LDAP._TCP.hoganas-xxx.se
Server: HP-SRV02.hoganas-xxx.se
Address: 10.0.2.10

_LDAP._TCP.hoganas-xxx.se SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = hp-srv02.hoganas-xxx.se
_LDAP._TCP.hoganas-xxx.se SRV service location:
    priority = 0
    weight = 100
    port = 389
    svr hostname = hp-srv01.hoganas-xxx.se
hp-srv02.hoganas-xxx.se internet address = 10.0.2.10
hp-srv01.hoganas-xxx.se internet address = 10.0.2.64
```

/Anders
- kyazaferr, Iron Contributor
`dcpromo /forceremoval`
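
The checks discussed in this thread (FSMO placement, replication health, DNS SRV records, and the time-service question), gathered into one added PowerShell example that is not part of any post above. It assumes the ActiveDirectory module (RSAT) is installed and reuses the host names from the posted output; it only reads state and changes nothing.

```powershell
# Added example: read-only pre-demotion checks, run from an elevated session.
# Assumption: $Leaving / $Staying are the host names shown in the thread's output.
Import-Module ActiveDirectory

$Leaving  = 'HP-SRV01'   # DC to be demoted
$Staying  = 'HP-SRV02'   # DC that remains
$domain   = Get-ADDomain
$forest   = Get-ADForest
$problems = @()

# 1. No FSMO role may still be held by the DC that is being removed.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -like "$Leaving.*") { $problems += "FSMO role $($r.Key) is still on $Leaving" }
}

# 2. No outstanding replication failures recorded on either DC.
foreach ($dc in $Leaving, $Staying) {
    Get-ADReplicationFailure -Target $dc | Where-Object { $_.FailureCount -gt 0 } |
        ForEach-Object { $problems += "Replication failure on ${dc}: partner $($_.Partner), last error $($_.LastError)" }
}

# 3. The remaining DC must be advertised in DNS, as answered by its own DNS service,
#    so clients can still locate a DC once the other DNS server is gone.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV `
        -Server $Staying -ErrorAction SilentlyContinue
if (-not ($srv | Where-Object { $_.NameTarget -like "$Staying.*" })) {
    $problems += "No _ldap._tcp.dc._msdcs SRV record for $Staying on its own DNS server"
}

# 4. Time service on the remaining DC: it needs a working upstream source.
#    'Local CMOS Clock' or 'Free-running System Clock' means it is not syncing.
$source = (w32tm /query /computer:$Staying /source | Out-String).Trim()
if ($source -match 'Local CMOS Clock|Free-running System Clock') {
    $problems += "$Staying has no upstream time source ($source)"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "All checks passed; time source on ${Staying}: $source" }
```

For more detail on the time question, `w32tm /query /status` on the remaining DC shows the last successful sync and `w32tm /monitor` compares the offset of every DC in the domain.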