Side Effects of Powering Down Domain Controller without Demoting

Aetherpacket 1 Reputation point
2021-06-09T19:02:07.8+00:00

We have a pair of legacy domain controllers that I want to demote and shut down. I've already created a pair of Windows Server 2019 DCs and migrated the FSMO roles to one. We have a fairly large environment with many LDAP connections, or domain joined appliances. I've spent the last 6 months trying to find every reference to the legacy domain controllers that I can from everything that I've inherited with little to no documentation. MFDs, UPSs, server / appliance NICs, applications, DHCP scopes, etc.

To see if I'd discovered enough, I wanted to schedule a shutdown test of the two legacy DCs. I have some concerns though about how w32tm, Kerberos, and domain joined devices work with round robin requests. If I merely shut down the DCs rather than demote them and then shut them down, since devices and member servers reference time through w32tm in a round robin method (as far as I know) from DCs, I think this could cause issues if the device was registered to one of the DCs I shut down. Similarly, with devices which reference the root of the domain, example.local, rather than specific DCs, this DNS entry will also return in round robin, and I believe that will pose an issue as well.

Am I correct in my assumptions? Is biting the bullet and demoting the DCs really the recommended way to move forward? Do non-windows domain joined devices (like linux appliances) typically have to be rejoined to the domain after a change like this?


1 answer

  1. Fan Fan 15,326 Reputation points Microsoft Vendor
    2021-06-10T00:14:42.017+00:00

    Hi,

    Based on my understanding, it will be safe to shut down the DC before demoting and removing it.
    Before any big changes, remember to back up the DCs. And make sure there are no errors in the output of the following commands:

    Dcdiag /v >c:\dcdiag1.log
    Repadmin /showrepl >C:\repl.txt
    Repadmin /showreps * 

    Transfer the FSMO roles correctly, and make the clients use the good one as the DNS servers.
    If there are also other roles installed on the DC which you want to demote and remove, make sure there is a replacement server.

    Shut down one server at a time and monitor if there are any issues.
    If everything is OK, demote it.
    If the other DCs are working well, it will not affect the devices in the domain; we don't need to rejoin them to the domain.

    Best Regards,


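The question raises three concrete ways a powered-off (but not demoted) DC can still be handed to clients: the domain-root A record, the DC locator SRV records, and the time source members have chosen through w32tm. The following PowerShell script is an added example, not code from the question or the answer above, that inventories those references before a shutdown test. It assumes the RSAT ActiveDirectory module is installed, that WinRM is enabled on the sampled member servers, and that the DC names, domain name and member names in the `param` block are placeholders to be replaced with your own.

```powershell
# Added example: pre-shutdown inventory of what still points at the legacy DCs.
# All names below are placeholders; run from a domain-joined admin workstation
# with the RSAT ActiveDirectory module available.
param(
    [string[]]$LegacyDCs     = @('LEGACYDC01', 'LEGACYDC02'),  # placeholder DC names
    [string]$Domain          = 'example.local',                # placeholder domain
    [string[]]$SampleMembers = @('APP01', 'FILE01')            # placeholder member servers
)
Import-Module ActiveDirectory

$legacy   = $LegacyDCs | ForEach-Object { $_.ToUpper() }
$findings = [System.Collections.Generic.List[string]]::new()

# 1. FSMO roles: none may remain on a DC that is about to be switched off.
$dom    = Get-ADDomain $Domain
$forest = Get-ADForest
$roles  = @{
    PDCEmulator          = $dom.PDCEmulator
    RIDMaster            = $dom.RIDMaster
    InfrastructureMaster = $dom.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0].ToUpper()
    if ($legacy -contains $holder) {
        $findings.Add("FSMO role $($r.Key) is still held by $($r.Value)")
    }
}

# 2. Domain-root A records are answered round robin; any legacy DC address still
#    published here will be handed to clients that bind to the bare domain name.
$legacyAddrs = foreach ($dc in $LegacyDCs) {
    (Resolve-DnsName -Name "$dc.$Domain" -Type A -ErrorAction SilentlyContinue).IPAddress
}
$rootA = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue
foreach ($rec in $rootA) {
    if ($legacyAddrs -contains $rec.IPAddress) {
        $findings.Add("Domain root A record still returns legacy address $($rec.IPAddress)")
    }
}

# 3. DC locator SRV records: a DC that is only powered off keeps its records until
#    they are removed or scavenged, so Kerberos/LDAP clients can still be directed
#    to it and must time out before they try the next DC.
$srvNames = @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.dc._msdcs.$Domain")
foreach ($n in $srvNames) {
    $srv = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue
    foreach ($rec in $srv) {
        $target = ($rec.NameTarget -split '\.')[0].ToUpper()
        if ($legacy -contains $target) {
            $findings.Add("$n still advertises $($rec.NameTarget)")
        }
    }
}

# 4. Time source: sample which DC member servers are currently syncing from.
#    (w32tm /query /source prints the source name, optionally followed by ,flags.)
foreach ($m in $SampleMembers) {
    $src = Invoke-Command -ComputerName $m -ScriptBlock { w32tm /query /source } -ErrorAction SilentlyContinue
    if ($src) {
        $srcHost = ($src -split '[.,]')[0].ToUpper()
        if ($legacy -contains $srcHost) {
            $findings.Add("$m syncs time from legacy DC $src")
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No references to $($LegacyDCs -join ', ') found in FSMO roles, domain root A records, DC locator SRV records, or sampled time sources."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it once before the scheduled shutdown test and again after the legacy DCs are demoted: demotion removes the SRV and A records for the DC, so the second run should report nothing, which is the practical difference between "powered off" and "demoted" that the question is asking about. Anything the script does not cover (static IPs in appliance NICs, DHCP option 006, LDAP URLs in applications) still has to come from the manual inventory the question describes.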