Side Effects of Powering Down Domain Controller without Demoting

Aetherpacket 1 Reputation point
2021-06-09T19:02:07.8+00:00

We have a pair of legacy domain controllers that I want to demote and shut down. I've already created a pair of Windows Server 2019 DCs and migrated the FSMO roles to one. We have a fairly large environment with many LDAP connections and domain-joined appliances. I've spent the last 6 months trying to find every reference to the legacy domain controllers that I can from everything that I've inherited with little to no documentation: MFDs, UPSes, server / appliance NICs, applications, DHCP scopes, etc.

To see if I'd discovered enough, I wanted to schedule a shutdown test of the two legacy DCs. I have some concerns, though, about how w32tm, Kerberos, and domain-joined devices work with round-robin requests. If I merely shut down the DCs rather than demote them and then shut them down, since devices and member servers reference time through w32tm in a round-robin method (as far as I know) from DCs, I think this could cause issues if the device was registered to one of the DCs I shut down. Similarly, with devices which reference the root of the domain, example.local, rather than specific DCs, this DNS entry will also return in round robin, and I believe that will pose an issue as well.

Am I correct in my assumptions? Is biting the bullet and demoting the DCs really the recommended way to move forward? Do non-Windows domain-joined devices (like Linux appliances) typically have to be rejoined to the domain after a change like this?


1 answer

  1. Anonymous
    2021-06-10T00:14:42.017+00:00

    Hi,

    Based on my understanding, it is a safe way to shut down the DC before demoting and removing it.
    Before any big changes, remember to back up the DCs, and make sure there are no errors in the output of the following commands:

    Dcdiag /v >c:\dcdiag1.log
    Repadmin /showrepl >C:\repl.txt
    Repadmin /showreps * 

    Transfer the FSMO roles correctly, and make the clients use the good one as their DNS server.
    If there are also other roles installed on the DC which you want to demote and remove, make sure there is a replacement server.

    Shut down one server at a time and monitor whether there are any issues.
    If everything is OK, demote it.
    If the other DCs are working well, it will not affect the devices in the domain; we don't need to rejoin them to the domain.

    Best Regards,
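The question asks where a powered-off but not yet demoted DC can still be handed to clients (round-robin A records for the domain root, the Kerberos/LDAP locator SRV records, DHCP-distributed DNS and NTP servers, the w32tm source), and the answer asks for clean replication and FSMO placement before any shutdown. The following PowerShell script is an added example written for this page; it is not part of the question, the answer, or any Microsoft tooling. It assumes the RSAT ActiveDirectory, DnsServer and DhcpServer modules are installed, that it runs with rights to query AD, DNS, DHCP and repadmin, and that the domain name, legacy DC names and DHCP server name are placeholders to be replaced.

```powershell
#Requires -Modules ActiveDirectory, DnsServer, DhcpServer
<#
 Added example, not from the original question or answer.
 Pre-shutdown audit: lists everything that still resolves to a set of legacy DCs.
 Placeholders (assumptions): domain example.local, legacy DCs LEGACYDC1/LEGACYDC2,
 DHCP server DHCP1.
#>
param(
    [string]   $Domain      = 'example.local',
    [string[]] $LegacyDCs   = @('LEGACYDC1', 'LEGACYDC2'),
    [string[]] $DhcpServers = @('DHCP1')
)

$findings = [System.Collections.Generic.List[string]]::new()

# Resolve the legacy DCs once so FQDNs, short names and IPs all compare the same way.
$legacyIPs = foreach ($dc in $LegacyDCs) {
    (Resolve-DnsName -Name "$dc.$Domain" -Type A -ErrorAction Stop).IPAddress
}
function Test-Legacy([string]$Target) {
    $shortName = $Target.Trim().TrimEnd('.').Split('.')[0]
    return ($LegacyDCs -contains $shortName) -or ($legacyIPs -contains $Target.Trim())
}

# 1. FSMO roles must not sit on a DC that is about to be powered off.
$adDomain = Get-ADDomain -Identity $Domain
$adForest = Get-ADForest -Identity $adDomain.Forest
$roles = @{
    PDCEmulator          = $adDomain.PDCEmulator
    RIDMaster            = $adDomain.RIDMaster
    InfrastructureMaster = $adDomain.InfrastructureMaster
    SchemaMaster         = $adForest.SchemaMaster
    DomainNamingMaster   = $adForest.DomainNamingMaster
}
foreach ($role in $roles.Keys) {
    if (Test-Legacy $roles[$role]) { $findings.Add("FSMO role $role is still held by $($roles[$role])") }
}

# 2. Round-robin DNS: the domain-root A records and the locator SRV records that
#    Kerberos/LDAP clients use. A DC that is only powered off stays in these
#    until its records are removed, so clients keep being handed its address.
foreach ($rec in Resolve-DnsName -Name $Domain -Type A | Where-Object { $_.Type -eq 'A' }) {
    if (Test-Legacy $rec.IPAddress) { $findings.Add("Domain root A record still points at $($rec.IPAddress)") }
}
foreach ($srv in @("_ldap._tcp.dc._msdcs.$Domain", "_kerberos._tcp.$Domain")) {
    foreach ($rec in Resolve-DnsName -Name $srv -Type SRV | Where-Object { $_.Type -eq 'SRV' }) {
        if (Test-Legacy $rec.NameTarget) { $findings.Add("$srv still lists $($rec.NameTarget)") }
    }
}

# 3. DHCP hands out DNS (option 6) and NTP (option 42) server lists at server
#    and scope level; these are the references that are easiest to forget.
foreach ($srv in $DhcpServers) {
    $scopeIds = @($null) + @((Get-DhcpServerv4Scope -ComputerName $srv).ScopeId)
    foreach ($sid in $scopeIds) {
        $where = @{ ComputerName = $srv }
        if ($sid) { $where.ScopeId = $sid }
        $label = if ($sid) { "scope $sid" } else { 'server-level' }
        foreach ($optId in 6, 42) {
            $opt = Get-DhcpServerv4OptionValue @where -OptionId $optId -ErrorAction SilentlyContinue
            foreach ($v in @($opt.Value)) {
                if ($v -and (Test-Legacy $v)) { $findings.Add("DHCP $srv $label option $optId -> $v") }
            }
        }
    }
}

# 4. Time: members sync from the DC that authenticated them (DCs from the PDCe).
#    Check what this host is currently following.
$timeSource = (w32tm /query /source) -join ''
if (Test-Legacy $timeSource) { $findings.Add("This host's w32tm source is $timeSource") }

# 5. Replication must be clean before anything is powered off or demoted
#    (same intent as the answer's repadmin /showrepl, read back as CSV).
foreach ($dc in $LegacyDCs) {
    $rows = repadmin /showrepl $dc /csv | ConvertFrom-Csv
    foreach ($r in $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }) {
        $findings.Add("$dc: $($r.'Number of Failures') failure(s) from $($r.'Source DSA') ($($r.'Naming Context'))")
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No references to $($LegacyDCs -join ', ') found; the shutdown test can proceed."
} else {
    Write-Warning "$($findings.Count) reference(s) still resolve to the legacy DCs:"
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

Run it from an elevated PowerShell session on a domain-joined admin workstation before each shutdown test. An empty findings list does not mean the legacy DCs are gone from DNS: the domain-root A records and the _msdcs SRV records are registered by each DC's own Netlogon service, so they survive a power-off and are only cleared by demotion (or metadata cleanup and record deletion afterwards). That is the practical reason the answer's sequence of shutdown test, then demote, is the safe one; the script only tells you what would still be handed the dead address in the meantime.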

