Demoting and removing a Domain Controller from a Forest

There are particular situations where moving or removing a Domain Controller responsible for a Active Directory Forest/Domain might be desired. For example, when upgrading from one version of Windows Server to another without doing an in-place upgrade and/or getting prepared to run the ADPREP tool.

In order to accomplish this you need to determine which Domain Controllers have ownership over the particular Flexible Single Master Operations (FSMO) roles (also known as operations master roles) in use by Active Directory.

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

  1. Schema Master: The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
  2. Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. There can be only one domain naming master in the whole forest.
  3. Infrastructure Master: The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
  4. Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. At any one time, there can be only one domain controller acting as the RID master in the domain.
  5. PDC Emulator: The PDC emulator is a domain controller that advertises itself as the primary domain controller (PDC) to workstations, member servers, and domain controllers that are running earlier versions of Windows. For example, if the domain contains computers that are not running Microsoft Windows XP Professional or Microsoft Windows 2000 client software, or if it contains Microsoft Windows NT backup domain controllers, the PDC emulator master acts as a Windows NT PDC. It is also the Domain Master Browser, and it handles password discrepancies. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

There are many methods for this, but there are some PowerShell commands that can be run to determine this as well as some diagnostics tools as well as some MMC SnapIn’s as well which are documented on TechNet.

First lets find the PDC Emulator using PowerShell on Windows Server 2012:

Get-ADDomainController -Discover -Service PrimaryDC

Domain      : ronbok.us

Forest      : ronbok.us

HostName    : {RONBOKDC2.ronbok.us}

IPv4Address : 172.16.0.2

IPv6Address :

Name        : RONBOKDC2

Site        : Default-First-Site-Name

 

Continuing with PowerShell, the following command would have been very useful, however it does appear to fall short in that it does not return any results for our SchemaMaster or DomainNamingMaster. While I have no confirmation of this yet, it appears to be a bug with this command:

Get-ADDomain ronbok.us | FT PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster

 

PDCEmulator                  RIDMaster                    InfrastructureMaster        SchemaMaster                DomainNamingMaster        

———–                  ———                    ——————–        ————                ——————        

RONBOKDC2.ronbok.us          RONBOKDC2.ronbok.us          RONBOKDC2.ronbok.us         {}                          {}                        

Instead, we can use DCDiag or DSQuery to determine all the FSMO roles and which DC’s currently own them:

DCdiag /test:Knowsofroleholders /v

Starting test: KnowsOfRoleHolders

 

         Role Schema Owner = CN=NTDS Settings,CN=RONBOKDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ronbok,DC=us

         Role Domain Owner = CN=NTDS Settings,CN=RONBOKDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ronbok,DC=us

         Role PDC Owner = CN=NTDS Settings,CN=RONBOKDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ronbok,DC=us

         Role Rid Owner = CN=NTDS Settings,CN=RONBOKDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ronbok,DC=us

         Role Infrastructure Update Owner = CN=NTDS Settings,CN=RONBOKDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=

ronbok,DC=us

         ……………………. RONBOKDC1 passed test KnowsOfRoleHolders

 

dsquery server -hasfsmo pdc

dsquery server -hasfsmo rid

dsquery server -hasfsmo infr

dsquery server -hasfsmo schema

dsquery server -hasfsmo name

Now that you’ve determined which DC owns which role, we can move them to newly built Domain Controllers that may exist in your environment.  So, by example, if I built out a Windows Server 2012 R2 DC (RonBokDC1) as part of the same domain and now want to move all roles to it the following PowerShell command would be useful:

#Move-ADDirectoryServerOperationMasterRole -Identity “RonBokDC1” -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster

#

Move-ADDirectoryServerOperationMasterRole -Identity “RonBokDC1” -OperationMasterRole PDCEmulator

Move-ADDirectoryServerOperationMasterRole -Identity “RonBokDC1” -OperationMasterRole RIDMaster

Move-ADDirectoryServerOperationMasterRole -Identity “RonBokDC1” -OperationMasterRole InfrastructureMaster

Move-ADDirectoryServerOperationMasterRole -Identity “RonBokDC1” -OperationMasterRole SchemaMaster

Move-ADDirectoryServerOperationMasterRole -Identity “RonBokDC1” -OperationMasterRole DomainNamingMaster

Now, once that’s completed I can finally demote the old RonBokDC2 and remove it from the domain.  That’s it!

Advertisements
Tagged with: , , ,
Posted in Windows Server 2012
One comment on “Demoting and removing a Domain Controller from a Forest
  1. jbernec says:

    Nice article. The Get-ADForest powershell cmdlet will display the SchemaMaster and DomainNamingMaster .

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: