Tuesday, April 9, 2019

active directory - Redoing AD: How to completely remove old domain from the network without re-installing Windows?



We currently have two DCs for our one domain but as of now do not have anyone actually authenticating to them, so I'd like to take the chance to install it correctly. The domain was set up before I was hired and was done sloppily and is also using the correct naming structure as per this MdMarra post. http://www.mdmarra.com/2013/04/best-practices-for-configuring-new.html



I've decommissioned DCs in the past, seized/transferred roles, etc., but have never tried to completely remove a domain from the network. Will the "/forceremoval" switch + removing metadata be enough?



I'd really like to avoid re-installing Windows.




Other Info: Both on Server 2008 R2. Both have DNS installed. DC1 resides in 192.168.1.x/24 AND 192.168.2.x/24 and runs DHCP for both subnets. DC2 is on 192.168.2.x/24.


Answer



AD DS is a server role that can be removed just like any other server role. Run DCPROMO on both DCs to demote them. When you demote the last DC make sure to select the option that it is the last DC in the domain. This will revert both DCs to standalone servers.



You're probably going to need to revisit and probably reconfigure DHCP and DNS in order to continue to serve your network clients.



EDIT:



Here's my opinion on some of the issues you related in your comment:




rDNS zone missing: an rDNS zone isn't a requirement for AD. It's a preference. There isn't any function of AD that needs or requires an rDNS zone. I personally prefer to create an rDNS zone.



AD Recycle Bin not enabled: Again, this is a preference and not a requirement. I prefer to enable it.



IPv6 enabled: This is debatable. I'm not convinced that it should be disabled. I know that there's a lot of information on the internet for and against but I've never had an issue leaving it enabled and I haven't seen any technical information from MS that recommends disabling it.



No Replication: If the DCs aren't replicating then that's definitely a problem that would need to be resolved if you were leaving the domain intact.
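The demotion sequence the answer describes, scripted as an added example (this is not code from the original question or answer). It targets Server 2008 R2, where demotion is done with dcpromo and an unattended [DCInstall] answer file rather than the newer AD DS cmdlets, and wraps it with the checks an administrator would want before and after: replication and FSMO state first (the answer flags non-replicating DCs as a problem in their own right), then confirmation that the box is a standalone server and that the DNS and DHCP services the question mentions are still there to be reconfigured. The domain name, DC names, file path and the metadata-cleanup distinguished name are placeholders.

```powershell
# Added example, not part of the original Q&A. Demote the non-last DC first
# (DC2 in the question), then the last DC (DC1) with IsLastDCInDomain=Yes,
# and verify the outcome. All names and paths below are placeholders.

$Domain     = 'corp.example'   # placeholder: the domain being removed
$AnswerFile = 'C:\demote.txt'  # placeholder: where the unattend file is written

function Test-PreDemotion {
    # Replication health, role holders and DNS state before anything is removed.
    repadmin /replsummary
    netdom query fsmo
    dcdiag /test:dns /q
}

function New-DemotionAnswerFile {
    param(
        [Parameter(Mandatory)][bool]   $IsLastDC,
        [Parameter(Mandatory)][string] $Path
    )
    $last = if ($IsLastDC) { 'Yes' } else { 'No' }
    # Documented dcpromo [DCInstall] demotion keys. A '*' value makes dcpromo
    # prompt for the password so it is never stored in the file.
    @"
[DCInstall]
UserName=Administrator
UserDomain=$Domain
Password=*
AdministratorPassword=*
IsLastDCInDomain=$last
RemoveApplicationPartitions=Yes
RetainDCMetadata=No
DemoteFSMO=Yes
RebootOnCompletion=Yes
"@ | Set-Content -Path $Path -Encoding ASCII
}

function Invoke-Demotion {
    param([Parameter(Mandatory)][bool] $IsLastDC)
    New-DemotionAnswerFile -IsLastDC $IsLastDC -Path $AnswerFile
    # A plain unattended run is the graceful path the answer recommends.
    # /forceremoval (asked about in the question) is only for a DC that can no
    # longer reach the rest of the domain, and then the stale server object has
    # to be cleaned up on a surviving DC; see Remove-StaleDcMetadata below.
    & dcpromo.exe /unattend:$AnswerFile
    Remove-Item $AnswerFile -ErrorAction SilentlyContinue
}

function Remove-StaleDcMetadata {
    # Run on a surviving DC only after a forced removal. The DN is a placeholder
    # for the site and server object of the DC that was force-removed.
    param([string] $ServerDN = 'CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example')
    ntdsutil "metadata cleanup" "remove selected server $ServerDN" quit quit
}

function Test-PostDemotion {
    # Win32_ComputerSystem.DomainRole: 2 = standalone server, 4/5 = still a DC.
    $role = (Get-WmiObject Win32_ComputerSystem).DomainRole
    Write-Output "DomainRole=$role (expect 2 for a standalone server)"
    # The AD-integrated zones leave with the DC; list what DNS still holds so
    # it can be rebuilt, and confirm DC1's two DHCP scopes survived.
    dnscmd /enumzones
    netsh dhcp server show scope
    Get-Service -Name DNS, DHCPServer | Format-Table Name, Status -AutoSize
}

# Order matters and each demotion reboots the server:
#   on DC2:  Test-PreDemotion; Invoke-Demotion -IsLastDC $false
#   on DC1:  Invoke-Demotion -IsLastDC $true
#   after each reboot:  Test-PostDemotion
```

Demote the last DC only once the other one is already gone, otherwise IsLastDCInDomain=Yes would orphan a DC that still believes the domain exists; that is the situation in which /forceremoval and ntdsutil metadata cleanup become necessary rather than optional.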

