Remove Active Directory from first Domain Controller in a Windows 2003 Server environment

Preface
I installed two new Microsoft Windows 2003 servers as Active Directory domain controllers, with the intent of replacing the original two Microsoft Windows 2003 domain controllers. Removing Active Directory from one of the original domain controllers with DCPROMO was relatively easy. The other was not.

Problem
Although I am a member of the Enterprise Administrators group, DCPROMO failed to remove AD. For the removal to succeed, the Enterprise Administrators group must have Universal group scope. I had assumed that the Enterprise Administrators group already had Universal scope; as assumptions go, I was incorrect. The group had Global scope, because the domain functional level was still Windows 2000 mixed.

Procedure
Note: Leave the first Domain Controller intact; do not attempt to remove any services (i.e. Global Catalog or DNS) at this point.

  • Log on with an account that is in the Enterprise Administrator group

Logging on as an Enterprise Administrator prevents the 0x2098 Insufficient access rights error when attempting to transfer the schema master.

  • Add Global Catalog to new Domain Controller

Active Directory Sites and Services -> Sites -> Default-First-Site-Name -> Servers -> YOURTARGETNAME -> Right click on NTDS Settings -> Select Properties -> Check Global Catalog

  • Domain functional level should at least be Windows 2000 native.

In Active Directory Users and Computers, right-click your.domain.com and select Raise Domain Functional Level… to verify the level, or change it if needed. After raising the domain functional level to native, the Enterprise Administrators group automatically becomes Universal in scope.

  • I added myself to the Schema Admins group; use GPRESULT to verify membership.
  • Transfer FSMO roles in Windows Server 2003 (http://support.microsoft.com/kb/324801)

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are: Schema Master, Domain naming master, Infrastructure Master, Relative ID (RID) Master, and PDC Emulator. You can transfer FSMO roles by using the Ntdsutil.exe command-line utility.

ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server YOURTARGETNAME
server connections: q
fsmo maintenance: transfer PDC
fsmo maintenance: transfer RID master
fsmo maintenance: transfer schema master
fsmo maintenance: transfer infrastructure master
fsmo maintenance: transfer domain naming master

Final Results

Server "YOURTARGETNAME" knows about 5 roles
Schema - CN=NTDS Settings,CN=YOURTARGETNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=erictest,DC=csc,DC=com
Domain - CN=NTDS Settings,CN=YOURTARGETNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=erictest,DC=csc,DC=com
PDC - CN=NTDS Settings,CN=YOURTARGETNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=erictest,DC=csc,DC=com
RID - CN=NTDS Settings,CN=YOURTARGETNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=erictest,DC=csc,DC=com
Infrastructure - CN=NTDS Settings,CN=YOURTARGETNAME,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=erictest,DC=csc,DC=com

  • Uncheck Global Catalog on old Domain Controller
  • Remove DNS from old Domain Controller

When the Active Directory DC was created, DNS was configured automatically; however, the DNS service (at least in my case) had to be removed before AD could be removed.

  • Change the DNS server on the network adapter to point to another DNS server. (Since this machine was a DNS server, its network adapter pointed to itself.)
  • Remove AD from the old Domain Controller (do NOT check the box indicating that it is the last DC)
  • Reboot the old Domain Controller; after the reboot it should be a member server
  • Remove yourself from the Schema Admins group
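As an added pre-flight check (not part of the original post), the PowerShell script below verifies the conditions the procedure above depends on before DCPROMO is run: that the domain is no longer Windows 2000 mixed, that Enterprise Admins has Universal scope, that the logged-on account's token includes Schema Admins, and which NTDS Settings objects currently hold the five FSMO roles. It uses ADSI only, so it needs no ActiveDirectory module, and assumes it runs on a host joined to the forest root domain under an account that can read the directory; the group name Enterprise Admins and the well-known RID 518 of Schema Admins are standard values, not taken from the post.

```powershell
# Added example: pre-flight checks before removing AD from the old DC.
# Assumes a domain-joined host in the forest root domain and read access to AD.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext
$schemaDn = [string]$rootDse.schemaNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# 1. Functional level: ntMixedDomain=1 is "Windows 2000 mixed", the state that
#    left the Enterprise Admins group with Global rather than Universal scope.
$mixed = [int]$domain.ntMixedDomain.Value
if ($mixed -eq 1) {
    Write-Warning "Domain is still Windows 2000 mixed; raise it to Windows 2000 native or higher first."
} else {
    Write-Host "Domain functional level is native or higher (ntMixedDomain=$mixed)."
}

# 2. Enterprise Admins scope: groupType bit 0x8 = Universal, 0x2 = Global.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter = "(&(objectCategory=group)(cn=Enterprise Admins))"
$ea = $searcher.FindOne()
if ($null -eq $ea) { throw "Enterprise Admins not found; run this in the forest root domain." }
$groupType = [int]$ea.Properties["grouptype"][0]
if ($groupType -band 0x8) {
    Write-Host "Enterprise Admins has Universal scope."
} else {
    Write-Warning "Enterprise Admins is not Universal (groupType=$groupType); DCPROMO will fail."
}

# 3. Schema Admins (well-known RID 518) must be in the logon token, not only in
#    AD: a membership added after logon takes effect at the next logon, which is
#    what the GPRESULT check in the post confirms.
$token = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$inSchemaAdmins = @($token.Groups | Where-Object { $_.Value -like "*-518" }).Count -gt 0
if ($inSchemaAdmins) { Write-Host "Current token includes Schema Admins." }
else { Write-Warning "Schema Admins is not in the current token; add yourself and log on again." }

# 4. FSMO holders: fSMORoleOwner on each role's object is the NTDS Settings DN,
#    the same DNs ntdsutil prints under "knows about 5 roles".
$roles = @{
    "Schema"         = "LDAP://$schemaDn"
    "Domain naming"  = "LDAP://CN=Partitions,$configDn"
    "PDC"            = "LDAP://$domainDn"
    "RID"            = "LDAP://CN=RID Manager`$,CN=System,$domainDn"
    "Infrastructure" = "LDAP://CN=Infrastructure,$domainDn"
}
foreach ($name in $roles.Keys) {
    $owner = [string]([ADSI]$roles[$name]).fSMORoleOwner
    Write-Host ("{0,-15} {1}" -f $name, $owner)
}
```

Run it once before the ntdsutil transfer and again afterwards: the second run should list the new domain controller's NTDS Settings DN for all five roles, matching the Final Results above.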