In addition to being able to promote member
servers to domain controllers, the Active Directory Installation Wizard
can do the exact opposite—demote domain controllers.
You might choose to demote a domain controller for a
couple of reasons. First, if you have determined that the role of a
server should change (for example, from a domain controller to a member
or stand-alone server you might make into a web server), you can easily
demote it to make this happen. Another common reason to demote a domain
controller is if you wish to move the machine from one domain to
another. You cannot do this in a single step: you first demote the
existing domain controller to remove it from the current domain and
then promote it into the new domain. The end result is that the server
is now a domain controller for a different domain.
You're the Senior Systems Administrator for a
medium-sized Active Directory environment. Currently, the environment
consists of only one Active Directory domain. Your company's network is
spread out through 40 different sites within North America. Recently,
you've received complaints from users and other system administrators
about the performance of Active Directory–related operations. For
example, users report that it takes several minutes to log on to their
machines in the morning between the hours of 9 and 10am when activity
is at its highest. Simultaneously, systems administrators complain that
updating user information within the OUs for which they are responsible
can take longer than expected.
One network administrator, who has a strong Windows
NT 4 domain background but little knowledge of Active Directory design,
suggests that you create multiple domains to solve some of the
performance problems. However, you know that this would significantly
change the environment and could make administration more difficult.
Furthermore, the company's business goals involve keeping all company
resources as unified as possible.
Fortunately, Active Directory's distributed domain
controller architecture allows you to optimize performance for this
type of situation without making dramatic changes to your environment.
You decide that the quickest and easiest solution is to deploy
additional domain controllers throughout the organization. The domain
controllers are generally placed within areas of the network that are
connected by slow or unreliable links. For example, a small branch
office in Des Moines, Iowa, receives its own domain controller. The
process is quite simple: you install a new Windows Server 2008 computer
and then run the Active Directory Installation Wizard (DCPROMO) to make
the new machine a domain controller for an existing domain. Once the
initial directory services data is copied to the new server, it is
ready to service requests and updates of your domain information.
Note that there are potential drawbacks to this
solution; for instance, you have to manage additional domain
controllers and the network traffic generated from communications
between the domain controllers.
To demote a domain controller, you simply access the
Active Directory Installation Wizard. The wizard automatically notices
that the local server is a domain controller, and it asks you to verify
each step you take, as with most things you do in Windows. You are
prompted to decide whether you really want to remove this machine from
the current domain (see Figure 1).
Note that if the local server is a Global Catalog (GC) server, you will
be warned that at least one copy of the GC must remain available so
that you can perform logon authentication.
In order for a domain to continue to exist, at least
one domain controller must remain in that domain. As noted in the
dialog box in Figure 1, you must take some very important
considerations into account if you are removing the last domain
controller from the domain. Because all of the security accounts and
information will be lost, you should ensure that the following
requirements are met before you remove a domain's last domain
controller:
Computers no longer log on to this domain. Ensure that computers that were once members of
this domain have changed domains. If computers are still attempting to
log on, they will not be able to use any of the security features,
including any security permissions or logon accounts. Users will,
however, still be able to log on to the computer using cached
authenticated information.
No user accounts are needed. All of the user accounts that reside within the
domain (and all of the resources and permissions associated with them)
will be lost when the domain is destroyed. Therefore, if you have
already set up usernames and passwords, you need to transfer these
accounts to another domain; otherwise, you will lose all of this
information.
All encrypted data is decrypted. You need the security information (including
User, Computer, and Group objects) stored within the Active Directory
domain database to access any encrypted information. Once the domain no
longer exists, the security information stored within it will no longer
be available, and any encrypted information stored in the filesystem
will become permanently inaccessible. So, you need to decrypt any
encrypted data before you begin the demotion process so that you can
make sure you can access this information afterward. For example, if
you have encrypted files or folders that reside on NTFS volumes, you
should decrypt them before you continue with the demotion process.
All cryptographic keys are backed up. If you are using cryptographic keys to
authenticate and secure data, you should export the key information
before you demote the last domain controller in a domain. Because this
information is stored in the Active Directory database, any resources
locked with these keys become inaccessible once the database is lost as
a result of the demotion process.
By now, you've probably noticed a running theme—a
lot of information disappears when you demote the last domain
controller in a domain. The Active Directory Installation Wizard makes
performing potentially disastrous decisions very easy. Be sure that you
understand these effects before you demote the last domain controller
for a given domain.
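The following pre-demotion check script is an added example, not part of the book's text. Run as a domain administrator on the Windows Server 2008 domain controller you plan to demote, it tests the conditions this section and the wizard warn about (last DC in the domain, no other Global Catalog, EFS-encrypted files still present) and, going slightly beyond the text, whether the server still holds an operations master role; $EfsScanPaths is an assumed list of folders to inspect.

```powershell
# Pre-demotion checklist for a Windows Server 2008 domain controller.
# Added example, not from the book. Run in an elevated PowerShell session
# on the DC you plan to demote, as a domain administrator. It uses the .NET
# System.DirectoryServices.ActiveDirectory classes shipped with the OS, so
# the Active Directory PowerShell module is not required.
# $EfsScanPaths is an assumed list: point it at the NTFS folders to check.
$EfsScanPaths = @('C:\Users', 'D:\Shares')

$cs = Get-WmiObject -Class Win32_ComputerSystem
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
if (@(4, 5) -notcontains $cs.DomainRole) {
    throw 'This machine is not a domain controller; nothing to demote.'
}
$localFqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. Will any domain controller be left in the domain after demotion?
$otherDcs = @($domain.FindAllDomainControllers() | Where-Object { $_.Name -ne $localFqdn })
if ($otherDcs.Count -eq 0) {
    Write-Warning "$localFqdn is the LAST DC in $($domain.Name): accounts, permissions and keys are destroyed on demotion."
} else {
    "Other DCs remaining in $($domain.Name): " + (($otherDcs | ForEach-Object { $_.Name }) -join ', ')
}

# 2. Will a Global Catalog remain so that logon authentication still works?
$otherGcs = @($forest.FindAllGlobalCatalogs() | Where-Object { $_.Name -ne $localFqdn })
if ($otherGcs.Count -eq 0) {
    Write-Warning 'No other Global Catalog exists in the forest; keep one available before demoting.'
}

# 3. Does this DC hold an operations master (FSMO) role that must be transferred first?
$roles = @{
    'PDC Emulator'          = $domain.PdcRoleOwner.Name
    'RID Master'            = $domain.RidRoleOwner.Name
    'Infrastructure Master' = $domain.InfrastructureRoleOwner.Name
    'Schema Master'         = $forest.SchemaRoleOwner.Name
    'Domain Naming Master'  = $forest.NamingRoleOwner.Name
}
foreach ($r in $roles.Keys) {
    if ($roles[$r] -eq $localFqdn) { Write-Warning "$localFqdn holds the $r role; transfer it before demoting." }
}

# 4. Any EFS-encrypted files that must be decrypted before the domain's keys are lost?
$encrypted = foreach ($p in $EfsScanPaths) {
    if (Test-Path $p) {
        Get-ChildItem -Path $p -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { ($_.Attributes -band [IO.FileAttributes]::Encrypted) -ne 0 }
    }
}
if ($encrypted) { Write-Warning 'EFS-encrypted files found; decrypt them first:'; $encrypted | ForEach-Object { $_.FullName } }
```

The file scan only covers the folders listed in $EfsScanPaths, so widen that list to every NTFS volume on the server before trusting a clean result.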
By default, at the end of the demotion process, the
server is joined as a member server to the domain for which it was
previously a domain controller. If you demote the last domain
controller in the domain, the server becomes a stand-alone server.
Removing a domain from your environment is
not an operation that you should take lightly. Before you plan to
remove a domain, make a list of all the resources that depend on the
domain and the reasons why the domain was originally created. If you
are sure your organization no longer requires the domain, then you can
safely continue. If you are not sure, think again, because the process
cannot be reversed and you could lose critical information!