Hi guys.
I am in a new environment and demoting DCs, as some sites have too many and I am trying to clean stuff up. I have demoted domain controllers several times in other environments, but since I am doing several I thought I would check to see if anyone has some really good steps to go through for demoting a DC.
The main issues I am concerned about are incoming LDAP connections from other servers, as nothing is documented. All of the DCs are running DNS as well, but DHCP, NPS, etc are not a concern. Here is what I am thinking, but if anyone has some better steps, let me know.
1. Check to make sure the DC is not running DHCP
2. Check to make sure that no DHCP servers have server/scope options using the DC as DNS/WINS references, etc.
3. Run a script against all other Windows servers to check their DNS settings.
4. Check to make sure that the DC does not have any of the FSMO roles
5. Check replication? Any recommendations?
6. Check and make sure it is not running TS/RDP licensing
7. Check and make sure it does not contain private key for EFS
8. Check for LDAP connections coming in. Can I use a log, or should I use a perfmon counter?
9. Run dcpromo and remove it
Are there any other recommended steps that you guys can think of? Such as removing the global catalog first, or somehow tracing to make sure Exchange, etc. is not referencing the global catalog on that DC?
Thanks,
Dan
Dan Heim
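
For step 8, one way to see which hosts are talking LDAP or global catalog to the DC is to summarise `netstat -ano` output by remote address. This is an added example, not part of the original post; the function name `Get-LdapClient` is hypothetical and the sample lines are constructed.

```powershell
# Added example: summarise remote clients of the LDAP / global catalog ports
# from `netstat -ano` output. Get-LdapClient is a hypothetical helper name.
$LdapPorts = @{ 389 = 'LDAP'; 636 = 'LDAPS'; 3268 = 'GC'; 3269 = 'GC-SSL' }

function Get-LdapClient {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [string[]] $NetstatLine
    )
    begin { $seen = @{} }
    process {
        foreach ($line in $NetstatLine) {
            # Columns: Proto  Local:Port  Remote:Port  State  PID
            $pattern = '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(ESTABLISHED|TIME_WAIT|CLOSE_WAIT)\b'
            if ($line -notmatch $pattern) { continue }
            $local     = $Matches[1]
            $localPort = [int]$Matches[2]
            $remote    = $Matches[3]
            # Keep only connections that terminate on one of the DC's directory ports
            if (-not $LdapPorts.ContainsKey($localPort)) { continue }
            # Ignore the DC's own services connecting to itself
            if ($remote -eq $local) { continue }
            $key = "$remote|$($LdapPorts[$localPort])"
            $seen[$key] = 1 + $seen[$key]
        }
    }
    end {
        foreach ($key in $seen.Keys) {
            $remote, $service = $key -split '\|'
            New-Object PSObject -Property @{
                RemoteAddress = $remote; Service = $service; Connections = $seen[$key]
            }
        }
    }
}

# Constructed sample lines in `netstat -ano` format (not real data).
# On the DC itself, use instead:  netstat -ano | Get-LdapClient
$sample = @(
    '  TCP    192.0.2.10:389     192.0.2.51:49812   ESTABLISHED     624'
    '  TCP    192.0.2.10:389     192.0.2.51:49813   ESTABLISHED     624'
    '  TCP    192.0.2.10:3268    192.0.2.60:50122   ESTABLISHED     624'
    '  TCP    192.0.2.10:636     192.0.2.10:51001   ESTABLISHED     624'
    '  TCP    192.0.2.10:445     192.0.2.77:50300   ESTABLISHED     4'
    '  TCP    192.0.2.10:389     192.0.2.90:50411   TIME_WAIT       0'
    '  TCP    0.0.0.0:389        0.0.0.0:0          LISTENING       624'
)
$sample | Get-LdapClient | Sort-Object RemoteAddress |
    Select-Object RemoteAddress, Service, Connections
```

`netstat` only shows a snapshot, so the output needs to be collected repeatedly over a representative period (for example from a scheduled task appending to a file) to catch clients that connect only occasionally.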