I did all of the below while logged in as the domain administrator.
I had two AD sites, each with it's own domain controller. The "backup" domain controller was over a site-to-site VPN, all traffic allowed, and was the ONLY server in that AD site/subnet. Realizing it was pointless to have this domain controller all by itself on it's own subnet over a site-to-site VPN, I spun up a 3rd domain controller in the same site/subnet as the original domain controller.
I left it for a few days to let all three sync up -- made sure repadmin /showrepl and repadmin /replsummary all showed SUCCESSFUL results. Yay! Before demoting the server that's all by itself (in the AD site/subnet on the other end of the site-to-site VPN), I made sure ALL other domain-joined member server's DNS were pointing to the original DC, and my newly created 3rd DC, and also made sure the original DC was holding ALL FSMO roles (it was). So at this point I have 3 DC's, all GC's.
I first demoted the server that's all by itself in the remote AD site (I did check the "Force the removal of this domain controller" checkbox), rebooted, then re-ran the add/remove roles a second time to REMOVE the ADDS Role, and rebooted. After seeing the "SUCCESSFULLY DEMOTED" prompt (screenshot below), I thought all was well. Then I removed the member server from the domain and rebooted. I even checked the servers had the necessary firewall ports open for proper AD communication prior to the demotion and removal of ADDS role:
- TCP 53 (DNS)
- TCP 88 (Kerberos Key Distribution Center)
- TCP 135 (Remote Procedure Call)
- TCP 139 (NetBIOS Session Service)
- TCP 389 (LDAP)
- TCP 445 (SMB, Net Logon)
- TCP 464 (Kerberos Password)
- TCP 3268 (Global Catalog)
- TCP 49152 – 65535 (Randomly Allocated High Ports)
- UDP 53 (DNS)
- UDP 88 (Kerberos)
- UDP 123 (NTP)
- UDP 389 (LDAP)
- UDP 445
- UDP 464
Because it was "SUCCESSFULLY DEMOTED", I expected to not see this demoted/ADDS-role-removed/dejoined-from-domain server in the Domain Controllers OU, or in AD Sites & Services, yet there it is. It even has the NTDS settings there surprisingly -- most threads I read only the server is still there but with NO NTDS settings under it.
Thoughts anyone? Please provide relevant LINKS to assist with your comments. Many thanks!!
APOLOGIES if this question isn't formatted property. I almost tore my hair out trying to figure all the formatting out and just gave up!!!!
From a command prompt on the remaining Domain Controllers run the following command:
nltest /dclist:YourDomain
If they all have a consistent view of which DC's exist and none of them list the demoted DC, then just manually clean up the demoted DC in ADUC, ADS&S, and DNS.