I know how to demote a domain controller (done it before) but I need to do it for two physical old DCs on a much more 'important' and strictly controlled domain than that which I previously did it for. My question is what additional checks should I run to make sure nothing will break after I demote the domain controllers.
The domain in question is mostly virtualized (including the two new DCs). One of the new DCs has had the FSMO roles for a while now, without any issues, and it is the authoritative time server for the domain. When I run dcdiag it fails only one test (NCSecDesc). The failure of this particular test is acceptable because we will never have RODCs on this domain. All of the member servers have their DNS settings pointing at the new DCs.
As a pre-demotion experiment - can I switch these DCs off for a while to see that the domain continues to function without them? Would this not cause replication issues or other issues?
It seems that you have already thought of everything.
Simply turning them off will make the AD balk at you at most, and might slow some operations in edge cases. Nothing should break.
The only danger (and it's not clear from the available information whether it's a real danger) I see here is that your virtualization platform might have dependencies on your AD (→ virtualized DCs). This will bite you hard after your virtualization platform goes/is taken down for whatever reason, since there's a circular dependency.
In this case you must either decouple the two, leave one or more physical DC, or plan very well for doing maintenance or how to recover from a disaster.
As with most things, the best (and first) precaution you should take is ensuring you have proper backups, and that they are restore-tested.
Otherwise, I can't think of any precautions you need to take before demoting your domain controllers. You ran (and passed) dcdiag, you're not demoting a FSMO role holder, they're not the last DCs in the domain, your other DCs work, and your clients are pointing at DCs you won't be demoting.
Assuming you're demoting the 2003 DCs, the only other thing I'd do is keep the instructions for forcefully demoting a domain controller handy, since they sometimes don't demote gracefully for no apparent reason. And, just for extra caution, maybe the instructions for deleting a failed DC from AD in case things go really wrong.
Having said all that about being careful, at least 99 times out of 100, demoting a domain controller goes smooth, so it shouldn't be considered especially dangerous or risky.
Bit of an old thread, but I thought I would post my experience as I am doing demotions at the moment.
Take AD (system state) backups of at least 2 live DCs.
Run
- DCDiag
- DCDiag /test:DNS
- repadmin /replsummary
on all your live DCs to make sure all is healthy.
Take them off the network for a couple of days to see if anything breaks (we had an authentication system using LDAP on one DC we forgot about). You will see AD replication and RPC unavailable errors relating to them, but this is OK.
Finally do them one at a time with a few hours in between to make sure replication is successful.
Don't forget about other services that could be in use on the DC (DNS, DHCP, WINS, LDAP, etc.).
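The checks the answers above recommend (no FSMO roles on the box, another DC and global catalog left, dcdiag and replication clean, no other roles such as DNS/DHCP/WINS still served, no forgotten LDAP clients, no member server still pointing its DNS at the old DC) can be scripted so they are run the same way on each old DC before the demotion. The following is an added example written for this page, not code from any of the posters. It assumes hypothetical names (OLDDC1 for the DC being demoted, APP01 and SQL01 as member servers to audit), an admin host with Windows PowerShell 5.1, the ActiveDirectory RSAT module and the dcdiag/repadmin tools, and PowerShell remoting to the old DC for the netstat step (on a 2003 DC run netstat -n on the box itself instead). It only reads; take the system state backups first.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original thread. Hypothetical names: OLDDC1 is the
# DC to demote, APP01/SQL01 are member servers whose DNS settings are audited.
# Take a system state backup of two live DCs before demoting, e.g.
#   wbadmin start systemstatebackup -backupTarget:<drive>
# This script is read-only: it collects blockers and exits 1 if it finds any.
[CmdletBinding()]
param(
    [string]$TargetDC = 'OLDDC1',                    # assumed name
    [string[]]$MemberServers = @('APP01', 'SQL01')  # assumed names
)
$ErrorActionPreference = 'Stop'
$problems = New-Object System.Collections.Generic.List[string]

$domain = Get-ADDomain
$forest = Get-ADForest
$allDCs = Get-ADDomainController -Filter *
$target = $allDCs | Where-Object Name -eq $TargetDC
if (-not $target) { throw "$TargetDC is not a DC in $($domain.DNSRoot)" }

# 1. The DC must hold no FSMO role (AD reports role holders as FQDNs).
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -ieq $target.HostName) { $problems.Add("$TargetDC still holds $($r.Key)") }
}

# 2. Another DC and another global catalog must remain after the demotion.
$others = $allDCs | Where-Object Name -ne $TargetDC
if (-not $others) { $problems.Add("$TargetDC is the last DC in the domain") }
elseif (-not ($others | Where-Object IsGlobalCatalog)) { $problems.Add('No other global catalog would remain') }

# 3. Health of every live DC: dcdiag (/q prints failures only) plus replication state.
foreach ($dc in $allDCs.HostName) {
    foreach ($opts in @(@('/q'), @('/test:DNS', '/q'))) {
        $out = & dcdiag.exe "/s:$dc" @opts 2>&1
        if ($out) { $problems.Add("dcdiag $($opts[0]) on ${dc}: $($out -join ' ')") }
    }
}
& repadmin.exe /replsummary | Write-Host          # human-readable summary, as in the answer
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
foreach ($f in $failures) { $problems.Add("Replication failure on $($f.Server): $($f.LastError)") }

# 4. Other roles the old DC may still be serving (DNS, DHCP, WINS service names).
$svc = Get-Service -ComputerName $TargetDC -Name DNS, DHCPServer, WINS -ErrorAction SilentlyContinue |
       Where-Object Status -eq 'Running'
foreach ($s in $svc) { $problems.Add("$TargetDC still runs $($s.Name); move or decommission it first") }

# 5. Who is still talking to it? Established sessions on LDAP/LDAPS/GC/Kerberos/DNS
#    from hosts that are not DCs (the 'forgotten LDAP client' from the answer).
$dcIPs   = $allDCs.IPv4Address
$netstat = Invoke-Command -ComputerName $TargetDC -ScriptBlock { netstat.exe -n }
$clients = foreach ($line in $netstat) {
    if ($line -match '^\s*TCP\s+\S+:(389|636|3268|3269|88|53)\s+(\d+\.\d+\.\d+\.\d+):\d+\s+ESTABLISHED') {
        if ($matches[2] -notin $dcIPs) { "$($matches[2]) -> port $($matches[1])" }
    }
}
foreach ($c in ($clients | Sort-Object -Unique)) { $problems.Add("Non-DC client still bound to ${TargetDC}: $c") }

# 6. No member server may still list the old DC as a DNS server (WMI via DCOM also
#    reaches older hosts that have no PowerShell remoting).
foreach ($srv in $MemberServers) {
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $srv -Filter 'IPEnabled=TRUE'
    $dns = @($cfg | ForEach-Object { $_.DNSServerSearchOrder })
    if ($dns -contains $target.IPv4Address) {
        $problems.Add("$srv still uses $TargetDC ($($target.IPv4Address)) for DNS")
    }
}

# Report. Anything listed here is fixed, or consciously accepted (as the question's
# NCSecDesc failure is), before the demotion is run.
if ($problems.Count -eq 0) { Write-Host "No blockers found for demoting $TargetDC"; exit 0 }
$problems | ForEach-Object { Write-Warning $_ }
exit 1
```

Step 5 is the scripted form of the "take them off the network for a couple of days" test: a netstat snapshot only shows clients connected at that moment, so run it a few times across a working day (and a month-end if batch jobs matter) before trusting it, and still keep the old DC powered off for a while before the actual demotion. Rerun the whole script against the second old DC after the first demotion has replicated, which is the "one at a time with a few hours in between" advice above.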