RE: Removing Child Domain
From: preiner (preiner_at_comcast.net)
Date: 03/16/04
- Next message: preiner: "RE: Trusted Domain (Sites and Services)"
- Previous message: Brian Desmond [MVP]: "Re: Printer Share Organization"
- In reply to: Bill: "Removing Child Domain"
- Next in thread: Bill: "RE: Removing Child Domain"
- Reply: Bill: "RE: Removing Child Domain"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 15 Mar 2004 22:51:05 -0800
(this information is presented as-is. It is deemed reliable by me, but then... what do I know?)
Generally, this is a pretty straightforward procedure but there are a few requisite steps...
1) You need to unjoin any workstations from that child domain or move them to another domain or they will be orphaned when the child disappears.
2) You need to move the users and/or verify that the accounts are no longer needed.
3) You need to ensure you are not removing the first domain in the forest (sometimes called the forest root domain). This shouldnt be a problem since you indicate you are removing a child.
4) The domain being removed should not be a parent of another domain. That is, if the domain you wish to remove is called us.microsoft.com, then you must not have a child domain called la.us.microsoft.com because la would become an orphaned child. This installation option is rare - i doubt you do this.
5) If any of the DCs being removed are GCs, check to make sure that there are other GCs up otherwise you will find yourself unable to login because the only GC(s) were killed.
6) Make sure any services like exchange or RRAS or whatever are uninstalled from the DCs
7) Any data on the DCs you wish to save is backed up.
8) I assume the VPN is up and so are the DCs for the child domain. If you have already lost DCs or connectivity, you may be doing what is called a "forced demotion". In that case, I would call tech support to get the list of steps. This has been done many times, but let tech support help.
8) Chant / Pray / whatever. It couldnt hurt.
----
Now the basic steps.
1) Do a basic health check. You dont want to be doing major operations like this when things are already sick.
The health check should include (but not limited to)
a) make sure DNS is able to resolve the other domains in the forest
b) all other DCs are up
c) Run DCDIAG on the DC(s) to be removed. Make sure they arent in distress. Operations will likely fail if the DC is already having issues
d) make sure all the other partitions are replicating.
e) make sure all FSMOs / role holders are up. I know the domain naming master is critical, very likely is the PDC - others likely less important..But get them all up... Make sure the IM is not on a GC since you are not a single domain forest.
f) make sure timesync is healthy forestwide
this is all basic health stuff
2) Run DCPromo on the DC that is going away. Everything should go smooth-just follow the prompts.
3) Repeat DCPromo for each DC going away until you are at the last one. You will see a question like "is this the last DC in the domain". Say yes this time.
(I am of the belief that you could (in theory), skip demoting all of the DCs and just demote one DC and lie and say this is the final DC - but Im dont have a test forest to try this).
4) Check replication on the other domains. The forest should be clean after replication completes.
5) Check the dcpromo.log file if you want to verify no errrors occured.
6) Clean up the turds in the configuration container (thats a techical term). If you had sites defined that only had DCs from the dead domain, you will now have empty sites. KCC will complain. Remove the sites, ip subnets, and related drivel.
7) Do a check for server objects in the configuration container. I believe these are cleaned up, but I expect the unexpected. You may have to manually delete these.
Optional
8) ACLs on servers in the domains that are still alive MAY have references to users orphaned on them (this is due to the way MS architected Windows --- dont go there)...
For example, if bob.us.microsoft.com had rights to a directory on a server called FS1.europe.microsoft.com, then this ACL physically exists on the FS1 server. When you demote the US domain, the european server has a reference for a now-defunct bob user.
This isnt a major issue. Its sort of a housecleaning issue. Its not elegant to leave millions of dead references around..but thats what occurs.
You can get a utility from the resource kit and run it on every server (DC and member) left and it will check all references and delete the old ones...if you like. Truly this is optional
----- Bill wrote: -----
I have a W2K domain with 2 child domains - they are office
in different locations, connected by hardware VPN. One
office is gone, so I need to remove its child domain and
leave the other in place.
I am looking for a good step by step to do this, and don't
find it in KB or other resources.
Any help here? Thanks.
- Next message: preiner: "RE: Trusted Domain (Sites and Services)"
- Previous message: Brian Desmond [MVP]: "Re: Printer Share Organization"
- In reply to: Bill: "Removing Child Domain"
- Next in thread: Bill: "RE: Removing Child Domain"
- Reply: Bill: "RE: Removing Child Domain"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
