Deleting a trust relationship and Demoting last DC in domain.

  • Deleting a trust relationship and Demoting last DC in domain.

    Hi,

    We have a trust relationship between 2 domains. There's only one server left in the old domain (the one holding all FSMO roles), so I wanted to put an end to the trust relationship and then demote the last DC in the old domain. Then, I guess I could do a dcpromo on the old DC to join it to the new domain as a member server. I'd like to know if I should follow any particular steps before deleting the trust relationship and removing the last DC in a domain (I'm gonna build myself a checklist to make sure I won't miss anything and run into problems...)

    Best regards,

    trep

  • #2
    Re: Deleting a trust relationship and Demoting last DC in domain.

    Is it part of a forest or is it all alone (forest/domain all in one)?
    Is there anything left on the old domain besides the DC (servers, workstations, etc.)?
    What about DNS, do you need that zone for something?
    Last edited by Akila; 19th June 2008, 20:56.



    • #3
      Re: Deleting a trust relationship and Demoting last DC in domain.

      I hope they are both in a different forest. If not, you cannot delete the root domain.
      [Powershell]
      Start-DayDream
      Set-Location Malibu Beach
      Get-Drink
      Lay-Back
      Start-Sleep
      ....
      Wake-Up!
      Resume-Service
      Write-Warning
      [/Powershell]

      BLOG: Therealshrimp.blogspot.com



      • #4
        Re: Deleting a trust relationship and Demoting last DC in domain.

        Well... I'm pretty sure this was set up in 2 forests.

        I'll give as much info as I have on this. Basically, the old domain was set up, like, 3 years ago. Let's call it olddomain.com. The new server was bought not long ago and was set up in a remote office (not linked in any way to the old server's network). It was set up as a new domain in a new forest. Let's call this domain newdomain.local. We then brought the 2 DCs to the same physical place, on the same network. We set up a trust relationship between the 2 domains. Here's the info I can give on the trust relationship and the role holders.

        FSMO roles holder for olddomain.com is the old server (for all 5)
        FSMO roles holder for the newdomain.local is the new server (for all 5)

        Trust type:
        External

        Direction of trust:
        Two-way: Users in the local domain can authenticate in the specified domain and users in the specified domain can authenticate in the local domain.

        Transitivity of trust:
        This trust is not transitive. Only users from the directly trusted domain may authenticate in the trusting domain.

        Authentication:
        Domain-wide authentication

        So, looking at the trust type and the way we set up the new DC/domain, I'm guessing there are 2 forests. It's kind of lame on my part to not be sure about this, but I always managed small networks with simple architecture hehe, sorry about this.

        As for olddomain.com, the old server is still in use for printer sharing and as a file server. Since everyone authenticates on the new domain, I've set up permissions so that the new users can access resources on the old server. Besides that, there are a few applications still running, like a license server, but these are domain independent.

        Best regards,

        trep



        • #5
          Re: Deleting a trust relationship and Demoting last DC in domain.

          Hi,


          If there is no dependency on the old domain/forest (DNS, DHCP, messaging, file server, etc.) then I don't think that there is any harm in removing olddomain.

          Steps...

          Remove the trust and wait for 2 days to see if there is a problem, and then demote the old domain and join the old domain machine to the new domain.

          Rgds



          • #6
            Re: Deleting a trust relationship and Demoting last DC in domain.

            Are there any users from the old domain that are using those file servers as well, or is it only users from the new domain that access those file servers?
            If there are still file servers and users on the old domain, then once it is removed, users from the old domain will no longer be able to access those files, since access is based on the old SID of the domain you are just about to remove, unless you duplicated the permissions manually and assigned the new domain users permissions on the file server.

            BTW - it seems both domains are in different forests, based on the fact that you stated that you have 2 DCs with 5 FSMO roles each.
            Last edited by Akila; 20th June 2008, 16:58.
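
The ACL concern raised in post #6, as an added example that is not part of the original thread: a PowerShell function that lists owners and explicit ACEs under a folder tree whose SID belongs to the old domain, so they can be re-permissioned before the trust and the domain are removed. `OLDDOMAIN` (the old domain's NetBIOS name), `D:\Shares` and the function name `Get-OldDomainAce` are assumed placeholders.

```powershell
# Added example, not from the thread. Run on the file server while the old domain still exists.
function Get-OldDomainAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $DomainSid
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        try   { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL: $($item.FullName)"; continue }

        # Owner plus explicit ACEs only; inherited ACEs are changed at the folder that defines them.
        $entries = @([pscustomobject]@{ Kind = 'Owner'; Sid = $acl.GetOwner($sidType); Rights = '' })
        foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
            $entries += [pscustomobject]@{
                Kind   = "ACE ($($ace.AccessControlType))"
                Sid    = $ace.IdentityReference
                Rights = $ace.FileSystemRights
            }
        }
        foreach ($e in $entries) {
            # AccountDomainSid is $null for well-known SIDs (BUILTIN, Everyone), so they never match.
            if ("$($e.Sid.AccountDomainSid)" -ne $DomainSid.Value) { continue }
            try   { $name = $e.Sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = '<unresolved>' }
            [pscustomobject]@{
                Path = $item.FullName; Kind = $e.Kind; Sid = $e.Sid.Value
                Account = $name; Rights = $e.Rights
            }
        }
    }
}

# Assumed placeholders: 'OLDDOMAIN' is the old domain's NetBIOS name, 'D:\Shares' the share root.
$account = New-Object System.Security.Principal.NTAccount('OLDDOMAIN', 'Domain Users')
$oldSid  = $account.Translate([System.Security.Principal.SecurityIdentifier]).AccountDomainSid
Get-OldDomainAce -Path 'D:\Shares' -DomainSid $oldSid |
    Export-Csv -Path .\old-domain-aces.csv -NoTypeInformation
```

Every row in the CSV is a permission or ownership that will turn into an unresolvable SID once the old domain is gone; an empty file means the tree depends only on new-domain, local or well-known principals.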



            • #7
              Re: Deleting a trust relationship and Demoting last DC in domain.

              Thanks for the replies.

              There are users left on the old domain still authenticating and using files using their old accounts. Groups were created on the new domain and permissions assigned based on these groups. I'll definitely have to do a cleanup of the permissions though.

              Best regards,

              trep



              • #8
                Re: Deleting a trust relationship and Demoting last DC in domain.

                Then migrate those leftover users to the new domain (assuming they will still need access to those servers), then migrate the file server/s to the new domain as well. After that you may get rid of your old domain.
                You can't demote the last DC before you make sure no one is still using it in some way.



                • #9
                  Re: Deleting a trust relationship and Demoting last DC in domain.

                  Hi,

                  Sorry for the last post, I made some mistakes.

                  There are NO users left on the old domains. All users now authenticate on the new domain. So people only use it for files and printers.

                  When you demote the last domain controller in a domain, does it automatically put itself in a workgroup? Will I be prompted to change the local Administrator password so I can log in when it reboots?

                  Best regards,

                  trep



                  • #10
                    Re: Deleting a trust relationship and Demoting last DC in domain.

                    Before you demote the DC, you need to move the file servers into the new domain or those users would have no access to the files.

                    Once a DC is demoted it enables the local SAM that was disabled when you promoted the machine into a DC. I don't remember if in the demotion process it asks to provide a new Admin password, but you could try and see for yourself: just run DCpromo and see what options it offers, just don't click on the "Finish" part or you would demote the DC.
