Demote Windows 2008 R2 Server Core domain controller


  • Demote Windows 2008 R2 Server Core domain controller

    Environment:
    172.18.1.105 (DEVDC01) Windows 2008 R2 Server Core domain controller in virtual machine
    172.18.1.106 (DEVDC02) Windows 2008 R2 Standard Edition domain controller on physical server


    Because of the issues we have been having with trying to add a VMware vCenter server to Active Directory, we decided to stand up a physical domain controller and demote the virtual domain controller. It is Standard Edition, because Network Policy Server (formerly IAS, formerly RADIUS) won't run on Server Core.

    I was able to transfer the FSMO roles, and migrate the DHCP server configuration to the new physical domain controller.

    When I run dcpromo /unattend:c:\temp\demote.txt to demote the Server Core domain controller, I get the following message:
    Checking if Active Directory Domain Services binaries are installed...
    Active Directory Domain Services Setup

    Validating environment and parameters...

    The local administrator password does not meet the minimum password length requirement of the password policy. Supply a longer password.
    The local administrator's password, which existed before I promoted DEVDC01 to a domain controller, does meet the Windows 2008 default password complexity requirements.

    I have disabled the password complexity requirements in the group policy for the Active Directory, but have no idea how to disable the requirements for the local accounts, or even list and manage the local accounts in Server Core.

    Of course, since this is a virtual machine that no longer holds the FSMO roles, I suppose I could just shut it down and let DEVDC02 do all the work. But I'd like to do a clean and proper demotion, especially since I will probably re-create another domain controller on a physical box with the same name and IP in the near future.

    So how can I disable the password complexity requirements in Windows 2008 R2 Server Core for the local administrator account?
    Last edited by Robert R.; 22nd September 2010, 18:27.

  • #2
    Re: Demote Windows 2008 R2 Server Core domain controller

    Can you post the answer file please.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR



    • #3
      Re: Demote Windows 2008 R2 Server Core domain controller

      FYI: secedit /export /cfg c:\temp\new.cfg on the 2008 Server Core outputs:

      [System Access]
      MinimumPasswordAge = 1
      MaximumPasswordAge = 42
      MinimumPasswordLength = 7
      PasswordComplexity = 0
      PasswordHistorySize = 24
      LockoutBadCount = 0
      RequireLogonToChangePassword = 0
      ForceLogoffWhenHourExpire = 0
      NewAdministratorName = "Administrator"
      NewGuestName = "Guest"
      ClearTextPassword = 0
      LSAAnonymousNameLookup = 0
      EnableAdminAccount = 1
      EnableGuestAccount = 0



      • #4
        Re: Demote Windows 2008 R2 Server Core domain controller

        Can you post the answer file please.
        [DCINSTALL]
        username=administrator
        userdomain=dcad.[domainname.tld]
        password=Asdf1234 (yes, I know this is a crappy password. It's only temporary until everything is set up)
        removeapplicationpartitions=yes
        removeDNSDelegation=yes
        DNSDelegationUserName=administrator
        DNSDelegationPassword=Asdf1234



        • #5
          Re: Demote Windows 2008 R2 Server Core domain controller

          Why not just specify a more complex password during demote?
          http://technet.microsoft.com/en-us/l...87(WS.10).aspx
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Demote Windows 2008 R2 Server Core domain controller

            I concur with Ossian - just use a more effective password. The problem is, even without a domain, 2008 has much stricter password requirements out of the box - I've tried to set "password" as my password many times, only to have it fail.

            You can do it once you edit the local system policy, but you can't do this until you've demoted it, and you can't demote it until you've got a localadm password, so.. etc etc :P

            Set a stronger password (try even [email protected] or something) and you should be fine
            Please do show your appreciation to those who assist you by leaving Rep Point



            • #7
              Re: Demote Windows 2008 R2 Server Core domain controller

              Still no joy.

              I set both the local and domain administrator password to

              [email protected]@ssw0rd2

              and get the same error message.

              Since this is a test network, it's not going to affect anything permanently. The Active Directory will be wiped out and rebuilt from scratch regardless.

              But it is an annoyance, since this is one of those things that should work, but doesn't.
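
Added example, not part of any post in this thread: a pre-flight check that compares a dcpromo demotion answer file (post #4) with the local policy exported by secedit (post #3). It assumes, per Microsoft's dcpromo unattend reference, that a demotion takes the new local Administrator password from an `AdministratorPassword` entry and that `*` means "prompt"; `ConvertFrom-Ini` and `Test-DemoteAnswerFile` are hypothetical helper names, and the sample values are constructed.

```powershell
# Added example: check a dcpromo demotion answer file before running it.
function ConvertFrom-Ini {
    param([string[]]$Lines)
    $ini = @{}; $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') {
            $section = $Matches[1]; $ini[$section] = @{}
        } elseif ($section -and $t -match '^([^=;]+?)\s*=\s*(.*)$') {
            $ini[$section][$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    return $ini
}

function Test-DemoteAnswerFile {
    param([string[]]$AnswerLines, [string[]]$SeceditLines)
    $dc  = (ConvertFrom-Ini $AnswerLines)['DCINSTALL']
    $pol = (ConvertFrom-Ini $SeceditLines)['System Access']
    if ($null -eq $dc) { return 'No [DCINSTALL] section found' }
    $minLen = 0
    if ($pol -and $pol.ContainsKey('MinimumPasswordLength')) {
        $minLen = [int]$pol['MinimumPasswordLength']
    }
    $findings = @()
    # Assumption: this key supplies the post-demotion local Administrator password.
    if (-not $dc.ContainsKey('AdministratorPassword')) {
        $findings += "AdministratorPassword is not set, so no new local Administrator password is supplied (policy minimum length is $minLen)"
    } elseif ($dc['AdministratorPassword'] -ne '*' -and
              $dc['AdministratorPassword'].Length -lt $minLen) {
        $findings += "AdministratorPassword is shorter than MinimumPasswordLength ($minLen)"
    }
    # Any literal password in the file is a clear-text credential on disk.
    foreach ($k in 'Password', 'DNSDelegationPassword', 'AdministratorPassword') {
        if ($dc.ContainsKey($k) -and $dc[$k] -ne '*') {
            $findings += "$k holds a clear-text credential in the answer file"
        }
    }
    return $findings
}

# Constructed sample input using the keys shown in posts #3 and #4.
$answer = @('[DCINSTALL]', 'username=administrator', 'userdomain=dcad.example.test',
    'password=Constructed-Pw-1', 'removeapplicationpartitions=yes',
    'removeDNSDelegation=yes', 'DNSDelegationUserName=administrator',
    'DNSDelegationPassword=Constructed-Pw-1')
$policy = @('[System Access]', 'MinimumPasswordLength = 7', 'PasswordComplexity = 0')
Test-DemoteAnswerFile $answer $policy | ForEach-Object { Write-Output "FINDING: $_" }
```

To check the real files, pass `(Get-Content c:\temp\demote.txt)` and `(Get-Content c:\temp\new.cfg)` in place of the sample arrays.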
