Demote Windows 2008 R2 Server Core domain controller


This topic contains 6 replies, has 4 voices, and was last updated by tehcamel 9 years, 6 months ago.

    Robert R.
    Participant
    #151170

    Environment:
    172.18.1.105 (DEVDC01) Windows 2008 R2 Server Core domain controller in virtual machine
    172.18.1.106 (DEVDC02) Windows 2008 R2 Standard Edition domain controller on physical server

    Because of the issues we have been having with trying to add a VMware vCenter server to Active Directory, we decided to stand up a physical domain controller and demote the virtual domain controller. It is Standard Edition, because Network Policy Server (formerly IAS, formerly RADIUS) won’t run on Server Core.

    I was able to transfer the FSMO roles, and migrate the DHCP server configuration to the new physical domain controller.

    When I run dcpromo /unattend:c:\temp\demote.txt to demote the Server Core domain controller, I get the following message:

    Checking if Active Directory Domain Services binaries are installed…
    Active Directory Domain Services Setup

    Validating environment and parameters…

    The local administrator password does not meet the minimum password length requirement of the password policy. Supply a longer password.

    The local administrator’s password, which existed before I promoted DEVDC01 to a domain controller, does meet the Windows 2008 default password complexity requirements.

    I have disabled the password complexity requirements in the group policy for the active directory, but have no idea how to disable the requirements for the local accounts, or even list and manage the local accounts in Server Core.

    Of course, since this is a virtual machine that no longer holds the FSMO roles, I suppose I could just shut it down and let DEVDC02 do all the work. But I’d like to do a clean and proper demotion, especially since I will probably re-create another domain controller on a physical box with the same name and IP in the near future.

    So how can I disable the password complexity requirements in Windows 2008 R2 Server Core for the local administrator account?

    L4ndy
    Member
    #276903

    Re: Demote Windows 2008 R2 Server Core domain controller

    Can you post the answer file please.

    Robert R.
    Participant
    #353163

    FYI: secedit /export /cfg c:\temp\new.cfg on the 2008 Server Core outputs:

    [System Access]
    MinimumPasswordAge = 1
    MaximumPasswordAge = 42
    MinimumPasswordLength = 7
    PasswordComplexity = 0
    PasswordHistorySize = 24
    LockoutBadCount = 0
    RequireLogonToChangePassword = 0
    ForceLogoffWhenHourExpire = 0
    NewAdministratorName = "Administrator"
    NewGuestName = "Guest"
    ClearTextPassword = 0
    LSAAnonymousNameLookup = 0
    EnableAdminAccount = 1
    EnableGuestAccount = 0

    Robert R.
    Participant
    #353164

    Quote:
    Can you post the answer file please.

    [DCINSTALL]
    username=administrator
    userdomain=dcad.[domainname.tld]
    password=Asdf1234 (yes, I know this is a crappy password. It’s only temporary until everything is set up)
    removeapplicationpartitions=yes
    removeDNSDelegation=yes
    DNSDelegationUserName=administrator
    DNSDelegationPassword=Asdf1234

    Ossian
    Moderator
    #182800

    Why not just specify a more complex password during demote?
    http://technet.microsoft.com/en-us/library/cc732887(WS.10).aspx

    tehcamel
    Moderator
    #356299

    I concur with Ossian – just use a more effective password. The problem is, even without a domain, 2008 has much stricter password requirements out of the box – I’ve tried to set “password” as my password many times, only to have it fail.

    You can do it once you edit the local system policy, but you can’t do this until you’ve demoted it, and you can’t demote it until you’ve got a localadm password, so.. etc etc :P

    Set a stronger password (try even [email protected] or something) and you should be fine.

    Robert R.
    Participant
    #353166

    Still no joy.

    I set both the local and domain administrator password to

    [email protected]@ssw0rd2

    and get the same error message.

    Since this is a test network, it’s not going to affect anything permanently. The Active Directory will be wiped out and rebuilt from scratch regardless.

    But it is an annoyance, since this is one of those things that should work, but doesn’t.
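
Added example (not part of any poster's message, and not Microsoft's code): a small Python check that reads a secedit export and a dcpromo answer file like the ones posted above and reports whether the local Administrator password that demotion will set satisfies the exported policy. It relies on dcpromo's documented AdministratorPassword parameter, which sets the local Administrator password on demotion and defaults to an empty password when omitted. The function names and the inline sample data are constructed for illustration.

```python
import configparser

# Constructed inputs, shaped like the thread's secedit export and the posted
# [DCINSTALL] answer file (only the keys this check needs).
SECEDIT = """[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 0
"""
ANSWER = """[DCINSTALL]
username=administrator
password=Asdf1234
removeapplicationpartitions=yes
removeDNSDelegation=yes
DNSDelegationUserName=administrator
DNSDelegationPassword=Asdf1234
"""

def _section(text, name):
    cp = configparser.ConfigParser(interpolation=None)  # keys are lowercased
    cp.read_string(text)
    return dict(cp[name])

def complex_enough(pw):
    """Simplified Windows complexity rule: at least 3 of 4 character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return sum(classes) >= 3

def check_demotion(secedit_text, answer_text):
    """Return findings about the local Administrator password dcpromo will set."""
    policy = _section(secedit_text, "System Access")
    answers = _section(answer_text, "DCINSTALL")
    min_len = int(policy.get("minimumpasswordlength", 0))
    need_complex = policy.get("passwordcomplexity", "0") == "1"
    # AdministratorPassword becomes the local Administrator password after
    # demotion; Password is only the domain credential used for the operation.
    new_pw = answers.get("administratorpassword", "").strip('"')
    findings = []
    if "administratorpassword" not in answers:
        findings.append("AdministratorPassword missing: defaults to empty")
    if len(new_pw) < min_len:
        findings.append(f"length {len(new_pw)} < MinimumPasswordLength {min_len}")
    if need_complex and not complex_enough(new_pw):
        findings.append("fails PasswordComplexity")
    return findings
```

Running check_demotion(SECEDIT, ANSWER) on the sample data reports the missing AdministratorPassword key and a zero-length password against the exported minimum of 7.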
