
We (still) have an outdated Domain with 3 Server 2008 R2 DCs. One DC, which was from a remote (VPN) location, is now on my desk in the main office.

The goal is to demote and remove it from the Domain. 2 will then remain. Since the network onsite is different (10.1.30.xxx) from the VPN location (10.2.30.xxx), I cannot connect it to the LAN. Also, afaik, I cannot do a temporary routing without disturbing the VPN location. Also, I may not change the IP of the DC (one never should do this).

Should I remove the DC offsite (like this: https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-manually-removing-a-domain-controller-server/ba-p/280564 ) or can I somehow connect it to the local LAN?

I would rather remove it "online", since the DC itself starts normally. It has been offline for several weeks, though.

Shipping it back to the VPN location is not possible.

Thanks! David

David
  • There are two problems here. First, if a DC is no longer available, it may be deleted in AD Users and Computers/Sites and Services. No metadata cleanup should be required as of 2008 R2. Second, you have two DCs that you don't have physical control over, so someone should physically acquire those and destroy the storage. – Greg Askew Feb 10 '21 at 14:28
  • Hi Greg, thanks for your answer. No, the 2 DCs are perfectly fine and fully under control. I edited my post - maybe it was not clear. So you would recommend just deleting the DC (as in the link mentioned)? – David Feb 10 '21 at 14:44

2 Answers


Also I may not change the IP of the DC (one never should do this)

There's nothing wrong with changing the IP address of a Domain Controller. If you need to do that so that you can log onto it and gracefully demote it, then do that.

As long as it hasn't been offline longer than the Tombstone lifetime you should be fine.

joeqwerty
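An added check that is not part of joeqwerty's answer: before plugging a weeks-old DC back into the network, compare how long it has been out of replication against the forest's tombstone lifetime. It reads both values from a healthy online DC, so nothing has to be changed on the stale box first. The hostnames, and the fallback default of 60 days when the tombstoneLifetime attribute is unset, are assumptions for the example.

```powershell
# Added example, not the answer's own code. Run from a healthy DC (or a
# workstation with RSAT) as a domain admin. Hostnames are placeholders.
Import-Module ActiveDirectory

$StaleDc = 'DC-REMOTE'   # the DC that sat at the VPN site and is now on the desk
$LiveDc  = 'DC-MAIN1'    # an online DC that still holds replication metadata

# Tombstone lifetime is stored in the configuration partition. If the attribute
# is not set, Active Directory falls back to a default; 60 days is assumed here
# (forests created on 2003 SP1 or later default to 180).
$cfg = (Get-ADRootDSE -Server $LiveDc).configurationNamingContext
$ds  = Get-ADObject -Server $LiveDc `
        -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
        -Properties tombstoneLifetime
$tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }

# Inbound replication metadata on the live DC records the last time it
# successfully pulled changes from each partner, including the stale DC.
$meta = Get-ADReplicationPartnerMetadata -Target $LiveDc -Partition * |
        Where-Object { $_.Partner -like "*CN=$StaleDc,CN=Servers,*" }
if (-not $meta) {
    Write-Warning "No replication metadata for $StaleDc on $LiveDc; it may already have been removed."
    return
}
$last = ($meta | Sort-Object LastReplicationSuccess -Descending |
         Select-Object -First 1).LastReplicationSuccess
$offline = (Get-Date) - $last

# SafeToReconnect is false once the DC has been out of replication longer than
# the tombstone lifetime; in that case do not reconnect it, demote it offline
# and clean up its metadata instead.
[pscustomobject]@{
    StaleDc                = $StaleDc
    TombstoneLifetimeDays  = $tsl
    LastReplicationSuccess = $last
    DaysOffline            = [math]::Round($offline.TotalDays, 1)
    SafeToReconnect        = ($offline.TotalDays -lt $tsl)
}
```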

You have two options:

  1. Boot the domain controller, change the IP address (perfectly fine) and reconnect it to your environment. If you believe that there is a slight risk that the single domain controller was running in a split-brain scenario, then don't do this.

  2. Remove it manually and do a metadata cleanup as in the article you found. However, I'd rather search the official docs for the procedure and check whether the author followed best practice.

Daniel