Domain – What precautions should I take before demoting domain controllers

Tags: domain, domain-controller, windows-server-2003, windows-server-2008-r2

I know how to demote a domain controller (done it before) but I need to do it for two physical old DCs on a much more 'important' and strictly controlled domain than that which I previously did it for. My question is what additional checks should I run to make sure nothing will break after I demote the domain controllers.

The domain in question is mostly virtualized (including the two new DCs). One of the new DCs has had the FSMO roles for a while now, without any issues, and it is the authoritative time server for the domain. When I run dcdiag it fails only one test (NCSecDesc). The failure of this particular test is acceptable because we will never have RODCs on this domain. All of the member servers have their DNS settings pointing at the new DCs.

As a pre-demotion experiment – can I switch these DCs off for a while to see that the domain continues to function without them? Would this not cause replication issues or other issues?
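The checks the question describes (FSMO role placement, the authoritative time source, member-server DNS settings, dcdiag and replication health) can be scripted so they are run once before the demotion and again while the old DCs are powered off. The following PowerShell is an added example, not code from the original question or answer; it assumes the RSAT ActiveDirectory module is available, and the DC and member-server names are placeholders to be replaced with the real hosts.

```powershell
# Added pre-demotion check script (not part of the original post).
# Assumes the RSAT ActiveDirectory module; all host names below are placeholders.
Import-Module ActiveDirectory

$OldDCs  = @('OLDDC1', 'OLDDC2')    # placeholder: the two DCs to be demoted
$Servers = @('MEMBER1', 'MEMBER2')  # placeholder: member servers whose DNS settings to audit

# 1. FSMO roles: none may remain on a DC that is about to be demoted.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    $holder = ($r.Value -split '\.')[0]          # short host name of the role holder
    if ($OldDCs -contains $holder) {
        Write-Warning "$($r.Key) is still held by $holder - transfer it before demoting"
    } else {
        Write-Host "$($r.Key): $($r.Value)"
    }
}

# 2. Time source: the domain's authoritative time server (normally the PDC
#    emulator) must not be one of the old DCs. Run on a member server too.
w32tm /query /source

# 3. DNS client settings: no member server may still list an old DC's address.
#    WMI is used so the check also works against Server 2003/2008 R2 hosts.
$oldIPs = $OldDCs | ForEach-Object { (Get-ADDomainController -Identity $_).IPv4Address }
foreach ($s in $Servers) {
    $cfg = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
                         -ComputerName $s -Filter 'IPEnabled = TRUE'
    $dns = $cfg | ForEach-Object { $_.DNSServerSearchOrder } | Where-Object { $_ }
    $bad = $dns | Where-Object { $oldIPs -contains $_ }
    if ($bad) { Write-Warning "$s still uses old DC DNS server(s): $($bad -join ', ')" }
    else      { Write-Host "$s DNS servers OK: $($dns -join ', ')" }
}

# 4. Replication and overall health: both should be clean before the change,
#    and again after the old DCs have been switched off for the trial period.
repadmin /replsummary
dcdiag /q
```

Run it from a workstation or DC that has RSAT installed, with an account that can query WMI on the member servers. If the old DCs were ever handed out as DNS servers by DHCP, check the scope options as well, since the WMI query only shows what each server currently uses.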

Best Answer

It seems that you have already thought of everything.

Simply turning them off will make the AD balk at you at most, and might slow some operations in edge cases. Nothing should break.

The only danger (and it's not clear from the available information whether it's a real danger) I see here is that your virtualization platform might have dependencies on your AD (→ virtualized DCs). This will bite you hard after your virtualization platform goes/is taken down for whatever reason; since there's a circular dependency.

In this case you must either decouple the two, leave one or more physical DCs, or plan very well for doing maintenance or how to recover from a disaster.