Windows Server - Demote Windows Server 2008 without Losing Accounts

Asked By Eternal September on 26-Jul-10 06:30 AM
I have done a frustratingly silly thing: I added the AD DS role to a
standalone Windows Server 2008 R2 server, creating a new domain in the
process and making the server a DC. SQL Server 2008 was running on the
server at the time. I managed to get SQL Server running again, but now I
want to remove AD from the server.

When I run dcpromo, I am prompted to say whether this is the last DC in the
domain. It is the one and only DC, so I want to delete the domain, but it
warns that all user and computer accounts will be deleted.

Does this mean all Security Groups will be deleted as well? I could just
about live with users being deleted, but if I had to recreate security
groups as well it would be an absolute pain, and I imagine it would never
work properly again.

TIA

Charles


Chris M replied to Eternal September on 26-Jul-10 08:59 AM
If you are going to remove the only Domain Controller then yes, this will
remove all accounts and groups stored within Active Directory.

Just how many security groups are you using? Are you sure they are AD
security groups that you are referring to? SQL Database roles and users
are not stored in AD. SQL logins can be mapped from an AD user or group
but they can always be re-created and then mapped to the relevant
database user account to preserve their permissions.

If you definitely need to keep the AD groups, one option would be to
bring up a new DC for your domain and let it replicate with your
existing one. Then migrate all of the FSMO roles across to the new DC,
and then demote the first DC. All of your Active Directory will remain
intact, but you will have to keep the remaining DC running somewhere.


--
Chris M.

Eternal September replied to Chris M on 26-Jul-10 09:32 AM
Hi Chris

Thanks for the reply. An example of a group is

SQLServerMSSQLUser$MACHINENAME$MSSQLSERVER

This is listed as

Security Group - Domain Local

I assumed that it was therefore in AD, but perhaps it is not? Would you
expect this group to be removed if I demote the DC and delete the domain?

I do not wish to maintain the domain anymore, in fact I wish I'd never
created it in the first place; it has caused so much bother.

Charles

Chris M replied to Eternal September on 26-Jul-10 09:43 AM
Unfortunately, as the name suggests, a Domain Local group is stored in
the domain. Therefore, this will be deleted if you demote the domain
controller.

--
Chris M.

Charles replied to Chris M on 26-Jul-10 09:48 AM
Thanks. Just as I feared :-(. What a pain.

Charles
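
Since the replies confirm that demoting the only DC deletes every group stored in the domain, one way to record the groups and their direct members before running dcpromo is sketched below. This is an added example, not code from anyone in the thread; it assumes the ActiveDirectory PowerShell module available on Windows Server 2008 R2 domain controllers, and the output folder `C:\ad-export` is a placeholder.

```powershell
# Run on the DC in an elevated session BEFORE dcpromo.
# Written for PowerShell 2.0 (the version on Server 2008 R2).
Import-Module ActiveDirectory

$outDir = 'C:\ad-export'   # assumed output folder, change as needed
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Every security group in the domain, including Domain Local ones such as
# the SQL Server service groups mentioned in the thread.
$groups = Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Description

$groups |
    Select-Object Name, SamAccountName, GroupScope, SID, Description, DistinguishedName |
    Export-Csv -Path (Join-Path $outDir 'groups.csv') -NoTypeInformation

# One row per (group, direct member). Nested groups show up as members with
# MemberClass 'group', so the nesting can be rebuilt from the same file.
$members = foreach ($g in $groups) {
    try {
        $direct = @(Get-ADGroupMember -Identity $g.DistinguishedName -ErrorAction Stop)
    } catch {
        # Some groups cannot be enumerated; report them instead of aborting.
        Write-Warning "Could not read members of $($g.Name): $($_.Exception.Message)"
        continue
    }
    foreach ($m in $direct) {
        New-Object PSObject -Property @{
            Group       = $g.SamAccountName
            GroupScope  = $g.GroupScope
            Member      = $m.SamAccountName
            MemberClass = $m.objectClass
            MemberSID   = $m.SID
        }
    }
}

if ($members) {
    $members |
        Select-Object Group, GroupScope, Member, MemberClass, MemberSID |
        Export-Csv -Path (Join-Path $outDir 'group-members.csv') -NoTypeInformation
}
```

Groups recreated after the demotion receive new SIDs, so the export serves as a reference for recreating groups and re-granting permissions rather than as a restore.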