I'm having trouble removing a 2025 domain controller (DC) from my existing 2016 domain. When we added the 2025 DC, we faced issues like a "Public Network" error and broken Kerberos connectivity. After some troubleshooting, we decided to build a new 2022 DC instead. Right now, we've disabled KDC on the 2025 DC and restarted Active Directory Domain Services, which allowed us to log in, but we still can't make the domain appear on the network card after trying some network location fixes.
We've been attempting to demote the 2025 DC for removal but keep running into a "Cannot reach a domain controller" error during the graceful removal process. We haven't changed any Kerberos passwords since we don't plan to keep this server and want to avoid affecting the rest of the domain. Can anyone help with either fixing the issue to allow demotion, or suggest how to forcibly remove the 2025 DC?
2 Answers
First, make sure that the 2025 DC didn't inadvertently take on any FSMO roles. You can use the 'ntdsutil' command to help with the removal process. There's a detailed guide available that lays out the steps to manually remove a DC, so check that out when you get a chance.
Yeah, ntdsutil really is your best bet for this situation.
I followed the process from the guide, but ran into a syntax error while using ntdsutil. It turns out the server wasn't listed in the site. Plus, we're seeing some KCC errors on dcdiag, probably related to the issues we have with the 2025 DC and Kerberos strong keys. I'll share the dcdiag results after I clean them up.
Glad to hear the FSMO roles are safe with the 2022 DC.
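The checks and the manual cleanup that the first answer points to, written out as an added PowerShell example (it is not code from any of the posts above). It is meant to be run on a healthy DC in the domain, not on the DC being removed; `DC2025` stands in for the 2025 DC's hostname, and the site name and domain DN are discovered rather than assumed. The only assumptions are the RSAT ActiveDirectory and DnsServer modules being installed where the script runs.

```powershell
# Added example. Run on a healthy DC (e.g. the 2016 or 2022 DC), not on the DC
# being removed. 'DC2025' is a placeholder for the hostname of the DC to remove.
#
# Step 0 (on the 2025 DC itself, only if graceful demotion keeps failing):
#   Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole
# A forced demotion does NOT clean the forest metadata; steps 1-4 below do that.
Import-Module ActiveDirectory

$OldDc    = 'DC2025'                               # placeholder
$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$forest   = Get-ADForest
$domain   = Get-ADDomain

# 1. Confirm the DC being removed holds no FSMO role before touching metadata.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
$held = @($roles.GetEnumerator() | Where-Object { $_.Value -like "$OldDc.*" })
if ($held.Count -gt 0) {
    # Seize with: Move-ADDirectoryServerOperationMasterRole -Identity <healthyDC> -OperationMasterRole <role> -Force
    throw "$OldDc still holds: $($held.Key -join ', '). Transfer or seize these roles first."
}

# 2. Locate the server object's exact DN under CN=Sites. ntdsutil's
#    "remove selected server" needs this DN, and the DC may not sit in the
#    site you expect, so search all sites instead of typing the DN by hand.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$ConfigNC" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
if (-not $serverObj) { throw "No server object named $OldDc under CN=Sites; nothing to clean up." }
"Server object: $($serverObj.DistinguishedName)"

# 3. Metadata cleanup. Each quoted argument is one ntdsutil sub-command, so this
#    runs non-interactively and avoids the interactive site/server list selection.
ntdsutil "metadata cleanup" "remove selected server $($serverObj.DistinguishedName)" quit quit

# 4. Leftovers that metadata cleanup may not remove: the DC's computer account
#    (it has child objects, hence -Recursive) and DNS records that still point
#    at the old DC. Records are listed for review; remove them with
#    Remove-DnsServerResourceRecord once you have confirmed each one.
$computer = Get-ADComputer -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue
if ($computer) { $computer | Remove-ADObject -Recursive -Confirm:$false }

Import-Module DnsServer
foreach ($zone in @($domain.DNSRoot, "_msdcs.$($forest.RootDomain)")) {
    Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            # SRV records carry the target in DomainName, NS in NameServer,
            # CNAME in HostNameAlias; joining all RecordData values covers each type.
            ($_.RecordData.PSObject.Properties.Value -join ' ') -match "(?i)\b$OldDc\b"
        } |
        Select-Object @{n='Zone';e={$zone}}, HostName, RecordType
}

# 5. Verify replication and the KCC now that the stale DC is gone.
repadmin /replsummary
dcdiag /test:KccEvent /test:Replications
```

The order matters: checking FSMO roles comes first because metadata cleanup of a role holder leaves the domain with an orphaned role, and the DN lookup in step 2 is what prevents the "server not listed in this site" class of ntdsutil errors. Deleting the server object in Active Directory Sites and Services performs the same cleanup as step 3 on Windows Server 2008 and later, so the GUI is an equivalent alternative if ntdsutil syntax keeps failing.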