And to answer the other piece, you'll need Domain Admin rights to demote the old DC out.
Thanks,
Brian Desmond
w - 312.625.1438 | c - 312.731.3132

From: [email protected] On Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, December 14, 2015 5:38 PM
To: '[email protected]' <[email protected]>
Subject: [NTSysADM] RE: Credentials needed to add/remove DC from domain

Thank you, Michael, I'll run with that. And, I forgot, my organization has access to the State Library, which is through Safari Books Online, and lo, and behold, Brian's book is included.

From: [email protected] On Behalf Of Michael B. Smith
Sent: Monday, December 14, 2015 2:41 PM
To: [email protected]
Subject: [NTSysADM] RE: Credentials needed to add/remove DC from domain

TTBOMK, none of this has changed since AD 2000:

https://technet.microsoft.com/en-us/library/cc755782(v=ws.10).aspx

The only addition to what I wrote previously is that a domain admin in the root domain apparently has the same privileges as an enterprise admin. The tech only needs enterprise admin for removing the last DC in a child domain. If you promote a 2012R2 DC before that, the issue will never arise.

From: [email protected] On Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, December 14, 2015 5:25 PM
To: '[email protected]'
Subject: [NTSysADM] RE: Credentials needed to add/remove DC from domain

I wish I had Brian's book. I did go look on his site, after you replied, and I see that adding/removing a 2012 DC should be Domain Admin, and done through Roles/Features, not dcpromo. But didn't see anything about removing 2008R2 DCs. My tech was asking to have his admin account added to Enterprise Admins for this project, and I want to be able to back my telling him No.

From: [email protected] On Behalf Of Michael B. Smith
Sent: Monday, December 14, 2015 1:43 PM
To: [email protected]
Subject: [NTSysADM] RE: Credentials needed to add/remove DC from domain

What does Brian's book say? :)

As I recollect, adding the first DC in a domain (and removing the last DC in a domain) will require enterprise admin. All others should only require domain admin.

From: [email protected] On Behalf Of Heaton, Joseph@Wildlife
Sent: Monday, December 14, 2015 2:46 PM
To: NT System Admin Issues Discussion list
Subject: [NTSysADM] Credentials needed to add/remove DC from domain

Looking at upgrading our DCs to 2012R2. In order to use DCPromo to demote existing and remove them from AD, and to use DCPromo to promote the new ones, do I need Domain Admin, or Enterprise Admin? I'm seeing contradictory information on the interwebz.

Thanks,
Joe Heaton
