lehan asked:
How to properly remove a 2003 Domain Controller from Active Directory

hey all-

I have 2 Active Directory 2003 domain controllers, DC1 & DC2.
DC1 is running most of the FSMO roles in AD while DC2 has Exchange 2003 installed.
Both are DNS servers obviously.

We are replacing DC2 with new hardware. The new server will not be a domain controller, rather only a member server running Exchange 2003 on the DMZ.

My question is: what is the proper way to decommission/remove DC2 from Active Directory?
I am pretty sure it's done using DCPROMO, but I would like a step-by-step procedure and any other tips or advice.
I am hoping not to mess up my AD by removing DC2.

Once that is accomplished, we should only be left with DC1 running all AD roles.
Later, in a week or 2 we will be getting a new server which we will set up as a 2nd DC for redundancy.

Thanks for any help in advance...


SOLUTION
Dmitri Farafontov (Canada)
This solution is only available to members.
SOLUTION
This solution is only available to members.
lehan (ASKER):

bwalker1, yes this is the only Exchange box we have and we are planning on moving it to the new server.

Here is what happened: about a month ago DC2 basically blew and Dell had to replace the motherboard, memory, power supply, etc. We were able to get it back online and fully functional without loss of any data, although one of the disks also fried (thank god for RAID 5). Anyway, Dell deemed the system unsafe and sent us a brand new replacement system, let's call it DC3.
Now Dell wants DC2 returned since they sent us a replacement for it.

So what we need to do is move Exchange to DC3, decommission DC2 and send it back to Dell.
We decided not to set up DC3 as a domain controller again and instead set it up as a member server only running Exchange on the DMZ instead.
This would leave us with DC1 as a single domain controller - but we are going to buy another brand new server for redundancy in about 2 weeks.

Now that I confused everyone, I hope the above helped.

I think we know how to move Exchange to the new server - we planned it with help from Microsoft (no easy task from the sound of it)
but I am not certain how to properly remove DC2 from AD.

Should I just use DCPROMO to remove it from the domain? That's all? Do I need to do anything else?
Can someone give me some more details? What about DNS, will DCPROMO remove all records?

Thanks...
ASKER CERTIFIED SOLUTION
This solution is only available to members.
lehan (ASKER):

simon,
thanks for the feedback - that's great help.
I think you answered most of my questions -
just to confirm though, if I use the instructions in the MS article below to move the roles to DC1, I should be all set?
http://support.microsoft.com/default.aspx?kbid=324801&product=winsvr2003

On your note about Exchange on the DMZ, I have been resistant to the idea since I know it will require opening lots of ports in the firewall between the DMZ and LAN, which defeats the DMZ's purpose. My recommendation was to set up a relay on the DMZ. It's up to the project lead to decide though!

thanks...
Have you or your project lead seen the full list of ports that are required to run Exchange in a DMZ? It is pretty lengthy and basically turns the firewall into Swiss cheese. Putting an Exchange server in the DMZ does NOTHING to increase security - I do wonder why people think that it is more secure in the DMZ - it isn't. A DMZ should be somewhere that you place things you are prepared to drop at a moment's notice. Locked down, tightly controlled communication to the production network (if any). With Exchange, you need to provide full domain access - which is a bad idea. Domain members do NOT belong in the DMZ.

I feel that strongly about it that I have walked out of two places where they wouldn't listen. I asked them why they bothered to bring me in if they were going to ignore my advice. (In case you weren't aware, I am an Exchange MVP, one of fewer than 100 in the world and 7 in the UK).

That KB article will be fine. Check each role has moved correctly and give the domain at least 40 minutes before making any changes to the domain controllers so that everything can replicate. Also ensure that the other domain controller is a global catalog.

If you have Exchange, check that it isn't using the DC you are going to remove. It may get upset, so I would suggest restarting the Exchange server once the domain controller has gone so that Exchange latches on to the live dc.

Simon.
lehan (ASKER):

simon,

Not sure what you mean by "If you have Exchange, check that it isn't using the DC you are going to remove. It may get upset, so I would suggest restarting the Exchange server once the domain controller has gone so that Exchange latches on to the live dc."?

DC2, which I am removing from AD, has Exchange on it. The plan is to move Exchange to a new server using the disaster recovery method (Microsoft recommendation), then uninstall Exchange from DC2, DCPROMO it out of the domain, drop it to a workgroup, then shut down, pack and ship to Dell.

Yes - but when you install Exchange on the other server, it needs to use a domain controller. You have to be sure that it isn't using the "wrong" one.

Simon.
lehan (ASKER):

Yeah, I think I got you - the new Exchange server will be using DC1, which will be the only domain controller remaining after DC2 is decommissioned.

One last question: I think we will not place the new Exchange server on the DMZ (I got to him at last). However, we do not want the new Exchange server to be a domain controller - just a member server - is that a problem, is it recommended or not?
Where possible Exchange should NOT be installed on a domain controller. It is a lot happier on a member server.

Simon.
lehan (ASKER):

Well - it was a success. Here are the steps we did - it may help someone:
- check and transfer FSMO roles to DC1
- remove DC2 from AD using DCPROMO (no problems)
- DC2 is now a member server
- after reboot, checked Exchange on DC2, working perfectly
- dismount the Exchange store and stop all Exchange services
- copy the Exchange store to DC3 (new Exchange server)
- drop DC2 to a workgroup, shut down, pack and ship to Dell
- reset the DC2 computer account using AD Users & Computers on DC1
- rename DC3 (new server) to the same computer name as DC2 and assign it the same IP
- join DC3 to the domain as a member server only
- run Exchange 2003 Setup on DC3 with the following parameter:
            Setup /disasterrecovery
- install Exchange SP1 and the server is fully operational

The entire process took about 6 hours - we waited for about 30 mins between changes so AD could update properly.

Simon,
only question remains: what is the best way to secure exchange with having ports 25 & 110 open? this is the reason why we wanted it on the DMZ so we can plug those ports to the LAN

Thanks - will assign points shortly.
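The checks Simon asked for before the first step above (every FSMO role on DC1, DC1 a global catalog, replication healthy) and the DNS question raised earlier can be scripted. This is an added example, not code from the thread or from Microsoft; the domain name "example.local" and the names DC1/DC2 are placeholders, and the only tools used are the stock Windows Server 2003 commands dsquery, nltest, repadmin and nslookup.

```powershell
# Added example: pre-demotion checks for removing DC2, plus a post-demotion DNS check.
# Placeholders: domain "example.local", DC1 survives, DC2 is the one being removed.
$Domain = "example.local"
$KeepDc = "DC1"
$OldDc  = "DC2"

function Test-PreDemotion {
    $problems = @()
    # 1. Every FSMO role must already sit on the surviving DC (KB 324801 transfer done).
    foreach ($role in "schema", "name", "infr", "pdc", "rid") {
        $holder = (dsquery server -hasfsmo $role) -join ""
        if ($holder -notmatch "CN=$KeepDc,") {
            $problems += "FSMO role '$role' is not on ${KeepDc}: $holder"
        }
    }
    # 2. The surviving DC must be a global catalog; Exchange and logons depend on one.
    $gcs = dsquery server -isgc
    if (-not ($gcs | Where-Object { $_ -match "CN=$KeepDc," })) {
        $problems += "$KeepDc is not a global catalog"
    }
    # 3. Replication to the surviving DC must be clean (coarse keyword check on repadmin).
    $repl = repadmin /showrepl $KeepDc
    if ($repl -match "failed|error") {
        $problems += "repadmin reports replication problems on $KeepDc; wait and re-check"
    }
    # 4. Indicative only: run on the Exchange host, the DC locator should not hand out DC2.
    $located = (nltest /dsgetdc:$Domain /gc) -join ""
    if ($located -match "\\\\$OldDc\b") {
        $problems += "DC locator on this host still returns $OldDc"
    }
    return $problems
}

function Test-StaleDnsRecords {
    # After DCPROMO the demoted DC should no longer appear in the DC/GC SRV records;
    # any hit here is a record to clean up by hand in the DNS console.
    $stale = @()
    foreach ($srv in "_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain",
                     "_kerberos._tcp.dc._msdcs.$Domain") {
        $answer = nslookup -type=SRV $srv 2>&1
        if ($answer -match "$OldDc\.") { $stale += $srv }
    }
    return $stale
}

$pre = Test-PreDemotion
if ($pre) { $pre | ForEach-Object { Write-Warning $_ } } else { Write-Host "Pre-demotion checks passed" }
$dns = Test-StaleDnsRecords
if ($dns) { Write-Warning ("SRV records still naming ${OldDc}: " + ($dns -join ", ")) }
```

Run Test-PreDemotion before DCPROMO and Test-StaleDnsRecords after the demotion has had time to replicate; a clean demotion deregisters its own records, so anything it reports is a leftover to remove manually.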
Securing those two ports is difficult due to the nature of them. Port 25 is inviting connections from machines that you don't know because that is how email works.
With POP3 you could look at using one of the more secure options - possibly wrapping the POP3 traffic in SSL.

The thing with Exchange is - what would you prefer to have open?

Port 25 and 110 from the LAN to the Internet.
Or approx 20 ports from a DMZ to the LAN - as well as port 25 and 110 from the Internet.
Most firewall administrators I know are happier with port 25 and 110 coming straight in.

Simon.
lehan (ASKER):

Hmmm - I will look into SSL for POP3 traffic.
I may also just plug port 110 and force users to VPN to check mail - it's inconvenient - but isn't that what security is sometimes all about!

I was also reading up on RPC over HTTP - what's your take on that?

Thanks - I just posted the points....
RPC over HTTPS? Love it. Deploy it for all clients. Makes life so much easier and when the clients have started using it, they love it as well.
From a security point of view, anything that requires username and password credentials for the domain to be passed in the clear should go over a VPN or SSL. Thing is you might find some sites are blocking certain ports, only allowing 80, 443 and 110 is not unusual.

Simon.
Hi Guys:
I have the same problem. I have a DC1 which is Small Business Server and has Exchange 2003.
I made another box with Windows Standard 2003 and made it another domain controller.
I have moved the mailboxes (about 25 of them). I have moved the FSMO roles to DC2 and
changed the operations master to DC2.
I wanted to test it, so I turned off DC1 (Small Business Server) and tried to see if Exchange works,
but none of the services started. So I turned DC1 back on again and everything was OK.
Now I am afraid to do the DCPROMO on DC1, because if I do that, I might not be able to get the DC2 Exchange working properly.
Any help would be greatly appreciated... sorry for some misspellings.
ksaeidi - this is a very old question. Unlike a forum it is not possible to "bump" questions back up the list. The only people who will see your post are those that have already participated. Instead you should post your question as a new question in the Exchange Server Zone which will allow other experts the chance to see the question and respond.

Simon
Exchange Server Zone Advisor.
Hi,
As you have already mentioned, DCPROMO is the only way to remove ADS from your machine, and you will need to follow the steps as mentioned in the process.