
Remove old Domain Controller

Hi,
I have an old domain controller that I need to remove.
This was a DC running DHCP, DNS, etc.
DHCP has been removed and all our DHCP scopes have been modified to not include this server as a DNS server, all apps have been removed, etc.
Every time we switch this machine off there are a few clients that are affected, mainly in external sites.
Some clients on site just get prompted for a password and then they re-authenticate and all is well; however, it causes problems on other sites where users cannot even log in.
This was a GC at one time.
I know to remove it completely we should demote it, but I would rather switch it off for a few days, see what is affected, then we can switch it back on, like we have had to do.
I need to be able to get rid of this server; it seems like something still needs it, i.e. replication / GC.
0
dougdog
3 Solutions
 
tntmax Commented:
Do you have other domain controllers? You can't "just turn it off" and expect things to work, as there is constantly Active Directory replication going on in the background. You need another DC/GC at the site. Make sure that it is not holding the FSMO roles. Run dcpromo to demote it gracefully. Your workstations will authenticate via any available DC in the site, so you need to demote it before it will not be used.
0
 
speshalyst Commented:
Ensure you transfer the FSMO roles to another DC, and like tntmax says, dcpromo is the right way to get this done safely.
0
 
dougdog (Author) Commented:
This server is not holding any FSMO roles.
It is just one of around 10 domain controllers.
0
 
tntmax Commented:
So why not just demote it with dcpromo?
0
 
dougdog (Author) Commented:
Because I'm afraid to demote it and have it cause big problems.
I was hoping to just switch it off, then if big problems arise just switch it back on.
0
 
dougdog (Author) Commented:
When it was switched on we had a few sites where users could not even log on. These sites had a DC on site but must have needed something on the particular DC I switched off.
0
 
tntmax Commented:
You have to make sure that none of the clients are pointing to the DC for DNS before demoting it.

You'll cause worse problems by just turning it off.

Are there more domain controllers in this site?
0
 
tntmax Commented:
If there are more DCs, just demote it.
0
 
dougdog (Author) Commented:
But that does not explain why there are big problems when it is switched off.
At least if I switch it off and problems arise I can switch it on.
If it is demoted it is not so easily fixed.
0
 
tntmax Commented:
From my first post:

"Your workstations will authenticate via any available DC in the site, so you need to demote it before it will not be used."

If the client has authenticated against the DC, then when you turn it off, of course they have to re-authenticate. You also have multimaster replication, so any DC can be used and will continue to be used until it is demoted.

And it's not so bad demoting it. You can repromote it and as long as you have other DCs in the site, it should be okay. The only time you'll have problems is if you still have resources on the server, but you claim to have moved all of them....
0
 
tntmax Commented:
Just take a system state backup first before demoting it, if you're concerned.
0
 
dougdog (Author) Commented:
I think it is something to do with the way it is replicating.
The server I'm taking offline is set up to replicate with the sites that have login problems when it is switched off.
I need to have other servers replicating to the sites that cause problems, I think.
0
 
Darius Ghassem Commented:
That could be one of the problems. Make sure the clients aren't pointing to the DC for DNS. Make sure another DC in the site is a global catalog.
0
 
dougdog (Author) Commented:
No clients point to it for DNS. They used to until I changed it a few weeks back, as I knew that would cause problems.
However, on the site that was giving problems I discovered that their DC was not a GC.
I have now made it a DC and will check all other remote sites that their domain controllers are a DC.
Then I will try shutting it down again.
Anything else I should be checking for, especially on the replication end?
0
 
Darius Ghassem Commented:
Make sure you flush a client's DNS if it still doesn't work after making the DCs GCs.
0
 
dougdog (Author) Commented:
Am I right in thinking all DCs at remote sites should be a global catalogue? Would this have been the reason users could not log in?
0
 
Darius Ghassem Commented:
Correct, GCs are the ones that actually take care of authentication.
0
 
dougdog (Author) Commented:
Thanks guys
0
Question has a verified solution.
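
The two dependencies this thread settled on (FSMO roles still held by the old DC, and a site left without a global catalog once it is gone) can be checked before demotion. The following is an added example, not code from any poster; the function name `Test-DcRetirement` and the DC and site names are constructed for illustration.

```powershell
# Added example. Inventory objects mirror the Name, Site, IsGlobalCatalog and
# OperationMasterRoles properties returned by Get-ADDomainController.
function Test-DcRetirement {
    param(
        [Parameter(Mandatory)] [object[]] $DomainControllers,
        [Parameter(Mandatory)] [string]   $Retiring
    )
    $target = $DomainControllers | Where-Object { $_.Name -eq $Retiring }
    if (-not $target) { throw "DC '$Retiring' not found in inventory" }

    $findings = @()

    # 1. FSMO roles must be transferred before the DC is demoted.
    foreach ($role in $target.OperationMasterRoles) {
        $findings += "BLOCK: $Retiring still holds FSMO role $role"
    }

    # 2. Per the thread: each site needs a global catalog other than the retiring DC.
    foreach ($site in ($DomainControllers | Group-Object Site)) {
        $remaining = @($site.Group | Where-Object { $_.Name -ne $Retiring })
        $gcs       = @($remaining | Where-Object { $_.IsGlobalCatalog })
        if ($remaining.Count -eq 0) {
            $findings += "WARN: site $($site.Name) has no DC left once $Retiring is gone"
        } elseif ($gcs.Count -eq 0) {
            $findings += "BLOCK: site $($site.Name) has no global catalog without $Retiring"
        }
    }

    if (-not $findings) { $findings += "OK: no FSMO or GC dependency on $Retiring found" }
    $findings
}

# Constructed sample inventory: Branch1 has a DC that is not a GC,
# the situation found in this thread.
$inventory = @(
    [pscustomobject]@{ Name='DC-OLD'; Site='HQ';      IsGlobalCatalog=$true;  OperationMasterRoles=@() }
    [pscustomobject]@{ Name='DC-HQ2'; Site='HQ';      IsGlobalCatalog=$true;  OperationMasterRoles=@('PDCEmulator') }
    [pscustomobject]@{ Name='DC-BR1'; Site='Branch1'; IsGlobalCatalog=$false; OperationMasterRoles=@() }
    [pscustomobject]@{ Name='DC-BR2'; Site='Branch2'; IsGlobalCatalog=$true;  OperationMasterRoles=@() }
)
Test-DcRetirement -DomainControllers $inventory -Retiring 'DC-OLD'

# Against a live domain (requires the ActiveDirectory module):
# Test-DcRetirement -DomainControllers (Get-ADDomainController -Filter *) -Retiring 'DC-OLD'
```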
