Decommissioning Win2003 domain controller & AD integrated DNS

Hi,

I have single forest AD domain with multiple AD sites.

I'm about to decommission the old Windows Server 2003 Domain Controller and with AD integrated DNS in each of the AD Sites.

What manual steps should I do to make sure that the DNS and AD replication can still be working without any issue?

Regarding the Global Catalog that is used by the Exchange Server 2010 SP3 in the Data Center AD site, do I need to do anything to prevent an email submission issue?

Thanks in advance.
Senior IT System Engineer (IT Professional) Asked:

Senior IT System Engineer (Author) Commented:
As per this article:

http://blogs.technet.com/b/exchange/archive/2015/02/13/considering-updating-your-domain-functional-level-from-windows-2003-read-this.aspx

Do I need to do the following steps every time I demote an old Win2003 DC?

GUI steps:
Open the Services MMC (services.msc) on the DCs
Select the Kerberos Key Distribution Center service and click the restart button


What's the impact on the Exchange Server when I restart the KDC service one DC at a time?
0
Dirk Mare, Systems Engineer (Acting IT Manager), Commented:
Make sure that the site has another working DC or that all the clients are at least pointing to another DNS server for name and network resolution.

Yes, you would need to restart the services after each demote; this is not necessary once your Domain and Forest Functional Level is at 2008 or higher. But as a best practice I would still restart the service.

Restarting KDC one by one will not affect your Exchange. I also did a DFL and FFL upgrade not too long ago and Exchange was not affected by KDC service restarts.

DirkMare
0
Will Szymkowski, Senior Solution Architect, Commented:
In the site where you are decommissioning the 2003 DC, do you have Exchange hosted? If so, you will be required to have another DC/GC in this site to ensure that Exchange will continue to function properly.

Exchange requires at least one writable DC/GC in a site for it to operate properly. If you do not have Exchange in your environment and you do not have or want to set up a second DC in this site, you can point DNS for your clients to a different site (one that is geographically close for better performance) until you introduce another DC after the 2003 DC has been demoted.

Will.
0


Senior IT System Engineer (Author) Commented:
Thanks Dirk. My DFL and FFL is still on Windows Server 2003 level.

Will,

"In the site where you are decommissioning the 2003 DC, do you have Exchange hosted? If so, you will be required to have another DC/GC in this site to ensure that Exchange will continue to function properly."

Yes, there are two more Win 2008 R2 DC/GCs in my Data Centre and the Headquarters AD Site that are writable.

But in my HQ office, there is only one Win2012R2 DC/GC and this old Win2k3 DC/GC, so would that still be OK after I demote the old Win2k3 DC/GC?
0
Will Szymkowski, Senior Solution Architect, Commented:
Any Logical AD site that is hosting Exchange requires 1 DC/GC. If you have 2012 and 2003 then you are fine to demote the 2003 server.

Will.
0
Senior IT System Engineer (Author) Commented:
OK, as for the DNS server role, is there anything that I need to do manually on each of the other DC/GCs?

Or do I just run DCPROMO on the Win2k3 server to demote it and then look in the remaining DNS servers for any reference to the old Win2k3 server name?
0
Will Szymkowski, Senior Solution Architect, Commented:
When you demote the domain controller, DNS will no longer be AD-integrated on this 2003 server; however, you will need to manually uninstall the DNS server role, as this does not happen when you demote the domain controller.

Will.
0
Senior IT System Engineer (Author) Commented:
OK, so how about the replication partner setting or any other configuration that I need to remove on the other DNS servers or Domain Controllers?

Is there anything that I need to be aware of before or after the decommission process?
0
Senior IT System Engineer (Author) Commented:
OK, last thing to ask.

Regarding the Exchange Server 2010, do I need to restart any service or just leave it untouched?

Because in Exchange Management Console > Server Configuration > Client Access | System Settings tab, I can see the three DC/GCs as follows: PRODDC01-VM (2008 R2), PRODDC02 (2003, to be decommissioned), PRODDC03-VM (2008 R2).

I need to avoid any client Outlook 2010/2013 connection issue or email delivery issue if possible.
0
Will Szymkowski, Senior Solution Architect, Commented:
"Because in Exchange Management Console > Server Configuration > Client Access | System Settings tab, I can see the three DC/GCs as follows: PRODDC01-VM (2008 R2), PRODDC02 (2003, to be decommissioned), PRODDC03-VM (2008 R2)."

If you have a healthy Active Directory environment then you should not have to reboot anything on Exchange. Exchange will attempt to connect to another DC within the same site. You will even be able to see this in the Exchange events directly on the server if it needs to contact another server (I can't remember the exact event ID).

So that being said, you should be fine with regards to decommissioning the DC, and as long as you have another DC/GC in the same site Exchange will query the DC that is still online.

Will.
0
Senior IT System Engineer (Author) Commented:
Ah, I see.

The PDC emulator in the domain has been transferred to the new 2k12R2 DC server; however, some of the servers that I can see from the network sniffer appliance are still using this old Windows Server 2003 as the NTP source.

The w32tm /query /source command shows the result still pointing to the old DC2k3 box, so should I be worried, or will it automatically contact the other DC for time sync?
0
Will Szymkowski, Senior Solution Architect, Commented:
So for NTP, your clients or member servers should point to any DC for the time source. Those DCs point to the PDC for the external time source.

There are articles that state you should use a GPO to configure the time source for all machines to point directly to the PDC. Personally I do not like this method and I would rather allow the clients to point to any DC that is in their own site. This is the hierarchy when you are working with NTP (external time source/PDC/DC/clients).

If you have your clients pointing to a DC then they should have the correct time because those DCs are pointing to the PDC.

So to answer your question: when you demote your DC, your clients will automatically look for another DC to authenticate against and get the time source from.

Will.
0
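A pre-demotion check that ties together the points raised above (another GC left in the site, DNS records that still name the old DC, and member servers still taking time from it). This is an added example, not code from anyone in the thread; PRODDC02 is the server named in the question, while the domain name and the member server list are placeholders you replace with your own. It assumes the ActiveDirectory RSAT module and a Windows 8/2012 or later client for Resolve-DnsName.

```powershell
# Added example (not from the thread). Run as a domain admin before demoting the old DC.
param(
    [string]$OldDc  = 'PRODDC02',        # the 2003 DC named in the question
    [string]$Domain = 'corp.example',    # placeholder: your AD DNS domain name
    [string[]]$MemberServers = @('MAIL01', 'APP01')  # placeholder list of servers to check
)
Import-Module ActiveDirectory

# 1. Does the old DC's AD site keep at least one writable GC once it is gone?
#    (The thread's requirement for any site that hosts Exchange.)
$site   = (Get-ADDomainController -Identity $OldDc).Site
$others = Get-ADDomainController -Filter * | Where-Object {
    $_.Site -eq $site -and $_.IsGlobalCatalog -and -not $_.IsReadOnly -and $_.Name -ne $OldDc
}
if ($others) { "Site '$site' keeps writable GC(s): $($others.Name -join ', ')" }
else         { Write-Warning "Site '$site' would have NO writable GC after demoting $OldDc" }

# 2. DNS records that still point at the old DC. The zone NS records and the
#    domain-wide DC/GC locator SRV records are the ones to look at again after
#    the demotion; anything still listed then needs manual cleanup.
$fqdn = "$OldDc.$Domain"
$ns   = Resolve-DnsName -Name $Domain -Type NS -ErrorAction Stop |
        Where-Object { $_.NameHost -eq $fqdn }
$srv  = @("_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain", "_kerberos._tcp.$Domain") |
        ForEach-Object { Resolve-DnsName -Name $_ -Type SRV -ErrorAction SilentlyContinue } |
        Where-Object { $_.NameTarget -eq $fqdn }
if ($ns)  { "NS record for $Domain still names $fqdn" }
if ($srv) { "SRV records still targeting $fqdn`: $(($srv.Name | Sort-Object -Unique) -join ', ')" }
if (-not $ns -and -not $srv) { "No NS/SRV records reference $fqdn" }

# 3. Which member servers still report the old DC as their time source?
#    w32tm /query /source /computer:<name> asks the remote Windows Time service.
foreach ($s in $MemberServers) {
    $src = (& w32tm /query /source /computer:$s 2>&1 | Select-Object -First 1)
    if ("$src" -match [regex]::Escape($OldDc)) { "$s -> $src  (still using $OldDc; re-sync after demote)" }
    else                                        { "$s -> $src" }
}
```

The third section reports only; the re-sync commands posted later in the thread (w32tm /config /syncfromflags:domhier /update followed by w32tm /resync /rediscover) are what you run on any server it flags.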
Senior IT System Engineer (Author) Commented:
Many thanks for the clarification, Will.

I was logging in to each of the servers that are still talking to the old DC2k3 and then re-issuing these commands:

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time
net start w32time

But yes, according to your explanation, it should not be needed as long as the other Domain Controllers are also pointing to the PDC emulator, which is synced to NTPpool.org.
0
Will Szymkowski, Senior Solution Architect, Commented:
That is correct.

Will.
0
Senior IT System Engineer (Author) Commented:
OK, got it. So in the event that the DCPROMO fails, is there any rollback plan?
0
Will Szymkowski, Senior Solution Architect, Commented:
"OK, got it. So in the event that the DCPROMO fails, is there any rollback plan?"

If dcpromo fails nothing happens to the environment, so there is nothing to roll back.

Will.
0
Senior IT System Engineer (Author) Commented:
Thanks!
0