Preparation steps and the implementation steps to decommission Windows Server 2003 AD-DNS Domain Controller ?

Hi All,

Can anyone here please share and let me know what are the preparation steps and the implementation steps to decommission Windows Server 2003 AD-DNS Domain Controller ?
Senior IT System Engineer (IT Professional) asked:
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

In case you want to decommission a domain controller, you first need to create an additional domain, install AD, move the FSMO roles, install DNS, transfer the DNS primary zone to the additional DC, and make the additional DC a global catalog server. Once all these steps are done, you can decommission the old server from AD.

Let me know if you need detailed steps to perform the same.

Thanks
Manikandan
0

Zacharia Kurian (Administrator - Data Center & Network) commented:
If you are sure that all the FSMO roles are moved from your old DC, and all is fine, then you can demote your old DC either gracefully or forcefully.

It is worth reading these links:

https://technet.microsoft.com/en-us/library/cc740017%28v=ws.10%29.aspx

http://www.itserveronline.com/microsoft/demote-a-windows-server-2003-r2-domain-controller/

http://blogs.technet.com/b/asiasupp/archive/2006/09/06/454327.aspx

After the removal of the server from the network, you may have to do a metadata cleanup, i.e. you may have to check your upgraded AD for any objects, DNS records, etc.

Look at the link below:

http://social.technet.microsoft.com/wiki/contents/articles/3984.domain-controller-demotion-and-metadata-cleanup.aspx

Zac.
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

To move the FSMO roles, here are the steps. At the command prompt, run the following commands on the old DC:

Ntdsutil
Roles
Connections
Connect to server <type the name of the new Server>
Quit
Transfer Schema master
Transfer RID master
Transfer infrastructure master
Transfer PDC
Transfer domain naming master
quit
quit

C:\> netdom query fsmo (it should show the FSMO roles on the new DC)

To make the additional DC a Global Catalog, do the following.

On the new DC, go to the Run prompt and type dssite.msc (this will open Active Directory Sites and Services).

In the console tree, click the server object to which you want to add the global catalog or from which you want to remove the global catalog.

Where?
Active Directory Sites and Services\Sites\SiteName\Servers

In the details pane, right-click NTDS Settings of the selected server object, and then click Properties.
Select the Global Catalog check box to add the global catalog, or clear the check box to remove the global catalog.

Thanks
Manikandan
0
Senior IT System Engineer (IT Professional), author, commented:
OK, so in this case, shall I just run the DCPromo command to demote it after all FSMO roles are transferred?
0
Senior IT System Engineer (IT Professional), author, commented:
Do I need to restart the Exchange server service, or is it not needed?

Yes please, if anyone knows what the command is for transferring the DNS role, that'd be great.

I've created the new DC as Win2k12R2 holding all the FSMO roles and also DNS-AD integrated, but I'm not sure what to do next about the oldDC DNS server role.

What about the DNS replication between this old DC and the other DC?
0
Zacharia Kurian (Administrator - Data Center & Network) commented:
"not sure what to do next about the oldDC DNS server role."

Have you pointed the IP of your old DC to the new one and vice versa (as the secondary DNS)?

If so, compare the DNS entries in both servers.

Run the following commands to check that replication is happening:

Dcdiag /test:replication

repadmin /replsum

repadmin /syncall

If all is well, remove the global catalog from your old server as per the below:

[Image: new-gc1.gif]
And then in your Exchange server, make sure that this server has been removed. See below:

[Image: exchange.png]
Make sure that all your client PCs are directed to the new PC too.

And then proceed to demoting your old server.


Zac.
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

I have already given the steps in my previous post. In case you're using 2012 R2, there is no need for the DNS zones to be transferred. Transfer the FSMO roles as mentioned in my previous post, then do an uninstall of AD by running DCPROMO.

Thanks
Manikandan
0
Senior IT System Engineer (IT Professional), author, commented:
Last question, guys,

The w32tm /query /source command shows the result is still pointing to the oldDC2k3 box, so should I be worried, or will it automatically contact the other DC for time sync?

The PDC emulator in my domain has been transferred to the new2k12R2DC server; however, some of the servers that I can see from the network sniffer appliance are still using this old Windows Server 2003 as the NTP source.
0
Zacharia Kurian (Administrator - Data Center & Network) commented:
Once you demote your 2003 DC, it should contact your new PDC. Make sure those servers' DNS entries are pointed to your new PDC.

Zac
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

It will contact the new DC, since the PDC emulator role is now available with the new DC, based on the DNS records.

Thanks
Manikandan
0
Senior IT System Engineer (IT Professional), author, commented:
Cool, so in this case I guess I do not need to do anything then.

I was under the impression that I must go to all of the servers in my domain and run the commands below:

w32tm /config /syncfromflags:domhier /update
w32tm /resync /rediscover
net stop w32time
net start w32time

0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

Nope, you don't need to do all this; you only need to make sure DNS has proper entries.

Thanks
Manikandan
0
Senior IT System Engineer (IT Professional), author, commented:
OK, so which entries / entry do you mean here, for example?
0
Manikandan Narayanswamy (Security Specialist & IBM Security Guardium) commented:
Hi,

You just need to check whether proper Host A records exist for the new DC where the FSMO roles have been transferred. If it's present then you're good to go.

Thanks
Manikandan
0
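
The checks named in the replies above (FSMO role holders, global catalog, replication, the new DC's Host A record, time source) gathered into one read-only script, as an added example that is not part of any participant's post. It assumes it is run on the new Windows Server 2012 R2 DC with the ActiveDirectory module; the names OLDDC2K3 and NEWDC2K12R2 are placeholders.

```powershell
# Added example: read-only pre-demotion check, run on the new DC (ActiveDirectory module).
param(
    [string]$OldDC = 'OLDDC2K3',    # placeholder name: DC being decommissioned
    [string]$NewDC = 'NEWDC2K12R2'  # placeholder name: DC that should hold the roles
)
Import-Module ActiveDirectory
$findings = @()

# 1. All five FSMO roles must be on the new DC (same data as "netdom query fsmo").
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    $holder = ($role.Value -split '\.')[0]   # short host name from the FQDN
    if ($holder -ne $NewDC) { $findings += "$($role.Key) is held by $($role.Value)" }
}

# 2. The new DC must be a global catalog before the old one is removed.
$new = Get-ADDomainController -Identity $NewDC
if (-not $new.IsGlobalCatalog) { $findings += "$NewDC is not a global catalog" }

# 3. The new DC needs a Host (A) record that resolves to its own address.
$a = Resolve-DnsName -Name $new.HostName -Type A -ErrorAction SilentlyContinue
if (-not ($a | Where-Object { $_.IPAddress -eq $new.IPv4Address })) {
    $findings += "No A record for $($new.HostName) matching $($new.IPv4Address)"
}

# 4. Replication to the new DC must be free of recorded failures.
foreach ($f in (Get-ADReplicationFailure -Target $NewDC)) {
    if ($f.FailureCount -gt 0) {
        $findings += "Replication failure with $($f.Partner): error $($f.LastError)"
    }
}

# 5. This machine should no longer use the old DC as its time source.
$source = (& w32tm /query /source) -join ' '
if ($source -like "*$OldDC*") { $findings += "Time source is still $source" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No blockers found for demoting $OldDC." }
```

Each warning names one item to resolve before running DCPROMO on the old server; the script changes nothing in the directory.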
Senior IT System Engineer (IT Professional), author, commented:
Thanks, people,

So I guess there is no rollback plan when DCPROMO fails or has some issue during the demotion.
0
Senior IT System Engineer (IT Professional), author, commented:
Thanks!
0