Remove the Windows 2003 Domain Controller

Hello,

I'm planning to demote the Windows 2003 DC this weekend. After researching the process I believe the following needs to be done, and I want to make sure my understanding is correct.
Current environment:
DC2003 running Windows 2003 (AD, DNS, DHCP, File Server)
DC1 running Windows 2008
DC2 running Windows 2008

Ran DCDIAG; report attached.
DC1 has all FSMO roles.
All three domain controllers are global catalog servers.
Domain functional level: 2003 (screenshot attached)

Steps to demote:
Remove DC2003 as a global catalog server (maybe reboot afterward).
Change DC2003's DNS to point to DC1.
Run DCPROMO and keep DC2003 as a member server.
After successful removal, raise the domain functional level to 2008.

Should this change affect DHCP? Can I move the DHCP role at a later time?
Am I missing anything?

Can someone please review this and let me know if the steps are correct?

Thank you,
dcdiag12142017.txt
2017-12-14_14-30-38.png
Nirav04Asked:
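The checklist in the question can be verified before touching anything. The following script is an added example, not something posted in the thread, and not a Microsoft procedure: it runs the read-only checks the steps above depend on (FSMO placement, functional levels, remaining global catalogs, the old DC's DNS client settings, DHCP option 006 and replication health). It uses the .NET System.DirectoryServices.ActiveDirectory classes, WMI and netsh so it also works on Server 2008 without the ActiveDirectory PowerShell module. The names DC2003, DC1, the address 10.0.0.3 and the scope 10.0.0.0 are placeholders assumed for the example.

```powershell
# Added example (not from the original post). Read-only pre-demotion checks; run from DC1 or DC2
# as a domain admin. Assumed placeholders: DC2003 = DC being demoted (also the DHCP server),
# 10.0.0.3 = its IP, 10.0.0.0 = the only DHCP scope.
$OldDc    = 'DC2003'
$OldDcIp  = '10.0.0.3'
$DhcpHost = 'DC2003'
$Scopes   = @('10.0.0.0')

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# 1. FSMO roles: none may still sit on the DC that is about to be demoted
$roles = @{
    'PDC emulator'   = $domain.PdcRoleOwner.Name
    'RID master'     = $domain.RidRoleOwner.Name
    'Infrastructure' = $domain.InfrastructureRoleOwner.Name
    'Schema master'  = $forest.SchemaRoleOwner.Name
    'Domain naming'  = $forest.NamingRoleOwner.Name
}
foreach ($r in $roles.GetEnumerator()) {
    $state = if ($r.Value -like "$OldDc.*") { 'MOVE BEFORE DEMOTION' } else { 'ok' }
    '{0,-15} {1,-32} {2}' -f $r.Key, $r.Value, $state
}

# 2. Functional levels and global catalogs: at least one GC must remain after DC2003 leaves
"Domain mode: $($domain.DomainMode)   Forest mode: $($forest.ForestMode)"
$remainingGcs = @($forest.GlobalCatalogs | Where-Object { $_.Name -notlike "$OldDc.*" })
"Global catalogs left after demotion: $($remainingGcs.Count) ($(($remainingGcs | ForEach-Object { $_.Name }) -join ', '))"

# 3. DNS client on the old DC: must list DC1 (and DC2), not only itself, before DCPROMO runs
Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $OldDc -Filter 'IPEnabled = TRUE' |
    ForEach-Object { "DNS servers configured on ${OldDc}: $($_.DNSServerSearchOrder -join ', ')" }

# 4. DHCP option 006 (DNS servers): server-level and per-scope values must not hand out the old
#    DC's IP. netsh dhcp requires the DHCP server tools on the machine you run this from.
$dhcpLines = @(netsh dhcp server \\$DhcpHost show optionvalue)
foreach ($s in $Scopes) { $dhcpLines += netsh dhcp server \\$DhcpHost scope $s show optionvalue }
if ($dhcpLines | Select-String -SimpleMatch $OldDcIp) {
    "DHCP still hands out $OldDcIp (check option 006) - point it at DC1/DC2 before demoting"
} else {
    "DHCP options: no reference to $OldDcIp"
}

# 5. Replication must be clean before any DC is demoted
repadmin /replsummary
```

Anything flagged by steps 1, 3 or 4 is fixed before DCPROMO, not after: a role left on the old DC or a DHCP scope still handing out its address is what turns a routine demotion into an outage.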
PberSolutions ArchitectCommented:
Ensure that you adjust the DHCP scopes' DNS settings to point the clients to DC1 and DC2 (in case they still reference DC2003).
Also, I don't think you really need to remove the global catalog prior to the operation.
There may be a chance you need to re-authorize your DHCP server, but that is trivial.
0

PberSolutions ArchitectCommented:
Also, not sure why you are getting these errors: " Event String: While processing a TGS request for the target"
0
RobertSystem AdminCommented:
If the 2003 DC was servicing a different site, don't forget to reassign the subnets in Sites and Services.
The only DHCP setting that may be affected (depending on your configuration) would be the DNS registration setting.
Yes, DHCP can be moved at a later time. It is a separate role and can be separately installed/removed.

If you are also removing DNS from the server (not specifically listed in your steps), check whether DHCP was configured to hand out DNS server addresses in the scope options, for example; that would need to be updated to the other DNS addresses.

You should also raise the forest functional level if you have no other 2003 domain controllers.
1
Nirav04Author Commented:
Pber and Robert,
I have already removed DNS registration from DHCP, so now it's pointing only to DC1 and DC2. I did not list DNS because all forward and reverse zones are AD integrated, and I have checked the DHCP scope and it is only pointing to the DC1 and DC2 IPs.
0
65tdRetiredCommented:
Are the FSMO roles that the 2003 server had moved to the other servers?
Is one of the 2008 DC's a domain time source for the domain?
1
Nirav04Author Commented:
All FSMO roles are on DC1, and I have checked a couple of machines and ran w32tm /query /source; some machines are pulling from DC2003 and some from DC1 and DC2. How do I make sure the time source is either DC1 or DC2 or both?
0
it_saigeDeveloperCommented:
You can only have one time source in a domain; that time source is the DC with the PDCe FSMO role assigned. I usually use a GPO with a WMI filter to ensure that the NTP settings follow the PDCe role: https:/Q_28597899.html/#a40553961

Here is a previous EE PAQ which has a good discussion concerning time synchronization in AD: https:/Q_28646908.html

The discussion thread also includes a post that describes how to clean the NTP slate, as it were: https:/Q_28646908.html#a40698381

One other thing to note: Server 2003 and Server 2008 were still using FRS (as opposed to DFSR). FRS employs a JET database which would become corrupted from time to time. This corruption prevents DCPROMO events from completing. Check to ensure that both of your 2008 servers have completed their DCPROMO process (look for event ID 13508 or 13568): error_13508.png Capture.PNG
If you do have these errors, you will need to reinitialize your FRS replica sets. Microsoft has a TID that discusses the process: http://support.microsoft.com/kb/290762

In a nutshell, the process involves stopping the FRS service, editing the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags setting in the registry and restarting the FRS service.

You first want to ensure that you have stopped the FRS service on all DCs. Then on the 2003 server that holds the PDCe FSMO role, perform the following steps.
1. Modify the registry setting for the BurFlags key using a value of D4.
2. Restart the FRS service.
On your remaining DCs:
1. Modify the registry setting for the BurFlags key using a value of D2.
2. Restart the FRS service.
Look for event 13516 to indicate that FRS is no longer preventing the 2012 server from becoming a domain controller.

After you do this and complete the demotion of your 2003 server, if you have 2008R2 on your remaining DC's, I would highly recommend that you migrate from FRS to DFSR.

https://blogs.technet.microsoft.com/filecab/2014/06/25/streamlined-migration-of-frs-to-dfsr-sysvol/

-saige-
0
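The BurFlags procedure above is easy to get wrong in the one way that matters (D4 on more than one DC, or on a DC while FRS is still running elsewhere). The script below is an added example, not part of the post above or of KB 290762: it wraps the same steps in a function with a guard that refuses the authoritative (D4) reset unless NtFrs is stopped on every DC in the domain, and then waits for the FRS event that tells you the outcome (13516 = recovered, 13508/13568 = still broken). The registry key is opened through .NET rather than the HKLM: provider because the provider splits the key name on the "/" in "Backup/Restore". Run it elevated on each DC; the DC you choose as authoritative is an assumption you make (the PDCe holder in this thread).

```powershell
# Added example (not from the thread). Same BurFlags reset as KB 290762, with a guard rail.
# Run elevated on the DC being reset. Use -Authoritative on exactly one DC, start that one
# first, wait for its 13516, then run the non-authoritative form on every other DC.
function Reset-FrsReplica {
    param([switch]$Authoritative)

    # Key name contains "/", which the HKLM: provider treats as a path separator; .NET does not
    $keyPath  = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $burFlags = if ($Authoritative) { 0xD4 } else { 0xD2 }

    if ($Authoritative) {
        # D4 while FRS still runs on another DC can push stale SYSVOL content over live data,
        # so refuse unless NtFrs is stopped on every DC in the domain first
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        foreach ($dc in $domain.DomainControllers) {
            $svc = Get-Service -ComputerName $dc.Name -Name NtFrs
            if ($svc.Status -ne 'Stopped') {
                throw "NtFrs is still $($svc.Status) on $($dc.Name); stop it on all DCs before an authoritative reset"
            }
        }
    }

    Stop-Service NtFrs -ErrorAction SilentlyContinue    # no-op if already stopped
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
    $key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    $since = Get-Date
    Start-Service NtFrs

    # 13516: FRS finished the restore and this DC can advertise again; 13508/13568: still failing
    "BurFlags set to 0x{0:X} on {1}; waiting for FRS event 13516 (or 13508/13568)..." -f $burFlags, $env:COMPUTERNAME
    do {
        Start-Sleep -Seconds 30
        $ev = Get-EventLog -LogName 'File Replication Service' -After $since |
              Where-Object { @(13516, 13508, 13568) -contains $_.EventID } |
              Select-Object -First 1
    } until ($ev)
    $ev | Format-List TimeGenerated, EventID, Message
}

# Usage (run on the chosen authoritative DC first, then on the others):
#   Reset-FrsReplica -Authoritative
#   Reset-FrsReplica
```

A D2 reset only re-pulls SYSVOL from a partner; the D4 reset declares this DC's copy of SYSVOL the truth for the whole domain, which is why the function insists every other FRS instance is down before it will set D4.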
Nirav04Author Commented:
I have checked the registry settings for w32time, and only DC1, which is the FSMO role holder, is set up for NTP using an external time source; DC2 and DC2003 are set to NT5DS.

Any where else I can check?
0
it_saigeDeveloperCommented:
That is the way it should be; NT5DS is DOMHIER. Everything that is attached to the domain, with the exception of the DC holding the PDCe FSMO role, should be using NT5DS.

https://www.angryadmin.co.uk/?tag=nt5ds

-saige-
0
Nirav04Author Commented:
Hi Saige,

All FSMO roles are on DC1, and I have checked a couple of machines and ran w32tm /query /source; some machines are pulling from DC2003 and some from DC1 and DC2. Is this normal?

I have checked the event logs on both DC1 and DC2 for the File Replication Service and did not find event ID 13508/13568; the last event was from 12/6.
Now I'm just concerned about the time service.
0
PberSolutions ArchitectCommented:
Some clients will still pull their time from DC2003 until it is removed, as DC2003 is still an authenticating DC. This is normal. As Saige mentioned, since your DC1 is holding the PDCe FSMO role, it is the master and your domain will automatically follow suit.
0
it_saigeDeveloperCommented:
When I mentioned 'time source' above, I meant 'polling time source'. Both member servers and member computers source their time from the DOMHIER, and *any* DC is qualified to be a time source for domain members.

Only one DC (the PDCe FSMO holder) is qualified to poll extradomain time sources and is therefore a polling time source.

-saige-
0
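The time hierarchy discussed in the last few posts (only the PDCe polls outside the domain, every other DC and member follows DOMHIER) can be enforced and verified with w32tm. The script below is an added example, not from any post in the thread: it decides the machine's role with the same WMI property the PDCe GPO filter uses (Win32_ComputerSystem.DomainRole = 5 for the PDC emulator), applies the matching w32tm configuration, and prints what the machine is actually syncing from. Run it elevated on each 2008 DC and on any member you want to re-home; the NTP pool host names are placeholders (an assumption), and w32tm /query does not exist on Server 2003, so the verification part is for 2008 and later.

```powershell
# Added example (not from the thread). Make the PDCe the only external NTP poller and put
# everything else on the domain hierarchy, then verify. External peers are placeholders.
# 0x8 after a peer = client mode (send request, do not expect symmetric-active replies).
$ExternalPeers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'

# DomainRole: 5 = PDC emulator, 4 = other DC, 3 = member server, 1 = member workstation.
# "SELECT * FROM Win32_ComputerSystem WHERE DomainRole = 5" is the usual GPO WMI filter
# for the PDCe, so a GPO built on it follows the role if it is ever transferred.
$cs   = Get-WmiObject Win32_ComputerSystem
$role = $cs.DomainRole

switch ($role) {
    5 {
        # PDCe: poll the external list and advertise itself as a reliable source to the domain
        w32tm /config /manualpeerlist:"$ExternalPeers" /syncfromflags:manual /reliable:yes /update
    }
    4 {
        # any other DC: drop leftover manual peers, follow DOMHIER, stop claiming to be reliable
        w32tm /config /syncfromflags:domhier /reliable:no /update
    }
    default {
        # member server or workstation: follow DOMHIER (NT5DS)
        w32tm /config /syncfromflags:domhier /update
    }
}

# Force the service to re-read its config and pick a new upstream now instead of at next poll
w32tm /resync /rediscover

# Verify. Type must be NTP on the PDCe and NT5DS everywhere else; Source on a member will be
# whichever DC the locator handed it, which is why members still showed DC2003 before demotion.
$type = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
"{0}: DomainRole={1}, W32Time Type={2}" -f $cs.Name, $role, $type
w32tm /query /source
w32tm /query /status

# Offsets of every DC in the domain against this machine; large or growing offsets mean
# a DC is not following the hierarchy
w32tm /monitor /domain:$($cs.Domain)
```

If a member still reports the old DC as its source after demotion, w32tm /resync /rediscover on that member makes it re-run DC discovery; nothing on the member needs to change as long as its Type is NT5DS.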
Nirav04Author Commented:
Will demotion also remove DNS, which is AD integrated?
0
Nirav04Author Commented:
Windows 2003 server demotion was successful :-) I removed DNS from Add/Remove Windows Components. Anything else I need to check on the DC1 and DC2 servers?
0
Nirav04Author Commented:
In DNS, should I remove the Host (A) record for DC2003 that is named "(same as parent folder)"?
0
it_saigeDeveloperCommented:
You can remove the 2003 entry from the Name Servers tab in the top-level domain (TLD) properties (Capture.PNG).
-saige-
0
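The two follow-up questions above (what else to check on DC1 and DC2, and whether DNS still carries entries for the old DC) come down to a residue scan. The script below is an added example, not from the thread: it lists the Sites and Services server and subnet objects, asks the domain for its current DC list, queries the zone-root NS and A records (the A records shown as "(same as parent folder)" are exactly these zone-root entries), the _msdcs NS records and the DC locator SRV records, and finally exports the whole zone and greps it for the old name and address. It is run from DC1; DC2003, 10.0.0.3 and corp.example.com are placeholders assumed for the example.

```powershell
# Added example (not from the thread). Post-demotion residue scan; run from DC1 as a domain
# admin. Placeholders: DC2003 = demoted DC, 10.0.0.3 = its old IP, corp.example.com = AD domain.
$OldDc   = 'DC2003'
$OldDcIp = '10.0.0.3'
$Zone    = 'corp.example.com'
$DnsSrv  = 'DC1'

# 1. Sites and Services: a clean DCPROMO removes the server object. If it is still listed,
#    the old DC's metadata must be cleaned up (ntdsutil) and its site's subnets re-assigned.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
foreach ($site in $forest.Sites) {
    $servers = ($site.Servers | ForEach-Object { $_.Name }) -join ', '
    $subnets = ($site.Subnets | ForEach-Object { $_.Name }) -join ', '
    "Site $($site.Name): servers = [$servers]; subnets = [$subnets]"
    $site.Servers | Where-Object { $_.Name -like "$OldDc*" } |
        ForEach-Object { "  !! server object for $OldDc still present in site $($site.Name)" }
}

# 2. DC list as the domain advertises it now (old DC must be absent)
nltest /dclist:$Zone

# 3. DNS records that DCPROMO/netlogon should have withdrawn: zone-root NS and A
#    ("(same as parent folder)"), _msdcs NS, and DC locator SRV records
$dnsLines = @()
$dnsLines += nslookup -type=NS  $Zone $DnsSrv
$dnsLines += nslookup -type=A   $Zone $DnsSrv
$dnsLines += nslookup -type=NS  "_msdcs.$Zone" $DnsSrv
$dnsLines += nslookup -type=SRV "_ldap._tcp.dc._msdcs.$Zone" $DnsSrv
$dnsLines += nslookup -type=SRV "_kerberos._tcp.$Zone" $DnsSrv
$hits = $dnsLines | Select-String -SimpleMatch -Pattern $OldDc, $OldDcIp
if ($hits) { "DNS still references the old DC:"; $hits } else { "DNS: no NS/A/SRV reference to $OldDc or $OldDcIp" }

# 4. Whole-zone sweep: dnscmd writes the export to %SystemRoot%\system32\dns on the DNS server,
#    so read it back over the admin$ share and grep for the old name and address
$export = 'post-demotion-scan.txt'
dnscmd $DnsSrv /zoneexport $Zone $export | Out-Null
Get-Content "\\$DnsSrv\admin`$\system32\dns\$export" | Select-String -SimpleMatch -Pattern $OldDc, $OldDcIp

# 5. Replication and overall health of what is left
repadmin /replsummary
dcdiag /q
```

A zone-root A record that still points at 10.0.0.3 after a successful demotion is stale and can be deleted; the same goes for a leftover NS record. An A record at the zone root for any other address belongs to a DC that is still there (every DC registers one), which is the case the last two posts in this thread turned out to be.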
Nirav04Author Commented:
Hi saige,

I already removed the name server entry, but the "(same as parent folder)" Host (A) record for DC2003 is still there; should I remove that?
0
it_saigeDeveloperCommented:
Can you show a screen shot of the entry?

-saige-
0
Nirav04Author Commented:
Sorry, I was mistaken; that entry is for a different host.
0
Nirav04Author Commented:
Thank you, everyone, for all your help, much appreciated.
0