Nirav04 asked:

Remove the Windows 2003 Domain Controller

Hello,

I'm planning to demote the Windows 2003 DC this weekend, and after researching the process I believe the following needs to be done and want to make sure my understanding is correct.
Current Environment:
DC2003 running Windows 2003 (AD, DNS, DHCP, File Server)
DC1 running Windows 2008
DC2 running Windows 2008

Ran DCDIAG; report attached.
DC1 has all FSMO roles.
All three domain controllers are global catalog servers.
Domain Functional level: 2003 (screenshot attached)

Steps to demote:
Remove DC2003 as a global catalog server. (maybe reboot afterward)
Change DC2003 DNS to point to DC1.
Run DCPROMO and keep DC2003 as a member server.
After successful removal, change the domain functional level to 2008.

Should this change affect DHCP? Can I move the DHCP role at a later time?
Am I missing anything?

Can someone please review this and let me know if the steps are correct?

Thank you,
dcdiag12142017.txt
2017-12-14_14-30-38.png
ASKER CERTIFIED SOLUTION
Pber
This solution is only available to members.
Also, not sure why you are getting these errors: "Event String: While processing a TGS request for the target"
If the 2003 DC was servicing a different site, don't forget to reassign the subnets in Sites and Services.
The only setting that may be affected (depending on your configuration) for DHCP would be the DNS registration setting.
Yes DHCP can be moved at a later time. It is a separate role and can be separately installed / removed.

If you are also removing DNS from the server (not specifically listed in your steps), check whether DHCP was configured to hand out the DNS server address in the scope options, for example; that would need to be updated to the other DNS address.

You should also increase the Forest Functional Level if you have no other 2003 domain controllers.
Nirav04 (ASKER):

Pber and Robert,
I have already removed DNS registration from DHCP, so now it's pointing only to DC1 and DC2. I did not list DNS because all forward and reverse zones are AD integrated, and I have checked the DHCP scope and it's only pointing to the DC1 and DC2 IPs.
Are the FSMO roles that the 2003 server had moved to the other servers?
Is one of the 2008 DCs a domain time source for the domain?
Nirav04 (ASKER):

All FSMO roles are on DC1, and I have checked a couple of machines and ran w32tm /query /source; some machines are pulling from DC2003 and some from DC1 and DC2. How do I make sure the time source is either DC1 or DC2 or both?
SOLUTION
This solution is only available to members.
Nirav04 (ASKER):

I have checked the registry setting for w32, and only DC1, which is the FSMO roles holder, is set up for NTP using an external time source; DC2 and DC2003 are set for NT5DS.

Anywhere else I can check?
That is the way it should be; NT5DS is DOMHIER. Everything that is attached to the domain, with the exception of the DC holding the PDCe FSMO role, should be using NT5DS.

https://www.angryadmin.co.uk/?tag=nt5ds

-saige-
Nirav04 (ASKER):

Hi Saige,

All FSMO roles are on DC1, and I have checked a couple of machines and ran w32tm /query /source; some machines are pulling from DC2003 and some from DC1 and DC2. Is this normal?

I have checked the event logs on both DC1 and DC2 for the File Replication Service and did not find event ID 13508/13568; the last event ID was from 12/6.
Now I'm just concerned about the time service.
Some clients will still pull their time from DC2003 until it is removed, as DC2003 is still an authenticating DC. This is normal. As Saige mentioned, since your DC1 is holding the PDCe FSMO role he is master and your domain will automatically follow suit.
When I mentioned 'time source' above, I meant 'polling time source'.  Both member servers and member computers source their time from the DOMHIER and *any* DC is qualified to be a time source for domain members.

Only one DC (the PDCe FSMO holder) is qualified to poll extradomain time sources and is therefore a polling time source.

-saige-
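
Added example, not part of any participant's post: one way to audit the time hierarchy described above across all DCs at once, by reading each DC's W32Time `Type` value and comparing it with the expectation stated in the thread (NTP on the PDCe holder, NT5DS everywhere else). It assumes it is run from a domain-joined machine with administrative rights and that the Remote Registry service is reachable on each DC; the variable names and report columns are illustrative.

```powershell
# Added example (not from the thread): audit W32Time config on every DC.
# Expectation taken from the thread: PDCe holder -> Type=NTP,
# every other DC -> Type=NT5DS (domain hierarchy).
$domain  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc     = $domain.PdcRoleOwner.Name
$keyPath = 'SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

$report = foreach ($dc in $domain.DomainControllers) {
    $type = $null
    $ntpServer = $null
    try {
        # Needs Remote Registry and admin rights on the target DC.
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.Name)
        $key  = $hklm.OpenSubKey($keyPath)
        $type      = $key.GetValue('Type')
        $ntpServer = $key.GetValue('NtpServer')
        $hklm.Close()
    } catch {
        # Keep going so one unreachable DC does not hide the others.
        $type = "unreadable: $($_.Exception.Message)"
    }

    $isPdc    = ($dc.Name -eq $pdc)
    $expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }

    New-Object PSObject -Property @{
        DC        = $dc.Name
        IsPDCe    = $isPdc
        Type      = $type
        Expected  = $expected
        NtpServer = $ntpServer
        OK        = ($type -eq $expected)
    }
}

# A demoted DC should no longer appear in this list at all.
$report | Select-Object DC, IsPDCe, Type, Expected, OK, NtpServer |
    Format-Table -AutoSize

# Surface only the DCs whose configuration deviates from the expectation.
$bad = @($report | Where-Object { -not $_.OK })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} DC(s) deviate from the expected time configuration." -f $bad.Count)
}
```

Running it again after the demotion confirms both that the remaining DCs still follow the hierarchy and that the old DC is gone from the domain controller list.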
Nirav04 (ASKER):

Will demotion also remove DNS, which is AD integrated?
Nirav04 (ASKER):

Windows 2003 server demotion was successful :-) Removed DNS from Add/Remove Components. Anything else I need to check for on the DC1 and DC2 servers?
Nirav04 (ASKER):

In DNS, there is a Host A record for DC2003 which is named (same as parent folder); should I remove this entry?
You can remove the 2003 entry from the Name Servers tab in the top-level domain (tld) properties.
-saige-
Nirav04 (ASKER):

Hi saige,

I already removed the name server entry, but the (same as parent folder) Host A DC2003 is still there; should I remove that?
Can you show a screen shot of the entry?

-saige-
Nirav04 (ASKER):

Sorry, I was mistaken; that entry is for a different host.
Nirav04 (ASKER):

Thank you, everyone, for all your help, much appreciated.