PDIS
Decommissioning 2008 DC
I have a 2008 DC that I need to decommission. I shut it down just to make sure it wouldn't cause any problems when I remove it, and when I did that I had one developer that had issues logging in to any of the servers he normally accesses with his credentials. He also couldn't access any of his mappings for Microsoft Visual Studio. I'm not really sure where to start troubleshooting this issue.
ASKER
I know I don't need to shut it down to decommission, I was testing to see if there would be any issues before decommissioning.
I have a total of 4 DCs including this one.
- 1 - 2008 (this is the one I'm trying to decommission)
- 1 - 2012
- 2 - 2016
This is part of a project to move to Exchange Online, which requires a 2016 Exchange server in house, which requires a domain/forest functional level of 2008r2 or above.
I have had the 2012 DC and one of the 2016DCs up and running for at least a couple of years. I added the second 2016DC a couple of months ago.
When I run repadmin /showrepl from the 2008 server, everything comes back as successful to my two 2016 DCs, but it does not show anything for the 2012 DC.
When I run repadmin /showrepl from my 2016 server that holds all the FSMO roles, I get successful replication for the 2008 and 2012 DCs; it does not mention my other 2016 DC. I do get the following failure, twice:
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied
Please tell developer to reboot his machine, he is probably authenticating on the DC you shut down.
After reboot he should not have any more problems.
What domain functional level are you at?
Thanks
Alex
For safety, what I do is move the (FSMO) roles to another DC and make sure it replicates to the new DC using the command repadmin /showrepl.
Wait for 1-2 days. Check the new DC replication and health again. If everything works fine, shut down the 2008 DC for 1-2 days to make sure there is no impact on your business and other apps used. If everything works as expected, start the server and decommission the server.
Run this command to make sure FSMO is transferred from DC or ADC.
netdom query fsmo
Here is a video on how to decommission 2008: https://www.youtube.com/watch?v=e10tubWpvq4
You can see your current Domain Functional level using the article below:
http://www.aitek.ch/active-directory-how-to-check-domain-and-forest-functional-level/
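The checks described in the answer above, as an added example that is not part of the original post: it parses the output of `netdom query fsmo` and `repadmin /showrepl * /csv` and reports whether the old DC still holds a role, whether any link is failing, and whether any DC receives changes only from the old DC. The host names, domain and sample output are constructed.

```powershell
# Added example: names and sample output below are constructed, not from the thread.
$OldDc = 'DC2008'   # hypothetical name of the DC being retired

# Live: $fsmo = netdom query fsmo
$fsmo = @'
Schema master               DC2016A.corp.example
Domain naming master        DC2016A.corp.example
PDC                         DC2016A.corp.example
RID pool manager            DC2016A.corp.example
Infrastructure master       DC2016A.corp.example
The command completed successfully.
'@ -split "`r?`n"

# Live: $repl = repadmin /showrepl * /csv | ConvertFrom-Csv   (elevated prompt)
$repl = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site1,DC2016A,"DC=corp,DC=example",Site1,DC2008,RPC,0,0,2019-01-10 09:14:02,0
showrepl_INFO,Site1,DC2016A,"DC=corp,DC=example",Site1,DC2012,RPC,0,0,2019-01-10 09:14:05,0
showrepl_INFO,Site1,DC2008,"DC=corp,DC=example",Site1,DC2016A,RPC,0,0,2019-01-10 09:13:40,0
showrepl_INFO,Site1,DC2012,"DC=corp,DC=example",Site1,DC2016A,RPC,2,2019-01-10 09:00:11,2019-01-09 22:15:30,1722
showrepl_INFO,Site1,DC2016B,"DC=corp,DC=example",Site1,DC2008,RPC,0,0,2019-01-10 09:12:58,0
'@ | ConvertFrom-Csv

# 1. FSMO lines that still name the old DC as role holder.
$pattern    = '\s{2,}' + [regex]::Escape($OldDc) + '(\.|\s*$)'
$rolesOnOld = @($fsmo | Where-Object { $_ -match $pattern })

# 2. Replication links reporting one or more consecutive failures.
$failed = @($repl | Where-Object { [int]$_.'Number of Failures' -gt 0 })

# 3. DCs whose only inbound partner for a naming context is the old DC.
$fedOnlyByOld = @($repl |
    Where-Object { $_.'Destination DSA' -ne $OldDc } |
    Group-Object -Property 'Destination DSA', 'Naming Context' |
    Where-Object { -not ($_.Group.'Source DSA' | Where-Object { $_ -ne $OldDc }) })

[pscustomobject]@{
    FsmoRolesOnOldDc  = $rolesOnOld.Count
    FailingLinks      = $failed | ForEach-Object { "$($_.'Source DSA') -> $($_.'Destination DSA') (status $($_.'Last Failure Status'))" }
    DcsFedOnlyByOldDc = $fedOnlyByOld | ForEach-Object { $_.Group[0].'Destination DSA' }
    SafeToProceed     = -not ($rolesOnOld.Count -or $failed.Count -or $fedOnlyByOld.Count)
}
```

With the constructed sample, the result flags the failing DC2016A -> DC2012 link and DC2016B as fed only by DC2008, so `SafeToProceed` is `False`.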
Also adding to Alex's questions, how many sites do you have and what is the configuration?
Which / how many DCs do you have as GC, and how is the replication topology configured?
Is the TIME matching on all DCs?
ASKER
1. My Domain Functional Level is 2008
2. My Forest Functional Level is 2003
3. The four domain controllers mentioned are all in the same site.
4. All four domain controllers are also GCs
5. I do have another location that is on a separate domain. The domains have a two-way transitive trust. Currently there is only one DC there and it is 2008r2; I am in the process of adding a second 2016 DC.
6. The time does match on all 4 DCs, plus the one on the other site
7. I ran the netdom query fsmo and all are pointing to the 2016 DC I moved them to
In which case, given that replication is working, I'd go about decommissioning your 2008 box.
If you run CMD as admin and then run repadmin again it should pull the details. 2008 requires "Run as Admin" for it to work properly.
Thanks
Alex
Mas,
Realistically he should be going to 2016 if that's his latest DC level, I think Microsoft put it as "If you don't have a reason not to do it JFDI" :-)
Cheers
Alex
Agree with Alex.
You can raise to 2016 but you should have all DCs 2016.
Yeah, it will put anything below that out of commission.
ASKER
When I run the repadmin /showrepl from an elevated command prompt it comes back with no errors.
But this still doesn't explain why the one developer had all the issues. I will try shutting down the 2008DC again and have him reboot. If that works I will decommission it.
Thank you all for your help.
It's ok,
As previously stated, it'll be that he was connecting to that DC for authentication. With a reboot it should be fine.
You could always just flat out decommission it. That'll work just as well as turning it off. If anything better since it'll remove it from AD completely :-)
Secondly, more information please.
When you let me know that, we'll look at the problem.
Thanks
Alex