Thursday, September 19, 2013

Decommission Windows 2003 Domain Controller

Decommission Windows 2003 domain controller and transferring roles over

 

 

1.     View the current operations master role holders

To view the current operations master role holder

1.      Click Start, click Run, type ntdsutil, and then press ENTER.

2.      At the ntdsutil: prompt, type roles and press ENTER.

3.      At the fsmo maintenance: prompt, type connections and press ENTER.

4.      At the server connections: prompt, type connect to server servername (where servername is the name of the domain controller that belongs to the domain containing the operations masters).

5.      After receiving confirmation of the connection, type quit and press ENTER to exit this menu.

6.      At the fsmo maintenance: prompt, type select operation target and press ENTER.

7.      At the select operations target: prompt, type list roles for connected server and press ENTER.

The system responds with a list of the current roles and the Lightweight Directory Access Protocol (LDAP) name of the domain controllers currently assigned to host each role.

Type quit and press ENTER to exit each prompt in Ntdsutil.exe. Type quit and press ENTER at the ntdsutil: prompt to close the window.

 

2.     Transfer the schema master

1.       Open the Active Directory Schema snap-in.

2.       In the console tree, right-click Active Directory Schema, and click Change Domain Controller.

3.       In the Change Domain Controller dialog box, click Specify Name. Then, in the text box, type the name of the server to which you want to transfer the schema master role. Click OK.

4.       In the console tree, right-click Active Directory Schema. Click Operations Master. The Change Schema Master box displays the name of the server that is currently holding the role. The targeted domain controller is listed in the second box.

5.       Click Change. Click Yes to confirm your choice. The system confirms the operation. Click OK again to confirm that the operation succeeded.

6.       Click Close to close the Change Schema Master dialog box.

 

3.     Transfer the domain naming master

1.       Open Active Directory Domains and Trusts.

2.       In the console tree, right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

3.       Ensure that the proper domain name is entered in the Domain box.

                                                                          i.      The available domain controllers from this domain are listed.

4.       In the Name column, click the domain controller (to select it) to which you want to transfer the role. Click OK.

5.       Right-click Active Directory Domains and Trusts, and then click Operations Master.

6.       The name of the current domain naming master appears in the first text box. The server to which you want to transfer the role should appear in the second text box. If this is not the case, repeat steps 1 through 4.

7.       Click Change. To confirm the role transfer, click Yes. Click OK again to close the message box indicating the transfer took place. Click Close to close the Change Operations Master dialog box.

 

4.     Transfer the domain-level operations master roles

 

1.      Open Active Directory Users and Computers.

2.      At the top of the console tree, right-click Active Directory Users and Computers. Click Connect to Domain Controller.

3.      In the list of available domain controllers, click the name of the server to which you want to transfer the role, and then click OK.

4.      At the top of the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Masters.

5.      The name of the current operations master role holder appears in the Operations master box. The name of the server to which you want to transfer the role appears in the lower box.

Click the tab for the role you want to transfer: RID, PDC, or Infrastructure. Verify the computer names that appear and then click Change. Click Yes to transfer the role, and then click OK.

6.      Repeat steps 4 and 5 for each role that you want to transfer.

 

5.     Determine whether a domain controller is a global catalog server

 

1.      Open Active Directory Sites and Services.

2.      In the console tree, expand the Sites container, expand the site of the domain controller you want to check, expand the Servers container, and then expand the Server object.

3.      Right-click the NTDS Settings object, and then click Properties.

4.      On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.

 

6.      Verify DNS registration and functionality

IPv6 Can Cause failures

1.       Open a Command Prompt.

2.       Type the following command, and then press ENTER:

netdiag /test:dns /v

·         On a Windows Server 2008 or Windows Server 2008 R2 computer, type the following command, and then press ENTER:

dcdiag /test:dns /v

3.       If DNS is functioning, the last line of the response for all operating system versions is

DNS Test…..: Passed. The verbose option lists specific information about what was tested. This information can help with troubleshooting if the test fails.

If the test fails, do not attempt any additional steps until you determine and fix the problem that prevents proper DNS functionality.

               1 test failure on this DNS server

            

            DNS server: 2001:500:2d::d (d.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d

            DNS server: 2001:500:2f::f (f.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f

            DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)

               1 test failure on this DNS server

               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30

             

 

7.      Verify communication with other domain controllers

During the removal of Active Directory, contact with other domain controllers is required to ensure:

    • Any un-replicated changes are replicated to another domain controller.
    • Removal of the domain controller from the directory.
    • Transfer of any remaining operations master roles.

If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you used during the installation of Active Directory.

1.      Open a Command Prompt.

2.      On a Windows Server 2003 computer, type the following command, and then press ENTER:

netdiag /test:dsgetdc

If domain controllers are successfully located, the last line of the response is DC discovery test……..: Passed. The verbose option lists the specific domain controllers that are located.

On a Windows Server 2008 or Windows Server 2008 R2 computer, type the following command, and then press ENTER:

nltest /dclist:yourdomain.org

If domain controllers are successfully located, the last line of the response is The command completed successfully.

If the tests fail on any of the operating system versions, do not attempt any additional steps until you determine and fix the problem that prevents communication with other domain controllers.

 

8.     Verify the availability of the operations masters

1.      Open a Command Prompt.

2.      Type the following command to ensure that the operations masters can be located and then press ENTER:

dcdiag /s:yourserver /test:knowsofroleholders /v

dcdiag /s:yourotherserver /test:knowsofroleholders /v

The verbose option provides a detailed list of the operations masters that were tested. Near the bottom of the screen, a message confirms that the test succeeded. If you use the verbose option, look carefully at the bottom part of the displayed output. The test confirmation message appears immediately after the list of operations masters. Press ENTER.

9.      Type the following command to ensure that the operations masters are functioning properly and are available on the network:

dcdiag /s:yourserver /test:fsmocheck

dcdiag /s:yourotherserver /test:fsmocheck

·         If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the uninstallation is also likely to fail.

 

10.               If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed.

To export a certificate with the private key

1.       Open the Certificates console for the user, computer, or service you want to manage.

2.       In the console pane, select the certificate store and container holding the certificate that you want to export.

3.       In the details pane, click the certificate you want to export.

4.       On the Action menu, point to All Tasks, and then click Export.

5.       In the Certificate Export Wizard, click Yes, export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)

6.       Under Export File Format, do one or all of the following, and then click Next.

1.       To include all certificates in the certification path, select the Include all certificates in the certification path if possible check box.

2.       To enable strong protection, select the Enable strong protection (requires IE 5.0, NT 4.0 SP4 or above) check box.

3.       To delete the private key if the export is successful, select the Delete the private key if the export is successful check box.

1.       In Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.

2.       In File name, type a file name and path for the PKCS #12 file that will store the exported certificate and private key, click Next, and then click Finish.

Note

  • If a certificate was issued from a Windows Server 2003 certification authority, the private key for that certificate is only exportable if the certificate request was made via the Advanced Certificate Request certification authority Web page with the Mark keys as exportable check box selected, or if the certificate is for EFS (Encrypting File System) or EFS recovery.
  • Strong protection (also known as iteration count) is enabled by default in the Certificate Export Wizard when you export a certificate with its associated private key.

    Strong protection is not compatible with older programs, so you need to clear the Enable strong protection option if you are going to use the private key with any browser earlier than Microsoft Internet Explorer 5.
  • After the Certificate Export Wizard is finished, the certificate will remain in the certificate store in addition to being in the newly-created file. If you want to remove the certificate from the certificate store, you will need to delete it.

11.               Uninstall Active Directory

  1. Click Start, click Run, type dcpromo and then click OK.
  2. The Active Directory Installation Wizard appears. Click Next at the Welcome screen.
  3. You have an option to select This server is the last domain controller in the domain. If you select this option, the wizard attempts to remove the domain from the forest. Do not select this option. Click Next.
  4. At the Administrative Password screen, enter and confirm the password that you want to assign to the local Administrator account after Active Directory is removed. Click Next.
  5. At the Summary screen, verify that the information is correct and then click Next to proceed with the removal.
  6. The wizard proceeds to remove Active Directory. After it finishes, the wizard displays a completion screen. Click Finish to close the wizard.
  7. Click Restart to restart the domain controller.

You may experience an error during the demotion of the Source server, namely:

Active Directory Installation Wizard

The operation failed because:

Failed to configure the service NETLOGON as requested

“The wait operation timed out.”

Go ahead and Click "OK". Then click "Back" until you are at the Welcome screen of the "Active Directory Installation Wizard". Then next back through everything and the demotion process should complete correctly.

12.               Uninstall DNS services

Delete any old records

13.               If the domain controller hosts encrypted documents and you backed up the certificate and private key before you remove Active  Directory, perform the following procedure to re-import the certificate to the server:

 

 

Posted by at No comments:
Labels: , , , ,
Subscribe to: Posts (Atom)