Decommission Windows 2003
domain controller and transferring roles over
1.
View
the current operations master role holders
To view the current operations master role holder
1.
Click Start, click Run, type ntdsutil,
and then press ENTER.
2.
At the ntdsutil: prompt, type roles
and press ENTER.
3.
At the fsmo maintenance: prompt, type connections
and press ENTER.
4.
At the server connections: prompt, type connect
to server servername (where servername is the name
of the domain controller that belongs to the domain containing the operations
masters).
5.
After receiving confirmation of the connection, type quit
and press ENTER to exit this menu.
6.
At the fsmo maintenance: prompt, type select
operation target and press ENTER.
7.
At the select operations target: prompt, type list
roles for connected server and press ENTER.
The system responds with a list of the current
roles and the Lightweight Directory Access Protocol (LDAP) name of the domain
controllers currently assigned to host each role.
Type quit and press ENTER to exit
each prompt in Ntdsutil.exe. Type quit and press ENTER at the ntdsutil:
prompt to close the window.
2.
Transfer
the schema master
1.
Open the Active Directory Schema
snap-in.
2.
In the console tree, right-click Active
Directory Schema, and click Change Domain Controller.
3.
In the Change Domain Controller
dialog box, click Specify Name. Then, in the text box, type the name of
the server to which you want to transfer the schema master role. Click OK.
4.
In the console tree, right-click Active
Directory Schema. Click Operations Master. The Change Schema
Master box displays the name of the server that is currently holding the
role. The targeted domain controller is listed in the second box.
5.
Click Change. Click Yes
to confirm your choice. The system confirms the operation. Click OK
again to confirm that the operation succeeded.
6.
Click Close to close the Change
Schema Master dialog box.
3.
Transfer
the domain naming master
1.
Open Active Directory Domains and
Trusts.
2.
In the console tree, right-click Active
Directory Domains and Trusts, and then click Connect to Domain
Controller.
3.
Ensure that the proper domain name
is entered in the Domain box.
i.
The available domain controllers from
this domain are listed.
4.
In the Name
column, click the domain controller (to select it) to which you want to
transfer the role. Click OK.
5.
Right-click Active
Directory Domains and Trusts, and then click Operations Master.
6.
The name of the current domain naming
master appears in the first text box. The server to which you want to transfer
the role should appear in the second text box. If this is not the case, repeat
steps 1 through 4.
7.
Click Change. To
confirm the role transfer, click Yes. Click OK
again to close the message box indicating the transfer took place. Click Close
to close the Change Operations Master dialog box.
4.
Transfer
the domain-level operations master roles
1. Open Active Directory Users and
Computers.
2. At the top of the console tree,
right-click Active Directory Users and Computers. Click Connect
to Domain Controller.
3. In the list of available
domain controllers, click the name of the server to which you want to
transfer the role, and then click OK.
4. At the top of the console tree,
right-click Active Directory Users and Computers, point to All
Tasks, and then click Operations Masters.
5. The name of the current
operations master role holder appears in the Operations master
box. The name of the server to which you want to transfer the role appears in
the lower box.
Click
the tab for the role you want to transfer: RID, PDC,
or Infrastructure. Verify the computer names that appear and
then click Change. Click Yes to transfer the
role, and then click OK.
6. Repeat
steps 4 and 5 for each role that you want to transfer.
5.
Determine
whether a domain controller is a global catalog server
1. Open Active Directory Sites and
Services.
2. In the console tree, expand the Sites
container, expand the site of the domain controller you want to check, expand
the Servers container, and then expand the Server object.
3. Right-click the NTDS
Settings object, and then click Properties.
4. On the General
tab, if the Global Catalog box is selected, the domain
controller is designated as a global catalog server.
6.
Verify
DNS registration and functionality
IPv6 Can Cause
failures
1.
Open a Command
Prompt.
2.
Type the following
command, and then press ENTER:
netdiag
/test:dns /v
·
On a Windows
Server 2008 or Windows Server 2008 R2 computer, type the following command, and
then press ENTER:
dcdiag
/test:dns /v
3.
If DNS is
functioning, the last line of the response for all operating system versions is
DNS Test…..:
Passed. The
verbose option lists specific information about what was tested. This
information can help with troubleshooting if the test fails.
If the test fails, do
not attempt any additional steps until you determine and fix the problem that
prevents proper DNS functionality.
|
1 test failure on this DNS server
DNS server: 2001:500:2d::d (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
failed on the DNS server 2001:500:2d::d
DNS server: 2001:500:2f::f (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
failed on the DNS server 2001:500:2f::f
DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa
failed on the DNS server 2001:503:ba3e::2:30
|
7. Verify
communication with other domain controllers
During the removal of
Active Directory, contact with other domain controllers is required to ensure:
- Any un-replicated changes are replicated to
another domain controller.
- Removal of the domain controller from the
directory.
- Transfer of any remaining operations master
roles.
If the domain controller cannot
contact the other domain controllers during Active Directory removal, the
decommissioning operation fails. As with the installation process, test the
communication infrastructure prior to running the installation wizard. When you
remove Active Directory, use the same connectivity tests that you used during
the installation of Active Directory.
1. Open a Command
Prompt.
2. On a Windows
Server 2003 computer, type the following command, and then press ENTER:
netdiag
/test:dsgetdc
If domain controllers are successfully
located, the last line of the response is DC discovery test……..: Passed.
The verbose option lists the specific domain controllers that are located.
On a Windows Server 2008 or Windows
Server 2008 R2 computer, type the following command, and then
press ENTER:
nltest /dclist:yourdomain.org
If domain controllers are successfully
located, the last line of the response is The command completed successfully.
If the tests fail on any of the
operating system versions, do not attempt any additional steps until you
determine and fix the problem that prevents communication with other domain
controllers.
8.
Verify
the availability of the operations masters
1.
Open
a Command Prompt.
2.
Type
the following command to ensure that the operations masters can be located and
then press ENTER:
dcdiag /s:yourserver /test:knowsofroleholders
/v
dcdiag /s:yourotherserver /test:knowsofroleholders
/v
The verbose option provides a detailed
list of the operations masters that were tested. Near the bottom of the screen,
a message confirms that the test succeeded. If you use the verbose option, look
carefully at the bottom part of the displayed output. The test confirmation
message appears immediately after the list of operations masters. Press ENTER.
9. Type the
following command to ensure that the operations masters are functioning
properly and are available on the network:
dcdiag /s:yourserver /test:fsmocheck
dcdiag /s:yourotherserver /test:fsmocheck
·
If any of the
verification tests fail, do not continue until you determine and fix the
problems. If these tests fail, the uninstallation is also likely to fail.
10.
If
the domain controller hosts encrypted documents, perform the following
procedure before you remove Active Directory to ensure that the encrypted
files can be recovered after Active Directory is removed.
To export a certificate with the
private key
1.
Open the Certificates console for the user, computer, or service you
want to manage.
2.
In the console pane, select the certificate store and container holding
the certificate that you want to export.
3.
In the details pane, click the certificate you want to export.
4.
On the Action menu, point to All Tasks,
and then click Export.
5.
In the Certificate Export Wizard, click Yes, export the private
key. (This option will appear only if the private key is marked as
exportable and you have access to the private key.)
6.
Under Export File Format, do one or all of the following,
and then click Next.
1.
To include all certificates in the certification path, select the Include
all certificates in the certification path if possible check box.
2.
To enable strong protection, select the Enable strong protection
(requires IE 5.0, NT 4.0 SP4 or above) check box.
3.
To delete the private key if the export is successful, select the Delete
the private key if the export is successful check box.
1.
In Password, type a password to encrypt the private key
you are exporting. In Confirm password, type the same password
again, and then click Next.
2.
In File name, type a file name and path for the
PKCS #12 file that will store the exported certificate and private key,
click Next, and then click Finish.
|
 Note
|
- If a
certificate was issued from a Windows Server 2003 certification
authority, the private key for that certificate is only exportable if
the certificate request was made via the Advanced Certificate Request
certification authority Web page with the Mark keys as
exportable check box selected, or if the certificate is for EFS
(Encrypting File System) or EFS recovery.
- Strong
protection (also known as iteration count) is enabled by default in the
Certificate Export Wizard when you export a certificate with its
associated private key.
Strong protection is not compatible with older programs, so you need to
clear the Enable strong protection option if you are
going to use the private key with any browser earlier than Microsoft
Internet Explorer 5.
- After the Certificate
Export Wizard is finished, the certificate will remain in the
certificate store in addition to being in the newly-created file. If you
want to remove the certificate from the certificate store, you will need
to delete it.
|
11.
Uninstall
Active Directory
- Click
Start, click Run, type dcpromo and then click OK.
- The
Active Directory Installation Wizard appears. Click Next at the
Welcome screen.
- You
have an option to select This server is the last domain controller in
the domain. If you select this option, the wizard attempts to remove
the domain from the forest. Do not select this option. Click Next.
- At
the Administrative Password screen, enter and confirm the password
that you want to assign to the local Administrator account after Active
Directory is removed. Click Next.
- At
the Summary screen, verify that the information is correct and then
click Next to proceed with the removal.
- The
wizard proceeds to remove Active Directory. After it finishes, the wizard
displays a completion screen. Click Finish to close the wizard.
- Click
Restart to restart the domain controller.
You may experience an error during
the demotion of the Source server, namely:
Active
Directory Installation Wizard
The
operation failed because:
Failed
to configure the service NETLOGON as requested
“The
wait operation timed out.”
Go ahead and Click "OK".
Then click "Back" until you are at the Welcome screen of the
"Active Directory Installation Wizard". Then next back through
everything and the demotion process should complete correctly.
12.
Uninstall
DNS services
Delete
any old records
13.
If
the domain controller hosts encrypted documents and you backed up the certificate
and private key before you remove Active Directory, perform the following
procedure to re-import the certificate to the server:
