DC Demotion Checklist?

Guest

Greetings,

I know there are a ton of checklist for promoting a server to a domain
controller, but how about in the other direction? We are carrying out a
hardware replacement and need to demote the DC's that are being retired.
Are there steps I need to take care of or people I need to notify prior to
doing so? Are there any steps I should take other than just running DCpromo
and being done with it?

Any suggestions appreciated.
 
Jorge Silva

Hi
-First, ensure that the clients use the new DC/DNS (assuming that the old
DCs are also DNS), ensure that you have at least one GC available, transfer
(NOT seize) the FSMO roles to the new servers, make sure that all DCs are
sync.

-You could have other requirements but those will depend on your scenario.
Make sure that all services that the DCs to be retired have now will be
available when they go offline.

-Avoid the demotion immediately after the new servers are online, instead
take the DCs offline for a couple of days/weeks (not more than your forest
tombstone lifetime) and check that everything is working, if everything is
ok then dcpromo to demote them from your network, to avoid problems check
(after demotion) that all dns records for the dead DCs no longer exist, and
manually remove them from ADSS (after dcpromo).
--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
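The readiness checks in the answer above (FSMO roles transferred off the retiring DCs, a global catalog left behind, replication in sync) can be scripted. The following is an added example written for this thread, not something posted by the author; it assumes the ActiveDirectory module from RSAT is available, that it runs with domain admin rights, and the host names it is called with are placeholders.

```powershell
# Added example, not from the thread. Checks that the DCs named in -RetiringDc can be
# demoted: no FSMO role is held by them, another global catalog remains, and the forest
# reports no replication failures. Host names passed in are placeholders.
Import-Module ActiveDirectory

function Test-DcRetirementReady {
    param(
        [Parameter(Mandatory)][string[]]$RetiringDc   # short host names, e.g. 'OLDDC1','OLDDC2'
    )
    $retiring = $RetiringDc | ForEach-Object { $_.ToUpperInvariant() }
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. FSMO roles must have been transferred (not seized) off the retiring DCs.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.GetEnumerator()) {
        $holder = ($role.Value -split '\.')[0].ToUpperInvariant()   # FQDN -> short name
        if ($retiring -contains $holder) {
            $findings.Add("FSMO role $($role.Key) is still held by $($role.Value); transfer it first")
        }
    }

    # 2. At least one global catalog must remain that is not being retired.
    $remainingGc = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Where-Object { $retiring -notcontains $_.Name.ToUpperInvariant() }
    if (-not $remainingGc) {
        $findings.Add('No global catalog would remain after demotion')
    }

    # 3. Replication must be clean forest-wide before the DCs are taken offline.
    #    Run this while the retiring DCs are still online; once you have unplugged them,
    #    failures that involve only those DCs are expected.
    $failures = Get-ADReplicationFailure -Target $forest.Name -Scope Forest
    foreach ($f in $failures) {
        $findings.Add("Replication failure on $($f.Server) from $($f.Partner): error $($f.LastError)")
    }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage with placeholder names; Ready = True and an empty Findings list means go ahead.
# Test-DcRetirementReady -RetiringDc 'OLDDC1','OLDDC2' | Format-List
```

The function only reports; it deliberately does not move roles or change GC settings, so it can be run repeatedly during the "take them offline for a few days" period to confirm nothing has drifted.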
 
Guest

Thanks for the tips.

I have had the new DC's online for about 3 months. I did the following:

Had the DHCP admins update the scope to put the new DC/DNS IP's as the two
primary DNS' on the scope. I still have one of the two "about to be
demoted" DC's on the list as the fifth DNS to use.

Ran a report of machines/servers with fixed IP's and we ran a script to
update the DNS settings for those.

I installed Terminal Services Licensing server on the new DC a few weeks ago
and deactivated the old one.

I transferred the FSMO's back in November-ish.

I installed the Cisco ACS agent on the new DC which now has the PDC role.

I sent out a technical note to the IT department informing them of the impending
change with a chart of the old and new names and IP's, and advising any
developers to change any entries if they had any hard coded entries to the
old DC's, and reminded them of the best practice to reference the domain name only.

Can't think of anything else, we've got GC's out the kazoo... though of
course I'm still paranoid (I'm thinking of doing a walk-around reminder).
I'll double check on the EFS thing, I don't think we have it at the child
domain level though.

---------

Also, I was discussing with a colleague about whether to deactivate GC and
uninstall(or stop) DNS prior to demotion or whether to have a single pain
point (if any) and just do the demotion and shut off the box for a day. He
advised to do the GC-demo and DNS stopping a few days ahead of time. Anyone
have any thoughts on that?


Thanks to all btw.
 
Jorge Silva

see answers inline:
I have had the new DC's online for about 3 months. I did the following: Ok

Had the DHCP admins update the scope to put the new DC/DNS IP's as the two
primary DNS' on the scope. I still have one of the two "about to be
demoted" DC's on the list as the fifth DNS to use. Ok.

Ran a report of machines/servers with fixed IP's and we ran a script to
update the DNS settings for those.
Ok. Confirm that all machines already have the new Dns server settings.
I installed Terminal Services Licensing server on the new DC a few weeks
ago and deactivated the old one.
Ok. Make sure that the Terminal Services Licensing server is registering the
existing TS connections
I transferred the FSMO's back in November-ish.
Ok. Make sure that all DCs are sync.
I installed the Cisco ACS agent on the new DC which now has the PDC role. Ok.

I sent out a technical note to the IT department informing the impending
change with a chart of the old and new names and IP's, and advising any
developers to change any entries if they had any hard coded entries to the
old DC's and reminded of best practice to reference the domain name only.
Also tell them to start using DNS as the resolution mechanism instead of hard
coded IP addresses or names, that way they won't need any extra action in
future changes.
Can't think of anything else, we've got GC's out the kazoo... though of
course I'm still paranoid (I'm thinking of doing a walk-around reminder).
I'll double check on the EFS thing, I don't think we have it at the child
domain level though

As I told before take the Old DCs offline for a couple of Days and check if
anyone screams, if everything is ok you should be ready to take off the DCs
using dcpromo.


--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Paul Bergson [MVP-DS]

One other thing to think of is to run some diagnostics

If you don't have the support tools installed, install them from your server
install disk.
d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.
-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's
in the forest. If you have significant numbers of DC's this test could
generate significant detail and take a long time. You also want to take
into account slow links to dc's will also add to the testing time.

If you download a gui script I wrote it should be simple to set and run
(DCDiag and NetDiag). It also has the option to run individual tests
without having to learn all the switch options. The details will be output
in notepad text files that pop up automagically.

The script is located on my website at
http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045


--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
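The last step above, searching the dcdiag/netdiag/repadmin output for fail, error and warning messages, is easy to get wrong by hand because dcdiag also prints "passed test" lines and "0 errors" summaries. The following is an added example for this thread, not Paul's script or anything from his site; it assumes the logs were written to the paths used in the commands above, and the dcdiag excerpt it runs against is constructed for illustration.

```powershell
# Added example, not from the thread. Scans diagnostic log files for the words "fail",
# "error" and "warning", drops lines that only report a clean result, and returns each
# remaining hit with its file and line number.
function Find-DiagProblem {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string[]]$Keyword = @('fail', 'error', 'warning'),
        # Lines that contain a keyword only because they report a clean result.
        [string[]]$Ignore = @('passed test', '0 errors', 'no errors')
    )
    $hit  = ($Keyword | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $skip = ($Ignore  | ForEach-Object { [regex]::Escape($_) }) -join '|'
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            Write-Warning "Log not found: $file"
            continue
        }
        # Select-String is case-insensitive by default, which suits tool output that mixes cases.
        Select-String -LiteralPath $file -Pattern $hit |
            Where-Object { $_.Line -notmatch $skip } |
            ForEach-Object {
                [pscustomobject]@{
                    File = Split-Path -Path $_.Path -Leaf
                    Line = $_.LineNumber
                    Text = $_.Line.Trim()
                }
            }
    }
}

# Constructed sample in the shape of dcdiag /v output, written to a temp file so the
# function can be exercised without a domain controller at hand. Names are placeholders.
$sample = @'
Starting test: Connectivity
   ......................... OLDDC1 passed test Connectivity
Starting test: Replications
   [Replications Check,OLDDC1] A recent replication attempt failed:
      From NEWDC1 to OLDDC1
      Last error: 1722 (0x6ba): The RPC server is unavailable.
   ......................... OLDDC1 failed test Replications
Starting test: Advertising
   Warning: OLDDC1 is not advertising as a global catalog.
   ......................... OLDDC1 passed test Advertising
'@
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'dcdiag-sample.log'
Set-Content -LiteralPath $tmp -Value $sample

Find-DiagProblem -Path $tmp | Format-Table -AutoSize

# Against the real logs from the commands above (run on each DC for netdiag):
# Find-DiagProblem -Path 'c:\dcdiag.log','c:\netdiag.log','c:\repl.txt' | Format-Table -AutoSize
```

The ignore list is a starting point; add any other benign phrases your environment's tools print so the report only shows lines that need a human to look at them.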
 
Guest

Hi Jorge,

Thanks for the feedback. The funny thing about the TS licensing, when I
deactivated the TS licensing on the "soon-to-be-demoted" DC, I had
previously had my own license issued with that one, and when I uninstalled
it from add/remove, I didn't have a license issued from the new DC with TS
licensing, but I was still able to come through (Citrix in our case).
Basically what I'm saying is, I don't know why it worked, theoretically it
shouldn't have, but it did. The fact is that TS licensing is actually gone,
totally, from the retiring server, so I can only assume that it won't
matter if the DC is retired.

Again, appreciate the feedback.

Obrigado =)
 
Jorge Silva

glad to help.

De nada =)

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
 
Guest

Sorry to bother, I just had one more question that just came to me today.

Should I take these two DC's out of the Delegated DNS zones listing before I
retire the DC's or after or does it matter? I have had the new DC's in
there since November, and a few other DC's that are not going anywhere.
 
Jorge Silva

-After you run dcpromo those DCs should be removed automatically from DNS,
if not you can do it manually, also confirm that not only the NS records are
gone but all the others as well.

--
I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MCSE, MVP Directory Services
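Both of Jorge's answers (the first post's "check that all dns records for the dead DCs no longer exist" and the reply above about NS and all other records) come down to one check: enumerate the zones and list anything that still points at the demoted DC by name or address. The following is an added example for this thread, not the author's; it assumes the DnsServer module from RSAT, rights on the DNS server, and that the host names, address and zone names it is called with are placeholders.

```powershell
# Added example, not from the thread. Lists every record in the given zones that still
# refers to a demoted DC (A, SRV, NS, CNAME and PTR), so leftovers can be removed by hand.
Import-Module DnsServer

function Get-RecordTarget {
    # Returns the host name or address a record points at, for the types that can name a DC.
    param($Record)
    $d = $Record.RecordData
    switch ($Record.RecordType) {
        'A'     { $d.IPv4Address.IPAddressToString }   # host record
        'SRV'   { $d.DomainName }                      # _ldap/_kerberos/_gc service records
        'NS'    { $d.NameServer }                      # zone name server
        'CNAME' { $d.HostNameAlias }                   # DSA GUID alias under _msdcs
        'PTR'   { $d.PtrDomainName }                   # reverse lookup
        default { $null }
    }
}

function Find-StaleDcRecord {
    param(
        [Parameter(Mandatory)][string]$DcHostName,    # short name of the demoted DC
        [Parameter(Mandatory)][string]$DcIPAddress,   # its former IPv4 address
        [Parameter(Mandatory)][string]$DnsServer,     # a DNS server that hosts the zones
        [Parameter(Mandatory)][string[]]$ZoneName     # forward zones, _msdcs, reverse zones
    )
    # Matches the FQDN forms the DNS data uses ("olddc1.corp.example.com."); -match is case-insensitive.
    $namePattern = '^' + [regex]::Escape($DcHostName) + '\.'
    foreach ($zone in $ZoneName) {
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone |
            Where-Object {
                $target = Get-RecordTarget $_
                $target -and ($target -eq $DcIPAddress -or $target -match $namePattern)
            } |
            ForEach-Object {
                [pscustomobject]@{
                    Zone   = $zone
                    Name   = $_.HostName
                    Type   = $_.RecordType
                    Target = Get-RecordTarget $_
                }
            }
    }
}

# Usage with placeholder values; an empty result means nothing in those zones still
# refers to the old DC.
# Find-StaleDcRecord -DcHostName 'OLDDC1' -DcIPAddress '192.0.2.10' -DnsServer 'NEWDC1' `
#     -ZoneName 'corp.example.com','_msdcs.corp.example.com','2.0.192.in-addr.arpa' |
#     Format-Table -AutoSize
```

Include the _msdcs zone and the reverse zone in -ZoneName, since the SRV records, the GUID CNAME and the PTR are the ones most often left behind after an otherwise clean dcpromo. Anything the function lists can then be removed with Remove-DnsServerResourceRecord once you have confirmed it really belongs to the retired DC.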
 
