remove Domain Controller


Guest

AD - Windows 2000 native

We have 4 domain Controllers.

What's the proper way \ proper steps to remove one of them?
This was our first Win2000 DC and is a rather old and slow PC.

I do not want to screw anything up during this process.

Thanks,
 
dcpromo, just like when you added it to the domain.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
what is this recovery agent private key?

And is there anything special I need to do since this was the first DC in
our win 2000 AD?

Thanks,
 
Hutch,

Just make sure that any services that this DC is holding ( read: DNS, DHCP,
Global Catalog, etc ) are transferred to any of the remaining Domain
Controllers. In the case of the Global Catalog Server I would suggest that
you make all of your Domain Controllers a Global Catalog Server ( done via
the Active Directory Sites and Services MMC - go to the NTDS Settings under
each Domain Controller ). This assumes that you have only one Domain.

Another point to consider is to manually transfer any of the five FSMO roles
that this DC might be holding. Since it is the first DC it very possibly
holds all five of them. The dcpromo process will take care of this for you
but I like to be in charge and manually do it. There are two ways to do
this: use ntdsutil ( probably not the best way for someone with your
experience ) or via the GUIs. Please see the two links below:

http://support.microsoft.com/?id=255504
http://support.microsoft.com/?id=255690

Should you decide to venture out and use ntdsutil ( a wonderful little
utility ) I would stress to you that you really should *TRANSFER* and not
seize. Granted, if you are going to be removing the old DC then that should
not matter but it is best to do things the correct way.....

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
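
A pre-demotion check for the FSMO step discussed above, as an added example that is not part of the original thread: it parses the output of `netdom query fsmo` and lists any role still held by the DC about to be demoted, treating a role missing from the output as unconfirmed. The host names and sample output are constructed, and `netdom` is assumed to be available where the output was captured.

```python
import re

# The five FSMO roles as labelled in `netdom query fsmo` output.
FSMO_ROLES = (
    "Schema master",
    "Domain naming master",
    "PDC",
    "RID pool manager",
    "Infrastructure master",
)

# Constructed sample: four roles moved, one left behind on the old DC.
SAMPLE_OUTPUT = """\
Schema master               dc2.corp.example
Domain naming master        dc2.corp.example
PDC                         dc2.corp.example
RID pool manager            dc2.corp.example
Infrastructure master       OLDDC1.corp.example
The command completed successfully.
"""

def parse_fsmo(output):
    """Return {role: holder} for every role line found in the output."""
    holders = {}
    for line in output.splitlines():
        for role in FSMO_ROLES:
            m = re.match(re.escape(role) + r"\s+(\S+)\s*$", line.strip(), re.I)
            if m:
                holders[role] = m.group(1)
    return holders

def short_name(host):
    """Compare hosts by their first label, ignoring case and DNS suffix."""
    return host.split(".")[0].lower()

def demotion_blockers(output, outgoing_dc):
    """Roles still on outgoing_dc, or whose holder could not be confirmed."""
    holders = parse_fsmo(output)
    blockers = []
    for role in FSMO_ROLES:
        holder = holders.get(role)
        if holder is None:
            blockers.append((role, "holder not found in output"))
        elif short_name(holder) == short_name(outgoing_dc):
            blockers.append((role, "still held by " + holder))
    return blockers

if __name__ == "__main__":
    for role, reason in demotion_blockers(SAMPLE_OUTPUT, "olddc1"):
        print(f"{role}: {reason}")
```

An empty result means all five roles were found on other Domain Controllers; it says nothing about DNS, DHCP or Global Catalog placement, which still need their own check.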
 
Cary....thanks for the detailed break down.

I have the 5 roles transferred. But what about this "recovery agent private
key" that Andrei said I should export?
What is it, and how do you do it?

Thanks again,
 
Hutch,

If the Domain Controller that you are going to dcpromo is also the DC on
which you have Certificate Services running.....most probably not in your
case so I would not worry about it! But, just check to make sure.

Now, what is Certificate Services? That would be a good google project for
you, right? ;-)

Just in case you are pressed for time, here is a pretty good starting point:

http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Thank you!

 
Just a note on this. I'm sure you are aware that the dc will gracefully
transfer the roles (Except the gc) when demoted to other servers. As far as
the certificate services goes once a machine is a dc you can't make it a
certificate server so odds are it isn't a certificate authority of any type.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Good morning, Paul!

Thank you for pointing these two things out. It is always a good thing to
have multiple heads involved in finding a solution.

As I mentioned, the dcpromo process will indeed handle the transferring of
any FSMO roles that the 'being demoted' Domain Controller holds to another
Domain Controller. I just like to handle that myself so that the DC that I
choose is the new role holder. It is a good thing to make this point very
clear!!!!

As to a Domain Controller not being able to be a Certificate Server - I will
have to check into this. I will admit that I have never set this up in a
production environment ( never any desire for it on the clients part....and
the key word was 'production' - I have played with it in the lab.... ). I,
however, would venture to guess that you could make a Domain Controller a
Certificate Server. I will have to look into this. Are you saying that you
can not do ( as in, physically not possible ) or are you saying that it is
not the best of ideas? I would agree with that part!

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Once a server becomes a DC it can no longer become a certificate server.
BUT... a DC can be a certificate server if before being promoted it was a
certificate server.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 