
A time comes in a server’s life when it will be either “retired from its job role” or “put to sleep”. This might sound very dramatic to non-IT folks, but it’s not. Relax! Usually, “retiring a server from its job role” happens when demand increases and a single server cannot take up the burden of doing it all alone. So, one or more roles are removed and the server acts as a storage dump. The “putting to sleep” phase comes when the server is simply too dated for current technology and the option of installing a new application or server OS on it runs out.

Recently, I had the opportunity of “putting a server to sleep”. The job was to decommission a domain controller and shut it down, all while sitting thousands of miles away. This was an unnerving experience because of the complex nature of the job. We all generally get a DC set up in a lab within minutes, and if things go wrong, there is always the option of reinstalling the OS 😀 This is a bad practice that a lot of institutes ask their students to follow. There is no real troubleshooting involved, and you are not geared up for disaster management. Setting up a DC at a particular site with numerous servers which sync with each other is a tough job. However, I never realized that decommissioning one would be tough as well.

The steps followed (for the most part) were taken from the official Microsoft site, and this was to be done on a multi-site network. My job was made slightly easier since the server’s RADIUS role had already been moved to another server by someone else.

Here are the steps that were followed:

1. Check the assigned FSMO roles

We need to make sure that the server is not holding any FSMO role. The server which needed to be decommissioned was named contoso-dc5. To check, fire up your command prompt and type:

netdom query fsmo

Here is the (modified) output of the command (the server names holding each role have been removed):

C:\Users\iamadmin>netdom query fsmo
Schema master
Domain naming master
PDC
RID pool manager
Infrastructure master
The command completed successfully

We can see that contoso-DC5 is not holding any FSMO roles. Good. Next step.

2. Transfer the Naming Master FSMO role

3. Transfer other FSMO roles such as RID, PDC, or Infrastructure roles.

Points 2 and 3 will not be applicable in this case. So, we move to the next important step.

4. Remove the Global Catalog (GC)

This is the major step. You need to make sure that there are other GCs in the site. If it’s the last GC in the AD and you remove it, you’ll be unable to log on anymore. Do this carefully. Log into any other DC in the same site (I chose DC6) and make sure that there are other GCs by opening Active Directory Sites and Services.

a) In the console tree, expand the Sites container, expand the site of the domain controller you want to check, expand the Servers container, and then expand the Server object.

b) Right-click the NTDS Settings object, and then click Properties.

c) On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.

This was indeed a GC, and since I had made sure that other servers were acting as GCs, I went ahead and unchecked the box on contoso-DC5. Allow a few minutes for the setting to replicate. Log off from the server where you performed the check (DC6 for me) and reboot the machine which needs to be decommissioned (contoso-DC5).

5. Verify DNS registration and functionality

Back on the DC which needs to be decommissioned, type netdiag /test:dns (I chose to do netdiag /test:dns /v) and the output should be successful. If it is not, do not go ahead with the other steps until you resolve the issue. Remember, /v stands for verbose and the output can spit out pages of data. In case you need to go through the output, make sure you redirect it to a text file.

6. Verify communication with other domain controllers

During the removal of Active Directory, contact with other domain controllers is required to ensure:

a) Any unreplicated changes are replicated to another domain controller

b) Removal of the domain controller from the directory

c) Transfer of any remaining operations master roles

Type netdiag /test:dsgetdc in the command prompt. This is where I hit my first ‘roadblock’. The output showed that it failed. So, I ran the command again in verbose mode to get an idea as to what exactly was happening. The summary kinda explains things.

Summary of DNS test results:

                            Auth Basc Forw Del  Dyn  RReg Ext
    Domain: contoso-dc5     PASS PASS FAIL FAIL PASS PASS n/a
    ....................... contoso.com failed test DNS

We can see that the DNS test result failed for Forwarding and Delegation (the output could not be formatted properly in this text area). A quick check to see if this server was also taking up the role of the DNS server made me heave a sigh of relief. Contoso-DC1 was acting as the primary DNS and a public DNS was acting as the secondary. This server was probably also running the DNS role at some point, since I saw numerous host entries for it. So, we can still go ahead with the next step. Yippee! 😀
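The checks in steps 1, 4, 5 and 6 can be scripted from a healthy DC before you touch the one being decommissioned. The block below is an added example and not part of the original post; it uses the ActiveDirectory and DnsClient PowerShell modules (Windows Server 2012 or later, or RSAT), which did not exist when netdom/netdiag were the tools of choice, and the names contoso-dc5, contoso-dc6 and contoso.com are constructed sample values. One caveat the post’s DNS findings raise: a public resolver listed as secondary DNS on a domain member (let alone a DC) is a misconfiguration, because a client that fails over to it cannot resolve the _msdcs SRV records and will fail to locate any DC; domain members should point only at internal DNS servers.

```powershell
# Added example (not from the original post): pre-decommission checks for a
# domain controller. Assumes the ActiveDirectory and DnsClient modules are
# available on the machine where this runs. Sample names are constructed.

Import-Module ActiveDirectory

$Target      = 'contoso-dc5'   # DC about to be decommissioned
$Domain      = 'contoso.com'
$ReferenceDc = 'contoso-dc6'   # healthy DC in the same site to query from

# Step 1: the target must not hold any of the five FSMO roles.
$forest = Get-ADForest -Server $ReferenceDc
$domain = Get-ADDomain -Server $ReferenceDc
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$heldByTarget = @($fsmo.GetEnumerator() | Where-Object { $_.Value -like "$Target*" })
if ($heldByTarget.Count -gt 0) {
    Write-Warning "$Target still holds: $($heldByTarget.Key -join ', '). Transfer these first (steps 2 and 3)."
} else {
    Write-Host "OK: $Target holds no FSMO roles."
}

# Step 4: at least one other global catalog must exist before the GC box is
# unchecked, otherwise logons will fail once this server goes away.
$gcs      = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server $ReferenceDc)
$otherGcs = @($gcs | Where-Object { $_.Name -ne $Target })
if ($otherGcs.Count -eq 0) {
    Write-Warning "$Target is the only GC. Do NOT remove it until another DC is made a GC."
} else {
    Write-Host "OK: other GCs present: $($otherGcs.HostName -join ', ')"
}

# Step 5: every DC registers the domain's DC locator SRV records. The target
# should still be listed now and disappear only after dcpromo has run.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' }
$srv | Select-Object Name, NameTarget, Port | Format-Table -AutoSize
if (-not ($srv.NameTarget -like "$Target*")) {
    Write-Warning "$Target has no SRV locator record; check its DNS registration before going on."
}

# Step 6: unreplicated changes must reach a partner before demotion, so the
# last replication with every partner should be recent and have result 0.
Get-ADReplicationPartnerMetadata -Target $Target -PartnerType Both |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize
```

Run it from the reference DC (or any box with RSAT) as a domain admin; a LastReplicationResult other than 0 for any partition means the demotion should wait until replication is fixed, which is the same rule the post applies to the failed netdiag test.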

7. dcpromo

Run dcpromo from the Run dialog box, take a break for some time, and reboot when prompted.

This computer was also to be removed from the domain and shut down. So, before doing that, make sure you know the local admin password. Otherwise, you will be locked out of the computer once you remove it from the domain. Time to power down the server. Sweet!

One last step is to check whether the computer still shows up in the Active Directory Users and Computers list after shutting down. When you demote a server, AD should take it out, but in my case it hadn’t (probably because I didn’t give it enough time to replicate?). If it does still show up, go ahead and delete the computer from the list.
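The leftover computer account the post describes is worth distinguishing from a demotion that never completed, because the fix differs. The block below is an added example, not from the original post, run from a remaining DC with the ActiveDirectory and DnsClient modules (assumed available); contoso-dc5 and contoso.com are constructed sample values. It checks the three places a demoted DC should have vanished from: the DC list and computer object, the NTDS Settings object under Sites, and the DC locator SRV records.

```powershell
# Added example (not from the original post): post-demotion verification for a
# DC that has been demoted and shut down. Assumes the ActiveDirectory module is
# available and that you run it from a surviving DC. Sample names are constructed.

Import-Module ActiveDirectory

$Target = 'contoso-dc5'
$Domain = 'contoso.com'

# 1. It must no longer be listed as a domain controller.
$stillDc = @(Get-ADDomainController -Filter { Name -eq $Target } -ErrorAction SilentlyContinue)

# 2. The computer account may linger (what the post saw in ADUC). After a clean
#    demotion it is an ordinary member/workstation account or gone entirely.
$computer = Get-ADComputer -Filter { Name -eq $Target } -Properties PrimaryGroup -ErrorAction SilentlyContinue

# 3. The server's NTDS Settings object under CN=Sites is removed by dcpromo.
#    If it is still there, the demotion did not complete and metadata cleanup
#    (ntdsutil "metadata cleanup", or deleting the server object in AD Sites and
#    Services on 2008+) is required, not just deleting the computer account.
$configNc = (Get-ADRootDSE).configurationNamingContext
$ntds = @(Get-ADObject -Filter { objectClass -eq 'nTDSDSA' } -SearchBase $configNc |
    Where-Object { $_.DistinguishedName -like "*CN=$Target,*" })

# 4. No DC locator SRV record should point at it any more.
$staleSrv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$Target*" })

if ($stillDc.Count -gt 0)  { Write-Warning "$Target is still listed as a DC." }
if ($ntds.Count -gt 0)     { Write-Warning "NTDS Settings for $Target still exists: metadata cleanup needed." }
if ($staleSrv.Count -gt 0) { Write-Warning "Stale SRV record(s) still point at $Target; scavenge or delete them in DNS." }
if ($computer) {
    Write-Host "Computer account for $Target still present (PrimaryGroup: $($computer.PrimaryGroup))."
    Write-Host "Safe to delete it in ADUC only if the three warnings above did not fire."
}
if ($stillDc.Count -eq 0 -and $ntds.Count -eq 0 -and $staleSrv.Count -eq 0 -and -not $computer) {
    Write-Host "OK: $Target is fully gone from the directory and DNS."
}
```

Wait a replication cycle before trusting the result, as the post notes; if the NTDS Settings object is still present after that, treat it as an incomplete demotion rather than a slow one.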

That’s it! I hope this guide was helpful. In case someone finds a mistake in this or knows of a better solution, please do let me know.