Removal of domain's last 2003 DC
Hi,
I'm looking at removing the last 2003 DC in my domain. My setup is as follows:
1 forest with 2 domains. Parent domain "parent" has 2008 and 2003 DCs. Child domain "child" has 1 2003 DC and multiple 2008 DCs. There are multiple global catalogs and the 2003 DC does not hold any FSMO roles. The forest uses a centralized DNS delegation with forest wide AD integrated zones. I've checked that my clients no longer use the 2003 DC for DNS referrals.
Looking through the documentation here http://technet.microsoft.com/en-us/library/cc776503(v=ws.10).aspx it mentions checking that the remaining 2003 DC isn't holding the last replica of an application partition and gives steps for checking this. I've run ntdsutil and connected to my 2003 DC and then ran the list nc information\list nc replica commands. I get 7 naming contexts returned:
Found 7 Naming Context(s)
0 - CN=Configuration,DC=parent,DC=com
1 - CN=Schema,CN=configuration,DC=com
2 - DC=child,DC=parent,DC=com
3 - DC=parent,DC=com
4 - DC=ForestDnsZones,DC=parent,DC=com
5 - DC=DomainDnsZones,DC=child,DC=parent,DC=com
6 - DC=DomainDnsZones,DC=parent,DC=com
When the list nc replica\info command is run on my DCs in the child and parent domains for naming contexts 4 to 6 I see the replication partners listed as expected. However when I run the list command for contexts 0 to 3 I get no replicas found or "could find no special info for this partition".
I'm not sure if this is normal and whether I need to do anything additional when demoting my 2003 DC in the child domain?
Hi Peter,
According to your description, it seems that the metadata of Windows Server 2003 didn’t get cleaned up during demotion.
I suggest you try to clean up server metadata by performing the following steps:
Open Command Prompt as an administrator on a DC in the child domain.
At the Command Prompt, type: ntdsutil, and press Enter.
Next, type: metadata cleanup, then press Enter.
After that, type remove selected server <server name>.
In the Server Remove Configuration Dialog, review the information and warning, then click on Yes.
Type quit, then press Enter.
After the above actions, please run the ntdsutil command again to confirm the results.
More information for you:
Clean Up Server Metadata
http://technet.microsoft.com/en-us/library/cc816907(v=WS.10).aspx
partition management
http://technet.microsoft.com/en-us/library/cc730970.aspx
Please feel free to let us know if the issue persists.
Best Regards,
Amy Wang
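The last-replica check discussed in this thread can also be read straight from the directory: the replica set of an application directory partition is stored in the msDS-NC-Replica-Locations attribute of its crossRef object under CN=Partitions. Only application directory partitions carry that attribute, so the Configuration, Schema and domain partitions do not appear in the result. The script below is an added example, not part of the original posts; it assumes the ActiveDirectory PowerShell module (RSAT) and a reachable DC running Active Directory Web Services, and the function name and the DC name DC2003 are placeholders.

```powershell
# Added example. Assumptions: ActiveDirectory module available, the queried DC
# runs Active Directory Web Services, and 'DC2003' stands in for the real host
# name of the domain controller that is about to be demoted.
Import-Module ActiveDirectory

function Get-AppPartitionReplicaRisk {
    [CmdletBinding()]
    param(
        # Short host name of the DC that is going to be demoted.
        [Parameter(Mandatory = $true)]
        [string]$DcName,

        # Optional DC to send the query to; by default the module picks one.
        [string]$Server
    )

    $common = @{}
    if ($Server) { $common['Server'] = $Server }

    # crossRef objects for every partition in the forest live under CN=Partitions.
    $configNC = (Get-ADRootDSE @common).configurationNamingContext

    $query = @{
        SearchBase  = "CN=Partitions,$configNC"
        SearchScope = 'OneLevel'
        # Matches only crossRefs that list replica locations (application partitions).
        LDAPFilter  = '(&(objectClass=crossRef)(msDS-NC-Replica-Locations=*))'
        Properties  = 'nCName', 'msDS-NC-Replica-Locations'
    }
    $crossRefs = Get-ADObject @common @query

    foreach ($cr in $crossRefs) {
        $holders  = @()   # server names parsed from NTDS Settings DNs
        $unparsed = @()   # values that do not look like a live NTDS Settings DN

        foreach ($dn in $cr.'msDS-NC-Replica-Locations') {
            # Expected form: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
            if ($dn -match '^CN=NTDS Settings,CN=([^,]+),CN=Servers,') {
                $holders += $Matches[1]
            } else {
                # For example a reference to a deleted NTDS Settings object;
                # reported as-is so it can be investigated before demotion.
                $unparsed += $dn
            }
        }

        $holdsReplica = $holders -contains $DcName
        $others       = @($holders | Where-Object { $_ -ne $DcName })

        if (-not $holdsReplica) {
            $status = 'NotAReplica'
        } elseif ($others.Count -eq 0) {
            $status = 'LastReplica'        # demoting this DC would remove the partition
        } else {
            $status = 'OtherReplicasExist'
        }

        [pscustomobject]@{
            Partition      = $cr.nCName
            Status         = $status
            OtherReplicas  = $others -join ', '
            UnparsedValues = $unparsed -join '; '
        }
    }
}

# Usage (placeholder DC name): any row with Status 'LastReplica' needs another
# replica added before the DC is demoted.
Get-AppPartitionReplicaRisk -DcName 'DC2003' | Format-Table -AutoSize
```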
Similar Messages
-
We have a single Exchange 2003 server. We have multiple mail domains on the server, but are slowly moving to a hosted email solution. I moved the first domain, I will call it domainABC, to our hosted solution. I have removed all exchange mailboxes from the users, and deselected the domain from Recipient Policies. I then ran the policy.
Whenever I send an email to anyone on Domain ABC from any other domain on the Exchange server, I get the 5.1.1 message. I am not sure what to do next - any help would be appreciated...
Brian
Hi Brian,
Could you post the detailed information for the NDR message?
When you migrated all the users to the hosted email server, did you change the MX record to point to the new server?
You also can use this tool to help you check for the inbound email test (for Domain ABC).
Exchange Remote Connectivity Analyzer
https://www.testexchangeconnectivity.com/
Thanks,
Evan Liu
TechNet Community Support
-
Upgrade to Server 2012 R2 domain controllers from 2003
I am at a loss as to what I did wrong here. Everything seems to be working fine except for one subnet (which is behind a hardware firewall).
We had two Server 2003 domain controllers and one of them was failing. I raised the forest functional level of our old primary domain controllers to 2003. I built the first replacement Server 2012 R2 domain controller. Added the AD DS roles and promoted it as a domain controller. I let it sit for a couple days. The FSMO roles were currently being handled by our other 2003 domain controller. Once this had been sitting for a while (don't recall how long) I ran dcpromo on the failing server and demoted it. Once demoted I shut it down and pulled it out of the rack. I then built our second 2012 R2 server and gave it the same IP as the failing one. Installed the AD DS roles and integrated DNS as prompted by the wizard. I then made it the operations master for Schema master, Domain naming master, PDC, RID pool manager, and Infrastructure master. Then I ran dcpromo on the second 2003 domain controller to demote it and removed it from the network. I then demoted the first new controller (DC03) changed the hostname and IP to the name and IP of the second 2003 controller and promoted it again. I'm not sure at what point things broke, but everything works from the same subnet that the domain controllers are in, just not a second subnet that is through a hardware firewall. I don't see anything getting blocked while watching firewall logs so I don't think the firewall is the issue.
Here is the dcdiag and ipconfig from the first controller (which has all 5 FSMO roles).
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\username>dcdiag /v /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine WGDDC01, is a Directory Server.
Home Server = WGDDC01
* Connecting to directory service on server WGDDC01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
,CN=Sites,CN=Configuration,DC=wgd,DC=inet
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=wgd,DC=inet,LD
AP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=WGDDC01,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=WGDDC02,CN=Servers,CN=
Default-First-Site-Name,CN=Sites,CN=Configuration,DC=wgd,DC=inet
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\WGDDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... WGDDC01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\WGDDC01
Test omitted by user request: Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Test omitted by user request: FrsEvent
Test omitted by user request: DFSREvent
Test omitted by user request: SysVolCheck
Test omitted by user request: KccEvent
Test omitted by user request: KnowsOfRoleHolders
Test omitted by user request: MachineAccount
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Test omitted by user request: Replications
Test omitted by user request: RidManager
Test omitted by user request: Services
Test omitted by user request: SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: VerifyReferences
Test omitted by user request: VerifyReplicas
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
See DNS test in enterprise tests section for results
......................... WGDDC01 failed test DNS
Running partition tests on : DomainDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : ForestDnsZones
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Schema
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : Configuration
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running partition tests on : wgd
Test omitted by user request: CheckSDRefDom
Test omitted by user request: CrossRefValidation
Running enterprise tests on : wgd.inet
Starting test: DNS
Test results for domain controllers:
DC: WGDDC01.wgd.inet
Domain: wgd.inet
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
The OS
Microsoft Windows Server 2012 R2 Standard (Service Pack level:
0.0)
is supported.
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000010] Broadcom NetXtreme Gigabit Ethernet:
MAC address is B0:83:FE:C1:98:07
IP Address is static
IP address: 10.240.1.23
DNS servers:
10.240.1.23 (WGDDC01) [Valid]
10.240.1.24 (WGDDC02) [Valid]
127.0.0.1 (WGDDC01) [Valid]
The A host record(s) for this DC was found
The SOA record for the Active Directory zone was found
Warning: no DNS RPC connectivity (error or non Microsoft DNS s
erver is running)
[Error details: 5 (Type: Win32 - Description: Access is denied
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 10.240.1.23 (WGDDC01)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
DNS server: 10.240.1.24 (WGDDC02)
All tests passed on this DNS server
Name resolution is functional._ldap._tcp SRV record for the fores
t root domain is registered
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: wgd.inet
WGDDC01 PASS WARN n/a n/a n/a
n/a n/a
......................... wgd.inet passed test DNS
Test omitted by user request: LocatorCheck
Test omitted by user request: Intersite
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
When I try to bind a machine to the domain I get an error message that says "
The following error occurred when DNS was queried for the service location (SRV) resource record used to locate an Active Directory Domain Controller (AD DC) for domain "wgd.inet":
The error was: "This operation returned because the timeout period expired."
(error code 0x000005B4 ERROR_TIMEOUT)
The query was for the SRV record for _ldap._tcp.dc._msdcs.wgd.inet
The DNS servers used by this computer for name resolution are not responding. This computer is configured to use DNS servers with the following IP addresses:
10.240.1.24
10.240.1.23
Verify that this computer is connected to the network, that these are the correct DNS server IP addresses, and that at least one of the DNS servers is running.
Please let me know if I'm missing something or if there are other things I can check.
Thanks!
I forgot to mention that after the 2003 domain controllers were out of the environment, I raised the domain and forest functional level to 2012 R2. All clients in the environment are Windows XP Pro or above. The XP Pro boxes will be going away as soon as our vendor supports their software to run on Windows 7.
We now have 2 2012 R2 DCs. The 2003 DCs are gone. Metadata from the old DCs is all cleaned up. DNS seems to be working fine in 3 out of 4 subnets. The 4th is behind a hardware firewall and I can see the IP address of the machine I am trying to bind to the domain connecting to the two new domain controllers but the client machine that is trying to bind gives an error. An Active Directory Domain Controller for the domain wgd.inet could not be contacted. It seems that this is just a DNS issue for one particular subnet (10.240.2.0/24). This subnet is set up in AD Sites and Services\Sites\Subnets\10.240.2.0/24 (Site: Default-First-Site-Name).
When trying to do anything with nslookup from the 10.240.2.0/24 subnet it times out. The route is there and I can watch it connect through our hardware firewall over port 53.
DC01
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC01
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter WGD_INET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-98-07
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.23(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.23
10.240.1.24
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{2C28B0FA-6BF8-4201-A6DA-081AED63B496}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
DC02
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\dsmythe>netdom query fsmo
Schema master WGDDC01.wgd.inet
Domain naming master WGDDC01.wgd.inet
PDC WGDDC01.wgd.inet
RID pool manager WGDDC01.wgd.inet
Infrastructure master WGDDC01.wgd.inet
The command completed successfully.
C:\Users\dsmythe>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : WGDDC02
Primary Dns Suffix . . . . . . . : wgd.inet
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : wgd.inet
Ethernet adapter NIC1:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : B0-83-FE-C1-9F-74
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.240.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.240.1.1
DNS Servers . . . . . . . . . . . : 10.240.1.24
10.240.1.23
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{4F45E51E-FC2F-49ED-85CF-0750A9EEECF5}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
C:\Users\dsmythe>
-
I am slowly nursing a broken Mountain Lion Server back to health. The problems started with a name change days ago then went sour, probably because of some stuff in the keychain that tripped the commands up.
I have now a trusted Root CA in my System Keychain which has signed my wildcard Certificate for my domain and all my services are protected by this wildcard certificate. Creating and installing that certificate helped me back (slowly) but there are still problems to solve.
I also have set the com.apple.servermgrd identity preference to this (now trusted) wildcard certificate a few minutes ago.
I am busy cleaning as much as possible of junk from my Keychains to improve stability, of course without damaging things (I hope).
There are 19 "Mac OS X Server certificate management" application passwords in my System Keychain.
12 are from 9 days ago when I installed this clean OS X Mountain Lion Server for the first time, created within a minute during server install.
1 from 6 minutes later, maybe when I turned on a Service
2 are from that day, but 2 and 3 hours later (also probably because of something I did in Server.app, like enabling a service)
1 from 2 days later (probably when I tried to change the server name/domain)
1 from again 5 days later (probably when I tried to change the server name/domain again)
1 from yesterday, when I changed the servername
1 from today, when I changed the server name again.
What are these application passwords for and can I safely remove all but the last one? What are they for?
I went ahead and removed them a month ago. So far, there don't seem to be any issues. As long as you double-triple-check that the hash-number in those "Mac OS X Server certificate management" keychains _aren't_ in the filename of any of the *.pem files in the /etc/certificates folder, you can delete those orphan keychains.
-
I have imac 10.6.8 how to add it to my domain server windows 2003
I have imac 10.6.8 how to add it to my domain server windows 2003
and .
I can't find the directory access any
One option is to create a new partition (~30- 50 GB), install the new OS, and ‘test drive’ it. If you like/don’t like it, you can then remove the partition. Do a backup before you do anything. By doing this, if you don’t like it you won’t have to go through the revert process.
Check to make sure your applications are compatible.
Application Compatibility
Applications Compatibility (2)
-
Remove Personal Domain Problem
Hi. I had a personal domain setup and it was working fine. I recently removed the domain from my .Mac account. iWeb still thinks it is publishing to the domain, and shows the little green indicator light at the bottom with my domain. After it publishes, the Visit Site button tries to load up with my domain and not with the .mac address.
How can I get it to revert to the .mac address mode?
I'm pretty good on computers but my dad asked him to help him with a Mac problem so here I am...
Our good friend has built our website from his computer at his house, me and my dad need to be able to edit the website using iWeb (the same program our friend uses) so we can make appropriate changes...
We can log into the .Mac the same one that our friend uses but we can't figure out how to actually "load" the work our friend has already done so we can add to it and edit it...
Any advice is appreciated
-
Can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server
In my environment we are trying to upgrade from server 2k3 to 2k8, out testing done on server 2k3 to 2k8, but can we run domain controller windows 2008 32 bit and additional domain controller on 2003 server ...kindly suggest
Nitin Gaurav
Yes you can. If you have two 2003 AD servers currently and upgrade one of them to 2008 AD then they'll continue to be able to work together. The domain's functional level will remain as 2003 across both servers so at this stage you won't get any benefit from the new AD functionality available in 2008.
Once you've then upgraded the second 2003 server to 2008 you can then upgrade the functionality levels in AD to make it 2008. It's been a while, but I believe it doesn't happen automatically, so once all AD servers have been upgraded you have to go into AD and upgrade the functionality levels yourself.
-
Installing a Windows 2012 Domain Controller into a 2000/2003 domain with Exchange 2003
Hello,
I have a client that we are planning to migrate to 2012 over time. They currently have a Windows 2000 DC and 2 member servers running Windows 2003, one of which is running Exchange 2003.
We first are going to introduce a 2012 server into the domain and my plan was to DCPromo the 2003 server that isn't running Exchange and raise domain level to 2003 and then demote the 2000 server. I was then going to install the 2012 server into the domain and make it a backup Domain Controller for the time being and leave the newly promoted Windows 2003 server as the primary Domain Controller with all the roles and global catalog. My question is will Exchange 2003 still function normally in this scenario?
I've been doing research and read some things about Exchange 2003 not working with 2012 Domain Controllers, but I was thinking if the 2003 is still the primary, it might work. We will eventually migrate to 2003, they just don't want to do it all at once, due to costs and other issues.
Thanks.
I didn't ask if it was supported, I just wanted to know if Exchange 2003 would continue to function if the Windows 2003 DC still held all the FSMO roles and Global Catalog.
A not supported situation means that it is a situation where Microsoft made no testing or does not guarantee that you can operate with no problems. Following a not supported scenario could be done but is at your own risk.
If it won't, can the 2012 server be a member server in the 2003 AD? The 2000 DC it is replacing, just shares files on the network in addition to being the lone AD server
Yes, it can be a member server.
This posting is provided AS IS with no warranties or guarantees , and confers no rights.
Ahmed MALEK
-
Remove FOPE Domain/O365 Domain (Admin needed) - Causing Email issues.
Good Morning,
Long time ago (2007) I messed around setting up FOPE but did not do much with it, which is or currently transitioning to Office 365? Anyways, I logged into FOPE yesterday based on some help from another company that has been unable to email us, said they talked to Microsoft and the rep saw we had a FOPE account setup with mail server settings pointing to our old Exchange Server.. Turns out the company and many other companies that can't email us are using FOPE/O365 and Microsoft internally is using those settings to route mail to our old On-Premise Exchange Server and not picking up our new MX record.
We have since transitioned to Google Apps (thus the new MX record), but from what we see - O365 Customers look like they are being routed to the old Exchange Server based on those settings.. It looks like FOPE is set in a "read only" mode, I cannot change the MX record, or IP addresses to route mail to.. I would like to formally request the deletion of the Domain from both O365 and FOPE, this should resolve our Email issues. The domain in question is bangorschools DOT org
I have logged into O365 and deleted the domain leaving the onmicrosoft domain, but it doesn't look like I can do anything with FOPE.. Even if I could just change the IP address to point to google, or someone at Microsoft can remove the account all together?
Thank you,
Kyle
Hi,
When you have been transitioned to EOP your FOPE settings will be read-only. So you should contact FOPE/EOP support for help to remove your domain from FOPE, they can do changes.
Greetings
Christian
Christian Groebner MVP Forefront
-
I have a domain called Ixxxx.com with two domain controllers in a clustered environment. i added another domain called dxxxx.com . the domain dxxxx.com crashed and i had to format the server. now when i try to create a new domain in existing
forest with the name dxxxx.com it says "The name dxxxx.com is already in use on the network. type a name that is not in use."
how do i remove any reference to dxxxx.com and then recreate a domain with the same name in existing forest ?
Please Help
Hi William,
Check out the below link on Microsoft KB article for completely removing an orphaned domain controller,
http://support.microsoft.com/kb/555846/en-us
Check out the below thread on similar issue,
http://social.technet.microsoft.com/Forums/en-US/187c9cad-4b1d-49d6-beca-d3c02fe1a2d4/remove-orphaned-domain?forum=winserverDS
Regards,
Gopi
JiJi Technologies
-
The Best Way to Restore a DC if it is removed from Domain
Good Day,
I have 2 Windows Server 2008 R2 DC's in my network and I am trying to upgrade 1 of them to Server 2012 R2. The DC being replaced is also running Certificate Services. To do this I will need to remove AD from the DC as well as remove CA and remove it from the domain. I plan on backing up and restoring Active Directory/Certificate Services to the new Server 2012 box with the new server using the same name as the old DC.
I am worried about this transition because if something goes wrong I will have to not only restore from backup I will have to restore the computer object in AD as well.
Would the best strategy be:
Backup AD using ntdsutil
Uninstall AD and CA from DC01
Remove DC01 from domain
** failure occurs **
Restore DC01 computer object in AD on DC02 using ntdsutil authoritative restore
Restore full OS on DC01 from tape backup
The problem I have with this is all of the settings in Sites and Services will still be gone because of the removal of AD from DC01. I am also thinking about simply taking snapshots of the 2 DC's as they are both Virtual Servers in Hyper-V.
Another Strategy (Not approved of as snapshot is NOT a backup):
Snapshot both DC01 and DC02
Uninstall AD and CA from DC01
Remove DC01 from domain
** failure occurs **
Revert back to pre-removal snapshot of DC02
Revert back to pre-removal snapshot of DC01
Any help would be awesome!
Antony
Hi,
First of all, we don’t recommend installing a CA on a DC. This is because if the DC becomes corrupt and needs to be demoted, we need to uninstall the CA role first. If you want to install the CA on a DC, please follow the steps below:
1. Clean install a new Windows 2012 server and add it to the domain as a domain member.
2. Promote this new Windows 2012 R2 server to DC.
Step-by-Step Guide for Setting Up A Windows Server 2012 Domain Controller
http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-a-windows-server-2012-domain-controller.aspx
3. Transfer or seize FSMO roles from the old Windows 2008 R2 DC to the new Windows 2012 R2 DC
How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/kb/324801/en-us
Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504/en-au
4. Back up the CA from the 2008 R2 server with the steps below:
Backing up a CA database and private key.
Backing up CA registry settings.
Backing up CAPolicy.inf only if we install our CA by using it.
Removing the CA role service from this server.
Restoring the CA database and configuration on new server.
Verifying the migration:
Verifying certificate enrollment
Verifying CRL publishing
For more information please refer to the articles below:
AD CS Migration: Preparing to Migrate:
http://technet.microsoft.com/en-us/library/ee126102(WS.10).aspx
Migrating the Certification Authority: http://technet.microsoft.com/en-us/library/ee126140(WS.10).aspx
Performing Post-Upgrade or Post-Migration Tasks: http://technet.microsoft.com/en-us/library/cc742471(v=ws.10).aspx
5. After that, take the old 2008 DC offline for a while. If everything is working fine, you can then demote the Windows 2008 DC.
Thanks.
-
What note when remove an Domain controller from Existing Domain!!!
Dear everybody,
My company has 3 Domain controllers at the moment.
all of them have some functions: DHCP, DNS.
Now, we have a plan to remove a DC.
So, what do we need to pay attention to when removing one of them?
Thanks for your help!!!
1. Migrate DHCP first, using the commands below.
On the old server: netsh dhcp server export C:\dhcp.txt all
On the new server: netsh dhcp server import C:\dhcp.txt all
2. Enable DNS debug log & see which clients are still pointing to the old DC.
http://technet.microsoft.com/en-us/library/cc759581%28v=ws.10%29.aspx
3. Change the DHCP Scope accordingly.
HTH
Biswajit
Regards,
Biswajit
MCTS, MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, Enterprise Admin, ITIL F 2011
Note: Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
-
I just received my new MacBook Pro yesterday and I have an Exchange 2003 server that I would like to work with the email client. now I know some email clients in certain modes will download the mail from the mail server removing it from there at the same time. My question is will the email client remove the mail from the server in order to receive it? I want the mail to remain in the mailbox so I will still have it available at my office later. I am honestly not certain what version of OS X it is, and I don't have it handy, but I just bought it last week. Thanks!
Try trashing the com.apple.iPhoto.plist file from the HD/Users/ Your Name / library / preferences folder. (Remember you'll need to reset your User options afterwards. These include minor settings like the window colour and so on. Note: If you've moved your library you'll need to point iPhoto at it again.)
What's the plist file?
For new users: Every application on your Mac has an accompanying plist file. It records certain User choices. For instance, in your favourite Word Processor it remembers your choice of Default Font, on your Web Browser it remembers things like your choice of Home Page. It even recalls what windows you had open last if your app allows you to pick up from where you left off last. The iPhoto plist file remembers things like the location of the Library, your choice of background colour, whether you are running a Referenced or Managed Library, what preferences you have for autosplitting events and so on. Trashing the plist file forces the app to generate a new one on the next launch, and this restores things to the Factory Defaults. Hence, if you've changed any of these things you'll need to reset them. If you haven't, then no bother. Trashing the plist file is Mac troubleshooting 101.
If that fails:
Option 1
Back Up and try rebuild the library: hold down the command and option (or alt) keys while launching iPhoto. Use the resulting dialogue to rebuild. Choose to Rebuild iPhoto Library Database from automatic backup.
If that fails:
Option 2
Download iPhoto Library Manager and use its rebuild function. This will create a new library based on data in the albumdata.xml file. Not everything will be brought over - no slideshows, books or calendars, for instance - but it should get all your albums and keywords back.
Because this process creates an entirely new library and leaves your old one untouched, it is non-destructive, and if you're not happy with the results you can simply return to your old one.
Regards
TD
-
Removing admin password form Access 2003 database front end and back end
We have a legacy database that has been passed down from the original creator, who is no longer with the organization. It was created in Access 2003. It has a front end and a back end. The original admin password can not be located and we are in the process of upgrading this application to 2010. Is there a way to remove that password so we can make changes to the original files?
Hi,
What password are you talking about, the one created with the workgroup manager? That will be difficult since 2010 doesn't have the workgroup manager anymore. You can still use the database in the 2010 environment but you can't make any changes to the original database without the password.
Maurice
-
Need to remove oracle 9i from win 2003 svr
Hi Guys,
I have a rogue install of oracle 9i on a windows 2003 server box. It was installed as part of a package from a vendor. But during the setup the deal went south and the oracle install was never removed. I arrive on the scene much later and go to remove it. Universal installer (version 2.??) removes a few components (itself included) and then errors saying "this component was installed with installer 10.2.?? cant remove". I am currently downloading the first disk of the oracle9 db and hope that running the installer from that download will let me remove the rest. Is it going to work for me or will there be some issues with oracle being somewhat butchered as it stands? I need to remove the db for any number of reasons. Is there a guide on how to manually remove all traces of oracle from a server in case the installer fails?
Regards Dave
Thanks Neil. But as we never really had the software setup I don't have a cal number or whatever they call it to login to metalink. If someone would get the note and email me a copy that would be above and beyond the call of duty...but it would sure be helping me out.???