Monday, December 16, 2013

Domain Controller Decommission: An Overview

In every organization's IT infrastructure, introducing a new server and removing an old one from the environment is not a new topic. In a Windows Server environment it becomes quite critical when there are many dependencies on the server that is being retired, for example when the one you are about to retire is a Domain Controller.
I was reading a few TechNet articles on the topic and also a new PFE blog post today, which made me write this post, as these articles, when combined under a single roof, will provide readers with the information they need when they plan to decommission a DC from their environment, and also with the additional things they need to look out for to perform a successful decommission that does not impact the environment.

Let's check out the articles and begin our reading.

Before you remove any DC from the environment, you first need to demote the server by removing the Active Directory Domain Services (AD DS) server role, either by using the Active Directory Domain Services Installation Wizard, by using an answer file, or by running Dcpromo.exe at a command line. Review the article below for more detailed information.

Scenarios for Removing AD DS

Once the above task is complete, the next step is to remove the DC from the domain. For this, follow the article below, which, like the one above, covers three different ways:
  • Removing a domain controller by using the Windows interface 
  • Removing a domain controller by using an answer file 
  • Removing a domain controller by entering unattended installation parameters at the command line 

Access the article here: Removing a Domain Controller from a Domain

Now it's time for the additional things to check before we proceed with the above steps of removing the DC. Normally, administrators know which applications use the DC for authentication, and they notify the relevant application teams about the change before they proceed, to ensure that those applications are configured to use a new DC. There are scenarios, however, in which we are not sure: some applications were developed a very long time ago, their developers have left the organization, and they are still in use without the administrators knowing about them, still depending on the DC we are about to decommission. At this stage we need a mechanism that can help us identify which applications use the DC in question, so that we can update each application accordingly and then proceed with the change.

For this vital task, Microsoft PFE Adrian Corona has written an excellent post on the Ask PFE Blog that addresses the need to collect this information easily with the help of built-in tools like Data Collector Sets and ETW tracing, plus a little Excel work.

Review the blog post below for detailed information, and ensure that you perform the outlined steps once in your environment, in addition to the already planned process, before you decommission your DC.

Domain and DC Migrations: How To Monitor LDAP, Kerberos and NTLM Traffic To Your Domain Controllers
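
As a complementary quick check, the following added example (not taken from the PFE post or the TechNet articles) tallies which clients and accounts still authenticate against the DC by reading its Security event log rather than using Data Collector Sets or ETW tracing. It assumes PowerShell 3.0 or later, that success auditing for logon, Kerberos and credential validation events is enabled, and uses a hypothetical lookback window and output path.

```powershell
# Added example. Run in an elevated PowerShell session on the DC being retired.
# Assumes success auditing is enabled for logon, Kerberos and credential validation.
$LookbackDays = 7                      # assumption: long enough to catch periodic jobs
$OutFile = '.\dc-auth-clients.csv'     # hypothetical output path

# Security event IDs that record authentication handled by this DC
$Protocol = @{
    4624 = 'Network logon'             # logon type 3, e.g. LDAP bind or SMB
    4768 = 'Kerberos TGT request'
    4769 = 'Kerberos service ticket'
    4776 = 'NTLM validation'
}
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4768, 4769, 4776
    StartTime = (Get-Date).AddDays(-$LookbackDays)
}

$rows = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        # Flatten <EventData><Data Name="..."> into a name/value table
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        # Keep only network logons among the 4624 events
        if ($evt.Id -eq 4624 -and $data['LogonType'] -ne '3') { return }

        # 4776 records a workstation name; the others record a client address
        $client = if ($evt.Id -eq 4776) { $data['Workstation'] } else { $data['IpAddress'] }
        $client = "$client" -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        # Skip empty values and traffic the DC generated itself
        if ($client -in '', '-', '::1', '127.0.0.1') { return }

        [pscustomobject]@{
            Client   = $client
            Account  = $data['TargetUserName']
            Protocol = $Protocol[[int]$evt.Id]
        }
    }

# One row per client/account/protocol, busiest first
$rows | Group-Object Client, Account, Protocol |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Client';   e = { $_.Group[0].Client } },
        @{ n = 'Account';  e = { $_.Group[0].Account } },
        @{ n = 'Protocol'; e = { $_.Group[0].Protocol } } |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Clients that appear in the CSV but belong to no known application team are the ones to trace to an owner before the demotion is scheduled; the Security log only reaches back as far as its retention allows, so a short log can hide infrequent jobs.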
