Remove an Old DC and Introduce a New DC with the Same Name and IP Address

Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP: Directory Services
Active Directory, Exchange and Windows Infrastructure Engineer

Original Publication: 10/9/2010
Edited 10/19/2010 – Added an additional step in case you are introducing a new 2008 or 2008 R2 DC into a 2003 environment

Applies to Windows 2000, 2003, 2003 R2, 2008, 2008 R2

Preface

This question has arisen from time to time in the Microsoft Public NNTP Newsgroups and Microsoft Social Forums. I’ve put together a set of steps over the years. Each time I post the steps, I’ve found I’ve needed to refine them or explain certain steps. As time has gone by, and questions have arisen on some of the steps, I’ve tried to add that information into the steps. This procedure has grown to the point where I believe I’ve covered most of what’s involved and needed in most scenarios.

Comments, suggestions and corrections are more than welcomed. If I’ve missed something, based on your feedback, I will promptly add them to the list.

Scenario:

6 DCs, 2 in SiteA, 4 in SiteB
One of the DCs in SiteA will be replaced with a DC with the same name and IP.
DHCP installed and needs to be migrated to new DC.
All DCs are DNS servers.
All DCs are GCs.

Basic Steps are:

1. If you are replacing the DC with new hardware but staying with your current Windows 2003 DCs, and are not introducing a Windows 2008 or Windows 2008 R2 DC into the environment, you can skip this step and go to Step 2.

Otherwise, if you are introducing a 2008 or 2008 R2 DC into your current 2003 environment, you must run adprep first; please see the following links (one has a step by step with screenshots). The schema and domain changes adprep makes must replicate to every DC before you promote the new DC, so wait for replication if you need this step. To quicken replication after this step, do Step 2, then force replication as described in Step 13.

Running Adprep.exe:
http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx

Windows Server 2008 ADPREP (With step by step screenshots)
http://www.petri.co.il/windows-server-2008-adprep.htm

2. Optional – Drop the default intrasite DC to DC notification delay. I normally don’t make this change and simply wait around 10 minutes. This is part of what you can call the “patience” factor. If you want to shorten the intrasite intervals, here is how.

There are two settings you can change, both under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters: the delay before a DC notifies its first partner of a change (“Replicator notify pause after modify (secs)”, 5 minutes on Windows 2000) and the pause between notifying successive partners (“Replicator notify pause between DSAs (secs)”, 30 seconds on Windows 2000). If you want, you can lower the first to 30 seconds and leave the second at its default, which is fine. Note that Windows Server 2003 and later already default to 15 seconds and 3 seconds respectively, so on those versions this step rarely buys you anything.

Keep in mind this is a registry change. Have a backup before making it, and export the key you are modifying (reg export) so you have a copy to restore from when you revert in Step 29.

You can use the following article to show you how to change these settings.

How to Modify the Default Intra-Site Domain Controller Replication Interval (KB214678)
http://support.microsoft.com/kb/214678

3. If you have a number of locations and have defined AD Sites to optimize replication and logon/authentication traffic, drop the intersite replication interval to 15 minutes (the minimum) for the duration of the work. That is done in AD Sites and Services on the site link’s properties. The following shows you how.

How to change the interSite Replication Interval (with screenshots):
http://windowspeople.com/index2.php?option=com_content&task=emailform&id=159&itemid=1

4. Make sure all of your DCs (this site and all other sites, whether a single domain or a multi-domain forest) are GCs. Making every DC a GC avoids the Infrastructure Master / Global Catalog conflict and gives better GC availability to the services that depend on it, such as logon, and especially services that use it heavily such as Exchange.

Open Active Directory Sites and Services
Drill down and expand the AD Site the domain controller is in
Click on the DC’s name
In the right pane you will see “NTDS Settings”
Right-click NTDS Settings and choose Properties
Under the General tab, check the Global Catalog checkbox
Repeat for each DC in every site to make sure they are all GCs

5. Install the new server. Get the machine up to date with the latest SP, hotfixes and updates.

6. If this is Windows 2003, copy the i386 folder from the installation media to the C: drive and integrate (slipstream) the latest service pack into it. If this is 2008, 2008 R2, or newer, this is not necessary and you can skip this step.

This step helps when adding Windows 2003 components later through Add/Remove Windows Components: point the wizard at this folder for the source files and you won’t need to re-run the service pack to bring the new components up to date.

Example: C:\SP2\i386\update\update.exe /s:C:\ (this assumes the i386 folder sits directly under C:\; if it is under another folder, give that parent folder after the /s switch. The KB below shows the equivalent /integrate:C:\ switch of the service pack package, which does the same thing.)

How to integrate Windows XP Service Pack 2 files into the Windows XP installation folder
(Same exact steps for Windows 2003)
http://support.microsoft.com/kb/900871

7. Set the new server to use the other DC in SiteA for DNS and WINS.

If WINS is installed on the old DC, you’ll need to migrate it to another server before the old DC is demoted. Read more in this link:
How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419

8. Change the old DC’s DNS client settings to point to another DC in the same site.

9. Make sure Exchange 2003 is not using this DC for the OAB or RUS. If it is, point those to another DC. Exchange 2007 and 2010 will discover the change automatically.

If Exchange is installed on the DC, this introduces a huge complexity and would involve moving the Exchange installation to another Exchange server first. Read the following for more information:

Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx

10. If DHCP is installed, export the DHCP database off the DC in preparation to migrate to the new DC.

How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473

How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2 (Nov 9, 2009)
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx

11. Transfer the FSMO roles to another DC in the same site, or to a DC of your choosing, preferably in the same site.

How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
http://support.microsoft.com/kb/255504

How to view and transfer FSMO roles in the graphical user interface (KB255690)
http://support.microsoft.com/kb/255690

Transferring FSMO Roles – How can I transfer some or all of the FSMO Roles from one DC to another? (Petri; covers both Ntdsutil.exe and the GUI)
http://www.petri.co.il/transferring_fsmo_roles.htm

12. Run dcpromo and demote the DC, making sure you do not select the option that this is the last domain controller in the domain. Then restart.

Removing a Domain Controller from a Domain
Updated: January 5, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx

Demote a domain controller: Active Directory
Updated Jan 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx

13. Allow replication to occur. If your site links are still at the default (180 minutes), wait at least 3 hours; if you changed the interval to 15 minutes in Step 3, about 20 minutes is enough. You can also force replication using repadmin if you want:

repadmin /syncall – initiates replication with all partners of the DC you run it on
repadmin /syncall /A /e /P (/A synchronizes all partitions on the DC you’re running it on, /e synchronizes across all sites, /P pushes changes outward from this DC instead of the default pull)

Also, to check replication status:

To see if anything is in the queue waiting for replication:
Run “repadmin /queue *”

Find out what the replication latency is, if any. If it’s less than a few minutes, you’re fine.
Run “repadmin /showutdvec server-name dc=mydomain,dc=lab /latency”

Repadmin
Updated: August 22, 2005
A complete list of switches with details and usage.
Applies To: Windows Server 2003 R2 (However, the switches apply to 2008 and 2008 R2 as well.)
http://technet.microsoft.com/en-us/library/cc778305(WS.10).aspx

You can also use the Replmon GUI on Windows 2000 and 2003, but it is no longer available for 2008 or newer.
Getting Over Replmon – Ask the Directory Services Team, Jul 1, 2009 (with the release of Windows Server 2008, Replmon was not included)
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx
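As an added example that is not part of the original post, here is a PowerShell wrapper around the repadmin checks above: it parses repadmin’s CSV output into objects, reads the queue depth, and forces a sync then waits until the queue drains and no partner reports failures, so you can run the same check before the demotion and again after the new DC is promoted. It assumes PowerShell 3.0 or later, repadmin.exe from the AD DS tools on the path, and rights to query every DC; DC2 is a placeholder name.

```powershell
# Added example (not from the original post): replication health from repadmin's
# CSV output. Assumes repadmin.exe (AD DS tools / RSAT) and rights on every DC.

function Get-ReplicationFailures {
    [CmdletBinding()]
    param(
        # '*' asks every DC in the forest; give one DC name to scope the check.
        [string]$Target = '*'
    )
    # repadmin mixes plain-text errors (a DC it cannot bind to) into its CSV output;
    # keep only the header and data rows, which it tags showrepl_COLUMNS / showrepl_INFO.
    $rows = repadmin /showrepl $Target /csv |
        Where-Object { $_ -like 'showrepl_*' } |
        ConvertFrom-Csv

    foreach ($row in $rows) {
        # The count is text in CSV; cast first, or "10" -gt "9" compares as strings.
        $failures = [int]$row.'Number of Failures'
        if ($failures -gt 0) {
            [pscustomobject]@{
                Destination   = "$($row.'Destination DSA Site')\$($row.'Destination DSA')"
                Source        = "$($row.'Source DSA Site')\$($row.'Source DSA')"
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $row.'Last Success Time'
                LastError     = $row.'Last Failure Status'
            }
        }
    }
}

function Get-ReplicationQueueDepth {
    param([string]$Dc = 'localhost')
    # repadmin /queue ends with "Queue contains N items."; anything else means it
    # could not be read, which the caller should treat as "not converged".
    $text = repadmin /queue $Dc 2>&1 | Out-String
    if ($text -match 'Queue contains (\d+) items') { return [int]$Matches[1] }
    return -1
}

function Wait-ReplicationQuiet {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$Dc,
        [int]$TimeoutMinutes = 20,
        [int]$PollSeconds = 30
    )
    # /AdeP: all partitions, across sites, push from this DC, identify servers by DN.
    repadmin /syncall $Dc /AdeP | Out-Null
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $queue    = Get-ReplicationQueueDepth -Dc $Dc
        $failures = @(Get-ReplicationFailures -Target $Dc)
        if ($queue -eq 0 -and $failures.Count -eq 0) {
            return $true
        }
        Write-Verbose ("{0}: queue={1} failing links={2}" -f (Get-Date -Format T), $queue, $failures.Count)
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    # Timed out: show what is still wrong instead of silently continuing.
    $failures | Format-Table -AutoSize | Out-String | Write-Warning
    return $false
}

# Usage (placeholder DC name): run on or against a DC in the same site.
# Wait-ReplicationQuiet -Dc DC2 -Verbose
```

A result of $false means either the queue never reached zero or some link still reported failures within the timeout; in that case look at the warning output before going on to the next step rather than assuming the demotion replicated.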

14. Rename the now-demoted server to something else, or keep it unplugged, so that the name and IP address are free for the new DC.

15. On a remaining DC, check DNS to make sure the old DC’s records are gone: the (same as parent folder) A record for the domain (the LdapIpAddress record), the A record under gc._msdcs, the NS records in both the domain zone and the _msdcs zone, and the SRV locator records that pointed at it.

16. Check AD Sites and Services to make sure its server object is gone. If not, delete the server object.

Open Active Directory Sites & Service,
Drill down and expand the AD Site name the domain controller exists in
Right-Click on the DC’s name
Choose Delete (or hit the delete key)

17. Check ADUC, Domain Controllers OU, to make sure the old DC is gone. You should now find the old DC’s computer object in the Computers container.

18. Rename the new server to the old DC’s name.

19. Change the new server’s IP to the old DC’s IP.

20. Run dcpromo on the new server. Select the option to install DNS (if not already installed). Then restart.

How do I install Active Directory on my Windows Server 2003 server?
http://www.petri.co.il/how_to_install_active_directory_on_windows_2003.htm

How to Install Active Directory on Windows Server 2003 (May 19, 2005)
http://technet.microsoft.com/en-us/…/aa998088(EXCHG.65).aspx

When you run Dcpromo.exe to create a replica domain controller, you receive one of the following error messages (KB232070)
http://support.microsoft.com/kb/232070

If you are introducing a newer operating system version than your existing DCs and skipped Step 1, you need to run ADPREP before this dcpromo:

Running Adprep.exe:
http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx

Windows Server 2008 ADPREP (With step by step screenshots)
http://www.petri.co.il/windows-server-2008-adprep.htm

21. Allow it to come up. Wait about 5 – 10 minutes after it has restarted and logged in.

22. Check DNS to make sure that the LdapIpAddress (same as parent folder) A record was registered and a Name Server entry was created.

23. Go into AD Sites and Services and make sure you see the new DC in your Site and there are connection objects to another DC that the KCC created.

24. While in AD Sites and Services, make it a GC. It is now the preferred practice to make all DCs GCs in an infrastructure, whether there is one domain or multiple domains in the forest; this avoids the well-known Infrastructure Master and Global Catalog contention issue.

Open Active Directory Sites & Service, 
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, check the Global Catalog checkbox

25. Run ipconfig /registerdns and restart the Netlogon service. Wait 5-10 minutes, then check DNS for the GC records (the A record under gc._msdcs.domain.com and the SRV record _ldap._tcp.gc._msdcs.domain.com) to see if it registered as a GC. If they are not there yet, wait a few more minutes. Be patient. Hit F5 to refresh the console until you see them.

26. Check ADUC, look in the Domain Controllers OU for the new DC’s entry.

27. Change the new DC’s DNS client settings to its own IP address (itself). Delete the 127.0.0.1 entry. Make the other DC in SiteA the second DNS entry. This is the preferred setting: all DCs should point to themselves as the first entry and to another DC in their own site as the second. If there are no other DCs in its site, choose one across the WAN with the fastest link.

28. If any Forwarders were configured in DNS, you will need to manually re-enter them.

29. If applicable, revert back any and all changes you made earlier regarding Site replication settings and intrasite DC to DC settings.

30. If you haven’t done so already, go have a cold or hot beverage of your choosing. You should be good to go.

 

 

All Comments, Suggestions or Corrections are welcomed!
Ace Fekay

Remove a Current Operational Domain Controller from Active Directory


Original Publication: 10/9/2010
Updated 12/27/2011 – added time service configuration info.

 

Preface

I’ve written this blog because this question has come up numerous times in the forums, newsgroups, and from colleagues. There are other very well qualified blogs, posts and tech articles on these steps. I thought to outline the steps with adding links for each appropriate step to explain how to do it if one is not sure of the steps.

Keep in mind, you can’t simply unplug a DC and be done with it, such as you could do in the Windows NT4 days. There are numerous ramifications involved with a domain controller in the AD database and AD functionality. Other DCs will still think it’s there and will try to replicate to it because it’s still in the AD database. You must remove it properly.

Now if the domain controller has been unplugged and offline for more than the tombstone lifetime (60 days for Windows 2000 and Windows 2003 without a service pack; 180 days for forests created on Windows 2003 SP1 or newer, though a forest upgraded from an older version keeps the 60-day value unless someone raised it), you will need to run a Metadata Cleanup to remove the DC. The tombstone lifetime is how long AD keeps deleted objects before scavenging them, so a DC that has not replicated within that window may still hold objects the rest of the forest has already deleted (lingering objects). Such a DC must not be reconnected and allowed to replicate again; it is removed and, if wanted, rebuilt.

If I’ve omitted any basic or necessary steps, please do comment and let me know. All comments and suggestions are welcome!

 

If the DC has been unplugged for more than the Tombstone Lifetime

If it has been unplugged for longer than the tombstone lifetime, on Windows 2003 or newer you can either run dcpromo /forceremoval to remove AD from the DC, or reinstall the DC from scratch. Either way, you also need to run the Metadata Cleanup procedure on a surviving DC.

Restart the old DC OFF the network, and leave it off the network
On this DC, run “DCPROMO /FORCEREMOVAL”
On a surviving DC, run the Metadata Cleanup procedure to remove the old DC’s references
If you want to reintroduce the old DC, you can then promote it back to a DC

Here are some links to guide you through the Metadata Cleanup procedure:

How to remove data in Active Directory after an unsuccessful domain controller demotion (KB216498)
http://support.microsoft.com/kb/216498

Clean up server metadata: Active Directory, Mar 2, 2005
http://technet.microsoft.com/en-us/library/cc736378(WS.10).aspx

Script to run Metadata Cleanup Procedure:
Script to Remove Active Directory Domain Controller Metadata
Microsoft: The Scripting Guys, Published on 8/10/2009
http://gallery.technet.microsoft.com/ScriptCenter/en-us/d31f091f-2642-4ede-9f97-0e1cc4d577f3

Delete Failed DCs from Active Directory
This link put together by Dan Petri, includes screen shots.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

 

To remove a currently operational DC within the tombstone lifetime, the basic steps are:

Reminder: Do this during off-production hours. This will allow time for changes to replicate in the AD and DNS infrastructure prior to users logging on the next production day.

1. Change the DNS addresses on the DC to point to an existing DC/DNS server in the same AD Site. If no other DCs in the Site, choose a DC in another Site with a fast link.

2. If DHCP is installed, export the DHCP database off the DC in preparation to migrate to the new DC.

How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473

How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2 (Nov 9, 2009)
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx
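The DHCP move, written out as an added PowerShell example (not the post’s own code), covering this step and Step 10 of the previous post. It uses the netsh export and import that KB325473 describes and adds the two things the KB leaves to the operator: stopping the old service before the import so two servers are never leasing from the same scopes, and fixing the authorization list in AD so only the new server is authorized. It assumes PowerShell 3.0 or later, netsh.exe, PowerShell remoting (WinRM) to both hosts, the DHCP role already installed on the new server, and Enterprise Admin rights for the authorization step; OLDDC, NEWDC, their addresses and the export path are placeholders.

```powershell
# Added example (not the post's own code): migrate DHCP from the retiring DC to
# its replacement with netsh export/import (KB325473), stop the old service before
# the import, and leave only the new server authorized in AD.

function Move-DhcpServer {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$OldServer,      # e.g. OLDDC.domain.com
        [Parameter(Mandatory=$true)][string]$OldServerIp,    # e.g. 10.1.1.5
        [Parameter(Mandatory=$true)][string]$NewServer,      # e.g. NEWDC.domain.com
        [Parameter(Mandatory=$true)][string]$NewServerIp,    # e.g. 10.1.1.6
        [string]$ExportFile = 'C:\dhcp-export.txt'
    )
    if (-not $PSCmdlet.ShouldProcess("$OldServer -> $NewServer", 'Move DHCP')) { return }

    # 1. On the old server: export server options, scopes, reservations and leases,
    #    then stop and disable the service so it cannot hand out another lease.
    Invoke-Command -ComputerName $OldServer -ArgumentList $ExportFile -ScriptBlock {
        param($file)
        netsh dhcp server export $file all | Out-Null
        if (-not (Test-Path $file)) { throw "netsh export wrote nothing to $file" }
        Stop-Service DHCPServer
        Set-Service DHCPServer -StartupType Disabled
    }

    # 2. Copy the export over the admin share and import it on the new server.
    #    The import needs the DHCP service running on the target.
    $adminPath = $ExportFile -replace '^([A-Za-z]):', '$1$$'     # C:\x -> C$\x
    Copy-Item -Path "\\$OldServer\$adminPath" -Destination "\\$NewServer\$adminPath"
    Invoke-Command -ComputerName $NewServer -ArgumentList $ExportFile -ScriptBlock {
        param($file)
        Start-Service DHCPServer
        netsh dhcp server import $file all
        Restart-Service DHCPServer
        # The export holds every reservation and lease; do not leave it lying around.
        Remove-Item $file -Force
    }
    Remove-Item "\\$OldServer\$adminPath" -Force

    # 3. Authorization lives in CN=NetServices in the configuration partition. The
    #    old entry must go, or the old host serves again the moment someone
    #    re-enables its service.
    netsh dhcp delete server $OldServer $OldServerIp | Out-Null
    netsh dhcp add server $NewServer $NewServerIp | Out-Null
    # Return the authorized list so the caller can confirm only the new server remains.
    netsh dhcp show server
}

# Usage (placeholders); add -WhatIf for a dry run:
# Move-DhcpServer -OldServer OLDDC.domain.com -OldServerIp 10.1.1.5 -NewServer NEWDC.domain.com -NewServerIp 10.1.1.6
```

Because the old service is stopped before the import, clients cannot renew until the new server is up, so run this inside the off-hours window the post recommends; if the import fails, start the old service again before troubleshooting.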

3. If WINS is installed, you’ll need to migrate it to another server. Read more in this link:

How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419

4. Disable the Global Catalog service from the domain controller.

Open Active Directory Sites & Service, 
Drill down and expand the AD Site name the domain controller exists in
Click on the DC’s name
In the right window pane, you will see “NTDS Settings”
Right-click NTDS Settings, Choose Properties
Under the General tab, uncheck the Global Catalog checkbox

5. If this domain controller currently holds one or more FSMO operations master roles, transfer them to another domain controller before demoting it. dcpromo will transfer the roles automatically, but it may pick a DC you would not have chosen; transferring them yourself first lets you put them on a specific DC.

How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain
http://support.microsoft.com/kb/255504

How to view and transfer FSMO roles in the graphical user interfaceThere are five Flexible Single Master Operations (FSMO) roles in a Windows …
http://support.microsoft.com/kb/255690

Transferring FSMO Roles – How can I transfer some or all of the FSMO Roles from one DC to another?
You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or …
http://www.petri.co.il/transferring_fsmo_roles.htm

6. If you transfer the PDC Emulator FSMO role to another DC, you will need to configure the time service on the new PDC Emulator, because the PDC Emulator (of the forest root domain) sits at the top of the Windows Time hierarchy.

On the new PDC Emulator (note: ‘peers’ is an Internet time source such as time-a.nist.gov or time.windows.com):
w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

On the old PDC Emulator, so that it goes back to following the domain hierarchy:
w32tm /config /syncfromflags:domhier /update

After that, run the following on both DCs (or on all DCs):
net stop w32time
net start w32time

The “peers” value is entered directly on the command line as one or more space-separated DNS names or IP addresses of reliable time sources (quote the list if there is more than one), such as time.windows.com. I normally use 192.5.41.41. Check http://www.pool.ntp.org for time servers in your own locale.

On your edge firewall, allow outbound UDP port 123 from the new PDC Emulator to the time source, and the replies back to it. There is no need to allow inbound NTP from the Internet to the DC.

For more Windows Time Service specifics and troubleshooting, check the following:

Configuring the Windows Time Service for Windows 2000, 2003, 2008 and newer, explanation of the time service hierarchy, and more
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
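Steps 5 and 6 as one added PowerShell example (not the post’s own code; it also serves Step 11 of the previous post and the seizure case for an orphaned DC). It moves the chosen roles with the ActiveDirectory module and, if the PDC Emulator changed hands, runs the w32tm commands above against the new holder (and the old one, when it is still alive) and reports what each now uses as its time source. It assumes PowerShell 3.0 or later, the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and w32tm.exe; DC2 and the NTP peer list are placeholders.

```powershell
# Added example (not the post's own code): move FSMO roles to a chosen DC and, when
# the PDC Emulator moves, re-point the Windows Time hierarchy as the post describes.
# Assumes the ActiveDirectory module and w32tm.exe; names and peers are placeholders.

function Get-FsmoHolders {
    $d = Get-ADDomain
    $f = Get-ADForest
    # One object with all five roles, so callers can compare before and after.
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Set-PdcTimeSource {
    param(
        [Parameter(Mandatory=$true)][string]$NewPdc,
        [string]$OldPdc,   # leave empty when the old holder is gone (seizure)
        # Two or more sources; the 0x8 flag puts the peer in client mode so the DC
        # never treats an Internet host as a symmetric-active peer.
        [string[]]$Peers = @('0.pool.ntp.org,0x8', '1.pool.ntp.org,0x8')
    )
    # New PDCe: sync from the external list and advertise itself as reliable.
    w32tm /config /computer:$NewPdc /manualpeerlist:"$($Peers -join ' ')" /syncfromflags:manual /reliable:yes /update | Out-Null
    $targets = @($NewPdc)
    if ($OldPdc) {
        # Old holder: back to the domain hierarchy and no longer "reliable", so two
        # DCs never both claim to be the authoritative source.
        w32tm /config /computer:$OldPdc /syncfromflags:domhier /reliable:no /update | Out-Null
        $targets += $OldPdc
    }
    foreach ($dc in $targets) {
        w32tm /resync /computer:$dc /rediscover | Out-Null
        # Report what each DC now says its source is, for the operator to check.
        [pscustomobject]@{ DC = $dc; TimeSource = (w32tm /query /computer:$dc /source | Out-String).Trim() }
    }
}

function Move-FsmoRoles {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        [Parameter(Mandatory=$true)][string]$TargetDc,
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Roles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'),
        # Seize only for a holder that is gone for good (orphaned DC). A DC whose
        # Schema, Domain Naming or RID role was seized must never return to the network.
        [switch]$Seize
    )
    $before = Get-FsmoHolders
    if ($PSCmdlet.ShouldProcess($TargetDc, "Move $($Roles -join ', ')")) {
        # -Force is what turns a graceful transfer into a seizure.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Force:$Seize -Confirm:$false
    }
    $after = Get-FsmoHolders
    foreach ($r in $Roles) {
        if ($after.$r -ne $before.$r) { Write-Verbose "$r : $($before.$r) -> $($after.$r)" }
    }
    # Only the PDC Emulator drags the time hierarchy along with it.
    if ($Roles -contains 'PDCEmulator' -and $after.PDCEmulator -ne $before.PDCEmulator) {
        $old = if ($Seize) { $null } else { $before.PDCEmulator }
        Set-PdcTimeSource -NewPdc $after.PDCEmulator -OldPdc $old
    }
    $after
}

# Usage (placeholder names): transfer everything to DC2, or seize the domain roles only.
# Move-FsmoRoles -TargetDc DC2 -Verbose
# Move-FsmoRoles -TargetDc DC2 -Roles PDCEmulator, RIDMaster, InfrastructureMaster -Seize
```

The function returns the holders after the move so you can confirm them with netdom query fsmo; on a seizure it skips the old holder deliberately, since that DC is unreachable by definition.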

7. Make sure Exchange 2003 is not using this DC for the OAB or RUS. If it is, point those to another DC. Exchange 2007 and 2010 will discover the change automatically.

If Exchange is installed on the DC, this introduces a huge complexity and would involve moving the Exchange installation to another Exchange server first. Read the following for more information:

Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx

8. Run dcpromo. Do not select the option that this DC is the last DC in the domain. Allow it to restart. If you are not sure of the options to choose, read the following links.

Removing a Domain Controller from a Domain
Updated: January 5, 2009
Applies To: Windows Server 2008, Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc771844(WS.10).aspx

Demote a domain controller: Active Directory
Updated Jan 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2     
http://technet.microsoft.com/en-us/library/cc740017(WS.10).aspx

9. Go to an existing DC and check DNS to make sure the old DC’s references (the LdapIpAddress and GC records) are gone.

Check the gc._msdcs.domain.com A records and the _ldap._tcp.gc._msdcs.domain.com SRV records
If an entry for the old DC exists, delete it.

Check the domain.com zone
If an entry “(same as parent folder) A <oldIpAddress>” exists, delete it.

10. Check the domain.com and _msdcs.domain.com zones for NS (name server) records to make sure the old DC no longer appears in them. If it still shows:

Right-click the zone and choose Properties
Choose the Name Servers tab
Highlight the old entry
Choose Remove, and OK the message that asks whether you are sure you want to delete it

11. Check AD Sites and Services to make sure its server object is gone. If not, delete the server object.

Open Active Directory Sites & Service,
Drill down and expand the AD Site name the domain controller exists in
Right-Click on the DC’s name
Choose Delete (or hit the delete key)

12. Check ADUC, Domain Controllers OU to make sure it’s gone. You should now find the old DC computer object in the Computers Container.
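An added PowerShell example (not the post’s own code) that does the checks in Steps 9 through 12, and Steps 15 to 17 and 22 to 26 of the previous post, from a surviving DC in one pass: it searches both DNS zones for the old name or IP, looks for the server object under CN=Sites and the computer account under OU=Domain Controllers, and asks the DC locator which DC it returns. It assumes PowerShell 3.0 or later, dnscmd.exe, dsquery.exe and nltest.exe from the AD DS and DNS tools, and a DNS server that hosts both zones; OLDDC, 10.1.1.5 and domain.com are placeholders.

```powershell
# Added example (not from the original post): find anything that still refers to
# a removed DC in DNS, CN=Sites, OU=Domain Controllers and the DC locator answer.
# Assumes dnscmd.exe, dsquery.exe and nltest.exe; OLDDC/10.1.1.5/domain.com are placeholders.

function Find-StaleDcReferences {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$OldDcName,    # short name, e.g. OLDDC
        [Parameter(Mandatory=$true)][string]$OldDcIp,      # e.g. 10.1.1.5
        [Parameter(Mandatory=$true)][string]$DomainFqdn,   # e.g. domain.com
        [string]$DnsServer = $env:COMPUTERNAME
    )
    $findings = New-Object System.Collections.Generic.List[object]
    $fqdn   = "$OldDcName.$DomainFqdn"
    $nameRx = [regex]::Escape($fqdn)
    # Anchor the IP so 10.1.1.5 does not also match 10.1.1.50.
    $ipRx   = '(^|[\s,])' + [regex]::Escape($OldDcIp) + '(\s|$)'

    # DNS: the domain zone holds the (same as parent) A and NS records; the _msdcs
    # zone holds the gc A record and the _ldap/_kerberos SRV locator records.
    # /zoneprint dumps every record, so one pass over each zone catches all of them.
    foreach ($zone in $DomainFqdn, "_msdcs.$DomainFqdn") {
        foreach ($line in (dnscmd $DnsServer /zoneprint $zone 2>&1)) {
            if ($line -match $nameRx -or $line -match $ipRx) {
                $findings.Add([pscustomobject]@{ Where = "DNS zone $zone"; Detail = "$line".Trim() })
            }
        }
    }

    # Server object under CN=Sites (what AD Sites and Services shows). dsquery quotes its output.
    $servers = dsquery server -o rdn 2>&1 | ForEach-Object { "$_".Trim('"') }
    if ($servers -contains $OldDcName) {
        $findings.Add([pscustomobject]@{ Where = 'CN=Sites'; Detail = "server object $OldDcName still present" })
    }

    # Computer account: after a clean demotion it moves to CN=Computers; after a
    # metadata cleanup it is gone. Anything still under OU=Domain Controllers is stale.
    $computerDn = dsquery computer -name $OldDcName -o dn 2>&1 |
        ForEach-Object { "$_".Trim('"') } | Where-Object { $_ -like 'CN=*' }
    if ($computerDn -like '*OU=Domain Controllers,*') {
        $findings.Add([pscustomobject]@{ Where = 'OU=Domain Controllers'; Detail = "$computerDn" })
    }

    # Locator: /force bypasses the client-side cache; the answer must not be the old DC.
    $locator = nltest /dsgetdc:$DomainFqdn /force 2>&1 | Out-String
    if ($locator -match $nameRx) {
        $findings.Add([pscustomobject]@{ Where = 'DC locator'; Detail = 'nltest /dsgetdc still returns the old DC' })
    }

    # An empty result means nothing stale was found.
    return ,$findings.ToArray()
}

# Usage (placeholders): run on a surviving DC; an empty result is the goal.
# Find-StaleDcReferences -OldDcName OLDDC -OldDcIp 10.1.1.5 -DomainFqdn domain.com | Format-Table -AutoSize
```

Each finding names where it came from, so a DNS line can be removed with dnscmd /recorddelete or in the DNS console, and a CN=Sites hit means the server object (and its NTDS Settings) still needs deleting as in the next step.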

13. Review the DNS client settings on the remaining DCs (and any DHCP scope options and statically configured clients) to make sure none of them still list the removed DC. The preferred setting is for each DC to point to itself as the first entry and to another DC in its own site as the second; delete any 127.0.0.1 entry. If there are no other DCs in its site, choose one across the WAN with the fastest link.

14. Go have a cold or hot beverage of your choosing. You should be good to go.

 

All comments, corrections and suggestions are welcome!

Ace Fekay

Complete Step by Step to Remove an Orphaned Domain Controller


Published 10/5/2010
Revamped  11/3/2010 – Changed the steps to make more sense and easier to follow

 

Preface

I think at this time you’re probably thinking, “What, another blog on how to remove an Orphaned DC?” I know. There are many out there, and I commend all the ones I’ve read. I thought to put together a complete step by step with all the little nuances that are involved, with links and explanations. If I’ve forgotten any, or made a mistake, I do hope someone is kind enough to post a comment saying so. I would do the same.

In a nutshell, I wrote this in response to questions that have come up numerous times in the AD NNTP newsgroups and Microsoft Social Forums. The question isn’t usually asked directly, because some may not realize these steps are required; rather, how to remove an orphaned DC is normally the answer after diagnosing a specific DC or replication issue, such as not being able to introduce a new DC with the same name as a failed one, a DC that was lost and is now causing numerous Event log replication errors and DCDIAG errors, or something as simple as having run the procedure but forgotten a step or two.

To point out, many of the steps were taken from the following link, but I’ve extrapolated the steps and added additional information, links, and explanations.

How to remove completely orphaned Domain Controller
http://support.microsoft.com/kb/555846

 

Should I repair the DC or simply dump it and create a new one?

Good question. In many cases, whenever a DC is lost, the easiest and simplest way is to dump the machine, clean up AD, and rebuild it using the same name. Compared to doing a restore, this is the simplest procedure and saves time, because it’s much faster. However, if any application or service is installed on the DC, it adds complexity, especially if Exchange was installed on it. Needless to say, as many are aware or have already heard, it’s recommended never to install Exchange on a DC. See the next section, where I’ve posted a link that explains this in greater detail.

Of course, the decision to dump the failed DC and rebuild a new one with the same name is a sound and proven popular decision; however, it assumes there are no applications, major services, or files to be restored on the DC. Normally we do not recommend installing additional apps or services on a DC other than DNS, WINS and/or DHCP. If there are any, then of course the apps, services, files, etc. must be reinstalled, reconfigured, or restored.

Was Exchange on the DC?

As mentioned in the previous section, if Exchange is on a DC (besides not wanting to reiterate that this is not a recommended configuration), hopefully you have a full backup of the Exchange Information Store and of the DC System State, because both would have to be restored. Hopefully as well you have two separate backups of each, not both in the same backup job, otherwise you may find the Exchange backup is useless to restore. More about Exchange on a DC in the following link. It’s not a DC/Exchange restore link; rather, it explains why you wouldn’t want to install Exchange on a DC and the ramifications, unless it’s SBS, which is designed to allow Exchange on it. Read more if this applies to your scenario:

Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Published by acefekay on Aug 8, 2009 at 7:00 PM 
http://msmvps.com/blogs/acefekay/archive/2009/08/08/moving-from-exchange-2000-currently-on-a-windows-2000-domain-controller-to-a-new-exchange-2003-server-on-a-windows-2003-member-server.aspx

 

Were there any applications or services installed?

Was DHCP installed?

If you don’t have a backup from which you can retrieve the DHCP database, your best bet is to reinstall the DHCP service and start from scratch. If you do have a backup and can restore the DHCP files, follow this link:

How to move a DHCP database from a computer that is running Windows 2003 (Also applies to newer versions)
http://support.microsoft.com/kb/325473

How to migrate a DHCP database from Windows 2000 Server to Windows Server 2008 or Windows Server 2008 R2 (Nov 9, 2009)
http://blogs.technet.com/b/networking/archive/2009/11/09/how-to-migrate-a-dhcp-database-from-windows-2000-server-to-windows-server-2008-or-windows-server-2008-r2.aspx

Was WINS installed?

If you don’t have a backup that you can retrieve the WINS database, your best bet is to reinstall WINS services and start from scratch. If the WINS server had a partner, you can possibly use that to reinitiate the database. If you do have a backup and can restore the WINS files, follow this link:

How to migrate a WINS Database from Windows 2000-based WINS server (Applies to all Windows 2000 and newer Windows versions)
http://support.microsoft.com/kb/875419

Was DNS installed?

No worries as long as the zones were AD Integrated. They’ll just replicate over from another DC automatically. No need to manually create the zones. If you do try to manually create the zones and they are AD Integrated, you’ll introduce a duplicate zone issue in the AD database, which is another topic to clean them up.

Any other applications or services installed?

Depending on the application or service installed, hopefully you’ll have a backup from which you can retrieve the files; otherwise you’ll have to reinstall. For any third party application, refer to its documentation or contact the vendor for assistance.

Basic High-Level steps

1. Run a Metadata Cleanup
2. Remove the old computer in “Active Directory Sites and Services.”
3. Remove old DNS and WINS records of the orphaned Domain Controller.
4. If Windows 2000, use “ADSIEdit” to remove old computer records from the Active Directory.
5. Force Active Directory replication

 

 

Steps Broken Down with a Low-Level Description

1. Make sure at least one of the remaining live DCs is a GC. It is actually recommended to make all DCs GCs, whether in a single domain or a multi-domain forest, because it avoids the Infrastructure Master / Global Catalog conflict. Many large installations use this design successfully without issues. As a matter of fact, Exchange likes it.

Global Catalog vs. Infrastructure Master:
“If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs”
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

Enable or disable a global catalog: Active Directory (Jan 21, 2005)
Select the Global Catalog check box to enable the global catalog, or clear the check box to disable the global catalog.
http://technet.microsoft.com/en-us/library/cc758330(WS.10).aspx

How to create or move a global catalog in Windows Server 2003 (same in 2008 & 2008 R2)
http://support.microsoft.com/kb/313994

 

2. Use the following knowledgebase to run a Metadata Cleanup to remove common Domain Controller objects and settings from Active Directory.

A. For Windows 2003

NTDSUTIL in Windows Server 2003 SP1 and newer automatically removes the computer account and the FRS objects from Active Directory, but if you like, you can still use these steps to ensure the objects were removed.

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498

 

B. For Windows 2000, you must use ADSIEdit to remove the computer account and the FRS member object from Active Directory.

Use ADSIEdit to delete the computer account. To do this, follow these steps:

1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=Your Domain Name, DC=COM (or PRI, LOCAL, NET).
4. Expand OU=Domain Controllers.
5. Right-click CN=domain controller name, and then click Delete.

If you receive the “DSA object cannot be deleted” error message when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.

Note The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.

Use ADSIEdit to delete the FRS member object. To do this, follow these steps:

1. Click Start, click Run, type adsiedit.msc in the Open box, and then click OK.
2. Expand the Domain NC container.
3. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
4. Expand CN=System.
5. Expand CN=File Replication Service.
6. Expand CN=Domain System Volume (SYSVOL share).
7. Right-click the domain controller you are removing, and then click Delete.

 

C. For Windows 2008 and Windows 2008 R2:

It’s all GUI based in 2008 and 2008 R2. However, you’ll still want to follow the rest of the steps to seize FSMOs, force replication, check DNS and WINS, etc.

Cleanup Server Metadata Windows 2008 (GUI Based)
http://technet.microsoft.com/en-us/library/cc816907(WS.10).aspx

Active Directory Metadata Cleanup (For Windows 2008 or newer – with screen shots)
By Meinolf Weber, MVP
http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

 

Optional Script For Windows 2000, 2003, 2008, and 2008 R2

If you are reluctant to use ntdsutil or the other command line tools, you can use the script Microsoft wrote specifically to run a Metadata Cleanup for you:

Remove Active Directory Domain Controller Metadata (Microsoft) – Applies to all Windows Server Versions (2000, 2003, 2003 R2, 2008, 2008 R2, SBS 2003 & SBS 2008)
http://gallery.technet.microsoft.com/ScriptCenter/en-us/d31f091f-2642-4ede-9f97-0e1cc4d577f3
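The following is an added example, not code from the original post or from Microsoft: it runs the same metadata cleanup with ntdsutil and then checks, through plain ADSI, that the objects Step 2B has you delete by hand in ADSIEdit are actually gone. The DC name, site name and domain DN are placeholders you must replace. Windows Server 2003 SP1 and later accept the server DN directly on the ntdsutil command line; on earlier versions, use the interactive session from KB 216498 instead.

```powershell
# Added example (not from the original post): remove the orphaned DC's
# metadata with ntdsutil, then confirm the leftover objects are gone.
# $OldDc, $SiteName and $DomainDn are placeholders; adjust them first.
$OldDc    = 'OLDDC'                      # NetBIOS name of the failed DC
$SiteName = 'SiteA'
$DomainDn = 'DC=domain,DC=local'
$ServerDn = "CN=$OldDc,CN=Servers,CN=$SiteName,CN=Sites,CN=Configuration,$DomainDn"

# Windows Server 2003 SP1 and later accept the server DN directly, so the
# whole ntdsutil session can be passed as arguments instead of typed in.
# Run this on a surviving DC; a confirmation dialog still appears.
& ntdsutil.exe 'metadata cleanup' "remove selected server $ServerDn" quit quit

# Objects that should no longer exist once cleanup has replicated. Their
# absence is what Step 2B otherwise confirms by hand in ADSIEdit.
$Expected = @(
    "LDAP://CN=$OldDc,OU=Domain Controllers,$DomainDn"     # computer account
    "LDAP://CN=NTDS Settings,$ServerDn"                     # replication settings
    "LDAP://$ServerDn"                                      # server object (Step 5)
    "LDAP://CN=$OldDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn"  # FRS member
)

foreach ($Path in $Expected) {
    # [ADSI]::Exists binds to the path and returns $false when it is not found
    if ([ADSI]::Exists($Path)) {
        Write-Warning "Still present, remove manually in ADSIEdit: $Path"
    } else {
        Write-Host "Gone: $Path"
    }
}
```

Any path reported as still present is the one to delete in ADSIEdit using the Step 2B steps; the FRS member object in particular is only removed automatically on 2003 and newer.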

 

3. If the failed DC held any of the FSMO roles, you need to seize those roles to an alternative Domain Controller.

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/kb/255504

How to view and transfer FSMO roles in Windows Server 2003 using the GUI
http://support.microsoft.com/kb/324801

 

4. If the failed DC held the PDC Emulator Role, you need to configure a new authoritative time server in the domain. The first link is my blog with complete steps. It was compiled using the following two Microsoft KBs, among other links.

Configuring the Windows Time Service for Windows Server
Scroll down to the section “Transferring the PDC Emulator Role”
Published by acefekay on Sep 18, 2009 at 8:14 PM
http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx

How to configure an authoritative time server in Windows 2000
http://support.microsoft.com/kb/216734
 
How to configure an authoritative time server in Windows Server 2003
http://support.microsoft.com/kb/816042
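Steps 3 and 4 together, as an added example that is not part of the original post or of the linked KBs: seize only the roles the failed DC held, confirm the new holders with netdom, and, if the PDC Emulator was among them, point the Windows Time service at an external source as KB 816042 describes. The DC name, the role list and the NTP peers are placeholders. The w32tm syntax is for Windows 2003 and later (Windows 2000 uses net time /setsntp), and w32tm /query exists on 2008 and later.

```powershell
# Added example (not from the original post): seize FSMO roles on a surviving
# DC, verify, then configure time if the PDC Emulator moved. $NewDc, $Roles
# and the NTP peers are placeholders.
$NewDc = 'DC2'                 # surviving DC that will hold the roles
$OldDc = 'OLDDC'               # failed DC whose roles are being seized

# List ONLY the roles the failed DC held. Windows Server 2003 spells the
# second one "domain naming master"; 2008 and later use "naming master".
$Roles = @('schema master', 'naming master', 'infrastructure master', 'RID master', 'PDC')

# "seize" first tries a graceful transfer and seizes only if the current
# holder cannot be reached. Each seize pops a confirmation dialog: click Yes.
$Session  = @('roles', 'connections', "connect to server $NewDc", 'quit')
$Session += $Roles | ForEach-Object { "seize $_" }
$Session += @('quit', 'quit')
& ntdsutil.exe $Session

# netdom query fsmo prints the current holder of all five roles; none of
# the lines should still mention the failed DC.
$Fsmo = & netdom.exe query fsmo
$Fsmo
if ($Fsmo -match $OldDc) {
    Write-Warning "A role still points at $OldDc; re-check the ntdsutil output above."
}

# Step 4, only when the PDC Emulator was seized: make this DC the forest's
# authoritative time source (KB 816042). 0x8 = poll the peer in client mode.
if ($Roles -contains 'PDC') {
    & w32tm.exe /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
    & w32tm.exe /resync
    & w32tm.exe /query /source     # 2008 and later: should name one of the peers
}
```

Seizing while the old DC is merely offline (rather than gone for good) is what makes Step 2's metadata cleanup mandatory: the old DC must never be brought back onto the network believing it still owns a role.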

 

5. Remove the old DC’s object by using the “Active Directory Sites and Services” tool.

Open Active Directory Sites and Services
Expand the Sites folder
Select the site the old DC was in
Expand Servers
Delete the old DC name

 

6. Remove any old WINS records of the orphaned Domain Controller from the WINS database. If there are WINS replication partners, when you delete them, choose the “Tombstone” option.

Deletion of WINS Database Records
If WINS records deleted this way have been replicated to other WINS servers, these additional records will not be removed fully. The records on other WINS …
http://technet.microsoft.com/en-us/library/cc959263.aspx

Deleting and tombstoning records: Windows Internet Name Service (WINS)
Jan 21, 2005 … If the WINS records deleted in this way exists in WINS data replicated to other WINS servers on your network, these additional records are …
http://technet.microsoft.com/en-us/library/cc782886(WS.10).aspx

 

7. Force Active Directory replication by using “Repadmin.exe” tool.

Repadmin examples:

repadmin /syncall – to initiate replication with all partners
repadmin /syncall /A /e /P (/A Synchronizes all partitions on the DC you’re running it on, /e Synchronizes partitions across all Sites, /P Forces a “Push” that pushes changes outwards instead of the default to pull changes)

Also, to check replication status:

To see if anything is in the queue waiting for replication:
Run “repadmin /queue *”

Find out what the replication latency is, if any. If it’s less than a few minutes, you’re fine.
Run “repadmin /showutdvec server-name dc=mydomain,dc=lab /latency”

You can also use the Replmon GUI version for Windows 2000 and 2003, but it’s no longer available for 2008 or newer.
Getting Over Replmon (Ask the Directory Services Team blog, Jul 1, 2009)
With the release of Windows Server 2008, Replmon was not included …
http://blogs.technet.com/b/askds/archive/2009/07/01/getting-over-replmon.aspx

Repadmin: More info as well as explanations on the specific repadmin switches

Repadmin
Updated: August 22, 2005
A complete list of switches with details and usage.
Applies To: Windows Server 2003 R2 (However, the switches apply to 2008 and 2008 R2 as well.)
http://technet.microsoft.com/en-us/library/cc778305(WS.10).aspx

Using Repadmin.exe to troubleshoot Active Directory replication
http://support.microsoft.com/kb/229896/

Initiating Replication Between Active Directory Direct Replication Partners
Written for Windows 2000, but works for Windows 2003, 2008 and 2008 R2
This article shows how to use repadmin and the necessary switches to force replication between specific or all partners in the infrastructure
http://support.microsoft.com/kb/232072

Troubleshooting replication
Updated: April 4, 2008
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
http://technet.microsoft.com/en-us/library/cc755349(WS.10).aspx

Repadmin
Updated: July 13, 2010
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2008
http://technet.microsoft.com/en-us/library/cc770963(WS.10).aspx

Repadmin: Microsoft Technical Whitepaper (download link):
http://www.microsoft.com/downloads/details.aspx?familyid=c6054092-ee1e-4b57-b175-5aabde591c5f&displaylang=en
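An added example, not from the original post: it forces the same push replication as above, then reads repadmin’s CSV output to flag failing links and any inbound link whose source is still the removed DC, which is what the text tells you to look for with /showrepl and /queue. The DC name is a placeholder. It relies only on repadmin /showrepl * /csv and ConvertFrom-Csv (PowerShell 2.0).

```powershell
# Added example (not from the original post): force replication from this
# DC, then evaluate replication status for every DC. $OldDc is a placeholder.
$OldDc = 'OLDDC'

# /A all partitions, /e all sites, /P push (the switches explained above)
& repadmin.exe /syncall /A /e /P

# /showrepl * /csv emits one row per inbound replication link on every DC in
# the forest; ConvertFrom-Csv turns the rows into objects with named columns.
$Links = & repadmin.exe /showrepl * /csv | ConvertFrom-Csv

# Links that have failed at least once, with the last error code
$Failed = $Links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($Failed) {
    $Failed | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status' -AutoSize
} else {
    Write-Host 'No replication failures reported.'
}

# An inbound link whose source is the removed DC means metadata cleanup has
# not replicated everywhere yet, or a connection object survived (Step 5).
$Stale = $Links | Where-Object { $_.'Source DSA' -eq $OldDc }
if ($Stale) {
    Write-Warning "$(@($Stale).Count) link(s) still list $OldDc as a source"
    $Stale | Format-Table 'Destination DSA', 'Naming Context' -AutoSize
}

# The queue should drain to zero once /syncall completes
& repadmin.exe /queue
```

Run it from a DC that can reach all the others; a link to the old DC that persists after a second pass is the signal to go back to Step 2 and Step 5 on the DC named in the Destination DSA column.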

 

8. Go through DNS with a fine-toothed comb to delete all references to the old DC. You’ll need to delete records such as SRV, host (A), LdapIpAddress, and GcIpAddress.

Drill down into every record under both domain.local and _msdcs.domain.local.

Under the domain.local zone:

Delete the A (host record) for the failed DC
Delete the LdapIpAddress: Under domain.local, you will see a record such as (same as parent)  A  192.168.1.10 (using this IP as an example). Delete it.
Delete any reference in the DomainDnsZones. If the DomainDnsZones folder exists, expand it. Check and delete any reference to the failed DC’s FQDN and IP address.
Delete any reference in the ForestDnsZones. If the ForestDnsZones folder exists, expand it. Check and delete any reference to the old DC’s FQDN and IP address.

To make sure all records are gone, fully expand each folder under the domain.local zone, and delete any references you see, such as the Kerberos and LDAP SRV records. The subfolders are:

_sites
_tcp
_udp
domaindnszones
forestdnszones

Under the _msdcs.domain.local zone:

Delete the GcIpAddress: Click on the _gc._msdcs.domain.local folder. Delete the IP Address for the old DC.
Delete the DC’s GUID ALIAS: Click on _msdcs.domain.local. You will see an ALIAS record with a long GUID number as the name pointing to the old DC’s FQDN. Delete it.

To make sure all records are gone, fully expand each subfolder under the _msdcs.domain.local zone. Make sure you do not see any references to the failed DC. If so, please delete them. The subfolders are:

dc
domains
gc
pdc

9. Delete the NameServer reference in all DNS zones’ properties, Nameserver tab.

Right-click DNS server name, properties
Nameserver Tab
Remove the old DC FQDN and/or IP
Repeat for every zone that exists

10. Run a DNSLINT report. Make sure the old DC is no longer listed anywhere in DNS. If it is still listed, go back to Steps #8 and #9.

Here are some links to understand how to use it.

Dnslint Overview: Domain Name System(DNS)
Prior to the development of DNSLint, the nslookup utility was frequently …
http://technet.microsoft.com/en-us/library/cc736981(WS.10).aspx

Support WebCast: Microsoft Windows: Using the DNSLint Utility
http://support.microsoft.com/?id=329982

Description of the DNSLint utility
Dec 3, 2007 … DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.
http://support.microsoft.com/kb/321045

How to use DNSLint to troubleshoot Active Directory replication issues
This article describes how to use the DNSLint utility to troubleshoot Active …
http://support.microsoft.com/kb/321046
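Steps 8 through 10 as one added example, which is not part of the original post: instead of expanding every folder in the DNS console, it asks the DNS server’s WMI provider for every record in every zone and reports those whose owner name or data still names the old DC’s FQDN or IP address, which covers the A record, LdapIpAddress and GcIpAddress, the GUID alias, the SRV records and the NS entries from Step 9 in one pass. Deletion is a separate, explicit switch. The server name, FQDN and IP address are placeholders; the MicrosoftDNS WMI namespace is what the DNS console itself uses on Windows 2003 and 2008.

```powershell
# Added example (not from the original post): find, and optionally delete,
# every DNS record that still references the failed DC. The three values
# below are placeholders.
param(
    [string]$DnsServer = 'DC2',
    [string]$OldFqdn   = 'olddc.domain.local',
    [string]$OldIp     = '192.168.1.10',
    [switch]$Remove
)

# The MicrosoftDNS WMI provider exposes all zones and records on a Windows
# 2003/2008 DNS server, including _msdcs, DomainDnsZones and ForestDnsZones.
$All = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_ResourceRecord' -ComputerName $DnsServer

# Whole-token match so that 192.168.1.10 does not also match 192.168.1.100.
# Matching OwnerName catches the host (A) record; matching RecordData catches
# LdapIpAddress and GcIpAddress (IP), the GUID alias, NS records and any SRV
# record whose target is the old DC (FQDN, possibly with a trailing dot).
$Pattern = '(?<![\w.-])(' + [regex]::Escape($OldFqdn) + '|' + [regex]::Escape($OldIp) + ')(?![\w-])'
$Hits = $All | Where-Object { $_.OwnerName -match $Pattern -or $_.RecordData -match $Pattern }

$Hits |
    Select-Object ContainerName, OwnerName, @{ n = 'Type'; e = { $_.__CLASS -replace '^MicrosoftDNS_|Type$', '' } }, RecordData |
    Format-Table -AutoSize

if (@($Hits).Count -eq 0) {
    Write-Host "No records reference $OldFqdn or $OldIp; Step 10 (DNSLint) should now come back clean."
} elseif ($Remove) {
    foreach ($Rec in $Hits) {
        # Delete() removes the instance on the server; for AD-integrated zones
        # the deletion replicates to the other DNS servers with AD.
        $Rec.Delete() | Out-Null
        Write-Host "Deleted $($Rec.__CLASS) $($Rec.OwnerName) -> $($Rec.RecordData)"
    }
} else {
    Write-Host 'Review the list above; re-run with -Remove to delete these records.'
}
```

Run it first without -Remove against each DNS server that hosts a non-AD-integrated (primary or secondary) copy of the zones, since those do not pick up deletions made elsewhere; for AD-integrated zones one server is enough, and the repadmin step above will show when the change has replicated.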

 

 

Manually altering a DC to turn it into a non-DC

Last but not least, years ago before the /forceremoval switch, when a DC could not be demoted but you wanted to keep the machine intact afterwards, someone posted a method with steps to manually rip out the pieces that make a DC a DC. FWIW, here they are:

 

14 easy manual steps to make a DC a non-DC

Some have posted this as 12, 13 or 14 steps; they are the same steps, with some tasks combined.

Keep in mind, unless it was changed, this is not supported by Microsoft. I believe there was a KB on it at one time, but I don’t have the KB#. If you follow this, keep in mind, this posting is AS-IS and offers no guarantees and confers no rights from Microsoft or myself. Here are a couple of links explaining the steps, as well as the steps posted below.

This was archived at this site from an old Newsgroup post I made back in 3/11/2003:
http://www.pcreview.co.uk/forums/manually-remove-ad-t1448839p2.html

Remove failed DC from AD manually… Never been easier (step by step with screen shots)
Unlike Windows 2000 and 2003, Windows 2008 & Windows 2008 R2 have new GUI tools to remove a failed DC from the AD database.
http://fawzi.wordpress.com/2010/11/11/remove-failed-dc-from-ad-manually-never-been-easier/

 

1) On another DC in the domain run NTDSUTIL to move the FSMO’s, er seize them! DOH. (If this is the only DC, then don’t worry about it)
2) Make sure DNS is 100% solid on the working DC. (If only one DC, don’t worry about it for now, but configure it correctly before promoting it to a new DC).
3) Make sure working DC is also a GC. (If just one DC, don’t worry about it).
4) Boot corrupted DC into DSRM, edit the registry change HKLM\SYSTEM\CCS\Control\ProductOptions change the ProductType value from LanmanNT to ServerNT. This key dictates if the machine is a DC or just a server. ServerNT means it’s not a DC.
5) Command prompt > net stop ntfrs to stop FRS.
6) Delete the Winnt\Sysvol and NTDS directories.
7) Reboot the now former DC
8) Log into the now member server. Change it to a stand alone, by joining a workgroup (My Computer Properties, Network ID tab, remove it from the old domain).
9) Reboot the now stand alone server.
10) If there is only one DC in the domain, skip this step, otherwise, on the good DC delete the disabled computer account for the old, now defunct DC.
11) Now on this new stand alone machine, set the Primary DNS Suffix to the new domain name that you want (My Computer, Properties, Network ID tab, Properties, More). Reboot.
12) Make sure that DNS is configured with the new domain name and updates set to YES.
13) Run DCPROMO to create a new domain or join the domain/tree/forest again.
14) Reboot

Comments, suggestions and corrections are welcomed! 

Ace Fekay

Exchange on a Domain Controller – How to Move Exchange off a DC

Exchange on a Domain Controller – Ramifications and How to Move Exchange off a DC  
Formerly Titled: Exchange on a DC: Moving from Exchange 2000 currently on a Windows 2000 domain controller to a new Exchange 2003 server on a Windows 2003 member server


Ace Fekay, MCT, MVP, MCITP EA, Exchange 2010 Enterprise Administrator, MCTS Windows 2008, Exchange 2010 & Exchange 2007, MCSE 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP: Directory Services
  Active Directory, Exchange and Windows Infrastructure Engineer


Edits and updates:
9/16/2009, 8:30 PM EST. Added Errata and blurb on Exchange not recommended to be installed on a DC, with additional links to articles explaining this issue.
10/4/2010, 1:54 AM EST. Retitled Blog and added new links for Exchange 2007
10/9/2010 – Added blurb about write-caching being disabled on a DC by default, how it conflicts with Exchange, and how you can’t change it.
10/28/2011 – Updated syntax and wording.
1/15/2012 – Added additional info in the section about demoting a DC with Exchange on it.

 

Preface

Other than Small Business Server (SBS), which is designed to run Exchange on a DC, installing Exchange on a DC is not recommended. There are a number of implications:

  • When a machine is promoted to a DC, it disables the write cache function on the drive controller. This is to protect the AD database (ntds.dit) and its method of transactional logging. However, Exchange needs this function to be enabled for its transactional logging method. This results in a substantial performance loss.
  • Difficult and complex to recover.
  • Internet exposure of a DC when accessing OWA. Running IIS on a DC is not a security best practice.
  • Exchange on a DC will “lock” itself to the local DC for a GC and won’t look elsewhere. Make sure at least it’s a GC.
  • You can’t demote a DC with Exchange. You must uninstall Exchange first.
  • Exchange is not supported in a clustered configuration where the cluster nodes are domain controllers.

Complete list can be found here:
Exchange resident on domain controller that is not a global catalog server
http://technet.microsoft.com/en-us/library/aa997060(EXCHG.80).aspx

“You can run Exchange Server 2003 on either a member server or on a domain controller. After you install Exchange Server 2003 on a server, do not change the role of the server. For example, if you install Exchange Server 2003 on a member server, do not use the Dcpromo tool to promote the server to a domain controller. Or, if you install Exchange Server 2003 on a domain controller, do not use the Dcpromo tool to demote the server to a member server. Changing the role of a server after you install Exchange Server 2003 may result in loss of some Exchange functionality and is not supported.”

That was quoted from the following, and applies to all versions of Exchange:
Overview of operating system and Active Directory requirements for Exchange Server 2003
http://support.microsoft.com/kb/822179/en-us

 

Write-Cache is Disabled on a DC

When a server is promoted to a DC, write cache is disabled by default. You can try to enable it, but it will revert back to disabled. This is default and can’t be changed. It’s done to protect the AD database as well as improve AD DC performance. However as mentioned above, this conflicts with Exchange, which requires write-cache to be enabled for performance and the way Exchange’s transactional logging works. More info in the following links on DC write caching being disabled.

Event ID 1539 — Database integrity
Domain controllers attempt to protect this data from accidental loss or by disabling write-caching…
http://technet.microsoft.com/en-us/library/dd941847(WS.10).aspx

Slow Network Performance After You Promote a Windows 2000-Based …
If you use the Dcpromo tool to promote a Windows 2000-based server to a domain controller, the write caching functionality (write-back cache is a firmware …
http://support.microsoft.com/kb/321543

Things to consider when you host Active Directory domain …
Discusses the issues that affect a domain controller that runs as a guest …
http://support.microsoft.com/kb/888794

Event 13512 Logged on a Domain Controller
The File Replication Service has detected an enabled disk write cache on the …
http://support.microsoft.com/kb/316504

 

DSAccess – Global Catalog Ramifications

The other implication is the fact that Exchange “locks” on to the DC it’s installed on for its GC and DSAccess. If it is not a GC, it may cause issues. If AD services on the DC fail, and you have other DCs, Exchange will not fail over to another DC for DSAccess. This is by design: DSAccess uses the closest DC, and since Exchange is installed on a DC, it will not look elsewhere.

Also, if you manage to demote the DC without removing Exchange first, Exchange will not look elsewhere for a DC/GC because it “locks” on to the GC it was installed on. Read more on this in the following articles.

This Exchange server is also a domain controller, which is not a recommended configuration
http://technet.microsoft.com/en-us/library/aa997407.aspx

Exchange resident on domain controller that is not a global catalog server
http://technet.microsoft.com/en-us/library/aa997060(EXCHG.80).aspx

Running Exchange on a Domain Controller
http://robertmoir.com/blogs/someone_else/archive/2006/01/04/2029.aspx

Problems with Exchange 2003 Installed on Domain Controllers
http://www.petri.co.il/problems_with_exchange_2003_installed_on_domain_controllers.htm

 

Recovering a DC/Exchange Server

For the most part, if a DC is lost for any reason, such as a failed drive, etc, you can simply manually remove the orphaned DC out of the AD database, in addition to a few other steps, reinstall a new operating system with the same name and promote it. It’s much faster and simpler than trying to recover the DC. However, with Exchange installed on it, it adds a complexity because you must recover the DC first, then Exchange.

Also, you can’t back up a DC’s System State and an Information Store backup in the same backup job, otherwise the Information Store backup is useless when trying to restore any Exchange data. They need to be run separately, although some third-party backup processes can overcome this limitation.

More info on recovering a failed DC:

Complete Step by Step to Remove an Orphaned Domain controller
Published by acefekay on Oct 5, 2010 at 12:14 AM
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

 

SBS is the Exception!

Of course, the ONLY exception to this rule regarding Exchange on a DC, is SBS. SBS was specifically designed to run Exchange, SQL and other services together on a DC.

 

Removing Exchange from a DC

Keep in mind the following fact:

If the computer is running Exchange 2000 Server, you can demote the server to a member server using DCPromo at the first opportunity.

If the computer is running Exchange Server 2003, Exchange Server 2007, or Exchange Server 2010, you can’t demote it. You must uninstall Exchange first, before you can demote it. That involves installing another Exchange server, moving the mailboxes, public folders, and system and hidden folders, rehoming public folders, reconfiguring connectors, etc., and then uninstalling Exchange and demoting the DC.

Read more on this:

Exchange resident on domain controller that is not a global catalog server
http://technet.microsoft.com/en-us/library/aa997060(EXCHG.80).aspx

 

Documentation where I had to demote a DC that was an Exchange 2003 Server

(This applies to any version of Exchange and Windows)

I previously performed this procedure for a customer in Feb, 2009, without a hitch. Here are the steps I followed. Keep in mind, as pointed out at the top, if you want to demote a DC to a member server that has Exchange installed, it cannot be done. Exchange must be removed first, then the DC can be demoted.

Therefore, you must install Exchange on another server, whether or not you want to move up to a newer version of Exchange. Of course, with Exchange 2007 or 2010, this would depend on if the company’s budget allows for acquiring the new version taking into account the new licensing rules and beefy 64 bit server requirements. In this case, the customer already had an SA that included Exchange Enterprise 2003, so they wanted to stick with 2003.

You can follow the steps I performed: install a new Windows 2003 DC, install Exchange 2003 on a member server, move everything to the new Exchange 2003 server, remove the original Exchange installation from the DC, and then demote it.

8 Steps…

1. Run the command in the following article to fix the mangled attributes in your current domain. This is needed because Exchange 2000 creates two attributes that conflict with the updated Windows Server 2003 schema. Follow the steps under “Scenario 2: Exchange 2000 Schema Changes Are Installed Before You Run the Windows Server 2003 adprep /forestprep Command”.

Windows Server 2003 adprep /forestprep Command Causes Mangled Attributes in Windows 2000 Forests That Contain Exchange 2000 Servers:
http://support.microsoft.com/kb/314649

2. Then promote the Windows 2003 as a replica DC in the existing domain.

3. Move the FSMO roles and the GC to the new server. Run repadmin /syncall and wait about 30 minutes to allow replication to take place, and ensure that the new DC has taken on the FSMO roles and has become a GC. Check DNS to ensure that it’s now registered as a GC.
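The GC check in this step, and the “all DCs are GCs” point from Step 1 of the orphaned-DC procedure earlier on this page, as one added example that is not part of the original post: it reads the GC flag from the DC’s own NTDS Settings object and RootDSE, and then looks for the DC in the _gc._tcp SRV records that a GC registers in DNS. The DC name and domain are placeholders; only ADSI and nslookup are used, so it works on Windows 2003 without any AD module.

```powershell
# Added example (not from the original post): is this DC a global catalog,
# both in the directory and in DNS? $Dc and $Domain are placeholders.
$Dc     = 'DC2'
$Domain = 'domain.local'

function Test-GlobalCatalog {
    param([string]$Dc, [string]$Domain)

    # RootDSE of the target DC names its own NTDS Settings object and reports
    # whether its GC partition is ready to answer queries (isGlobalCatalogReady).
    $Root    = [ADSI]"LDAP://$Dc/RootDSE"
    $NtdsDn  = [string]$Root.dsServiceName
    $Ntds    = [ADSI]"LDAP://$Dc/$NtdsDn"

    # Bit 0 (value 1) of the options attribute on NTDS Settings is the
    # "Global Catalog" check box from Sites and Services.
    $IsGc    = ([int][string]$Ntds.options -band 1) -eq 1
    $GcReady = ([string]$Root.isGlobalCatalogReady) -eq 'TRUE'

    # A GC registers _gc._tcp.<forest root> SRV records; nslookup prints one
    # "svr hostname = <fqdn>" line per registered GC. 2>$null hides the
    # server-name banner that nslookup writes to stderr.
    $Srv   = & nslookup.exe -type=SRV "_gc._tcp.$Domain" 2>$null
    $InDns = (($Srv -join "`n") -match "svr hostname\s*=\s*$Dc\.")

    New-Object PSObject -Property @{
        DC          = $Dc
        OptionsFlag = $IsGc      # GC enabled on the NTDS Settings object
        GcReady     = $GcReady   # GC partition finished building
        GcSrvInDns  = $InDns     # _gc._tcp SRV record present for this DC
    }
}

Test-GlobalCatalog -Dc $Dc -Domain $Domain | Format-List DC, OptionsFlag, GcReady, GcSrvInDns
```

OptionsFlag turns true as soon as the check box is ticked; GcReady and GcSrvInDns lag behind it until the partial replicas have replicated in and the Netlogon service has re-registered its records, which is the wait the text describes. Exchange on a DC should not be installed, or failed over to, before all three are true.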

4. Install Exchange as an additional Exchange server in the existing organization. Moving forward, it’s recommended to install it on a member server.

5. In ADUC, highlight all of your mailbox enabled accounts, right-click, choose Exchange Tasks, choose to move all mailboxes to the new Exchange server.

6. Move ALL Public and System (hidden) folders to the new Exchange server. See the following articles for specific steps, and look for the section about “Migration of mailboxes and public folders”. This is extremely important because the system folders are only created when a new Exchange organization is created. If you remove the first server without moving the hidden system folders, it’s possible to recreate them, but it’s extremely difficult and quite involved.

822450 – How to Remove the Last Exchange Server 5.5 Computer from an Exchange Server 2003 Administrative Group (Look at “Migration of mailboxes and public folders”):
http://support.microsoft.com/default.aspx?kbid=822450&product=exch2003

822450 – How to Remove the Last Exchange Server 5.5 Computer from an Exchange Server 2003 Administrative Group (Look at Step 4 about how to view the System folders and how to replicate them and remove the original instances):
http://support.microsoft.com/kb/822450

Step-by-Step Migrating Exchange 2000 to Exchange 2003 Using New Hardware:
http://www.msexchange.org/tutorials/Migrating-Exchange2000-Exchange-2003-Hardware.html

7. Once you’ve verified the folders are all moved, mailboxes are working, then run the Exchange setup and remove (uninstall) Exchange off of the original DC.

8. Double check in ADSI Edit, under the configuration container, Services, Microsoft Exchange: drill down to the server list and ensure that the original Exchange server reference on the old DC is gone, and that all Exchange components are on the new Exchange server.
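The same check as an added example, not from the original post: it searches the configuration partition below CN=Microsoft Exchange,CN=Services for every Exchange server object, which is the list Step 8 inspects by hand in ADSI Edit, and warns if the old DC is still in it. The old server name is a placeholder; the search uses only System.DirectoryServices, so it runs on Windows 2003 against any Exchange version that stores its organization in AD.

```powershell
# Added example (not from the original post): list the Exchange server objects
# in the configuration NC and confirm the old DC is no longer among them.
# $OldServer is a placeholder.
$OldServer = 'OLDDC'

$Root   = [ADSI]'LDAP://RootDSE'
$ConfDn = [string]$Root.configurationNamingContext

# The Exchange organization lives under CN=Microsoft Exchange,CN=Services in
# the configuration partition. Every server, whatever its administrative
# group, is an msExchExchangeServer object somewhere below that container.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$ConfDn"
$Searcher.Filter     = '(objectClass=msExchExchangeServer)'
$Searcher.PageSize   = 500
[void]$Searcher.PropertiesToLoad.AddRange(@('cn', 'distinguishedName', 'serialNumber'))

$Servers = foreach ($R in $Searcher.FindAll()) {
    New-Object PSObject -Property @{
        Name    = [string]$R.Properties['cn'][0]
        Version = [string]$R.Properties['serialnumber'][0]   # Exchange build string
        DN      = [string]$R.Properties['distinguishedname'][0]
    }
}

$Servers | Format-Table Name, Version, DN -AutoSize

if ($Servers | Where-Object { $_.Name -eq $OldServer }) {
    Write-Warning "$OldServer still has an Exchange server object; the uninstall did not clean it up (see KB 833396 for manual removal)."
} else {
    Write-Host "$OldServer is no longer present in the Exchange organization; it can be demoted."
}
```

If the old server object is listed, do not demote yet: the uninstall did not complete, and removing the object by hand in ADSI Edit is only appropriate when that server will never be reinstalled under the same name, as the last link at the bottom of this post points out.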

 

Clustered Exchange on Domain Controllers?

Nope. It’s neither recommended nor supported.

Exchange is not supported in a clustered configuration where the cluster nodes are domain controllers
http://support.microsoft.com/kb/281662

Domain Controllers as Cluster Nodes – Bad Idea (Microsoft recommends against it)
http://msmvps.com/blogs/clusterhelp/archive/2008/02/12/domain-controllers-as-cluster-nodes-bad-idea.aspx

 

Complete List of Related links including the Aforementioned Links

Exchange Server 2003 and Domain Controllers – A Summary:
http://theessentialexchange.com/blogs/michael/archive/2007/11/13/exchange-server-2003-and-domain-controllers-a-summary.aspx

This Exchange server is also a domain controller, which is not a recommended configuration
http://technet.microsoft.com/en-us/library/aa997407.aspx

Exchange resident on domain controller that is not a global catalog server
http://technet.microsoft.com/en-us/library/aa997060(EXCHG.80).aspx

Exchange Server 2007 and Domain Controllers – A Summary
http://theessentialexchange.com/blogs/michael/archive/2008/03/29/exchange-server-2007-and-domain-controllers-a-summary.aspx 

Running Exchange on a Domain Controller
http://robertmoir.com/blogs/someone_else/archive/2006/01/04/2029.aspx

Problems with Exchange 2003 Installed on Domain Controllers
http://www.petri.co.il/problems_with_exchange_2003_installed_on_domain_controllers.htm

How to remove Exchange Server 2003 from your computer. This how-to article describes the steps to automatically or manually remove Microsoft Exchange Server 2003 from your computer.
http://support.microsoft.com/kb/833396

How to completely remove an Exchange server or the entire Exchange … (Oct 19, 2004)
Remove the Exchange 2003 server object from the Exchange 5.5 Admin … How to Remove the First Exchange 2003 Server Computer from the Site …
http://www.msexchange.org/tutorials/Remove-Exchange-server-entire-Exchange-organization.html

Removing The Last Exchange 2003 Server From Exchange 2007 (Part 1) (Jun 5, 2008)
The steps required in order to remove the last Exchange 2003 server from an organization that has been migrated to Exchange 2007.
http://www.msexchange.org/articles_tutorials/exchange-server-2007/migration-deployment/removing-last-exchange-2003-server-exchange-2007-part1.html

How to remove the first Exchange Server 2003 computer from the …
This article describes the steps to remove the first Microsoft Exchange Server 2003 computer from an administrative group. The first Exchange Server 2003 …
http://support.microsoft.com/kb/822931

CANNOT REMOVE EXCHANGE 2003 SERVER FROM ACTIVE DIRECTORY: Note: this site requires a membership. If you don’t have a membership, no problem. The thread makes mention that after following KB833396, to delete or confirm deletion of the old server object out of the Administrative Group using ADSIEdit, that is if you plan to never install that server by name, which is assuming you are moving it off the DC anyway.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_22501384.html

 

All comments, suggestions or corrections welcomed!

Ace Fekay
==================================================================