Re: remove Domain Controller



Hutch,

If the Domain Controller that you are going to dcpromo is also the DC on
which you have Certificate Services running.....most probably not in your
case so I would not worry about it! But, just check to make sure.

Now, what is Certificate Services? That would be a good google project for
you, right? ;-)

Just in case you are pressed for time, here is a pretty good starting point:

http://www.microsoft.com/windows2000/techinfo/planning/security/adminca.asp

--
Cary W. Shultz
Roanoke, VA 24012
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



"Hutch" <Hutch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7E5D7989-59B9-458B-950F-6FFDC1989E86@xxxxxxxxxxxxxxxx
> Cary....thanks for the detailed break down.
>
> I have the 5 roles transferred. But what about this "recovery agent private
> key" that Andrei said I should export?
> What is it, and how do you do it?
>
> Thanks again,
>
>
> "Cary Shultz [A.D. MVP]" wrote:
>
>> Hutch,
>>
>> Just make sure that any services that this DC is holding ( read: DNS, DHCP,
>> Global Catalog, etc ) are transferred to any of the remaining Domain
>> Controllers. In the case of the Global Catalog Server I would suggest that
>> you make all of your Domain Controllers a Global Catalog Server ( done via
>> the Active Directory Sites and Services MMC - go to the NTDS Settings under
>> each Domain Controller ). This assumes that you have only one Domain.
>>
>> Another point to consider is to manually transfer any of the five FSMO roles
>> that this DC might be holding. Since it is the first DC it very possibly
>> holds all five of them. The dcpromo process will take care of this for you
>> but I like to be in charge and manually do it. There are two ways to do
>> this: use ntdsutil ( probably not the best way for someone with your
>> experience ) or via the GUIs. Please see the two links below:
>>
>> http://support.microsoft.com/?id=255504
>> http://support.microsoft.com/?id=255690
>>
>> Should you decide to venture out and use ntdsutil ( a wonderful little
>> utility ) I would stress to you that you really should *TRANSFER* and not
>> seize. Granted, if you are going to be removing the old DC then that should
>> not matter but it is best to do things the correct way.....
>>
>> --
>> Cary W. Shultz
>> Roanoke, VA 24012
>> Microsoft Active Directory MVP
>>
>> http://www.activedirectory-win2000.com
>> http://www.grouppolicy-win2000.com
>>
>>
>>
>> "Hutch" <Hutch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:5E943464-C0AB-43A9-A203-071109D7E563@xxxxxxxxxxxxxxxx
>> > what is this recovery agent private key?
>> >
>> > And is there anything special I need to do since this was the first DC in
>> > our win 2000 AD?
>> >
>> > Thanks,
>> >
>> > "Andrei Ungureanu" wrote:
>> >
>> >> and as always, I add "export the recovery agent private key"
>> >>
>> >>
>> >> --
>> >> Andrei Ungureanu
>> >> www.eventid.net
>> >> Free Windows event logs reports
>> >> http://www.altairtech.ca/evlog/
>> >>
>> >> "Paul Bergson" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
>> >> news:%23vO6GZ$dFHA.1404@xxxxxxxxxxxxxxxxxxxxxxx
>> >> > dcpromo, just like when you added it to the domain.
>> >> >
>> >> > --
>> >> >
>> >> >
>> >> > Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
>> >> >
>> >> > This posting is provided "AS IS" with no warranties, and confers no rights.
>> >> >
>> >> >
>> >> > "Hutch" <Hutch@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> > news:946E7059-C1F4-4DE5-82C1-DC748A12D515@xxxxxxxxxxxxxxxx
>> >> >> AD - Windows 2000 native
>> >> >>
>> >> >> We have 4 domain Controllers.
>> >> >>
>> >> >> What's the proper way \ proper steps to remove one of them.
>> >> >> This was our first win2000DC and is a rather old and slow PC.
>> >> >>
>> >> >> I do not want to screw anything up during this process.
>> >> >>
>> >> >> Thanks,
>> >> >
>> >> >
>> >>
>> >>
>> >>
>>
>>
>>
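
The checks discussed in this thread (which DC holds the five FSMO roles, whether Certificate Services runs on the DC being removed, and a transfer rather than a seize with ntdsutil), collected into one batch script. This is an added example, not part of any poster's message; OLDDC01 and NEWDC02 are placeholder server names, and it assumes the Windows Support Tools (netdom, repadmin, dcdiag) are installed and that it is run on the DC being removed.

```batch
@echo off
rem Added example: checks to run before dcpromo removes a domain controller.
rem OLDDC01 / NEWDC02 are placeholders, not names from the thread.
set OLDDC=OLDDC01
set NEWDC=NEWDC02

rem 1. Record the current holder of each of the five FSMO roles.
echo === FSMO role holders before transfer ===
netdom query fsmo

rem 2. Check whether Certificate Services is running on this DC.
rem    "net start" lists running services by display name.
net start | find /i "Certificate Services" >nul
if not errorlevel 1 (
    echo WARNING: Certificate Services is running on this DC.
    echo Stop here and deal with the CA before running dcpromo.
    goto :eof
)

rem 3. TRANSFER (not seize) every role to the DC that will stay.
rem    ntdsutil asks for confirmation on each transfer; a role the target
rem    already holds is reported and left alone.
ntdsutil roles connections "connect to server %NEWDC%" quit ^
    "transfer schema master" ^
    "transfer domain naming master" ^
    "transfer PDC" ^
    "transfer RID master" ^
    "transfer infrastructure master" ^
    quit quit

rem 4. Confirm that no role is still listed against the old DC.
echo === FSMO role holders after transfer ===
netdom query fsmo | find /i "%OLDDC%"
if not errorlevel 1 (
    echo WARNING: %OLDDC% still holds a role listed above. Do not demote yet.
    goto :eof
)

rem 5. Check replication and overall health of the DC that now holds the roles.
repadmin /showreps %NEWDC%
dcdiag /s:%NEWDC%

echo Roles moved and checks complete. Move DNS, DHCP and Global Catalog
echo duties to the remaining DCs before running dcpromo on %OLDDC%.
```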

