How can I determine if a Windows 2003 server is still being used by anyone/thing, and if it is, what it is being used for?

I'm drawing a blank on what else to check other than event viewer to see what accounts are connecting to the server.

HopelessN00b
SumDumGuy
  • After you figure it out... document it... since apparently no one else did. Then you'll at least be able to go back in the future and say "yeah, this used to be #-server with x specs/ip/name and did y and we decomm'd it on z date". Be sure to include any licensing that was associated with it and that could be re-assigned, if any. Also make sure it is removed from DNS, WSUS/SCCM, or anywhere else that referenced it. – TheCleaner Jan 20 '15 at 20:16

4 Answers

This is not a dumb question, it's a great question and I'm glad that you're asking.

Human processes

Make sure that you've reviewed all documentation, talked to the greybeards, and have sign-off from someone from the business.

Technical processes

Get a complete backup; mark the media for long-term archival. Run a connection monitor or packet sniffer for a period of time to see what connections are still being made. Inspect the services to see if anything sounds important/familiar.

Cutting the cord

Better idea than powering off - unplug the network cable for a few days. If it's an old physical machine, you don't want to risk the situation where you need to power it back up but the disk spindles are frozen. Leave them spinning.

Source of authority - I spent over a year decommissioning old servers for a Fortune 25 pharma company. This was the process, and it worked.

mfinni
  • I didn't even think of using a packet sniffer, excellent idea. I really appreciate the help :) – SumDumGuy Jan 20 '15 at 19:44
  • Just an addendum that a packet sniffer **will** find traffic. There's always background stuff going to and from any host on a network, and some of that background stuff may look like significant traffic at first glance (like, say, reporting system health data to a monitoring service somewhere). The onus is to flush out all that chaff to see if there's still any wheat left. – Joel Coel Jan 21 '15 at 04:58
  • Joel - yup, entirely correct. You will definitely need to do some analysis on the packet capture results. – mfinni Jan 21 '15 at 14:00
  • At the risk of ruining a joke: who do you refer to as greybeards? Users? Managers? Support staff? – Lilienthal Jan 21 '15 at 21:11
  • Also a good question. I'm referring to any long-term technical talent - they don't need to be old, they just need to have been around long enough to know where the bodies are buried. Could even be a business analyst or project manager. Not the users - whoever from "the business" signs off on the decommission is responsible for reaching out to the user population (or delegating that). – mfinni Jan 21 '15 at 21:14
  • +1 cutting the cord - fantastic tip – Neil Townsend Jan 22 '15 at 07:58
  • You can see open shares and locked files from Computer Management. – paulmorriss Jan 22 '15 at 09:52
  • `you don't want to risk the situation where you need to power it back up but the disk spindles are frozen` - is that insight from personal experience? – Lie Ryan Jan 22 '15 at 13:16
  • Yes, and learned from many others as well. – mfinni Jan 22 '15 at 13:30
  • Which voice should I ask the [greybeards](http://elderscrolls.wikia.com/wiki/The_Greybeards) to teach me for this? – user2813274 Jan 22 '15 at 15:20
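A triage pass over a few days of sniffer output, as an added example that is not part of mfinni's answer: it drops the background chatter Joel Coel warns about and leaves only the conversations that still need an owner. The capture rows, the server address 10.0.5.20 and the noise rules are all constructed for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from a sniffer run against the server under review
# (10.0.5.20, a made-up address): "timestamp,src,dst,proto,dport", one row per flow.
SERVER = "10.0.5.20"
CAPTURE = """\
2015-01-20T08:00:01,10.0.5.20,10.0.0.10,udp,53
2015-01-20T08:00:02,10.0.5.20,10.0.0.11,udp,123
2015-01-20T08:05:00,10.0.9.4,10.0.5.20,tcp,5666
2015-01-20T09:12:44,10.0.7.31,10.0.5.20,tcp,445
2015-01-20T09:12:45,10.0.7.31,10.0.5.20,tcp,445
2015-01-21T14:03:10,10.0.7.88,10.0.5.20,tcp,1433
2015-01-21T14:03:11,10.0.7.88,10.0.5.20,tcp,1433
2015-01-22T02:00:00,10.0.5.20,10.0.0.50,tcp,8530
2015-01-22T11:30:09,10.0.9.4,10.0.5.20,tcp,5666
"""
# Background chatter that is not "use" of the server; constructed for this example,
# derive yours from your own network (monitoring pollers, DNS, NTP, WSUS, ...).
NOISE_PEERS = {"10.0.9.4"}              # monitoring poller (constructed)
NOISE_OUTBOUND_PORTS = {53, 123, 8530}  # DNS, NTP and WSUS the server calls out to


def triage(capture_text, server, noise_peers, noise_outbound_ports):
    """Return {(direction, peer, dport): (count, first_seen, last_seen)} for
    flows that survive the noise filter; direction is "in" or "out"."""
    seen = defaultdict(lambda: [0, None, None])
    for ts, src, dst, _proto, dport in csv.reader(io.StringIO(capture_text)):
        dport = int(dport)
        if src == server:
            if dport in noise_outbound_ports or dst in noise_peers:
                continue
            key = ("out", dst, dport)
        elif dst == server:
            if src in noise_peers:
                continue
            key = ("in", src, dport)
        else:
            continue                      # flow does not involve this server
        entry = seen[key]
        entry[0] += 1
        entry[1] = ts if entry[1] is None else min(entry[1], ts)
        entry[2] = ts if entry[2] is None else max(entry[2], ts)
    return {k: tuple(v) for k, v in seen.items()}


if __name__ == "__main__":
    for (d, peer, port), (n, first, last) in sorted(triage(CAPTURE, SERVER, NOISE_PEERS, NOISE_OUTBOUND_PORTS).items()):
        print(f"{d:>3} {peer:<12} port {port:<5} {n:>3} flows  {first} .. {last}")
```

With the sample data, the DNS/NTP/WSUS calls and the monitoring poller drop out, leaving two workstations that still open SMB and SQL Server sessions; those are the peers to track down before the cord is cut.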
Power it off and see who screams, and about what.

Seriously, it is the best way. Even checking logs will only get you so far, because you'll only see activities that are logged.

EDIT: To head off any further comments, this advice assumes you've already done what you should have done in the first place, even before asking the question here - asked around about the server, looked for documentation, and logged on to see if you can catch any obvious signs of activity.

This also assumes you're not in one of those environments that apparently exist where business-critical systems that no one knows about run on hardware so fragile it's at risk of bursting into flames or exploding during boot.

HopelessN00b
  • Yeah... I thought of that, but this is a new job and I'm trying to not piss anyone off yet. – SumDumGuy Jan 20 '15 at 19:26
  • This, this is the one true answer. You don't necessarily have to admit that you shut it down if someone screams. – Hyppy Jan 20 '15 at 19:27
  • @SumDumGuy Like Hyppy says, you don't have to admit you shut it down if someone screams. "Weird, let me look into that" is generally a good way to respond to someone who's screaming about something you know you did. Or it's been good *to me*, at the very least. :) – HopelessN00b Jan 20 '15 at 19:30
  • Since I have several servers to check, I'll try this on a couple and see what happens. Thanks for the help :) – SumDumGuy Jan 20 '15 at 19:42
  • ... and 16 different comments from 9 different users deleted. All of which I can summarize with: "some people think powering the server off is too risky, and some people do not." If you want to express one of those opinions on my answer, do so by clicking one of the arrows to the side. If you want to piss me off, repeat one of those same opinions in a comment so I get a notification nag that a 10th person is telling me something I've read 16 times already in as many hours. – HopelessN00b Jan 22 '15 at 02:31
  • @SumDumGuy If this is a new job, then be sure to discuss this with your manager before actually doing anything. You might find that you have procedures you need to follow, or that he knows helpful things. – Thorbjørn Ravn Andersen Jan 22 '15 at 09:41
For users who are authenticating against the server with LDAP (file shares, print shares, etc.), you can use the "Shares & Sessions" snap-in in MMC to identify users who are connected with open sessions. These are users who are actively or passively (mapped drives) connected.

I found an article that is more detailed.

You can also check if it has any installed services such as SQL or other programs, and see if there are any non-default open ports using software such as Sysinternals TCPView to identify any software running. These open ports can help identify the protocols being used, and that can help identify the purpose of the server.

Finally, you can check the installed/running services and identify what is running.

  • Welcome to Server Fault! It looks like you may have the information required to solve the problem in the question, but your current answer doesn't communicate a clear solution. Please read [How do I write a good answer?](http://serverfault.com/help/how-to-answer) and consider revising your current answer. – Paul Jan 21 '15 at 01:38
  • Paul, do you have any specific complaints with my answer? (I've since edited it) – Nathan Goings Jan 21 '15 at 01:47
  • In the page I linked to, note the "Provide context for links" section. Links go bad or content in them gets changed, making it difficult for people who find your answer in the future to understand how to apply your solution. – Paul Jan 21 '15 at 01:50
Doesn't really fit your situation because you've said you have multiple servers to check, so this is for others reading this for answers of their own:

If it's a small business and there is no real procedural documentation or any onsite techs to talk to, then here are two things you can do:

Check services and installed programs; see if you can figure out who uses the software that connects to those services, and make sure they are moved to any new servers.

Shares: I'm sure you know you can look at all the files opened from the network in the Shared Folders MMC snap-in (Computer Management > Shared Folders); Sessions and Open Files will help you here. Find the computers/users listed there and move their files to the new location.

Once that's done, feel free to unplug it from the network or shut it off. As stated, this is really the only way to know for sure it's not being used; be sure to wait a few days in case it's something that doesn't get used constantly.
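The listener inventory that both Nathan Goings's answer (non-default open ports via TCPView) and the answer above (check services and installed programs) describe, done offline as an added example that is not code from either answer: copy `netstat -ano` and `tasklist /svc` output off the 2003 box and join the two by PID so every non-default listening port gets an owning process and service name. The sample output, addresses and process names are constructed, and the default-port set is an assumption to tune for your own build.

```python
import re

# Constructed sample of `netstat -ano` and `tasklist /svc` output copied off the
# server; the column layout matches what those commands print on Windows Server 2003.
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       792
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2212
  TCP    10.0.5.20:1433         10.0.7.88:49211        ESTABLISHED     1204
  UDP    0.0.0.0:161            *:*                                    1376
"""
TASKLIST = """\
Image Name                   PID Services
========================= ====== =============================================
System                         4 N/A
svchost.exe                  792 RpcSs
svchost.exe                 1040 TermService
sqlservr.exe                1204 MSSQLSERVER
snmp.exe                    1376 SNMP
tomcat5.exe                 2212 Tomcat5
"""
# Assumed stock listeners of a domain-joined Windows Server 2003 box (RPC, NetBIOS,
# SMB, RDP); every other listener needs an owner before the box goes. Adjust to taste.
DEFAULT_PORTS = {135, 137, 138, 139, 445, 3389}


def parse_tasklist(text):
    """Map PID -> (image name, service names) from `tasklist /svc` output."""
    procs = {}
    for line in text.splitlines()[2:]:           # skip header and ==== rule
        m = re.match(r"(\S+)\s+(\d+)\s+(.*)$", line)
        if m:
            procs[int(m.group(2))] = (m.group(1), m.group(3).strip())
    return procs


def nondefault_listeners(netstat_text, tasklist_text, default_ports=DEFAULT_PORTS):
    """Return sorted [(proto, port, image, services)] for listening sockets on ports
    outside default_ports, with the owning process resolved via its PID."""
    procs = parse_tasklist(tasklist_text)
    # TCP rows carry a State column (only LISTENING counts); UDP rows have none,
    # so the State group is optional and every bound UDP socket is a listener.
    row = re.compile(r"\s*(TCP|UDP)\s+\S+:(\d+)\s+\S+\s+(?:LISTENING\s+)?(\d+)\s*$")
    found = []
    for line in netstat_text.splitlines():
        m = row.match(line)
        if not m or int(m.group(2)) in default_ports:
            continue
        image, services = procs.get(int(m.group(3)), ("<unknown>", ""))
        found.append((m.group(1), int(m.group(2)), image, services))
    return sorted(found)
```

Run `nondefault_listeners(NETSTAT, TASKLIST)` on the sample and SQL Server, a Tomcat instance and the SNMP agent surface as the things someone may still depend on; the ESTABLISHED row is ignored because it is a client session, not a listener.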