
To cut a long story short, we have inadvertently ended up with a Windows Server 2003 DC that has now passed the 60 day tombstone period for replication. As well as a DC it is also a Global Catalogue, our only Certification Authority and runs Windows Server Update Services.

The server has been turned back on after the tombstone period, however I have checked all of our other DCs and they all have strict replication consistency enabled. So we shouldn't have had any lingering objects copied to our other DCs. I have now turned off the problem server while we figure out what to do next.

I have done a little research and will continue looking, but so far I have read that fixing it is risky and we are much better off removing the DC from the domain and rebuilding it (we are waiting to upgrade this server to a supported OS anyway, but don't currently have a spare compatible server). It appears that WSUS can just be installed on a new server and we would just need to point our clients to it. But I've no idea where we stand with the CA.

So my questions are:

  1. What do I need to do to safely remove the server from our domain?
  2. What do I need to do to replace the CA with a new one?
  3. Can I just install WSUS on a different server and point our clients to it, or is there something else which needs to be done to remove the old one?
  4. What do I need to do to remove the global catalogue from this server? (It is NOT the only GC in the domain)
  5. Are there any questions I should be asking, but have missed?
Daniel
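The question relies on two checks that are worth making before a tombstoned DC is ever powered on again: that every surviving DC really has strict replication consistency set, and that no lingering objects have already leaked. The following PowerShell is an added example (not part of the original question or any answer). It assumes it is run as a Domain Admin from a Windows Server 2012 R2 DC with the ActiveDirectory module, that the Remote Registry service is reachable on each DC (so it also works against the remaining 2003 DCs, which have no PowerShell remoting), and it uses a hypothetical known-good DC named REFDC as the reference for the lingering-object scan.

```powershell
# Added example (not from the original post). Run from a 2012 R2 DC as Domain Admin.
Import-Module ActiveDirectory

$referenceDc = 'REFDC'                                  # hypothetical known-good DC
$domainNc    = (Get-ADDomain).DistinguishedName

# 1. "Strict Replication Consistency" = 1 under the NTDS Parameters key means a DC
#    refuses to re-import objects it has already deleted. Read it over Remote
#    Registry so 2003 DCs (no PowerShell remoting) are covered too.
$ntdsKeyPath = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $hklm  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc.HostName)
        $key   = $hklm.OpenSubKey($ntdsKeyPath)
        $value = $key.GetValue('Strict Replication Consistency')   # $null when the value is absent
        $state = if ($value -eq 1) { 'STRICT' } else { 'LOOSE - enable with: repadmin /regkey <dc> +strict' }
        Write-Output ('{0,-30} {1}' -f $dc.HostName, $state)
    } catch {
        Write-Warning "Could not read the registry on $($dc.HostName): $_"
    }
}

# 2. Advisory mode compares each DC against the reference DC and only reports
#    lingering objects (to the Directory Service event log on the DC checked);
#    nothing is deleted, so it is safe to run before deciding what to do next.
$refDsaGuid = (Get-ADObject -Identity (Get-ADDomainController -Identity $referenceDc).NTDSSettingsObjectDN).ObjectGUID
Get-ADDomainController -Filter * |
    Where-Object { $_.Name -ne $referenceDc } |
    ForEach-Object {
        repadmin /removelingeringobjects $_.HostName $refDsaGuid $domainNc /advisory_mode
    }
```

The advisory run is deliberately left as the last step: if it reports anything, the "strict" setting on that DC did not do its job and the DC needs a real cleanup before the old server is considered further.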

3 Answers


What do I need to do to safely remove the server from our domain?

You have to delete the Active Directory object and clean up the metadata. If you have a domain controller running Windows 2008 R2 or above, the second (metadata) is done automatically.

More info: https://technet.microsoft.com/en-us/library/Cc816907%28v=WS.10%29.aspx

What do I need to do to replace the CA with a new one?

This is the trickiest part, but since you do have access to the server, there's no major obstacle.

You will find various procedures on Microsoft websites, for example here, or maybe preferably this one.

Can I just install WSUS on a different server and point our clients to it, or is there something else which needs to be done to remove the old one?

Yes, no trick here, just change your GPO to point to the new server.

What do I need to do to remove the global catalogue on from this server? (It is NOT the only GC in the domain)

This is part of the first point.

Are there any questions I should be asking, but have missed?

None I can think of right now.

JFL

Firstly CA

Back up and move the CA. Complete guide here: Migrating CA from 2003 to 2012, but the high-level steps are as follows:

1) Backup current CA
This can be done by accessing the CA console and using the Backup option (ensure you back up the private key along with the database and logs, when asked).

2) Backup CA Registry Settings
Export the following key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc

3) Uninstall CA Service from Windows Server 2003
From inside Control Panel, Add/Remove Programs, Windows Components.

4) Clean up CA information in the domain.
Using Sites and Services, remove references to the failed CA (MS support page).

5) Install Windows Server 2012 R2 Certificate Services
Use the roles wizard to do this, include web enrolment role

6) Configure AD CS
Select AD CS from the installed roles and select Configure; select Enterprise CA, Root CA and, importantly, Use existing private key (these are on various screens). Import the private key from the backup created earlier.

7) Restore the CA
The same steps as the backup, but Restore; restore the private key, database and log when prompted.

8) Restore the registry info
Import the registry backup from above.

9) Reissue Certificate Templates
In the Certificate Templates list, click on the appropriate certificate templates.
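Steps 1, 2 and 4 to 8 above can be scripted end to end. The block below is an added example, not code from the answer or from the linked migration guide. It assumes a hypothetical CA named Contoso-CA, a backup folder C:\CABackup that is copied to the new server, and a domain example.com. Part A uses plain certutil/reg commands, so it runs from cmd.exe on the 2003 box (which has no PowerShell by default) while that box stays disconnected; Part B runs on a live DC because the offline server cannot replicate its own cleanup; Part C runs on the new 2012 R2 server.

```powershell
# Added example (not from the answer or the linked guide). Hypothetical names throughout.

# ---- Part A: on the old, disconnected 2003 CA (cmd.exe or PowerShell) ----
# Step 1: CA database, logs and private key. Prompts for a password that
#         protects the exported <CAName>.p12 file.
certutil -backup C:\CABackup
# Step 2: the CertSvc registry settings.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc" C:\CABackup\CertSvc.reg /y
# Step 3 (uninstall via Add/Remove Programs) stays a GUI step.

# ---- Part B: on a live DC, because the old server never replicates again ----
Import-Module ActiveDirectory
$caName    = 'Contoso-CA'          # hypothetical CA common name
$oldServer = 'OLDSERVER'           # hypothetical host name of the 2003 CA
$configNc  = (Get-ADRootDSE).configurationNamingContext
$pkiNc     = "CN=Public Key Services,CN=Services,$configNc"

# Step 4: the old CA's objects live under Enrollment Services, AIA,
# Certification Authorities (named after the CA) and CDP (named after the host).
$stale = @()
foreach ($container in "CN=Enrollment Services,$pkiNc", "CN=AIA,$pkiNc", "CN=Certification Authorities,$pkiNc") {
    $stale += Get-ADObject -SearchBase $container -SearchScope OneLevel -LDAPFilter "(cn=$caName)"
}
$stale += Get-ADObject -SearchBase "CN=CDP,$pkiNc" -SearchScope OneLevel -LDAPFilter "(cn=$oldServer)"
$stale | Select-Object DistinguishedName           # review first...
$stale | Remove-ADObject -Recursive -Confirm:$false # ...then delete (add -WhatIf on a dry run)
# NTAuthCertificates is left alone: the same CA certificate comes back in Part C.

# ---- Part C: on the new 2012 R2 server, with C:\CABackup copied over ----
# Step 5: role plus Web Enrollment.
Install-WindowsFeature ADCS-Cert-Authority, ADCS-Web-Enrollment -IncludeManagementTools
# Step 6: Enterprise Root CA that reuses the backed-up certificate and private key.
$p12Password = Read-Host -AsSecureString 'Password given to certutil -backup'
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CertFile "C:\CABackup\$caName.p12" -CertFilePassword $p12Password -Force
Install-AdcsWebEnrollment -Force
# Step 7: database and logs; the service must be stopped for the restore.
Stop-Service certsvc
certutil -restore C:\CABackup
# Step 8: registry. Review the .reg first: values that still name the 2003 host
# (e.g. CRL/AIA publication URLs) should be edited before importing.
reg import C:\CABackup\CertSvc.reg
Start-Service certsvc
```

Step 9 (reissuing templates) remains a console task in the Certificate Templates MMC once the service is running on the new host.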


Secondly WSUS

This can be moved or can be clean installed. The main thing here is to update your Group Policies with the new server information (Technet Guide).
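The Group Policy change is the whole of the client-side work, and it is easy to verify. The following is an added example, not from the answer: it assumes an existing GPO named "WSUS Clients" that already carries the update settings, a replacement server wsus02.example.com on the default port 8530 (both hypothetical), and a machine with the GroupPolicy module installed.

```powershell
# Added example (not from the answer). GPO and server names are hypothetical.
Import-Module GroupPolicy

$gpoName = 'WSUS Clients'
$newWsus = 'http://wsus02.example.com:8530'
$keyPath = 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate'

# WUServer is where clients fetch updates, WUStatusServer where they report;
# both must move, or clients keep reporting to the decommissioned host.
Set-GPRegistryValue -Name $gpoName -Key $keyPath `
    -ValueName 'WUServer', 'WUStatusServer' -Type String -Value $newWsus, $newWsus

# Read back what the GPO now carries; anything still naming the old host is a miss.
Get-GPRegistryValue -Name $gpoName -Key $keyPath | Select-Object ValueName, Value

# On a client, after gpupdate /force, the effective values are in the same key:
#   Get-ItemProperty 'HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate' |
#       Select-Object WUServer, WUStatusServer
```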


Thirdly Domain controller

If you still need this server to be a domain controller you need to do the following.

1) Turn the server back on while disconnected from the network and run dcpromo /forceremoval

2) Seize any FSMO roles this server had onto another server MS Support Page

3) Do a metadata cleanup from active domain controller Technet on Meta Data Cleanup

4) Delete all DNS entries relating to the original server

5) Rename server (Not strictly required, but if you miss anything on the cleanup this will save you problems with old references)

6) Promote back to DC

Drifter104
  • Thanks. As the server needs to be kept offline until it has been removed from the domain, will the uninstallation of the CA work as expected? I.e. Doesn't it need to remove anything from Active Directory? Because it will obviously remove everything on itself, but won't replicate to our other servers. – Daniel Sep 11 '15 at 12:52
  • @Daniel Good point, I've updated step 4. Which isn't part of the full guide but has separate steps – Drifter104 Sep 11 '15 at 13:00
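Steps 2 to 4 of the domain controller section (seize roles, metadata cleanup, DNS cleanup) are the ones most often done half-way, so here they are as one script. This is an added example, not code from the answer or from the linked Technet pages. It assumes step 1 (dcpromo /forceremoval while disconnected) has already been done, and uses hypothetical names: old DC OLDDC in site Default-First-Site-Name, surviving 2012 R2 DC DC02, domain example.com; it is run on DC02 as an Enterprise Admin.

```powershell
# Added example (not from the answer). Run on a surviving 2008 R2+ DC as Enterprise Admin.
Import-Module ActiveDirectory

$oldDc    = 'OLDDC'                     # hypothetical dead DC
$survivor = 'DC02'                      # hypothetical DC that takes over
$site     = 'Default-First-Site-Name'   # site the old DC's server object lives in
$domain   = Get-ADDomain
$forest   = Get-ADForest
$configNc = (Get-ADRootDSE).configurationNamingContext

# Step 2: seize only the roles the dead DC actually held. -Force seizes instead of
# transferring, which is the only option when the current holder is unreachable.
$roleHolders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$toSeize = @($roleHolders.GetEnumerator() |
    Where-Object { $_.Value -like "$oldDc.*" } |
    ForEach-Object { $_.Key })
if ($toSeize.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $survivor `
        -OperationMasterRole $toSeize -Force -Confirm:$false
}

# Step 3: metadata cleanup. Removing the server object also drops its NTDS
# Settings object, which is what carried the Global Catalog flag (question 4).
# ntdsutil asks for confirmation before deleting.
$serverDn  = "CN=$oldDc,CN=Servers,CN=$site,CN=Sites,$configNc"
$serverObj = try { Get-ADObject -Identity $serverDn } catch { $null }
if ($serverObj) {
    ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}
# A computer account left behind in Domain Controllers is a sign the cleanup was partial.
Get-ADComputer -Filter "Name -eq '$oldDc'" | Select-Object DistinguishedName

# Step 4: records in the domain zone that still name the old DC (A, NS, SRV, CNAME).
# Review the list, then remove each with Remove-DnsServerResourceRecord.
$oldFqdn = "$oldDc.$($domain.DNSRoot)"
Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -ComputerName $survivor |
    Where-Object {
        $_.HostName -like "$oldDc*" -or
        (($_.RecordData | Out-String) -match [regex]::Escape($oldFqdn))
    } |
    Select-Object HostName, RecordType, @{ n = 'Data'; e = { ($_.RecordData | Out-String).Trim() } }
```

Steps 5 and 6 (rename, re-promote) are left manual; the rename only pays off if the DNS list above comes back empty, since any surviving record would otherwise point at a name the new DC no longer has.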

One question you should ask yourself is why TSL is 60 days. It has been 180 days since Windows Server 2003 SP1/Windows Server 2003 R2 SP2 (about eight years). You should change that to 180 days. This episode is one reason why Microsoft increased this to 180 days. Another reason is any AD backup older than TSL is invalidated.

Determine the tombstone lifetime for the forest
https://technet.microsoft.com/en-us/library/cc784932%28v=ws.10%29.aspx

AD DS: The resultant backup lifetime in this forest should be equal to or greater than 180 days
https://technet.microsoft.com/en-us/library/dd723674%28v=ws.10%29.aspx

Greg Askew
  • Thanks, I will look into changing that. This domain was originally created with Server 2000 or NT I believe. Maybe that's why the TSL is set to 60 days. – Daniel Sep 11 '15 at 12:46
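Reading the tombstone lifetime and raising it is a two-line job, but the value also tells you which replication partners, and which backups, are already past the line. The script below is an added example, not from the answer above or the linked Technet pages; it assumes a 2012 R2 DC with the ActiveDirectory module, run as an Enterprise Admin.

```powershell
# Added example (not from the answer). Run on a 2012 R2 DC as Enterprise Admin.
Import-Module ActiveDirectory

$configNc = (Get-ADRootDSE).configurationNamingContext
$dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
$dsObj    = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime

# When the attribute is unset (forests built on Windows 2000 / 2003 RTM) the
# effective value is the 60-day default the question ran into.
$tsl = if ($null -ne $dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
Write-Output "Tombstone lifetime: $tsl days"

# Any partner not replicated from within TSL days is a lingering-object risk,
# and a system-state backup older than TSL days is no longer usable for restore.
$cutoff = (Get-Date).AddDays(-$tsl)
Get-ADReplicationPartnerMetadata -Target $((Get-ADForest).Name) -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess

# Raise TSL to 180 days; the new value applies once it has replicated to every DC.
if ($tsl -lt 180) {
    Set-ADObject -Identity $dsDn -Replace @{ tombstoneLifetime = 180 }
}
```

Raising the value does not revive a DC that is already past 60 days: the cut-off is evaluated against the value in force when replication last succeeded, so the change protects the next incident, not this one.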