To cut a long story short, we have inadvertently ended up with a Windows Server 2003 DC that has now passed the 60-day tombstone period for replication. As well as a DC, it is also a Global Catalogue, our only Certification Authority and runs Windows Server Update Services.
The server has been turned back on after the tombstone period; however, I have checked all of our other DCs and they all have strict replication consistency enabled. So we shouldn't have had any lingering objects copied to our other DCs. I have now turned off the problem server while we figure out what to do next.
I have done a little research and will continue looking, but so far I have read that fixing it is risky and we are much better off removing the DC from the domain and rebuilding it (we are waiting to upgrade this server to a supported OS anyway, but don't currently have a spare compatible server). It appears that WSUS can just be installed on a new server and we would just need to point our clients to it. But I've no idea where we stand with the CA.
So my questions are:
- What do I need to do to safely remove the server from our domain?
- What do I need to do to replace the CA with a new one?
- Can I just install WSUS on a different server and point our clients to it, or is there something else which needs to be done to remove the old one?
- What do I need to do to remove the global catalogue from this server? (It is NOT the only GC in the domain)
- Are there any questions I should be asking, but have missed?