Remove AD DS role from server which has (AD CS, DHCP, IIS)

Eduards 791 Reputation points
2020-11-03T06:13:05.997+00:00

Hello,

I got a question.

I have a domain controller server that has -> AD DS, AD CS, DHCP, IIS roles. I installed a new DC in this domain. The IIS role is for the certificate authority.

I need to remove the AD DS role from the old server that has the AD CS and DHCP roles.

My plan:
On old DC:
Back up AD CS, then remove the AD CS role, but what to do with IIS? Because it's related to the CA.
Remove AD DS role

Restart server, add AD CS role and restore it from backup.

Will this work?

And what about DHCP? Could I remove AD DS without removing DHCP?

Also I have a domain trust and this server's IP figures in there.. how could I be sure that after removing the AD DS role from this server the trust between domains will be working?

Also I have installed new AD servers and promoted them to DCs.

How could I reconfigure DNS so workstations will use the new AD DC DNS and not the old ones, as they do now?


Accepted answer
  1. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2020-11-04T02:42:54.773+00:00

    Hello @Eduards ,

    Thank you for posting here.

    Based on the description above, I understand now we have two DCs in this domain, one old DC has AD DS, ADCS, DHCP and IIS roles on it, and the other DC is a new DC with AD DS role.

    Q1: I need to remove AD DS role from old server that has AD CS and DHCP roles.
    A1: If we want to remove AD DS role from server with ADCS role, we must remove AD CS role first, then we can remove AD DS role.

    We can try the following steps on the old DC (also CA server):

    1. Back up AD CS based on the steps in the following link.
      Including backup Windows Server 2003 certificate authority database and its configuration
      Including backup CA Registry Settings

    Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2

    https://learn.microsoft.com/en-us/archive/blogs/canitpro/step-by-step-migrating-the-active-directory-certificate-service-from-windows-server-2003-to-2012-r2

    2. Uninstall AD CS role, and we must remove IIS role at the same time, otherwise we cannot remove AD CS role.
    3. Remove AD DS role (maybe also remove the DNS role).
    4. Install AD CS role and configure AD CS configuration. Including the following steps:
      Restore CA Backup
      Restore Registry information
      Reissue Certificate Templates
      Test the CA
    5. If step 4 is OK and CA is working fine, we can reinstall IIS role and reconfigure IIS.

    Q2: And what about DHCP? - could i remove AD DS without removing DHCP?
    A2: Yes, we can remove AD DS without removing DHCP.

    ---------------------------------------------------------------------------------------------

    Tip (important):

    If the removed DC was a DNS server, before removing DNS role on old DC, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution.
    If it is required, modify the DHCP scope to reflect the removal of the DNS server and the adding of the DNS server.
    If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.

    ---------------------------------------------------------------------------------------------

    Q3: Also I have a domain trust and this server's IP figures in there.. how could I be sure that after removing the AD DS role from this server the trust between domains will be working?
    A3: As I understand, old DC and new DC are both DNS servers, too, is that right? If so, you also want to remove the DNS role from the old DC and install the DNS server on the new DC.

    For trust between domains in different forests (all domains in the same forest have trusts by default), if you have such a domain trust, we should update the secondary zone OR conditional forwarders using the new DNS server information on the specific DNS server (also a DC).

    For more information about updating a secondary zone OR conditional forwarders, we can refer to the similar case below.
    setup of trust relationship between 2 domains

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/9e501d72-5457-421a-b81b-3a1f83ac7b0e/setup-of-trust-relationship-between-2-domains?forum=winservergen

    Q4: Also I have installed new AD servers and promoted them to DCs.
    How could I reconfigure DNS so workstations will use the new AD DC DNS and not the old ones, as they do now?
    A4: As I understand, old DC and new DC are both DNS servers, too, is that right? If so, you also want to remove the DNS role from the old DC and install the DNS server on the new DC.

    If we set IP addresses for all member workstations, member servers (and other DCs if you have) manually, we can update the DNS servers for all member workstations, member servers, and other DCs manually.

    If we set IP addresses for all member workstations, member servers (and other DCs if you have) via DHCP server, then after the DHCP scope option is configured, it will take effect when we run ipconfig /release and ipconfig /renew or restart these machines.

    Note 1:

    Option 006 is used to configure the DNS server. If the client gets the IP address from DHCP, it will also get the IP address of the DNS server from DHCP server automatically.
    [screenshot: DHCP scope option 006 DNS Servers]

    Note 2:

    1. Usually, we want a DC to be just a DC and nothing else, because this reduces possible resource conflicts and exploitable vulnerabilities, and minimizes patching of other applications that might cause downtime.
      Ideally, a DC should be easy to replace, just by standing up another DC. When we put other software and roles on one DC, the DC may be harder to replace.
    2. We had better perform all the operations during downtime or on a non-working day.

    Before we do any change in the existing AD domain environment, we had better do the following:

    1. Check if the AD environment is healthy. Check that all DCs in this domain are working fine by running Dcdiag /v. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.
    2. Back up all domain controllers.
    3. Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
    4. Check that gpupdate /force runs successfully on each DC.
    5. We had better back up the DC.

    Best Regards,
    Daisy Zhou

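The checks and DNS re-pointing the accepted answer describes (dcdiag/repadmin health checks, SYSVOL and NETLOGON shares, DHCP option 006, statically configured clients) can be scripted. The following PowerShell is an added example, not code from the thread; the IP addresses and the $Apply switch are assumed placeholders, and steps 1 to 3 are meant to run on a DC that also holds the DHCP role while step 4 runs on each manually addressed member.

```powershell
# Added example (not from the thread): pre-demotion checks and DNS re-pointing.
# All addresses below are assumed placeholders; replace them for your environment.
Import-Module ActiveDirectory, DhcpServer, DnsClient
$OldDcIp       = '192.0.2.10'                   # assumed: IP of the DC being demoted
$NewDnsServers = @('192.0.2.20', '192.0.2.21')  # assumed: DNS on the new DCs
$Apply         = $false                         # $false = report only; $true = write changes

# 1. Health checks named in the answer: dcdiag /v, repadmin /showrepl, repadmin /replsum.
dcdiag /v          | Out-File "$env:TEMP\dcdiag.txt"
repadmin /showrepl | Out-File "$env:TEMP\showrepl.txt"
repadmin /replsum  | Out-File "$env:TEMP\replsum.txt"
if (Select-String -Path "$env:TEMP\replsum.txt" -Pattern 'fail|error' -Quiet) {
    Write-Warning 'repadmin /replsum reports replication problems; resolve them before demoting.'
}

# 2. SYSVOL and NETLOGON must be shared on every DC (the answer uses "net share" locally;
#    this queries each DC remotely over WinRM instead).
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $names = (Get-SmbShare -CimSession $dc -ErrorAction SilentlyContinue).Name
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if ($names -notcontains $share) { Write-Warning "$share is not shared on $dc" }
    }
}

# 3. DHCP option 006 (DNS Servers): list scopes that still hand out the old DC's address.
foreach ($scope in Get-DhcpServerv4Scope) {
    $opt = Get-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt -and $opt.Value -contains $OldDcIp) {
        Write-Output "Scope $($scope.ScopeId): option 006 = $($opt.Value -join ', ')"
        if ($Apply) { Set-DhcpServerv4OptionValue -ScopeId $scope.ScopeId -DnsServer $NewDnsServers }
    }
}
$srvOpt = Get-DhcpServerv4OptionValue -OptionId 6 -ErrorAction SilentlyContinue  # server-level option
if ($srvOpt -and $srvOpt.Value -contains $OldDcIp) {
    Write-Output "Server-level option 006 = $($srvOpt.Value -join ', ')"
    if ($Apply) { Set-DhcpServerv4OptionValue -DnsServer $NewDnsServers }
}

# 4. Statically addressed machines: re-point any local interface that lists the old DC.
#    Run this part on each member server or workstation with manual IP settings.
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) {
    if ($nic.ServerAddresses -contains $OldDcIp) {
        Write-Output "Interface $($nic.InterfaceAlias): $($nic.ServerAddresses -join ', ')"
        if ($Apply) { Set-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex -ServerAddresses $NewDnsServers }
    }
}
```

Leave $Apply at $false for a first pass so the script only reports what still points at the old DC; DHCP clients pick up the new option 006 value on their next renewal (ipconfig /release and /renew or a reboot), as the answer notes.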

4 additional answers

  1. Thameur-BOURBITA 32,831 Reputation points
    2020-11-03T11:46:35.27+00:00

    Hi,

    ***On old DC:
    Back up AD CS, then remove the AD CS role, but what to do with IIS? Because it's related to the CA.
    Remove AD DS role

    Restart server, add AD CS role and restore it from backup.

    Will this work?***

    It should work for AD CS if you want to remove AD CS temporarily to be able to demote the domain controller.
    Don't worry about IIS, you can keep it; you don't need to remove it.

    And what about DHCP? Could I remove AD DS without removing DHCP?

    Regarding your question about DHCP, the answer is YES. You don't have to remove DHCP to demote the domain controller role.

    Also I have a domain trust and this server's IP figures in there.. how could I be sure that after removing the AD DS role from this server the trust between domains will be working?

    When you change the IP, you should check if the new IP has all the required network flows opened for the trust. If the network flows are OK, there is no impact on the domain trust.

    ***Also I have installed new AD servers and promoted them to DCs.

    How could I reconfigure DNS so workstations will use the new AD DC DNS and not the old ones, as they do now?***

    Yes, you should update the IP of the DNS resolver on all member machines (workstations and servers) to let them resolve the domain DNS name.

    Please don't forget to mark this reply as the answer if it helps you to fix your issue


  2. Eduards 791 Reputation points
    2020-11-04T09:44:31.043+00:00

    Thank you for your answer! It will help me a lot.

    I have a last question. This server, from which I want to remove the AD DS role, has all the FSMO roles installed.

    I want to move the FSMO roles to my new AD DC server.

    On this server where DHCP is, I also have PXE configured. After moving the FSMO roles from the old DC, will this impact my DHCP settings for PXE and everything else?

    Or could it only have an impact at the moment when I remove the AD DS role on the old DC? @Daisy Zhou


  3. Thameur-BOURBITA 32,831 Reputation points
    2020-11-04T21:41:34.867+00:00

    Hi,

    On this server where DHCP is, I also have PXE configured. After moving the FSMO roles from the old DC, will this impact my DHCP settings for PXE and everything else?

    Moving FSMO roles to another domain controller doesn't impact DHCP, PXE and other services.

    Or could it only have an impact at the moment when I remove the AD DS role on the old DC?

    It can have an impact if some servers or workstations use this DC as their DNS resolver. I recommend you plan the demotion outside of working hours.

    Please don't forget to mark this reply as the answer if it helps you to fix your issue


  4. Daisy Zhou 22,476 Reputation points Microsoft Vendor
    2020-11-05T06:26:22.76+00:00

    Hello @Eduards ,

    Thank you for the update.

    Based on our experience, there is no effect from transferring FSMO roles.
    We can place them on one DC according to your needs and requirements.
    Usually, we recommend placing them on a DC with better server hardware performance.

    References:

    Transfer or seize FSMO roles in Active Directory Domain Services
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/transfer-or-seize-fsmo-roles-in-ad-ds

    FSMO placement and optimization on Active Directory domain controllers
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/fsmo-placement-and-optimization-on-ad-dcs

    Hope the information above is helpful. If anything is unclear, please feel free to let us know.

    Best Regards,
    Daisy Zhou

