Hello @Eduards ,
Thank you for posting here.
Based on the description above, I understand now we have two DCs in this domain, one old DC has AD DS, ADCS, DHCP and IIS roles on it, and the other DC is a new DC with AD DS role.
Q1:
I need to remove AD DS role from old server that has AD CS and DHCP roles.
A1:
If we want to remove AD DS role from server with ADCS role, we must remove AD CS role first, then we can remove AD DS role.
We can try the following steps on the old DC (also CA server):
- Back up AD CS based on the steps in the following link.
Including backing up the Windows Server 2003 certificate authority database and its configuration
Including backing up the CA registry settings
Step-By-Step: Migrating The Active Directory Certificate Service From Windows Server 2003 to 2012 R2
- Uninstall the AD CS role; we must remove the IIS role at the same time, otherwise we cannot remove the AD CS role.
- Remove the AD DS role (maybe also remove the DNS role).
- Install the AD CS role and configure it, including the following steps:
1. Restore the CA backup
2. Restore the registry information
3. Reissue certificate templates
4. Test the CA - if step 4 is OK and the CA is working fine, we can reinstall the IIS role and reconfigure IIS.
Q2:
And what about DHCP? - could i remove AD DS without removing DHCP?
A2:
Yes, we can remove AD DS without removing DHCP.
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
Tip (important):
If the removed DC was a DNS server, before removing DNS role on old DC, update the DNS client configuration on all member workstations, member servers, and other DCs that might have used this DNS server for name resolution.
If required, modify the DHCP scope to reflect the removal of the old DNS server and the addition of the new DNS server.
If the removed DC was a DNS server, update the Forwarder settings and the Delegation settings on any other DNS servers that might have pointed to the removed DC for name resolution.
---------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------
Q3:
Also I have a domain trust and this server's IP is figuring in there... how could I be sure that after removing the AD DS role from this server the trust between domains will be working?
A3:
As I understand, the old DC and the new DC are both DNS servers too, is that right? If so, you also want to remove the DNS role from the old DC and install the DNS server on the new DC.
For trusts between domains in different forests (all domains in the same forest have trusts by default), if you have such a domain trust, we should update the secondary zone OR conditional forwarders with the new DNS server information on the specific DNS server (also a DC).
For more information about updating a secondary zone OR conditional forwarders, we can refer to the similar case below.
setup of trust relationship between 2 domains
Q4:
Also I have installed new AD servers and promoted them to DCs.
How could I reconfigure DNS so workstations will be using the new AD DC DNS, not the old ones as now?
A4:
As I understand, the old DC and the new DC are both DNS servers too, is that right? If so, you also want to remove the DNS role from the old DC and install the DNS server on the new DC.
If we set IP addresses for all member workstations, member servers (and other DCs, if you have them) manually, we can update the DNS servers for all member workstations, member servers, and other DCs manually.
If we set IP addresses for all member workstations, member servers (and other DCs, if you have them) via the DHCP server, then after the DHCP scope option is configured, it will take effect when we run ipconfig /release and ipconfig /renew or restart these machines.
Note 1:
Option 006 is used to configure the DNS server. If the client gets the IP address from DHCP, it will also get the IP address of the DNS server from DHCP server automatically.
Note 2:
- Usually, we want a DC to be just a DC and nothing else, because this reduces possible resource conflicts and exploitable vulnerabilities and minimizes patching of other applications that might cause downtime.
Ideally, a DC should be easy to replace, just by standing up another DC. When we put other software and roles on one DC, the DC may be harder to replace.
- We had better perform all the operations during downtime or on a non-working day.
Before we do any change in existing AD domain environment, we had better do:
- Check if the AD environment is healthy. Check that all DCs in this domain are working fine by running Dcdiag /v. Check if AD replication works properly by running repadmin /showrepl and repadmin /replsum.
- Back up all domain controllers.
- Check that both the SYSVOL folder and the Netlogon folder are shared by running net share on each DC.
- Check that we can run gpupdate /force on each DC successfully.
- We had better back up DC.
Best Regards,
Daisy Zhou
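The following PowerShell is an added example, not part of the answer above and not a Microsoft script. It strings together the checks the answer recommends before any role is removed (Note 2), an inventory of every DNS setting that still references the old DC (the Tip and A3), and the DHCP option 006 / DNS client updates that move clients to the new DC (A4 and Note 1). Host names `OLD-DC` and `NEW-DC`, the addresses `192.168.10.10` / `192.168.10.11`, the scope `192.168.10.0` and the statically addressed server list are assumptions for the example; the cmdlets come from the ActiveDirectory, DnsServer, DhcpServer and DnsClient RSAT modules.

```powershell
# Added example (not from the original answer). Assumed environment:
#   OLD-DC = old DC (AD DS, AD CS, DHCP, IIS), 192.168.10.10
#   NEW-DC = new DC (AD DS, DNS),              192.168.10.11
#   DHCP scope 192.168.10.0 serves the workstations and stays on OLD-DC (A2).
# Run elevated on a DC or a management host with the RSAT modules installed.
Import-Module ActiveDirectory, DnsServer, DhcpServer, DnsClient

$OldDcName   = 'OLD-DC'                 # assumption
$OldDnsIp    = '192.168.10.10'          # assumption
$NewDnsIp    = '192.168.10.11'          # assumption
$ScopeId     = '192.168.10.0'           # assumption
$DhcpHost    = $OldDcName               # DHCP may remain on the old server
$StaticHosts = @('APP-SRV01', 'FILE-SRV01')   # assumption: servers with manual IP settings

# Note 2: health checks on every DC before touching roles.
function Test-AdHealth {
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Write-Host "== $dc =="
        dcdiag /s:$dc /q                        # /q prints failures only; use /v for the full report
        repadmin /showrepl $dc
        Invoke-Command -ComputerName $dc -ScriptBlock {
            $shares = (net share) -join "`n"     # SYSVOL and NETLOGON must both be shared
            foreach ($s in 'SYSVOL', 'NETLOGON') {
                if ($shares -notmatch $s) { Write-Warning "$env:COMPUTERNAME is not sharing $s" }
            }
            gpupdate /force | Out-Null           # must complete without error on each DC
        }
    }
    repadmin /replsum                            # domain-wide replication summary
}

# Tip + A3: find forwarders, secondary zones, conditional forwarders, delegations and
# DNS client settings on the remaining DCs that still point at the old DC.
function Find-OldDnsReferences {
    $servers = (Get-ADDomainController -Filter *).HostName | Where-Object { $_ -notlike "$OldDcName*" }
    foreach ($srv in $servers) {
        $fwd = Get-DnsServerForwarder -ComputerName $srv
        if ($fwd.IPAddress.IPAddressToString -contains $OldDnsIp) {
            [pscustomobject]@{ Server = $srv; Kind = 'Forwarder'; Zone = '-' }
        }
        foreach ($z in Get-DnsServerZone -ComputerName $srv) {
            # Secondary zones and conditional forwarders carry a MasterServers list
            if ($z.ZoneType -in 'Secondary', 'Forwarder' -and
                $z.MasterServers.IPAddressToString -contains $OldDnsIp) {
                [pscustomobject]@{ Server = $srv; Kind = $z.ZoneType; Zone = $z.ZoneName }
            }
            # Delegations in primary zones may still carry the old DC as glue
            if ($z.ZoneType -eq 'Primary') {
                Get-DnsServerZoneDelegation -ComputerName $srv -Name $z.ZoneName -ErrorAction SilentlyContinue |
                    Where-Object { $_.IPAddress.RecordData.IPv4Address.IPAddressToString -contains $OldDnsIp } |
                    ForEach-Object { [pscustomobject]@{ Server = $srv; Kind = 'Delegation'; Zone = $_.ChildZoneName } }
            }
        }
        # A remaining DC must not rely only on the server being removed for its own resolution
        $client = Invoke-Command -ComputerName $srv -ScriptBlock {
            (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses }
        if ($client -contains $OldDnsIp) {
            [pscustomobject]@{ Server = $srv; Kind = 'DnsClient'; Zone = '-' }
        }
    }
    # Trusts to re-test once the DNS changes are in place
    Get-ADTrust -Filter * | Select-Object Name, Direction, ForestTransitive
}

# A4 + Note 1: move clients to the new DNS server.
function Update-ClientDns {
    # DHCP clients: option 006 on the scope; takes effect at ipconfig /renew or reboot
    Set-DhcpServerv4OptionValue -ComputerName $DhcpHost -ScopeId $ScopeId -DnsServer $NewDnsIp
    Get-DhcpServerv4OptionValue -ComputerName $DhcpHost -ScopeId $ScopeId -OptionId 6
    # Statically addressed machines: set the adapter's DNS list directly
    foreach ($h in $StaticHosts) {
        Invoke-Command -ComputerName $h -ArgumentList $NewDnsIp -ScriptBlock {
            param($ip)
            $nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
            Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $ip
        }
    }
}

Test-AdHealth
Find-OldDnsReferences | Format-Table -AutoSize
# Update-ClientDns   # run only after the new DC's DNS zone is replicated and resolving
```

Run the two read-only functions first and keep their output as the "before" record; every row returned by Find-OldDnsReferences is a setting that will break name resolution for that server, or for the trust that depends on it, once the old DC's DNS role is gone. Update-ClientDns is left commented out so that option 006 is only changed after the new DC answers queries for the domain zone.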