Lesson 5: Decommissioning

In a restructure, users and resources are moved from source domains to destination domains. Once everything has been successfully migrated to Windows 2000 and the production environment is working correctly, it's time to decommission the source domains. In this lesson, you'll learn the sequence and tasks to be performed in the decommissioning of a source domain.

After this lesson, you will be able to

• Understand the sequence of steps to perform to decommission a domain.

Estimated lesson time: 45 minutes

Preparing to Decommission a Source Domain

During the migration, the source domain will usually be retained as a fallback until all the migration operations have been completed successfully. However, at some point, you'll decommission it. The decommissioning can take place only when all the users and resources in the source domain have been moved or copied into the destination and are working successfully in it.

Testing the Target Domain

The target domain should be tested extensively to prove that all services are available and function correctly before the source is decommissioned. Beware of applications or tasks that are used or performed infrequently, such as monthly payrolls or annual reviews, and make sure that all such tasks have been performed successfully before the source domain is removed.

Backing Up the Source Domain

The source domain should be backed up completely prior to decommissioning. It's important to be able to quickly restore the source domain in the event of a serious problem with the destination environment.

Shared Local Groups in Source Domains

A shared local group resides on a Windows NT primary domain controller and is shared between the PDC and the BDCs in the Windows NT domain. The membership of this group can be made up of accounts from any trusted Windows NT or Windows 2000 domain. If the domain containing the shared local group is decommissioned, members of the group will be denied access to resources because its SID value is no longer recognized in the trusted domains.

To resolve this issue, the shared local group should be cloned into the target domain and the new group given appropriate permissions on resources. The Active Directory Migration Tool (ADMT) is recommended for this task because it will copy the local group and populate its membership automatically if member accounts are migrated at the same time. Once the group has been migrated, it must be given permissions on resources as required.

User Accounts in the Source Domain

If an inter-forest restructure has been performed, the original user accounts will have been copied into the destination domain. However, they will still exist in the source domain. Before the source domain is decommissioned, these user names should be disabled in case some users are still using the accounts. If any problems are reported, an account can be re-enabled and the migration completed for that user with minimal disruption. Once all the accounts have been disabled, the source domain can be decommissioned.

Backing Up the Source Domain

Before the domain is decommissioned, a complete backup of the system should be performed and verified.

Decommissioning Source Domains

The first step in the decommission process is to remove the trust relationships between the source and target domains. Once the trust relationships have been broken, the SID values from destination domains will no longer be valid on resources in the source domains. You can use the Netdom tool to remove trusts between domains. Once the trust relationship has been broken, BDCs can be shut down and redeployed. The PDC should be shut down last.

Redeploying Domain Controllers

You can decommission a domain controller in the source domain by installing Windows 2000 on the machine (assuming the hardware platform is compatible with Windows 2000). You would then make the upgraded machine a member server of the destination domain. The migration plan should cover the redeployment of controllers from a source domain.

Practice: Redeploying Domain Controllers

Once you've migrated all your resources either via an inter-forest or intra-forest migration, you'll be left with the source domain controllers. As you've seen in previous chapters, there are no tools to move domain controllers to another domain. Because no users or resources are left in the source domain, you can either decommission the domain controllers for other purposes or migrate them into the Windows 2000 pristine forest either by an upgrade/reinstall (necessary for Windows NT systems) or by demoting and then repromoting if it's a Windows 2000 domain controller. In the following practice, you'll attempt the latter method.

In this practice, you've decided that the resources of the migkit.trainkit. microsoft.com domain have been fully migrated and consolidated into the trainkit.microsoft.com domain. You've made all necessary backups and ensured that all users, data, and applications are working as expected under Windows 2000. You would now like to migrate the MIGKIT1 server from migkit.trainkit. microsoft.com to serve as a domain controller in the trainkit.microsoft.com domain.

1. On MIGKIT1 (PC2), log on as Administrator with the password secret. Be sure you're logging on to MIGKIT1.

   You're going to remove Active Directory on the MIGKIT1 server and reduce the computer to a member server. You'll then repromote MIGKIT1 into the trainkit.microsoft.com domain.

2. Open Run on the Start menu, type dcpromo, and press Enter.

   The opening screen will explain that MIGKIT1 is already an Active Directory domain controller and that continuing with the program will demote the machine to a member server.

3. Click Next.
4. Select the check box labeled This Server Is The Last Domain Controller In The Domain, as shown in Figure 10.13, and then click Next.

   

   Figure 10.13 Removing Active Directory from MIGKIT1

5. On the Network Credentials page, type Administrator for the user name and secret as the password. The Domain field should contain trainkit.microsoft.com. Click Next.
6. On the Administrator Password screen, type and confirm secret. This will be the password required to log on to the server after Active Directory has been removed. Click Next.
7. Click Next on the Summary screen.

   The Configuring Active Directory message box will appear and will show the progress in deleting everything that was in Active Directory. This might take 20 minutes or so, so now is a good time to take a break.

8. When the Finish button appears on the final Active Directory installation wizard page, click it, and then click the Restart Now button that appears.
9. Once MIGKIT1 has rebooted, log on as Administrator with the password secret.

   When Windows 2000 finishes loading, the Configure Your Server window should appear. You can use Configure Your Server to reinstall Active Directory, or you can run the Dcpromo utility again to begin the Active Directory installation wizard.

10. Select the option One Or More Servers Are Already Running In My Network, as shown in Figure 10.14.

    

    Figure 10.14 Configuring the member server

11. Click Next.
12. Select the Active Directory listing in the left column of options. Then scroll down the page and select the link labeled Start The Active Directory Wizard.
13. When the Active Directory installation wizard appears, click Next.
14. On the Domain Controller Type page, select Additional Domain Controller For An Existing Domain, as shown in Figure 10.15, and then click Next.

    

    Figure 10.15 Specifying an additional domain controller

15. On the Network Credentials page, enter Administrator for the user account, secret as the password, and TRAINKIT as the domain name. Then click Next.
16. On the Additional Domain Controller screen, type the full domain name, trainkit.microsoft.com, and click Next.
17. Click Next to accept the defaults on the next two screens.
18. When the Restore Password page appears, type and confirm the password secret again.
19. Click Next on the Summary screen and wait while Active Directory is replicated from trainkit1.trainkit.microsoft.com to MIGKIT1.
20. Once the process has completed, click Finish and then click Restart Now.

    When you log on, notice that the only domain available now is TRAINKIT.

    

21. Install the support tools from the Windows 2000 installation CD into the C:\Tools folder on MIGKIT1 as explained in Chapter 9. Be sure you install into the Tools folder rather than the suggested default folder. You will be using some of these tools in later practices.

When recommissioning domain controllers in this way, you'll need to clean up the DNS database. Active Directory DNS will correctly locate and report the IP address of your migrated domain controller, but it won't delete the original entries from its database. For example, you can verify that MIGKIT1 is now in the trainkit.microsoft.com DNS zone by opening the DNS administrative tool and looking in trainkit.microsoft.com. However, note that the migkit.trainkit.microsoft.com zone still exists. This setting will be ignored, but it can be quite confusing for other administrators if they're unaware that the migration has taken place.

Lesson Summary

In this lesson, you learned the sequence of steps to follow to decommission a Windows NT domain. You saw the importance of ensuring that the source domain is not required by any migrated applications or accounts in the destination domain before it is decommissioned. The need for a comprehensive backup of both the source and destination domains was also emphasized. Finally, the servers in the domain are shut down and possibly redeployed in the destination domain if needed and if their hardware complement is suitable for Windows 2000.