Replacing a W2K3 Domain Controller - what do I need to know?
Solution 1:
Microsoft has a wealth of articles regarding moving roles and services from one server to another. With DCs you do need to be particularly careful in order for things to happen gracefully, and you are well guided to post the question here, because it isn't a simple matter of powering off or deleting the server from AD Users and Computers.
If you are going to build a new server - at this point I'd need a compelling reason not to base it on 2K8 R2. Be sure your supporting applications support 2K8 R2 also - AntiVirus, Backup, etc. If the cost of the OS and CALs isn't an issue, I guess I wouldn't see the reasoning to stand up a long-term system based off a 7-year-old OS. I think the requirements for 2K8 R2 to exist in a 2K3 domain are that it must be in 2K3 Native mode and the 2K3 DCs may need to be SP2 or later.
First build up your new server, add it to the domain and dcpromo it - no reason to wait on this. Make sure either the new server or the remaining old server is set to be a Global Catalog Server: http://support.microsoft.com/kb/313994
Your primary area of concern needs to be about ensuring the FSMO roles are properly handed over to another DC. This article will tell you the exact what and how of every step you will need to perform: http://support.microsoft.com/kb/324801
The replication of GPOs is handled automatically by the FRS on the Sysvol tree - so you shouldn't have any worries there.
You'll likely also need to handle DHCP and DNS services. Here's a good article on moving your DHCP database if need be: http://support.microsoft.com/kb/962355 Be sure to disable the DHCP service on the old server after you move the DHCP database to a new server and fire it up there. It's important to move the DHCP database rather than just stop the service on the old server and start it on another - otherwise you'll have client systems all over the place with duplicate IP addresses.
I always prefer to move the FSMO and DHCP roles off and wait several days before removing the system as a DC.
When you have your FSMO roles and DHCP moved (and any other software) run dcpromo from the command line to remove it as a DC. Then use Add/Remove Programs -> Windows Components to uninstall the DNS service. Lastly - remove the system from the domain and power it off.
Good Luck!
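The checks this answer calls for (FSMO roles handed over per KB 324801, and a Global Catalog remaining per KB 313994) can be verified before you run dcpromo to demote the old box. The script below is an added example written for this page, not code from the answer's author or from Microsoft. It uses only the .NET System.DirectoryServices.ActiveDirectory classes, so it runs from any domain member with PowerShell 2.0 and needs no ActiveDirectory module (which 2K3 and plain 2K8 R2 members do not have). The name OLDDC01 is a placeholder for the DC you intend to retire.

```powershell
# Added example: pre-demotion readiness check for a domain controller.
# Not from the original answer; OLDDC01 is a placeholder name.
param(
    [string]$RetiringDc = "OLDDC01"   # placeholder: the DC you intend to demote
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Map each FSMO role to the DC that currently holds it (forest roles from
# the Forest object, domain roles from the Domain object).
$roles = @{
    "Schema master"         = $forest.SchemaRoleOwner.Name
    "Domain naming master"  = $forest.NamingRoleOwner.Name
    "PDC emulator"          = $domain.PdcRoleOwner.Name
    "RID master"            = $domain.RidRoleOwner.Name
    "Infrastructure master" = $domain.InfrastructureRoleOwner.Name
}

# Role owner names come back as FQDNs, so match either the short or long form.
function Test-IsRetiringDc([string]$name) {
    return ($name -eq $RetiringDc) -or ($name -like "$RetiringDc.*")
}

$problems = @()
"FSMO role holders:"
foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    "  {0,-22} {1}" -f $role, $holder
    if (Test-IsRetiringDc $holder) {
        $problems += "$role is still held by $RetiringDc; transfer it first (KB 324801)"
    }
}

# At least one Global Catalog must remain once the old DC is gone (KB 313994).
$gcs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
"Global catalogs: " + ($gcs -join ", ")
$remainingGcs = @($gcs | Where-Object { -not (Test-IsRetiringDc $_) })
if ($remainingGcs.Count -eq 0) {
    $problems += "No Global Catalog would remain after $RetiringDc is demoted (KB 313994)"
}

if ($problems.Count -eq 0) {
    "OK: $RetiringDc holds no FSMO role and is not the last Global Catalog."
} else {
    "NOT READY to demote $RetiringDc :"
    $problems | ForEach-Object { "  - $_" }
}
```

Run it as a domain user from any member; it only reads the directory. Running it once before transferring the roles and again afterwards gives you a before/after record of where each role landed, which is the paper trail you want if the demotion later has to be investigated.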
Solution 2:
Replication is totally automatic between domain controllers in the same domain, so you shouldn't need to worry at all about it, unless something goes wrong; all AD content (users, computers, OUs, GPOs, etc.) will be replicated to any new DC you add to the domain, and each DC will always store a full copy of the domain database.
There are two things you should care about (apart from any other application that may be running on the server, of course): FSMO roles and DNS.
If your DC is a DNS server, you should take care to enable that service on other DCs and have all your domain member computers (clients and servers) point to them instead of the one you're retiring; in a standard AD setup, installing the DNS service on a DC is enough: you don't need to define and populate DNS zones, as the main domain zone will be AD-integrated and thus replicated to all DNS servers which are also DCs.
FSMO roles are special roles which can be held only by a single DC at a time, and they're usually owned by the first DC created in the domain; they will be automatically moved to another one if you demote the DC that owns them, but you'll have no control over their placement, so it's always better to move them manually; you can do that using the various AD tools (Users & Computers, Sites & Services, Domain & Trusts, Schema), or by using NTDSUTIL.
Also, be careful to actually demote the old DC (using dcpromo) before retiring it; this will ensure all information concerning its previous role as a DC gets properly removed from Active Directory.