Windows 2003 domain controller

    Question

  • Hi

    I have one domain controller that is Windows 2003 and it is still sitting there; we want to decommission it, but nobody knows what requests it may receive. It is also a DNS server, but that should be easy: just enable debugging and, if there are any requests, we should be able to output them to a txt file.

    But how do I check if there are any requests to the domain controller from, for example, workstations or other servers? Many servers are still in the list but they are gone; nobody really disjoined them from the domain, they just removed the servers and that is it. So what I would like to know is whether there is any way to trace traffic to the domain controller and output it to some file to see what can still talk to that DC.

    The server was installed in 2006 and it looks like nobody has touched it since then, but it still works. We would like to know if there is anything sending requests to this DC; if not, then just decommission it.


    Dalibor Bosic

    Tuesday, December 13, 2016 7:16 PM

Answers

  • Then I'd use a network capture tool (Wireshark) as Burak suggests. This one will give an idea of what to expect.

    https://technet.microsoft.com/en-us/library/dd772723%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Marked as answer by cer113 Wednesday, December 14, 2016 8:12 PM
    Wednesday, December 14, 2016 2:45 PM
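A lighter-weight alternative to a full packet capture, added here as an example and not part of Dave's or anyone else's post in the thread: poll `netstat -n` on the DC itself and keep a running list of the remote addresses that connect to its AD service ports. It assumes PowerShell 2.0 or later is installed on the DC and that the port table below covers the services you care about. It only sees TCP: netstat shows no peer address for UDP, so DNS, Kerberos and LDAP ping traffic over UDP still needs Network Monitor or Wireshark. The sample netstat lines are constructed for an offline dry run, not real traffic.

```powershell
# Added example: find what still connects to a DC's AD service ports using only
# 'netstat -n', which exists on Windows Server 2003. Assumes PowerShell 2.0+.
# TCP only: netstat does not show the remote end of UDP traffic.

# Inbound service ports on a DC and what they belong to (extend as needed).
$DcPorts = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB / Netlogon'
    464  = 'Kerberos password change'
    636  = 'LDAPS'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

# Parses one 'netstat -n' line, e.g.
#   TCP    10.0.0.5:389    10.0.0.77:49152    ESTABLISHED
# Returns $null for headers, non-TCP lines, loopback, and connections that are
# not inbound to one of the ports above (outbound sockets use ephemeral local ports).
function Parse-NetstatLine {
    param([string]$Line)
    $fields = $Line.Trim() -split '\s+'
    if ($fields.Count -lt 4 -or $fields[0] -ne 'TCP') { return $null }
    $li = $fields[1].LastIndexOf(':')
    $ri = $fields[2].LastIndexOf(':')
    if ($li -lt 1 -or $ri -lt 1) { return $null }
    $localPort  = [int]$fields[1].Substring($li + 1)
    $remoteAddr = $fields[2].Substring(0, $ri)
    if (-not $DcPorts.ContainsKey($localPort)) { return $null }
    if ($remoteAddr -eq '127.0.0.1' -or $remoteAddr -eq '[::1]') { return $null }
    New-Object PSObject -Property @{
        RemoteAddress = $remoteAddr
        LocalPort     = $localPort
        Service       = $DcPorts[$localPort]
        State         = $fields[3]
    }
}

# Polls netstat until the deadline and keeps one row per (remote address, port)
# with first/last seen and a hit count. Pass -NetstatLines to parse a saved or
# constructed listing in a single pass instead of running netstat.
function Collect-DcClients {
    param(
        [int]$DurationMinutes = 60,
        [int]$IntervalSeconds = 30,
        [string[]]$NetstatLines
    )
    $seen = @{}
    $deadline = (Get-Date).AddMinutes($DurationMinutes)
    do {
        if ($NetstatLines) { $lines = $NetstatLines } else { $lines = netstat -n }
        $now = Get-Date
        foreach ($line in $lines) {
            $c = Parse-NetstatLine $line
            if (-not $c) { continue }
            $key = "$($c.RemoteAddress)|$($c.LocalPort)"
            if ($seen.ContainsKey($key)) {
                $seen[$key].LastSeen = $now
                $seen[$key].Hits += 1
            } else {
                Add-Member -InputObject $c -MemberType NoteProperty -Name FirstSeen -Value $now
                Add-Member -InputObject $c -MemberType NoteProperty -Name LastSeen  -Value $now
                Add-Member -InputObject $c -MemberType NoteProperty -Name Hits      -Value 1
                $seen[$key] = $c
            }
        }
        if ($NetstatLines) { break }
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    $seen.Values | Sort-Object RemoteAddress, LocalPort
}

# Constructed sample listing (not real traffic) for an offline dry run. Expected:
# an LDAP and a Kerberos row for 10.0.0.77 and an SMB row for 10.0.0.78; the RDP
# session on 3389 and the outbound LDAP connection to 10.0.0.6 are dropped.
$Sample = @(
    '  Proto  Local Address          Foreign Address        State'
    '  TCP    10.0.0.5:389           10.0.0.77:49152        ESTABLISHED'
    '  TCP    10.0.0.5:88            10.0.0.77:49160        TIME_WAIT'
    '  TCP    10.0.0.5:445           10.0.0.78:1034         ESTABLISHED'
    '  TCP    10.0.0.5:3389          10.0.0.99:50000        ESTABLISHED'
    '  TCP    10.0.0.5:49170         10.0.0.6:389           ESTABLISHED'
)
Collect-DcClients -NetstatLines $Sample |
    Format-Table RemoteAddress, LocalPort, Service, State, Hits -AutoSize

# On the DC itself: watch for a working day and keep the evidence.
# Collect-DcClients -DurationMinutes 480 -IntervalSeconds 30 |
#     Export-Csv -NoTypeInformation -Path C:\Temp\DcClients.csv
```

Run it for at least one full business cycle (month-end jobs and weekly backups are the classic forgotten clients), then resolve the collected addresses against DNS and the inventory; an address that resolves to nothing is exactly the kind of removed-but-never-disjoined server the question describes.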
  • You could check if any users or computers have authenticated recently. For example, the following will output the sAMAccountName and lastLogonTimestamp for all accounts:

    dsquery * -filter "(sAMAccountName=*)" -attr sAMAccountName lastLogonTimestamp -limit 0 > LastLogons.txt

    This can be run at the command prompt of the DC, or any client with RSAT installed.

    Edit: And if your DC or any client has PowerShell (even version 1), the following will output all accounts that logged in within the specified number of days in the past:

    # Specify a date 180 days in the past.
    $FileTimeUtc = (Get-Date).AddDays(-180).ToFileTimeUtc()
    
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    # Specify your domain.
    $Searcher.SearchRoot = "LDAP://dc=MyDomain,dc=com"
    $Searcher.PageSize = 100
    $Searcher.SearchScope = "subTree"
    
    $Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
    $Searcher.PropertiesToLoad.Add("lastLogonTimeStamp") > $Null
    
    # Filter on all accounts that have logged on in the last 180 days.
    $Searcher.Filter = "(lastLogonTimestamp>=$($FileTimeUtc))"
    
    $Accounts = $Searcher.FindAll()
    
    ForEach ($Account In $Accounts)
    {
        # Retrieve values.
        $DN = $Account.properties.Item("distinguishedName")
        $LL = $Account.properties.Item("lastLogonTimeStamp")
        # Convert Integer8 values into dates in the local time zone.
        If ($LL.Count -eq 0)
        {
            $Last = [DateTime]0
        }
        Else
        {
            $Last = [DateTime]$LL.Item(0)
        }
        If ($Last -eq 0)
        {
            $LastLogon = $Last.AddYears(1600)
        }
        Else
        {
            $LastLogon = $Last.AddYears(1600).ToLocalTime()
        }
        # Output values, comma delimited.
        """$DN"",$LastLogon"
    }

    Similar can be done with VBScript, if you don't have PowerShell.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)



    • Edited by Richard MuellerMVP Wednesday, December 14, 2016 6:31 PM
    • Marked as answer by cer113 Wednesday, December 14, 2016 8:12 PM
    Wednesday, December 14, 2016 4:54 PM
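Richard's script keys on lastLogonTimestamp, which is replicated but, by default, only rewritten when the stored value is more than about 14 days old, so it shows that an account logged on somewhere in the domain, with up to two weeks of lag. For the narrower question in this thread (did this particular DC authenticate anyone?) the non-replicated lastLogon attribute, read from that DC, is the direct answer. The following is an added example, not Richard's code or Microsoft's, that binds to a named DC and reports lastLogon beside lastLogonTimestamp for every enabled user and computer account. The DC name and domain DN are placeholders, and it assumes PowerShell 2.0 or later.

```powershell
# Added example: per-DC logon evidence from the non-replicated lastLogon attribute.
# Assumes PowerShell 2.0+; replace the two placeholder values below.
$Dc       = 'dc2003.corp.example.com'      # placeholder: the Windows 2003 DC's FQDN
$DomainDn = 'DC=corp,DC=example,DC=com'    # placeholder: DN of the domain it serves
$Days     = 180

# Integer8 values are 100-ns intervals since 1601-01-01 UTC; 0 or absent means never.
function ConvertFrom-Integer8 {
    param([Int64]$Value)
    if ($Value -le 0) { return $null }
    [DateTime]::FromFileTime($Value)      # returns local time
}

# Queries one DC for enabled users and computers and returns, per account, the
# lastLogon recorded on that DC next to the replicated lastLogonTimestamp.
function Get-DcLogonActivity {
    param([string]$Server, [string]$SearchBase, [int]$WithinDays)
    # Naming the server in the path matters: each DC holds its own lastLogon values.
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.PageSize    = 500
    $searcher.SearchScope = 'Subtree'
    # objectClass=user covers computers too (computer is a subclass of user);
    # the bitwise rule drops accounts with userAccountControl bit 0x2 (ACCOUNTDISABLE).
    $searcher.Filter = '(&(objectClass=user)' +
                       '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    foreach ($attr in 'sAMAccountName','objectCategory','lastLogon','lastLogonTimestamp','operatingSystem') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $cutoff = (Get-Date).AddDays(-$WithinDays)
    foreach ($result in $searcher.FindAll()) {
        $p = $result.Properties        # attribute names come back in lower case
        $lastLogon = $null
        if ($p['lastlogon'].Count -gt 0) { $lastLogon = ConvertFrom-Integer8 $p['lastlogon'][0] }
        $lastLogonTs = $null
        if ($p['lastlogontimestamp'].Count -gt 0) { $lastLogonTs = ConvertFrom-Integer8 $p['lastlogontimestamp'][0] }
        $type = 'User'
        if ([string]$p['objectcategory'][0] -like 'CN=Computer,*') { $type = 'Computer' }
        $os = ''
        if ($p['operatingsystem'].Count -gt 0) { $os = [string]$p['operatingsystem'][0] }
        New-Object PSObject -Property @{
            Type               = $type
            Account            = [string]$p['samaccountname'][0]
            OperatingSystem    = $os
            LastLogonOnThisDc  = $lastLogon
            LastLogonTimestamp = $lastLogonTs
            ActiveOnThisDc     = ($lastLogon -ne $null -and $lastLogon -ge $cutoff)
        }
    }
}

$activity = Get-DcLogonActivity -Server $Dc -SearchBase $DomainDn -WithinDays $Days

# Accounts this DC has authenticated within the window: these still depend on it
# and must be moved or retired before it is decommissioned.
$activity | Where-Object { $_.ActiveOnThisDc } |
    Sort-Object Type, Account |
    Select-Object Type, Account, OperatingSystem, LastLogonOnThisDc, LastLogonTimestamp |
    Export-Csv -NoTypeInformation -Path ".\StillUsing-$Dc.csv"

# Summary count by account type.
$activity | Where-Object { $_.ActiveOnThisDc } | Group-Object Type | Select-Object Name, Count
```

Because the Windows 2003 box is described as the only DC in its domain, lastLogon on it is complete for that domain; the child domain mentioned later in the thread has its own DCs and must be queried separately with its own server name and DN. Computer accounts that show recent lastLogon values are the most useful output: each one is a machine that still has a working secure channel to this DC, which is the list of hosts that have to be re-homed or removed first.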

All replies

  • As long as you have other properly functioning DCs at the site, it shouldn't be a problem. Might just turn it off for a few days as a test.


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, December 13, 2016 7:41 PM
  • Hi

    In addition, you can analyse the traffic with the MS Network Monitor tool:

    https://www.microsoft.com/en-us/download/details.aspx?id=4865

    And as Dave mentioned, just turn off the Server 2003 DC for a couple of days, then check.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Tuesday, December 13, 2016 7:56 PM
  • Hi

    Yes, that would be easy, but this is the only domain controller for the whole domain, which may be abandoned, but nobody knows. On this domain there is a child domain as well, also Windows 2003. It was set up a long time ago like that and we would eventually want to decommission this domain, but nobody knows whether it is used or not.

    My question is whether there is any tool that I can use to see if something is still talking to this domain controller, since it is the only domain controller in this domain.


    Dalibor Bosic

    Wednesday, December 14, 2016 2:40 PM
  • If this works after a few weeks, decommission the DC properly; you don't want to wait too long, maybe a month max.
    Wednesday, December 14, 2016 5:21 PM
  • Thanks to all of you

    I created a new filter in Network Monitor and specified all the filters for Active Directory. I also ran dsget and got the users that are still using this DC for authentication.

    Now I know what talks to this DC and can take action from there.

    Thanks a lot


    Dalibor Bosic

    Wednesday, December 14, 2016 8:15 PM