To prevent old domain controllers from authenticating clients, we can tune their Service Records by modifying their local registry. This will drain off any of the live Active Directory Domain Services (ADDS) connections for these domain controllers before decommissioning.

1.Logon to TMDC02 as Techmentor\Administrator.

2. Run Regedit.

3. Create a new Registry key in HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

4. New Reg DWORD 32Bit.

5. LdapSrvPriority.

6. Set the value to 10.

7. Open an Administrative Command Prompt.

8. Type: Net Stop Netlogon & Net Start Netlogon.

9. Open the DNSmgmt.msc (DNS Management Console) and review the zone.

10. Validate that the change in the Service Records has taken place à You can see TMDC02 with a value of 16 now.

11. Next, open Perfmon and review the active LDAP Connections.

12. Add NTDS\LDAP Client Sessions.

13. Note the number of LDAP Client Sessions. As active clients reboot.

14. Reboot the non-domain controller VM’s.

15. Check Perfmon again.

16. Repeat the steps to tune the Service Records for the remaining legacy domain controllers.

Hope you enjoy this post.

Cristal Kawula