How can I determine if a Windows 2003 server is still being used by anyone/thing, and if it is, what it is being used for?
I'm drawing a blank on what else to check other than event viewer to see what accounts are connecting to the server.
This is not a dumb question, it's a great question and I'm glad that you're asking.
Human processes
Make sure that you've reviewed all documentation, talked to the greybeards, and have sign-off from someone from the business.
Technical processes
Get a complete backup; mark the media for long-term archival. Run a connection monitor or packet sniffer for a period of time to see what connections are still being made. Inspect the services to see if anything sounds important/familiar.
Cutting the cord
Better idea than powering off - unplug the network cable for a few days. If it's an old physical machine, you don't want to risk the situation where you need to power it back up but the disk spindles are frozen. Leave them spinning.
Source of authority - I spent over a year decommissioning old servers for a Fortune 25 pharma company. This was the process, and it worked.
Power it off and see who screams, and about what.
Seriously, it is the best way. Even checking logs will only get you so far, because you'll only see activities that are logged.
EDIT: To head off any further comments, this advice assumes you've already done what you should have done in the first place, even before asking the question here - asked around about the server, looked for documentation, and logged on to see if you can catch any obvious signs of activity.
This also assumes you're not in one of those environments that apparently exist where business-critical systems that no one knows about run on hardware so fragile it's at risk of bursting into flames or exploding during boot.
For users who are authenticating against the server with LDAP (file shares, print shares, etc.) you can use the "Shares & Sessions" snap-in in mmc to identify users who are connected with open sessions. These are users who are actively or passively (mapped drives) connected.
I found an article that is more detailed.
You can also check if it has any installed services such as SQL or programs and see if there are any non-default open ports using software such as Sysinternals TCPView to identify any software running. These open ports can help identify the protocols being used and that can help identify the purpose of the server.
Finally, you can check the installed/running services and identify what is running.
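An added example, not part of the answers on this page: one way to turn the "watch connections for a period of time" and "check open ports" advice into evidence is to append `netstat -ano` output to a file on a schedule and summarize offline which remote hosts reached each listening port. The sample capture, addresses and PIDs below are constructed, and `inbound_clients` is a hypothetical helper name.

```python
import re

# Constructed sample: two `netstat -ano` snapshots appended to one file, as a
# scheduled `netstat -ano >> usage.log` would produce. All values are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1820
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       900
  TCP    10.0.0.5:445           10.0.0.21:49211        ESTABLISHED     4
  TCP    10.0.0.5:1433          10.0.0.40:51002        ESTABLISHED     1820
  TCP    10.0.0.5:2101          10.0.0.9:389           ESTABLISHED     512
  TCP    127.0.0.1:1433         127.0.0.1:3050         ESTABLISHED     1820
  UDP    0.0.0.0:161            *:*                                    1100

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1820
  TCP    10.0.0.5:1433          10.0.0.40:51077        ESTABLISHED     1820
  TCP    10.0.0.5:1433          10.0.0.41:50001        TIME_WAIT       0
"""

ROW = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):\d+\s+([A-Z_0-9]+)\s+\d+\s*$")

def inbound_clients(text):
    """Map each listening TCP port to the remote hosts seen connected to it."""
    listening, seen = set(), set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # headers, blank lines and UDP rows
        lport, raddr, state = int(m.group(1)), m.group(2), m.group(3)
        if state == "LISTENING":
            listening.add(lport)
        elif not raddr.startswith(("127.", "[::1]")):  # ignore loopback peers
            seen.add((lport, raddr))
    # A local port that is not a listener is an outbound connection: skip it.
    return {p: sorted(r for lp, r in seen if lp == p) for p in sorted(listening)}

if __name__ == "__main__":
    for port, hosts in inbound_clients(SAMPLE).items():
        print(port, hosts or "no remote clients seen")
```

Periodic snapshots miss connections that open and close between samples, so a port with no recorded clients is a lead to follow up, not proof that the service is unused.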
Doesn't really fit your situation because you've said you have multiple servers to check, so this is for others reading this for answers of their own:
If it's a small business and there is no real procedural documentation or any onsite techs to talk to then here are two things you can do:
Check services and installed programs; see if you can figure out who uses the software that connects to those services, and make sure they are moved to any new servers.
Shares: I'm sure you know you can look at all the files opened from the network in the Shared Folders MMC snap-in (Computer Management > Shared Folders). Sessions and Open Files will help you here. Find the computers/users listed here and move their files to the new location.
Once that's done, feel free to unplug it from the network or shut it off. As stated, this is really the only way to know for sure it's not being used. Be sure to wait a few days in case it's something that doesn't get used constantly.