Decommissioning a Domain Controller

Before getting into it, I want to raise some caution. Every environment is different and you really want to make sure that you’ve got your head wrapped around what removing a domain controller will impact in your specific environment. In this post, the idea is to provide a high level view of the general process, while presenting some things to consider that are sometimes missed. The general idea is to think before you do and to do as much as possible to get you to a successful outcome.

Phase 0 – Prerequisites

  • Run repadmin /replsummary and repadmin /showrepl to ensure Active Directory is replicating perfectly before you change the topology. Demoting a DC in an unhealthy forest can cause lingering objects.
  • Run netdom query fsmo to see who holds the roles. If it’s this server, move them using PowerShell (Move-ADDirectoryServerOperationMasterRole).
  • Check your DHCP scopes, member servers, and appliances (firewalls, switches). If they point to this DC’s IP for DNS, they will lose internet and domain connectivity the moment you pull the plug. Change client DNS settings days before the demotion to be safe.
  • Check devices with static IP addresses, and head off future DNS problems by pointing them at a surviving DNS server.
  • Remember when you decided that it was a good idea to host printer and file shares on your DC (this is never a good idea)? If you did, you’ll have to deal with that first.
  • Have an Active Directory backup. Not a VM snapshot, but an Active Directory, application-aware backup. It would be a dark day if you needed it, but make sure you have it.

Phase 1 – Preparation (Days Before)

  1. Point all client/server DNS settings away from this DC’s IP address.
  2. Verify AD health to confirm that everything has remained healthy since the prerequisite checks (repadmin).
  3. Check and migrate FSMO roles (netdom query fsmo). You may ask yourself, why would I do this again when I checked it the other day? I will tell you why. You should do this because it takes 5 seconds and because not everyone is a great communicator. Other people sometimes do stuff that you’re not aware of. Ask me how I know!
  4. Migrate DHCP or other secondary roles if applicable.
  5. Perform a “scream test” or whatever you call it. Don’t skip it. Disable the NIC for a few days to see what breaks and keep your ear to the ground. Make sure you re-enable the NIC and allow a day or so before advancing to the next phase.
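The Phase 0 and Phase 1 checks above, gathered into one PowerShell script as an added example (not from the original post). It assumes the RSAT ActiveDirectory and DhcpServer modules are installed, and the server names and IP address in the param block are placeholders for your own environment.

```powershell
# Added pre-demotion check script (not part of the original post).
# Assumes RSAT ActiveDirectory and DhcpServer modules; all names/IPs are placeholders.
param(
    [string]$OldDc      = 'OLDDC01',     # DC being decommissioned
    [string]$TargetDc   = 'DC02',        # surviving DC that receives any FSMO roles
    [string]$DhcpServer = 'DHCP01',      # DHCP server whose scopes hand out DNS (option 6)
    [string]$OldDcIp    = '192.0.2.10'   # old DC's IP as clients currently see it for DNS
)
Import-Module ActiveDirectory

# --- Replication health: any failure count other than 0 means stop and fix first.
repadmin /replsummary
$repl   = repadmin /showrepl $OldDc /csv | ConvertFrom-Csv
$broken = $repl | Where-Object { $_.'Number of Failures' -ne '0' }
if ($broken) {
    $broken | Format-Table 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status'
    throw "Replication failures involving $OldDc; do not demote yet."
}

# --- FSMO roles (PowerShell equivalent of 'netdom query fsmo').
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles
# Role holders come back as FQDNs; compare on the host label only.
$held = @($roles.GetEnumerator() |
    Where-Object { ($_.Value -split '\.')[0] -eq $OldDc } |
    Select-Object -ExpandProperty Key)
if ($held.Count -gt 0) {
    Write-Warning "$OldDc still holds $($held -join ', '); moving to $TargetDc."
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $held -Confirm:$false
}

# --- Who will still ask the old DC for DNS? Check DHCP option 6 at server and scope level;
#     these are the values to change days before the demotion.
Import-Module DhcpServer
$opt6 = @(Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -OptionId 6 -ErrorAction SilentlyContinue)
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $DhcpServer) {
    $opt6 += Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $scope.ScopeId `
                                        -OptionId 6 -ErrorAction SilentlyContinue
}
if ($opt6 | Where-Object { $_.Value -contains $OldDcIp }) {
    Write-Warning "DHCP still hands out $OldDcIp as a DNS server; fix this before demoting."
}
```

Run it once during Phase 0 and again during Phase 1; a clean run on both days is the signal to proceed to the scream test.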

Phase 2 – Demoting the Server and Removing the AD DS and DNS roles

  1. Check out the server’s DNS configuration. If you find the loopback address configured for the primary or secondary DNS, lose it. Make the Primary DNS point to an alternate and healthy Domain Controller/DNS server in your environment. Make the Secondary DNS point to another surviving DC/DNS server. Make sure that you can resolve host names, including the top-level domain name (ping YourDomainName.local).
  2. Demote the DC via Server Manager (or PowerShell). If this is not the last DC in the environment, then don’t select the box that says “this is the last DC in the environment”. Enter and record the new local admin password. Monitor progress and wait until the server has been successfully demoted.
  3. Reboot. The server is now just a member server.
  4. Remove the AD DS and DNS Roles via Server Manager.
  5. Reboot again.

Phase 3 – Cleanup & Decommission

  1. Verify the server automatically moved to the “Computers” OU in AD.
  2. Validate AD Sites and Services. A graceful demotion removes the NTDS Settings object from under the server in AD Sites and Services, but it does not automatically remove the top-level server object container itself. You may need to delete the empty server container manually.
  3. To completely retire the server, this would be a safe time to disjoin it from the domain and shut it down.
  4. If you do disjoin and are planning to nuke it, check out DNS Management, and remove any A or reverse pointers for this server that may be lingering.
  5. Update your asset and configuration management platforms to account for the changes.