
Decommission a Domain Controller

📃 What to check and how to demote a domain controller

Short version

Make sure the DC you’re demoting is not the only GC

dsquery server -domain <domain FQDN> | dsget server -isgc -dnsname

It does not have any FSMO roles

netdom query fsmo

It is not the bridgehead of any site – run this from the DC being demoted

repadmin /bridgeheads

This post is based on a post that I’ve used for years. It recently went down, so I’m making an updated version.

Checking Roles

In this post the DC ad-dc-01 is being demoted and replaced by ad-dc-02.
Every site should keep at least two DCs, so ad-dc-03 has already been promoted and will be the second DC in this site after ad-dc-01 is demoted.

Global Catalog

A global catalog (GC) server holds a partial, read-only copy of every domain partition in the forest, which is what lets users and applications find objects anywhere in the forest. Without a reachable GC, forest-wide lookups fail, and so do logons that need universal group membership resolved.

Run the command below from any DC (or any domain member with the AD tools installed).
The DC being demoted can (and probably will) appear in the list with isgc set to yes; that’s fine as long as it is not the only DC listed.

dsquery server -domain <domain FQDN> | dsget server -isgc -dnsname

Skip to transfer global catalog section

FSMO Roles

There are exactly five Flexible Single Master Operation (FSMO) roles. Two are forest-wide and exist once per forest; three are domain-wide and exist once in every domain.
Each role can sit on a different domain controller.

  • Schema master (forest)
  • Domain naming master (forest)
  • PDC emulator (domain)
  • RID master (domain)
  • Infrastructure master (domain)

Run the command below from any DC in the site.
The DC being demoted should not have any roles on this list.

netdom query fsmo


Skip to transfer FSMO section

Bridgehead Server

A bridgehead server is the DC in a site that sends and receives replication traffic on behalf of that site.
Strictly you only need to check this if you have more than one site, but it’s cheap to check anyway. The KCC picks bridgeheads on its own unless an administrator has marked specific DCs as preferred bridgeheads; that preferred-bridgehead setting is what needs attention before a demotion.

Run the command below from the server that you are decommissioning.

repadmin /bridgeheads


Skip to transfer bridgehead server section
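Here is a PowerShell version of the three checks above plus the two-DCs-per-site check, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module is available and that ad-dc-01 is the DC being demoted, as in the post.

```powershell
# Added example (not from the original post): pre-demotion checks for one DC.
# Assumes the ActiveDirectory module and that $OldDc is the DC being demoted.
Import-Module ActiveDirectory

$OldDc = 'ad-dc-01'
$dc    = Get-ADDomainController -Identity $OldDc   # name -> full DC object (HostName, Site, DNs)
$allDc = Get-ADDomainController -Filter *          # every DC in this domain
$ok    = $true

# 1. Global catalog: the DC may be a GC, it just must not be the only one.
$gcs = $allDc | Where-Object IsGlobalCatalog | Select-Object -ExpandProperty HostName
if (@($gcs).Count -eq 1 -and $gcs -contains $dc.HostName) {
    Write-Warning "$($dc.HostName) is the only global catalog; enable the GC on another DC first."
    $ok = $false
}

# 2. FSMO: none of the five roles may still be held by the DC being demoted.
#    Get-ADForest/Get-ADDomain report the role holders as FQDNs, same as $dc.HostName.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    if ($r.Value -eq $dc.HostName) {
        Write-Warning "$($dc.HostName) still holds $($r.Key); transfer it before demoting."
        $ok = $false
    }
}

# 3. Preferred bridgehead: the server object's bridgeheadTransportList names every
#    transport (IP, SMTP) for which an admin marked this DC as a preferred bridgehead.
#    An empty list means the KCC chooses bridgeheads itself and nothing needs changing.
$srv = Get-ADObject -Identity $dc.ServerObjectDN -Properties bridgeheadTransportList
if ($srv.bridgeheadTransportList.Count -gt 0) {
    Write-Warning "$($dc.HostName) is a preferred bridgehead for: $($srv.bridgeheadTransportList -join ', ')"
    $ok = $false
}

# 4. Site coverage: at least one other DC must remain in the site.
$siteDcs = $allDc | Where-Object { $_.Site -eq $dc.Site -and $_.HostName -ne $dc.HostName }
if (-not $siteDcs) {
    Write-Warning "No other DC in site $($dc.Site); promote one before demoting."
    $ok = $false
}

if ($ok) { "All pre-demotion checks passed for $($dc.HostName)." }
```

Each failing check prints a warning rather than stopping, so one run shows everything that still has to move. Note that step 2 compares against the directory’s own view of the role holders, which is what netdom query fsmo shows too.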

General Checks

dcdiag

Run dcdiag to check for any DC issues. With /c and /e it tests every DC in the forest and can take a while in a large environment; fix whatever it reports before you demote anything.

dcdiag.exe /v /c /e /f:dcdiag.log

/v Verbose
/c Comprehensive. Runs all tests except DCPromo and RegisterInDNS, including non-default tests.
/e Tests all the servers in the enterprise.
/f:<filename> (optional) Output to <filename>

repadmin

Run repadmin to check replication. Replication failures should be resolved before demoting, since a DC demoted while replication is broken can leave stale metadata behind.

repadmin /showrepl /verbose /all /intersite

Certificate Authority

You will need to remove the CA role before demoting the DC; the demotion prerequisite check refuses to run while Active Directory Certificate Services is installed.
Migrate the CA first (back up the CA database, private key and registry configuration with the CA snap-in or certutil -backup, then restore it on the new server under the same CA name), and only then uninstall the role. Simply uninstalling it would leave every certificate it issued with no CRL source.

Get-WindowsFeature ADCS-Cert-Authority

Network Policy Server

Check whether NPS is installed, unless you’re keeping the server around as a member server after demoting it.
You can export the NPS config before removing the role and import it on the new NPS server.
Don’t ignore the warning about shared secrets when you export the config: the export only includes the RADIUS shared secrets if you ask for them, and then it stores them in clear text, so protect the file and delete it once the import is done.

Get-WindowsFeature NPAS*

Fileshares

Check whether the server hosts any file shares beyond the ones every DC has (NETLOGON and SYSVOL) and the hidden admin shares.

net share

DNS

Clients are most likely using the DC for DNS. Before it goes away, update DHCP option 006 (DNS servers), any statically configured clients and servers, and any forwarders or conditional forwarders on other DNS servers that point at it. Once demoted, the server can no longer host AD-integrated zones, so it stops being a useful DNS server even if the role is still installed.

DHCP

You can export your DHCP server config (Export-DhcpServer) and import it on the new DHCP server (Import-DhcpServer) before uninstalling the role. Once the new server is authorized, unauthorize the old one in AD (Remove-DhcpServerInDC); otherwise it keeps handing out leases until the role is removed.
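The five checks above (CA, NPS, shares, DNS, DHCP) in one pass, added here as an example and not part of the original post. It assumes ad-dc-01 is the DC being demoted as in the post, that DHCP runs on it, that C:\Decom exists on both the DC and the machine you run this from, and that the ActiveDirectory, SmbShare and DhcpServer modules are installed locally.

```powershell
# Added example (not from the original post): what else is this DC doing, and export it.
# Assumptions: $OldDc is the DC being demoted, DHCP runs on it, C:\Decom exists on both ends.
Import-Module ActiveDirectory

$OldDc  = 'ad-dc-01'
$OutDir = 'C:\Decom'
$oldIp  = (Get-ADDomainController -Identity $OldDc).IPv4Address

# 1. Roles that must be handled before demotion. AD CS blocks the demotion outright;
#    NPS, DHCP and DNS keep running afterwards but clients will be pointed at a dead box.
Get-WindowsFeature -ComputerName $OldDc -Name ADCS-Cert-Authority, NPAS, DHCP, DNS |
    Where-Object Installed | Format-Table Name, DisplayName -AutoSize

# 2. Shares other than the DC's own NETLOGON/SYSVOL and the hidden admin shares (Special).
Get-SmbShare -CimSession $OldDc |
    Where-Object { -not $_.Special -and $_.Name -notin 'NETLOGON', 'SYSVOL' } |
    Format-Table Name, Path -AutoSize

# 3. DHCP: export scopes, options and leases for Import-DhcpServer on the new server,
#    then list scopes whose DNS server option (006) still hands out the old DC.
#    The server-level option is checked the same way, just without -ScopeId.
Export-DhcpServer -ComputerName $OldDc -File "$OutDir\dhcp.xml" -Leases
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $OldDc) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $OldDc -ScopeId $scope.ScopeId `
               -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt -and $opt.Value -contains $oldIp) {
        "Scope $($scope.ScopeId) ($($scope.Name)) still lists $oldIp as a DNS server"
    }
}

# 4. NPS: exportPSK=YES is the only export that includes the RADIUS shared secrets,
#    and it writes them in clear text. Lock the file down to admins and delete it
#    after 'netsh nps import filename=...' on the new server.
Invoke-Command -ComputerName $OldDc -ScriptBlock {
    netsh nps export filename="C:\Decom\nps.xml" exportPSK=YES
    icacls "C:\Decom\nps.xml" /inheritance:r /grant:r "Administrators:(F)" "SYSTEM:(F)"
}
```

The NPS step runs netsh on the DC itself because the nps context has no remote-server switch; the DHCP and share steps use the cmdlets’ own -ComputerName / -CimSession parameters.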

Transfer Roles

Global Catalog

Open Active Directory Sites and Services

dssite.msc

Go to Sites > <site name> > Servers > <new DC name> > NTDS Settings
Right click NTDS Settings and click Properties

Check the Global Catalog checkbox.

Verify with the same dsquery/dsget command from the Global Catalog section (netdom query fsmo does not list the GC, which is not an FSMO role). The new GC only starts advertising after the read-only copies of the other partitions have replicated in, which it reports as event ID 1119 in the Directory Service log; don’t remove the old GC until you see that.

FSMO Roles

Here’s the MS article for reference.

You’ll need to register Schmmgmt.dll first

regsvr32 schmmgmt.dll

Schema master

Do this on the new DC. Do not do this on the DC that is being demoted.

Open mmc
Go to File > Add/Remove Snap-in and add Active Directory Schema

Right click Active Directory Schema and select Change Active Directory Domain Controller

Select the new DC and click OK

Verify the new DC is listed after “Active Directory Schema” in the tree
Right click Active Directory Schema and select Operations Master

Verify the server in the bottom is the one you want to use as the new schema master
Click Change to transfer the role to the new server
If the Change button is greyed out, check that you’re in the Schema Admins group. Domain Admins is not a member of Schema Admins by default, and you need to log off and on after being added before the new membership takes effect.

Run netdom query fsmo from both DCs to verify the role has been transferred

Domain Naming Master

Open Active Directory Domains and Trusts

domain.msc

Right click Active Directory Domains and Trusts then select Change Active Directory Domain Controller
Select the new DC and click OK

Right click Active Directory Domains and Trusts then select Operations Master
Verify the server in the bottom is the one you want to use as the new domain naming master
Click Change to transfer the role to the new server

Run netdom query fsmo from both DCs to verify the role has been transferred

PDC Emulator, RID Master and Infrastructure Master

Open Active Directory Users and Computers

dsa.msc

Right click Active Directory Users and Computers then select Change Active Directory Domain Controller
Select the new DC and click OK

Right click Active Directory Users and Computers then go to All Tasks > Operations Masters
Verify the server at the bottom is the one you want to use for the role in each tab, then click Change to transfer it.
One caveat on the Infrastructure tab: in a multi-domain forest the infrastructure master must not be on a GC unless every DC in the domain is a GC. A GC-hosted infrastructure master compares against its own GC copy, never finds anything out of date, and stops updating cross-domain references. In a single-domain forest it makes no difference.

Run netdom query fsmo from both DCs to verify the roles have been transferred
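The same GC and FSMO transfers done with the ActiveDirectory module instead of the snap-ins, added as an example and not part of the original post. It assumes ad-dc-02 is the target DC as in the post and that you’re running it as a member of Schema Admins and Enterprise Admins, which the schema master and domain naming master transfers require.

```powershell
# Added example (not from the original post): enable the GC and move all five FSMO roles
# to $NewDc, then verify from the directory. Assumes ad-dc-02 is the target, as in the post.
Import-Module ActiveDirectory

$NewDc = 'ad-dc-02'
$dc    = Get-ADDomainController -Identity $NewDc

# 1. Global catalog: bit 0x1 of 'options' on the DC's NTDS Settings object is the GC flag.
#    OR it in instead of overwriting so any other option bits survive.
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
$opts = [int]$ntds.options
if (-not ($opts -band 1)) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
}
# The DC advertises as a GC only after the other partitions replicate in (event 1119).
$adv = Get-WinEvent -ComputerName $NewDc -MaxEvents 1 -ErrorAction SilentlyContinue `
           -FilterHashtable @{ LogName = 'Directory Service'; Id = 1119 }
if ($adv) { "GC advertised at $($adv.TimeCreated)" } else { "GC not advertising yet; keep the old GC until it is" }

# 2. FSMO: one cmdlet transfers any or all roles. Without -Force this is a clean transfer
#    (the current holder must be online); -Force seizes, which is only for a dead DC.
#    Reminder: in a multi-domain forest don't put InfrastructureMaster on a GC unless
#    every DC in the domain is one.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false -OperationMasterRole `
    SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 3. Verify from the directory rather than a console that may be showing cached state.
$forest = Get-ADForest
$domain = Get-ADDomain
[ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    GlobalCatalogs       = (Get-ADDomainController -Filter * | Where-Object IsGlobalCatalog).HostName -join ', '
}
```

If you only want some of the roles moved, trim the -OperationMasterRole list; the verification block at the end is the PowerShell equivalent of running netdom query fsmo on both DCs.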

Bridgehead Server

Open Active Directory Sites and Services

dssite.msc

Go to Sites > <site name> > Servers > <new DC name>
Right click the new dc and click Properties

Under “Transports available for inter-site data transfer”, highlight IP (and SMTP only if you actually use SMTP replication, which almost nobody does) and click Add to make the new DC a preferred bridgehead.

Then open the properties of the DC being demoted and click Remove for each transport it is listed under as preferred.
The change is picked up on the next KCC run, so repadmin /bridgeheads may not reflect it immediately. Be aware that as soon as any DC is marked preferred for a transport, the KCC only ever uses preferred DCs for it: if the old DC is the only preferred bridgehead and it goes offline, inter-site replication for that site stops rather than failing over. Either make the new DC preferred first, as above, or remove the old DC and leave no preferred bridgeheads at all so the KCC chooses for itself.

Demote Domain Controller

Powershell

Here’s the output from the wizard below. Use this at your own risk.

Import-Module ADDSDeployment
# The same parameters work with Test-ADDSDomainControllerUninstallation for a checks-only dry run.
# -DemoteOperationMasterRole lets the demotion proceed even if a FSMO role is still held here (a
# graceful demotion hands it to another DC, but you want to pick that DC yourself, hence the checks
# above); -RemoveDnsDelegation drops this DC's delegation in the parent zone; -Force skips the prompt.
Uninstall-ADDSDomainController `
    -DemoteOperationMasterRole:$true `
    -RemoveDnsDelegation:$true `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'New local Administrator password') `
    -Force:$true

Server Manager (GUI)

Consider leaving the DC running for a while after transferring the roles (a few days covers a full replication cycle): anything still hard-coded to its name or address, such as LDAP-bound applications, scripts or static DNS settings, will show up in its logs while it can still answer, instead of as an outage after it is gone.

Open Server Manager on the old DC
Go to Manage > Remove Roles and Features

Skip the first page then verify you’re selecting the DC you want to demote in the server selection screen.
Uncheck Active Directory Domain Services then click Remove Features on the dialog that pops up

You’ll get a validation error that the domain controller needs to be demoted before the role can be uninstalled
Click the Demote this domain controller link

Verify or change the creds to demote the domain controller and click Next

You may see a warning that the DC has roles
If you already checked the roles listed click Proceed with removal then next

Click Next to confirm removing DNS delegation and any other removal options

Set a new password for the local administrator account
This account will be created after the server is demoted

Click Demote to demote the DC

The system reboots automatically and its computer object ends up in the Computers container as a plain member server.
Disable or delete the object if you’re decommissioning it.

The system will still have the AD DS (Active Directory Domain Services) binaries installed, but it is no longer a domain controller and does nothing for the domain.
You can safely remove the role or shut the system down.

A graceful demotion removes the server’s NTDS Settings object from Active Directory Sites and Services on its own. If the server object is still there afterwards, delete it from dssite.msc. If the NTDS Settings object underneath it is still there, the demotion did not complete and the DC’s metadata needs cleaning up (ntdsutil metadata cleanup, or deleting the DC’s computer object from Active Directory Users and Computers on Windows Server 2008 or later, which runs the cleanup for you).

dssite.msc
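To confirm the DC is actually gone from the directory and from DNS, here is a check script added as an example and not part of the original post. It assumes ad-dc-01 is the demoted DC and ad-dc-02 a remaining DC, as in the post, and that the ActiveDirectory and DnsServer RSAT modules are installed.

```powershell
# Added example (not from the original post): post-demotion verification.
# Assumptions: $OldDc is the demoted DC, $NewDc is any DC that is still in service.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldDc  = 'ad-dc-01'
$NewDc  = 'ad-dc-02'
$domain = Get-ADDomain -Server $NewDc
$cfgDn  = (Get-ADRootDSE -Server $NewDc).configurationNamingContext

# 1. DC list: a graceful demotion removes the DC from this list by itself.
if (Get-ADDomainController -Filter * -Server $NewDc | Where-Object Name -eq $OldDc) {
    Write-Warning "$OldDc is still listed as a domain controller; the demotion did not complete."
}

# 2. Sites and Services: the server object and its NTDS Settings child should both be gone.
#    An empty server object can simply be deleted; a surviving NTDS Settings (nTDSDSA)
#    object means metadata cleanup is still required.
$srv = Get-ADObject -Server $NewDc -SearchBase "CN=Sites,$cfgDn" `
           -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
if ($srv) {
    $ntds = Get-ADObject -Server $NewDc -SearchBase $srv.DistinguishedName -LDAPFilter "(objectClass=nTDSDSA)"
    if ($ntds) { Write-Warning "NTDS Settings for $OldDc still exist: run metadata cleanup." }
    else       { Write-Warning "Empty server object left at $($srv.DistinguishedName); delete it in dssite.msc." }
}

# 3. DNS: SRV records (_ldap, _kerberos, _gc, ...) that still name the old DC send clients
#    to a server that no longer answers. Demotion deregisters them, but check anyway.
foreach ($zone in $domain.DNSRoot, "_msdcs.$($domain.Forest)") {
    Get-DnsServerResourceRecord -ComputerName $NewDc -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "$OldDc.*" } |
        ForEach-Object { "Stale SRV in ${zone}: $($_.HostName) -> $($_.RecordData.DomainName)" }
}

# 4. The computer object: it should now be a plain member in the Computers container.
Get-ADComputer -Server $NewDc -Identity $OldDc -Properties Enabled |
    Select-Object Name, DistinguishedName, Enabled
```

No output from steps 1 to 3 is the good result. Stale SRV records found in step 3 can be removed with Remove-DnsServerResourceRecord on the same zone once you are sure the old DC is not coming back.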

Markdown Checklist

- [ ] DNS
- [ ] DHCP
- [ ] Certificate Authority
- [ ] NPS
- [ ] Fileshares
- [ ] Global Catalog
- [ ] FSMO
    - [ ] Schema master
    - [ ] Domain naming master
    - [ ] PDC emulator
    - [ ] RID master
    - [ ] Infrastructure master
- [ ] Bridgehead
- [ ] dcdiag
- [ ] repadmin
