Windows Active Directory
Decommission A Domain Controller
Purpose
Decommissioning a Domain Controller (or DC) should only be done in an environment where multiple DCs exist so that you do not lose any of the configuration and settings for your existing domain. The reasons for decommissioning a DC are that you have a newer one in place (likely using a newer version of the Windows Server operating system), you are replacing aging server hardware, or both.
Prerequisites
- Multiple Domain Controllers
Solution
The best practice is to build your Windows Domain with multiple Domain Controllers. However, due to the cost of licensing, maintenance, and disaster recovery, this isn’t always feasible. Once you have added your new server, promoted it to be a Domain Controller, and have given it enough time to sync, you can begin following the decommissioning process.
Locate Server(s) with FSMO Roles
Log in to the Domain Controller that you wish to decommission with your Domain Admin credentials.
Check which Flexible Single Master Operation (FSMO) roles are held in Active Directory and by which server.
Open Server Manager and from the Tools menu select Active Directory Module for Windows PowerShell and type the following commands:
Get-ADDomain | FL InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | FL DomainNamingMaster, SchemaMaster
Verify and notate the FSMO roles that pertain to the server you are on.
Transfer the FSMO roles
You have four options for transferring the FSMO roles from the Domain Controller that you are about to decommission:
Option 1 (Using Server Manager to demote the Domain Controller)
This is the easiest option because the demotion wizard automatically transfers the FSMO roles to the other DC. This option is best used in a Domain with only two DCs when you are decommissioning one of them. To use this option, go directly to the Remove Active Directory Role section.
Option 2 (Use PowerShell to transfer all FSMO roles to the new Domain Controller – Preferred)
This option is best used in a Domain with only two DCs when you wish to decommission one of them and manually transfer the FSMO roles to the new DC. It is also the preferred option because it places the transfer of the FSMO roles under your control.
Open Server Manager and from the Tools menu select Active Directory Module for Windows PowerShell and type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole 0,1,2,3,4
The numbers 0 through 4 correspond to the PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster and DomainNamingMaster roles respectively, so this single command moves all five roles to the DC named by -Identity.
After the command completes, enter the commands under Locate Server(s) with FSMO Roles to verify the transfer. Once the transfer is determined to be successful continue to the Remove Active Directory Role section.
Option 3 (Use PowerShell to individually transfer the FSMO roles between Domain Controllers)
This option is best used when you have three or more DCs, including when the FSMO roles have been spread among them.
Open Server Manager and from the Tools menu select Active Directory Module for Windows PowerShell. Use only the commands for the FSMO Roles maintained by the DC you are decommissioning.
To transfer the PDCEmulator role type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole PDCEmulator
To transfer the RIDMaster role type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole RIDMaster
To transfer the InfrastructureMaster role type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole InfrastructureMaster
To transfer the DomainNamingMaster role type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole DomainNamingMaster
To transfer the SchemaMaster role type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole SchemaMaster
After the required commands have been entered and completed, enter the commands under Locate Server(s) with FSMO Roles to verify the transfer. Once the transfer is determined to be successful continue to the Remove Active Directory Role section.
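The check-then-transfer procedure of Options 2 and 3, as an added PowerShell example (not from the original article): it looks up which FSMO roles the DC being decommissioned still holds, moves only those roles to the new DC, and re-runs the check so a failed transfer is caught before demotion. It assumes the ActiveDirectory module is available, that you are running as a Domain Admin (with Enterprise and Schema Admin rights for the two forest-level roles), and uses "OLDDC" and "NEWDC" as placeholder hostnames.

```powershell
# Added example: move only the FSMO roles still held by the DC being decommissioned.
# Placeholder hostnames; replace OLDDC/NEWDC with your own servers.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Role name -> FQDN of the DC that currently holds it (same data as Get-ADDomain/Get-ADForest)
    $domain = Get-ADDomain
    $forest = Get-ADForest
    return @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        SchemaMaster         = $forest.SchemaMaster
    }
}

function Get-RolesHeldBy {
    param([Parameter(Mandatory)][string]$DcName)
    # The FSMO attributes contain FQDNs; compare on the short hostname so either form matches
    $short   = ($DcName -split '\.')[0]
    $holders = Get-FsmoRoleHolders
    return $holders.Keys | Where-Object { ($holders[$_] -split '\.')[0] -ieq $short }
}

function Move-RolesFrom {
    param(
        [Parameter(Mandatory)][string]$OldDc,
        [Parameter(Mandatory)][string]$NewDc
    )
    $roles = @(Get-RolesHeldBy -DcName $OldDc)
    if ($roles.Count -eq 0) {
        Write-Host "$OldDc holds no FSMO roles; nothing to transfer."
        return
    }
    Write-Host "Transferring from ${OldDc} to ${NewDc}: $($roles -join ', ')"
    # Graceful transfer only: -Force (a seizure) is deliberately not used here
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $roles -Confirm:$false

    # Re-check: anything still attributed to the old DC means the transfer did not complete
    $left = @(Get-RolesHeldBy -DcName $OldDc)
    if ($left.Count -gt 0) { throw "Roles still held by ${OldDc}: $($left -join ', ')" }
    Write-Host "All roles moved. Current holders:"
    Get-FsmoRoleHolders | Format-Table -AutoSize
}

Move-RolesFrom -OldDc "OLDDC" -NewDc "NEWDC"
```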
Option 4 (Manually Removing a Domain Controller)
This is the option of last resort. You are forced to use it when a catastrophic failure has occurred to a DC which held one or more FSMO roles and after you have made every effort to revive it or restore it from backup but have failed.
Open the Server Manager and from the Tools menu select Active Directory Users and Computers
Expand your Domain and select the Domain Controllers folder
In the right-hand window pane right-click on your failed DC and from the contextual menu select Delete
In the warning pop-up window ensure that the check-box next to Delete this Domain Controller anyway is checked
Click on the Delete button
After the DC is deleted from the Domain Controllers folder enter the commands under Locate Server(s) with FSMO Roles to verify the transfer. At this point you’re done!
Remove Active Directory Role
At the Review Options screen click on the Demote button
Remove Server from Active Directory Sites and Services
Open Server Manager and from the Tools menu select Active Directory Sites and Services
Close Active Directory Sites and Services window
Verify Proper Functionality of the new Domain Controller
Open Server Manager and from the Tools menu select Active Directory Module for Windows PowerShell and type the following commands:
dcdiag
dcdiag /test:dns
Verify that all tests have passed with no errors.
After verification you can shut down the decommissioned computer.
It is recommended to keep the computer around for at least a week if not more, just to be sure you can still access any needed data.
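The verification step above, as an added PowerShell example (not from the original article): it runs the two dcdiag commands against the new DC and collects any "failed test" lines, confirms the demoted server is no longer registered as a domain controller, and reports outstanding replication failures, so nothing is shut down while a problem is still open. It assumes the ActiveDirectory module and dcdiag.exe are present and uses "NEWDC" and "OLDDC" as placeholder hostnames.

```powershell
# Added example: post-demotion health check before the old server is shut down.
# Placeholder hostnames; replace NEWDC/OLDDC with your own servers.
Import-Module ActiveDirectory

function Test-NewDcHealth {
    param(
        [Parameter(Mandatory)][string]$NewDc,
        [Parameter(Mandatory)][string]$OldDc
    )
    $problems = @()

    # dcdiag prints one "... passed test X" or "... failed test X" line per test
    $failed  = @(& dcdiag.exe /s:$NewDc | Select-String -Pattern 'failed test')
    $failed += @(& dcdiag.exe /s:$NewDc /test:dns | Select-String -Pattern 'failed test')
    foreach ($line in $failed) { $problems += "dcdiag: $($line.Line.Trim())" }

    # The demoted server must no longer appear as a domain controller
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty Name
    if ($dcs -contains ($OldDc -split '\.')[0]) {
        $problems += "$OldDc is still registered as a domain controller"
    }

    # Any replication failure recorded on the new DC should be resolved before shutdown
    $repl = Get-ADReplicationFailure -Target $NewDc
    foreach ($f in $repl) { $problems += "replication: $($f.Partner) - $($f.FailureType)" }

    if ($problems.Count -eq 0) { Write-Host "$NewDc is healthy and $OldDc has been removed." }
    else { $problems | ForEach-Object { Write-Warning $_ } }
    return $problems
}

Test-NewDcHealth -NewDc "NEWDC" -OldDc "OLDDC"
```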