Windows Active Directory
Decommission A Domain Controller

Purpose

Decommission a Domain Controller (DC) only when at least one other DC exists in the domain. Every DC holds a full copy of the directory, so the second DC is what preserves your accounts, Group Policy and DNS zones when the first one is demoted; demoting the only DC destroys the domain. The usual reasons for decommissioning a DC are that a newer one is in place (typically running a newer version of the Windows Server operating system), that you are replacing aging server hardware, or both.

Prerequisites

  • Multiple Domain Controllers

Solution

The best practice is to build your Windows domain with multiple Domain Controllers. However, due to the cost of licensing, maintenance, and disaster recovery, this isn't always feasible. Once you have added the new server, promoted it to a Domain Controller, and confirmed that replication to and from it has converged (repadmin /replsummary on either DC should report zero failures in both directions), you can begin the decommissioning process.

Locate Server(s) with FSMO Roles

Log in to the Domain Controller that you wish to decommission with your Domain Admin credentials
Check which Flexible Single Master Operation (FSMO) roles exist in Active Directory and which server holds each of them
Open Server Manager and from the Tools menu select Active Directory Module for Windows PowerShell and type the following commands:

Get-ADDomain | FL InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | FL DomainNamingMaster, SchemaMaster

The holders are reported as fully qualified host names. Note which of the five roles are held by the server you are decommissioning; those are the roles that must be transferred before it is demoted.
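The prerequisite check and the role inventory above can be done in one pass. The following script is an added example and not code from the original page: it refuses to continue if the DC is the last one in the domain, lists every DC with the roles it holds, and checks that replication with the DC being retired is healthy before anything is moved. It assumes the Active Directory module is available in a Domain Admin session; "OLD-DC01" is a placeholder for the DC being decommissioned.

```powershell
# Added example (not from the original page). Pre-decommission inventory.
# Assumes the Active Directory module and a Domain Admin session.
# OLD-DC01 is a placeholder for the DC that will be decommissioned.
Import-Module ActiveDirectory

$OldDc = 'OLD-DC01'

# 1. Refuse to continue unless at least one other DC exists in this domain.
$dcs    = @(Get-ADDomainController -Filter *)
$others = @($dcs | Where-Object { $_.Name -ine $OldDc })
if ($others.Count -lt 1) {
    throw "$OldDc is the only domain controller; demoting it would destroy the domain."
}

# 2. Every DC in the domain and the operations master roles it holds.
#    Forest-level roles (SchemaMaster, DomainNamingMaster) appear here too.
$dcs | Select-Object Name, Site, IPv4Address, OperationMasterRoles | Format-Table -AutoSize

# 3. Only the roles held by the DC being removed need to be transferred.
$oldRoles = @(($dcs | Where-Object { $_.Name -ieq $OldDc }).OperationMasterRoles)
if ($oldRoles.Count -gt 0) {
    Write-Warning "$OldDc still holds: $($oldRoles -join ', '). Transfer these before demoting."
} else {
    Write-Host "$OldDc holds no operations master roles."
}

# 4. Replication must be clean in both directions before demotion; otherwise
#    changes made only on OLD-DC01 (new accounts, password resets) are lost.
$failures = @(Get-ADReplicationFailure -Target $OldDc -Scope Server)
if ($failures.Count -gt 0) {
    Write-Warning "Replication failures involving $OldDc:"
    $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize
}

Get-ADReplicationPartnerMetadata -Target $OldDc -PartnerType Both -Partition * |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
```

A LastReplicationResult of 0 and ConsecutiveReplicationFailures of 0 for every partner and partition is what you want to see; do not proceed while any partner shows a recent failure, because the demotion wizard replicates the DC's final changes out through exactly these partners.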

Transfer the FSMO roles

You have four options for transferring the FSMO roles from the Domain Controller that you are about to decommission. Whichever you choose, moving the Schema Master requires membership in Schema Admins and moving the Domain Naming Master requires Enterprise Admins; Domain Admins is sufficient for the three domain-level roles.

Option 1 (Using Server Manager to demote the Domain Controller)

This is the easiest option because the demotion wizard transfers any FSMO roles the DC holds to another DC for you. You do not get to choose the destination, so it is best used in a domain with only two DCs, where there is only one possible recipient. To use this option go directly to the Remove Active Directory Role section.

Option 2 (Use PowerShell to transfer all FSMO roles to the new Domain Controller – Preferred)

This option is best used in a domain with only two DCs when you wish to decommission one of them and transfer the FSMO roles to the new DC yourself. It is the preferred option because it places the transfer of FSMO roles under your control. The numbers 0 to 4 in the command below stand for PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster and DomainNamingMaster. The cmdlet moves the named roles to the target from wherever they currently are, so use this all-roles form only when the DC being decommissioned holds all five.
Open Server Manager and from the Tools menu select Active Directory Module for Windows PowerShell and type the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole 0,1,2,3,4

The cmdlet asks you to confirm the move. After it completes, re-run the commands under Locate Server(s) with FSMO Roles to verify the transfer. Once the transfer is confirmed, continue to the Remove Active Directory Role section.

Option 3 (Use PowerShell to individually transfer the FSMO roles between Domain Controllers)

This option is best used when you have three or more DCs, particularly when the FSMO roles are spread among them, because it moves only the roles you name and leaves the others where they are.
Open Server Manager and from the Tools menu select Active Directory Module for Windows PowerShell. Run only the commands for the FSMO roles held by the DC you are decommissioning.
To transfer the PDCEmulator role type the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole PDCEmulator

To transfer the RIDMaster role type the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole RIDMaster

To transfer the InfrastructureMaster role type the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole InfrastructureMaster

To transfer the DomainNamingMaster role type the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole DomainNamingMaster

To transfer the SchemaMaster role type the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "newDCname" -OperationMasterRole SchemaMaster

After the required commands have completed, re-run the commands under Locate Server(s) with FSMO Roles to verify the transfer. Once the transfer is confirmed, continue to the Remove Active Directory Role section.

Option 4 (Manually Removing a Domain Controller)

This is the option of last resort. You are forced to use it when a DC that held one or more FSMO roles has failed catastrophically and every effort to revive it or restore it from backup has failed. In this path the roles are seized rather than transferred, and the deletion cleans the failed DC's metadata out of the directory, so the failed server must never be reconnected to the network: if it is ever repaired, rebuild it from scratch.
Open the Server Manager and from the Tools menu select Active Directory Users and Computers
Expand your Domain and select the Domain Controllers folder
In the right-hand window pane right-click on your failed DC and from the contextual menu select Delete
In the warning pop-up window ensure that the check-box next to Delete this Domain Controller anyway is checked; if the DC held operations master roles, the dialog shows the DC they will be moved to
Click on the Delete button
After the DC is deleted from the Domain Controllers folder, enter the commands under Locate Server(s) with FSMO Roles and verify that no role is still listed against the failed server. Skip the Remove Active Directory Role section, which requires the server to be running, and continue with Remove Server from Active Directory Sites and Services and the verification steps below.
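Options 2 and 3 above, and the seizure that Option 4 performs behind its dialog, are the same cmdlet with and without -Force. The following function is an added example, not code from the original page: it reads the current role holders exactly as the Locate Server(s) with FSMO Roles commands do, moves only the roles the retiring DC actually holds, and then re-reads the holders to confirm the result instead of trusting the cmdlet's return. "OLD-DC01" and "NEW-DC01" are placeholder host names; the function name Move-FsmoRolesFrom is this example's own. It assumes the Active Directory module, a Domain Admin session, and Schema Admins or Enterprise Admins membership when the forest-level roles are involved.

```powershell
# Added example (not from the original page). Transfers, or with -Seize seizes,
# only the operations master roles that OLD-DC01 holds, then verifies.
# OLD-DC01 / NEW-DC01 are placeholders; Move-FsmoRolesFrom is not a built-in.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Same data as Get-ADDomain / Get-ADForest; holders are fully qualified host names.
    $d = Get-ADDomain
    $f = Get-ADForest
    [ordered]@{
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
    }
}

function Move-FsmoRolesFrom {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OldDc,
        [Parameter(Mandatory)][string]$NewDc,
        [switch]$Seize   # only for a DC that is permanently gone (Option 4)
    )

    $holders = Get-FsmoHolders
    # Compare on the short host name so "OLD-DC01" matches "old-dc01.corp.example.com".
    $roles = @($holders.Keys | Where-Object { ($holders[$_] -split '\.')[0] -ieq $OldDc })

    if ($roles.Count -eq 0) {
        Write-Host "$OldDc holds no operations master roles; nothing to move."
        return
    }

    $verb = if ($Seize) { 'SEIZE' } else { 'Transfer' }
    if (-not $PSCmdlet.ShouldProcess($NewDc, "$verb $($roles -join ', ') from $OldDc")) {
        return   # -WhatIf: report what would happen and stop
    }

    # -Force seizes the role without contacting the current holder. A seized
    # role must never come back: the old holder has to be rebuilt, not reconnected.
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $roles `
        -Force:$Seize -Confirm:$false

    # Verify from the directory rather than trusting the cmdlet's return value.
    $after = Get-FsmoHolders
    foreach ($r in $roles) {
        if (($after[$r] -split '\.')[0] -ine $NewDc) {
            throw "$r is still held by $($after[$r]) rather than $NewDc"
        }
    }
    [pscustomobject]$after
}

# Graceful transfer (Options 2 and 3): dry run first, then for real.
Move-FsmoRolesFrom -OldDc 'OLD-DC01' -NewDc 'NEW-DC01' -WhatIf
# Move-FsmoRolesFrom -OldDc 'OLD-DC01' -NewDc 'NEW-DC01'

# Seizure after a catastrophic failure (Option 4), never while OLD-DC01 could return:
# Move-FsmoRolesFrom -OldDc 'OLD-DC01' -NewDc 'NEW-DC01' -Seize
```

The -WhatIf run is worth the extra step: it prints exactly which roles would move and confirms that the name comparison matched the DC you meant before any role changes hands.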

Remove Active Directory Role

Open Server Manager and from the Manage menu select Remove Roles and Features
At the Select destination server window verify or select the name of the DC you are going to decommission
Click the Next button
At the Remove server roles window uncheck the check-box next to Active Directory Domain Services and click the Next button
At the Remove Roles and Features Wizard pop-up dialog box click on the Remove Features button
In the Validation Results dialog that follows, click the link Demote this domain controller
At the Credentials window click on the Next button (since you've already signed in as a Domain Admin); leave Force the removal of this domain controller unchecked, because a forced removal does not replicate the DC's final changes or transfer its roles
At the Warnings window check the check-box next to Proceed with removal and then click the Next button
At the Removal Options screen leave the check-box next to Remove DNS delegation unchecked and click on the Next button
At the New Administrator Password screen enter the password for the server's local Administrator account (after demotion the server is an ordinary member server, so record this password in your password vault) and click on the Next button

At the Review Options screen click on the Demote button. The server restarts as a member server; once it is back, run Remove Roles and Features again to remove the Active Directory Domain Services role binaries (and the DNS Server role, if it was installed only to serve the domain).

Remove Server from Active Directory Sites and Services

Log in to your new Domain Controller with your Domain Admin credentials
Open Server Manager and from the Tools menu select Active Directory Sites and Services
Expand Sites > Default-First-Site-Name (or whichever site the server belonged to) > Servers
Right-click on the server you are decommissioning and select Delete from the contextual menu. If the console warns that the server still has an NTDS Settings object, stop: the demotion did not complete (or has not replicated yet), and deleting it here would be a metadata cleanup of a live DC

Close Active Directory Sites and Services window
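The same cleanup can be scripted, which also lets you enforce the safety check from the step above before anything is deleted. The following function is an added example, not code from the original page: it finds the retired DC's server object under CN=Sites in the configuration partition (in whichever site it lives), refuses to proceed if an NTDS Settings (nTDSDSA) child still exists, and only then removes the server object. "OLD-DC01" is a placeholder; the function name Remove-RetiredDcServerObject is this example's own.

```powershell
# Added example (not from the original page). Removes the retired DC's server
# object from Sites and Services only after confirming the demotion completed.
# OLD-DC01 is a placeholder; Remove-RetiredDcServerObject is not a built-in.
Import-Module ActiveDirectory

function Remove-RetiredDcServerObject {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$OldDc)

    $configNc = (Get-ADRootDSE).configurationNamingContext
    $sitesDn  = "CN=Sites,$configNc"

    # The object is CN=<name>,CN=Servers,CN=<site>,CN=Sites,<config NC>.
    # Search every site rather than assuming Default-First-Site-Name.
    $server = @(Get-ADObject -SearchBase $sitesDn -LDAPFilter "(&(objectClass=server)(cn=$OldDc))")
    if ($server.Count -eq 0) {
        Write-Host "No server object for $OldDc under $sitesDn; nothing to do."
        return
    }
    if ($server.Count -gt 1) {
        throw "More than one server object matched $OldDc; inspect them manually."
    }
    $dn = $server[0].DistinguishedName

    # A surviving NTDS Settings child means this is still a DC (demotion did not
    # finish, or has not replicated here yet). Deleting it would be a metadata
    # cleanup, which is only appropriate for a permanently dead DC (Option 4).
    $ntds = @(Get-ADObject -SearchBase $dn -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)')
    if ($ntds.Count -gt 0) {
        throw "$OldDc still has an NTDS Settings object; demote it first or use Option 4."
    }

    if ($PSCmdlet.ShouldProcess($dn, 'Remove server object from Sites and Services')) {
        Remove-ADObject -Identity $dn -Recursive -Confirm:$false
    }
}

Remove-RetiredDcServerObject -OldDc 'OLD-DC01' -WhatIf   # dry run
# Remove-RetiredDcServerObject -OldDc 'OLD-DC01'
```

If the nTDSDSA check fires on a DC you believe was demoted, wait for replication to the DC you are running on (or query that DC's replication partner) before retrying; do not force the deletion to make the warning go away.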

Verify Proper Functionality of the new Domain Controller

Log in to your new Domain Controller with your Domain Admin credentials

Open Server Manager and from the Tools menu select Active Directory Module for Windows PowerShell and type the following commands:

dcdiag
dcdiag /test:dns

Verify that all tests have passed with no errors, and then check that nothing still points at the old DC: the DNS client settings of the remaining DCs, DHCP scope options and any statically configured servers should no longer list its IP address, and the _msdcs SRV records should no longer name it.
After verification you can shut down the decommissioned server.
Keep the powered-off server for at least a week, if not longer, in case data that lived only on it is still needed. Before the hardware is reused or disposed of, wipe its disks: its former copy of NTDS.dit holds the password hashes of every account in the domain, including krbtgt.
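The verification above can be run against every remaining DC at once, together with the checks for leftover references to the old server. The following script is an added example, not code from the original page: it runs dcdiag in quiet mode against each remaining DC, queries the _msdcs SRV and zone NS records for the retired server's name, and reads each remaining DC's DNS client settings for the retired server's IP. "OLD-DC01", 10.0.0.10 and the domain name are placeholders; the script assumes the Active Directory and DnsClient modules and a Domain Admin session with remote CIM access to the other DCs.

```powershell
# Added example (not from the original page). Post-demotion checks.
# OLD-DC01 and 10.0.0.10 are placeholders for the retired DC and its address.
Import-Module ActiveDirectory

$OldDc  = 'OLD-DC01'
$OldIp  = '10.0.0.10'
$domain = (Get-ADDomain).DNSRoot
$remaining = @(Get-ADDomainController -Filter * | Where-Object { $_.Name -ine $OldDc })

# 1. dcdiag /q prints only failures, so no output means every test passed.
foreach ($dc in $remaining) {
    $target = "/s:$($dc.HostName)"
    $out = @(dcdiag $target /q 2>&1)
    if ($out.Count -gt 0) {
        Write-Warning "dcdiag reported problems on $($dc.HostName):`n$($out -join "`n")"
    } else {
        Write-Host "dcdiag clean on $($dc.HostName)"
    }
    $out = @(dcdiag $target /test:dns /q 2>&1)
    if ($out.Count -gt 0) {
        Write-Warning "dcdiag /test:dns reported problems on $($dc.HostName):`n$($out -join "`n")"
    }
}

# 2. The retired DC must no longer be advertised as a DC or a name server.
$srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop)
$staleSrv = @($srv | Where-Object { $_.NameTarget -like "$OldDc.*" })
if ($staleSrv.Count -gt 0) {
    Write-Warning "SRV records in _msdcs still point at $OldDc; remove them from DNS."
}
$ns = @(Resolve-DnsName -Name $domain -Type NS -ErrorAction Stop)
$staleNs = @($ns | Where-Object { $_.NameHost -like "$OldDc.*" })
if ($staleNs.Count -gt 0) {
    Write-Warning "$OldDc is still listed as an NS for $domain; remove the NS record."
}

# 3. Remaining DCs must not use the old address as a resolver; clients and
#    DHCP scopes that do will fail once the server is powered off.
foreach ($dc in $remaining) {
    $servers = @(Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                 Select-Object -ExpandProperty ServerAddresses)
    if ($servers -contains $OldIp) {
        Write-Warning "$($dc.HostName) still lists $OldIp as a DNS server; update its NIC settings."
    }
}
```

Stale SRV records for a gracefully demoted DC normally disappear on their own once scavenging runs, but the NS record and any static DNS client or DHCP option entries are not touched by demotion and have to be fixed by hand.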