Decommissioning an Active Directory Domain Controller (Windows Server 2003/2008) is a fairly straightforward task, so long as you make sure nothing relies on that server specifically. I will cover the demotion steps (fairly easy), but first I will go through a checklist (and how-to) of the gotchas that can catch you out when doing this.
UPDATE: 27/09/2019 – Quick update to say that this is definitely the most popular comment on my blog. Thank you all for all the comments, and please do keep them coming. The more comments I get, the more likely I will start to write articles again.
What to check before demoting your DC?
The most important things to look out for are the following components that are either running or registered against the system:
- Global Catalog
- FSMO Roles
- Bridgehead server
- General server checks
- You have enterprise admin credentials
Global Catalog
If you remove the last remaining Global Catalog server from a domain, you will experience logon issues across the domain along with other functions like searches and lookups.
If you remove the last Global Catalog server from a site, users/machines will have to contact a Global Catalog server from a different site. This may not cause problems with small branch offices, however large sites may suffer with the additional overhead in traffic.
To check which domain controllers in your domain are functioning as Global Catalog servers, type the following command:
dsquery server -domain #DomainName# | dsget server -isgc -dnsname
Note: replace #DomainName# with the domain of the DC that you are demoting. The output should look similar to this:
If you have more Global Catalog servers than just the DC you are preparing to demote, there is nothing else to do, as the DCPROMO steps will remove the GC role automatically. If you don’t have any more, follow MS article 296882 to make another DC a GC.
Resources:
- Global Catalog Servers: http://technet.microsoft.com/en-us/library/cc977998.aspx
- Determine whether a domain controller is a global catalog server (Windows Server 2003): http://technet.microsoft.com/en-us/library/cc786686%28v=ws.10%29.aspx
- Determine whether a domain controller is a global catalog server (Windows Server 2008): http://technet.microsoft.com/en-us/library/cc794880%28v=ws.10%29.aspx
- How to promote a domain controller to a global catalog server (KB 296882): http://support.microsoft.com/kb/296882
FSMO roles
Flexible Single Master Operation roles (FSMO) are a feature of Microsoft’s Active Directory and you need to make sure they are not present on the server you are demoting.
To check that the current server is not an FSMO role holder, simply run the following command:
netdom query fsmo
The output should look similar to this:
If none of the server names listed is the one you are demoting, you have nothing else to do. If one of them is, follow MS KB article 324801, noted below, to transfer the role first.
Resources:
- Flexible Single Master Operations: http://en.wikipedia.org/wiki/Flexible_single_master_operation
- How to view and transfer FSMO roles in Windows Server (KB 324801): http://support.microsoft.com/kb/324801
- Understanding FSMO Roles in Active Directory: http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm
Bridgehead Server
As Microsoft describe it, ‘A bridgehead server is a domain controller that has been either administratively assigned or automatically chosen to replicate changes collected from other domain controllers in the site to bridgehead servers in other sites.’ If you have multiple sites, you want to make sure the server you are demoting is not a bridgehead server. To check whether it is, run the following command on the console of the server being demoted:
repadmin /bridgeheads
The output lists all the bridgeheads configured on that server. If none are listed (as in the original screenshot), you don’t have any configured; otherwise you will need to reconfigure this before proceeding.
To do a whole check on the site, simply extend the command to
repadmin /bridgeheads site:#sitename#
where #sitename# is the name of the Active Directory site. The output for that looks like this:
Resources:
- Description of Bridgehead Servers in Windows 2000 (KB 271997): http://support.microsoft.com/kb/271997
- What is bridgehead server, preferred bridgehead server and Knowledge Consistency Checker (KCC): http://www.omnisecu.com/windows-2003/active-directory/what-is-bridgehead-server.htm
General Server Checks
There are some general server checks that you should run on your servers/domain to make sure it is healthy before running a DCPromo. There are a couple of reports that give you plenty of info, and they are quite easy to read. Search for the terms ‘error’ or ‘fail’ in the dcdiag and netdiag reports to locate the problem areas, but I do recommend reading through the entire logs to familiarise yourself with them.
DCDiag (part of the WS03 SP1 Support Tools) displays detailed diagnostic information about your domain controllers.
dcdiag.exe /V /C /D /E /s:#DomainControllerName# > c:\dcdiag.log
NetDiag provides information about specific network configuration for the local machine.
netdiag.exe /v > c:\netdiag.log
RepAdmin helps diagnose AD replication issues with WS03 and WS08 DCs.
repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues.
dnslint /ad /s #IPAddressOfServer#
Resources:
- Windows Server 2003 Service Pack 1 Support Tools (KB 892777): http://support.microsoft.com/kb/892777
- Repadmin: http://technet.microsoft.com/en-us/library/cc770963%28v=ws.10%29.aspx
- Description of the DNSLint utility (KB 321045): http://support.microsoft.com/kb/321045
Admin Credentials
There are two types of administrator credentials you may need to use:
- Enterprise Admins: required if you need to move all FSMO roles, because transferring the Schema master or Domain naming master roles needs enterprise-level rights.
- Domain Admins: sufficient for the rest of the operations.
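The checks above (FSMO roles, last Global Catalog in the domain or site, bridgehead status) can be rolled into one report for the DC you intend to demote. The following is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later), repadmin.exe on the path, and is run on the DC being demoted as the post instructs. `Test-DcDemotionReadiness` and the hostname `OLDDC01` are placeholders.

```powershell
# Added example (not from the original post). Consolidates the pre-demotion
# checks into one report. Assumes the ActiveDirectory module and repadmin.exe.
Import-Module ActiveDirectory

function Test-DcDemotionReadiness {
    param([Parameter(Mandatory)][string]$DcToDemote)   # hostname, placeholder

    $dc  = Get-ADDomainController -Identity $DcToDemote
    $all = Get-ADDomainController -Filter *
    [string[]]$findings = @()

    # FSMO roles: dcpromo will not transfer these for you (KB 324801).
    if ($dc.OperationMasterRoles.Count -gt 0) {
        $findings += "Holds FSMO role(s): $($dc.OperationMasterRoles -join ', ')"
    }

    # Global Catalog: warn if this is the last GC in the domain or in its site.
    if ($dc.IsGlobalCatalog) {
        $otherGcs = $all | Where-Object {
            $_.IsGlobalCatalog -and $_.Domain -eq $dc.Domain -and $_.HostName -ne $dc.HostName }
        if (-not $otherGcs) {
            $findings += "Last Global Catalog in domain $($dc.Domain) (see KB 296882)"
        } elseif (-not ($otherGcs | Where-Object { $_.Site -eq $dc.Site })) {
            $findings += "Last Global Catalog in site $($dc.Site); clients there will use another site"
        }
    }

    # Bridgehead: heuristic textual match on repadmin output for this DC's site,
    # skipping repadmin's own header lines so they cannot produce a false match.
    $bridge = & repadmin.exe /bridgeheads "site:$($dc.Site)" 2>&1 |
        Where-Object { $_ -notmatch '^Repadmin:' }
    if ($bridge -match [regex]::Escape($dc.Name)) {
        $findings += "Listed as a bridgehead for site $($dc.Site); reconfigure replication first"
    }

    # AD Certificate Services blocks dcpromo until it is removed.
    $certSvc = Get-Service -ComputerName $dc.HostName -Name CertSvc -ErrorAction SilentlyContinue
    if ($certSvc) { $findings += "Certificate Services (CertSvc) is installed; remove it before demoting" }

    [pscustomobject]@{
        DomainController = $dc.HostName
        ReadyToDemote    = ($findings.Count -eq 0)
        Findings         = $findings
    }
}

Test-DcDemotionReadiness -DcToDemote 'OLDDC01'   # placeholder hostname
```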
How to decommission a Windows Server 2003/2008
The procedure involved is fairly straightforward, so I will only document the steps. For more details and screenshots of the steps, refer to the resources below.
To demote a domain controller
- On a domain controller, click Start, and then click Run.
- In Open (or Run), type dcpromo to open the Active Directory Installation Wizard, and then click Next.
- On the Remove Active Directory page, click Next, and then continue to follow the wizard.
Resources:
- Demoting a Domain Controller: http://www.vmadmin.co.uk/microsoft/43-winserver2008/136-svr2008dcdemote
- Demote a domain controller: http://technet.microsoft.com/en-us/library/cc740017%28v=WS.10%29.aspx
Having Problems?
So you may have tried the above steps and they didn’t work? Or maybe your server crashed and you don’t want to try recovering it? There are a number of reasons why you may end up in this scenario – although not favourable, it’s not all doom and gloom. Below are some resources to get you out of a pickle.
- Complete Step by Step to Remove an Orphaned Domain Controller: http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
- Forceful removal of a DC (KB 332199): http://support.microsoft.com/kb/332199
- Metadata cleanup: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
- How to remove data in Active Directory after an unsuccessful domain controller demotion (KB 216498): http://support.microsoft.com/kb/216498
- Seize FSMO roles: http://www.petri.co.il/seizing_fsmo_roles.htm
- Configuring the time service on the PDC Emulator FSMO role holder: http://msmvps.com/blogs/acefekay/archive/2009/09/18/configuring-the-windows-time-service-for-windows-server.aspx
Thank you for this.
Glad it was useful after this many years!
Very much appreciated post.
However, in a single-site, single-forest environment, how do I add/modify the new DNS IP in the domain workstations’ NIC settings?
and
how do I remove the “decommissioned/demoted DC IP” from the workstations’ NIC settings accordingly?
Best regards.
Hi Mullah, even in a single-site, single-forest, the process in this article is focused all around removing an old domain controller, while maintaining a new domain controller.
In order to replace DNS server IPs on clients, there are 3 high level steps required:
1. Provision DHCP on the new server and transition the role from one to the other – remember you can’t have overlapping DHCP, otherwise it creates conflicts
2. Update the DNS server IPs in the DHCP scope, either after the transition or during
3. Update static DNS server IPs on clients/workstations/etc.
With regards to point 3, there are several approaches to make this easier.
1. Use remote PowerShell on all Windows devices to see if it’s statically assigned (audit), and dynamic updating of the setting.
2. Assign a second IP address to the Domain Controller. Then configure your clients to use that specific IP both statically and dynamically. This allows you to change the IP config on the DCs and move those DNS requests to a different server.
3. Assign the old Domain Controller IP address to the new server, after it has been demoted and removed from the network.
Also thanks for the comment.
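The audit-and-update approach from point 1 of the reply above, as an added example that is not part of the author's reply. It queries each host over WMI (Win32_NetworkAdapterConfiguration, which also works on the older clients discussed here), reports adapters whose DNS list still contains the old DC's IP and whether that entry came from DHCP or static config, and only rewrites static entries when `-Remediate` is given. `Get-StaleDnsClients`, the host names and the IP addresses are constructed placeholders.

```powershell
# Added example (not from the original post or reply). Audits Windows hosts
# for DNS server entries that still point at the demoted DC; remediation is
# opt-in and touches static adapters only (DHCP clients get the new scope
# option on renew). All names and IPs below are constructed placeholders.
function Get-StaleDnsClients {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$OldDcIp,
        [string]$NewDcIp,          # required for -Remediate
        [switch]$Remediate
    )
    foreach ($c in $ComputerName) {
        try {
            $nics = Get-WmiObject -ComputerName $c -Class Win32_NetworkAdapterConfiguration `
                        -Filter 'IPEnabled = TRUE' -ErrorAction Stop
        } catch { Write-Warning "$c unreachable: $($_.Exception.Message)"; continue }
        foreach ($nic in $nics) {
            $servers = @($nic.DNSServerSearchOrder)
            if ($servers -notcontains $OldDcIp) { continue }   # nothing stale here
            $source = if ($nic.DHCPEnabled) { 'DHCP (fix the scope option)' } else { 'Static' }
            $result = [pscustomobject]@{
                Computer   = $c
                Adapter    = $nic.Description
                Source     = $source
                DnsServers = ($servers -join ',')
                Fixed      = $false
            }
            # Replace the old IP in place so the client's search order is kept;
            # Select-Object -Unique avoids a duplicate if the new IP was already listed.
            if ($Remediate -and -not $nic.DHCPEnabled -and $NewDcIp) {
                $new = $servers | ForEach-Object { if ($_ -eq $OldDcIp) { $NewDcIp } else { $_ } } |
                       Select-Object -Unique
                $rc = $nic.SetDNSServerSearchOrder([string[]]$new)
                $result.Fixed = ($rc.ReturnValue -eq 0)
            }
            $result
        }
    }
}

# Audit only (constructed host names and addresses):
Get-StaleDnsClients -ComputerName 'WS01','WS02' -OldDcIp '10.0.0.10' | Format-Table -AutoSize
# Rewrite static entries once the new DC is in service:
# Get-StaleDnsClients -ComputerName 'WS01','WS02' -OldDcIp '10.0.0.10' -NewDcIp '10.0.0.20' -Remediate
```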
nicely done!
Thank you Ivan. Just removed my last 2003 server!! Yes I know it is almost 2020….but hey, it was working..
Thank you Ivan. This is very useful information for me as I am going to decommission a Windows Server 2008 R2 DC.
Ivan this is the most comprehensive and easy to follow instructions I found to demote my old Windows 2003 domain controller. My Windows 2012 server has never been setup properly. I look forward to reviewing your blog for additional help on those issues.
Thank you Ivan. It’s 2019 and this is still useful for getting rid of the remnant 2008 servers.
Comprehensive, articulate, everything you need to know. I missed the NTP setting, hence the thank-you-so-much post.
Thank you for the feedback. Greatly appreciated.
Very helpful. Great instructions. Thanks much.
I got this error:
Before you can install or remove Active Directory, you must remove Certificate Services. For information about the consequences of removing Certificate Services, see Help and Support.
Thanks for that. 🙂
Great checklist.
“And stopping netlogon service” <– this
Thank you, This was really helpful.
To add, also make sure the DNS server on the 2003 server is pointing to the new DNS server instead of itself.
And stopping netlogon service
Great simple little checklist. This saved me a lot of time, thank you!
Very very useful post
Agreed. Ridiculously useful.
Thank you so much, you saved my AD from having issues.