Proper way to decommission a domain controller?

Can someone point me to the proper way on how to decommission a domain controller?  Windows 2016 AD.
Thanks in advance.
LVL 17
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization ConsultantCommented:
Make sure all the roles are transferred, and remove the AD role!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Lee W, MVPTechnology and Business Process AdvisorCommented:
I suspect removing the role will prompt or do it for you, but typically, you run DCPROMO to demote the server.  After you've transferred any FSMO roles it may have.
timgreen7077Exchange EngineerCommented:
PMI ACP® Project Management

Prepare for the PMI Agile Certified Practitioner (PMI-ACP)® exam, which formally recognizes your knowledge of agile principles and your skill with agile techniques.

I would also make sure that if this is just retiring a DC and it won't be replaced, that you make sure that it isn't being used for DNS, DHCP, NPS, print server, DFS Replication, etc.
Sekar ChinnakannuStaff EngineerCommented:
If you think of changing the DC by decom and adding new one, then add SAN name of decom server in ssl cert to avoid issues with app level. IF anyone bind the DC name then there is a problem. You have to add the dns entry once demo later  stage you can remove too.
I suspect removing the role will prompt or do it for you, but typically, you run DCPROMO to demote the server.  After you've transferred any FSMO roles it may have.

Just an FYI, DCPROMO hasn't been a thing since Server 2008 R2. Since Server 2012+ all activity relating to ADDS has been centralised into Server Manager.

Proper way to decommission a domain controller?

Perform your pre-requisite checks. Everybody has their own lists and ways of doing things. Microsoft have a TechNet Wiki article that's pretty generic for a checklist. Follow it or come up with your own chec list. Generally you want to ensure you are not causing a mass application outage. We've all been there, its never fun. Other than that follow the Microsoft guideline for demoting a domain controller, see here. Again it is good to come up with your own procedures, but you can use this as a framework. PowerShell is the new demote tool of choice that everyone should be using, but if you don't feel the need for speed, go with the GUI.

Generally speaking, it is terrible to run anything but the AD DS role on your CD's. Do not install DHCP on it. Do not install some app on there. Do not install Exchange on there. A DC is a DC and should never be more than that. Obviously some places simply don't have the money for multiple servers, they can't do anything about it and just need to live with the complications.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
IT Administration

From novice to tech pro — start learning today.