Proper way to decommission a domain controller?

Tiras25
Can someone point me to the proper way on how to decommission a domain controller?  Windows 2016 AD.
Thanks in advance.
VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017
Commented:
Make sure all the roles are transferred, and remove the AD role!
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013
Commented:
I suspect removing the role will prompt or do it for you, but typically, you run DCPROMO to demote the server.  After you've transferred any FSMO roles it may have.
timgreen7077, Exchange Engineer
Distinguished Expert 2018
Commented:
kevinhsieh, Network Engineer
Commented:
I would also make sure that if this is just retiring a DC and it won't be replaced, that you make sure that it isn't being used for DNS, DHCP, NPS, print server, DFS Replication, etc.
If you are thinking of replacing the DC by decommissioning it and adding a new one, then add the SAN name of the decommissioned server to the SSL cert to avoid issues at the app level. If anyone binds to the DC name then there is a problem. You have to add the DNS entry once it is demoted; at a later stage you can remove it too.
I suspect removing the role will prompt or do it for you, but typically, you run DCPROMO to demote the server.  After you've transferred any FSMO roles it may have.

Just an FYI, DCPROMO hasn't been a thing since Server 2008 R2. Since Server 2012+ all activity relating to ADDS has been centralised into Server Manager.

Proper way to decommission a domain controller?

Perform your pre-requisite checks. Everybody has their own lists and ways of doing things. Microsoft have a TechNet Wiki article that's pretty generic for a checklist. Follow it or come up with your own checklist. Generally you want to ensure you are not causing a mass application outage. We've all been there, it's never fun. Other than that follow the Microsoft guideline for demoting a domain controller, see here. Again it is good to come up with your own procedures, but you can use this as a framework. PowerShell is the new demote tool of choice that everyone should be using, but if you don't feel the need for speed, go with the GUI.

Generally speaking, it is terrible to run anything but the AD DS role on your DCs. Do not install DHCP on it. Do not install some app on there. Do not install Exchange on there. A DC is a DC and should never be more than that. Obviously some places simply don't have the money for multiple servers, they can't do anything about it and just need to live with the complications.
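
The checks raised in this thread (FSMO roles still held, other services living on the box, whether another DC remains), collected into one read-only pre-demotion script. This is an added example, not code from any of the posters or from Microsoft's guide; it assumes an elevated PowerShell session on the DC being retired, and the feature list is taken from the services named in the comments above.

```powershell
# Added example: pre-demotion checks, run elevated on the DC being retired.
# Nothing here changes the directory; the demotion itself is left commented out.
Import-Module ActiveDirectory, ServerManager, ADDSDeployment

$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
$blockers = @()

# 1. FSMO roles this DC still holds must be transferred first.
if ($dc.OperationMasterRoles) {
    $blockers += "Holds FSMO roles: $($dc.OperationMasterRoles -join ', ')"
    # Transfer (target name is a placeholder):
    # Move-ADDirectoryServerOperationMasterRole -Identity '<other-DC>' `
    #     -OperationMasterRole $dc.OperationMasterRoles
}

# 2. Other roles on the server that clients may still depend on.
$extra = Get-WindowsFeature -Name DNS, DHCP, NPAS, Print-Services, FS-DFS-Replication |
    Where-Object Installed
foreach ($f in $extra) {
    $blockers += "Role installed, confirm nothing uses it: $($f.DisplayName)"
}

# 3. Another DC, and another global catalog, must remain in the domain.
$others = @(Get-ADDomainController -Filter * |
    Where-Object { $_.HostName -ne $dc.HostName })
if ($others.Count -eq 0) {
    $blockers += 'No other domain controller found in this domain'
} elseif ($dc.IsGlobalCatalog -and -not ($others | Where-Object IsGlobalCatalog)) {
    $blockers += 'This is the only global catalog in the domain'
}

# 4. Report, and only run Microsoft's own prerequisite test when clean.
if ($blockers) {
    $blockers | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Resolve the items above before demoting.'
} else {
    $pw = Read-Host -AsSecureString 'New local Administrator password'
    Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $pw |
        Format-List Status, Message
    # When the test reports success, demote and then remove the role:
    # Uninstall-ADDSDomainController -LocalAdministratorPassword $pw
    # Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
}
```

The script cannot see clients or applications that reference this server by name or IP for DNS or LDAP; those still need to be checked separately, as the comments above point out.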
