DC Decommissioning

This article will walk you through the basics of demoting and removing a domain controller from an active domain. We’ll start by walking through the existing domain, ensuring all roles and functions are configured correctly. Once confirmed, we’ll initiate the demotion process.

Prerequisites

When performing a demotion, the devil’s in the details. The demotion itself is quite easy, as it’s a single PowerShell command; however, to ensure no issues arise after the demotion has taken place, a number of checks should be performed beforehand.

Perform Health Check

Perform a DC Health Check on the domain controller to verify that it’s fully functional. It’s recommended that any errors be resolved prior to continuing.

Verify FSMO Roles

Ensure all FSMO (Flexible Single Master Operation) roles are located or migrated onto other DCs.

Please see FSMO Roles for information on completing this step.

Verify Global Catalog

Ensure at least one other DC holds a copy of the Global Catalog. Please see Global Catalog for more information on determining which DCs contain a replica of the Global Catalog and how to add additional DCs.

Test Demotion Process

Perform a dry-run and validate that the demotion process will not fail when run.

Test-ADDSDomainControllerUninstallation
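The checks above (health, FSMO roles, global catalog, dry run) gathered into a single script, as an added example that is not part of the original article. It assumes the DC being demoted is named DC02 (a placeholder), that the script runs on DC02 as a domain admin with the ActiveDirectory and ADDSDeployment modules available, and that dcdiag /q is an acceptable stand-in for the separate DC Health Check article (dcdiag /q prints only failures, so empty output means every test passed).

```powershell
# Added example, not from the original article.
# Assumption: DC02 is a placeholder for the DC about to be demoted.
$Target = 'DC02'
$fails  = @()

# 1. Health: dcdiag /q is silent when all tests pass, so any output is a problem.
$dcdiag = & dcdiag.exe /s:$Target /q
if ($dcdiag) { $fails += "dcdiag reported problems:`n$($dcdiag -join "`n")" }

# 2. FSMO roles: none of the five may still sit on the target.
#    Get-ADForest / Get-ADDomain return the role holder as an FQDN.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -like "$Target.*") {
        $fails += "$($role.Key) is still held by $($role.Value)"
    }
}

# 3. Global catalog: at least one *other* DC must hold a GC replica.
$otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Where-Object { $_.Name -ne $Target }
if (-not $otherGCs) { $fails += 'No other global catalog server exists' }

# 4. Replication: a DC with outstanding failures should not be demoted yet,
#    because the demotion itself relies on a final successful replication.
$replFail = Get-ADReplicationFailure -Target $Target
if ($replFail) { $fails += "Replication failures recorded on $Target" }

# 5. Dry run of the demotion. The password is the one the local Administrator
#    account gets once the server is a member server again.
$localAdminPwd = Read-Host -AsSecureString -Prompt 'Local Administrator password after demotion'
$test = Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdminPwd
if ($test.Status -ne 'Success') {
    $fails += "Test-ADDSDomainControllerUninstallation: $($test.Message)"
}

if ($fails) {
    $fails | ForEach-Object { Write-Warning $_ }
    throw "$Target is not ready to demote"
}
Write-Output "$Target passed all pre-demotion checks"
```

Run it once, fix whatever it reports, and run it again until it finishes cleanly; a warning from any step is a reason to stop, since the demotion removes the DC’s replica and cannot be undone by rebooting.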

Scream Test (Optional)

Lastly, some technicians recommend that, prior to fully demoting and removing the domain controller, you first shut down or disconnect the DC for a short period of time. This simulates the removal of the DC and shows whether anything significant still depends on it.

Initiate the Demotion Process

When confident that the DC is ready for removal, run the following command to demote the DC.

Uninstall-ADDSDomainController
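The demotion with its parameters spelled out, as an added example that is not part of the original article. It assumes the command runs on the DC being demoted, that this DC is not the last one in the domain, and that the FSMO roles were already moved in the earlier step.

```powershell
# Added example, not from the original article.
$localAdminPwd = Read-Host -AsSecureString -Prompt 'Local Administrator password after demotion'

$params = @{
    LocalAdministratorPassword = $localAdminPwd
    # $false: abort instead of silently transferring any FSMO role the
    # prerequisite step missed; a surprise transfer is worth stopping for.
    DemoteOperationMasterRole  = $false
    # $false: leave delegations in the parent DNS zone alone; they are
    # reviewed by hand during the DNS cleanup.
    RemoveDnsDelegation        = $false
    # $false: reboot as soon as the demotion finishes.
    NoRebootOnCompletion       = $false
}

# Do not add ForceRemoval = $true here. That flag skips the graceful removal
# from Active Directory and leaves server metadata behind that must then be
# cleaned with ntdsutil; it is only for a DC that can no longer replicate.
Uninstall-ADDSDomainController @params
```

Splatting keeps each switch next to the reason it is set, and the confirmation prompt is left on so the operator sees the summary before the server leaves the domain.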

Uninstall ADDS (Optional)

Optionally uninstall the ADDS feature from the server.

Uninstall-WindowsFeature AD-Domain-Services

Final Steps

Assuming you’ll shut down the host (never to be turned on again), run the following commands to ensure no remnants of the host remain within Active Directory.

Delete the host’s computer object within Active Directory.

Remove-ADComputer -Identity HOSTNAME

Search for and clear or modify any lingering SPN (Service Principal Name) records. Further research is required if an entry is found.

setspn -Q */HOSTNAME*

Search for and clear any DNS records associated with the DC.

Get-DnsServerResourceRecord -ZoneName "ad.twobyte.blog" | Where-Object { $_.HostName -match "HOSTNAME" -or ($_.RecordData | Out-String) -match "HOSTNAME" }

If a record is found, delete it. For example:

Remove-DnsServerResourceRecord -ZoneName "ad.twobyte.blog" -Name "HOSTNAME" -RRType "A"
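The three cleanup steps (computer object, SPNs, DNS) as one dry-run script, added here as an example that is not part of the original article. It goes slightly beyond the commands above by walking every primary forward and reverse zone on the server rather than the domain zone alone, which also catches the NS, SRV and CNAME entries under _msdcs and the PTR record. It assumes the demoted host was DC02 (a placeholder) in ad.twobyte.blog (the zone name used above), and that it runs on a remaining DC that also hosts DNS, with the ActiveDirectory and DnsServer modules available.

```powershell
# Added example, not from the original article.
# Assumption: DC02 is a placeholder for the host that was demoted.
$HostName   = 'DC02'
$DomainName = 'ad.twobyte.blog'
$Fqdn       = "$HostName.$DomainName"
$WhatIf     = $true     # flip to $false only after reviewing the dry-run output

# Guard: refuse to delete anything while the host is still a registered DC.
$stillDc = Get-ADDomainController -Filter "Name -eq '$HostName'"
if ($stillDc) {
    throw "$HostName is still registered as a domain controller; demote it or clean its metadata first."
}

# 1. Computer object. After a clean demotion it is an ordinary member server object.
$computer = Get-ADComputer -Filter "Name -eq '$HostName'"
if ($computer) {
    Remove-ADComputer -Identity $computer -Confirm:$false -WhatIf:$WhatIf
}

# 2. SPNs. setspn -Q only reports; anything it finds needs a human to decide
#    whether the owning account should be fixed or removed.
$spnHits = & setspn.exe -Q "*/$HostName*" | Where-Object { $_ -match [regex]::Escape($HostName) }
$spnHits | ForEach-Object { Write-Warning "Lingering SPN reference: $_" }

# 3. DNS. Match on the record name (A/AAAA) and on the record data
#    (NS, SRV, CNAME, PTR all carry the FQDN inside RecordData).
$zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
$hits = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName |
        Where-Object {
            $_.HostName -eq $HostName -or
            ($_.RecordData | Out-String) -match [regex]::Escape($Fqdn)
        } |
        ForEach-Object { [pscustomobject]@{ Zone = $zone.ZoneName; Record = $_ } }
}

foreach ($hit in $hits) {
    $r = $hit.Record
    Write-Output ('{0,-30} {1,-6} {2}' -f $hit.Zone, $r.RecordType, $r.HostName)
    Remove-DnsServerResourceRecord -ZoneName $hit.Zone -InputObject $r -Force -WhatIf:$WhatIf
}
```

With $WhatIf left at $true the script only prints what it would delete; review that list against the DC’s former roles (an NS entry in a zone you did not expect is a sign another server still points at it) before running it for real.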