3 INTRODUCTION
The objective of this document is to describe the preparation for a domain controller decommission and the decommissioning steps themselves.
3.1 OBJECTIVE
The scope of this document includes the pre- and post-checks for the uninstallation of Active Directory Domain Services and the validation steps.
3.2 AUDIENCE
This document is intended for the Wintel AD Team (MBG PS) and for anyone who will be adopting this technology.
4 DISASTER RECOVERY CHALLENGES
No disaster recovery process is covered by this document.
5 PLANNING OF DOMAIN CONTROLLER DECOMMISSION
The prerequisite steps for a safe domain controller decommission are:
• Isolate the domain controller.
• Check domain controller authentication requests.
• Check the domain controller (FSMO) roles.
• Check the DNS role.
• Check whether any other roles are held by the DC.
• Observe a domain controller cooling period.
5.1 ISOLATE THE DOMAIN CONTROLLER
Create a temporary AD site and move the domain controller you want to remove into it. Make sure the temporary AD site contains only the DC's own subnet, so that no client authentication reaches the DC.
Also check that the DC's SRV records now point to the new temporary AD site, and delete any record still pointing to it from the old user site. This should happen dynamically with no manual action required; just make sure the SRV records are in place as expected.
5.2 CHECK DOMAIN CONTROLLER AUTHENTICATION REQUEST
Make sure auditing is enabled for all logon and logoff events. Check for Event ID 540 on a Windows Server 2003 DC, and Event ID 4624 on Windows Server 2008 R2, 2012 R2 and 2016, in the Security event log of the domain controller being decommissioned. This shows any users who have logged on through this DC from any workstation, and also reveals whether any application still uses the DC through a static configuration.
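The following is an added example, not part of the original document: it reads Event ID 4624 from the Security log of the DC being decommissioned and summarises the remaining logon sources so each one can be re-pointed. It assumes Windows Server 2008 R2 or later with logon auditing enabled; the DC name is a placeholder.

```powershell
# Added example: who is still authenticating against the DC being decommissioned?
$DomainController = 'DC-TO-DECOMMISSION'   # placeholder: DC under decommission
$Days = 7                                  # look-back window

$filter = @{
    LogName   = 'Security'
    Id        = 4624                        # "An account was successfully logged on"
    StartTime = (Get-Date).AddDays(-$Days)
}

# Read the events from the DC and pull the fields out of the event XML
$logons = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType   = [int]$d.LogonType          # 2 interactive, 3 network, 10 RDP
            Workstation = $d.WorkstationName
            IpAddress   = $d.IpAddress
        }
    }

# Drop noise that does not indicate a real client dependency: computer accounts
# (name ends in '$'), SYSTEM logons and logons originating from the DC itself.
$clients = $logons | Where-Object {
    $_.User -notmatch '\$$' -and
    $_.User -notmatch '\\SYSTEM$' -and
    $_.IpAddress -notin @('-', '127.0.0.1', '::1')
}

# One row per source address and logon type, newest sighting and the users seen
$summary = $clients |
    Group-Object IpAddress, LogonType |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Group[0].IpAddress
            LogonType = $_.Group[0].LogonType
            Logons    = $_.Count
            Users     = ($_.Group.User | Sort-Object -Unique) -join ';'
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    } | Sort-Object Logons -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -Path ".\$DomainController-logons.csv" -NoTypeInformation
```

Logon type 3 entries from a stable set of addresses usually point to applications with a statically configured DC rather than to users.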
5.3 CHECK DOMAIN CONTROLLER ROLE.
Check whether any FSMO roles are held by this DC with “netdom query fsmo”; if so, move the roles to other domain controllers.
5.4 CHECK THE DNS ROLE.
Check whether any member server/computer or DHCP scope uses the domain controller's IP as its primary DNS server, and change it to another DNS server in the domain.
5.5 CHECK WHETHER ANY OTHER ROLES ARE HELD BY THE DC.
Roles such as DFSR, file server, print server and any other server role must be moved to a different live server.
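As an added example covering the checks in 5.3, 5.4 and 5.5 (not part of the original document), this script reports FSMO roles, global catalog status, DHCP scopes handing out the DC as a DNS server, and other installed roles. It assumes the ActiveDirectory, DhcpServer and ServerManager modules; the DC and DHCP server names are placeholders, and statically configured DNS clients are not visible here (the 4624 audit in 5.2 finds those).

```powershell
# Added example: pre-decommission dependency checks for sections 5.3 to 5.5
Import-Module ActiveDirectory
$dc         = 'DC-TO-DECOMMISSION'   # placeholder: DC being removed
$dhcpServer = 'DHCP01'               # placeholder: DHCP server whose scopes are inspected
$issues     = New-Object System.Collections.Generic.List[string]

# 5.3: FSMO roles held by this DC (PowerShell equivalent of "netdom query fsmo")
$domain = Get-ADDomain
$forest = Get-ADForest
$fsmo = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
foreach ($role in $fsmo.Keys) {
    # role holders are returned as FQDNs, so match on the short name prefix too
    if ($fsmo[$role] -eq $dc -or $fsmo[$role] -like "$dc.*") {
        $issues.Add("FSMO role $role is still held by $dc; move it with Move-ADDirectoryServerOperationMasterRole")
    }
}

# Global catalog status: the post clean-up asks for an extra confirmation for a GC
$dcObj = Get-ADDomainController -Identity $dc
if ($dcObj.IsGlobalCatalog) { $issues.Add("$dc is a global catalog server") }

# 5.4: DHCP scopes that hand out this DC's address as a DNS server (option 006)
$dcIp = $dcObj.IPv4Address
foreach ($scope in Get-DhcpServerv4Scope -ComputerName $dhcpServer) {
    $opt = Get-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $scope.ScopeId `
                                       -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt -and $opt.Value -contains $dcIp) {
        $issues.Add("DHCP scope $($scope.ScopeId) uses $dcIp as a DNS server")
    }
}

# 5.5: other installed roles (DFSR, file, print, ...) that must move first
$roles = Get-WindowsFeature -ComputerName $dc |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -ne 'AD-Domain-Services' }
foreach ($r in $roles) { $issues.Add("Role '$($r.DisplayName)' is still installed on $dc") }

if ($issues.Count -eq 0) { "No blocking dependencies found for $dc." } else { $issues }
```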
5.6 DOMAIN CONTROLLER COOLING PERIOD.
Shut down the domain controller for a week before permanently decommissioning/powering it off. Any application server, user or client system that still uses the DC will fail and you will be notified; you can then fix the issue by re-pointing it to another working domain controller.
In the worst case you can power the domain controller back on and keep it live until the issue has been fixed, which minimises the impact.
6 STEPS TO DEMOTE THE DOMAIN CONTROLLER ROLE
The steps below are recommended for removing the domain controller role from the server.
Step 1. Open Server Manager
Step 2. Select Manage -> “Remove Roles and Features” and click Next on the “Before you begin” page.
Step 3. On the server selection page, select the server you want to demote and click the next button.
In this example, I’m demoting server “srv-2016”.
Step 4. Uncheck “Active Directory Domain Services” on the Server Roles page.
When you uncheck it, you will get a popup asking to remove the features that require Active Directory Domain Services.
If you plan on using the server to manage Active Directory, keep these installed. In this example, I plan to decommission the server, so I will remove these management tools.
Step 5. Select Demote this domain controller.
On the next screen, make sure you DO NOT select “Force the removal of this domain controller”. You should only select this if you are removing the last domain controller in the domain.
You can also change credentials on this screen if needed.
Click Next.
Step 6. On the warnings screen you will be warned that this server hosts additional roles. If you have client computers using this server for DNS, you will need to update them to point to a different server, since the DNS role will be removed.
Check the box “Proceed with removal” and click Next.
Step 7. If you have DNS delegation, you can select “Remove DNS delegation” and click Next. In most cases you will not have DNS delegation and can uncheck this box.
Step 8. Now enter the new administrator password. This will be the password for the local administrator account on this server.
Step 9. Review options and click “Demote.”
There is a “View script” button that generates a PowerShell script automating all the steps we just walked through. If you have additional domain controllers to remove, you can use this script.
When you click Demote, the server is demoted and rebooted. After the reboot the server is a member server, and you can log in to it with domain credentials.
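As an added example (not the script produced by the “View script” button), the following demotes the local DC with the ADDSDeployment cmdlets, keeping the safeguards from Steps 5 to 8: forced removal stays off, FSMO roles must already have been moved, and the wizard's pre-checks run before anything changes. It assumes it is run on the DC being demoted by a domain administrator.

```powershell
# Added example: scripted equivalent of the "Remove Roles and Features" demotion
Import-Module ADDSDeployment
Import-Module ActiveDirectory

# Step 8: password for the local Administrator account after demotion
$localAdminPwd = Read-Host -Prompt 'New local Administrator password' -AsSecureString

# Section 5.3 said the FSMO roles are moved during planning; refuse to continue otherwise
$me = Get-ADDomainController -Identity $env:COMPUTERNAME
if ($me.OperationMasterRoles.Count -gt 0) {
    throw "Still holding FSMO roles: $($me.OperationMasterRoles -join ', '). Move them first."
}

# Steps 5 to 7: no forced removal (only valid for the last DC in the domain) and
# no DNS delegation removal (the typical case described in Step 7)
$demoteParams = @{
    LocalAdministratorPassword = $localAdminPwd
    ForceRemoval               = $false
    RemoveDnsDelegation        = $false
    NoRebootOnCompletion       = $false    # reboot as the wizard would
}

# Dry run of the same checks the wizard performs before the Demote button is enabled
$check = Test-ADDSDomainControllerUninstallation @demoteParams
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Demotion pre-checks did not succeed; nothing was changed.'
}

# Step 9: demote. -Force only suppresses the interactive confirmation prompt.
Uninstall-ADDSDomainController @demoteParams -Force
```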
7 POST CLEAN-UP ACTIVITY
Step 1. On another domain controller, or on a computer with the RSAT tools, open “Active Directory Users and Computers”.
Go to the Domain Controllers folder. Right-click the domain controller you want to remove and click Delete.
On the next screen, select the box “Delete this Domain Controller anyway” and click Delete.
If the DC is a global catalog server, you will get an additional message to confirm the deletion. I’m going to click Yes.
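As an added example (not part of the original document), this script verifies that the ADUC deletion really removed the DC's metadata: the computer object, the server object under Sites, DNS records that still name the DC, and replication metadata. It assumes the ActiveDirectory and DnsServer modules; the DC, domain and DNS server names are placeholders.

```powershell
# Added example: post clean-up verification after deleting the DC in ADUC
Import-Module ActiveDirectory
Import-Module DnsServer
$dc        = 'DC-TO-DECOMMISSION'   # placeholder: short name of the removed DC
$domain    = 'corp.example'         # placeholder: AD DNS domain name
$dnsServer = 'DNS01'                # placeholder: DNS server to query
$leftovers = @()

# 1. Computer object in the Domain Controllers OU
$ou = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
if (Get-ADComputer -Filter "Name -eq '$dc'" -SearchBase $ou -ErrorAction SilentlyContinue) {
    $leftovers += "Computer object for $dc still exists in $ou"
}

# 2. Server object (and its NTDS Settings child) under Configuration\Sites
$cfg = (Get-ADRootDSE).configurationNamingContext
$srv = Get-ADObject -Filter "ObjectClass -eq 'server' -and Name -eq '$dc'" -SearchBase "CN=Sites,$cfg"
if ($srv) { $leftovers += "Server object $($srv.DistinguishedName) still exists" }

# 3. DNS records that still name the DC: SRV in _msdcs, NS and A in the domain zone
$fqdn  = "$dc.$domain".ToLower()
foreach ($z in @($domain, "_msdcs.$domain")) {
    $recs = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $z -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$fqdn*") -or
            ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$fqdn*") -or
            ($_.RecordType -eq 'A'   -and $_.HostName -eq $dc)
        }
    foreach ($r in $recs) {
        $leftovers += "DNS $($r.RecordType) record '$($r.HostName)' in zone $z still references $fqdn"
    }
}

# 4. Remaining DCs should no longer list the removed DC as a replication partner
$partners = Get-ADReplicationPartnerMetadata -Target (Get-ADDomain).DNSRoot -Scope Domain -ErrorAction SilentlyContinue |
    Where-Object { $_.Partner -like "*CN=$dc,*" }
if ($partners) { $leftovers += "Replication metadata still references $dc" }

if ($leftovers.Count -eq 0) { "No leftover metadata for $dc found." } else { $leftovers }
```

Any leftover DNS records can be removed from the DNS console; stale server or NTDS Settings objects indicate the ADUC deletion did not complete its metadata cleanup and the step should be repeated.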