Windocuments.net

Decommissioning Domain Controllers

When you no longer need a domain controller, you can decommission it and remove it from service. Running Dcpromo.exe on the domain controller allows you to remove Active Directory Domain Services and demote the domain controller to either a stand-alone server or a member server.

If the domain controller is the last in the domain, it will become a stand-alone server in a workgroup. If other domain controllers remain in the domain, the domain controller will become a member server in the domain.



Preparing to Remove Domain Controllers

Before you demote a domain controller, you should determine the functions and roles the server has in the domains.



Global catalog server

If you remove the last global catalog server from a domain, you will have big problems. Users will not be able to log on to the domain, and directory search functions will be affected. To avoid problems, ensure another global catalog server is available.

Also, if you remove the last global catalog server from a site, computers in the site will query a global catalog server in another site when searching for resources in other domains in the forest, and a domain controller responding to a user's logon or authentication request will need to obtain the required information from a global catalog server in another site.

Check whether a domain controller is acting as a global catalog server by typing the following at a command prompt: dsquery server -domain DomainName | dsget server -isgc -dnsname where DomainName is the name of the domain you want to examine.



Bridgehead server

If you remove the last preferred bridgehead server, intersite replication will stop until you change the preferred bridgehead server configuration options.

You can avoid problems by removing the preferred bridgehead server designation before demoting the domain controller and thereby allowing Active Directory to select the bridgehead servers to use.

To check whether a domain controller is acting as a bridgehead server, type the following at a command prompt: repadmin /bridgeheads site:SiteName, where SiteName is the name of the site.



Operations master

If you remove an operations master without first transferring the role, Active Directory will try to transfer the role as part of the demotion process, and the domain controller that ends up holding the role may not be the one you would have selected. To check whether a domain controller is acting as an operations master, type the following at a command prompt: netdom query fsmo.

Before you remove the last domain controller in a domain, you should examine domain accounts and look for encrypted files and folders. You must decrypt any encrypted data on the server, including data stored using the Encrypting File System, before removing the last domain controller, or the data will be permanently inaccessible. You can check for encrypted files and folders by using the EFSInfo utility.

To remove the last domain controller from a domain tree or child domain, you must use an account that is a member of the Enterprise Admins group or be able to provide credentials for an enterprise administrator account. To remove the last domain controller in a forest, you must log on to the domain as Administrator or use an account that is a member of the Domain Admins group. To remove other domain controllers, you must use an account that is a member of either the Enterprise Admins or Domain Admins group.
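The three role checks above (global catalog, preferred bridgehead, operations master) can be run together before demotion. The script below is an added example, not from the original page; it assumes the RSAT ActiveDirectory module, repadmin.exe and netdom.exe are available, and that $DcName is the hypothetical domain controller you plan to demote.

```powershell
# Added example (not from the original page): pre-demotion inventory of one domain controller.
# Assumes the RSAT ActiveDirectory module plus repadmin.exe and netdom.exe are installed,
# and that $DcName (for example DC02) is the hypothetical domain controller to be demoted.
param([Parameter(Mandatory = $true)][string]$DcName)
Import-Module ActiveDirectory

$dc = Get-ADDomainController -Identity $DcName
$findings = @()

# Global catalog: the domain must keep at least one other GC, and ideally one in this site,
# otherwise logons and forest-wide searches fail or are served from another site.
$otherGcs = @(Get-ADDomainController -Filter 'IsGlobalCatalog -eq $true' -Server $dc.Domain |
    Where-Object { $_.Name -ne $dc.Name })
if ($dc.IsGlobalCatalog) {
    if ($otherGcs.Count -eq 0) {
        $findings += "LAST global catalog in $($dc.Domain): enable a GC elsewhere before demoting."
    } elseif (-not ($otherGcs | Where-Object { $_.Site -eq $dc.Site })) {
        $findings += "Last global catalog in site $($dc.Site): clients there will use a GC in another site."
    }
}

# Preferred bridgehead: the page's repadmin check, parsed for this server's name.
$bridgeheads = repadmin /bridgeheads "site:$($dc.Site)" 2>&1
if ($bridgeheads -match [regex]::Escape($dc.Name)) {
    $findings += "Listed as a bridgehead for site $($dc.Site): clear the preferred bridgehead designation first."
}

# Operations master roles: transfer them deliberately rather than letting demotion pick a holder.
$roles = @($dc.OperationMasterRoles)
if ($roles.Count -gt 0) {
    $findings += "Holds operations master roles ($($roles -join ', ')): move them with Move-ADDirectoryServerOperationMasterRole."
}
netdom query fsmo   # the page's check, printed for the record

if ($findings.Count -eq 0) {
    Write-Host "$DcName holds no blocking roles; proceed with the demotion checks for EFS data and credentials."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```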



Removing Additional Domain Controllers

You can remove an additional domain controller from a domain by completing the following steps:

1. Start the Active Directory Domain Services Installation Wizard by clicking Start, typing dcpromo in the Search box, and pressing Enter.

2. When the wizard starts, you should see a message stating that the server is already a domain controller and that by continuing you will remove Active Directory. Click Next.

3. If the domain controller is a global catalog server, a message appears to warn you about ensuring other global catalog servers are available.

4. On the Delete The Domain page, click Next without making a selection. If the domain controller is the last in the domain, you will see a warning.

5. If the domain controller is the last DNS server for one or more Active Directory integrated zones, a message appears to warn you that you may be unable to resolve DNS names in the applicable zones.

6. If the domain controller has application directory partitions, the next page you will see is the Application Directory Partitions page.

You will need to do the following:

If you want to retain any application directory partitions that are stored on the domain controller, you will need to use the application that created the partition to extract and save the partition data. You can let the Active Directory Domain Services Installation Wizard remove the related directory partitions. When you are ready to continue with Active Directory removal, you can click Refresh. Click Next.

Confirm that you want to delete all application directory partitions on the domain controller by selecting the related option and then clicking Next. Deleting the last replica of an application partition will delete all data associated with that partition.

7. The wizard checks DNS to see if any active delegations for the server need to be removed. If the Remove DNS Delegation page is displayed, verify that the Delete The DNS Delegations Pointing To This Server check box is selected. Then click Next. If you do not remove the delegations at this time, you will need to manually remove them later using the DNS console.

8. If you are removing DNS delegations, the Active Directory Domain Services Installation Wizard then examines the DNS configuration, checking your credentials and attempting to contact a DNS server in the domain. If you need additional credentials to remove DNS delegations, the Windows Security dialog box is displayed. Enter administrative credentials for the server that hosts the DNS zone in which the domain controller is registered and then click OK.

9. On the Administrator Password page, you are prompted to type and confirm the password for the local Administrator account on the server, because the local Administrator account will be recreated as part of the Active Directory removal process. Click Next.

10. On the Summary page, review your selections, and then click Next.

11. On the Completing The Active Directory Domain Services Installation Wizard page, click Finish. You can either select the Reboot On Completion check box to have the server restart automatically, or you can restart the server to complete the Active Directory removal when you are prompted to do so.



Removing the Last Domain Controller

You can remove the last domain controller in a domain or forest by completing the following steps:

1. Start the Active Directory Domain Services Installation Wizard by clicking Start, typing dcpromo in the Search box, and pressing Enter.

2. When the wizard starts, click Next. If the domain controller is a global catalog server, a message appears to warn you about ensuring other global catalog servers are available. Click OK to continue.

3. On the Delete The Domain page, select the Delete The Domain Because This Server Is The Last Domain Controller In The Domain check box, and then click Next. After you remove the last domain controller in a domain or forest, you can no longer access any directory data, Active Directory accounts, or encrypted data.

4. The rest of the installation proceeds as previously discussed. Continue with steps 6 through 11 of the previous section.

If you are removing the last domain controller from a domain, the wizard verifies that there are no child domains of the current domain before performing the removal operation. If child domains are found, removal of Active Directory fails. When the domain being removed is a child domain, the wizard notifies a domain controller in the parent domain that the child domain is being removed. For a parent domain in its own tree, a domain controller in the forest root domain is notified. The domain object is tombstoned, and this change is then replicated to other domain controllers. The domain object and any related trust objects are also removed from the forest. As part of removing Active Directory from the last domain controller in a domain, all domain accounts, all certificates, and all cryptographic keys are removed from the server. The wizard creates a local SAM account database and a local Administrator account. It then changes the computer account type to a stand-alone server and puts the server in a new workgroup.
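The wizard pages walked through in the two removal procedures above map onto a dcpromo answer file, which is how the same demotion is scripted. The example below is added here and is not from the original page; it assumes the Windows Server 2008 dcpromo unattend key names (IsLastDCInDomain, RemoveApplicationPartitions, RemoveDNSDelegation, DNSDelegationUserName, DNSDelegationPassword, AdministratorPassword, RebootOnCompletion) and uses placeholder account names and passwords.

```powershell
# Added example (not from the original page): unattended demotion of an additional domain controller.
# Assumes the Windows Server 2008 dcpromo answer-file keys named below; the account names and
# passwords are placeholders, and the script runs under an account that may demote the DC.
$answerFile = Join-Path $env:TEMP 'demote.txt'
@"
[DCInstall]
; Delete The Domain page: No for an additional DC; set Yes only for the last DC in the domain
IsLastDCInDomain=No
; Application Directory Partitions page: let the wizard delete the partitions held on this DC
; (extract any partition data you need with the owning application before running this)
RemoveApplicationPartitions=Yes
; Remove DNS Delegation page, with credentials for the DNS server that hosts the parent zone
RemoveDNSDelegation=Yes
DNSDelegationUserName=PARENTDOMAIN\dnsadmin-placeholder
DNSDelegationPassword=<dns-password-placeholder>
; Administrator Password page: password for the local Administrator account recreated on demotion
AdministratorPassword=<local-admin-password-placeholder>
; Completing page: restart manually after the answer file has been cleaned up
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

try {
    # Same wizard as "dcpromo" from the Start menu, driven by the answer file instead of the pages
    & dcpromo.exe "/unattend:$answerFile"
} finally {
    # The answer file holds credentials in clear text: remove it before the server restarts.
    Remove-Item -Path $answerFile -Force -ErrorAction SilentlyContinue
}
```

For the last domain controller in a domain, the same file is used with IsLastDCInDomain=Yes, after the EFS and child-domain checks described above.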