Preparing to Remove Domain Controllers
Before you demote a domain controller, you should determine the functions and roles the server has in the domains.
Global catalog server
If you remove the last global catalog server from a domain, you will have
big problems. Users will not be able to log on to the domain, and directory
search functions will be affected. To avoid problems, ensure another global
catalog server is available.
Also if you remove the last global catalog server from a site, computers in the site will
query a global catalog server in another site when searching for resources in
other domains in the forest, and a domain controller responding to a users
logon or authentication request will need to obtain the required information
from a global catalog server in another site.
Check whether a domain controller is acting as a global catalog server
by typing the following at a command prompt: dsquery server -domain
DomainName | dsget server -isgc -dnsname where DomainName is
the name of the domain you want to examine.
If you remove the last preferred bridgehead server, intersite replication will
stop until you change the preferred bridgehead server configuration options.
You can avoid problems by removing the preferred bridgehead server designation before demoting the domain controller and thereby allowing
Active Directory to select the bridgehead servers to use.
To check whether a domain controller is acting as a bridgehead server by typing the following at a command prompt: repadmin /bridgeheads
site:SiteName where SiteName is the name of the site.
If you remove an operations master without first transferring the role, Active Directory will try to transfer the role
as part of the demotion process, and the domain controller that ends up holding the role may not be the one you would have selected.
To check whether a domain controller is acting as an operations master by typing the following at a command prompt: netdom query fsmo.
Before you remove the last domain controller in a domain, you should examine domain accounts and look for encrypted files and folders. You must decrypt any encrypted data on the server, including data stored using the Encrypting File System, before removing the last domain controller, or the data will be permanently inaccessible.You can check for encrypted files and folders by using the EFSInfo utility.
To remove the last domain controller from a domain tree or child domain,you must use an account that is a member of the Enterprise Admins group or
be able to provide credentials for an enterprise administrator account. To remove the last domain controller in a forest, you must log on to the
domain as Administrator or use an account that is a member of the Domain Admins group.
To remove other domain controllers, you must use an account that is a member of either the Enterprise Admins or Domain Admins group.