none
How to Decommission a Domain Controller

    Question

  • I am decommissioning a Windows Server 2003 which has served as a domain controller, and as the primary controller for our network.  I currently have two other controllers, a Windows Server 2003 and a Windows Server 2008 Enterprise R2 server.  Can anyone point me to a COMPLETE procedure for removing a Windows Server 2003 domain controller?  I have had links to bits and pieces and to articles for Windows Server 2000 and so on, with cryptic language assuming full knowledge of everything (like FSMO?).  Like heart surgery, I don't just need to know how to clip the arteries once I reach the heart.  I also need to know the proper steps to prep, open, and close the patient so that when the surgery is over, the patient and all the other servers are not dead or sick.  Any complete help will be greatly appreciated.  Thanks.

    Doug Pruiett Good News Jail & Prison Ministry Richmond, Virginia www.goodnewsjail.org

    Monday, March 12, 2012 10:17 PM

Answers

  • Here is a pretty comprehensive step-by-step procedure with detailed (and correct) instructions:

    http://technet.microsoft.com/en-us/library/cc755937(v=ws.10).aspx

    It is just that when I got to the third to the last step of "Uninstall Active Directory," which used DCPROMO, I got the following error dialogue:

    "Before you can install or remove Active Directory, you must remove Certificate Services.  For information about the consequences of removing Certificate Services, see Help and Support."

    I still have one web site running on this server (a secure SSL site) and suspect that removing Certificate Services will hose the site?  Any thoughts?


    Doug Pruiett Good News Jail & Prison Ministry Richmond, Virginia www.goodnewsjail.org

    • Marked as answer by Chaplain Doug Tuesday, March 13, 2012 2:41 PM
    Monday, March 12, 2012 11:03 PM
  • Hi doug,

    The error message is talking about windows certificate services, not the certificates that are located in the IIS.

    To check it try (It's been a long time since I've done this, but from memory) this: start menu -> control panel -> add remove programs -> add remove windows components

    In the list you should see that the “certificates Services” option is checked.

    If you are not using the internal certificate authority at all, for example if it was installed in error, you can simply uninstall it and move on; If you ARE using the internal certificate authority, then you need to move it out (quite a few steps involved on this), or replace it with a new one depending on the reality of your environment and the actual installation.

    Uninstalling it isn’t hard, just clear the checkbox, click ok and follow the wizard.

    Just be sure that this certificate authority it’s not being used (or that it has been moved or replaced), otherwise it’s going to be a pain to undo the damage.


    -----------------

    Best Regards, Marianok

    Disclaimer: While I do my best to make sure everything I post is accurate and safe, I’m certainly not perfect so all this information is provided "AS IS" with no warranties or guarantees and confers no rights. Any suggested steps or code provided should be done under your own risk, I take no responsibilities if your system blows, the universe stops spinning, o nor for any other adverse consequence the information on this code might cause directly or indirectly.

    • Marked as answer by Chaplain Doug Tuesday, March 13, 2012 2:42 PM
    Tuesday, March 13, 2012 11:59 AM
  • Thanks.  I was able to remove the component per your instructions.

    Doug Pruiett Good News Jail & Prison Ministry Richmond, Virginia www.goodnewsjail.org

    Tuesday, March 13, 2012 2:42 PM

All replies

  • Here is a pretty comprehensive step-by-step procedure with detailed (and correct) instructions:

    http://technet.microsoft.com/en-us/library/cc755937(v=ws.10).aspx

    It is just that when I got to the third to the last step of "Uninstall Active Directory," which used DCPROMO, I got the following error dialogue:

    "Before you can install or remove Active Directory, you must remove Certificate Services.  For information about the consequences of removing Certificate Services, see Help and Support."

    I still have one web site running on this server (a secure SSL site) and suspect that removing Certificate Services will hose the site?  Any thoughts?


    Doug Pruiett Good News Jail & Prison Ministry Richmond, Virginia www.goodnewsjail.org

    • Marked as answer by Chaplain Doug Tuesday, March 13, 2012 2:41 PM
    Monday, March 12, 2012 11:03 PM
  • Might ask them here about IIS issues. Also it isn't recommended to run a web site on a DC

    http://forums.iis.net/ 

     

     

     


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Monday, March 12, 2012 11:38 PM
  • can you move the site? is the certificate internally generated or a commercial SSLC?

    this might help:

    http://learn.iis.net/page.aspx/144/how-to-set-up-ssl-on-iis/

    • Edited by Bill - MCSE Monday, March 12, 2012 11:55 PM
    Monday, March 12, 2012 11:53 PM
  • Had no choice as this was the only server available.  It ran everything (DC, Exchange, IIS, etc.).  The web site will be moved later this week.  Just wanted to remove the DC role entirely today.

    Doug Pruiett Good News Jail & Prison Ministry Richmond, Virginia www.goodnewsjail.org

    Tuesday, March 13, 2012 12:13 AM
  • The site will be moved later this week.  It is an SSL from GoDaddy.  Was just hoping to complete the removal of the DC functions as soon as possible, even before moving the last remaining web site.

    Doug Pruiett Good News Jail & Prison Ministry Richmond, Virginia www.goodnewsjail.org

    Tuesday, March 13, 2012 12:14 AM
  • Hi doug,

    The error message is talking about windows certificate services, not the certificates that are located in the IIS.

    To check it try (It's been a long time since I've done this, but from memory) this: start menu -> control panel -> add remove programs -> add remove windows components

    In the list you should see that the “certificates Services” option is checked.

    If you are not using the internal certificate authority at all, for example if it was installed in error, you can simply uninstall it and move on; If you ARE using the internal certificate authority, then you need to move it out (quite a few steps involved on this), or replace it with a new one depending on the reality of your environment and the actual installation.

    Uninstalling it isn’t hard, just clear the checkbox, click ok and follow the wizard.

    Just be sure that this certificate authority it’s not being used (or that it has been moved or replaced), otherwise it’s going to be a pain to undo the damage.


    -----------------

    Best Regards, Marianok

    Disclaimer: While I do my best to make sure everything I post is accurate and safe, I’m certainly not perfect so all this information is provided "AS IS" with no warranties or guarantees and confers no rights. Any suggested steps or code provided should be done under your own risk, I take no responsibilities if your system blows, the universe stops spinning, o nor for any other adverse consequence the information on this code might cause directly or indirectly.

    • Marked as answer by Chaplain Doug Tuesday, March 13, 2012 2:42 PM
    Tuesday, March 13, 2012 11:59 AM
  • Thanks.  I was able to remove the component per your instructions.

    Doug Pruiett Good News Jail & Prison Ministry Richmond, Virginia www.goodnewsjail.org

    Tuesday, March 13, 2012 2:42 PM