Introduction

Domain Controllers are among the most critical components of an IT environment, especially a Windows-oriented one. If you use products such as Exchange, SharePoint, Failover Clustering, DFS and other AD-integrated applications, your Domain Controllers become even more critical.

Due to this fact, there are many points you should consider before you demote a Domain Controller.

In this article, let's go through a checklist which we have used in production and found effective. Using this checklist, we have decommissioned at least 50 Domain Controllers (in multiple environments) without any major outage. Working through the checklist is time-consuming, but considering the criticality of a Domain Controller, it is worth the time. The checklist also covers the AD-integrated DNS server, which is very common in AD-oriented environments.

This article also covers a high-level action plan for the DC decommission and the post-decommission cleanup.

We will not go through the Domain Controller demotion steps themselves in this article; for those, refer to the TechNet article specific to your OS version.

The Checklist

Each item below states what to verify and how to check it.

1. Verify that this server is not the last Domain Controller for this domain (most important). Demoting the last DC removes the domain itself.
   How to check: use the ADUC console or PowerShell (Get-ADDomainController -Filter *) to get the list of active Domain Controllers. Alternatively, use this script to get a list of all Domain Controllers in the forest.

2. Does any system (server or workstation) point to this server as its preferred or alternate DNS server?
   How to check: use this script to find out the DNS servers configured on multiple systems. Non-Windows hosts and appliances with static DNS settings are easy to miss; enabling DNS debug logging on this server for a few days shows which clients still send queries to it.

3. Is there any DHCP scope that assigns this server's IP as a DNS server (option 006) to DHCP clients? Please also check the server-level options (Server Options on a Windows DHCP server).
   How to check: validate each DHCP scope and the server-level options. On a Windows DHCP server, Get-DhcpServerv4OptionValue -OptionId 6 (with and without -ScopeId) returns the configured DNS servers.

4. Is there any DNS server whose forwarder list points to this DNS server?
   How to check: use this script to find out the forwarders of multiple DNS servers. On Windows DNS, Get-DnsServerForwarder -ComputerName <server> lists them.

5. Is there any conditional forwarder within this forest that uses this DNS server's IP?
   How to check: check manually or with a PowerShell script. AD-stored conditional forwarders appear as zones of type Forwarder (Get-DnsServerZone), and their MasterServers property holds the target IPs.

6. Is there any conditional forwarder outside this forest (another forest, a non-Windows DNS server, a partner network) that uses this DNS server's IP?
   How to check: these cannot be discovered from inside the forest; check manually with the owning teams or with a PowerShell script run against those servers.

7. Are other logon servers (Domain Controllers) available in the AD site from which you are decommissioning this Domain Controller?
   How to check: use this script to get the following information:
   1) list of DCs and GCs per site;
   2) domain and forest FSMO role holder details.
   If this server is a Global Catalog, make sure another Global Catalog server is available in the same AD site; otherwise GC-dependent applications in that site (Exchange in particular) will query across the WAN.

8. Is this Domain Controller holding any Operations Master (FSMO) role?
   How to check: netdom query fsmo, or Get-ADForest and Get-ADDomain in PowerShell. Transfer any roles deliberately to a chosen DC before demotion rather than letting the demotion process pick one.

9. Does the Exchange server / email server in your environment have any kind of dependency on this Domain Controller?
   How to check: check with the Exchange team; in particular, whether any Exchange server is statically bound to this DC or GC (StaticDomainControllers / StaticGlobalCatalogs in the output of Get-ExchangeServer -Status).

10. Does this Domain Controller act as an AD FS server?
    How to check: check the server roles in Server Manager (Get-WindowsFeature ADFS-Federation). Also check the services.

11. Does this Domain Controller act as an AD LDS server?
    How to check: check the server roles in Server Manager (Get-WindowsFeature ADLDS). Also check the services; each AD LDS instance runs as a service named ADAM_<instance>.

12. Does this Domain Controller act as a KMS server?
    How to check: check the server roles in Server Manager and the services. slmgr.vbs /dlv shows whether the host is a KMS host, and the _vlmcs._tcp SRV record in DNS shows which host clients are directed to.

13. Does this Domain Controller act as a DHCP server?
    How to check: check the server roles in Server Manager and the services. Get-DhcpServerInDC lists the DHCP servers authorized in AD.

14. Does this Domain Controller act as a Certificate server?
    How to check: check the server roles in Server Manager and the services. If AD CS is installed, the CA must be migrated or removed before demotion: the certificates it has issued reference this host in their CRL distribution point and AIA URLs.

15. Does this Domain Controller act as a DFS Namespace server?
    How to check: check from the DFS Management console, or Get-DfsnRoot -ComputerName <server> to list the namespaces hosted on it.

16. Is any other application / tool / role installed on this server and, if yes, is there still any dependency on this server?
    How to check: check all installed programs, roles, services and scheduled tasks. Also, notify all application owners before you demote this Domain Controller.
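The following PowerShell script is an added example; it is not part of the original article or of the scripts it links to. It automates the forest-wide parts of the checklist above (DCs and GCs per site, FSMO roles, forwarders and AD-stored conditional forwarders, DHCP option 006, and DNS client settings on domain members). It assumes the RSAT ActiveDirectory, DnsServer and DhcpServer modules are installed, that the caller can read every DC, DNS and DHCP server, and that WinRM is enabled on domain members; the names DC01 and 10.0.0.11 are placeholders for the server to be demoted.

```powershell
# Added example (not from the original article or its linked scripts).
# Pre-demotion dependency checks for one DC / AD-integrated DNS server.
# Assumptions: RSAT modules ActiveDirectory, DnsServer and DhcpServer are
# installed, the caller can read every DC, DNS and DHCP server, and WinRM
# is enabled on domain members. 'DC01' and '10.0.0.11' are placeholders.
param(
    [string]$DcName = 'DC01',        # hypothetical name of the DC to be demoted
    [string]$DcIp   = '10.0.0.11'    # hypothetical IP of that DC
)
Import-Module ActiveDirectory, DnsServer, DhcpServer

function Join-Names($objects) { if ($objects) { $objects.Name -join ', ' } else { 'NONE' } }

# 1) DCs and GCs per site across the whole forest.
$allDcs = foreach ($d in (Get-ADForest).Domains) { Get-ADDomainController -Filter * -Server $d }
$allDcs | Sort-Object Site, Name | Format-Table Site, Name, Domain, IsGlobalCatalog, IPv4Address -AutoSize

$target = $allDcs | Where-Object { $_.Name -eq $DcName }
if (-not $target) { throw "$DcName is not a Domain Controller in this forest." }
$sameSite = $allDcs | Where-Object { $_.Site -eq $target.Site -and $_.Name -ne $DcName }
"Other DCs in site $($target.Site): $(Join-Names $sameSite)"
if ($target.IsGlobalCatalog) {
    "Other GCs in site $($target.Site): $(Join-Names ($sameSite | Where-Object IsGlobalCatalog))"
}

# 2) FSMO roles held by the target (forest roles plus its own domain's roles).
$forest = Get-ADForest
$domain = Get-ADDomain -Server $target.Domain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$held = @($roles.Keys | Where-Object { $roles[$_] -like "$DcName.*" -or $roles[$_] -eq $DcName })
"FSMO roles held by ${DcName}: $(if ($held) { $held -join ', ' } else { 'none' })"

# 3) Forwarders and AD-stored conditional forwarders on every other DC that
#    point at the target's IP. Conditional forwarders on DNS servers outside
#    the forest cannot be seen from here and must be checked with their owners.
foreach ($dns in ($allDcs | Where-Object { $_.Name -ne $DcName })) {
    $fwd = (Get-DnsServerForwarder -ComputerName $dns.HostName -ErrorAction SilentlyContinue).IPAddress |
        ForEach-Object { $_.IPAddressToString }
    if ($fwd -contains $DcIp) { "$($dns.HostName): forwarder list contains $DcIp" }
    Get-DnsServerZone -ComputerName $dns.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.ZoneType -eq 'Forwarder' -and
                       (@($_.MasterServers | ForEach-Object { $_.IPAddressToString }) -contains $DcIp) } |
        ForEach-Object { "$($dns.HostName): conditional forwarder '$($_.ZoneName)' uses $DcIp" }
}

# 4) DHCP option 006 (DNS servers) at server level and in every scope,
#    on every DHCP server authorized in AD.
foreach ($dhcp in Get-DhcpServerInDC) {
    $srv = $dhcp.DnsName
    $opt = Get-DhcpServerv4OptionValue -ComputerName $srv -OptionId 6 -ErrorAction SilentlyContinue
    if ($opt.Value -contains $DcIp) { "${srv}: server-level option 006 contains $DcIp" }
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $srv) {
        $so = Get-DhcpServerv4OptionValue -ComputerName $srv -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
        if ($so.Value -contains $DcIp) { "${srv}: scope $($scope.ScopeId) option 006 contains $DcIp" }
    }
}

# 5) Domain members whose DNS client settings still list the target's IP.
#    Narrow the computer list with -SearchBase in a large environment.
$members = (Get-ADComputer -Filter 'Enabled -eq $true').DNSHostName
Invoke-Command -ComputerName $members -ErrorAction SilentlyContinue -ScriptBlock {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $using:DcIp } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } }, InterfaceAlias, ServerAddresses
}
```

Run it from a management host as a user with read access to the DNS and DHCP servers, for example .\Test-DcDependencies.ps1 -DcName DC01 -DcIp 10.0.0.11. Anything it prints under steps 3 to 5 is a dependency that must be re-pointed before the server is shut down; a blank result for a host in step 5 can also mean WinRM was unreachable, so treat unreachable hosts as unverified rather than clean.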


High-Level Action Plan

The list below shows the high-level action plan you should follow. Some steps may vary depending on your environment.

1. Inform all teams and stakeholders about the upcoming decommission activity, along with the list of DCs. Also share the details of the new DC / DNS server to be used as the replacement.

2. Perform an impact analysis and ensure that no dependency remains on this server, using the checklist above.

3. Once all dependencies have been assessed, raise a Change Request to remove them (re-point DNS clients, DHCP options and forwarders, transfer FSMO roles, move any other role off the server) and then shut down the Domain Controller.

4. Keep the DC powered off for one to two weeks to confirm that no dependency is left. Do not leave it off for longer than the tombstone lifetime of your forest; a DC that has been offline longer than that cannot be brought back cleanly for a normal demotion.

5. Once it has been confirmed that no dependency remains, raise a Change Record and get it approved by all stakeholders. Begin the decommission activity only when the Change Record is in an approved state.

6. Power the server back on, let replication catch up, and demote the Domain Controller. Ensure again that this server is NOT the last Domain Controller.

7. Disjoin the server from the domain.

8. Shut down the server.

9. Delete (VM) or wipe (physical) the server as per organization policy, and update the inventory. The disks held the AD database (NTDS.DIT) with every account's password hash, so sanitize them properly rather than doing a quick format.

10. Return the IP address to the Network team for reuse, but only after the DNS cleanup below is done; otherwise a new host on that IP will receive DC and DNS traffic from stale pointers.

Validation

About an hour after the demotion, run a replication report for the entire forest (for example repadmin /replsummary, followed by repadmin /showrepl on any DC that reports failures) and validate that the demoted DC no longer appears as a replication partner. Also validate that replication between the remaining Domain Controllers is not impacted, and confirm in AD Sites and Services that the demoted server has no NTDS Settings object left; if it does, the demotion did not complete cleanly and metadata cleanup is required.
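The following PowerShell script is an added example, not part of the original article. It performs the validation described above from a remaining DC or an RSAT-equipped admin host: it checks that the demoted server has no DC object or NTDS Settings object left, runs the forest replication summary, and lists any replication link that failed or still names the old DC. DC01 and corp.example.com are placeholders.

```powershell
# Added example (not from the original article): post-demotion validation,
# run about an hour after the demotion. Assumes the RSAT ActiveDirectory
# module and repadmin are available. 'DC01' and 'corp.example.com' are
# placeholders for the demoted server and its domain.
param(
    [string]$DemotedDc = 'DC01',
    [string]$Domain    = 'corp.example.com'
)
Import-Module ActiveDirectory

# 1) The server must no longer be a DC and must have no NTDS Settings object
#    left in the Configuration partition; if either remains, metadata cleanup is needed.
$stillDc = Get-ADDomainController -Filter "Name -eq '$DemotedDc'" -Server $Domain
$cfgNc   = (Get-ADRootDSE -Server $Domain).configurationNamingContext
$ntds    = Get-ADObject -Filter "objectClass -eq 'nTDSDSA'" -SearchBase $cfgNc -Server $Domain |
    Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$DemotedDc,CN=Servers,*" }
if ($stillDc -or $ntds) {
    Write-Warning "$DemotedDc still has DC metadata; run metadata cleanup (ntdsutil) before continuing"
} else {
    "${DemotedDc}: no DC object or NTDS Settings object remains"
}

# 2) Forest-wide replication summary. The demoted DC must not appear as a
#    source or destination, and no remaining DC may report failures.
$summary = repadmin /replsummary /bysrc /bydest
$summary
if ($summary -match [regex]::Escape($DemotedDc)) {
    Write-Warning "$DemotedDc still appears in the replication summary"
}
# The 'fails/total' column looks like '  0 /   5'; any non-zero failure count is a problem.
if ($summary -match '\s[1-9]\d*\s+/\s+\d+') {
    Write-Warning 'Replication failures reported; run repadmin /showrepl on the affected DCs'
}

# 3) Per-partner view from the AD module: failed links, or links still naming the old DC.
Get-ADDomainController -Filter * -Server $Domain | ForEach-Object {
    Get-ADReplicationPartnerMetadata -Target $_.HostName -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationResult -ne 0 -or $_.Partner -like "*CN=$DemotedDc,*" } |
        Select-Object Server, Partner, Partition, LastReplicationResult, LastReplicationAttempt
}
```

A clean result is an empty table from step 3, no warnings from steps 1 and 2, and a replsummary in which every remaining DC shows 0 failures. If step 1 warns, do not proceed with the cleanup list below until the stale NTDS Settings object has been removed, because the remaining DCs will otherwise keep trying to replicate with a partner that no longer exists.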

Post-Decommission Cleanup

This is one of the most overlooked areas of a DC and DNS decommission. But remember: if proper cleanup is not done during the decommission, it will never be done until those stale entries cause an issue. So perform these tasks right after the decommission, and do not mark the decommission activity complete until the cleanup is done.

Again, the actual implementation may vary depending on your environment; however, the basic guideline is as follows.

1. Remove the computer account from AD (if not removed already). Also confirm that the server object and its NTDS Settings object are gone from AD Sites and Services; if the demotion did not complete cleanly, perform metadata cleanup (ntdsutil metadata cleanup, or delete the server object in AD Sites and Services on Windows Server 2008 and later, which runs the cleanup for you).

2. Remove the DNS host (A/AAAA) record and its PTR record.

3. Remove the server from the Name Server (NS) records of all DNS zones.

4. Remove all delegations (NS records and their glue A records) pointing to this server.

5. Remove the server from all SRV records (_ldap, _kerberos, _kpasswd and _gc entries under the domain zone and _msdcs), and remove the DSA GUID CNAME record for the server in _msdcs.

6. Remove the DHCP reservation (if applicable).

7. Remove the server from the backup console.

8. Remove the server from the monitoring console (e.g. SCOM).

9. Remove the server from the antivirus console.

10. Remove the server from the patch management console (e.g. WSUS or SCCM).

11. Remove the server from the inventory or mark it as decommissioned.
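The following PowerShell script is an added example, not part of the original article. It covers cleanup items 1 to 6 above: it scans every primary zone on a remaining AD-integrated DNS server for A, PTR, NS, SRV and CNAME records that still point to the demoted DC, looks for DHCP reservations holding its IP or name, and checks for its computer account. It runs read-only unless -Apply is given. It assumes the RSAT ActiveDirectory, DnsServer and DhcpServer modules; DC01, corp.example.com, 10.0.0.11 and dns01.corp.example.com are placeholders. A cleanly demoted DC deregisters most of its own records, but records often survive when the demoted server was itself the DNS server for the zone, when it was removed forcibly, or in zones it could not update.

```powershell
# Added example (not from the original article): find and optionally remove the
# DNS records, DHCP reservations and computer account left behind by a demoted DC.
# Read-only unless -Apply is given. Assumes RSAT ActiveDirectory, DnsServer and
# DhcpServer modules. All names and addresses below are placeholders.
param(
    [string]$OldDc     = 'DC01',
    [string]$Domain    = 'corp.example.com',
    [string]$OldIp     = '10.0.0.11',
    [string]$DnsServer = 'dns01.corp.example.com',   # a remaining AD-integrated DNS server
    [switch]$Apply
)
Import-Module ActiveDirectory, DnsServer, DhcpServer
$oldFqdn = "$OldDc.$Domain".ToLower()

function Remove-StaleRecord {
    param($Record, [string]$Zone, [string]$Why)
    "$Zone : $($Record.RecordType) '$($Record.HostName)' -> $Why"
    if ($Apply) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -InputObject $Record -Force
    }
}

# 1) DNS: walk every primary zone (forward and reverse) and match each record
#    type on the field that can reference the old DC.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
foreach ($zone in $zones) {
    foreach ($r in Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName) {
        $d = $r.RecordData
        $stale = switch ($r.RecordType) {
            'A'     { $d.IPv4Address.IPAddressToString -eq $OldIp }            # host and '(same as parent)' records
            'PTR'   { $d.PtrDomainName.TrimEnd('.').ToLower() -eq $oldFqdn }   # reverse lookup entry
            'NS'    { $d.NameServer.TrimEnd('.').ToLower() -eq $oldFqdn }      # zone NS and delegation NS
            'SRV'   { $d.DomainName.TrimEnd('.').ToLower() -eq $oldFqdn }      # _ldap/_kerberos/_gc/_kpasswd
            'CNAME' { $d.HostNameAlias.TrimEnd('.').ToLower() -eq $oldFqdn }   # DSA GUID alias in _msdcs
            default { $false }
        }
        if ($stale) { Remove-StaleRecord -Record $r -Zone $zone.ZoneName -Why "points to $oldFqdn / $OldIp" }
    }
}

# 2) DHCP: reservations that still hold the old IP or name, on every authorized server.
foreach ($dhcp in Get-DhcpServerInDC) {
    foreach ($scope in Get-DhcpServerv4Scope -ComputerName $dhcp.DnsName) {
        Get-DhcpServerv4Reservation -ComputerName $dhcp.DnsName -ScopeId $scope.ScopeId |
            Where-Object { $_.IPAddress.IPAddressToString -eq $OldIp -or $_.Name -like "$OldDc*" } |
            ForEach-Object {
                "$($dhcp.DnsName) scope $($scope.ScopeId): reservation $($_.IPAddress) ($($_.Name))"
                if ($Apply) { Remove-DhcpServerv4Reservation -ComputerName $dhcp.DnsName -IPAddress $_.IPAddress }
            }
    }
}

# 3) AD: after a clean demotion the old DC is left as an ordinary computer object.
$acct = Get-ADComputer -Filter "Name -eq '$OldDc'" -Server $Domain -ErrorAction SilentlyContinue
if ($acct) {
    "AD computer account $($acct.DistinguishedName) still exists"
    if ($Apply) { Remove-ADComputer -Identity $acct -Server $Domain -Confirm:$false }
}
```

Run it once without -Apply and review the list: every line it prints is a stale pointer that the checklist's DNS items would otherwise leave behind, and glue A records for delegations show up as A records in the parent zone. Only then run it again with -Apply. Deleting a delegation's NS record while leaving another NS for the child zone in place is safe; deleting the last NS record of a delegation breaks resolution of the child zone, so check that the other name servers are still listed before applying.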

Summary

In this article, we have gone through the various activities that need to be performed before, during and after the decommissioning of Domain Controllers and AD-integrated DNS servers.