Decommissioning the old Domain Controller


When you add new Domain Controllers to your network, you may wish to remove the old ones. The reasons vary: the DC role may now be running on newer hardware, or you may simply want to remove old Windows 2000/2003 Domain Controllers that were replaced by Windows Server 2008.

To do that you need a Domain Admin account. Once you are sure that the DC can be decommissioned, there are some additional steps to take before you actually remove it from your network.

First of all, check that the forest/domain is healthy and reports no errors. To do that, use the dcdiag and repadmin tools. Dcdiag is available on a Domain Controller by default, but repadmin must be installed from the Support Tools on the Windows Server CD.

Open a command prompt and type dcdiag /v to check the condition of your domain environment. Review the output and check that everything is OK. If not, you have to fix the errors before continuing with the Domain Controller decommissioning.

dcdiag check

You should also check that Active Directory replication between Domain Controllers occurs regularly. To check that, use the repadmin tool from the Support Tools. You need to install them from the Windows Server CD. After installation they are located by default in “C:\Program Files\Support Tools”.

Enter this command and review the output to see whether there are any errors in AD replication.

repadmin /showrepl /all /verbose

AD data replication check

You should also check that the DC which will be decommissioned does not hold any FSMO roles. Don’t worry, the decommission process will transfer them automatically to another available Domain Controller, but it’s better to control this process yourself. Please also ensure that at least one Global Catalog server will be available in your network after the decommission process.
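
The three pre-checks above (replication, FSMO roles, remaining Global Catalog) can be combined into one gate, shown here as an added example that is not part of the original article. It assumes PowerShell 2.0 or later and the Support Tools (repadmin, netdom, dsquery) on the path; DC01, DC02, HQ and example.local are hypothetical names, and the tool output is constructed sample text laid out the way those tools print it.

```powershell
# Added example. All tool output below is CONSTRUCTED sample text, not real output.
$TargetDC = 'DC01'   # hypothetical name of the DC to be demoted

# Live: $replCsv = repadmin /showrepl * /csv | Out-String
$replCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC02,"DC=example,DC=local",HQ,DC01,RPC,0,0,2012-03-01 10:15:02,0
showrepl_INFO,HQ,DC01,"DC=example,DC=local",HQ,DC02,RPC,3,2012-03-01 10:20:11,2012-02-28 22:01:44,1722
'@
# Live: $fsmoText = netdom query fsmo | Out-String
$fsmoText = @'
Schema master               DC02.example.local
Domain naming master        DC02.example.local
PDC                         DC01.example.local
RID pool manager            DC02.example.local
Infrastructure master       DC02.example.local
'@
# Live: $gcText = dsquery server -forest -isgc | Out-String
$gcText = @'
"CN=DC01,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=local"
"CN=DC02,CN=Servers,CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=local"
'@

function Get-DemotionBlockers($Target, $ReplCsv, $FsmoText, $GcText) {
    $blockers = @()
    # 1. Every replication link must show zero failures; rows marked
    #    showrepl_ERROR (a DC that could not be queried) also count.
    foreach ($row in ($ReplCsv | ConvertFrom-Csv)) {
        if ($row.showrepl_COLUMNS -eq 'showrepl_ERROR' -or [int]$row.'Number of Failures' -gt 0) {
            $blockers += 'Replication {0} -> {1}: {2} failures, last status {3}' -f $row.'Source DSA', $row.'Destination DSA', $row.'Number of Failures', $row.'Last Failure Status'
        }
    }
    # 2. The target should hold no FSMO role before dcpromo is started.
    $rolePattern = '^(.+?)\s{2,}' + [regex]::Escape($Target) + '(\.|\s*$)'
    foreach ($line in ($FsmoText -split '\r?\n')) {
        if ($line -match $rolePattern) { $blockers += 'FSMO role still on {0}: {1}' -f $Target, $Matches[1].Trim() }
    }
    # 3. At least one Global Catalog other than the target must remain.
    $otherGcs = @($GcText -split '\r?\n' | Where-Object { $_ -match '^"?CN=([^,]+),' -and $Matches[1] -ne $Target })
    if ($otherGcs.Count -eq 0) { $blockers += "No Global Catalog would remain without $Target" }
    return $blockers
}

$found = @(Get-DemotionBlockers $TargetDC $replCsv $fsmoText $gcText)
if ($found.Count -gt 0) { $found | ForEach-Object { "BLOCKER: $_" } } else { "No blockers found for $TargetDC" }
```

With the constructed sample the script reports two blockers: the failing DC02 -> DC01 replication link and the PDC role still held by DC01.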

Now, when you are sure that there are no errors in your domain environment, you can start decommissioning the Domain Controller. Log on to that particular server with Domain Admin credentials and type dcpromo in the Run box (as in the DC promotion process).

Demoting DC

The Active Directory Installation Wizard will be displayed. Continue the process.

Active Directory Installation wizard

You will be warned to ensure that at least one Global Catalog will be left in your environment.

On the next screen, do not select the “This server is the last domain controller in the domain” checkbox. This option is only used when you are demoting the last Domain Controller and you also want to remove the domain. So, in this case, continue without any changes on this screen.

Set the server’s password. After decommissioning it will be a domain member server, so you need to specify the local administrator’s password.

To permanently remove the Active Directory role from this server, click “Next”.

Wait until the Active Directory services have been removed from the server. When your DC is decommissioned, you need to reboot it to complete the process.

Active Directory removed

As you can see, your box is a domain member now.

a domain member server

If you wish to keep this server in your environment, consider changing its name (if the name was related to the DC role, as in my example). If you don’t want to use this server anymore, you can shut it down and then clean up DNS records and Sites and Services.

To do that, open the DNS management console and delete all DNS records related to the removed Domain Controller. Next, run the Active Directory Sites and Services console and remove the server from the appropriate Site.

Removing demoted DC from Sites and Services

Confirm that you want to remove this object and that’s it.

DC removal from Sites and Services - confirmation

It’s done.

Author: Krzysztof Pytko


5 responses to “Decommissioning the old Domain Controller”

  1. Cimibrebtew says :

    That was a great piece of information, I enjoyed reading it.
    [edited post. No adverts in comments, please – iSiek]

  2. Anand says :

    Greetings, this was very helpful. I would like to check further: I am told that the basic checks such as dcdiag and the DNS records cleanup, we should also remember to use the correct DNS resolver settings for domain controllers. Can you explain further/provide some info on this? TQ

    • iSiek says :

      Hello Anand,

      yes, it is really important to set up the DNS server list properly on a Domain Controller to avoid issues. If the DNS service is broken on a DC or it is inaccessible, then the Domain Controller cannot come up until a DNS server is reached, as the whole of AD relies on DNS server records.

      To configure the DNS server list properly on each Domain Controller I would suggest setting the DNS servers within the NIC’s properties in this order:

      Primary DNS server: IP address of another DC/DNS server within the same location for fast DNS query resolution
      Alternate DNS server: IP address of that particular Domain Controller itself
      3rd DNS server: IP address of loopback interface (as this is always available if NIC is not broken). So, if during DC reboot no IPs can be reached, then the last chance is contacting the DNS server over the loopback interface (works only if DC is also DNS server).

      I hope these settings would help you.


  3. Matt says :

    Will be keeping this bookmarked for future reference, thanks for the information, very useful.

  4. Steve says :

    Thank you, very helpful in my case!

