Removing a Domain Controller from a Domain

There are times when you need to decommission one or more domain controllers from your domain, and don’t think you just power off that specific domain controller and put it in a closet. No…you need to issue specific commands and follow some wizard steps which safely removes the domain controller, and sets the right permissions on the server. If you don’t do this the rest of the domain controllers will try to reach the one that is disconnected, resulting in increase of traffic and error logs, as a start.

For this guide I have a single forest and a single domain with two Windows 2008 R2 domain controllers (Server-DC and Server-2k8) in one site. We are going to decommission the second domain controller which is Server-2k8.vkernel.local, so let’s get started. Ohh …I almost forgot, this server does not hold any FSMO roles; now log in to Server-2k8, click Start > Run, type dcpromo and click OK or press ENTER.

The Active Directory Domain Services wizard is displayed. Just click Next to skip the Welcome screen.

When you click Next on the Welcome screen a message pops-up, informing us that a Global Catalog server should exist in the domain before you decommission this one. Just click OK because our first domain controller (Server-DC) is also a GB server.

On the next screen we have the option to delete the domain by checking the box Delete the domain because this server is the last domain controller in the domain. You need to be very careful with this, because you can destroy the domain and clients will not be able to log in, besides other things. In this example we are going to leave the box unchecked, so click Next to continue.

Here type the new password for the local Administrator account.

On the Summary screen click Next to begin the removal process.

On the window that pops-up we have the option to automatically reboot the server by checking the box Reboot on completion.

When is done click Finish and restart the server. This screen will not appear if you previously checked the box to automatically restart.

As you can see after restart the server is now part of the domain, just like a file server or a client. You can log in using a domain or a local administrator account.

After you are logged on, you can see that Active Directory Snap-ins are still present on Administrative Tools. To remove them, open Server Manager and from the Roles section choose Remove Roles, then clear those roles boxes and click Next.

There’s one more thing we need to do, we need to delete the former domain controller from the sites link. From a domain controller, and in this example there is only one left, open Active Directory Sites and Services from Administrative Tools. Expand Default-First-Site-Name > Server, identify the name of the server we just decommissioned, right click on it and choose Delete. Click Yes on the warning message. Your site name may be different, or you may have multiple sites, be careful which server you delete.