Decommissioning a Domain Controller

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Decommissioning a domain controller effectively removes all Active Directory and related components and returns the domain controller to a member server role.

Protecting EFS-encrypted files

If the domain controller to be decommissioned hosts any Encrypting File System (EFS) encrypted files, you must take precautions to protect the private key for the recovery agent for the local EFS-encrypted documents. It is possible for this key to be lost during the demotion when the Security Accounts Manager (SAM) is recreated on the computer. In this case, you are cannot recover encrypted documents on this computer unless the recovery agent is changed to an existing domain account before encryption. To prevent loss of the private key, you must back up (export) the recovery agent private key before you decommission the domain controller. After you remove Active Directory, re-import the private key.

You must be able to ensure that the domain account that serves as the recovery agent for the certificate remains the same after removing Active Directory. If you cannot guarantee that the account will remain the same after the domain controller is decommissioned, or if you removed Active Directory without backing up the certificate and you cannot recover EFS-encrypted files, see article 276239 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=117370).

Task Requirements

The following tools are required to perform the procedures for this task:

  • Ntdsutil.exe

  • Active Directory Domains and Trusts

  • Active Directory Users and Computers

  • Active Directory Sites and Services

  • Netdiag.exe

  • Dcdiag.exe

To complete this task, perform the following procedures:

  1. View the current operations master role holders

    To avoid problems, transfer any operations master roles prior to running the Active Directory Installation Wizard to decommission a domain controller so that you can control the operations master role placement. If you need to transfer any roles from a domain controller, understand all the recommendations for role placement before performing the transfer.

    Warning

    During the decommissioning process, the Active Directory Installation Wizard will attempt to transfer any remaining operations master roles to other domain controllers without any user interaction. However, if a failure occurs, the wizard will continue to uninstall Active Directory and leave your domain without roles. Also, you do not have control over which domain controller receives the roles. The wizard transfers the roles to any available domain controller and does not indicate which domain controller hosts them.

  2. Transfer the schema master

  3. Transfer the domain naming master

  4. Transfer the domain-level operations master roles

  5. Determine whether a domain controller is a global catalog server

    If you remove Active Directory from a domain controller that hosts a global catalog, the Active Directory Installation Wizard confirms that you want to continue with removing Active Directory. This confirmation ensures that you are aware that you are removing a global catalog from your environment. Do not remove the last global catalog server from your environment because users cannot log on without an available global catalog server. If you are not sure, do not proceed with removing Active Directory until you know that at least one other global catalog server is available.

  6. Verify DNS registration and functionality

  7. Verify communication with other domain controllers

    During the removal of Active Directory, contact with other domain controllers is required to ensure:

    • Any unreplicated changes are replicated to another domain controller.

    • Removal of the domain controller from the directory.

    • Transfer of any remaining operations master roles.

    If the domain controller cannot contact the other domain controllers during Active Directory removal, the decommissioning operation fails. As with the installation process, test the communication infrastructure prior to running the installation wizard. When you remove Active Directory, use the same connectivity tests that you used during the installation of Active Directory.

  8. Verify the availability of the operations masters

    Important

    If any of the verification tests fail, do not continue until you determine and fix the problems. If these tests fail, the uninstallation is also likely to fail.

  9. If the domain controller hosts encrypted documents, perform the following procedure before you remove Active Directory to ensure that the encrypted files can be recovered after Active Directory is removed:

    Export a certificate with the private key (https://go.microsoft.com/fwlink/?LinkId=20039)

  10. Uninstall Active Directory

  11. If the domain controller hosts encrypted documents and you backed up the certificate and private key before you remove Active  Directory, perform the following procedure to re-import the certificate to the server:

    Import a certificate (https://go.microsoft.com/fwlink/?LinkId=20040)

  12. Determine whether a Server object has child objects

  13. Delete a Server object from a site

    Note

    The administrator may not want to remove the Server object if it hosts something in addition to Active Directory—Microsoft Exchange, for example.