Planning safe Decommission of Domain Controller (Decommission of Active Directory site) Without Impacting Users

By | March 1, 2018

Best practice for decommissioning a Domain Controller server: in general, decommissioning a Domain Controller is a straightforward procedure that does not require much planning, because there is normally a redundant Domain Controller in the same site and client authentication is simply handled by the other DCs. If, however, you want to find out whether any application is hard-coded ("hard path" setting) to this DC, or the site itself is closing and you want to know whether any users or applications are still using the Domain Controller before it is shut down or powered off, the following step-by-step procedure lets you do that without impacting users.

Also Read: How do I find what is accessing my LDAP Server and what LDAP query used and how many queries for a period of time?

Things to check before demoting a DC from AD DS


Isolate the Domain Controller

Create a temporary AD site and move the Domain Controller you want to remove into it. Make sure the temporary AD site contains only the DC's own subnet, so that no client authentication reaches the DC.

Also check that the DC's SRV records now point to the new temporary AD site, and delete any record that still points to the old user site. This should happen dynamically and require no manual action; just confirm that the SRV records are in place as expected.
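The isolation step above, scripted as an added example (not part of the original post): it creates the temporary site with a subnet covering only the DC, moves the DC, then checks the site-specific SRV records. The names DC-OLD, corp.example.com, 10.10.10.5/32, Decom-Temp, Site-HQ and DEFAULTIPSITELINK are assumptions to replace with your own values.

```powershell
# Added example: isolate a DC in a temporary AD site and confirm its
# site-specific SRV records moved with it. All names below are assumed.
Import-Module ActiveDirectory

$dcName   = 'DC-OLD'
$domain   = 'corp.example.com'
$tempSite = 'Decom-Temp'
$oldSite  = 'Site-HQ'             # the user site the DC is leaving
$dcSubnet = '10.10.10.5/32'       # only the DC's own address, so no client subnet maps here

# 1. Create the temporary site and a subnet containing only the DC itself
if (-not (Get-ADReplicationSite -Filter "Name -eq '$tempSite'")) {
    New-ADReplicationSite -Name $tempSite
}
New-ADReplicationSubnet -Name $dcSubnet -Site $tempSite
# A site with no site link does not replicate: add it to the existing link (assumed name)
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{Add = $tempSite}

# 2. Move the DC into the temporary site
Move-ADDirectoryServer -Identity $dcName -Site $tempSite

# 3. Force Netlogon to re-register DNS records and report the site it now believes it is in
Invoke-Command -ComputerName $dcName -ScriptBlock {
    nltest /dsregdns | Out-Null
    nltest /dsgetsite
}

# 4. The DC should be advertised under the temporary site...
Resolve-DnsName -Name "_ldap._tcp.$tempSite._sites.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Select-Object Name, NameTarget, Port

# ...and no longer under the old user site
$stale = Resolve-DnsName -Name "_ldap._tcp.$oldSite._sites.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.NameTarget -like "$dcName.*" }
if ($stale) {
    Write-Warning "Stale SRV record for $dcName still present in site $oldSite; clean it up before continuing."
} else {
    "No $dcName SRV records remain under site $oldSite."
}
```

Run it from a workstation with the AD DS RSAT tools as a domain admin. Dynamic registration normally updates the records on its own once Netlogon restarts or re-registers, so a stale record at step 4 usually means replication to the DNS server queried has not caught up yet; re-check before deleting anything by hand.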

Also See: How secure channel determine the Domain controller in cross-forest

Check Domain Controller event log for any client authentication request

Make sure auditing is enabled for all logon and logoff events. Check for Event ID 540 on a Windows Server 2003 DC, and Event ID 4624 on Windows Server 2008 R2, 2012 R2 and 2016, in the security event log of the Domain Controller being decommissioned to find whether any users have logged on to the site from any workstation; you will also be able to see whether any application is still using the DC through a static configuration.
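An added example (not from the original post) of reading those 4624 events off the DC and grouping them by source host, so any client or application still authenticating against this DC stands out. The DC name DC-OLD and the seven-day window are assumptions.

```powershell
# Added example: summarize successful logons (Event ID 4624) on the DC being
# decommissioned by source address. Assumed DC name and look-back period.
$dcName = 'DC-OLD'
$since  = (Get-Date).AddDays(-7)

# Pull 4624 events from the remote Security log (requires Logon success auditing)
$events = Get-WinEvent -ComputerName $dcName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = $since
} -ErrorAction SilentlyContinue

# Parse each event's XML by field name rather than by position
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = [int]$d.LogonType
        Workstation = $d.WorkstationName
        SourceIP    = $d.IpAddress
    }
}

# Drop local/system logons and computer accounts (names ending in $), which are
# mostly the DC itself and replication partners, not the clients we are looking for
$remote = $records | Where-Object {
    $_.SourceIP -and $_.SourceIP -notin @('-', '127.0.0.1', '::1') -and
    $_.User -notlike '*$'
}

# Which hosts still talk to this DC, how often, and as whom
$remote | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n = 'Users';      e = { ($_.Group.User | Sort-Object -Unique) -join ', ' }},
        @{n = 'LogonTypes'; e = { ($_.Group.LogonType | Sort-Object -Unique) -join ',' }} |
    Format-Table -AutoSize
```

A source address that keeps appearing with logon type 3 (network) after the DC has been isolated is the typical signature of an application with a hard-coded DC name or IP; logon type 10 or 2 entries show interactive users. Computer accounts are filtered out here to keep the list readable, but include them if you also want to see servers whose secure channel is still pinned to this DC.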

Also Read: How to troubleshoot workstation Trust relationship issues on Domain

Check Domain Controller Role

Check whether any FSMO roles are held by this DC using "netdom query fsmo", and move the roles to other Domain Controllers.

Check the DNS Role

Check whether any member server/computer or DHCP scope uses the Domain Controller's IP as its primary DNS server, and change it to another DNS server in the domain.

Check whether any other roles are held by the DC

Roles such as DFSR, file server, print server and any other server role: move all of them to a different live server.
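The three checks above (FSMO roles, DNS dependencies, other installed roles) as one added audit script; this is example code, not from the original post. The names DC-OLD, its IP 10.10.10.5, the replacement DC-NEW and the DHCP server DHCP01 are assumptions, and the script needs the AD DS, DHCP and Server Manager RSAT modules.

```powershell
# Added example: pre-demotion audit of a DC. Assumed names throughout.
Import-Module ActiveDirectory, DhcpServer, ServerManager

$dcName = 'DC-OLD'; $dcIp = '10.10.10.5'; $newDc = 'DC-NEW'; $dhcpServer = 'DHCP01'

# 1. FSMO roles: same information as "netdom query fsmo", then a transfer (not a seizure)
$domain = Get-ADDomain; $forest = Get-ADForest
$fsmo = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$held = $fsmo.GetEnumerator() | Where-Object { $_.Value -like "$dcName.*" }
if ($held) {
    "FSMO roles still on ${dcName}: $($held.Key -join ', ')"
    Move-ADDirectoryServerOperationMasterRole -Identity $newDc -OperationMasterRole $held.Key -Confirm:$false
} else {
    "No FSMO roles held by $dcName."
}

# 2. DHCP: scopes (or the server-level option) still handing out the DC as DNS server (option 006)
foreach ($s in Get-DhcpServerv4Scope -ComputerName $dhcpServer) {
    $dns = (Get-DhcpServerv4OptionValue -ComputerName $dhcpServer -ScopeId $s.ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
    if ($dns -contains $dcIp) {
        "Scope $($s.ScopeId) ($($s.Name)) hands out $dcIp as DNS: $($dns -join ', ')"
    }
}
$serverDns = (Get-DhcpServerv4OptionValue -ComputerName $dhcpServer -OptionId 6 -ErrorAction SilentlyContinue).Value
if ($serverDns -contains $dcIp) { "Server-level option 006 on $dhcpServer lists $dcIp" }

# 3. Statically configured servers: any NIC on a domain server that points at the DC for DNS
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
    Select-Object -ExpandProperty DNSHostName
Invoke-Command -ComputerName $servers -ErrorAction SilentlyContinue -ArgumentList $dcIp -ScriptBlock {
    param($ip)
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $ip } |
        Select-Object @{n = 'Host'; e = { $env:COMPUTERNAME }}, InterfaceAlias, ServerAddresses
}

# 4. Roles installed on the DC other than AD DS and DNS (DFSR, file, print, ...)
Get-WindowsFeature -ComputerName $dcName |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -notin 'AD-Domain-Services', 'DNS' } |
    Select-Object Name, DisplayName
```

Step 3 only reaches servers that answer WinRM; workstations with static DNS settings will not show up here, which is one more reason the event-log check and the week-long shutdown are still needed. Step 4 lists installed roles, not whether they are actually in use, so confirm each one (shares, print queues, DFSR replication groups) before moving it.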

Final Check

Shut down the Domain Controller for a week before the permanent decommission/power-off. Any application server, user or client system that still uses the DC will fail and you will be notified; fix the issue by re-pointing it to another working Domain Controller.

In the worst case you can power the Domain Controller back on and keep it live until the issue is fixed; this minimizes the impact.

Also See: Active Directory real time issues and solutions


If you follow the checklist above, you can safely remove a Domain Controller without major impact on any application.

Also Read: Troubleshoot Active Directory Server Replication
