Active Directory : Checklist for Decommissioning a Domain Controller

Domain Controllers are among the most critical components in any Windows-centric IT environment. Their importance grows significantly when your infrastructure relies on AD-integrated services like Exchange, SharePoint, Failover Clustering, DFS, and other enterprise applications. In such scenarios, a Domain Controller becomes a vital backbone of your operations.

Given this level of dependency, it’s crucial to approach the demotion of a Domain Controller with careful planning.

In this article, we share a production-tested checklist that we’ve used to successfully decommission over 50 Domain Controllers across diverse environments—with a 99% success rate and no major outages.

While preparing such a checklist is time-consuming, it’s a worthwhile investment considering the critical role Domain Controllers play. This checklist also addresses considerations for AD-integrated DNS servers, which are commonly deployed in most Active Directory environments.

Additionally, the article outlines a high-level action plan for Domain Controller decommissioning and the necessary post-cleanup tasks.

Please note that this article does not cover the step-by-step demotion process itself—for that, we recommend referring to the relevant TechNet documentation specific to your Windows Server version.


The Checklist

Item: Verify that this server is not the last Domain Controller for this domain (most important).
How to check: Use the ADUC console or a PowerShell command to get a list of active Domain Controllers. Alternatively, use this script to get a list of all Domain Controllers.

Item: Does any system (server or workstation) point to this server as its DNS server?
How to check: Use this script to find the list of preferred DNS servers for multiple systems.

Item: Is there any DHCP scope that assigns this server's IP as the preferred DNS server to DHCP clients? Also check the DHCP global scope (Server Option).
How to check: Validate each DHCP scope, including the global scope (Server Option on a Windows-based DHCP server).

Item: Is there any DNS forwarder pointing to this DNS server?
How to check: Use this script to find the list of forwarders for multiple DNS servers.

Item: Is there any conditional forwarder within this forest that uses this DNS server's IP?
How to check: Check manually or with the help of a PowerShell script.

Item: Is there any conditional forwarder outside this forest that uses this DNS server's IP?
How to check: Check manually or with the help of a PowerShell script.

Item: Are other logon servers (Domain Controllers) available in the AD site from which you are decommissioning this Domain Controller?
How to check: Use this script to get the following information:
1) List of DCs and GCs, site-wise.
2) Domain and forest FSMO role holder details.
If this server is a Global Catalog, make sure there is another Global Catalog server available in the same AD site.

Item: Is this Domain Controller holding any Operations Master (FSMO) role?
How to check: The script from the previous item also reports the domain and forest FSMO role holders.

Item: Does the Exchange server / email server in your environment have any kind of dependency on this Domain Controller?
How to check: Check with the Exchange team.

Item: Does this Domain Controller act as an ADFS server?
How to check: Check the server role in Server Manager. Also check Services.

Item: Does this Domain Controller act as an LDS server?
How to check: Check the server role in Server Manager. Also check Services.

Item: Does this Domain Controller act as a KMS server?
How to check: Check the server role in Server Manager. Also check Services.

Item: Does this Domain Controller act as a DHCP server?
How to check: Check the server role in Server Manager. Also check Services.

Item: Does this Domain Controller act as a Certificate server?
How to check: Check the server role in Server Manager. Also check Services.

Item: Does this Domain Controller act as a DFS Namespace server?
How to check: Check from the DFS console.

Item: Is any other application, tool or role installed on this server and, if so, is there still any dependency on it?
How to check: Check all installed programs, roles and services. Also notify all application owners before you demote this Domain Controller.
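The following script is an added example and is not the script referenced in the checklist above, nor code from the article's author. It automates most of the checklist for one Domain Controller: the last-DC check, other DCs and Global Catalogs in the same site, FSMO roles, DNS forwarders and conditional forwarders on the remaining DCs, DHCP option 006 at server and scope level, and extra roles installed on the DC itself. It assumes the ActiveDirectory, DnsServer and DhcpServer RSAT modules and an account with read access to those servers; the parameter name $OldDc and the list of feature names to look for are this example's own choices. The client-side check (which workstations and servers use this DC as their DNS server) needs a host list and is not covered here.

```powershell
# Added example, not part of the original article: automates the dependency checks in the
# checklist above for one Domain Controller. Assumes the ActiveDirectory, DnsServer and
# DhcpServer RSAT modules and read access to the DCs, DNS and DHCP servers.
# $OldDc is an assumed parameter name; pass the DC you intend to demote.
param([Parameter(Mandatory)][string]$OldDc)
Import-Module ActiveDirectory, DnsServer, DhcpServer

$target    = Get-ADDomainController -Identity $OldDc
$oldIp     = $target.IPv4Address
$domainDcs = Get-ADDomainController -Filter * -Server $target.Domain
$otherDcs  = $domainDcs | Where-Object HostName -ne $target.HostName

# 1) Most important: never demote the last DC of the domain.
if (-not $otherDcs) {
    throw "$OldDc is the LAST Domain Controller in $($target.Domain). Do not demote it."
}

# 2) Other logon servers and Global Catalogs in the same AD site.
$siteMates = $otherDcs | Where-Object Site -eq $target.Site
[pscustomobject]@{
    Site       = $target.Site
    TargetIsGC = $target.IsGlobalCatalog
    OtherDCs   = ($siteMates.HostName -join ', ')
    OtherGCs   = (($siteMates | Where-Object IsGlobalCatalog).HostName -join ', ')
}

# 3) FSMO roles held by this DC (Get-ADDomainController fills OperationMasterRoles).
if ($target.OperationMasterRoles) {
    Write-Warning "$OldDc holds FSMO role(s): $($target.OperationMasterRoles -join ', '). Transfer them first."
}

# 4) DNS forwarders and conditional forwarders on the other DCs that still use this IP.
foreach ($dc in $otherDcs) {
    try {
        $fwd = Get-DnsServerForwarder -ComputerName $dc.HostName -ErrorAction Stop
        if ($fwd.IPAddress.IPAddressToString -contains $oldIp) {
            Write-Warning "$($dc.HostName): forwarder list contains $oldIp"
        }
        Get-DnsServerZone -ComputerName $dc.HostName -ErrorAction Stop |
            Where-Object { $_.ZoneType -eq 'Forwarder' -and
                           $_.MasterServers.IPAddressToString -contains $oldIp } |
            ForEach-Object { Write-Warning "$($dc.HostName): conditional forwarder '$($_.ZoneName)' uses $oldIp" }
    } catch {
        Write-Verbose "$($dc.HostName): DNS role not reachable ($_)"
    }
}

# 5) DHCP option 006 (DNS Servers) at server level and in every scope, on every authorized DHCP server.
foreach ($dhcp in Get-DhcpServerInDC) {
    $srv = $dhcp.DnsName
    try {
        $serverOpt = Get-DhcpServerv4OptionValue -ComputerName $srv -OptionId 6 -ErrorAction SilentlyContinue
        if ($serverOpt.Value -contains $oldIp) { Write-Warning "${srv}: server option 006 contains $oldIp" }
        foreach ($scope in Get-DhcpServerv4Scope -ComputerName $srv -ErrorAction Stop) {
            $opt = Get-DhcpServerv4OptionValue -ComputerName $srv -ScopeId $scope.ScopeId -OptionId 6 -ErrorAction SilentlyContinue
            if ($opt.Value -contains $oldIp) { Write-Warning "${srv}: scope $($scope.ScopeId) option 006 contains $oldIp" }
        }
    } catch {
        Write-Verbose "${srv}: DHCP not reachable ($_)"
    }
}

# 6) Additional roles installed on the DC itself (AD FS, AD LDS, DHCP, AD CS, DFS Namespaces, KMS).
$rolesOfInterest = 'ADFS-Federation', 'ADLDS', 'DHCP', 'ADCS-Cert-Authority', 'FS-DFS-Namespace', 'VolumeActivation'
Get-WindowsFeature -ComputerName $OldDc |
    Where-Object { $_.Installed -and $_.Name -in $rolesOfInterest } |
    Select-Object Name, DisplayName
```

Run it as `.\Check-DcDependencies.ps1 -OldDc DC03 -Verbose` (the file and DC names are placeholders). Every finding is emitted as a warning so the output can be pasted into the change record; a clean run with no warnings and with at least one other DC and GC listed for the site is the condition the checklist is looking for. Conditional forwarders in other forests (the checklist's fifth item) are outside this script's reach and still need a manual check there.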

High-Level Action Plan

The steps below form the high-level action plan you should follow. Some steps may vary depending on your environment.

1. Inform all teams and stakeholders about the upcoming decommission activity, along with the DC list. Also share the details of the new DC / DNS server to be used as a replacement.
2. Perform an impact analysis and ensure that no dependency on this server remains. For that, follow the previous (checklist) worksheet.
3. Once all dependencies have been assessed, raise a Change Request to remove them and then shut down the Domain Controllers.
4. Keep those DCs powered off for 1-2 weeks to ensure that no dependency is left.
5. Once it has been confirmed that no dependency remains, raise a Change Record and get it approved by all stakeholders. Begin the decommission activity only when the Change Record is in an approved state.
6. Demote the Domain Controller. Ensure that this server is NOT the last Domain Controller.
7. Disjoin the server from the domain.
8. Shut down the server.
9. Delete (for a VM) or format (for a physical server) the server as per organization policy, and update the inventory.
10. Return the IP address to the Network team for reuse.

Validation

One hour after demoting the DC, run a replication report for the entire forest and validate that the demoted DC no longer appears as a replication partner. Also validate that replication between the remaining Domain Controllers is not impacted.

Post-Decommission Cleanup

This is one of the most commonly overlooked areas during Domain Controller and DNS decommissioning activities. However, it’s important to understand that if proper cleanup isn’t performed at the time of decommissioning, it often gets forgotten—until stale entries cause issues down the line. Therefore, make it a best practice to complete the cleanup immediately after decommissioning, and don’t consider the activity fully complete until this step is done.

While the exact implementation may vary based on your environment, there are some fundamental guidelines you should always follow.

1. Remove the computer account from AD (if not removed already).
2. Remove the DNS host record.
3. Remove the server from the Name Server (NS) entries of all DNS zones.
4. Remove all delegations (glue records) pointing to this server.
5. Remove the server from all SRV records.
6. Remove the DHCP reservation (if applicable).
7. Remove the server from the backup console.
8. Remove the server from the monitoring console (e.g. SCOM).
9. Remove the server from the antivirus console.
10. Remove the server from the patch management console (e.g. WSUS or SCCM).
11. Remove the server from the inventory, or mark it as decommissioned.
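The script below is an added example, not code from the article, covering the Validation section and cleanup items 1 to 5 above in one pass: it checks forest-wide replication metadata for the demoted DC and for failing links, confirms the computer account is gone, and then audits every zone on one DNS server for A, PTR, NS (including delegation glue) and SRV records that still name the old DC or its IP. It assumes the ActiveDirectory and DnsServer RSAT modules; the parameter names $OldDc, $OldIp, $DnsServer and the -Remove switch are this example's own. By default it only reports; nothing is deleted unless -Remove is given.

```powershell
# Added example, not part of the original article: post-demotion validation (replication) and
# a DNS cleanup audit for cleanup items 1 to 5. Assumes the ActiveDirectory and DnsServer RSAT
# modules; $OldDc, $OldIp and $DnsServer are assumed parameter names. Without -Remove the
# script only reports; with -Remove it deletes the DNS records it found.
param(
    [Parameter(Mandatory)][string]$OldDc,   # short name of the demoted DC (e.g. DC03, a placeholder)
    [Parameter(Mandatory)][string]$OldIp,   # its former IPv4 address
    [string]$DnsServer = [string](Get-ADDomainController -Discover).HostName,
    [switch]$Remove
)
Import-Module ActiveDirectory, DnsServer
$fqdn = "$OldDc.$((Get-ADDomain).DNSRoot)"

# 1) Validation (run about an hour after demotion, as the article recommends): the demoted DC
#    must no longer appear as a replication partner, and the remaining links must not be failing.
$meta  = Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest
$stale = $meta | Where-Object { $_.Partner -like "*CN=$OldDc,CN=Servers,*" }
if ($stale) {
    Write-Warning "$fqdn is still a replication partner of: $(($stale.Server | Sort-Object -Unique) -join ', ')"
}
$meta | Where-Object LastReplicationResult -ne 0 |
    Select-Object Server, Partner, LastReplicationResult, LastReplicationAttempt

# 2) Cleanup item 1: the computer account should be gone after demotion and disjoin.
if (Get-ADComputer -Filter "Name -eq '$OldDc'") {
    Write-Warning "Computer account '$OldDc' still exists in AD"
}

# 3) Cleanup items 2 to 5: A/PTR records, NS entries (including delegation glue) and SRV records
#    in every non-automatic zone on the DNS server that still reference the old DC or its IP.
$hits = foreach ($zone in Get-DnsServerZone -ComputerName $DnsServer | Where-Object { -not $_.IsAutoCreated }) {
    $rrs = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue
    foreach ($rr in $rrs) {
        $match = switch ($rr.RecordType) {
            'A'     { $rr.RecordData.IPv4Address.IPAddressToString -eq $OldIp }
            'PTR'   { $rr.RecordData.PtrDomainName.TrimEnd('.') -ieq $fqdn }
            'NS'    { $rr.RecordData.NameServer.TrimEnd('.') -ieq $fqdn }
            'SRV'   { $rr.RecordData.DomainName.TrimEnd('.') -ieq $fqdn }
            default { $false }
        }
        if ($match) { [pscustomobject]@{ Zone = $zone.ZoneName; Record = $rr } }
    }
}

# Report (and optionally remove) each stale record; -WhatIf can be added to the Remove call for a dry run.
foreach ($h in $hits) {
    '{0,-40} {1,-4} {2}' -f $h.Zone, $h.Record.RecordType, $h.Record.HostName
    if ($Remove) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $h.Zone -InputObject $h.Record -Force
    }
}
```

Run the audit first (`.\Audit-DcCleanup.ps1 -OldDc DC03 -OldIp 10.0.0.3`, all placeholder values), review the list against the _msdcs and domain zones, and only then rerun with -Remove. Because AD-integrated zones replicate, removing the records on one DC is enough; the DHCP reservation and the backup, monitoring, antivirus, patching and inventory entries (items 6 to 11) live in other consoles and are not touched by this script.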

Summary

In this article, we have gone through the activities that need to be performed before, during and after the decommissioning of Domain Controllers and AD-integrated DNS servers.
