
The Real-World Checklist for Decommissioning a Domain Controller Properly

Transfer FSMO roles, sync replication, run demotion, verify DNS — every step in the right order with the right commands. The one runbook you want before pulling the plug on a DC.

10 min read · Updated 2026

Do This First — Check FSMO Roles

Before touching anything, find out if this DC holds any FSMO roles. Demoting a role holder without transferring first is the most common mistake — and the hardest to recover from.

# Check which FSMO roles are held by the DC you're decommissioning
netdom query fsmo

# Or using PowerShell
Get-ADDomain | Select PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select SchemaMaster, DomainNamingMaster

If your DC appears in any of those outputs, transfer the roles to another healthy DC before proceeding. See the FSMO Migration runbook for the exact commands.

Warning: Never demote the last DC in a domain. Verify you have at least one other healthy, fully-replicated DC before starting.

Pre-Demotion Health Check

# Verify replication is current — no backlog or failures
repadmin /replsummary
repadmin /showrepl

# Run full DC diagnostics
dcdiag /test:Replications
dcdiag /test:Services
dcdiag /test:FSMOCheck

# Force a full sync to make sure all changes replicate off this DC before demotion
repadmin /syncall /AdeP

Fix any replication errors before demoting. A DC that demotes with unsynced changes may leave orphaned objects or inconsistent data on other DCs.

Transfer the Global Catalog Role (if applicable)

# Check if this DC is a Global Catalog server
Get-ADDomainController -Identity DCTOREMOVE | Select Name, IsGlobalCatalog

If IsGlobalCatalog is True, either enable the GC role on another DC first, or confirm that another DC in the same site is already a GC. Without a local GC, logons slow dramatically (Universal Group Membership Caching can mitigate this but adds complexity).

# Add GC role to another DC before removing it from this one
Set-ADObject -Identity "CN=NTDS Settings,CN=TARGETDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local" `
  -Replace @{options=1}

Wait 15 minutes after adding the GC role before demoting the old DC. Confirm the new GC is advertising with nltest /dsgetdc:corp.local /gc.
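The FSMO, last-DC, GC-coverage and replication checks above can be run as one pre-flight before you start. This is an added example, not part of the original runbook; it assumes the ActiveDirectory RSAT module, a domain admin session on a surviving DC, and uses the runbook's DCTOREMOVE placeholder name.

```powershell
# Added pre-flight check (not the runbook's own code). Assumes the ActiveDirectory
# RSAT module and a domain admin session on a surviving DC; DCTOREMOVE is the
# runbook's placeholder host name.
Import-Module ActiveDirectory

function Test-DcDecommissionReady {
    param([Parameter(Mandatory)][string]$DcName)

    $dc     = Get-ADDomainController -Identity $DcName
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $issues = New-Object System.Collections.Generic.List[string]

    # FSMO: all five holders are reported as DC FQDNs; any match means transfer first
    $roles = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -eq $dc.HostName) { $issues.Add("Holds FSMO role $($r.Key): transfer it first") }
    }

    # Never demote the last DC in the domain
    $others = @(Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $dc.HostName })
    if ($others.Count -eq 0) { $issues.Add('No other DC found in the domain') }

    # GC coverage: if this DC is a GC, another GC must already exist in the same site
    if ($dc.IsGlobalCatalog) {
        $siteGc = $others | Where-Object { $_.Site -eq $dc.Site -and $_.IsGlobalCatalog }
        if (-not $siteGc) { $issues.Add("Only GC in site $($dc.Site): enable GC on another DC first") }
    }

    # Replication: outstanding failures mean changes may never leave this DC
    $fail = @(Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue)
    if ($fail.Count -gt 0) { $issues.Add("$($fail.Count) replication failure(s): see repadmin /showrepl") }

    [pscustomobject]@{
        DC     = $dc.HostName
        Ready  = ($issues.Count -eq 0)
        Issues = $issues
    }
}

Test-DcDecommissionReady -DcName 'DCTOREMOVE'
```

Proceed to demotion only when Ready is True; each entry in Issues maps to a step earlier in this runbook.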

Run the Demotion

1. Demote via PowerShell (recommended)

# Run on the DC you're demoting — as domain admin
Uninstall-ADDSDomainController `
  -DemoteOperationMasterRole:$false `
  -RemoveApplicationPartition:$true `
  -Confirm:$false

The DC will prompt for a local administrator password (the machine will become a standalone server after demotion). It reboots automatically when done.

2. Demote via Server Manager (GUI alternative)

Open Server Manager → Manage → Remove Roles and Features → Active Directory Domain Services → Demote this domain controller. The wizard walks through the same process.

Note: If the demotion wizard shows an error about not being able to contact another DC, check network connectivity and DNS. The DC must reach another DC during demotion to transfer its remaining changes.

Post-Demotion Cleanup

After the server reboots as a member server, clean up its traces from Active Directory and DNS on a healthy DC:

# Remove the computer account from the Domain Controllers OU
# (This also cleans up the NTDS metadata on Server 2008 R2+)
Get-ADComputer -Identity DCTOREMOVE | Remove-ADObject -Recursive -Confirm:$false

# Remove from AD Sites and Services
dssite.msc
# Navigate: Sites -> [Site] -> Servers -> [DCTOREMOVE]
# Delete NTDS Settings first, then the server object

# Remove stale DNS records
Remove-DnsServerResourceRecord -ZoneName "corp.local" -Name "DCTOREMOVE" -RRType A -Force
Remove-DnsServerResourceRecord -ZoneName "_msdcs.corp.local" -Name "DCTOREMOVE" -RRType A -Force

# Re-register surviving DC DNS records (Netlogon re-registers the DC's SRV records on start;
# Restart-Service is used because "&&" is not valid in Windows PowerShell 5.1)
Restart-Service Netlogon
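A removed DC usually leaves more than its own A record behind: SRV records under _tcp and _sites, the DSA-GUID CNAME in _msdcs, NS records and the gc._msdcs A record all point at it by FQDN or IP. The sweep below, an added example that is not the runbook's own code, reports every record in the given zones that still references the old DC and deletes them only when -Remove is passed. It assumes the DnsServer RSAT module, a domain admin session on a surviving DNS server, and the runbook's corp.local / DCTOREMOVE placeholders; the IP is a constructed sample.

```powershell
# Added example (not the runbook's own code). Assumes the DnsServer RSAT module and
# a domain admin session on a surviving DC that also runs DNS.
Import-Module DnsServer

function Find-StaleDcDnsRecords {
    param(
        [Parameter(Mandatory)][string]$OldDcFqdn,   # e.g. DCTOREMOVE.corp.local (placeholder)
        [string]$OldDcIp,                           # old DC address; catches gc._msdcs A records
        [string[]]$Zones = @('corp.local', '_msdcs.corp.local'),
        [string]$DnsServer = 'localhost',
        [switch]$Remove                             # default is report-only
    )
    $shortName = $OldDcFqdn.Split('.')[0]
    foreach ($zone in $Zones) {
        foreach ($rec in Get-DnsServerResourceRecord -ZoneName $zone -ComputerName $DnsServer) {
            # Pull out the target each record type points at
            $target = switch ($rec.RecordType) {
                'A'     { $rec.RecordData.IPv4Address.IPAddressToString }
                'CNAME' { $rec.RecordData.HostNameAlias }
                'SRV'   { $rec.RecordData.DomainName }
                'NS'    { $rec.RecordData.NameServer }
                default { $null }
            }
            # Stale if the record is named after the DC or its data resolves to it
            $byName = ($rec.RecordType -eq 'A') -and ($rec.HostName -eq $shortName)
            $byData = $target -and (($target.TrimEnd('.') -eq $OldDcFqdn) -or
                                    ($OldDcIp -and ($target -eq $OldDcIp)))
            if (-not ($byName -or $byData)) { continue }
            [pscustomobject]@{ Zone = $zone; Name = $rec.HostName; Type = $rec.RecordType; Target = $target }
            if ($Remove) {
                $rec | Remove-DnsServerResourceRecord -ZoneName $zone -ComputerName $DnsServer -Force
            }
        }
    }
}

# Report first; re-run with -Remove once the list contains only the old DC's records.
# 10.0.0.5 is a constructed sample address.
Find-StaleDcDnsRecords -OldDcFqdn 'DCTOREMOVE.corp.local' -OldDcIp '10.0.0.5' | Format-Table
```

Run the report before Restart-Service Netlogon so surviving DCs' fresh registrations are not mistaken for leftovers.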

Verify Everything is Clean

# Confirm the DC is gone from the directory
Get-ADDomainController -Filter * | Select Name, Site, IsGlobalCatalog

# Confirm FSMO roles are on healthy DCs
netdom query fsmo

# Confirm replication is healthy across remaining DCs
repadmin /replsummary

# Full diagnostics on a healthy DC
dcdiag /test:Replications
dcdiag /test:FSMOCheck
dcdiag /test:DNS

Final step: If the server is a VM, snapshot or archive it before deleting. Keep it for 30 days. If a dependency surfaces (old backup job, monitoring agent, hardcoded script), you'll want the ability to recover data from it without a full restore.

Common Demotion Failures

  • "This server is the last domain controller in the domain" — Windows detected no other DCs. Verify another DC exists and is reachable. Check DNS.
  • "Active Directory Domain Services could not transfer the remaining data" — Replication to other DCs failed. Fix replication errors first, then retry.
  • Demotion hangs indefinitely — Usually a DNS issue preventing the DC from finding peers. Verify the DC's DNS server setting points to another DC, not itself.
  • "You cannot demote this domain controller because it is the last..." — Check if this DC is the only one holding the Infrastructure Master or RID Master. Transfer those roles first.