1. Move FSMO Roles to new DC.
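The post gives this step as a one-liner. The following is an added example, not from the original post, of doing the transfer and the check from PowerShell on the new domain controller (ActiveDirectory module, Server 2008 R2 or later, run as a member of Domain Admins, Enterprise Admins and Schema Admins). The server names are placeholders. One practical caveat: SBS 2008/2011 checks that it still holds the FSMO roles, and once they are gone it starts a grace period after which it shuts itself down periodically, so finish the rest of the decommissioning inside that window.

```powershell
# Added example (not from the original post). Run on the NEW domain controller.
Import-Module ActiveDirectory

$OldSbs = 'SBS2011'   # assumption: hostname of the SBS server being retired
$NewDc  = 'DC01'      # assumption: hostname of the new domain controller

$roles = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

# Graceful transfer (no -Force): the SBS server must be online and reachable.
# -Force would be a seizure, which is only appropriate when the source DC is
# permanently gone and must never be used while it can still come back online.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $roles -Confirm:$false

# Verify from the directory itself, not from the cmdlet's output, that nothing
# is still held by the SBS server before continuing with the decommission.
$forest  = Get-ADForest
$domain  = Get-ADDomain
$holders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$onOldDc = '^' + [regex]::Escape($OldSbs) + '\.'   # FQDN starting with the old hostname

$holders.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value -match $onOldDc) { 'STILL ON OLD DC' } else { 'OK' }
    "{0,-22} {1,-40} {2}" -f $_.Key, $_.Value, $state
}
if (@($holders.Values | Where-Object { $_ -match $onOldDc }).Count -gt 0) {
    throw "One or more FSMO roles are still held by $OldSbs; do not proceed with decommissioning."
}
```

The same result can be confirmed from any DC with `netdom query fsmo`; the PowerShell check above is just the scripted form of reading the forest and domain objects rather than trusting that the move cmdlet returned without error.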
2. Backup the Certificate Authority role and remove it
Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward; in most migrations the role can be removed with no ill effects. Before you do, open the Certification Authority console and check the Pending Requests and Issued Certificates folders: if nothing is pending and no unexpired certificate issued by this CA is still in use (for example on the new server, or on workstations for VPN or Wi-Fi authentication), you should be good to go. Any certificate that is still in use should be replaced first, because once the CA is gone it can no longer be revoked and no new CRL will be published for it. It is also good practice to follow the proper procedure to back up the Certificate Authority in case it needs to be resurrected in the future on a new server. To back up the database and the CA's private key, open a command prompt (as Administrator) and perform the following:
- Type certutil.exe -backupdb C:\CABackup and press ENTER to back up the database.
- Type certutil.exe -backupkey C:\CABackup and press ENTER to back up the CA certificate and private key. Note: you will be asked to enter a password to protect the key. The resulting .p12 file is the CA's private key, so store it and its password as secrets, not as an ordinary file backup.
- Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service.
- Type reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\CAregistry.reg and press ENTER to export the registry key to a file.
You may also need to copy the CAPolicy.inf file from the %SystemRoot% directory (if using a custom policy). Verify your backup files are present at the location you specified, and copy them to a safe location. Then you can go ahead and remove the role as well: from Server Manager, go to Roles > Remove Roles, deselect Active Directory Certificate Services, and complete the wizard. A reboot is required.
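The two things worth scripting here are the "is anything still outstanding" check and a verification that the backup actually contains the database, the key and the registry export before the role is removed. The following is an added example, not from the original post, for an elevated PowerShell prompt on the SBS server; the backup and safe-copy paths are assumptions. It uses certutil's -restrict filter on the request Disposition column (9 = pending, 20 = issued) with CSV output, and skips certutil's header line so the localized column names do not matter.

```powershell
# Added example (not from the original post). Run elevated on the SBS server.
$BackupDir = 'C:\CABackup'                      # same directory as the post uses
$SafeCopy  = '\\FILESERVER\Backups\SBS-CA'      # assumption: offline/secure destination

# --- 1. What does this CA still have outstanding? ------------------------
function Get-CaRows([string]$Restrict, [string[]]$Columns) {
    # certutil -view prints a header line first; replace it with our own names
    $raw = certutil -view -restrict $Restrict -out ($Columns -join ',') csv 2>$null
    if (-not $raw) { return @() }
    $raw | Select-Object -Skip 1 | ConvertFrom-Csv -Header $Columns
}
$pending = @(Get-CaRows 'Disposition=9'  'RequestID','RequesterName')
$issued  = @(Get-CaRows 'Disposition=20' 'RequestID','RequesterName','CommonName','NotAfter')
# NotAfter is printed in the current culture's date format, so parse it that way
$live    = @($issued | Where-Object { [datetime]::Parse($_.NotAfter) -gt (Get-Date) })

"Pending requests : {0}" -f $pending.Count
"Issued, unexpired: {0}" -f $live.Count
$live | Sort-Object { [datetime]::Parse($_.NotAfter) } |
    Format-Table RequestID, RequesterName, CommonName, NotAfter -AutoSize
# Every unexpired certificate listed is one this CA can no longer revoke once
# removed; replace it on the system that uses it before going further.

# --- 2. Back up database, private key and CertSvc configuration ----------
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$keyPwd   = Read-Host -AsSecureString 'Password to protect the CA key backup'
$keyPlain = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
                [Runtime.InteropServices.Marshal]::SecureStringToBSTR($keyPwd))
certutil -backupdb $BackupDir | Out-Null
certutil -backupkey -p $keyPlain $BackupDir | Out-Null      # writes <CAName>.p12 = the private key
Stop-Service CertSvc
reg export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' `
           (Join-Path $BackupDir 'CAregistry.reg') /y | Out-Null
if (Test-Path "$env:SystemRoot\CAPolicy.inf") { Copy-Item "$env:SystemRoot\CAPolicy.inf" $BackupDir }

# --- 3. Verify before removing anything ----------------------------------
$missing = @()
if (-not (Get-ChildItem (Join-Path $BackupDir 'DataBase') -Filter *.edb -ErrorAction SilentlyContinue)) { $missing += 'database (.edb)' }
if (-not (Get-ChildItem $BackupDir -Filter *.p12 -ErrorAction SilentlyContinue)) { $missing += 'private key (.p12)' }
if (-not (Test-Path (Join-Path $BackupDir 'CAregistry.reg'))) { $missing += 'registry export (.reg)' }
if ($missing.Count -gt 0) { throw ("CA backup incomplete, do not remove the role. Missing: " + ($missing -join ', ')) }

Copy-Item $BackupDir $SafeCopy -Recurse -Force
"Backup verified and copied to $SafeCopy"
```

The .p12 produced by -backupkey is the CA's signing key; anyone who obtains it together with the password can issue certificates the domain still trusts until the CA's own certificate expires, so keep the copy where other key material lives and record the password in a vault rather than alongside the files.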
3. Remove Exchange Server
- Exchange should be removed before AD/DNS: the uninstall must be completed before the Active Directory roles are removed from the SBS server.
- Windows Server editions: this procedure is also valid for removing the last legacy Exchange 2007/2010 server from Windows Server Standard/Enterprise/Datacenter editions.
- Hybrid/Remote Move migrations: if you performed a Remote Move migration from SBS 2011 or Exchange 2010, you need to follow a slightly different procedure to ensure that directory synchronization and the hybrid relationship are properly retired before uninstall. Only proceed with the steps below if you are positive that you do not have a hybrid connection or directory synchronization in place. Alternatively, you may consider keeping a free Exchange server on-premises to maintain the hybrid connection.
Prepare Exchange for Uninstall
You will need to run several PowerShell commands to prepare the server for uninstall. Warning: this assumes all data has been migrated to Office 365 and you have no further need of Exchange data or services on-premises. Disable-Mailbox strips the Exchange attributes from every user account it touches, which is why these commands must never be run against a directory that is still synchronized to the cloud. Proceed at your own risk.
Open the Exchange Management Shell as Administrator and run the following PowerShell snippets in this order for SBS 2008/2011 or Exchange 2007/2010, answering the confirmation prompts with Yes to All (A).
#Remove default Public folders
Get-PublicFolder "\" -Recurse -ResultSize:Unlimited |
Remove-PublicFolder -Recurse -ErrorAction:SilentlyContinue
#Remove system Public folders
Get-PublicFolder "\Non_Ipm_Subtree" -Recurse -ResultSize:Unlimited |
Remove-PublicFolder -Recurse -ErrorAction:SilentlyContinue
#Remove Offline Address Book
Get-OfflineAddressBook | Remove-OfflineAddressBook
#Remove send connectors
Get-SendConnector | Remove-SendConnector
#Remove Public Folder database (SBS 2011/Exchange 2010 Only)
Get-PublicFolderDatabase | Remove-PublicFolderDatabase
#Remove arbitration mailboxes (SBS 2011/Exchange 2010 Only)
Get-Mailbox -Arbitration | Disable-Mailbox -Arbitration -DisableLastArbitrationMailboxAllowed
#Disable all remaining user mailboxes (default ResultSize is 1000, so request all of them)
Get-Mailbox -ResultSize:Unlimited | Disable-Mailbox
Now you are ready to run the uninstaller. From an elevated command prompt, navigate to the directory "C:\Program Files\Microsoft\Exchange Server\Bin" (Exchange 2007 / SBS 2008) or "C:\Program Files\Microsoft\Exchange Server\V14\Bin" (Exchange 2010 / SBS 2011) and run:
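Exchange setup refuses to uninstall while mailboxes, a public folder database, send connectors or an offline address book still exist, and the error only appears after the readiness checks have run. The following is an added example, not from the original post, of a pre-flight script for the Exchange Management Shell that lists anything the cleanup commands above left behind and only then launches the uninstaller. It is written for the PowerShell versions shipped with Exchange 2007/2010 (no try/catch, no v3 syntax); the Bin directories are the two the post names. The post itself does not reproduce the uninstall command; Setup.com /mode:uninstall is the standard unattended switch for Exchange 2007 and 2010 and is added here. Save it as a .ps1 and run it rather than pasting it line by line.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# as an administrator, after the cleanup commands from the post.
$blockers = @()

# Mailboxes: Get-Mailbox returns at most 1000 objects unless told otherwise
$mbx = @(Get-Mailbox -ResultSize Unlimited -ErrorAction SilentlyContinue)
if ($mbx.Count -gt 0) {
    $sample = ($mbx | Select-Object -First 5 | ForEach-Object { $_.Alias }) -join ', '
    $blockers += "$($mbx.Count) user mailbox(es), e.g. $sample"
}

# Arbitration mailboxes exist only on Exchange 2010; probe the parameter instead
# of relying on try/catch, which Exchange 2007's PowerShell 1.0 does not have.
if ((Get-Command Get-Mailbox).Parameters.ContainsKey('Arbitration')) {
    $arb = @(Get-Mailbox -Arbitration -ErrorAction SilentlyContinue)
    if ($arb.Count -gt 0) { $blockers += "$($arb.Count) arbitration mailbox(es)" }
}

$pfdb = @(Get-PublicFolderDatabase -ErrorAction SilentlyContinue)
if ($pfdb.Count -gt 0) { $blockers += "public folder database: " + (($pfdb | ForEach-Object { $_.Name }) -join ', ') }

$send = @(Get-SendConnector -ErrorAction SilentlyContinue)
if ($send.Count -gt 0) { $blockers += "send connector(s): " + (($send | ForEach-Object { $_.Name }) -join ', ') }

$oab = @(Get-OfflineAddressBook -ErrorAction SilentlyContinue)
if ($oab.Count -gt 0) { $blockers += "offline address book(s): " + (($oab | ForEach-Object { $_.Name }) -join ', ') }

if ($blockers.Count -gt 0) {
    Write-Host "Not ready to uninstall. Still present:" -ForegroundColor Yellow
    $blockers | ForEach-Object { Write-Host "  - $_" }
}
else {
    # Exchange 2010 (V14\Bin) first, then Exchange 2007 (Bin); directory names are
    # the ones given in the post.
    $candidates = 'C:\Program Files\Microsoft\Exchange Server\V14\Bin\Setup.com',
                  'C:\Program Files\Microsoft\Exchange Server\Bin\Setup.com'
    $setup = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $setup) { throw "Setup.com not found in either expected Bin directory." }

    Write-Host "Running: $setup /mode:uninstall"
    & $setup /mode:uninstall
    if ($LASTEXITCODE -ne 0) {
        throw "Exchange setup returned exit code $LASTEXITCODE; review the logs under C:\ExchangeSetupLogs."
    }
}
```

Running the checks first also guards against the most common surprise on SBS, the discovery and system mailboxes that the regular Get-Mailbox | Disable-Mailbox pass does not report when it silently stops at the default result size.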
That should be it. After Exchange is fully removed, you can proceed with the rest of the decom process, which continues below.
4. Remove the Global Catalog
Note: Exchange must already be completely uninstalled from the source server before proceeding.
Clearing the Global Catalog flag stops the server from advertising itself as a GC (its _gc SRV records are removed from DNS), so clients and services stop sending it global catalog queries; it remains an ordinary domain controller until it is demoted. Make sure at least one other DC is already a global catalog before doing this. I usually wait at least 1 business day after performing this operation before I proceed with dcpromo, in case there are adverse impacts on the network that need to be resolved before completely removing the AD/DNS roles. Some people even prefer to power off the source server entirely at this time, which is also an acceptable step to take.
From AD Sites & Services, locate the NTDS Settings object for the source server, right-click and select Properties. Then clear the check mark box for Global Catalog, and click OK.
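The same change from the new DC, with the two checks a practitioner wants around it: that another global catalog exists before this one is cleared, and that the forest's _gc SRV record no longer points at the SBS server afterwards. This is an added example, not from the original post; it assumes the ActiveDirectory module on the new DC and uses repadmin /options, which toggles the same IS_GC bit on the NTDS Settings object that the checkbox in AD Sites & Services does. Server names are placeholders.

```powershell
# Added example (not from the original post). Run on the NEW DC as a Domain Admin.
Import-Module ActiveDirectory

$OldSbs = 'SBS2011'                     # assumption: hostname of the SBS server
$fqdn   = (Get-ADDomain).DNSRoot        # e.g. corp.example.local

# 1. Never clear the last GC: the forest must keep at least one other one.
$otherGcs = @(Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
              Where-Object { $_.Name -ne $OldSbs })
if ($otherGcs.Count -eq 0) {
    throw "No other global catalog exists; enable GC on $((Get-ADDomainController).HostName) first."
}
"Other global catalog(s): " + (($otherGcs | ForEach-Object { $_.HostName }) -join ', ')

# 2. Clear IS_GC on the old server (equivalent of unticking the Global Catalog box).
repadmin /options $OldSbs -IS_GC | Out-Null

# 3. Ask the old server's Netlogon to refresh its DNS registrations so the
#    _gc SRV records it owned are withdrawn, then give replication a moment.
nltest /dsregdns /server:$OldSbs | Out-Null
Start-Sleep -Seconds 30

# 4. Verify from the directory and from DNS.
$dc = Get-ADDomainController -Identity $OldSbs
"IsGlobalCatalog on {0}: {1}" -f $dc.HostName, $dc.IsGlobalCatalog

$srv   = nslookup -type=SRV "_gc._tcp.$fqdn" 2>$null
$stale = @($srv | Where-Object { $_ -match ('svr hostname\s*=\s*' + [regex]::Escape($OldSbs) + '\.') })
if ($stale.Count -gt 0) {
    Write-Warning "_gc._tcp.$fqdn still lists $OldSbs; wait for replication or remove the SRV record by hand."
} else {
    "_gc._tcp.$fqdn no longer references $OldSbs"
}
```

If IsGlobalCatalog still reads True a few minutes later, the change has not replicated to the DC you queried; check with repadmin /showrepl before assuming the flag did not clear.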
5. Demote the Domain Controller
Step through the wizard to demote the server, but be sure to leave the "Delete the domain because this server is the last domain controller in the domain" box unchecked (do not delete the domain).
After it is completed, you will reboot the server.
Make sure your new server no longer refers to the old server in TCP/IP settings (Control Panel > Network Connections). Remove the reference now if it is still present, and do the same on other statically configured servers/devices. Only the new server(s) should be referenced at this point.
6. Remove the Active Directory roles
Assuming you have taken all steps necessary to decommission these roles, it is time to remove them from the server. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Domain Services and DNS Server. Complete the wizard to remove the roles.
At this point it is also good to double-check that no servers or other devices refer to this server’s IP address for DNS. The server should also no longer reference itself as a DNS server in its own NIC settings.
7. Clean up AD metadata
Delete the server object from Active Directory Sites & Services. After a clean demotion the NTDS Settings object beneath it is already gone and only the empty server object remains. If the NTDS Settings object is still there, the demotion did not complete properly; on Server 2008 and later, deleting it from this console performs the metadata cleanup for you after a confirmation, and ntdsutil metadata cleanup is the alternative.
8. Clean up DNS
From the DNS Manager console, open the Properties of every one of your lookup zones (including _msdcs and the reverse zones) and check the Name Servers tab. If there are still references to the old DNS server(s), remove them all now.
Open the DNS zones and delete any other records you find that refer to the old server: its A record, the NS and SRV records under _msdcs, _sites, _tcp and _udp that name it, the CNAME with its DSA GUID under _msdcs, and any PTR record. Work through the entire tree until it is clean.
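Walking the tree by hand misses records easily, especially the SRV records under _msdcs and _sites whose owner names say nothing about the server. The following is an added example, not from the original post, that enumerates every zone on the new DNS server through the root\MicrosoftDNS WMI provider (present on Server 2008 and later, so it does not need the 2012+ DnsServer module), reports every record whose data or owner still names the retired server or its IP, and deletes them once the dry run looks right. Hostname and IP are placeholders.

```powershell
# Added example (not from the original post). Run as an administrator on the new
# DNS server. Start with $DryRun = $true and read the list before flipping it.
$OldName = 'sbs2011'          # assumption: short hostname of the retired server
$OldIp   = '192.168.16.2'     # assumption: its old IPv4 address
$DryRun  = $true

$ns     = 'root\MicrosoftDNS'
$byName = [regex]::Escape($OldName) + '\.'           # "sbs2011." inside a FQDN
$byIp   = '^' + [regex]::Escape($OldIp) + '$'        # exact A/PTR target
$found  = @()

foreach ($zone in (Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone)) {
    $records = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_ResourceRecord `
                             -Filter "ContainerName='$($zone.ContainerName)'"
    foreach ($rr in $records) {
        $type = $rr.__CLASS -replace '^MicrosoftDNS_|Type$', ''   # AType -> A, SRVType -> SRV
        # RecordData holds the target: "192.168.16.2" for A, "sbs2011.corp.local." for
        # NS/CNAME/PTR, "0 100 389 sbs2011.corp.local." for SRV. OwnerName catches the
        # host's own records (A, AAAA) by name.
        $hit = ($rr.RecordData -match $byIp) -or
               ($rr.RecordData -match "(^|\s|\.)$byName") -or
               ($rr.OwnerName  -match "^$byName")
        if (-not $hit) { continue }

        if ($type -eq 'SOA') {
            # Never delete a zone's SOA. If its primary-server field still names the
            # old DC, fix it on the zone's Start of Authority tab instead.
            Write-Warning "SOA of zone $($zone.ContainerName) still names $OldName; edit it in the zone properties."
            continue
        }
        $found += $rr
        "{0,-6} {1,-8} {2,-55} {3}" -f $(if ($DryRun) { 'WOULD' } else { 'DELETE' }), $type, $rr.OwnerName, $rr.RecordData
        if (-not $DryRun) { $rr | Remove-WmiObject }
    }
}

"{0} record(s) referencing {1} / {2} {3}" -f $found.Count, $OldName, $OldIp, $(if ($DryRun) { 'found (dry run)' } else { 'deleted' })
```

For AD-integrated zones the deletions replicate to every other DNS server, so run it once. Records that reappear afterwards mean the old server is still running Netlogon and re-registering them, which is one more reason to have it powered off before this step.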
Run DCDIAG and BPA analyzers once more just to ensure that you have a good, clean environment at the end of the day. Make adjustments if necessary. Otherwise, this concludes the process of removing Active Directory & DNS roles in order to retire the source server from your domain.
9. Remove from Domain and Power down the SBS server
Remove the server from the domain (join it to a workgroup), then power it off.