Best practice for decommissioning a Domain Controller Server: In general, decommissioning a Domain Controller is a straightforward procedure that does not require much planning, because there is always a redundant Domain Controller in the same site and client authentication will be handled by the other DCs. If you want to find out whether any application has the DC hard-coded (a “hard path” setting), or the site itself is closing and you want to know whether any users or applications are still using the Domain Controller before you power it off or shut it down, the step-by-step procedure below lets you do so without impacting users.
Things to check before demoting a DC from AD DS
Isolate the Domain Controller
Create a temporary AD site and move the Domain Controller you want to remove into it. Make sure the temporary AD site contains only the DC's subnet, so that no client authentication reaches the DC.
Also check that the DC's SRV records point to the new temporary AD site, and delete any record that still points to the old user site. This should happen dynamically with no manual action required; just make sure the SRV records are in place as expected.
Check the Domain Controller event log for client authentication requests
Make sure auditing is enabled for all logon and logoff events. In the Security event log of the Domain Controller being decommissioned, check for Event ID 540 on a Windows Server 2003 DC and Event ID 4624 on Windows Server 2008 R2, Windows Server 2012 R2 and Windows Server 2016, to find whether any users have logged on at the site from any workstation. You will also be able to see whether any application uses the DC through a static configuration.
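The event log check described above can be scripted. This is an added example, not part of the original article: it summarises Event ID 4624 entries by source address so that leftover clients and statically configured applications stand out. The seven-day window, the ignore list and PowerShell 3.0 or later are assumptions.

```powershell
# Added example: summarise who still authenticates against this DC.
# Run in an elevated PowerShell session on the DC being decommissioned.
# $Days and $Ignore are assumptions; adjust them to your observation window.
$Days   = 7
$Ignore = @('-', '::1', '127.0.0.1')   # local/loopback logons on the DC itself

$filter = @{
    LogName   = 'Security'
    Id        = 4624                   # use the ID that matches the DC's OS version
    StartTime = (Get-Date).AddDays(-$Days)
}

$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Named EventData fields are only reachable through the event XML
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
        }
    } |
    Where-Object { $_.SourceIP -and ($Ignore -notcontains $_.SourceIP) }

# One row per source address: how often, when last, and which accounts
$logons | Group-Object SourceIP | Sort-Object Count -Descending |
    ForEach-Object {
        $accounts = $_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique
        [pscustomobject]@{
            SourceIP = $_.Name
            Logons   = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
            Accounts = $accounts -join ', '
        }
    } | Format-Table -AutoSize -Wrap
```

Machine accounts of other Domain Controllers will appear because of replication; the rows to follow up are member servers, workstations and service accounts that keep returning after the DC has been moved to the temporary site.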
Check Domain Controller Role
Check whether this DC holds any FSMO roles with “netdom query fsmo”, and move the roles to other Domain Controllers.
Check the DNS Role
Check whether any member server, computer or DHCP scope uses the Domain Controller's IP as its primary DNS server, and change it to another DNS server in the domain.
Check whether the DC holds any other roles
Roles such as DFSR, file server, print server or any other server role should all be moved to a different live server.
Final Check
Shut down the Domain Controller for a week before permanently decommissioning or powering it off. Anything that still uses the DC (an application server, users, a client system) will fail and you will be notified by the owners; you can fix the issue by re-pointing it to another working Domain Controller.
In the worst case you can power the Domain Controller back on and keep it live until the issue is fixed; this will minimize the impact.
Conclusion
If you follow the checklist above, you can safely remove a Domain Controller without any major impact on applications.