Remove SBS 2008 or SBS 2011 Source Server from the domain
Sorry Old Yeller–I know you were a faithful companion for many years–but it’s time to put you down, buddy.
I usually wait until the end of the migration project for this. There is no harm leaving the old server as-is for the duration of the project while you finish migrating file shares, DHCP, Remote Access and so forth. In fact, it is the preferred approach. You absolutely must have already completed your email migration, and removed Exchange from the source server, before you decommission Active Directory and DNS on Small Business Server.
Note: the migration of AD/DNS would have been completed prior to this. This article is part of a series–see here for more on the AD/DNS migration process. In particular, you should have already moved the FSMO roles. Otherwise, see this step first:
Pre-Req: Transfer FSMO roles to the new server
From the destination server, open a PowerShell session (Run as Administrator), and type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity "DestinationServerName" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster
Replace "DestinationServerName" with the name of your new server. The numbers 0 through 4 are accepted in place of the role names (0 = PDCEmulator, 1 = RIDMaster, 2 = InfrastructureMaster, 3 = SchemaMaster, 4 = DomainNamingMaster). The cmdlet comes from the Active Directory PowerShell module, which is installed with the AD DS role on the destination server. Confirm the result with netdom query fsmo before you continue; nothing on the SBS server should be listed.
To accomplish this last part, you will need to complete the following steps, which are detailed below:
- Backup the Certificate Authority role and remove it
- Remove the Global Catalog
- Run dcpromo
- Remove AD / DNS roles
- Clean up AD metadata
- Clean up DNS
- Power down the SBS server for good
Step 1. Backup the Certificate Authority role and remove it
Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward. In most small environments you can remove this role with no ill effects, but check first: open the Certification Authority console and look at Issued Certificates and Pending Requests. If the only unexpired certificates were issued to the SBS server itself (and nobody is using EFS, whose recovery agent certificate also comes from this CA), you should be good to go. Either way, it is good practice to follow the proper procedure to back up the Certificate Authority in case it needs to be resurrected in the future on a new server. To back up the database and the CA certificate with its private key, open a command prompt (as Administrator), and perform the following:
- Type Certutil.exe -backupdb C:\CABackup and press ENTER to back up the database.
- Type Certutil.exe -backupkey C:\CABackup and press ENTER to back up the CA certificate and private key. Note: You will be asked to enter a password to protect the key; the output is a PFX file.
- Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service.
- Type reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\CAregistry.reg and press ENTER to export the registry key to a file.
You may also need to copy the CAPolicy.inf file from the %SystemRoot% directory (if using a custom policy). Verify your backup files are present at the location you specified, and copy them to a safe location. Remember that the backup folder now contains the CA's private key: anyone holding it (and the password) can issue certificates trusted by every domain member, so store it like a domain admin credential and delete the copy left on the old server. Then you can go ahead and remove the role, also. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Certificate Services and complete the wizard. Reboot required.
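The same backup, scripted, with the "is anything still live?" check done first. This is an added example and not from the original post; it assumes an elevated PowerShell session on the source (SBS) server with AD CS still installed, and C:\CABackup is just the folder name used above (certutil refuses to write into a folder that already holds a backup). The certutil disposition codes (9 = pending, 20 = issued) and the "now" date restriction are standard certutil -view syntax.

```powershell
# Added example, not from the original post. Backs up the SBS enterprise CA and
# reports whether it still has live work before the AD CS role is removed.
# Assumes: elevated PowerShell on the SBS server; $BackupDir is an assumption.
$BackupDir = 'C:\CABackup'

if ((Test-Path $BackupDir) -and (Get-ChildItem $BackupDir)) {
    throw "$BackupDir already contains files; certutil will not overwrite an existing backup."
}
New-Item -Path $BackupDir -ItemType Directory -Force | Out-Null

# 1. Is anything still live? Each row of certutil -view output starts with "Row N:",
#    so counting those lines gives the number of matching requests.
function Get-CaRowCount([string]$Restriction) {
    $out = & certutil.exe -view -restrict $Restriction -out 'RequestID,RequesterName,NotAfter' 2>&1
    @($out | Select-String -Pattern '^Row \d+:').Count
}
$pending = Get-CaRowCount 'Disposition=9'                    # pending requests
$issued  = Get-CaRowCount 'Disposition=20,NotAfter>now'      # issued and not yet expired
Write-Host "Pending requests: $pending   Unexpired issued certificates: $issued"
if ($issued -gt 0) {
    # Show who holds the unexpired certificates and from which template, so you can
    # decide whether the CA really is unused (look for anything that is not the SBS box).
    & certutil.exe -view -restrict 'Disposition=20,NotAfter>now' -out 'RequesterName,CertificateTemplate,NotAfter'
}

# 2. Database backup (creates $BackupDir\DataBase with the .edb and log files)
& certutil.exe -backupdb $BackupDir
if ($LASTEXITCODE -ne 0) { throw 'certutil -backupdb failed' }

# 3. CA certificate + private key as a password-protected PFX (certutil prompts for the password)
& certutil.exe -backupkey $BackupDir
if ($LASTEXITCODE -ne 0) { throw 'certutil -backupkey failed' }

# 4. Stop the service, export its configuration key, and grab CAPolicy.inf if one exists
Stop-Service CertSvc
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$BackupDir\CAregistry.reg" /y
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item $caPolicy $BackupDir }

# 5. Verify what landed on disk before going anywhere near Remove Roles
Get-ChildItem $BackupDir -Recurse | Select-Object FullName, Length
```

Copy the folder off the server (and then delete it there) before removing the role; the PFX inside it is the CA's signing key.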
Step 2. Remove the Global Catalog
Note: Exchange must already be completely uninstalled from the source server before proceeding.
Removing the Global Catalog stops this server from advertising itself as a GC, so clients and services that look for a GC (Outlook, Exchange, anything doing forest-wide lookups) stop using it; in a single-domain forest it can still answer ordinary logons until it is demoted. I usually wait at least 1 business day after performing this operation before I proceed with dcpromo, in case there are adverse impacts on the network that need to be resolved before completely removing the AD/DNS roles. Some people even prefer to power off the source server entirely at this time, which is also an acceptable step to take.
From AD Sites & Services, locate the NTDS Settings object for the source server, right-click and select Properties. Then clear the check mark box for Global Catalog, and click OK.
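Before flipping that checkbox it is worth proving, from the destination server, that the FSMO pre-requisite above is really done, that another Global Catalog exists, and that the new server has stopped using the old one for DNS. The script below is an added example (not part of the original post) that does those checks and then clears the GC flag the same way the Sites & Services checkbox does, by clearing bit 1 of the options attribute on the old server's NTDS Settings object. It assumes a Server 2012 or later destination DC (for Get-DnsClientServerAddress) and the server name in $Old is made up.

```powershell
# Added example, not from the original post. Run in an elevated session on the NEW DC.
# $Old is an assumed name; replace it with the SBS server's NetBIOS name.
Import-Module ActiveDirectory
$Old = 'SBS2011'

# 1. No FSMO role may still be on the old server (Pre-Req step above)
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @($forest.SchemaMaster, $forest.DomainNamingMaster,
           $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$stillOnOld = $roles | Where-Object { $_ -like "$Old.*" }
if ($stillOnOld) { throw "FSMO role(s) still held by $Old : $($stillOnOld -join ', ')" }

# 2. At least one other Global Catalog must exist before this one is removed
$otherGcs = $forest.GlobalCatalogs | Where-Object { $_ -notlike "$Old.*" }
if (-not $otherGcs) { throw 'No other Global Catalog exists; make the new DC a GC first.' }
"Global Catalogs that will remain: $($otherGcs -join ', ')"

# 3. This server's NICs must not list the old server's IP(s) for DNS
$oldIps = [System.Net.Dns]::GetHostAddresses($Old) | ForEach-Object IPAddressToString
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object ServerAddresses) {
    $bad = $nic.ServerAddresses | Where-Object { $oldIps -contains $_ }
    if ($bad) { Write-Warning "$($nic.InterfaceAlias) still uses $($bad -join ', ') for DNS; fix this first." }
}

# 4. Clear the GC bit (value 1) in the NTDS Settings 'options' attribute.
#    This is exactly what clearing the Global Catalog checkbox in Sites & Services does.
$oldDc = Get-ADDomainController -Identity $Old
$ntds  = Get-ADObject -Identity $oldDc.NTDSSettingsObjectDN -Properties options
if ($ntds.options -band 1) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($ntds.options -band -bnot 1) }
    "Global Catalog flag cleared on $Old. Replicate it out with: repadmin /syncall /AeD"
} else {
    "$Old is already not a Global Catalog."
}
```

Give replication a few minutes, then run dcdiag /test:advertising on the new DC: it should report itself as a GC and the old server should no longer appear in nltest /dsgetdc:yourdomain /gc.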
Step 3. Run dcpromo
When you are ready to proceed, on the source server, go to Start > Run, and type dcpromo, hit enter.
Step through the wizard to demote the server. When you reach the option "Delete this domain because this server is the last domain controller in the domain", leave that box unchecked (you are keeping the domain; the new server is now a domain controller for it):
After it is completed, you will reboot the server.
Make sure your new server no longer refers to the old server in TCP/IP settings (Control Panel > Network Connections). Remove the reference now if it is still present, and do the same on other statically configured servers/devices. Only the new server(s) should be referenced at this point.
Step 4. Remove the Active Directory roles
Assuming you have taken all steps necessary to decommission these roles, it is time to remove them from the server. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Domain Services and DNS Server. Complete the wizard to remove the roles.
At this point it is also good to double-check that no servers or other devices refer to this server’s IP address for DNS. The server should also no longer reference itself as a DNS server in its own NIC settings.
Step 5. Clean up AD metadata
Delete the server object for the old SBS machine from Active Directory Sites & Services (under its site, the object that still holds the NTDS Settings container). On Server 2008 and later, deleting it there performs the metadata cleanup for you; if the demotion failed and the object refuses to go, fall back to ntdsutil's metadata cleanup. Make sure you are deleting the old server, not the new one.
Step 6. Clean up DNS
From the DNS Manager console, open the Properties on every one of your lookup zones (including _msdcs), and check the Name Servers tab. If there are still references to the old DNS server(s), remove them all now.
Open the DNS zones and delete any other records that you find in here also that refer to the old server. Work through the entire tree until it is clean.
Run DCDIAG and BPA analyzers once more just to ensure that you have a good, clean environment at the end of the day. Make adjustments if necessary. Otherwise, this concludes the process of removing Active Directory & DNS roles in order to retire the source server from your domain.
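Walking every zone by hand is error prone, so here is an added example (not from the original post) that does Steps 5 and 6 from the new DC: it lists every record in every primary zone, _msdcs included, that still names the old server or its IP, removes them once you drop -WhatIf, and then checks that no server object or DC entry for the old machine is left in AD. It needs the DnsServer and ActiveDirectory modules (Server 2012 or later); the hostname and IP in $OldHost and $OldIp are assumptions to be replaced.

```powershell
# Added example, not from the original post. Run in an elevated session on the NEW DC
# after the old server has been demoted. $OldHost / $OldIp are assumed values.
Import-Module DnsServer, ActiveDirectory
$OldHost = 'sbs2011.corp.local'
$OldIp   = '192.168.1.2'

function Find-StaleDnsRecords {
    param([string]$HostName, [string]$IpAddress)
    $h = $HostName.TrimEnd('.')
    $zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        foreach ($rr in Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -ErrorAction SilentlyContinue) {
            $d = $rr.RecordData
            # Each record type keeps its target in a differently named property
            $match = switch ($rr.RecordType) {
                'A'     { $d.IPv4Address.IPAddressToString -eq $IpAddress }
                'NS'    { $d.NameServer.TrimEnd('.') -ieq $h }        # Name Servers tab entries
                'CNAME' { $d.HostNameAlias.TrimEnd('.') -ieq $h }
                'SRV'   { $d.DomainName.TrimEnd('.') -ieq $h }        # _ldap/_kerberos/_gc in _msdcs etc.
                'PTR'   { $d.PtrDomainName.TrimEnd('.') -ieq $h }
                default { $false }
            }
            if ($match) {
                [pscustomobject]@{ Zone = $zone.ZoneName; Name = $rr.HostName; Type = $rr.RecordType; Record = $rr }
            }
        }
    }
}

$stale = @(Find-StaleDnsRecords -HostName $OldHost -IpAddress $OldIp)
"$($stale.Count) record(s) still reference $OldHost / $OldIp"
$stale | Format-Table Zone, Name, Type -AutoSize

# Review the list above, then remove. -WhatIf only reports; drop it to actually delete.
foreach ($s in $stale) {
    Remove-DnsServerResourceRecord -ZoneName $s.Zone -InputObject $s.Record -Force -WhatIf
}

# Step 5 check: no server object in the Sites container and no DC entry may remain
$oldName = $OldHost.Split('.')[0]
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $sitesDn -LDAPFilter "(&(objectClass=server)(cn=$oldName))" | ForEach-Object {
    Write-Warning "Server object still present: $($_.DistinguishedName). Delete it in Sites & Services or via ntdsutil metadata cleanup."
}
if (Get-ADDomainController -Filter "Name -eq '$oldName'") {
    Write-Warning "$oldName is still registered as a domain controller; metadata cleanup is not finished."
}
```

Run it once with -WhatIf in place to see what it would delete; the NS entries it finds correspond to the Name Servers tab edit described above, and the SRV hits are the _msdcs registrations the old DC left behind. Finish with dcdiag /q and repadmin /replsummary as the article suggests.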
Step 7. Power down the SBS server for good
This is self-explanatory. If you like, remove it from the domain first, or simply delete its Computer object from Active Directory once it is off for good. Go out for a beer. Drink an extra for your dearly departed SBS server.
Comments (55)
Very helpful article Alex – thanks, saved me some time.
You’re welcome!
Great article Alex but I think you missed the step where you transfer the FSMO roles to the new domain controller
Actually I have another article on migrating the roles–this article only covers the removal of the roles after the rest is completed. I should put together a page that has links to all the posts in this series. Thanks for the comment!
Thanks for this Alex! One question, what are we doing with the clients if SBS 2011 is the only server? Removing them from the domain prior to this?
Thanks again!
Hi Noel, I typically recommend keeping the domain rather than discarding it–even if you’re just consolidating to a Windows Server Essentials deployment. Reason being, it is still the best way to manage security policies and other settings on the workstations. I would certainly recommend this, unless you’re confident/comfortable using a third party agent to control and push policies, updates, antivirus, etc. to the endpoints.
Great article – but you don’t mention anything about moving FSMO roles.
See here–I do, in a prior article in this series.
Hi Alex, this is a great article and I have used it as a check list for a previous migration that worked perfectly!
My question is I have run into a new client where they migrated from SBS to 2012 and I believe they didn’t do the step of removing the CA before DCpromo removal of the old SBS DC. They are now getting event ID 13 for autoenrollment as it looks like it’s looking for the old SBS DC to renew the certs.
Is there a cleanup that can be done on the standalone DC, now that the old server is long gone?
thanks!
Great question, Scott. Yes, there is. Check out this article–that should be the solution you need. I may even add this link to my own article (note: applicable only if you’re sure CA is no longer needed). Depending on the environment, I sometimes will bring a new VM online, give it the same name as the old server after the old one is offline, and restore the CA backup/registry info, if it seems like the CA was doing a lot more. It does not have to be a DC; member server is fine. I have a client right now that has certificates issued to other services like System Center Configuration Manager, etc., so simply adding back the CA is the simplest route. If you don’t have a backup of the old CA, however, then you’re probably better off just completely removing it as described in that article I linked.
So, re Step 1, that’s an earlier generation of AD CS, which is (forcibly?) installed with Essentials Experience Role, too. Do you generally also uninstall AD CS from Essentials then? Apparently it’s mainly for Anywhere Access, though maybe other things, and I’m not sure that it’s mandatory for AA. Its presence does prevent you from accessing Computer name/domain settings.
Thanks
No you can leave AD CS intact. When removing the SBS server however, usually AD CS should also be removed. This is all that is required in most cases. However, if you’re using EFS (encrypting documents on your file servers, etc.) then there is a bit more to it. I can recommend this article by Robert Pearman (Title Required): SBS 2011 How To Backup Your EFS Recovery Agent Certificate.
Super helpful. Just decommissioned an old SBS 2008 server that had been hanging around for at least a year after we migrated to other servers.
Thank you so much for your tutorials, they have been a real life saver! I have a question for you if you don’t mind answering. I migrated everyone from SBS 2003 to 2016 Standard. All users reside under subfolders in the domain called MyBusiness -> Users -> SBSUsers (the default). Can I safely move those to the general domain users or is it best to leave them in their current container? I also have several users that I would like to delete (SQL users that have the name of the old server embedded in them) and am wondering if there is anything I need to be careful of. Any help is greatly appreciated!
1. To answer your first question, it all depends on what Group Policy Objects you have linked to that OU container; check it out under the Group Policy Management container. You can use this as an opportunity to clean up–move the users but do not link any GPO objects that you do not want to keep (link the ones you do want to keep however).
2. You can disable users instead of delete them, to start. Create an OU container for “Disabled Users” then move them over, right click, and disable the accounts. If there are no issues reported, after a period of time, you are probably safe to delete them as well.
After these steps have been completed, what kind of state is the server in? I have an SBS 2011 server and I want to remove all AD functionality from it as we have 2 Server 2012 R2 DCs in place. I may need to leave the file server that resides on it intact for a few weeks. Will the SBS2011 server allow me to logon locally after all of this, and will it be in a workgroup? Any assistance would be much appreciated.
Do not remove the AD/DNS roles before the file shares are moved. Demoting the SBS server is the LAST step, not the second to last or third to last. There is no harm leaving it as the primary DC with FSMO. Just empty the other roles, and when you are good and ready, transfer FSMO and DCPROMO/remove the roles at that time.
This is an excellent guide. I’ve used it to decom several SBS 2008/2011 servers.
I am stuck at “initializing removal…” during the Role removal in Active Directory Certificate Services. Rebooted the server but the process is not completing. Please help?
If you already backed up the CA, then don’t worry too much about the rest. I’m sure there is a solution for that issue out there, but it is also possible to whack the object in ADSI edit, if needed, after the server is offline for good.
Just in case it helps anyone else, I had the same thing happen, ADCS stuck initializing removal, as posted elsewhere, if you leave it a very very long time, I left it overnight from lunchtime the previous day, it does eventually complete and I was able to continue with a graceful demotion/migration.
I have successfully completed the decommissioning of the SBS2008 using these step-by-step instructions. Even though a few removal tasks seem ‘frozen’, actually they are not. I had to be patient and leave them till completion. They all completed without an error after a couple of hours. I administered last rites to SBS2008, pulled the plug and stored it on the shelves. Thank you for the excellent guide. Couldn’t ask for a better one. THANK YOU! THANK YOU!! THANK YOU!!!
You are welcome, sir!
Thank you. The only issue I had is when uninstalling Exchange Server.
I succeeded by following this link : https://blogs.technet.microsoft.com/mukutdas/2015/09/11/remove-public-folder-using-adsiedit/
Hi Alex,
I wonder if you might be able to help with something. I thought that I had successfully migrated SBS 2008 to server 2016 with the Essentials role. However users reported that some group policies were not applying, mainly redirected folders and desktop.
When I have gone to check group policy on 2016, I get access denied when editing or trying to create any new group policies.
I have transferred all the roles to the new server but I have not yet run dcpromo to demote the server as I was leaving it offline for a few weeks to make sure everything was okay before removing it fully.
Thanks
Jonathan
I’d check DCDIAG and BPA results, see if there are any errors to remediate.
Great article Alex – I have already migrated to Office 365, so is it still necessary to uninstall Exchange? All FSMO roles have been transferred already, and Microsoft Support tells me that all I need to do is uninstall Certificate Services and run dcpromo.
thoughts?
If you have Azure AD Connect in place it is advisable to keep an on-premises Exchange server, but I usually replace SBS with a new version of Exchange in that case. Otherwise, it is no longer needed if you do not intend to use Azure AD Connect with Office 365. It is always advisable to properly remove server roles that are not in use.
Thanks for the great article Alex
I would suggest to reconfigure the time source for the domain. Something like this:
PDC:
w32tm /config /manualpeerlist:timeserverNameOrIP,0x1 /syncfromflags:manual /reliable:yes /update
net stop w32time
net start w32time
w32tm /resync /rediscover
SBS and Clients:
w32tm /config /syncfromflags:domhier /update /reliable:no
net stop w32time
net start w32time
w32tm /resync /rediscover
If you have issues with Get-Mailbox -Arbitration | Disable-Mailbox -Arbitration -DisableLastArbitrationMailboxAllowed
Run:
Get-Mailbox | Set-Mailbox -ModerationEnabled $false
Get-DistributionGroup | Set-DistributionGroup -ModerationEnabled $false
Get-DynamicDistributionGroup | Set-DynamicDistributionGroup -ModerationEnabled $false
And it should now work
Hi Alex,
thank you for this great post and your website as a highly valuable resource!
With regards to the AD CS you write: “Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward. 99% of the time, you can safely remove this role with no ill effects. If there are no active certificates or pending requests, you should be good to go.”
We are currently preparing for migrating from our old 2008 SBS to a new 2016 environment.
When I check AD CS I see certificates listed under our servername in Enterprise PKI as well as some issued certificates under our server name which are still valid.
Is there a way to check whether these certificates and the Enterprise PKI are still in use?
When looking at migrating the AD CS role an additional step via Server 2012 R2 seems to be required: https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx?Redirected=true
Usually I find that nothing has been done with these. There will usually be some issued to DC, not very often to other places. One gotcha however is if users have encrypted files using EFS. Check out the below resource for more detail.
https://windowsserveressentials.com/2017/03/28/sbs-2011-how-to-backup-your-efs-recovery-agent-certificate/
Hello Alex,
Thanks, very helpful. I’m close to finishing my migration to 2016 and came across your guide. You stated “You absolutely must have already completed your email migration, and removed Exchange from the source server, before you decommission Active Directory and DNS on Small Business Server.”
I did install Exchange 2016 on a new server but didn’t remove it from the SBS. I have already transferred the FSMO roles but not yet run dcpromo.
Can I still remove exchange and do I simply uninstall it?
Thanks again,
Mark
If there are no more mailboxes or data of any kind on premises then yes you should be able to uninstall it. In case the uninstaller gives you any guff just google the error it trips on and that usually yields a quick fix, whether you need to remove all public folders or whatever the case may be.
Very helpful information!
Hi Alex,
Thank for your helpful instructions.
I want to remove the SBS 2011 from Server 2008 in the Control Panel, but there is no uninstall button.
I went to the folder in Program Files but still don’t see any uninstall file. Can you help me with how to uninstall it?
Thank you
What are you uninstalling? Exchange? Active Directory (this post)?
I’ve followed these directions a few times. very graceful removal every time. Thanks
Great article! all works flawlessly
As someone asked the question earlier: if the SBS original setup had users in the AD folders (all users reside under subfolders in the domain called MyBusiness -> Users -> SBSUsers, the default), when I decommission the SBS server\domain, will those folders continue to exist and can they be used? I added a new Windows 2019 server, promoted it to DC, DHCP, it has DNS and is the FSMO role holder. I am basically at the point of just getting rid of the old SBS server completely.
Yes the OU structure can remain the same. It does not remove those OU’s when you remove SBS.
Thank you. Do we need to uninstall Exchange? The users were moved to a 3rd party hosting provider last year. Exchange services are still loaded and running on the SBS server. Just trying to make sure I don’t run into any small issues when I start the DC demotion process.
If there is no more mail function left on-prem then you can remove Exchange safely. That is the best practice.
hi
old article. used it twice with success.
now i have another challenge.
we use 2012R2/2016 AD servers, On-Prem Exchange, FSs, SP etc.
our company bought a smaller company that uses SBS2011
now we have to merge those 2 networks together. for now they are not physically connected, but will have to be in the near future. on SBS there are only about 25 User Accounts and about 15 Computer Accounts.
Migrating Exchange Mailboxes won’t be a problem. already done most of them
the problem that we have are the File Shares. there’s 1TB of data in 7.5M files, and we would like to leave it there for now. Data must be sorted out. most of it should be put in an archive but no time to do that right now.
now the question:
can i decommission the SBS to the point that it’s in a workgroup and not part of any domain anymore? following the instructions but checking the box – This is the last DC on the network. then connect the 2 networks and join the server to our main domain?
file shares and user permissions would need to be recreated but this is doable.
Users will access everything with new (our AD) Accounts over Citrix.
it’s a tricky one and i would appreciate any advice on this :)
Thanks
Yeah that’s tough. I would find another solution for moving those files. I don’t remember the exact limitations but something happens after you fully decom SBS–it will literally stop working after a week or something like that, or it reboots itself all the time or something. I don’t know–it’s been awhile, but what it comes down to is that you have to move all functions off before you run the decom process.
Maybe you can’t sort out 100% all at one time, but you could ask people to take all current/active data with them to new locations (what are they working on right now and for the next month or whatever). Then that gives them the immediate needs while the rest can be sorted later.
Just wanted to say a big thanks for these articles, I work for a small IT firm in Canada and these guides have been very useful. I’ve done like 10 SBS to Server 2016-2019 migrations using this and the Exchange decom guide.
just wanted you to know that your work is appreciated.
Thanks dude.
So I am at the point that we have a new domain controller running on Windows 2019. All FSMO roles, DHCP, Printers, Data moved to the new 2019 server. I am going to start to decomm the old SBS 2011 server. What’s the best way to get Exchange removed from SBS? Is it simply an add\remove from the Programs in Control Panel? I want to remove the attributes for Exchange on the users’ domain accounts also as it’s not needed. Exchange was moved to an online hosting provider last year. I saw this in a previous article: “You absolutely must have already completed your email migration, and removed Exchange from the source server, before you decommission Active Directory and DNS on Small Business Server.”
You should be able to uninstall Exchange from SBS, yes. You can also refer to this.
This guide along with the supporting ones were very good and easy to follow. However, perhaps I missed it one of the guides but there are several Group Policies that SBS pushes on to machines that if not removed could cause issues. In addition, there is a SBS client that installs on each machine that again if not removed it can create some issues. Those are always the last things I do after having done the things in the guides you have above. Thank you again.
Should I change the DNS pointing prior to running DCpromo on the legacy DC (SBS 2011 Essentials)? In a 2 DC setup, I usually point DNS to the opposite DC for primary and then secondary DNS to itself. I presume I should switch this prior to running DCpromo. Thanks for input.
Yes, you can change the DNS either before or after. If one of the DNS entries is no longer available it will use the other entry. But, it is a good practice to clear those that you are demoting/removing in advance.
For organizations using Entra ID Sync (formerly Azure AD Sync) to sync attributes from on-site for Password hash Sync (and who use the Attribute Editor to add ProxyAddress any time a new user is created to sync), what can be done to preserve the Exchange attributes after uninstalling “the last exchange server”? An “install” of a newer exchange server (with no setup) – will that force the attributes to stay and not be removed? Or can we SKIP the exchange uninstall if we keep these attributes?
These days it is supported to remove the last exchange server but there is a process to doing so correctly. See this article for instance: https://practical365.com/removing-the-last-exchange-server/
Hi Alex,
Once you have transferred the FSMO roles to a new DC and demoted the old server to just a member server, can the old server be left running in the background for a while or will it still shut itself down?
I have literally never left a server running for that long after decom procedures. I remember reading about something like that (auto-shutdown of SBS after FSMO transfer)–I am not sure which version(s) of SBS it applies to. Seems kind of dumb, but then this is Microsoft we’re talking about. I just wait to do this until the last step after all other functions/roles were migrated (printers, files, etc.). Then it doesn’t matter if it stays running or not.