Remove SBS 2008 or SBS 2011 Source Server from the domainAlex Fields
Sorry Old Yeller–I know you were a faithful companion for many years–but it’s time to put you down, buddy.
I usually wait until the end of the migration project for this. There is no harm leaving the old server as-is for the duration of the project while you finish migrating file shares, DHCP, Remote Access and so forth. In fact, it is the preferred approach. You absolutely must have already completed your email migration, and removed Exchange from the source server, before you decommission Active Directory and DNS on Small Business Server.
Note: the migration of AD/DNS would have been completed prior to this. This article is part of a series–see here for more on the AD/DNS migration process. In particular, you should have already moved the FSMO roles. Otherwise, see this step first:
Pre-Req: Transfer FSMO roles to the new server
From the destination server, open a PowerShell session (Run as Administrator), and type the following command:
Move-ADDirectoryServerOperationMasterRole -Identity “DestinationServerName” –OperationMasterRole 0,1,2,3,4
Replace “DestinationServerName” with the name of your new server.
To accomplish this last part, you will need to complete the following steps, which are detailed below:
- Backup the Certificate Authority role and remove it
- Remove the Global Catalog
- Run dcpromo
- Remove AD / DNS roles
- Clean up AD metadata
- Clean up DNS
- Power down the SBS server for good
Step 1. Backup the Certificate Authority role and remove it
Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward. 99% of the time, you can safely remove this role with no ill effects. If there are no active certificates or pending requests, you should be good to go. However, it is good practice to follow the proper procedures to backup the Certificate Authority in case it needs to be resurrected in the future on a new server. To backup the database and certificate key, open a command prompt (as Administrator), and perform the following:
- Type Certutil.exe –backupdb C:\CABackup and press ENTER to backup the database.
- Type Certutil.exe –backupkey C:\CABackup and press ENTER to backup the certificate keys. Note: You will be asked to enter a password to protect the keys.
- Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service.
- Type reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\CAregistry.reg and press ENTER to export the the registry key to a file.
You may also need to copy the CAPolicy.inf file from %SystemRoot% directory (if using custom policy). Verify your backup files are present at the location you specified, and copy them to a safe location. Then you can go ahead and remove the role, also. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Certificate Services and complete the wizard. Reboot required.
Step 2. Remove the Global Catalog
Note: Exchange must already be completely uninstalled from the source server before proceeding.
This operation will prevent other computers on the domain from referring to this server as a logon server. I usually wait at least 1 business day after performing this operation before I proceed with dcpromo, in case there are adverse impacts on the network that need to be resolved before completely removing the AD/DNS roles. Some people even prefer to power off the source server entirely at this time, which is also an acceptable step to take.
From AD Sites & Services, locate the NTDS Settings object for the source server, right-click and select Properties. Then clear the check mark box for Global Catalog, and click OK.
Step 3. Run dcpromo
When you are ready to proceed, on the source server, go to Start > Run, and type dcpromo, hit enter.
Step through the wizard to demote the server, however, be sure to leave this box unchecked (do not delete the domain):
After it is completed, you will reboot the server.
Make sure your new server no longer refers to the old server in TCP/IP settings (Control Panel > Network Connections). Remove the reference now if it is still present, and do the same on other statically configured servers/devices. Only the new server(s) should be referenced at this point.
Step 4. Remove the Active Directory roles
Assuming you have taken all steps necessary to decommission these roles, it is time to remove them from the server. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Domain Services and DNS Server. Complete the wizard to remove the roles.
At this point it is also good to double-check that no servers or other devices refer to this server’s IP address for DNS. The server should also no longer reference itself as a DNS server in its own NIC settings.
Step 5. Clean up AD metadata
Delete the server object from Active Directory Sites & Services.
Step 6. Clean up DNS
From the DNS Manager console, open the Properties on every one of your lookup zones (including _msdcs), and check the Name Servers tab. If there are still references to the old DNS server(s), remove them all now.
Open the DNS zones and delete any other records that you find in here also that refer to the old server. Work through the entire tree until it is clean.
Run DCDIAG and BPA analyzers once more just to ensure that you have a good, clean environment at the end of the day. Make adjustments if necessary. Otherwise, this concludes the process of removing Active Directory & DNS roles in order to retire the source server from your domain.
Step 7. Power down the SBS server for good
This is self-explanatory. You can even remove it from the domain if you really want to, or just by deleting the Computer object from Active Directory forever. Go out for a beer. Drink an extra for your dearly departed SBS server.