Remove SBS 2008 or SBS 2011 Source Server from the domain

Back to Blog

Remove SBS 2008 or SBS 2011 Source Server from the domain

Sorry Old Yeller–I know you were a faithful companion for many years–but it’s time to put you down, buddy.

I usually wait until the end of the migration project for this. There is no harm leaving the old server as-is for the duration of the project while you finish migrating file shares, DHCP, Remote Access and so forth. In fact, it is the preferred approach. You absolutely must have already completed your email migration, and removed Exchange from the source server, before you decommission Active Directory and DNS on Small Business Server.

Note: the migration of AD/DNS would have been completed prior to this.  This article is part of a series–see here for more on the AD/DNS migration process. In particular, you should have already moved the FSMO roles. Otherwise, see this step first:

Pre-Req: Transfer FSMO roles to the new server

From the destination server, open a PowerShell session (Run as Administrator), and type the following command:

Move-ADDirectoryServerOperationMasterRole -Identity “DestinationServerName” –OperationMasterRole 0,1,2,3,4

Replace “DestinationServerName” with the name of your new server.

FMSO-move-PoSH

To accomplish this last part, you will need to complete the following steps, which are detailed below:

  1. Backup the Certificate Authority role and remove it
  2. Remove the Global Catalog
  3. Run dcpromo
  4. Remove AD / DNS roles
  5. Clean up AD metadata
  6. Clean up DNS
  7. Power down the SBS server for good

Step 1. Backup the Certificate Authority role and remove it

Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward. 99% of the time, you can safely remove this role with no ill effects. If there are no active certificates or pending requests, you should be good to go. However, it is good practice to follow the proper procedures to backup the Certificate Authority in case it needs to be resurrected in the future on a new server. To backup the database and certificate key, open a command prompt (as Administrator), and perform the following:

  1. Type Certutil.exe –backupdb C:\CABackup and press ENTER to backup the database.
  2. Type Certutil.exe –backupkey C:\CABackup and press ENTER to backup the certificate keys.  Note: You will be asked to enter a password to protect the keys.
  3. Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service.
  4. Type reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\CAregistry.reg and press ENTER to export the the registry key to a file.

Backup-CAcmd1

You may also need to copy the CAPolicy.inf file from %SystemRoot% directory (if using custom policy). Verify your backup files are present at the location you specified, and copy them to a safe location.  Then you can go ahead and remove the role, also. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Certificate Services and complete the wizard. Reboot required.

Step 2. Remove the Global Catalog

Note: Exchange must already be completely uninstalled from the source server before proceeding.

This operation will prevent other computers on the domain from referring to this server as a logon server. I usually wait at least 1 business day after performing this operation before I proceed with dcpromo, in case there are adverse impacts on the network that need to be resolved before completely removing the AD/DNS roles. Some people even prefer to power off the source server entirely at this time, which is also an acceptable step to take.

From AD Sites & Services, locate the NTDS Settings object for the source server, right-click and select Properties. Then clear the check mark box for Global Catalog, and click OK.

remove-GC-2

Step 3. Run dcpromo

When you are ready to proceed, on the source server, go to Start > Run, and type dcpromo, hit enter.

dcpromo-1

Step through the wizard to demote the server, however, be sure to leave this box unchecked (do not delete the domain):

dcpromo-2

After it is completed, you will reboot the server.

Make sure your new server no longer refers to the old server in TCP/IP settings (Control Panel > Network Connections). Remove the reference now if it is still present, and do the same on other statically configured servers/devices. Only the new server(s) should be referenced at this point.

Step 4. Remove the Active Directory roles

Assuming you have taken all steps necessary to decommission these roles, it is time to remove them from the server. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Domain Services and DNS Server. Complete the wizard to remove the roles.

At this point it is also good to double-check that no servers or other devices refer to this server’s IP address for DNS. The server should also no longer reference itself as a DNS server in its own NIC settings.

 Step 5. Clean up AD metadata

Delete the server object from Active Directory Sites & Services.

Step 6. Clean up DNS

From the DNS Manager console, open the Properties on every one of your lookup zones (including _msdcs), and check the Name Servers tab. If there are still references to the old DNS server(s), remove them all now.

dns-cleanup-1b

Open the DNS zones and delete any other records that you find in here also that refer to the old server. Work through the entire tree until it is clean.

dns-cleanup-1c

Run DCDIAG and BPA analyzers once more just to ensure that you have a good, clean environment at the end of the day. Make adjustments if necessary. Otherwise, this concludes the process of removing Active Directory & DNS roles in order to retire the source server from your domain.

Step 7. Power down the SBS server for good

This is self-explanatory. You can even remove it from the domain if you really want to, or just by deleting the Computer object from Active Directory forever. Go out for a beer. Drink an extra for your dearly departed SBS server.

Comments (51)

  • Matthew Reed Reply

    Very helpful article Alex – thanks, saved me some time.

    July 26, 2016 at 5:33 am
    • Alexander Reply

      You’re welcome!

      July 26, 2016 at 9:42 am
  • Enos Reply

    Great article Alex but I think you miss the step where you transfer the FSMO roles to the new domain controller

    November 4, 2016 at 7:03 pm
    • Alexander Reply

      Actually I have another article on migrating the roles–this article only covers the removal of the roles after the rest is completed. I should put together a page that has links to all the posts in this series. Thanks for the comment!

      November 14, 2016 at 3:04 pm
  • Noel Reply

    Thanks for this Alex! One question, what are we doing with the clients if SBS 2011 is the only server? Removing them from the domain prior to this?

    Thanks again!

    November 14, 2016 at 1:43 pm
    • Alexander Reply

      Hi Noel, I typically recommend keeping the domain rather than discarding it–even if you’re just consolidating to a Windows Server Essentials deployment. Reason being, it is still the best way to manage security policies and other settings on the workstations. I would certainly recommend this, unless you’re confident/comfortable using a third party agent to control and push policies, updates, antivirus, etc. to the endpoints.

      November 14, 2016 at 3:08 pm
  • GD Reply

    Great article – but you don’t mention anything about moving FSMO roles.

    November 15, 2016 at 12:38 pm
    • Alexander Reply

      See here–I do, in a prior article in this series.

      November 15, 2016 at 1:58 pm
  • Scott Mcdonnell Reply

    Hi Alex, this is great article and I have used it for a check list for a previous migration that worked perfectly!

    My question is I have run into a new client where the they migrated from SBS to 2012 and I believe they didn’t do the step of removing the CA before DCpromo removal of the old SBS DC. They are now getting event ID 13 for autoenrollment as it looks like its looking for the old SBS DC to renew the CERTs.

    Is there a cleanup that can be done on the standalone DC , now that the old server is long gone?
    thanks!

    April 8, 2017 at 5:01 pm
    • Alexander Reply

      Great question, Scott. Yes, there is. Check out this article–that should be the solution you need. I may even add this link to my own article (note: applicable only if you’re sure CA is no longer needed). Depending on the environment, I sometimes will bring a new VM online, give it the same name as the old server after the old one is offline, and restore the CA backup/registry info, if it seems like the CA was doing a lot more. It does not have to be a DC; member server is fine. I have a client right now that has certificates issued to other services like System Center Configuration Manager, etc., so simply adding back the CA is the simplest route. If you don’t have a backup of the old CA, however, then you’re probably better off just completely removing it as described in that article I linked.

      April 9, 2017 at 9:41 am
  • Rick Reply

    So, re Step 1, that’s an earlier generation of AD CS, which is (forcibly?) installed with Essentials Experience Role, too. Do you generally also uninstall AD CS from Essentials then? Apparently it’s mainly for Anywhere Access, though maybe other things, and I’m not sure that it’s mandatory for AA. Its presence does prevent you from accessing Computer name/domain settings.

    Thanks

    May 11, 2017 at 1:55 am
    • Alexander Reply

      No you can leave AD CS intact. When removing the SBS server however, usually AD CS should also be removed. This is all that is required in most cases. However, if you’re using EFS (encrypting documents on your file servers, etc.) then there is a bit more to it. I can recommend this article by Robert Pearman (Title Required): SBS 2011 How To Backup Your EFS Recovery Agent Certificate.

      May 11, 2017 at 2:47 pm
  • Stephen Ott Reply

    Super helpful. Just decommissioned an old SBS 2008 server that had been hanging around for at least a year after we migrated to other servers.

    July 26, 2017 at 1:12 pm
  • Alex Georgevitch Reply

    Thank you so much for your tutorials, they have been a real life saver! I have a question for you if you don’t mind answering. I migrated everyone from SBS 2003 to 2016 Standard. All users reside under subfolders in the domain called MyBusiness -> Users -> SBSUsers (the default). Can I safely move those to the general domain users or is it best to leave them in their current container? I also have several users that I would like to delete (SQL users that have the name of the old server on embedded in them) and am wondering if there is anything I need to be careful of. Any help is greatly appreciated!

    September 1, 2017 at 1:21 pm
    • Alex Reply

      1. To answer your first question, it all depends on what Group Policy Objects you have linked to that OU container; check it out under the Group Policy Management container. You can use this as an opportunity to clean up–move the users but do not link any GPO objects that you do not want to keep (link the ones you do want to keep however).
      2. You can disable users instead of delete them, to start. Create an OU container for “Disabled Users” then move them over, right click, and disable the accounts. If there are no issues reported, after a period of time, you are probably safe to delete them as well.

      September 2, 2017 at 3:16 pm
  • Nick Tulloch Reply

    After these steps have been completed, what kind of state is the server in? I have an SBS 2011 server and I want to remove all AD functionality from it as we have 2 Server 2012 R2 DCs in place. I may need to leave the file server that resides on it intact for a few weeks. Will the SBS2011 server allow me to logon locally after all of this, and will it be in a workgroup? Any assistance would be much appreciated.

    October 23, 2017 at 10:20 am
    • Alex Reply

      Do not remove the AD/DNS roles before the file shares are moved. Demoting the SBS server is the LAST step, not the second to last or third to last. There is no harm leaving it as the primary DC with FSMO. Just empty the other roles, and when you are good and ready, transfer FSMO and DCPROMO/remove the roles at that time.

      October 26, 2017 at 9:50 pm
  • Marty Reply

    This is an excellent guide. I’ve used it to decom several SBS 2008/2011 servers.

    November 16, 2017 at 11:30 am
  • Oswald Reply

    I am stuck at “initializing removal…” during the Role removal in Active Directory Certificate Services. Rebooted the server but the process is not completing. Please help?

    December 13, 2017 at 11:28 am
    • Alex Reply

      If you already backed up the CA, then don’t worry too much about the rest. I’m sure there is a solution for that issue out there, but it is also possible to whack the object in ADSI edit, if needed, after the server is offline for good.

      December 17, 2017 at 12:26 pm
      • Jim S Reply

        Just in case it helps anyone else, I had the same thing happen, ADCS stuck initializing removal, as posted elsewhere, if you leave it a very very long time, I left it overnight from lunchtime the previous day, it does eventually complete and I was able to continue with a graceful demotion/migration.

        October 17, 2020 at 4:41 am
  • Oswald Reply

    I have successfully completed the decommissioning of the SBS2008 using these Step-by-step instructions. Even though removing few tasks seems ‘frozen’ actually they are not. I have to be patient and leave it till completion. They all completed without an error after couple of hours. I administered last rites to SBS2008, pull the plug and stored it in the shelves. Thank you for the excellent guide. Couldn’t ask a better one. THANK YOU! THANK YOU!! THANK YOU!!!

    December 19, 2017 at 5:40 pm
    • Alex Reply

      You are welcome, sir!

      December 20, 2017 at 10:06 am
  • Kwasi Apaloo Reply

    Thank you. The only issue I had is when uninstalling Exchange Server.
    I succed by following this link : https://blogs.technet.microsoft.com/mukutdas/2015/09/11/remove-public-folder-using-adsiedit/

    February 9, 2018 at 2:32 pm
  • Jonathan Reply

    Hi Alex,

    I wonder if you might be able to help with something. I thought that I had successfully migrated SBS 2008 to server 2016 with the Essentials role. However users reported that some group policies were not applying, mainly redirected folders and desktop.

    When I have gone to check group policy on 2016, I get access denied when editing or trying to create any new group policies.

    I have transferred all the roles to the new server but I have not yet run dcpromo to demote the server as I was leaving it offline for a few weeks to make sure everything was okay before removing it fully.

    Thanks

    Jonathan

    May 15, 2018 at 6:41 am
    • Alex Reply

      I’d check DCDIAG and BPA results, see if there are any errors to remediate.

      May 18, 2018 at 1:59 pm
  • Lyle Reply

    Great article Alex – I have already migrated to office365 so is it still necessary to uninstall Exchange. All FSMO roles have been transferred already, and Microsoft Support tells me that all i need to do is uninstall Certificate Services and run dcpromo.

    thoughts?

    July 30, 2018 at 10:39 am
    • Alex Reply

      If you have Azure AD Connect in place it is advisable to keep an on-premises Exchange server, but I usually replace SBS with a new version of Exchange in that case. Otherwise, it is no longer needed if you do not intend to use Azure AD Connect with Office 365. It is always advisable to properly remove server roles that are not in use.

      July 31, 2018 at 10:09 am
  • JD Reply

    Thanks for the great article Alex
    I would suggest to reconfigure the time source for the domain. Something like this:
    PDC:
    w32tm /config /manualpeerlist:timeserverNameOrIP,0x1 /syncfromflags:manual /reliable:yes /update
    net stop w32time
    net start w32time
    w32tm /resync /rediscover
    SBS and Clients:
    w32tm /config /syncfromflags:domhier /update /reliable:no
    net stop w32time
    net start w32time
    w32tm /resync /rediscover

    August 22, 2018 at 5:35 am
  • Anthony Reply

    If you have issues with Get-Mailbox -Arbitration | Disable-Mailbox -Arbitration -DisableLastArbitrationMailboxAllowed

    Run:
    Get-Mailbox | Set-Mailbox -ModerationEnabled $false
    Get-DistributionGroup | Set-DistributionGroup -ModerationEnabled $false
    Get-DynamicDistributionGroup | Set-DynamicDistributionGroup -ModerationEnabled $false

    And it should now work

    November 28, 2018 at 1:32 am
  • Julius Reply

    Hi Alex,

    thank you for this great post and your website as a highly valuable ressource!

    With regards to the AD CS you write: “Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward. 99% of the time, you can safely remove this role with no ill effects. If there are no active certificates or pending requests, you should be good to go.”

    We are currently preparing for migrating from our old 2008 SBS to a new 2016 environment.
    When I check AD CS I see certificates listed under our servername in Enterprise PKI as well as some issued certificates under our server name which are still valid.

    Is there a way to check whether these certificates and the Enterprise PKI are still in use?
    When looking at migrating the AD CS role an additional step via Server 2012 R2 seems to be required: https://social.technet.microsoft.com/wiki/contents/articles/37373.migrating-ad-certificate-services-from-windows-server-2008-to-windows-server-2016.aspx?Redirected=true

    December 11, 2018 at 7:00 am
  • Mark Richter Reply

    Hello Alex,

    Thanks, very helpful. I’m close to finishing my migration to 2016 and cam across your guide. You stated “You absolutely must have already completed your email migration, and removed Exchange from the source server, before you decommission Active Directory and DNS on Small Business Server.”

    I did install Exchange 2016 on a new server but didn’t remove from the SBS. I have already transfered the FSMO roles but not yet run dcpromo.

    Can I still remove exchange and do I simply uninstall it?

    Thanks again,

    Mark

    January 28, 2019 at 12:20 pm
    • Alex Reply

      If there are no more mailboxes or data of any kind on premises then yes you should be able to uninstall it. In case the uninstaller gives you any guff just google the error it trips on and that usually yields a quick fix, whether you need to remove all public folders or whatever the case may be.

      January 28, 2019 at 2:58 pm
  • Casey Davis Reply

    Very helpful information!

    May 16, 2019 at 10:15 am
  • Nick Reply

    Hi Alex,
    Thank for your helpful instructions.
    I want to remove the sbs2011 from server2008 on the control panel, but there no an uninstall button.
    I go to the folder in program file but still don’t see any uninstall file. Can you help me how to uninstall it?
    Thank you

    October 13, 2019 at 5:31 pm
    • Alex Reply

      What are you uninstalling? Exchange? Active Directory (this post)?

      October 14, 2019 at 3:48 pm
  • Michael Roberts Reply

    I’ve followed these directions a few times. very graceful removal every time. Thanks

    November 7, 2019 at 3:54 pm
  • Saif Amir Reply

    Great article! all works flawlessly

    April 1, 2020 at 12:45 am
  • Silvio Manziano Reply

    As someone asked the question earlier. If the SBS original setup, had users in the the AD folders, All users reside under subfolders in the domain called MyBusiness -> Users -> SBSUsers (the default). when I decommission the SBS server\domain, those foldres will continue to exist and can be used. ? I added a new Windows 2019 server, promotoed to DC, DHCP, has DNS, FSMO role holder. I am basically at the point of just getting rid of the old SBS server completely.

    April 17, 2020 at 10:29 am
    • Alex Reply

      Yes the OU structure can remain the same. It does not remove those OU’s when you remove SBS.

      April 17, 2020 at 10:50 am
      • Silvio Manziano Reply

        Thank you. Do we need to uninstall Exchange ? the users were moved to a 3rd party hosting provider last year. exchange services are still loaded and runningon the SBS server. Just trying to make sure I dont run into any small issues when I start the dc demotion process.

        April 17, 2020 at 10:56 am
        • Alex Reply

          If there is no more mail function left on-prem then you can remove Exchange safely. That is the best practice.

          April 20, 2020 at 11:17 am
  • Marko Reply

    hi
    old article. used it twice with succes.
    now i have another challange.
    we use 2012R2/2016 AD servers, On-Prem Exchange, FS´s, SP etc.
    our company bought a smaller company that uses SBS2011
    now we have to merge those 2 networks together. for now they are not physically connected. but will have to be in the near future. on SBS there are only about 25 User Accounts and about 15 Computer Accounts.
    Migrating Exchange Mailboxes won´t be a problem. already done most of them
    the problem that we have are the File Shares. there´s 1TB of data in 7.5M files. and we would like to leave it there for now. Data must be sorted out. most of it should be put in an archive but no time to do that right now.
    now the question:
    can i decomission the SBS to this point that he´s in a workgroup and not port of any domain anymore? following the instructions but checking the box – This is the last DC on the network. then connect the 2 networks and join the server to our main domain?
    file shares and user permissions would need to be recreated but this is doable.
    Users will access everything with new (our AD) Accounts over Citrix.
    it´s a tricky one and i would appreciate any advice on this 🙂

    Thanks

    April 20, 2020 at 7:20 am
    • Alex Reply

      Yeah that’s tough. I would find another solution for moving those files. I don’t remember the exact limitations but something happens after you fully decom SBS–it will literally stop working after a week or something like that, or it reboots itself all the time or something. I don’t know–it’s been awhile, but what it comes down to is that you have to move all functions off before you run the decom process.

      Maybe you can’t sort out 100% all at one time, but you could ask people to take all current/active data with them to new locations (what are they working on right now and for the next month or whatever). Then that gives them the immediate needs while the rest can be sorted later.

      April 20, 2020 at 11:42 am
  • Ty Devine Reply

    Just wanted to say a big thanks for these articles, i work for a small IT firm in canada and these guides have been very useful. ive done like 10 SBS to server 2016-2019 using this and the exchange decom guide.
    just wanted you to know that your work is appreciated.
    Thanks dude.

    April 21, 2020 at 9:19 am
  • Silvio Manziano Reply

    SoI am at the point that we have a new domain controller running on Windows 2019. All FSMO roles, DHCP, Printers, Data moved to the new 2019 server. I am going to start to decomm the old SBS 2011 server . Whats the best way to get Exchange removed from SBS ? is it simply and add\remove from the Programs in Control Panel. I want to remove the attributes for exchange on the Users domain accts also as its not needed. Exchange was moved to an online hosting provider last year. I saw this in a previous article “You absolutely must have already completed your email migration, and removed Exchange from the source server, before you decommission Active Directory and DNS on Small Business Server.”

    August 7, 2020 at 10:12 am
    • Alex Reply

      You should be able to uninstall Exchange from SBS, yes. You can also refer to this.

      August 7, 2020 at 7:32 pm
  • Mohammad R Khorasani Reply

    This guide along with the supporting ones were very good and easy to follow. However, perhaps I missed it one of the guides but there are several Group Policies that SBS pushes on to machines that if not removed could cause issues. In addition, there is a SBS client that installs on each machine that again if not removed it can create some issues. Those are always the last things I do after having done the things in the guides you have above. Thank you again.

    August 15, 2020 at 7:43 pm
  • Ken Shep Reply

    Should I change the DNS pointing prior to running DCpromo on the legacy DC (SBS 2011 Essentials)? In a 2 DC setup, I usually point DNS to the opposite DC for primary and then secondary DNS to itself. I presume I should switch this prior to running DCpromo. Thanks for input.

    July 22, 2022 at 12:28 pm
    • Alex Fields Reply

      Yes, you can change the DNS either before or after. If one of the DNS entries is no longer available it will use the other entry. But, it is a good practice to clear those that you are demoting/removing in advance.

      August 5, 2022 at 12:24 pm

Leave a Reply

Back to Blog

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.