Removing old Domain Controllers in AD extension deployments

Gracefully decommission on-prem domain after creating an AD extension deployment

Written by Craig Medland
Updated over a week ago

If you launched an AD extension deployment and want to decommission the on-prem servers, keep the following points in mind. Your FSMO roles may still be hosted on your local domain controller. To check which server holds the roles, run the following command in an elevated PowerShell or Command Prompt window:

PS C:\Windows\system32> netdom query fsmo

The output should look something like this:

Schema master               dc1.itopia.test
Domain naming master        dc1.itopia.test
PDC                         dc1.itopia.test
RID pool manager            dc1.itopia.test
Infrastructure master       dc1.itopia.test
The command completed successfully.

Moving the FSMO roles

If the output points to one of your new domain controllers, you can skip this part. If the roles are still held by your old on-prem domain controllers, run the following command to move them over (replace the placeholder with the hostname of the new domain controller that should receive the roles):

Move-ADDirectoryServerOperationMasterRole -Identity "target domain controller" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator

If the domain controller is already offline and the roles were not transferred, you can run the previous command with the "-Force" option to seize the roles:

Move-ADDirectoryServerOperationMasterRole -Identity "target domain controller" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force

Demoting old domain controllers

After the FSMO roles have been transferred to the new domain controller, gracefully demote the old domain controllers from your Active Directory. You can do this through Server Manager, PowerShell or the Command Prompt.

Once the domain controllers have been demoted, remove them from the domain. Update the DNS server settings on any local devices so they can still resolve domain resources and authenticate against the domain.
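The steps above (check the role holders, move the roles, verify, demote) as one PowerShell script. This is an added example, not itopia's own tooling; it assumes an elevated session with the RSAT ActiveDirectory module, Domain/Enterprise Admin rights, and WinRM access to the old domain controller. NEWDC01 and OLDDC01 are placeholder hostnames, and the pre-demotion checks (no roles left on the old server, another global catalog exists, replication to the new DC is healthy) are standard checks added here rather than steps named in the article.

```powershell
# Added example (not from the itopia article): check, transfer and verify the
# FSMO roles, then demote the on-prem domain controller.
# NEWDC01 / OLDDC01 are placeholder hostnames; replace them with your own.
Import-Module ActiveDirectory

$TargetDc = "NEWDC01"   # placeholder: new domain controller in the AD extension
$OldDc    = "OLDDC01"   # placeholder: on-prem domain controller being retired

function Get-FsmoHolders {
    # Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-HeldBy($Holder, $Server) {
    # Role holders are reported as FQDNs; accept a short name or an FQDN.
    $Holder -eq $Server -or $Holder -like "$Server.*"
}

# 1. Same information as "netdom query fsmo".
$before = Get-FsmoHolders
$before.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# 2. Move only the roles the old DC still holds. The cmdlet prompts per role;
#    add -Confirm:$false for an unattended run. Add -Force only if the old DC is
#    already offline (that seizes instead of transfers), and never bring a DC
#    back online once its roles have been seized.
$rolesToMove = @($before.GetEnumerator() |
    Where-Object { Test-HeldBy $_.Value $OldDc } |
    ForEach-Object { $_.Key })

if ($rolesToMove.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $rolesToMove
} else {
    "No FSMO roles are held by $OldDc; nothing to move."
}

# 3. Verify before demoting: no role left on the old DC, another global catalog
#    exists, and replication to the new DC is not failing.
$left = @((Get-FsmoHolders).Values | Where-Object { Test-HeldBy $_ $OldDc })
if ($left.Count -gt 0) { throw "$OldDc still holds FSMO roles: $($left -join ', ')" }

$otherGcs = Get-ADDomainController -Filter * |
    Where-Object { $_.IsGlobalCatalog -and -not (Test-HeldBy $_.HostName $OldDc) }
if (-not $otherGcs) { throw "No global catalog other than $OldDc; make $TargetDc a GC first." }

$failures = Get-ADReplicationFailure -Target $TargetDc
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, LastError
    throw "Fix replication to $TargetDc before demoting $OldDc."
}

# 4. Demote the old DC. Test-ADDSDomainControllerUninstallation is the dry run;
#    Uninstall-ADDSDomainController performs the demotion and reboots the server.
$localAdminPw = Read-Host -AsSecureString "New local Administrator password for $OldDc"
Invoke-Command -ComputerName $OldDc -ArgumentList $localAdminPw -ScriptBlock {
    param([securestring]$Pw)
    Import-Module ADDSDeployment
    Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $Pw
    Uninstall-ADDSDomainController -LocalAdministratorPassword $Pw -Confirm:$false
}
```

After the reboot the old server is an ordinary member server; remove it from the domain (for example with Remove-Computer run on that server) and then repoint client DNS settings at the new domain controllers, as the article describes.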

Optional - Removing the VPN

If you don't need connectivity to the Active Directory domain from your on-prem location, or if the old domain controllers were located in a data center that will no longer be used, you can remove the VPN connecting the two locations. If you intend to have users log into the domain from their local devices as they did before, or you will need to use network devices such as printers, leave the VPN in place.
