If you launched an AD extension type deployment and want to decommission the on-prem servers, keep the following things in mind. Your FSMO roles may still be hosted on your local domain controller. To check what server holds the roles you can run the following command in an elevated Powershell or Command prompt window:
PS C:\Windows\system32> netdom query fsmo
The output should look something like this:
Schema master dc1.itopia.test
Domain naming master dc1.itopia.test
RID pool manager dc1.itopia.test
Infrastructure master dc1.itopia.test
The command completed successfully.
Moving the FSMO roles
If the output points to one of your new domain controllers then you can skip this part but if they are pointing to your old on-prem domain controllers then you will need to run the following command to move the roles over.
Move-ADDirectoryServerOperationMasterRole -Identity "target domain contorller" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator
If the domain controller is already offline and the roles were not transferred, you can run the previous command with the "-Force" option to seize the roles:
Move-ADDirectoryServerOperationMasterRole -Identity "target domain controller" -OperationMasterRole SchemaMaster,RIDMaster,InfrastructureMaster,DomainNamingMaster,PDCEmulator -Force
Demoting old domain controllers
After the FSMO roles are transferred to the new domain controller, gracefully demote the old domain controllers from your active directory. You can do this through the Server manager, Powershell or Command prompt.
Once the domain controllers have been demoted go ahead and remove them from the domain. Update any local devices DNS servers so they can still resolve domain resources and authenticate with it.
Optional - Removing the VPN
If you don't need connectivity to the Active directory from your on-prem location, or if the old domain controllers were located in a data center and that site will no longer be used, you can remove the VPN connecting the two locations. If you intend to have users log into the domain using their local devices as they did before, or will need to use network devices such as printers, then please leave the VPN in place.