Part 6: DNS Migration and Decommissioning Legacy Domain Controllers

With FSMO roles now on the new DCs, our old Windows Server 2016 domain controllers are ready for retirement. The final steps are to migrate the remaining services, like DNS, and to demote the old DCs cleanly. DNS is a critical AD-integrated service; ensuring it is fully transitioned is key to a successful migration.

DNS Migration: Ensuring the New DCs are DNS Authorities

Confirm DNS Zones on New DCs

On one of the new domain controllers (e.g., DC2025-1), open DNS Manager and verify all relevant zones (like contoso.com and _msdcs.contoso.com) are present. Active Directory-integrated zones should have replicated automatically. If some zones are missing or are set to a limited replication scope, update them as needed.

Replicate Custom DNS Configurations

DNS forwarders and root hint settings are server-specific and don’t replicate. Manually configure any custom forwarders on DC2025-1 and DC2025-2. If you used conditional forwarders, confirm they are also in place.
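The two checks above can be scripted so nothing is missed. The following is an added example, not code from the original post: it compares the AD-integrated zone list on a legacy DC with each new DC and then copies the per-server forwarder and conditional forwarder settings, which do not replicate. The server names (DC2016-1 as the legacy source, DC2025-1 and DC2025-2 as the new DCs) are assumptions; it needs the DnsServer RSAT module and DNS admin rights.

```powershell
# Added example (not from the original post): compare AD-integrated zones between the
# legacy DC and the new DCs, then copy forwarders and conditional forwarders.
# Assumed names: DC2016-1 is the legacy source; DC2025-1 and DC2025-2 are the new DCs.
$LegacyDc = 'DC2016-1'
$NewDcs   = 'DC2025-1', 'DC2025-2'

# 1. Zone inventory: every AD-integrated zone on the legacy DC should exist on each new DC
#    with the same replication scope.
$legacyZones = Get-DnsServerZone -ComputerName $LegacyDc |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }

foreach ($dc in $NewDcs) {
    $newZones = Get-DnsServerZone -ComputerName $dc
    foreach ($zone in $legacyZones) {
        $match = $newZones | Where-Object ZoneName -eq $zone.ZoneName
        if (-not $match) {
            Write-Warning "$dc is missing zone $($zone.ZoneName) (legacy scope: $($zone.ReplicationScope))"
        } elseif ($match.ReplicationScope -ne $zone.ReplicationScope) {
            Write-Warning "$dc hosts $($zone.ZoneName) with scope $($match.ReplicationScope); legacy has $($zone.ReplicationScope)"
        }
    }
}

# 2. Forwarders are per-server and do not replicate: read them from the legacy DC and
#    apply the same list, root-hint fallback and timeout to each new DC.
$legacyFwd = Get-DnsServerForwarder -ComputerName $LegacyDc
if ($legacyFwd.IPAddress) {
    foreach ($dc in $NewDcs) {
        Set-DnsServerForwarder -ComputerName $dc -IPAddress $legacyFwd.IPAddress `
            -UseRootHint $legacyFwd.UseRootHint -Timeout $legacyFwd.Timeout
    }
}

# 3. Conditional forwarders are zones of type 'Forwarder'. AD-integrated ones replicate on
#    their own; file-backed ones must be recreated on each new DC.
$condFwd = Get-DnsServerZone -ComputerName $LegacyDc |
    Where-Object { $_.ZoneType -eq 'Forwarder' -and -not $_.IsDsIntegrated }
foreach ($dc in $NewDcs) {
    foreach ($cf in $condFwd) {
        if (-not (Get-DnsServerZone -ComputerName $dc -Name $cf.ZoneName -ErrorAction SilentlyContinue)) {
            Add-DnsServerConditionalForwarderZone -ComputerName $dc -Name $cf.ZoneName `
                -MasterServers $cf.MasterServers
        }
    }
}
```

Run it once from an admin workstation before touching the legacy DCs; the warnings it prints are exactly the zones you would otherwise discover missing after demotion.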

Confirm Client DNS Settings

Ensure that DHCP scopes and statically configured devices now point to the new DCs for DNS. You may temporarily keep the old DCs listed, but plan to remove them before demotion.

Validate DNS Resolution

From a command prompt or PowerShell:

nslookup contoso.com 192.0.2.20

nslookup microsoft.com 192.0.2.20

nslookup -q=SRV _ldap._tcp.dc._msdcs.contoso.com 192.0.2.20

Ensure internal and external name resolution works and the new DC resolves all necessary SRV records.
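The nslookup checks above can be run against every new DC at once. The following is an added example, not part of the original post: it uses Resolve-DnsName to query each new DC directly for the domain A record, an external name, and the SRV records domain members rely on to find a DC, a KDC, a global catalog and the PDC emulator. contoso.com, DC2025-1/DC2025-2 and microsoft.com as the external test name are assumptions carried over from the text.

```powershell
# Added example (not from the original post): query each new DC directly for the records
# a domain needs and report any that fail. Assumed names: contoso.com is the AD domain,
# DC2025-1/DC2025-2 are the new DCs, microsoft.com stands in for an external name.
$Domain   = 'contoso.com'
$NewDcs   = 'DC2025-1', 'DC2025-2'
$External = 'microsoft.com'

# Each check: record name, type, and why it matters.
$checks = @(
    @{ Name = $Domain;                            Type = 'A';   Why = 'domain A record' }
    @{ Name = $External;                          Type = 'A';   Why = 'external resolution via forwarders/root hints' }
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV'; Why = 'DC locator' }
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV'; Why = 'Kerberos KDC locator' }
    @{ Name = "_gc._tcp.$Domain";                 Type = 'SRV'; Why = 'global catalog locator' }
    @{ Name = "_ldap._tcp.pdc._msdcs.$Domain";    Type = 'SRV'; Why = 'PDC emulator locator' }
)

$results = foreach ($dc in $NewDcs) {
    foreach ($c in $checks) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer really comes from $dc.
            $answer = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $dc -DnsOnly -ErrorAction Stop |
                      Where-Object { $_.Type -eq $c.Type }      # drop CNAME/additional-section noise
            $targets = if ($c.Type -eq 'SRV') { $answer.NameTarget } else { $answer.IPAddress }
            [pscustomobject]@{
                Server = $dc; Record = $c.Name; Type = $c.Type
                Status = if ($targets) { 'OK' } else { 'EMPTY' }
                Answer = ($targets -join ', '); Why = $c.Why
            }
        } catch {
            [pscustomobject]@{
                Server = $dc; Record = $c.Name; Type = $c.Type
                Status = 'FAIL'; Answer = $_.Exception.Message; Why = $c.Why
            }
        }
    }
}

$results | Format-Table -AutoSize

# Anything other than OK means the new DC is not yet a complete DNS authority; fix it
# before the legacy DCs are demoted. Once the old DCs are gone, the SRV answers should
# list only the new DCs.
$results | Where-Object Status -ne 'OK'
```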

External Dependencies

Update any systems outside of AD (e.g., routers, firewalls) that reference the old DCs as DNS servers. Replace these with the IPs of the new DCs.

Decommissioning the Old Domain Controllers

Pre-Demotion Checks

  • Confirm that all FSMO roles are held by new DCs (see Part 5).
  • Use repadmin /replsummary to verify that there are no lingering replication issues.
  • Demote one DC at a time, retaining one legacy DC temporarily as backup.

Demotion via PowerShell

Uninstall-ADDSDomainController -DemoteOperationMasterRole:$false -RemoveApplicationPartitions:$false -LocalAdministratorPassword (ConvertTo-SecureString "TempPass@123" -AsPlainText -Force)

This removes AD DS from the server, sets a local admin password, and reboots the system. The machine becomes a member server.
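Because demotion is not easily reversed, it is worth gating the command on the pre-demotion checks. The following is an added example, not code from the original post: run on the legacy DC itself, it confirms no FSMO role still points at that server, parses repadmin /replsummary for non-zero failure counts, confirms another writable DC exists, and only then demotes. The password is prompted with Read-Host -AsSecureString rather than typed on the command line so it does not land in the console history; DC2016-1 as the target is an assumption.

```powershell
# Added example (not from the original post): run the pre-demotion checks from this part
# and only call Uninstall-ADDSDomainController when they all pass. Run it on the legacy
# DC being demoted (assumed: DC2016-1).
$Target   = $env:COMPUTERNAME
$problems = @()

# 1. No FSMO role may still sit on this server (Part 5 moved them to the new DCs).
$forest = Get-ADForest
$domain = Get-ADDomain
$fsmo = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    # Role holders are returned as FQDNs, e.g. DC2016-1.contoso.com
    if ($fsmo[$role] -like "$Target.*") { $problems += "$role is still held by $Target" }
}

# 2. Replication must be clean. repadmin /replsummary prints one row per DSA in the form
#    "<name>  <largest delta>  <fails> /  <total>  <pct>  <error>"; any non-zero fails is a stop.
$summary = repadmin /replsummary 2>&1
foreach ($line in $summary) {
    if ($line -match '^\s*(\S+)\s+.*?\s+(\d+)\s+/\s+(\d+)\s+(\d+)') {
        if ([int]$matches[2] -gt 0) {
            $problems += "replication failures for $($matches[1]): $($matches[2]) of $($matches[3])"
        }
    }
}

# 3. Another writable DC must remain; never demote the last writable DC this way.
$others = Get-ADDomainController -Filter { Name -ne $Target -and IsReadOnly -eq $false }
if (-not $others) { $problems += 'no other writable DC found; refusing to demote' }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Pre-demotion checks failed on $Target"
}

# All checks passed: demote. The server reboots and comes back as a member server.
$localAdmin = Read-Host -AsSecureString 'New local Administrator password'
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$false `
    -RemoveApplicationPartitions:$false -LocalAdministratorPassword $localAdmin -Force
```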

Post-Demotion Cleanup

  • Confirm the demoted DC no longer appears in the Domain Controllers OU or in AD Sites and Services.
  • DNS records (SRV, NS, A, CNAME) should be automatically removed. If not, manually delete the leftovers.
  • Remove the old server from the DNS zone’s Name Server tab if it still appears.

Repeat for Remaining Legacy DCs

Follow the same steps for DC2016-2. Confirm:

  • Application partitions like ForestDNSZones and DomainDNSZones have other DNS servers.
  • No required services (CA, file shares) are hosted on the legacy server.

Final Environment Cleanup

  • Confirm that only new DCs appear in the Domain Controllers OU.
  • Delete lingering server objects in AD Sites and Services.
  • Remove any leftover DNS entries.
  • Reassess Group Policies or login scripts tied to old DCs.
  • Remove old servers from the domain entirely via disjoin or manual cleanup in AD.

Verifying After Decommission

Functional Testing

  • Log in as a domain user to ensure authentication works.
  • Access file shares or mapped drives.
  • Confirm Group Policy processing and DNS lookups.

Run DCDiag

dcdiag /v /c /e

Verify that all tests pass. Minor DNS warnings related to decommissioned DCs can be ignored if expected.

DFSR SYSVOL Validation

Check the DFS Management console to confirm that only new DCs are listed in SYSVOL replication.
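The cleanup checklists above (Post-Demotion Cleanup, Final Environment Cleanup) and this DFSR check can be verified with one script. The following is an added example, not code from the original post: it looks for every kind of leftover a demoted DC can leave behind, the DC object, its server and NTDS Settings objects under Sites, DNS records of any type that still point at its name or address, and a lingering SYSVOL replication membership, and reports them without deleting anything. DC2016-1, its old address 192.0.2.10, contoso.com and DC2025-1 as the DNS server to query are assumptions; it needs the ActiveDirectory, DnsServer and DFSR RSAT modules.

```powershell
# Added example (not from the original post): scan for leftovers of a demoted DC.
# Assumed names: DC2016-1 is the demoted server, 192.0.2.10 its old address,
# contoso.com the domain, DC2025-1 the DNS server to query. Reports only; deletes nothing.
$OldDc    = 'DC2016-1'
$OldIp    = '192.0.2.10'
$Domain   = 'contoso.com'
$DnsHost  = 'DC2025-1'
$findings = @()

# 1. Domain Controllers OU: the account should no longer be a domain controller.
if (Get-ADDomainController -Filter { Name -eq $OldDc } -ErrorAction SilentlyContinue) {
    $findings += "$OldDc is still listed as a domain controller"
}

# 2. AD Sites and Services: server object and NTDS Settings object under CN=Sites.
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $sitesDn -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" |
    ForEach-Object { $findings += "server object remains: $($_.DistinguishedName)" }
Get-ADObject -SearchBase $sitesDn -LDAPFilter '(objectClass=nTDSDSA)' |
    Where-Object DistinguishedName -like "*CN=$OldDc,*" |
    ForEach-Object { $findings += "NTDS Settings object remains: $($_.DistinguishedName)" }

# 3. DNS: any record in any zone whose data still points at the old name or IP
#    (A by address; SRV, NS, CNAME and PTR by host name, which DNS stores with a trailing dot).
$oldFqdn = "$OldDc.$Domain."
foreach ($zone in Get-DnsServerZone -ComputerName $DnsHost | Where-Object { -not $_.IsAutoCreated }) {
    Get-DnsServerResourceRecord -ComputerName $DnsHost -ZoneName $zone.ZoneName | ForEach-Object {
        $data = $_.RecordData
        $hit = switch ($_.RecordType) {
            'A'     { $data.IPv4Address.IPAddressToString -eq $OldIp }
            'SRV'   { $data.DomainName -ieq $oldFqdn }
            'NS'    { $data.NameServer -ieq $oldFqdn }
            'CNAME' { $data.HostNameAlias -ieq $oldFqdn }
            'PTR'   { $data.PtrDomainName -ieq $oldFqdn }
            default { $false }
        }
        if ($hit) { $findings += "DNS leftover in $($zone.ZoneName): $($_.HostName) $($_.RecordType)" }
    }
}

# 4. DFSR: the SYSVOL replication group should no longer list the old DC.
Get-DfsrMembership -GroupName 'Domain System Volume' -ComputerName $OldDc -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "DFSR SYSVOL membership remains for $($_.ComputerName)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No leftovers found for $OldDc" }
```

Each warning maps to one of the manual steps in the lists above; clear them in the same order (AD object, Sites and Services, DNS, DFSR) and rerun until the script reports nothing.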

Real-World Insight

Ensure decommissioned DCs were not hosting other services (like Certificate Services or Print Server roles). If they were, migrate those services separately. Properly planned demotion avoids residual issues.

Congratulations! Your domain is now fully supported by Windows Server 2025 domain controllers. The transition occurred with no downtime and complete continuity. Next, we’ll handle optional IP reassignment (Part 7) and then raise forest/domain functional levels to unlock new features.

Cristal Kawula, Checkyourlogs.net