How to Gracefully Decommission a Domain Controller in AWS?

Here's a step-by-step for demoting it: Log in to the DC with admin credentials, then go to Server Manager, select Manage, and hit Remove Roles and Features. Uncheck Active Directory Domain Services, and you'll get a prompt to demote the DC. Provide a domain admin's credentials when asked, and if it’s the last DC in your domain, make sure to confirm the domain removal if needed. It usually takes about 10-20 minutes for the process to complete.

There are lots of guides available online you can check out. It's a good idea to start there to get an overview before diving in. Also, make sure to do all the pre-checks: verify the replication status, and ensure that everything is healthy before proceeding.

From my experience, you can use a command like 'dcpromo /demote' in an elevated command prompt to carry out the demotion. Just ensure that the DC isn’t holding any FSMO roles before you proceed. When I did a similar task, I unplugged the DC for a day to confirm that everything else in the environment functioned smoothly without it.

Make sure that no external systems are relying on LDAP authentication through the DC you're about to demote. You should confirm whether this DC is functioning as a certificate server or a Terminal Services Licensing server. It’s also important to check all server roles and DNS services related to it. Before anything, verify that your other DCs are working fine, and utilize tools like DCDiag to check for any issues.