I've got an old Domain Controller (DC) that was running Windows Server 2012, and we wanted to shut it down because it's no longer receiving security updates. I made sure all the FSMO roles were transferred and replication was looking good, but my director wanted to keep it powered off instead of demoting it first. Unfortunately, I lost track of time, and now it's been over three months since it went offline.
I'm wondering if I should power it back up to properly demote it, or if it's better to just remove it from Active Directory (AD) at this stage?
5 Answers
I agree, just delete it. Turning it on could result in unexpected issues.
If your forest was set up after Windows Server 2003 R2, then the tombstone lifetime should be 180 days. You should check this using ADSIEdit.msc. If the tombstone lifetime has passed, you'll want to forcibly demote it by deleting its object from AD and doing a metadata cleanup instead. Please remind your director that waiting this long before taking action is risky for the health of AD.
I suggest just deleting it from AD and cleaning up all the metadata. Turning it back on might lead to some major headaches.
Here's a link that might help: [AD DS Metadata Cleanup Guide](https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup?source=recommendations).
Agreed, definitely the way to go!
By default, the tombstone life is 180 days, so if it's been more than that, you'll definitely want to clean it up in AD, DNS, and Sites and Services instead of turning it back on.
Just a heads up, if your domain was created under 2008 or earlier, it could be around 60 days, so double-check that.
Just treat it like it’s dead: clean up the metadata and remove any DNS records associated with it.

Yep, came here to say the same thing!
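
The tombstone lifetime check the answers mention can also be done from PowerShell instead of ADSIEdit. The script below is an added example, not code from anyone in this thread; it only reads from AD and changes nothing. The DC name `OLD-DC01` and the last-online date are constructed placeholders, and it assumes the ActiveDirectory (RSAT) module and a healthy, reachable DC.

```powershell
# Added example: compare how long a DC has been offline with the forest's
# tombstone lifetime, then list the AD objects that still reference it.
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread): replace both.
$OldDcName  = 'OLD-DC01'
$LastOnline = Get-Date '2024-01-15'

# tombstoneLifetime lives on the Directory Service object in the
# configuration partition (the same object you would open in ADSIEdit).
$configNC = (Get-ADRootDSE).configurationNamingContext
$dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                         -Properties tombstoneLifetime

# If the attribute is not set, AD falls back to the built-in default of 60 days.
$tslDays = if ($null -ne $dsObject.tombstoneLifetime) {
    [int]$dsObject.tombstoneLifetime
} else {
    60
}
$offlineDays = [int]((Get-Date) - $LastOnline).TotalDays

[pscustomobject]@{
    TombstoneLifetimeDays = $tslDays
    DaysOffline           = $offlineDays
    PastTombstoneLifetime = ($offlineDays -ge $tslDays)
}

# Objects a metadata cleanup is expected to remove: the server object and its
# NTDS Settings child under Sites, plus the DC's computer account.
$serverObjects = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                              -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))"
$ntdsSettings  = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                              -LDAPFilter '(objectClass=nTDSDSA)' |
                 Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$OldDcName,*" }
$computer      = Get-ADComputer -Filter "Name -eq '$OldDcName'"

# Anything printed here is a leftover reference to the old DC.
@($serverObjects) + @($ntdsSettings) + @($computer) |
    Where-Object { $_ } |
    Select-Object Name, ObjectClass, DistinguishedName
```

Running it again after the metadata cleanup should return an empty list of leftover objects; DNS records for the old DC are not covered by this script and still need to be checked separately.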