After you have installed new domain controllers there comes a moment when you need to remove or better said, demote the old domain controller. Old domain controllers can’t just be simply turned off, they need to be properly removed from the domain.
In some cases though, you might not have access anymore to the old domain controller. In this case, we can still demote the domain controller. Only we will need to use a different method for it.
In this article
In this article, I will explain both methods to demote a domain controller. The steps below can be used for Windows Server 2008r2 and newer, including Windows Server 2022.
Preparing the domain
Before we can demote the domain controller we will need to check the following points to ensure a smooth transition and avoid any issues:
- Check replication – We need to make sure that the replication between the old and new domain controller is running without any error. Use the command
repadmin /replsummary <new-dc-name>to check for any errors. - DHCP and DNS – If the old domain controller is also running DHCP and DNS, make sure that these services are also transferred to the new domain controller
- DNS on clients – Ensure that the DNS records on the clients (and other servers) are pointing to the new domain controller. Otherwise, they won’t be able to log in
- Create a Backup – Create a full backup of the old domain controller and verify the backup. This way you can always restore the server in case of any issues
FSMO roles will be transferred automatically when you demote the domain controller. You can check where the FSMO roles are running with the command netdom query FSMO.
Demoting an active Domain Controller
If you still have access to the domain controller then we can easily remove the domain controller using the Server Manager. Make sure that you have checked the points above before you continue.
Time needed: 5 minutes
- Open the Server Manager and go to Manage > Remove Roles and Features
– Open the Server Manager (you can find it in the start menu)
– Click on Manage > Remove Roles and Features
- Select the old domain controller
In the Server Selection, make sure that the old domain controller is selected
- Remove the Active Directory Domain Services
Deselect the role Active Directory Domain Services. In the popup click on Remove Features
- Demote the Domain Controller
You will get an error that the validation is failed, this is normal. To remove the features we will need to demote the domain controller. Click on Demote this domain controller
- Credentials
In the next screen, we can change the credentials, normally you will perform these steps as domain administrator and don’t need to change the credentials.
Make sure that you leave the Force the removal of this domain controller Unchecked . Only select this when you are deleting the last domain controller in the network.
- Proceed with removal
The server is probably also running DNS. We are going to remove this as well. Make sure that you have pointed your clients to the new DNS server.
Select Proceed with removal and click Next
- Remove DNS
In the removal options, other services are listed as well that can be removed. Make sure the Remove DNS delegation is selected and click next.
- Enter New Administrator Password
We will need to enter a new administrator password. This is for the local administrator account on the server after it’s removed from the domain.
- Review and Demote
Review the settings and click on Demote to remove the domain controller. The server will restart to complete the process.
- Remove the server from the Active Directory Sites and Services
After the server is rebooted we will need to perform one last step, removing the server from the Active Directory Sites and Services.
– Open the Active Directory Sites and Services from the start menu
– Expand Sites > Default-Fist-Sites-Name > Servers
– Right-click on the old domain controller and choose Delete
Verify the Removal of the Domain Controller
Now the old domain controller is removed, we will need to make sure that everything is running smoothly. On the new domain controller, open the console and run the command dcdiag. This will check the health of your domain controller and will show any errors.
If you have two or more domain controllers left, then run the command repadmin /showrepl to verify that the replication between the remaining domain controllers is running without any errors.
Demote a Domain Controller with PowerShell
We can also use PowerShell to demote the domain controller. Instead of clicking through 9 screens, you can remove the domain controller with a couple of commands:
# Import the ADDSDeployment module Import-Module ADDSDeployment # Demote the server Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -RemoveDnsDelegation:$true -Force:$true # Run the following command after the reboot to remove the Active Directory Sites and Services Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
Manually Remove a Domain Controller
We can also manually remove a domain controller. Is step is only recommended to use when you don’t have access anymore to the server.
- Open Active Directory and Services on the active domain controller
- Open the Domain Controllers OU
- Delete the old domain controller
- Click Yes
- Select Delete this Domain Controller anyway
- Click on Delete
- Confirm it one last time by clicking on Yes
The last step is to remove the server from the Active Directory Sites and Services:
- Open the Active Directory Sites and Services from the start menu
- Expand Sites > Default-Fist-Sites-Name > Servers
- Right-click on the old domain controller and choose Delete
If the old domain controller also had a DNS role, then we also need to remove the server from the Name Servers in the DNS Manager.
- Open the DNS Manager on the active domain controller
- Expand Forward Lookup Zones
- Right-click on your domain and select properties
- Open the Name Servers tab
- Delete the old server from the names server
Also, delete the Name Server record from the domain DNS zone and any subfolder.
Wrapping Up
Demoting a domain controller isn’t that difficult anymore since Windows Server 2008r2. A lot is done on background these days automatically, like transferring the FSMO roles and cleaning up the metadata.
The recommended method to remove the domain controller is using the Server Manager or PowerShell. Only use the manual method if you really can’t access the server anymore.
I hope you found this article useful, if you have any questions, just drop a comment below.
Hi Rudy.
I have a lot DC´s in the organization.
In one of the DC´s, I need demote DC service, but in the same DC I have the Print Server.
The question is:
When I demote DC, is the Print Server still working?
Thanks for your dedicated time!
Yes, the print server isn’t related to the domain controller. Only keep in mind that you might have to reboot the server.
Create article; like all articles of Lazyadmin (Ruud). 🙂
I’m demoting WS2016 Domaincontrollers in Core-Mode and I just found one difference between WS2008 and WS2016 demotion process. Domain will keep alive and i just perform migrations to new Operatingsystems of the Domaincontroller.
For WS2016 Domaincontrollers, there is no option to check or uncheck the “DNS Delegation” in GUI Mode. As I’m working in Core Mode, I need to use the PowerShell-Script and I’m trying to figure out if the paramter “RemoveDnsDelegation:$true” is needed?!?
My feeling tells me it will be the same if the parameter is set with “$true” or if the parameter will not be set. I’m right?
Yes, you should set that to true indeed: https://learn.microsoft.com/en-us/powershell/module/addsdeployment/uninstall-addsdomaincontroller?view=windowsserver2022-ps#-removednsdelegation
I am getting an error like this when trying to delete the DC from AD Sites and Services: “do not delete the container object contains objects representing domain controller”
Any idea how this could be solved?
Hi Rudy,
Thanks for this great article.
If I do the DC removal using the PowerShell method, are those commands the only required for complete removal of the old domain controller?
Also how do I backup and restore the domain controller in case of any issues?
Thanks
Yes, that are the only two commands.
Restoring, well you will need a backup of your AD and ofcourse backup of the old domain controller. But if you have done all the checks up front, then it should go fine.
Thanks
How do I backup the DC? It is a VM running on a Vmware esxi server. is it enough to create a snapshot of the VM before the upgrade?
Or should I use the Windows Server Backup feature? or another way of backup?
Yes, that should be enough. But I recommend checking your backup software for any special settings that are maybe required. Commonly you will need to make sure that the backup is application aware, for example.
After completion of the above decommission process in my domain, it found that some trace mark of old domain controller were still there in DNS management console. as like:
_msdcs same as parent folder NS domain_name.com
ForestDnsZones same as parent folder A Old_domain_IP
Does it essential to delete or can leave it as it is ?
They should have been removed after the demotion. Have you DNS scavening configured? You can also removed them manually.
Nice article thanks.
Could you say some more (or link to an article) about how to
transfer DHCP and DNS to the new DC, and update the DNS records on the clients (and other servers) to point to the new DC ?
Good article, but if you end up using the last option and manually removing the DC by simply deleting it, you may also need to perform a manual cleanup of the metadata belonging to removed DC. More details here:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
According to this section, the metadata cleanup is automatically performed if you delete the domain controller from the Domain Controller OU in the Active Directory User and Computers console.
Yes, but I have seen, on more than one occasion, references to old DCs floating around long after they were deleted using ADUC..
Perhaps something to keep in mind on the off chance the cleanup doesn’t happen automatically..