How to Demote (Remove) a Domain Controller

After you have installed new domain controllers, there comes a moment when you need to remove, or better said demote, the old domain controller. Old domain controllers can't simply be turned off; they need to be properly removed from the domain.

In some cases, though, you might no longer have access to the old domain controller. We can still demote the domain controller in that case, but we will need to use a different method for it.

In this article, I will explain both methods to demote a domain controller. The steps below can be used for Windows Server 2008 R2 and newer, including Windows Server 2022.

Preparing the domain

Before we can demote the domain controller we will need to check the following points to ensure a smooth transition and avoid any issues:

  • Check replication – Make sure that the replication between the old and new domain controller is running without any error. Use the command repadmin /replsummary <new-dc-name> to check for errors.
  • DHCP and DNS – If the old domain controller is also running DHCP and DNS, make sure that these services have been transferred to the new domain controller.
  • DNS on clients – Ensure that the DNS settings on the clients (and other servers) point to the new domain controller. Otherwise, they won't be able to log in.
  • Create a backup – Create a full backup of the old domain controller and verify the backup. This way you can always restore the server in case of any issues.

FSMO roles will be transferred automatically when you demote the domain controller. You can check where the FSMO roles are running with the command netdom query FSMO.
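As an added example (not part of the original article), the checklist above can be scripted so it is run the same way every time. The PowerShell script below reports the FSMO holders, replication errors seen by the new DC, DNS/DHCP roles still installed on the old DC and the domain controllers that remain; it assumes the ActiveDirectory and ServerManager modules (RSAT on Windows Server 2012 or newer) and uses placeholder server names.

```powershell
# Added example (not from the original article): pre-demotion readiness report.
# Assumes the ActiveDirectory and ServerManager modules; server names are placeholders.
param(
    [string]$OldDc = 'OLD-DC01',   # placeholder: the DC you are about to demote
    [string]$NewDc = 'NEW-DC01'    # placeholder: a DC that stays in the domain
)
Import-Module ActiveDirectory, ServerManager

$domain = Get-ADDomain
$forest = Get-ADForest

# 1. FSMO roles: list the holders and flag any still on the old DC (demotion moves them automatically).
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    $flag = if ($fsmo[$role] -like "$OldDc.*") { '<- still on the old DC' } else { '' }
    '{0,-22} {1,-35} {2}' -f $role, $fsmo[$role], $flag
}

# 2. Replication: a non-zero last result from any partner of the new DC is the same signal as repadmin /replsummary.
$failed = Get-ADReplicationPartnerMetadata -Target $NewDc -PartnerType Both |
    Where-Object { $_.LastReplicationResult -ne 0 }
if ($failed) {
    Write-Warning "Replication errors on ${NewDc}:"
    $failed | Select-Object Partner, LastReplicationResult, LastReplicationAttempt | Format-Table -AutoSize
} else {
    "Replication to and from ${NewDc}: no errors"
}

# 3. DNS and DHCP roles still installed on the old DC must be moved before demoting.
$roles = Get-WindowsFeature -Name DNS, DHCP -ComputerName $OldDc | Where-Object { $_.Installed }
if ($roles) {
    Write-Warning "Roles still on ${OldDc}: $(@($roles | ForEach-Object { $_.Name }) -join ', ')"
}

# 4. Make sure another DC remains; otherwise you are removing the domain itself.
$others = Get-ADDomainController -Filter * | Where-Object { $_.Name -ne $OldDc }
if ($others) {
    "Remaining DCs after demotion: $(@($others | ForEach-Object { $_.Name }) -join ', ')"
} else {
    Write-Warning "$OldDc is the last domain controller in $($domain.DNSRoot)"
}
```

Run it as a domain administrator from the new DC; any warning it prints is a reason to stop and fix that point before demoting.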

Demoting an active Domain Controller

If you still have access to the domain controller then we can easily remove the domain controller using the Server Manager. Make sure that you have checked the points above before you continue.

Time needed: 5 minutes

  1. Open the Server Manager and go to Manage > Remove Roles and Features

    – Open the Server Manager (you can find it in the start menu)
    – Click on Manage > Remove Roles and Features

  2. Select the old domain controller

    In the Server Selection, make sure that the old domain controller is selected.

  3. Remove the Active Directory Domain Services

    Deselect the role Active Directory Domain Services. In the popup, click on Remove Features.

  4. Demote the Domain Controller

    You will get an error that the validation failed; this is normal. To remove the features, we first need to demote the domain controller. Click on Demote this domain controller.

  5. Credentials

    In the next screen, you can change the credentials. Normally you perform these steps as a domain administrator and don't need to change them.

    Make sure that you leave Force the removal of this domain controller unchecked. Only select this when you are removing the last domain controller in the network.

  6. Proceed with removal

    The server is probably also running DNS. We are going to remove this as well, so make sure that you have pointed your clients to the new DNS server.

    Select Proceed with removal and click Next.

  7. Remove DNS

    In the removal options, other services that can be removed are listed as well. Make sure that Remove DNS delegation is selected and click Next.

  8. Enter New Administrator Password

    We will need to enter a new administrator password. This is for the local administrator account on the server after it's removed from the domain.

  9. Review and Demote

    Review the settings and click on Demote to remove the domain controller. The server will restart to complete the process.

  10. Remove the server from the Active Directory Sites and Services

    After the server has rebooted, we need to perform one last step: removing the server from Active Directory Sites and Services.

    – Open Active Directory Sites and Services from the start menu
    – Expand Sites > Default-First-Site-Name > Servers
    – Right-click on the old domain controller and choose Delete

Verify the Removal of the Domain Controller

Now that the old domain controller is removed, we need to make sure that everything is running smoothly. On the new domain controller, open a console and run the command dcdiag. This checks the health of your domain controller and shows any errors.

If you have two or more domain controllers left, run the command repadmin /showrepl to verify that the replication between the remaining domain controllers is running without any errors.

Demote a Domain Controller with PowerShell

We can also use PowerShell to demote the domain controller. Instead of clicking through 9 screens, you can remove the domain controller with a couple of commands:

# Import the ADDSDeployment module
Import-Module ADDSDeployment

# Demote the server. You will be prompted for the new local administrator password
# (the same password you would enter in step 8 of the Server Manager wizard).
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -RemoveDnsDelegation:$true -Force:$true

# Run the following command after the reboot to remove the AD DS role and its management tools
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools

Manually Remove a Domain Controller

We can also manually remove a domain controller. This method is only recommended when you no longer have access to the server.

  1. Open Active Directory Users and Computers on the active domain controller
  2. Open the Domain Controllers OU
  3. Delete the old domain controller
  4. Click Yes
  5. Select Delete this Domain Controller anyway
  6. Click on Delete
  7. Confirm it one last time by clicking on Yes

The last step is to remove the server from the Active Directory Sites and Services:

  • Open Active Directory Sites and Services from the start menu
  • Expand Sites > Default-First-Site-Name > Servers
  • Right-click on the old domain controller and choose Delete

If the old domain controller also had a DNS role, then we also need to remove the server from the Name Servers in the DNS Manager.

  1. Open the DNS Manager on the active domain controller
  2. Expand Forward Lookup Zones
  3. Right-click on your domain and select Properties
  4. Open the Name Servers tab
  5. Delete the old server from the Name Servers list

Also delete the old server's Name Server record from the domain DNS zone itself and from any subfolder of it.
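As an added example (not part of the original article), the checks from the Verify section and the manual cleanup above can be combined in one PowerShell script that you run on a remaining DC that also hosts DNS. It assumes the ActiveDirectory and DnsServer modules (RSAT) and uses placeholder names for the old DC and the zone.

```powershell
# Added example (not from the original article): post-removal checks for leftovers of the
# old DC plus replication health. Assumes the ActiveDirectory and DnsServer modules and is
# run on a remaining DC that hosts DNS; the DC name and zone are placeholders.
param(
    [string]$OldDc = 'OLD-DC01',         # placeholder: the DC that was removed
    [string]$Zone  = 'corp.example.com'  # placeholder: your AD-integrated DNS zone
)
Import-Module ActiveDirectory, DnsServer
$problems = 0

# 1. The old server must no longer be listed as a domain controller.
if (Get-ADDomainController -Filter "Name -eq '$OldDc'") {
    Write-Warning "$OldDc is still listed as a domain controller"; $problems++
}

# 2. No server object left under Sites (what the Sites and Services step deletes).
$cfg = (Get-ADRootDSE).configurationNamingContext
$server = Get-ADObject -SearchBase "CN=Sites,$cfg" -Filter "objectClass -eq 'server' -and name -eq '$OldDc'"
if ($server) {
    Write-Warning "Server object still in Sites and Services: $($server.DistinguishedName)"; $problems++
}

# 3. NS records: covers the zone itself and any delegated subfolder records in it, plus the
#    separate _msdcs zone that exists in the forest root domain (skipped if it is not a zone here).
foreach ($z in @($Zone, "_msdcs.$Zone")) {
    $ns = Get-DnsServerResourceRecord -ZoneName $z -RRType NS -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.NameServer -like "$OldDc.*" }
    if ($ns) { Write-Warning "NS record for $OldDc still present in zone $z"; $problems++ }
}

# 4. Replication health of the remaining DCs (the same signal as repadmin /showrepl).
$fail = Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain
if ($fail) {
    Write-Warning 'Replication failures reported:'
    $fail | Select-Object Server, Partner, FailureType, FailureCount | Format-Table -AutoSize
    $problems++
}

# 5. dcdiag on this DC; /q prints errors only, so no output means every test passed.
dcdiag /q

if ($problems -eq 0) { "Verified: no leftovers of $OldDc and replication is clean" }
else { Write-Warning "$problems issue(s) found, finish the cleanup before moving on" }
```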

Wrapping Up

Demoting a domain controller isn't that difficult anymore since Windows Server 2008 R2. A lot is now done automatically in the background, like transferring the FSMO roles and cleaning up the metadata.

The recommended method to remove the domain controller is using the Server Manager or PowerShell. Only use the manual method if you really can’t access the server anymore.

I hope you found this article useful, if you have any questions, just drop a comment below.


4 thoughts on “How to Demote (Remove) a Domain Controller”

  1. Nice article, thanks.

    Could you say some more (or link to an article) about how to
    transfer DHCP and DNS to the new DC, and update the DNS records on the clients (and other servers) to point to the new DC?

      • Yes, but I have seen, on more than one occasion, references to old DCs floating around long after they were deleted using ADUC.

        Perhaps something to keep in mind on the off chance the cleanup doesn't happen automatically.
