After you have installed new domain controllers, there comes a moment when you need to remove, or better said, demote the old domain controller. Old domain controllers can't simply be turned off; they need to be properly removed from the domain.
In some cases, though, you might no longer have access to the old domain controller. We can still remove that domain controller from the domain, but we will need to use a different method for it.
In this article, I will explain both methods to demote a domain controller. The steps below can be used for Windows Server 2008 R2 and newer, including Windows Server 2022.
Preparing the domain
Before we can demote the domain controller we will need to check the following points to ensure a smooth transition and avoid any issues:
- Check replication – We need to make sure that the replication between the old and new domain controller is running without any error. Use the command repadmin /replsummary <new-dc-name> to check for any errors.
- DHCP and DNS – If the old domain controller is also running DHCP and DNS, make sure that these services are also transferred to the new domain controller.
- DNS on clients – Ensure that the DNS settings on the clients (and other servers) are pointing to the new domain controller. Otherwise, they won't be able to log in.
- Create a Backup – Create a full backup of the old domain controller and verify the backup. This way you can always restore the server in case of any issues.
FSMO roles will be transferred automatically when you demote the domain controller. You can check where the FSMO roles are running with the command netdom query FSMO.
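The checklist above can be scripted so that nothing is skipped. The following is an added example, not code from the original article: a PowerShell readiness check that you run on the new domain controller. It reports inbound replication failures, shows where the FSMO roles sit, flags a leftover DHCP authorization for the old server, and confirms that the new server is a name server for the zone and that the host itself no longer resolves through the old one. The hostnames OLD-DC01 and NEW-DC01 are placeholders, and the script assumes the ActiveDirectory, DnsServer and DhcpServer RSAT modules are available.

```powershell
# Added example, not part of the original article: pre-demotion readiness check.
# Run it in an elevated PowerShell session on the NEW domain controller.
# Assumptions: the ActiveDirectory, DnsServer and DhcpServer modules are installed
# (RSAT), and $OldDc / $NewDc are placeholders for your own DC hostnames.
Import-Module ActiveDirectory
$OldDc = 'OLD-DC01'   # placeholder: the DC you are about to demote
$NewDc = 'NEW-DC01'   # placeholder: the DC that takes over

$issues = @()
$domain = Get-ADDomain
$forest = Get-ADForest
$zone   = $domain.DNSRoot

# 1. Replication: every inbound partner of the new DC must report success (result code 0)
foreach ($p in Get-ADReplicationPartnerMetadata -Target $NewDc -PartnerType Inbound) {
    if ($p.LastReplicationResult -ne 0 -or $p.ConsecutiveReplicationFailures -gt 0) {
        $issues += "Replication of $($p.Partition) from $($p.Partner): result $($p.LastReplicationResult), " +
                   "$($p.ConsecutiveReplicationFailures) consecutive failures"
    }
}

# 2. FSMO roles: print where they sit and flag any still held by the old DC
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($r in $roles.GetEnumerator()) {
    Write-Host ("{0,-20} {1}" -f $r.Key, $r.Value)
    if ($r.Value -like "$OldDc.*") {
        $issues += "FSMO role $($r.Key) is still on $OldDc; a graceful demotion transfers it, but verify afterwards"
    }
}

# 3. DHCP: the old DC should no longer be an authorized DHCP server in AD
if (Get-Module -ListAvailable -Name DhcpServer) {
    $dhcp = Get-DhcpServerInDC | Where-Object { $_.DnsName -like "$OldDc.*" }
    if ($dhcp) { $issues += "DHCP is still authorized for $($dhcp.DnsName); migrate the scopes first" }
}

# 4. DNS server side: the new DC must already be a name server for the domain zone
$ns = Get-DnsServerResourceRecord -ComputerName $NewDc -ZoneName $zone -RRType NS -Name '@' |
      ForEach-Object { $_.RecordData.NameServer.TrimEnd('.') }
if ($ns -notcontains "$NewDc.$zone") { $issues += "$NewDc is not listed as a name server for $zone" }

# 5. DNS client side: this host must not still rely on the old DC as its resolver
$oldIp = Resolve-DnsName -Name "$OldDc.$zone" -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.IPAddress } | Select-Object -First 1 -ExpandProperty IPAddress
$resolvers = @()
foreach ($nic in Get-DnsClientServerAddress -AddressFamily IPv4) { $resolvers += $nic.ServerAddresses }
if ($oldIp -and $resolvers -contains $oldIp) { $issues += "This host still uses $OldDc ($oldIp) as a DNS server" }

if ($issues.Count -eq 0) {
    Write-Host "No blocking issues found; $OldDc can be demoted." -ForegroundColor Green
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

Each finding is reported as a warning rather than stopping the script, so you get the full picture in one run. The DNS client check only covers the machine you run it on; for the other clients and servers you still need to verify their DNS settings separately.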
Demoting an active Domain Controller
If you still have access to the domain controller then we can easily remove the domain controller using the Server Manager. Make sure that you have checked the points above before you continue.
Time needed: 5 minutes
- Open the Server Manager and go to Manage > Remove Roles and Features
– Open the Server Manager (you can find it in the start menu)
– Click on Manage > Remove Roles and Features
- Select the old domain controller
In the Server Selection, make sure that the old domain controller is selected.
- Remove the Active Directory Domain Services
Deselect the role Active Directory Domain Services. In the popup, click on Remove Features.
- Demote the Domain Controller
You will get an error that the validation failed; this is normal. To remove the feature we first need to demote the domain controller. Click on Demote this domain controller.
- Credentials
In the next screen, we can change the credentials. Normally you will perform these steps as a domain administrator and don't need to change them.
Make sure that you leave Force the removal of this domain controller unchecked. Only select this when you are deleting the last domain controller in the network.
- Proceed with removal
The server is probably also running DNS. We are going to remove this as well, so make sure that you have pointed your clients to the new DNS server.
Select Proceed with removal and click Next.
- Remove DNS
In the removal options, other services that can be removed are listed as well. Make sure that Remove DNS delegation is selected and click Next.
- Enter New Administrator Password
We will need to enter a new administrator password. This is for the local administrator account on the server after it's removed from the domain.
- Review and Demote
Review the settings and click on Demote to remove the domain controller. The server will restart to complete the process.
- Remove the server from the Active Directory Sites and Services
After the server has rebooted we will need to perform one last step: removing the server from Active Directory Sites and Services.
– Open Active Directory Sites and Services from the start menu
– Expand Sites > Default-First-Site-Name > Servers
– Right-click on the old domain controller and choose Delete
Verify the Removal of the Domain Controller
Now that the old domain controller is removed, we need to make sure that everything is running smoothly. On the new domain controller, open a console and run the command dcdiag. This will check the health of your domain controller and show any errors.
If you have two or more domain controllers left, then run the command repadmin /showrepl to verify that the replication between the remaining domain controllers is running without any errors.
Demote a Domain Controller with PowerShell
We can also use PowerShell to demote the domain controller. Instead of clicking through 9 screens, you can remove the domain controller with a couple of commands:
# Import the ADDSDeployment module
Import-Module ADDSDeployment

# Demote the server: continue even if it holds FSMO roles, remove the DNS delegation, and skip the confirmation prompt
# (you will still be asked for the new local administrator password)
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -RemoveDnsDelegation:$true -Force:$true

# Run the following command after the reboot to remove the AD DS role and its management tools from the server
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
Manually Remove a Domain Controller
We can also manually remove a domain controller. This method is only recommended when you no longer have access to the server.
- Open Active Directory Users and Computers on the active domain controller
- Open the Domain Controllers OU
- Delete the old domain controller
- Click Yes
- Select Delete this Domain Controller anyway
- Click on Delete
- Confirm it one last time by clicking on Yes
The last step is to remove the server from the Active Directory Sites and Services:
- Open the Active Directory Sites and Services from the start menu
- Expand Sites > Default-First-Site-Name > Servers
- Right-click on the old domain controller and choose Delete
If the old domain controller also had a DNS role, then we also need to remove the server from the Name Servers in the DNS Manager.
- Open the DNS Manager on the active domain controller
- Expand Forward Lookup Zones
- Right-click on your domain and select properties
- Open the Name Servers tab
- Delete the old server from the Name Servers list
Also delete the Name Server (NS) record of the old server from the domain DNS zone and any subzone.
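Whether you demoted the server gracefully or removed it manually, the result should look the same from the remaining domain controllers. The following added example, not code from the original article, checks from a remaining domain controller that the old server is gone from the domain controller list and the Domain Controllers OU, from Active Directory Sites and Services, and from the DNS zones, and then runs the dcdiag and replication checks from the "Verify the Removal of the Domain Controller" section. OLD-DC01 is a placeholder hostname; the ActiveDirectory and DnsServer modules are assumed to be installed.

```powershell
# Added example, not part of the original article: post-removal verification.
# Run it in an elevated PowerShell session on a remaining domain controller
# after a demotion or a manual removal. Assumptions: the ActiveDirectory and
# DnsServer modules are installed and $OldDc is a placeholder for the removed DC.
Import-Module ActiveDirectory
$OldDc = 'OLD-DC01'   # placeholder: the DC that was removed

$leftovers = @()
$domain   = Get-ADDomain
$zone     = $domain.DNSRoot
$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. The DC must be gone from the domain's DC list and from the Domain Controllers OU
if (Get-ADDomainController -Filter "Name -eq '$OldDc'") {
    $leftovers += "$OldDc is still returned by Get-ADDomainController"
}
if (Get-ADComputer -Filter "Name -eq '$OldDc'" -SearchBase $domain.DomainControllersContainer) {
    $leftovers += "Computer object for $OldDc still exists in the Domain Controllers OU"
}

# 2. No server object left under Sites (the Active Directory Sites and Services step)
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
if ($serverObj) { $leftovers += "Server object still present: $($serverObj.DistinguishedName)" }

# 3. No NS or A records for the old DC in the domain zone or its _msdcs zone (the DNS Manager step)
foreach ($z in @($zone, "_msdcs.$zone")) {
    $nsRecords = Get-DnsServerResourceRecord -ZoneName $z -RRType NS -ErrorAction SilentlyContinue
    foreach ($rec in $nsRecords) {
        if ($rec.RecordData.NameServer -like "$OldDc.*") {
            $leftovers += "NS record '$($rec.HostName)' in zone $z still points to $($rec.RecordData.NameServer)"
        }
    }
}
if (Get-DnsServerResourceRecord -ZoneName $zone -RRType A -Name $OldDc -ErrorAction SilentlyContinue) {
    $leftovers += "A record for $OldDc still exists in $zone"
}

# 4. Health of what remains: dcdiag /q prints only failures, so any output is a finding;
#    replication failures are only meaningful when more than one DC is left
$dcdiagOutput = dcdiag /q
if ($dcdiagOutput) { $leftovers += "dcdiag reported errors:`n" + ($dcdiagOutput -join "`n") }
if (@(Get-ADDomainController -Filter *).Count -gt 1) {
    foreach ($f in Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain) {
        $leftovers += "Replication failure on $($f.Server) from $($f.Partner): $($f.FailureType), count $($f.FailureCount)"
    }
}

if ($leftovers.Count -eq 0) {
    Write-Host "$OldDc is fully removed and the remaining DCs are healthy." -ForegroundColor Green
} else {
    $leftovers | ForEach-Object { Write-Warning $_ }
}
```

A leftover server object under Sites or a stale NS record is exactly the kind of reference that keeps clients and replication partners trying to contact a server that no longer exists, so anything this script reports should be cleaned up before you consider the removal finished.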
Wrapping Up
Demoting a domain controller isn't that difficult anymore since Windows Server 2008 R2. A lot is now done automatically in the background, like transferring the FSMO roles and cleaning up the metadata.
The recommended method to remove the domain controller is using the Server Manager or PowerShell. Only use the manual method if you really can't access the server anymore.
I hope you found this article useful, if you have any questions, just drop a comment below.
Nice article thanks.
Could you say some more (or link to an article) about how to
transfer DHCP and DNS to the new DC, and update the DNS records on the clients (and other servers) to point to the new DC?
Good article, but if you end up using the last option and manually removing the DC by simply deleting it, you may also need to perform a manual cleanup of the metadata belonging to removed DC. More details here:
https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup
According to this section, the metadata cleanup is automatically performed if you delete the domain controller from the Domain Controllers OU in the Active Directory Users and Computers console.
Yes, but I have seen, on more than one occasion, references to old DCs floating around long after they were deleted using ADUC.
Perhaps something to keep in mind on the off chance the cleanup doesn't happen automatically.