How to Demote (Remove) a Domain Controller

After you have installed new domain controllers there comes a moment when you need to remove or better said, demote the old domain controller. Old domain controllers can’t just be simply turned off, they need to be properly removed from the domain.

In some cases though, you might not have access anymore to the old domain controller. In this case, we can still demote the domain controller. Only we will need to use a different method for it.

In this article, I will explain both methods to demote a domain controller. The steps below can be used for Windows Server 2008r2 and newer, including Windows Server 2022.

Preparing the domain

Before we can demote the domain controller we will need to check the following points to ensure a smooth transition and avoid any issues:

  • Check replication – We need to make sure that the replication between the old and new domain controller is running without any error. Use the command repadmin /replsummary <new-dc-name> to check for any errors.
  • DHCP and DNS – If the old domain controller is also running DHCP and DNS, make sure that these services are also transferred to the new domain controller
  • DNS on clients – Ensure that the DNS records on the clients (and other servers) are pointing to the new domain controller. Otherwise, they won’t be able to log in
  • Create a Backup – Create a full backup of the old domain controller and verify the backup. This way you can always restore the server in case of any issues

FSMO roles will be transferred automatically when you demote the domain controller. You can check where the FSMO roles are running with the command netdom query FSMO.

Demoting an active Domain Controller

If you still have access to the domain controller then we can easily remove the domain controller using the Server Manager. Make sure that you have checked the points above before you continue.

Time needed: 5 minutes

  1. Open the Server Manager and go to Manage > Remove Roles and Features

    – Open the Server Manager (you can find it in the start menu)
    – Click on Manage > Remove Roles and Features

  2. Select the old domain controller

    In the Server Selection, make sure that the old domain controller is selected

    select old domain controller

  3. Remove the Active Directory Domain Services

    Deselect the role Active Directory Domain Services. In the popup click on Remove Features

    demote domain controller

  4. Demote the Domain Controller

    You will get an error that the validation is failed, this is normal. To remove the features we will need to demote the domain controller. Click on Demote this domain controller

    remove domain controller

  5. Credentials

    In the next screen, we can change the credentials, normally you will perform these steps as domain administrator and don’t need to change the credentials.

    Make sure that you leave the Force the removal of this domain controller Unchecked . Only select this when you are deleting the last domain controller in the network.

    remove domain controller from active directory

  6. Proceed with removal

    The server is probably also running DNS. We are going to remove this as well. Make sure that you have pointed your clients to the new DNS server.

    Select Proceed with removal and click Next

    proceed with removal

  7. Remove DNS

    In the removal options, other services are listed as well that can be removed. Make sure the Remove DNS delegation is selected and click next.

    remove DNS role

  8. Enter New Administrator Password

    We will need to enter a new administrator password. This is for the local administrator account on the server after it’s removed from the domain.

    new administrator password

  9. Review and Demote

    Review the settings and click on Demote to remove the domain controller. The server will restart to complete the process.

    demote domain controller

  10. Remove the server from the Active Directory Sites and Services

    After the server is rebooted we will need to perform one last step, removing the server from the Active Directory Sites and Services.

    – Open the Active Directory Sites and Services from the start menu
    Expand Sites > Default-Fist-Sites-Name > Servers
    Right-click on the old domain controller and choose Delete

    Remove from sites and services

Verify the Removal of the Domain Controller

Now the old domain controller is removed, we will need to make sure that everything is running smoothly. On the new domain controller, open the console and run the command dcdiag. This will check the health of your domain controller and will show any errors.

If you have two or more domain controllers left, then run the command repadmin /showrepl to verify that the replication between the remaining domain controllers is running without any errors.

Demote a Domain Controller with PowerShell

We can also use PowerShell to demote the domain controller. Instead of clicking through 9 screens, you can remove the domain controller with a couple of commands:

# Import the ADDSDeployment module
Import-Module ADDSDeployment

# Demote the server
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -RemoveDnsDelegation:$true -Force:$true

# Run the following command after the reboot to remove the Active Directory Sites and Services
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
delete domain controller with powershell

Manually Remove a Domain Controller

We can also manually remove a domain controller. Is step is only recommended to use when you don’t have access anymore to the server.

  1. Open Active Directory and Services on the active domain controller
  2. Open the Domain Controllers OU
  3. Delete the old domain controller
  4. Click Yes
  1. Select Delete this Domain Controller anyway
  2. Click on Delete
  3. Confirm it one last time by clicking on Yes

The last step is to remove the server from the Active Directory Sites and Services:

  • Open the Active Directory Sites and Services from the start menu
  • Expand Sites > Default-Fist-Sites-Name > Servers
  • Right-click on the old domain controller and choose Delete
Remove from sites and services

If the old domain controller also had a DNS role, then we also need to remove the server from the Name Servers in the DNS Manager.

  1. Open the DNS Manager on the active domain controller
  2. Expand Forward Lookup Zones
  3. Right-click on your domain and select properties
  4. Open the Name Servers tab
  5. Delete the old server from the names server

Also, delete the Name Server record from the domain DNS zone and any subfolder.

Wrapping Up

Demoting a domain controller isn’t that difficult anymore since Windows Server 2008r2. A lot is done on background these days automatically, like transferring the FSMO roles and cleaning up the metadata.

The recommended method to remove the domain controller is using the Server Manager or PowerShell. Only use the manual method if you really can’t access the server anymore.

I hope you found this article useful, if you have any questions, just drop a comment below.

15 thoughts on “How to Demote (Remove) a Domain Controller”

  1. Hi Rudy.
    I have a lot DC´s in the organization.
    In one of the DC´s, I need demote DC service, but in the same DC I have the Print Server.
    The question is:
    When I demote DC, is the Print Server still working?
    Thanks for your dedicated time!

  2. Create article; like all articles of Lazyadmin (Ruud). 🙂

    I’m demoting WS2016 Domaincontrollers in Core-Mode and I just found one difference between WS2008 and WS2016 demotion process. Domain will keep alive and i just perform migrations to new Operatingsystems of the Domaincontroller.

    For WS2016 Domaincontrollers, there is no option to check or uncheck the “DNS Delegation” in GUI Mode. As I’m working in Core Mode, I need to use the PowerShell-Script and I’m trying to figure out if the paramter “RemoveDnsDelegation:$true” is needed?!?

    My feeling tells me it will be the same if the parameter is set with “$true” or if the parameter will not be set. I’m right?

  3. I am getting an error like this when trying to delete the DC from AD Sites and Services: “do not delete the container object contains objects representing domain controller”

    Any idea how this could be solved?

  4. Hi Rudy,

    Thanks for this great article.

    If I do the DC removal using the PowerShell method, are those commands the only required for complete removal of the old domain controller?

    Also how do I backup and restore the domain controller in case of any issues?


    • Yes, that are the only two commands.

      Restoring, well you will need a backup of your AD and ofcourse backup of the old domain controller. But if you have done all the checks up front, then it should go fine.

      • Thanks

        How do I backup the DC? It is a VM running on a Vmware esxi server. is it enough to create a snapshot of the VM before the upgrade?

        Or should I use the Windows Server Backup feature? or another way of backup?

        • Yes, that should be enough. But I recommend checking your backup software for any special settings that are maybe required. Commonly you will need to make sure that the backup is application aware, for example.

  5. After completion of the above decommission process in my domain, it found that some trace mark of old domain controller were still there in DNS management console. as like:
    _msdcs same as parent folder NS
    ForestDnsZones same as parent folder A Old_domain_IP

    Does it essential to delete or can leave it as it is ?

  6. Nice article thanks.

    Could you say some more (or link to an article) about how to
    transfer DHCP and DNS to the new DC, and update the DNS records on the clients (and other servers) to point to the new DC ?

      • Yes, but I have seen, on more than one occasion, references to old DCs floating around long after they were deleted using ADUC..

        Perhaps something to keep in mind on the off chance the cleanup doesn’t happen automatically..

Leave a Comment