Remove (Demote) Domain Controller from Active Directory (Guide). Once we install new domain controllers (DC), a point arises where it becomes necessary to eliminate or, more precisely, demote the existing domain controller. We must do more than turn off old or unused DCs; we must decommission and disconnect them from the domain properly. We explain both methods to demote a domain controller in this article.
Remove (Demote) Domain Controller from Active Directory (Guide)
Occasionally, access to the former domain controller may no longer be available. The scope of the steps for this article covers all Windows Server builds from Windows Server 2008R2 to the latest. This article is helpful, especially if we still have DCs with end-of-life operating systems.
Preparing the Domain
Before initiating the domain controller’s demotion process, examine the following aspects to guarantee a seamless transition and prevent potential complications. Make sure to create a pre-checklist that contains the below items:
- Check replication – Ensure the replication between the old and new domain controller runs without error. Use the command below to check for any replication errors.
repadmin /replsummary
- DHCP and DNS – Confirm that if the previous domain controller handles DHCP and DNS, we seamlessly transfer these services to the new domain controller.
- DNS on clients – Verify that the DNS records on clients (as well as other servers) direct to the new domain controller to ensure successful logins; otherwise, bad perpetrators may compromise your network.
- Create a Backup – Generate a comprehensive backup of the former domain controller and validate its integrity. This allows for server restoration in the event of any unforeseen issues.
We can transfer the Flexible Single Master Operations (FSMO) roles automatically when we demote the domain controller. Check where the FSMO roles run with the command below.
netdom query FSMO
Demoting an Active Domain Controller
If we still have access to the domain controller, we easily remove the domain controller using the Server Manager. Make sure that we have checked the points above before we can continue.
- Launch the Server Manager by accessing it through the Start Menu and navigating to Manage > Remove Roles and Features.
- a. Open the Server Manager from the Start Menu.
- b. Click on Manage > Remove Roles and Features.
2. Select the old domain controller in the Server Selection.
3. Disable the Active Directory Domain Services role by deselecting it. In the subsequent popup, click on Remove Features.
4. Initiate the demotion process for the Domain Controller, acknowledging the anticipated error in the installation wizard’s validation failure. Click on Demote this domain controller.
5. Verify and, if necessary, modify credentials in the subsequent screen. It’s customary to execute these steps with domain administrator privileges. Leave the Force the removal of this domain controller option unchecked unless it’s the last domain controller in the network.
6. Proceed with the removal, ensuring clients are directed to the new DNS server, especially if Active Directory Sites and Services (ADDS) and DNS services are on the server. Select Proceed with removal and click Next.
7. Opt to remove DNS in the provided removal options, ensuring Remove DNS delegation is selected, and proceed by clicking Next.
8. Set a new administrator password; this is for the local administrator account post-domain removal.
9. Review the configured settings and click Demote to initiate the removal of the DC. The server restarts to complete the process.
Note: There is a view script button that generates a PowerShell script to automate all the steps we just walked through. If we have additional domain controllers to remove, use this script.
10. After the server reboot, the final step involves removing the server from Active Directory Sites and Services.
- Open Active Directory Sites and Services (ADDS) from the Start Menu.
- Expand Sites > Default-First-Site-Name > Servers
- Right-click on the old DC and choose Delete.
The above screenshots are screenshots that we see from modern Windows Server builds (Build 9600 and above). However, this still follows the same process as Windows Server 2008. So, there are no issues, if we still use legacy servers.
Try our Active Directory & Office 365 Reporting & Auditing Tools
Try us out for Free. 100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.
Verify the Removal of the Domain Controller
Ensuring the thorough verification of a Domain Controller’s removal is a critical step in the demotion process, validating the operation’s success and maintaining the integrity of the Active Directory. Follow these steps to verify the removal effectively:
- Active Directory Users and Computers:
- Navigate to the “Domain Controllers” organizational unit and confirm the absence of the demoted controller.
- DNS Records:
- Check DNS records to ensure we removed all references to the demoted controller, preventing potential connectivity issues.
- ADSIEdit.msc:
- Use ADSIEdit.msc to inspect the Active Directory database and verify that entries related to the demoted controller are no longer present.
- Sites and Services:
- Review Active Directory Sites and Services to confirm that our domain removed the demoted controller from the respective site.
- Replication Monitoring:
- Monitor replication status to ensure the demotion process has propagated successfully across the domain controllers.
By following these verification steps, administrators confidently confirm the complete removal of a Domain Controller, maintaining a well-functioning and secure Active Directory environment.
Demote a Domain Controller Using PowerShell
PowerShell provides an efficient alternative for demoting the domain controller, streamlining the process with a few commands:
Import-Module ADDSDeployment
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -RemoveDnsDelegation:$true -Force:$true Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
This approach replaces the need to navigate multiple screens, allowing for a more concise and script-based domain controller demotion.
Manually Remove an Unreachable Domain Controller
We can also manually remove a DC. This step is only recommended for use when we no longer have access to the server.
- Launch Active Directory and Services on the active domain controller.
- Access the Domain Controllers OU.
- Delete the old domain controller and confirm by clicking Yes.
4. Opt to Delete this Domain Controller anyway.
5. Click Delete and confirm the action again by clicking Yes.
The final step involves removing the server from Active Directory Sites and Services:
- Open Active Directory Sites and Services (ADDS) from the Start menu.
- Expand Sites > Default-First-Site-Name > Servers.
- Right-click on the old domain controller and select Delete.
Unreachable DC with a DNS Role
If the old domain controller had a DNS role, additional steps are required:
- Open DNS Manager on the active domain controller.
- Expand Forward Lookup Zones.
- Right-click on the domain and choose Properties.
- Open the Name Servers tab.
- Delete the old server from the name servers.
Also, remove the Name Server (NS) record from the domain DNS zone and any subfolder.
- Launch DNS Manager on the active domain controller.
- In DNS Manager, expand the Forward Lookup Zones section.
- Identify and right-click on the domain you want to remove from the NS record.
- Choose Properties from the context menu.
- Inside the Zone Properties, navigate to the Name Servers tab.
- Select the NS record corresponding to the old server.
- Click on Delete or use the Delete key on your keyboard.
- Confirm the deletion of the NS record when prompted.
- If there are subfolders or subzones within the domain, repeat steps 3 to 7 for each relevant subfolder.
- Review your changes and save the updated DNS configuration.
Removing DC from our environment despite being powered off is considered best practice in infrastructure management. If the DC is not removed, the domain still considers the server part of the network and may cause unexpected domain issues. Following the above steps, we effectively remove the DC even if it is unreachable or powered off.
Reasons Why We Need To Retire a Domain Controller
Demoting domain controllers is a strategic maneuver in network administration, driven by various factors that revolve around optimizing and streamlining the Active Directory environment. Here are the key reasons for demotion:
- Hardware Upgrades/Replacement:
- Ensure the network remains robust and up-to-date by retiring or replacing aging hardware.
- Organizational Changes:
- Adapt to structural shifts like mergers or downsizing, requiring adjustments in domain controller configurations to align with the evolving business landscape.
- Resource Optimization:
- Efficiently manage the distribution of resources across the network for improved performance.
- Enhanced Security Posture:
- Implement changes to bolster security measures, addressing vulnerabilities and ensuring a resilient defense against potential threats.
- Dynamic IT Ecosystem:
- Maintain agility in the network infrastructure to accommodate the evolving needs of a dynamic IT environment.
Administrators proactively address these considerations by demoting domain controllers fostering a more resilient, adaptive, and secure Active Directory environment.
That is it. Thank you for reading Remove (Demote) Domain Controller from Active Directory (Guide).
Remove (Demote) Domain Controller from Active Directory (Guide) Conclusion
In wrapping up this detailed guide on removing or demoting a Domain Controller from Active Directory, it’s evident that careful planning and execution are crucial to maintaining a healthy network infrastructure. Following the outlined steps, administrators seamlessly navigate the demotion process, ensuring minimal disruption to the Active Directory environment. This article confidently enables IT professionals to oversee the transformation of their network architecture.
Try InfraSOS for FREE
Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool
- Free 15-Days Trial
- SaaS AD Reporting & Auditing Solution
