How to Demote a Domain Controller (Step-by-Step Guide)

Is your domain controller broken and do you want to remove it manually? No problem. In this guide, I will go through two options to remove a domain controller. If you still have access to the server, option 1 is preferred.

Option 1:

Demote a domain controller using Server Manager.
Use this option if you still have access to the server.

Option 2:

Manually delete a domain controller.
Use this option if the server is broken or you no longer have access to it.

In both examples I am using Windows Server 2016, but these steps also work for Server 2012 and later.

Tip 1

Starting with Server 2008, domain controller metadata is automatically cleaned.
For Windows Server 2003 or earlier, the “ntdsutil” command must be used to clean metadata. That said, you still have to manually delete the server from sites and services.

Tip 2

Make sure there are no other services running on the server (such as DNS or DHCP) before shutting down the server. Moving those services off the server first will save you a major headache.

Tip 3

If the domain controller you are removing has FSMO roles configured, they will be automatically transferred to another DC. You can check this with the command “netdom query fsmo”.
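Tips 2 and 3 can be checked from PowerShell before you start the wizard. The script below is an added example, not part of the original guide or of Microsoft's tooling: it lists other roles still installed on the DC and shows which server holds each FSMO role (the PowerShell equivalent of “netdom query fsmo”). It assumes the ActiveDirectory RSAT module is installed, and “srv-2016” and “srv-dc02” are placeholder server names.

```powershell
# Added example (not from the original guide): pre-demotion checks for the DC you
# intend to remove. Requires the ActiveDirectory module (RSAT) and rights to
# query the remote server. 'srv-2016' is a placeholder taken from the guide.
Import-Module ActiveDirectory

$dcToDemote = 'srv-2016'   # placeholder; replace with the DC you are demoting

# Tip 2: other roles still installed on that server (DNS, DHCP, file server)
$otherRoles = Invoke-Command -ComputerName $dcToDemote -ScriptBlock {
    Get-WindowsFeature -Name DNS, DHCP, FS-FileServer | Where-Object { $_.Installed }
}
if ($otherRoles) {
    Write-Warning "$dcToDemote still hosts: $($otherRoles.Name -join ', '). Move these first."
}

# Tip 3: which DC holds each FSMO role (same information as 'netdom query fsmo')
$domain = Get-ADDomain
$forest = Get-ADForest
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Roles held by the DC we are about to demote. The wizard moves these for you,
# but transferring them yourself lets you choose which DC receives them.
$dcFqdn = (Get-ADDomainController -Identity $dcToDemote).HostName
$held = $fsmo.GetEnumerator() |
    Where-Object { $_.Value -ieq $dcFqdn } |
    Select-Object -ExpandProperty Key
if ($held) {
    Write-Warning "$dcFqdn holds: $($held -join ', ')"
    # Transfer to a DC of your choice ('srv-dc02' is a placeholder); uncomment to run:
    # Move-ADDirectoryServerOperationMasterRole -Identity 'srv-dc02' -OperationMasterRole $held
}
```

The FSMO values are the fully qualified host names of the role holders, which is why the comparison uses the HostName of the DC rather than its short name.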

Option 1:

How to Demote a Domain Controller Using Server Manager
This is Microsoft's recommended method for removing a domain controller.

Step 1

Open Server Manager

Step 2

Select “Remove Roles and Features”
Click Next on the “Before You Begin” page

Step 3

On the server selection page, select the server you want to demote and click the next button.
In this example, I am demoting server “srv-2016”.

Step 4

Uncheck “Active Directory Domain Services” on the Server Roles page.

When you uncheck the box, you will get a popup to remove features that require Active Directory Domain Services.

Step 5

Select “Demote this domain controller”.

Make sure you do NOT select “Force the removal of this domain controller” on the next screen. You should only select this if you are removing the last domain controller in the domain.
You can also change login information on this screen if necessary.

Click next

Step 6

On the warning screen you will be warned that this server has additional roles. If you have client computers that use this server for DNS, you will need to update them to point to a different server as the DNS role will be removed.

Check the box “Continue uninstalling” and click next

Step 7

If you have DNS delegation, you can select “Remove DNS delegation” and click next. In most cases you will not have DNS delegation and you can uncheck this box.

Step 8

Now enter the new administrator password. This is for the local administrator account on this server.

Step 9

Review the options and click “Demote”

Tip

There is a “view script” button that generates a PowerShell script to automate all the steps we just went through. If you want to remove additional domain controllers, you can use this script.

When you click demote, the server will be demoted and restarted. Once restarted, the server will be a member server. You can log in with domain credentials to the server.
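The choices made in steps 4 to 9 map directly onto the ADDSDeployment cmdlets. The script below is an added example and is not the script the “view script” button generates; it runs on the DC being demoted, performs the wizard's pre-checks first, and then demotes with the same options as above (no forced removal, no DNS delegation removal, a new local Administrator password). It assumes the ADDSDeployment module, which is installed together with the AD DS role.

```powershell
# Added example (not the wizard's generated script): PowerShell equivalent of
# steps 4-9, run ON the domain controller being demoted with domain admin rights.
Import-Module ADDSDeployment

# Step 8: new password for the server's local Administrator account
$localAdminPwd = Read-Host -Prompt 'New local Administrator password' -AsSecureString

# Dry run: the same pre-checks the wizard performs, without demoting anything.
# If it reports this server is the last DNS server for a zone, fix DNS first
# (step 6) instead of ignoring the check.
$check = Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdminPwd
$check | Format-List Status, Message, Context

if ($check.Status -eq 'Success') {
    # Step 5: -ForceRemoval is deliberately NOT used (only for the last DC in a domain).
    # -DemoteOperationMasterRole lets the demotion continue when this DC holds FSMO roles.
    # Step 7: -RemoveDnsDelegation:$false matches unchecking "Remove DNS delegation".
    Uninstall-ADDSDomainController `
        -LocalAdministratorPassword $localAdminPwd `
        -DemoteOperationMasterRole:$true `
        -RemoveDnsDelegation:$false `
        -Force
}

# Step 4, after the reboot: remove the role binaries the wizard unchecked
# Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
```

Running the Test- cmdlet first is the useful part for repeated demotions: it surfaces the DNS and FSMO warnings the wizard would show, without changing anything.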

Additional cleanup steps

For some reason, Microsoft decided not to include sites and services in the cleaning process. Maybe it's left there in case you want to promote the server back to a domain controller. If you are not going to promote the server back to a DC, follow these steps.

1. Open Active Directory Sites and Services and delete the server

You can see above that the server I just demoted is still listed in Sites and Services. I'll just right-click on it and delete it.

That's it for option 1. You can go to the “Domain Controllers” folder and check if the server has been deleted. It is also a good idea to run the "dcdiag" command after removing a DC to ensure that your environment does not contain any major errors.

You may also need to monitor and test the replication. You can use the command “repadmin” to test for replication issues.

Option 2: Manually remove a domain controller

Use this option if the server is broken, disconnected, or you simply cannot access it. There is actually only 1 step.

Step 1

On another domain controller or computer with RSAT tools, open “Active Directory Users and Computers”.
Go to the Domain Controllers folder. Right-click the domain controller you want to remove and click Delete.

In the next screen, select the box “Delete this domain controller anyway” and click Delete.

If the DC is a global catalog server, you will receive an additional message to confirm the deletion. Click Yes.

The last step would be to delete the Sites and Services server, just like I showed you in option 1.

As I mentioned at the top of this article, starting with Server 2008, metadata cleaning is done automatically with both options. Most manuals will tell you to open the command prompt and run the command "ntdsutil" to clean up the metadata. This is not necessary if your server operating system is 2008 or later.
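The cleanup and checks that close both options (deleting the leftover server object in Sites and Services, confirming the metadata is really gone, then running dcdiag and repadmin) can be done from one script on a remaining DC or an RSAT workstation. This is an added example, not part of the original guide; it assumes the ActiveDirectory module, and “srv-2016” is the placeholder name from the guide.

```powershell
# Added example (not from the original guide): post-removal cleanup and
# verification for both option 1 and option 2. Run on a remaining DC or on a
# workstation with RSAT. 'srv-2016' is a placeholder; replace with the removed DC.
Import-Module ActiveDirectory

$removedDc = 'srv-2016'
$configNc  = (Get-ADRootDSE).configurationNamingContext

# 1. The server object left behind in Sites and Services
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$removedDc))"

if ($serverObj) {
    # A surviving NTDS Settings child (class nTDSDSA) means the metadata was NOT
    # cleaned (expected only on 2003-era domains, see Tip 1). A bare server
    # object with no children is the normal leftover the guide describes.
    $ntds = Get-ADObject -SearchBase $serverObj.DistinguishedName `
        -LDAPFilter '(objectClass=nTDSDSA)' -SearchScope OneLevel
    if ($ntds) {
        Write-Warning "NTDS Settings still exists under $($serverObj.DistinguishedName); run metadata cleanup before deleting."
    } else {
        # Same effect as right-click > Delete on the server in Sites and Services
        Remove-ADObject -Identity $serverObj.DistinguishedName -Recursive -Confirm:$true
    }
}

# 2. The server must no longer be listed as a DC or sit in the Domain Controllers OU
$stillDc   = Get-ADDomainController -Filter { Name -eq $removedDc } -ErrorAction SilentlyContinue
$dcOu      = "OU=Domain Controllers,$((Get-ADDomain).DistinguishedName)"
$stillInOu = Get-ADComputer -Filter { Name -eq $removedDc } -SearchBase $dcOu
'Still listed as DC: {0}; still in Domain Controllers OU: {1}' -f [bool]$stillDc, [bool]$stillInOu

# 3. Health and replication checks named in the guide
dcdiag /q               # quiet mode: prints only errors
repadmin /replsummary   # replication failures and largest delta per DC
```

Deleting the server object is left behind a confirmation prompt on purpose: if the NTDS Settings object is still present, deleting the parent without cleaning the metadata first leaves stale replication partners behind, which is exactly what repadmin will then report.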

It seems easier to remove the DC manually than going through the server management wizard. Technically, I'm not sure what the difference is, but Microsoft recommends using the removal wizard if you can. Use the manual method as the last option.

Conclusion

In this guide, I have shown you two methods for removing a domain controller. Microsoft has made this process very easy by automatically cleaning up the metadata starting in Server 2008. Since networks and systems are constantly changing, there may come a time when you need to remove a domain controller.
