In today’s article, you’ll see how to demote a Windows Server 2016 Domain Controller from a company’s Active Directory infrastructure.
In the following scenario, we assume that the Domain Controller is online, functional and communicates with at least one other DC of the infrastructure. We will also see how the demotion process takes place, both using the Server Manager GUI and PowerShell. Otherwise, if DC is not working then you will need to proceed with a forced removal from Active Directory.
Before you begin the demote process, you will need to determine if the DC holds one of the FSMO roles. If it does, then you will need to transfer the FSMO roles to another DC.
Before you start demoting the Domain Controller
Although not necessary, we will first use the Test-ADDSDomainControllerUninstallation cmdlet to test any dependencies or potential problems that will occur when removing the Domain Controller from Active Directory. Think of it as a simulation without any change being made yet.
The basic syntax of the command for a typical simulation is as follows. It’s good to have a look at the other parameters to try this one that suits your case.
Test-ADDSDomainControllerUninstallation |
You will be asked to enter the local administrator password and after a few seconds, the corresponding success or failure message will be displayed. In the event of a failure, you will have to correct the error, such as transferring the FSMO roles and then proceed to the DC demotion.
Demote Domain Controller using Server Manager
Open Server Manager, click Manage and then Remove Roles and Features.
In the Before You Begin section, click Next to continue.
In the Server Selection section, select DC and click Next to continue.
Under Server Roles, uncheck the Active Directory Domain Services role.
In the new window, click the Remove Features button.
Immediately afterward, a new window will appear informing you that you can not simply remove the role and that you will need to demote DC first. Click Demote this domain controller to start the wizard.
In the Credentials section, select a user account (for example, Domain or Enterprise Administrator) that has the right to remove DC, and click Next to continue. If the DC does not communicate with at least one other DC, then only enable the Force the removal of this domain controller option. Also, Force will leave orphaned metadata in Active Directory and you will need to clean them up immediately to avoid problems in the future.
In the Warnings subsection, which appears only if you have DNS and Global Catalog server roles installed, select Proceed with removal and click Next to continue.
In the New Administrator Password section, enter the new administrator account password and click Next to continue.
In the Review Options section, click the Demote button to continue.
Then, the demote process of DC will start and your server will automatically restart.
After rebooting, your old DC now appears to be part of the domain as a member server rather than DC. If you plan to re-promote it to DC in a short period of time then you do not have to do anything else for the time being.
Otherwise, you will need to uninstall the Active Directory Domain Services role as you tried before. Reopen the wizard from Remove Roles and Features.
Under Server Roles, uncheck the Active Directory Domain Services role and click Next to continue. As you will see, a message no longer appears as your server is no longer DC.
Demote Domain Controller using PowerShell
When you promoted a server to a Domain Controller, you first installed Active Directory Domain Services and then promoted it to Domain Controller. Correspondingly, but in the opposite direction, we will do in case we want to remove a Domain Controller from the Active Directory domain. That is, first we will demote it and then we will uninstall the role.
First, open PowerShell with Administrator privileges. Then type the following command and press Enter. You will be prompted to type in the local administrator’s account twice, and then confirm your action by pressing Y or A, depending on your preferences.
Uninstall-ADDSDomainController |
Immediately afterward, the demotion of the Domain Controller will proceed and the server will be restarted automatically.
Once you log in again by opening Server Manager, you will notice that there is the corresponding notification for you to promote the server to a Domain Controller. Obviously, once the Active Directory Domain Services role is still in place.
To uninstall it, use the following command in PowerShell.
Uninstall-WindowsFeature AD-Domain-Services |
That’s it! After restarting, your server is no longer a Domain Controller, but just an Active Directory domain member server.
Just came across your article here. Never seen the TEST-ADDSDomainControllerUninstall command before. I have a question about the password used for this. Do I enter the Domain Admin PW? Do I enter the Directory Restore Mode PW? Do I enter the PW of the local domain acct I used before this became a DC? Or can I enter ANY PW I like? And if I enter any PW I like, does that actually set this PW to any account in ADDS or local admin on the DC I am testing for demotion? Thx for any help.
Perfect article!!
thank you
When I use Uninstall-WindowsFeature AD-Domain-Services, I’m getting an error:
“Uninstall-WindowsFeature : A prerequisite check for the AD-Domain-Services feature failed.”
Here on Windows Server. version 1709