Do you need to demote a domain controller?
Is your domain controller dead and you want to manually remove it?
In this guide, I’ll walk through two options to remove a domain controller. If you still have access to the server then option 1 is the preferred choice.
- Option 1: Demote a Domain Controller Using Server Manager
- Use this option if you still have access to the server.
- Option 2: Manually Remove a Domain Controller
- Use this option if the server is dead or you no longer have access to it.
In both examples, I’ll be using Windows Server 2016 server but these steps will work for Server 2012 and up.
Tip #1 Starting with Server 2008, domain controller metadata is cleaned up automatically. Windows Server 2003 or earlier requires the ntdsutil command to clean up metadata. With that said, you still need to manually remove the server from Sites and Services.
Tip #2 Make sure there are no other services running on the server (like DNS or DHCP) before shutting it down. Moving those services off first can save you a big headache.
Tip #3 If the domain controller you are removing holds FSMO roles, they will be transferred to another DC automatically. You can check which DC holds each role with the netdom query fsmo command.
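The netdom check in Tip #3 can also be done from the ActiveDirectory PowerShell module, which is handy when you want to move roles yourself before the demotion instead of letting the wizard pick a destination. The block below is an added example, not something from the original guide; it assumes RSAT (or a DC) with the ActiveDirectory module, and reuses the server name srv-2016 from this guide.

```powershell
# Added example: list the FSMO role holders and transfer any roles held by the DC being removed.
# Assumes the ActiveDirectory module is available; 'srv-2016' is the DC named in this guide.
Import-Module ActiveDirectory

$dcToRemove = 'srv-2016'

# Forest-wide roles come from Get-ADForest, domain-wide roles from Get-ADDomain
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$roles.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }

# Role holders are reported as FQDNs, so match on the host name prefix as well
$held = @($roles.GetEnumerator() |
    Where-Object { $_.Value -eq $dcToRemove -or $_.Value -like "$dcToRemove.*" } |
    ForEach-Object { $_.Key })

if ($held.Count -gt 0) {
    # Pick any other domain controller in the domain as the new role holder
    $target = Get-ADDomainController -Filter "Name -ne '$dcToRemove'" | Select-Object -First 1
    "Transferring $($held -join ', ') from $dcToRemove to $($target.HostName)"
    Move-ADDirectoryServerOperationMasterRole -Identity $target.HostName -OperationMasterRole $held
} else {
    "$dcToRemove holds no FSMO roles; nothing to transfer"
}
```

Move-ADDirectoryServerOperationMasterRole transfers the role cooperatively, which is what you want while the old holder is still reachable (option 1). If the old holder is already dead (option 2), the same cmdlet with -Force seizes the role instead; only do that once you are sure the old DC will never come back online.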
If you don’t like video tutorials or want more details, then continue reading the instructions below.
Option 1: Demote a Domain Controller Using Server Manager
This is Microsoft’s recommended method for removing a domain controller.
Step 1. Open Server Manager
Step 2. Select “Remove Roles and Features”
Click Next on the “Before you begin” page.
Step 3. On the server selection page, select the server you want to demote and click the next button.
In this example, I’m demoting server “srv-2016”.
Step 4. Uncheck “Active Directory Domain Services” on the Server Roles page.
When you uncheck it, you will get a popup to remove the features that require Active Directory Domain Services.
Step 5. Select “Demote this domain controller”.
On the next screen make sure you DO NOT select “Force the removal of this domain controller”. You should only select this if you are removing the last domain controller in the domain.
You can also change credentials on this screen if needed.
Step 6. The warnings screen will tell you that this server hosts additional roles. If you have client computers using this server for DNS, you will need to point them to a different server, since the DNS role will be removed.
Check the box “Proceed with removal” and click Next.
Step 7. If you have DNS delegation, you can select “Remove DNS delegation” and click Next. In most cases you will not have DNS delegation and can leave this box unchecked.
Step 8. Now put in the new administrator password. This will be for the local administrator account on this server.
Step 9. Review the options and click “Demote”.
#Tip – There is a “view script” button that generates a PowerShell script to automate all the steps we just walked through. If you have additional domain controllers to remove you could use this script.
When you click Demote, the server will be demoted and rebooted. Once it reboots it will be a member server, and you can log in to it with domain credentials.
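The script behind the “View script” button in Step 9 is built on the ADDSDeployment module. The block below is an added example of the same demotion done from PowerShell, not the wizard’s generated output; it assumes you run it on the DC being demoted with Domain Admin rights, and it mirrors the choices made in Steps 5 to 8 above (no forced removal, no DNS delegation to remove, FSMO roles transferred).

```powershell
# Added example: demote a domain controller from PowerShell, matching the wizard choices above.
# Run on the DC being demoted, as a Domain Admin. Not the script generated by the wizard.
Import-Module ADDSDeployment

# Step 8 equivalent: password for the local Administrator account after demotion
$localAdminPwd = Read-Host -AsSecureString -Prompt 'New local Administrator password'

$demote = @{
    LocalAdministratorPassword = $localAdminPwd
    DemoteOperationMasterRole  = $true    # Tip #3: transfer any FSMO roles this DC still holds
    RemoveDnsDelegation        = $false   # Step 7: no DNS delegation to remove in this example
}

# Dry run: the same prerequisite checks the wizard performs, with nothing changed
$precheck = Test-ADDSDomainControllerUninstallation @demote
$precheck | Format-List Status, Message

if ($precheck.Status -eq 'Success') {
    # Step 9: demote. -Force only suppresses the confirmation prompt; it is NOT the
    # "Force the removal of this domain controller" option, which is -ForceRemoval and
    # should be left out unless this is the last DC in the domain.
    # The server reboots on completion unless -NoRebootOnCompletion is given.
    Uninstall-ADDSDomainController @demote -Force
}

# After the reboot, log in with domain credentials and remove the role binaries (Step 4 equivalent):
#   Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart
```

Keeping the parameters in a hashtable means the same set is passed to both the test and the real cmdlet, so the dry run checks exactly what you are about to do. Test-ADDSDomainControllerUninstallation is worth running on its own first: it flags problems such as unreachable replication partners or this server being the last DNS server for a zone before anything is changed.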
Additional Cleanup Steps
For some reason, Microsoft decided not to include Sites and Services in the cleanup process. Maybe it’s left there in case you want to promote the server back to a domain controller. If you are not going to promote the server back to a DC, follow these steps.
- Open Active Directory Sites and Services and remove the server
You can see above the server I just demoted is still listed in sites and services. I’ll just right-click on it and delete it.
That is it for option 1. You can go into the “Domain Controllers” folder and verify the server is removed. It’s also a good idea to run dcdiag after removing a DC to make sure your environment has no major errors.
You may also need to review and test replication. You can use the repadmin command to check for replication issues.
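The dcdiag and repadmin checks just mentioned are easier to read if you let PowerShell filter the output down to the failures. The block below is an added example (not from the original guide) of a post-removal health check that works after either option; it assumes RSAT or a DC with the ActiveDirectory module, and again uses srv-2016 as the removed server.

```powershell
# Added example: health checks after a DC has been removed (either option).
# Assumes the ActiveDirectory module and the repadmin/dcdiag tools; 'srv-2016' is the removed DC.
Import-Module ActiveDirectory
$removedDc = 'srv-2016'

# 1. The removed server should no longer be registered as a domain controller
if (Get-ADDomainController -Filter "Name -eq '$removedDc'") {
    Write-Warning "$removedDc is still registered as a domain controller"
}
Get-ADDomainController -Filter * | Format-Table Name, Site, IsGlobalCatalog, OperationMasterRoles -AutoSize

# 2. dcdiag: /q prints only errors, so no output is good news
dcdiag /q
dcdiag /test:KnowsOfRoleHolders /q      # every DC must agree on who holds the FSMO roles

# 3. Replication: summary first, then per-link failures parsed from repadmin's CSV output
repadmin /replsummary
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$links | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Status' -AutoSize

# 4. A link that still names the removed DC as a partner means a stale connection object survived
$stale = $links | Where-Object { $_.'Source DSA' -eq $removedDc -or $_.'Destination DSA' -eq $removedDc }
if ($stale) { Write-Warning "Replication links still reference $removedDc"; $stale | Format-Table -AutoSize }

# 5. The same failure data through the AD module, forest-wide
Get-ADReplicationFailure -Scope Forest |
    Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime -AutoSize
```

Check 4 is the one most specific to a removal: a healthy environment shows the removed DC nowhere in the repadmin output. If it still appears as a source or destination, the metadata cleanup did not finish and the leftover connection objects need to be dealt with before replication errors go away.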
Option 2: Manually Remove a Domain Controller
Use this option if the server is dead, disconnected, or you just can’t access it. There is really only one step.
Step 1. On another domain controller, or a computer with the RSAT tools, open “Active Directory Users and Computers”.
Go to the Domain Controllers folder. Right-click the domain controller you want to remove and click Delete.
On the next screen, check the box “Delete this Domain Controller anyway” and click Delete.
If the DC is a global catalog server you will get an additional message to confirm the deletion. I’m going to click Yes.
That is pretty much it. Easy, huh?
The last step would be to remove the server from Sites and Services just like I showed you in option 1.
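Both options end with the same manual step: deleting the leftover server object from Sites and Services. The block below is an added example (not part of the original guide) that finds that object from PowerShell and, as a safety check, refuses to delete it while an NTDS Settings child is still underneath it, because that means the DC was never actually removed and you are looking at a live DC rather than an empty shell. It assumes the ActiveDirectory module and uses srv-2016 as the removed server.

```powershell
# Added example: find and remove the leftover server object in Sites and Services (both options).
# Assumes the ActiveDirectory module; 'srv-2016' is the removed DC named in this guide.
Import-Module ActiveDirectory
$removedDc = 'srv-2016'

# Server objects live under CN=Servers,CN=<site>,CN=Sites in the Configuration partition
$sitesDn   = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -SearchBase $sitesDn -LDAPFilter "(&(objectClass=server)(cn=$removedDc))"

if (-not $serverObj) {
    "$removedDc has no server object left in Sites and Services"
    return
}
"Leftover object: $($serverObj.DistinguishedName)"

# An NTDS Settings (nTDSDSA) child means the DC metadata was never cleaned up:
# the directory still considers this a domain controller, so do not delete the shell around it.
$ntds = Get-ADObject -SearchBase $serverObj.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
if ($ntds) {
    Write-Warning "NTDS Settings still present under $removedDc; remove the DC from the Domain Controllers folder first (option 2)."
} else {
    # Only the empty server object is left, which is exactly what the GUI delete removes.
    # -WhatIf shows what would be deleted; drop it once the output is what you expect.
    $serverObj | Remove-ADObject -Recursive -WhatIf
}

# Also confirm the computer account is gone from the Domain Controllers OU
Get-ADComputer -SearchBase (Get-ADDomain).DomainControllersContainer -Filter "Name -eq '$removedDc'"
```

The NTDS Settings test is the difference between cleaning up after a removed DC and accidentally deleting a working one: Sites and Services shows both the same way, but only a real DC has the nTDSDSA object under its server entry.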
As I mentioned at the top of this article, starting with Server 2008 the metadata cleanup is done automatically with both options. Most how-to guides will tell you to open the command prompt and run ntdsutil to clean up the metadata. This is not needed if your server operating system is 2008 or above.
It seems easier to just manually remove the DC than to go through the Server Manager wizard. Technically I’m not sure what the difference is, but Microsoft recommends using the removal wizard if you can. Use the manual method as a last resort.
In this guide, I showed you two methods for removing a domain controller. Microsoft has made this process very easy by automatically cleaning up the metadata starting with Server 2008. As networks and systems are constantly changing, there may come a time when you need to remove a domain controller. I’ve provided some Microsoft links below if you would like to read more about this topic.
- https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/ad-ds-metadata-cleanup – This article mentions how the metadata is automatically cleaned up using the GUI tools.
- My 15+ years of Active Directory experience
- Working with medium and large customer AD environments
- Testing in my Active Directory Lab.