How to Demote a Domain Controller (Step-by-Step Guide)
Demoting Domain Controller using Server Manager
This article explains how to remove AD DS using Server Manager. Demoting a domain controller refers to removing its role as a domain controller in an Active Directory domain. Once demoted, the server can no longer authenticate users or replicate directory information with other domain controllers.
Prerequisite steps before proceeding with DC demotion:
Prepare for demotion: Before demoting a domain controller, ensure that it does not hold any FSMO roles. If it does, transfer these roles to another domain controller. Additionally, verify that the domain controller is functioning properly and has replicated with the other domain controllers in the domain.
Replication Health Check: Make sure that replication between the old and new domain controllers is running without errors. Any error or issue must be fixed before proceeding with the DC demotion.
Application Dependency: Make sure that no application depends on the DC that is about to be demoted. If there is a dependency, identify the application that is still using this DC and coordinate with the application owner to redirect it to a new DC, or to use the domain name instead of the DC FQDN in its configuration. See the Netlogon debug logging article for more information.
Verify DNS configuration: Before making any changes, verify the current DNS configuration on the remaining domain controllers and client computers. Ensure that they are using the correct DNS server addresses for the domain.
Update DNS server addresses: If the demoted domain controller was hosting DNS, update the DNS server addresses on the remaining domain controllers and client computers so that the demoted domain controller is removed from their list of DNS servers. This can be done by modifying the TCP/IP settings on each computer or by using Group Policy to distribute the DNS server settings.
Create a Backup: Before making any changes or demoting the server, take a full backup of the existing domain controller. If something goes wrong, the server can be restored to its original role as a domain controller.
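The FSMO, replication and DNS checks from the steps above, combined into one pre-demotion script. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module is installed and uses "DC10" as a placeholder for the DC being demoted.

```powershell
# Added example: pre-demotion checks for the DC about to be demoted.
# Assumes RSAT ActiveDirectory module; "DC10" is a placeholder name.
Import-Module ActiveDirectory

$DcToDemote = 'DC10'
$Domain     = Get-ADDomain
$Forest     = Get-ADForest

# 1. FSMO roles: the DC being demoted must not hold any of the five roles.
$fsmoHolders = @(
    $Domain.PDCEmulator, $Domain.RIDMaster, $Domain.InfrastructureMaster,
    $Forest.SchemaMaster, $Forest.DomainNamingMaster
) | ForEach-Object { ($_ -split '\.')[0] }          # FQDN -> host name
$heldRoles = @($fsmoHolders | Where-Object { $_ -ieq $DcToDemote })
if ($heldRoles.Count -gt 0) {
    Write-Warning "$DcToDemote still holds $($heldRoles.Count) FSMO role(s); transfer them first."
} else {
    Write-Host "FSMO check: $DcToDemote holds no operations master roles."
}

# 2. Replication health: any failure involving this DC must be fixed before demotion.
$failures = Get-ADReplicationFailure -Target $DcToDemote -ErrorAction SilentlyContinue
if ($failures) {
    $failures | Format-Table Partner, FailureType, FailureCount, LastError -AutoSize
    Write-Warning 'Replication failures found; resolve them before proceeding.'
} else {
    Write-Host "Replication check: no failures reported by $DcToDemote."
}
# Classic alternatives for the same check:
#   repadmin /showrepl $DcToDemote
#   repadmin /replsummary

# 3. Other DCs still pointing at this DC for DNS (extend the loop to clients as needed).
$dcIp = (Resolve-DnsName -Name "$DcToDemote.$($Domain.DNSRoot)" -Type A).IPAddress
foreach ($dc in (Get-ADDomainController -Filter * | Where-Object Name -ne $DcToDemote)) {
    $dnsServers = Get-DnsClientServerAddress -CimSession $dc.HostName -AddressFamily IPv4 |
                  Select-Object -ExpandProperty ServerAddresses
    if ($dnsServers -contains $dcIp) {
        Write-Warning "$($dc.Name) still lists $DcToDemote ($dcIp) as a DNS server."
    }
}
```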
Demote a Domain Controller Using Server Manager
Microsoft recommends this method for removing a domain controller.
- Open Server Manager
- Click on Manage > Remove Roles and Features
- Select the old domain controller.
- On the Server Selection page, make sure you select the server you are demoting. I am demoting server “DC10.”
- Uncheck “Active Directory Domain Services” on the Server Roles page.
- It’s common to receive an error stating that validation failed: the domain controller must be demoted before the role can be removed. Click the option offered in that dialog to demote this domain controller.
- Make sure you DO NOT select “Force the removal of this domain controller” on the next screen. Only select this option if you are removing the domain’s last domain controller.
- The following screen allows us to change the credentials; frequently you will carry out these actions in your role as domain administrator and the credentials won’t need to be changed.
- Click Next
- Check the box “Proceed with removal” and click Next.
- If you have a DNS delegation, select “Remove DNS delegation” and click “Next”. If you don’t have a DNS delegation, which is most of the time, simply click “Next”.
- Provide the Administrator credentials; these are for the local administrator account on this server.
- Review options and click “Demote”
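The same demotion driven from PowerShell instead of the wizard, including the pre-check that Server Manager runs before “Demote”. This is an added example, not from the original article; it assumes the ADDSDeployment module (installed with the AD DS role) and is run on the DC being demoted.

```powershell
# Added example: PowerShell equivalent of the Server Manager demotion wizard,
# run on the DC being demoted. Requires the ADDSDeployment module.
Import-Module ADDSDeployment

# New password for the local Administrator account the server will have once it
# is a member server (the wizard's "Administrator credentials" page).
$localAdminPassword = Read-Host -AsSecureString -Prompt 'New local Administrator password'

# Dry run first: the same validation the wizard performs before "Demote".
# -ForceRemoval is deliberately NOT used; it corresponds to "Force the removal of
# this domain controller" and is only appropriate for the last DC in the domain.
# -DemoteOperationMasterRole is left off so the check fails if FSMO roles remain.
$check = Test-ADDSDomainControllerUninstallation `
    -LocalAdministratorPassword $localAdminPassword `
    -RemoveDnsDelegation:$false `
    -DemoteOperationMasterRole:$false

if ($check.Status -ne 'Success') {
    $check.Message | ForEach-Object { Write-Warning $_ }
    throw 'Pre-check failed; do not demote until the warnings above are resolved.'
}

# Actual demotion. -Force only suppresses the confirmation prompt; it does not
# force-remove. The server reboots on completion unless -NoRebootOnCompletion is given.
# Add -Credential (Get-Credential) if you are not already running as a domain admin,
# which is the wizard's "change credentials" page.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword $localAdminPassword `
    -RemoveDnsDelegation:$false `
    -DemoteOperationMasterRole:$false `
    -Force
```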
Further Cleanup Procedures
Sites and Services was left out of the cleanup procedure by Microsoft, for whatever reason. If you decide to promote the server back to a domain controller, the server object may still be there. Proceed with the following action only if you do not intend to promote the server back to a DC.
- Open Active Directory Sites and Services and remove the server.
You can see above the server I just demoted is still listed in sites and services. I’ll just right-click on it and delete it.
Manually Remove a Domain Controller
Alternatively, a domain controller can be removed manually. This step should only be used if you are no longer able to access the server.
- Open Active Directory Users and Computers (dsa.msc) on a functioning domain controller
- Open the Domain Controllers OU
- Delete the old domain controller.
- Click Yes
- Select Delete this Domain Controller anyway.
- Click on Delete
- Confirm it one last time by clicking on Yes.
If the DC is a global catalog server, you will get an additional message to confirm the deletion. I am going to click Yes.
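The two cleanup procedures above (the leftover Sites and Services object, and manual removal of a DC that can no longer be reached) as one PowerShell script, followed by a verification that the old DC is gone from AD and DNS. This is an added example, not part of the original article; it assumes the RSAT ActiveDirectory module, and "DC10" and "Default-First-Site-Name" are placeholders.

```powershell
# Added example: post-demotion cleanup and verification.
# Part A = the Sites and Services object the article deletes by hand.
# Part B = command-line form of "Manually Remove a Domain Controller" for an unreachable DC.
# "DC10" and the site name are placeholders; requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$OldDc    = 'DC10'
$configNC = (Get-ADRootDSE).configurationNamingContext

# Part A: find the server object left behind under CN=Sites (searches every site).
$leftover = Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
if ($leftover) {
    # An NTDS Settings child means the DC is still registered; a plain delete
    # would be the wrong fix, metadata cleanup (Part B) is needed instead.
    $ntds = Get-ADObject -SearchBase $leftover.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) {
        Write-Warning "$OldDc still has an NTDS Settings object; use metadata cleanup, not a plain delete."
    } else {
        Remove-ADObject -Identity $leftover.DistinguishedName -Recursive -Confirm:$false
        Write-Host "Removed stale server object $($leftover.DistinguishedName)"
    }
}

# Part B: metadata cleanup for a DC that is genuinely gone. ntdsutil removes the
# NTDS Settings object, the computer account and replication references in one go.
# Left commented out so this script never removes a live DC by accident.
$serverDn = "CN=$OldDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configNC"   # placeholder site
# ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# Verification: the old DC must appear neither as a DC object nor in the _msdcs SRV records.
$stillListed = Get-ADDomainController -Filter "Name -eq '$OldDc'" -ErrorAction SilentlyContinue
$domainDns   = (Get-ADDomain).DNSRoot
$srvRecords  = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domainDns" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.NameTarget -like "$OldDc.*" }
if (-not $stillListed -and -not $srvRecords) {
    Write-Host "$OldDc is no longer registered as a domain controller or in the _msdcs SRV records."
} else {
    Write-Warning "$OldDc still appears in AD or DNS; finish cleanup before reusing the name."
}
```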
So, that’s all in this blog. I will meet you soon with next stuff. Have a nice day!!!
Guys, please don’t forget to like and share the post. Also join our WindowsTechno Community, where you can post your queries/doubts and our experts will address them.
You can also share feedback at the Windows Techno email id below.
If you have any questions, feel free to contact us at admin@windowstechno.com. Also follow us on facebook@windowstechno to get updates about new blog posts.