March 16, 2024

How to Remove (Demote) a Domain Controller in Active Directory

In this article, we’ll show how to correctly remove (demote) an Active Directory domain controller on Windows Server 2022/2019/2016/2012R2. Depending on the state of the domain controller, one of the two scenarios below is used.

Contents:
  • Removing an Active Directory Domain Controller and ADDS Role (Step-by-Step)
  • How to Remove a Failed Domain Controller in Active Directory?

Removing an Active Directory Domain Controller and ADDS Role (Step-by-Step)

If you are going to decommission one of your AD domain controllers (common DC or read-only domain controller – RODC), you have to take some preparatory steps before demoting your domain controller to a member server and removing the Active Directory Domain Services (ADDS) role.

  1. Check the state of your domain controller, Active Directory, and replication. There is a separate article on how to check a domain controller’s health and replication in AD using dcdiag, repadmin, and PowerShell scripts. Fix any issues found. To display a list of errors on a specific domain controller, run the following command: dcdiag.exe /s:mun-dc03 /q
  2. Make sure that none of the AD FSMO roles are held by the domain controller: netdom query fsmo. If needed, move the FSMO roles to another DC.
  3. Make sure that the DHCP server role is not running on the domain controller. If it is, migrate it to another server.
  4. Change the DNS settings of the DHCP scopes that assign IP addresses to clients so that they hand out a different DNS server address (wait for the IP lease time to expire so that all clients receive the new DNS server settings). You can display the list of DNS servers set for all scopes (DNS Servers Option 006) on a server using the following PowerShell command: Get-DhcpServerv4Scope -ComputerName mun-dhcp.woshub.com | Get-DhcpServerv4OptionValue | Where-Object {$_.OptionID -eq 6} | FT Value
  5. Some clients may be manually configured to use the DNS server on the DC (network devices, servers, printers, scanners, etc.). You need to find such devices and reconfigure them to use another DNS server. The easiest way to find devices that still query this DNS server is to check its logs. Here is a detailed article: How to Audit Client DNS Queries in Windows Server.
  6. If a Certificate Authority role is running on the domain controller, migrate it to another server.
  7. If other services (such as a KMS server, Radius/NPS, WSUS, etc.) are running on the domain controller, decide whether you want to move them to other hosts.
  8. Use the Test-ADDSDomainControllerUninstallation cmdlet to check whether there are any dependencies or issues you may run into when removing the DC. If the cmdlet returns Success, you may move on. Test-ADDSDomainControllerUninstallation
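The preparatory steps above, collected into one pre-demotion check script. This is an added example, not code from the original article; it assumes the ActiveDirectory, DhcpServer and ADDSDeployment modules are installed, and the DC and DHCP server names are placeholders.

```powershell
# Added example: pre-demotion checklist for a domain controller (not from the article).
# Placeholders: the DC to demote and the DHCP server whose scopes hand out DNS settings.
$DcName     = 'mun-dc03'
$DhcpServer = 'mun-dhcp.woshub.com'
$dc     = Get-ADDomainController -Identity $DcName
$dcFqdn = $dc.HostName
$dcIP   = $dc.IPv4Address

# 1. Health and replication errors for this DC only (/q prints errors only)
dcdiag.exe /s:$DcName /q

# 2. FSMO roles: the DC being demoted must not own any of the five roles
$domain = Get-ADDomain
$forest = Get-ADForest
$fsmo = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$owned = $fsmo.GetEnumerator() | Where-Object { $_.Value -eq $dcFqdn }
if ($owned) { Write-Warning "FSMO roles still on $dcFqdn : $($owned.Key -join ', ') - move them first" }

# 3. Server roles that must be migrated before demotion (DHCP, CA, NPS, WSUS, KMS)
$roles = Get-WindowsFeature -ComputerName $DcName DHCP, ADCS-Cert-Authority, NPAS, UpdateServices, VolumeActivation |
    Where-Object Installed
if ($roles) { Write-Warning "Roles still installed on $DcName : $($roles.Name -join ', ')" }

# 4. DHCP scopes that still hand out this DC's address as DNS server (option 006)
Get-DhcpServerv4Scope -ComputerName $DhcpServer | ForEach-Object {
    $dns = (Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $_.ScopeId -OptionId 6 -ErrorAction SilentlyContinue).Value
    if ($dns -contains $dcIP) { Write-Warning "Scope $($_.ScopeId) still points clients at $dcIP for DNS" }
}

# 5. Built-in dependency check; continue only when Status is Success
Test-ADDSDomainControllerUninstallation | Format-List Status, Message
```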

You are now ready to demote the domain controller to a member server. Before Windows Server 2012, the dcpromo command was used for this. In modern Windows Server editions, this tool is deprecated and its use is not recommended.

You can demote your domain controller using Server Manager. Open Server Manager -> Remove Roles and Features -> uncheck Active Directory Domain Services in the Server Roles section.

Removing Active Directory Domain Services using Server Manager

Click Demote this domain controller.


The Active Directory Domain Services Configuration Wizard appears. The Force the removal of this domain controller option is intended for removing the last domain controller in a domain. Do not use it here; we will delete the DC metadata manually later.

In the next screen, check the Proceed with removal option.

Force the removal of the Active Directory domain controller

Then set the local server administrator password.

Set local admin password on a demoted DC

Then you just need to click Demote.

uninstall domain controller role on windows server

Wait till the domain controller demotion is over. The following message will appear: Successfully demoted the Active Directory Domain Controller.


Restart your Windows Server host. Open the Server Manager again to remove the Active Directory Domain Services role.

When removing the ADDS role, the following components will be removed by default:

  • Active Directory Module for Windows PowerShell
  • AD DS and AD LDS Tools feature
  • Active Directory Administrative Center
  • AD DS Snap-ins and Command-line Tools
  • DNS Server
  • Group Policy Management Console (gpmc.msc)

Run the Active Directory Users and Computers console (dsa.msc) and make sure that the domain controller computer account has been removed from the Domain Controllers OU.

You can also uninstall a domain controller using the Uninstall-ADDSDomainController PowerShell cmdlet. The command will prompt you to set a local administrator password and confirm the DC demotion.

After the restart, remove the ADDS role using PowerShell:

Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools

Then open the Active Directory Sites and Services (dssite.msc) console, find the domain controller site, and its account in the Servers section. Expand the DC, right-click the NTDS Settings, and select Delete.

Delete domain controller account in Active Directory Sites and Services snap-in

Confirm the DC removal by checking the option “Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard.”


Then delete the server account.

Wait till the AD replication is over and check the domain state using dcdiag and repadmin commands (described above).
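The PowerShell path through this procedure (demotion, role removal, then the metadata check that the GUI steps above perform by hand), as an added example that is not code from the original article. It assumes the ADDSDeployment and ActiveDirectory modules, and the DC name is a placeholder.

```powershell
# Added example (not from the article): demote a DC with PowerShell and verify cleanup.

# --- Run on the DC itself: graceful demotion (not a forced removal) ---
$adminPwd = Read-Host -AsSecureString 'New local Administrator password'
Uninstall-ADDSDomainController -LocalAdministratorPassword $adminPwd -Force   # reboots when finished

# --- After the reboot, on the now-member server: remove the role and its tools ---
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools

# --- From any remaining DC: confirm that no metadata of the demoted DC is left ---
$DcName   = 'mun-dc03'                                   # placeholder
$domainDn = (Get-ADDomain).DistinguishedName
$configDn = (Get-ADRootDSE).configurationNamingContext
$checks = @(
    @{ What  = 'Computer account in the Domain Controllers OU'
       Found = Get-ADComputer -Filter "Name -eq '$DcName'" -SearchBase "OU=Domain Controllers,$domainDn" }
    @{ What  = 'Server object under CN=Sites (AD Sites and Services)'
       Found = Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq '$DcName'" -SearchBase "CN=Sites,$configDn" }
    @{ What  = 'NTDS Settings object'
       Found = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase "CN=Sites,$configDn" |
               Where-Object DistinguishedName -like "*CN=$DcName,CN=Servers,*" }
)
foreach ($c in $checks) {
    if ($c.Found) { Write-Warning "$($c.What) still exists: $($c.Found.DistinguishedName) - delete it in dssite.msc" }
    else          { "OK: $($c.What) has been removed" }
}

# Replication summary for the remaining DCs; problems show up in the 'fails' column
repadmin /replsummary
```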

How to Remove a Failed Domain Controller in Active Directory?

If your domain controller has failed (the physical server is gone, or the virtual DC’s files on storage are lost) and you are not going to restore the DC from a domain controller backup created earlier, you can force delete it.

Important. A domain controller removed in this way should never be brought online.

In Windows Server 2008 R2 or earlier, the ntdsutil tool was used to remove a failed domain controller and clear its metadata from AD. In the current Windows Server 2022/2019/2016/2012 versions, you can delete the failed DC and clear its metadata correctly using the graphical AD management MMC snap-ins.

Open the ADUC console (dsa.msc) and navigate to the Domain Controllers OU. Find your DC account and delete it.

delete domain controller computer account manually

A window to confirm deleting the domain controller appears. Check Delete this Domain Controller anyway. Click Delete.

confirm domain controller account removal

Active Directory will automatically clear the metadata of the removed DC from the ntds.dit database.

Then delete the domain controller in the AD Sites and Services console as shown above.

The last step is to remove the domain controller records from the DNS. Open the DNS Manager (dnsmgmt.msc).

Remove the server from the Name Servers list in the zone settings.

Removing domain controller records in DNS

Remove static Name Servers (NS) records related to the deleted DC in your DNS zone and _msdcs, _sites, _tcp, _udp sections, as well as PTR records in the reverse lookup zone.

Delete Name Server (NS) records of a domain controller

Or use PowerShell to find and remove records in DNS.
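One way to do that DNS cleanup from PowerShell, as an added example that is not code from the original article. It scans every primary zone on a DNS server (including _msdcs, _sites, _tcp, _udp and the reverse lookup zone) for A, NS, SRV, CNAME and PTR records that still reference the failed DC, reports them, and deletes them only when -Delete is passed. It assumes the DnsServer module; the DC name and address are placeholders.

```powershell
# Added example (not from the article): report, and optionally delete, DNS records left
# behind by a failed domain controller. Dry run unless -Delete is specified.
function Find-OrphanedDcDnsRecord {
    param(
        [Parameter(Mandatory)][string]$DcFqdn,      # failed DC, e.g. mun-dc03.woshub.com (placeholder)
        [Parameter(Mandatory)][string]$DcIPv4,      # failed DC's IPv4 address (placeholder)
        [string]$DnsServer = $env:COMPUTERNAME,     # DNS server to query
        [switch]$Delete
    )
    $fqdn = $DcFqdn.TrimEnd('.') + '.'              # RecordData names carry a trailing dot
    $zones = Get-DnsServerZone -ComputerName $DnsServer |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }
    foreach ($zone in $zones) {
        $hits = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
            Where-Object {
                $d = $_.RecordData
                switch ($_.RecordType) {
                    'A'     { "$($d.IPv4Address)" -eq $DcIPv4 }   # host record of the DC
                    'NS'    { $d.NameServer -eq $fqdn }           # zone name-server record
                    'SRV'   { $d.DomainName -eq $fqdn }           # _ldap/_kerberos/_gc in _msdcs, _sites, _tcp, _udp
                    'CNAME' { $d.HostNameAlias -eq $fqdn }        # <DSA GUID>._msdcs alias
                    'PTR'   { $d.PtrDomainName -eq $fqdn }        # reverse lookup zone
                    default { $false }
                }
            }
        foreach ($r in $hits) {
            # Emit a row for review; with -Delete the record is removed right after it is listed
            [pscustomobject]@{ Zone = $zone.ZoneName; Name = $r.HostName; Type = $r.RecordType }
            if ($Delete) {
                $r | Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName -Force
            }
        }
    }
}

# Report only; re-run with -Delete after reviewing the output.
Find-OrphanedDcDnsRecord -DcFqdn 'mun-dc03.woshub.com' -DcIPv4 '192.0.2.13'
```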

This step-by-step guide has shown how to uninstall a domain controller or delete a failed DC from Active Directory.

3 comments

Mayank Agarwal January 12, 2023 - 6:50 am

Nice article, use the below powershell script to find and remove dns records associated with the orphaned DC

# Prompt for the orphaned DC's hostname and IP address
$Hostnames = Read-Host "Please provide Hostname"
$IPAddress = Read-Host "Please provide Ip Address"
# All primary zones hosted on this DNS server
$Zones = Get-DnsServerZone | ?{$_.ZoneType -eq "Primary"} | Select -ExpandProperty ZoneName
# Resolve to the FQDN and add the trailing dot used in NS/SRV record data
$Hostname = Resolve-DnsName $Hostnames | Select -ExpandProperty Name
$Hostname = $Hostname + "."
foreach($Zone in $Zones)
{
    # Remove A records with the DC's IP, and NS/SRV records that point at the DC's FQDN
    Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object {$_.RecordData.IPv4Address -eq $IPAddress -or $_.RecordData.NameServer -like $Hostname -or $_.RecordData.DomainName -like $Hostname} | Remove-DnsServerResourceRecord -ZoneName $Zone -Force
}

Reply
Mike T. December 27, 2023 - 8:45 pm

If you have a lot of static-IP devices out there pointing at the failed DC IP address for DNS, can you simply assign its address as a second IP address on another DC and then restart DNS on that DC so that it responds to DNS queries on both IPs? After that you’d still have to do the forced removal from AD for the failed DC, right?

Reply
admin January 16, 2024 - 6:31 am

This can be difficult to configure from an IP routing point of view.

Reply
