How to Remove (Demote) a Domain Controller

Now that you have a new Domain Controller running in Active Directory, it’s time to demote the old Domain Controller. There are two options to remove a Domain Controller. It depends on whether the Domain Controller is accessible or not. In this article, you will learn how to remove a Domain Controller step-by-step.

Domain Controller removal options

The preferred method to demote a Domain Controller is using Server Manager or PowerShell. Which one you choose is up to you. They are, in the end, the same. But there are times when the Domain Controller can’t boot anymore, and you can’t bring it back up anymore. Then, you must choose the method to remove it manually.

To make it easier, you have the below options:

• Option 1: Domain Controller is accessible – Remove the Domain Controller with Server Manager or PowerShell.
• Option 2: Domain Controller is NOT accessible – Remove the Domain Controller manually.

Let’s look at both options to delete a Domain Controller in Active Directory and its cleanup process.

Remove Domain Controller with Server Manager

To demote a Domain Controller using Server Manager, go through the below steps:

Step 1. Move FSMO roles (optional)

The FSMO roles will automatically move to another Domain Controller when you remove the Domain Controller through the removal wizard. If you would like to move the FSMO roles and not let the uninstall process do it automatically for you, you can do so.

The DC02-20222 in the below command is the target Domain Controller hostname where we will transfer the FSMO roles too.

Move-ADDirectoryServerOperationMasterRole "DC02-2022" -OperationMasterRole 0,1,2,3,4 -Force -Confirm:$false

Step 2. Test Domain Controller uninstallation

An excellent way is to run the Test-ADDSDomainControllerUninstallation cmdlet before you start with the Domain Controller removal. This will check and alert if everything is set or if there are any issues.

Test-ADDSDomainControllerUninstallation

If the above command doesn’t work, run the below command.

Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword (Read-Host -Prompt "password" -AsSecureString)

Fill in the local admin password and confirm it again.

LocalAdministratorPassword: ************
Confirm LocalAdministratorPassword: ************

In our example, the below output shows the status Succes. So, everything looks good, and we can proceed further.

Message                          Context                                  RebootRequired  Status
-------                          -------                                  --------------  ------
Operation completed successfully Test.VerifyDcPromoCore.DCPromo.General.1          False Success

Step 3. Demote Domain Controller

In our example, we will remove Domain Controller DC01-2019.

1. Open Server Manager

2. Click on Manage and select Remove Roles and Features

3. Select Next

4. Select the server from the pool and click Next

5. Clear the checkbox Active Directory Domain Services

6. Click Remove Features

7. Click on Demote this domain controller

8. Supply the admin credentials if needed and click Next

Note: Do NOT select the option Force the removal of this domain controller and leave it unchecked.

9. Check Proceed with removal and click Next

10. Enter a new administrator password for the local administrator account after the Domain Controller is demoted

11. Click on Demote

12. The server will go through the demotion process

12. Once the demote is done, the Windows Server will restart automatically

Step 4. Remove Active Directory Domain Services role

After the restart, you need to remove the ADDS role with the below steps:

1. Open Server Manager
2. Click on Manage and select Remove Roles and Features
3. Select the server from the pool and click Next
4. Clear the checkbox Active Directory Domain Services

2. Click Remove Features

3. Click Next

4. Click Next

5. Check the checkbox Restart the destination server automatically if required.

6. The removal is in progress

7. The Windows Server will restart and proceed further with the removal and finishes. Click Close.

8. Shut down the server.

Step 5. Remove AD computer object

Once the server is shutdown, remove the AD computer object with the below steps:

1. Sign in on another Domain Controller
2. Start Active Directory Users and Computers
3. Click in the menu on the Computers container
4. Right-click the server and click Delete

5. Confirm with Yes

You successfully deleted the AD computer object.

Step 6. Remove server from Active Directory Sites and Services

Remove the server from Active Directory Sites and Services with the below steps:

1. Open Active Directory Sites and Services
2. Expand Sites > Default-First-Site-Name > Servers
3. Right-click the Server and select Delete

4. Confirm with Yes

You successfully deleted the server from Active Directory Domain Services (ADDS).

Step 7. Remove DNS leftovers

There are leftovers in DNS after you remove the Domain Controller. Even if you have Setup DNS Aging and Scavenging in Active Directory. That’s because it will remove the stale dynamic DNS records and not the stale static DNS records.

You can go through every zone in DNS Manager and remove the DNS records associated with the old Domain Controller. But that takes time.

The below script will clean up all stale records in DNS. It will go through DNS and search for the old Domain Controller FQDN, Hostname, and IP address. You only have to change lines 1, 2, and 3.

Suppose you kept the same IP address for the new Domain Controller, and only want to check for the old FQDN and Hostname in DNS, uncomment line 3 in the script.

Note: The script has the -WhatIf parameter, so nothing will happen to the environment when you run the script. Once you identify the stale records, remove the -WhatIf parameter and rerun the script. Read more about the script in the article How to Clean up stale DNS records with PowerShell.

$ServerFQDN = "dc01-2019.exoip.local." #Keep the dot (.) at the end
$ServerHostname = "dc01-2019"
$IPAddress = "192.168.1.51"

$Zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Primary" } |
Select-Object -ExpandProperty ZoneName

foreach ($Zone in $Zones) {
    Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object { 
        $_.RecordData.IPv4Address -eq $IPAddress -or
        $_.RecordData.NameServer -eq $ServerFQDN -or
        $_.RecordData.DomainName -eq $ServerFQDN -or
        $_.RecordData.HostnameAlias -eq $ServerFQDN -or
        $_.RecordData.MailExchange -eq $ServerFQDN -or
        $_.HostName -eq $ServerHostname
    } | Remove-DnsServerResourceRecord -ZoneName $Zone -Force -WhatIf
}

You successfully did demote a Domain Controller from Active Directory and followed the necessary cleanup steps afterward.

Remove Domain Controller manually

When you can’t start a Domain Controller anymore, you must manually remove it.

The above steps are the proper way to remove a Domain Controller from Active Directory when you can access it. There are situations when the Domain Controller server crashes, and you can’t bring it up anymore. This requires manual removal of the Domain Controller from Active Directory.

Note: Do the below steps if you have Windows Server 2008 R2 and higher.

Go through the below steps to force remove a Domain Controller:

Step 1. Move FSMO roles (optional)

The FSMO roles will automatically move to another Domain Controller when you remove the Domain Controller through the removal wizard. If you would like to move the FSMO roles and not let the uninstall process do it automatically, you can do so.

The DC02-20222 in the below command is the target Domain Controller hostname where we will transfer the FSMO roles too.

Move-ADDirectoryServerOperationMasterRole "DC02-2022" -OperationMasterRole 0,1,2,3,4 -Force -Confirm:$false

Step 2. Force delete Domain Controller computer object

Remove the AD computer object with the below steps:

1. Sign in on another Domain Controller
2. Open Active Directory Users and Computers
3. Click in the menu on the Domain Controllers Organizational Unit
4. Right-click the server and click Delete

4. Select Yes to confirm the computer object deletion

5. Check the checkbox Delete this Domain Controller anyway. It’s permanently offline and can no longer be removed using the removal wizard

6. Confirm with Yes

7. Select OK if you get a warning message about the FSMO roles that need to be moved to a new server

You successfully deleted the Domain Controller.

Step 3. Remove server from Active Directory Sites and Services

Remove the server from Active Directory Sites and Services with the below steps:

1. Open Active Directory Sites and Services
2. Expand Sites > Default-First-Site-Name > Servers
3. Right-click the Server and select Delete

4. Confirm with Yes

You successfully deleted the server from Active Directory Domain Services (ADDS).

Step 4. Remove DNS leftovers

There are leftovers in DNS after you remove the Domain Controller. Even if you have Setup DNS Aging and Scavenging in Active Directory. That’s because it will remove the stale dynamic DNS records and not the stale static DNS records.

You can go through every zone in DNS Manager and remove the DNS records associated with the old Domain Controller. But that takes time.

The below script will clean up all stale records in DNS. It will go through DNS and search for the old Domain Controller FQDN, Hostname, and IP address. You only have to change lines 1, 2, and 3.

Suppose you kept the same IP address for the new Domain Controller, and only want to check for the old FQDN and Hostname in DNS, uncomment line 3 in the script.

Note: The script has the -WhatIf parameter, so nothing will happen to the environment when you run the script. Once you identify the stale records, remove the -WhatIf parameter and rerun the script. Read more about the script in the article How to Clean up stale DNS records with PowerShell.

$ServerFQDN = "dc01-2019.exoip.local." #Keep the dot (.) at the end
$ServerHostname = "dc01-2019"
$IPAddress = "192.168.1.51"

$Zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Primary" } |
Select-Object -ExpandProperty ZoneName

foreach ($Zone in $Zones) {
    Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object { 
        $_.RecordData.IPv4Address -eq $IPAddress -or
        $_.RecordData.NameServer -eq $ServerFQDN -or
        $_.RecordData.DomainName -eq $ServerFQDN -or
        $_.RecordData.HostnameAlias -eq $ServerFQDN -or
        $_.RecordData.MailExchange -eq $ServerFQDN -or
        $_.HostName -eq $ServerHostname
    } | Remove-DnsServerResourceRecord -ZoneName $Zone -Force -WhatIf
}

You successfully did force remove a Domain Controller from Active Directory manually and followed the necessary cleanup steps afterward.

Verify Domain Controller health

Now that the old Domain Controller is removed, it’s good to check the new Domain Controller health.

Go through the article Active Directory health check with PowerShell script and create a report. The HTML report will show the status of all the Domain Controllers in Active Directory.

That’s it!

Read more: Rename administrator account with Group Policy »

Conclusion

You learned how to demote a Domain Controller from Active Directory. It’s important that you remove the Domain Controller from the domain using the Remove Roles and Features Wizard in Server Manager. If the Domain Controller is inaccessible, delete it from Active Directory Users and Computers.

Did you enjoy this article? You may also like Change TTL for DNS record in Windows Server. Don’t forget to follow us and share this article.