Correctly deleting a domain controller in Active Directory.

In this article, we'll walk through the procedures for gracefully removing an Active Directory domain controller on Windows Server 2022/2019/2016/2012R2. Removing a domain controller usually falls into one of the following two scenarios.

Demote a domain controller to remove the Active Directory Domain Services role.

If you are performing a scheduled decommissioning of one of your existing AD domain controllers (regular DC or RODC), then before you demote the domain controller to a regular Windows Server and remove the ADDS role, you need to complete a number of preparatory steps.

  • Check the status of your domain controller, Active Directory, and replication. The site has a separate article describing the commands for diagnosing the health of a domain controller and replication in AD using dcdiag , repadmin and PowerShell scripts. Fix any issues you find. To display a list of errors on a specific domain controller, run the command:
dcdiag.exe /s:dc01 /q
  • Make sure that the AD role FSMOs are not running on the domain controller:
netdom query fsmo


If necessary, move the FSMO roles to another DC;

  • Make sure the DC is not running the DHCP server role. If running, migrate it to another server;
  • Change the DNS settings in the DHCP scopes that hand out IP addresses to clients. Reconfigure DHCP clients to a different DNS server (wait for the IP lease time to expire so that all clients receive the new DNS settings). You can list the DNS servers set for all scopes (DNS Servers Option 006) on a specific server with the following PowerShell command (more on managing DHCP in Windows Server with PowerShell ):

Get-DhcpServerv4Scope -ComputerName msk-dhcp01.winitpro.ru | Get-DhcpServerv4OptionValue | Where-Object {$_.OptionID -eq 6} | FT Value

  • Some clients can be manually configured to use the DNS server on the DC (network devices, servers, printers, scanners, etc.). You need to find such devices and reconfigure them to another DNS server. The easiest way to detect devices accessing the DNS server is by its logs. Here is a detailed article: Auditing DNS queries of clients in Windows Server by DNS logs;
  • If a certificate authority (Certificate Authority role) is running on a domain controller, you need to migrate it to another server;
  • If other services are running on the domain controller (for example, KMS server, RADIUS/NPS, WSUS, etc.), decide whether to move them to other servers;
  • Use the cmdlet Test-ADDSDomainControllerUninstallation to check for any remaining dependencies and issues you might encounter while removing the DC. If the cmdlet returns the status Success, you can continue.
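The preparatory steps above can be run as one script on the DC you are about to demote. The following is an added example and is not part of the original article: it runs dcdiag, checks that none of the five FSMO roles are held by this server, looks for the roles the article says must be migrated first (DHCP, CA, NPS, WSUS, KMS), and finishes with Test-ADDSDomainControllerUninstallation. It assumes the ActiveDirectory and ServerManager modules (present on any DC) and an elevated PowerShell session; the Windows feature names used are the real ones for those roles.

```powershell
# Added example (not from the original article): pre-demotion checklist.
# Run locally on the DC you plan to demote, in an elevated PowerShell session.
Import-Module ActiveDirectory
Import-Module ServerManager

$dc     = $env:COMPUTERNAME
$issues = @()

# 1. Health of this DC and its replication (dcdiag /q prints only errors).
$dcdiagErrors = & dcdiag.exe "/s:$dc" /q 2>&1
if ($dcdiagErrors) {
    $issues += "dcdiag reported errors:`n$($dcdiagErrors -join "`n")"
}

# 2. FSMO roles: none of the five may still be held by this DC.
$domain = Get-ADDomain
$forest = Get-ADForest
$fsmo = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    # Role holders are returned as FQDNs; compare on the host name only.
    if (($fsmo[$role] -split '\.')[0] -ieq $dc) {
        $issues += "FSMO role $role is still held by $dc - move it to another DC first"
    }
}

# 3. Roles that must be migrated before demotion: DHCP, Certificate Authority,
#    NPS/RADIUS, WSUS and KMS (Volume Activation Services).
$rolesToCheck = 'DHCP', 'ADCS-Cert-Authority', 'NPAS', 'UpdateServices', 'VolumeActivation'
foreach ($feature in Get-WindowsFeature -Name $rolesToCheck | Where-Object Installed) {
    $issues += "Role $($feature.Name) ($($feature.DisplayName)) is still installed on $dc"
}

# 4. The built-in pre-flight check. It needs the password that the local
#    Administrator account will receive after demotion.
$pwd  = Read-Host -Prompt 'New local Administrator password' -AsSecureString
$test = Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $pwd
if ($test.Status -ne 'Success') {
    $issues += "Test-ADDSDomainControllerUninstallation: $($test.Status) - $($test.Message)"
}

if ($issues) {
    Write-Warning "Do not demote $dc yet. Fix the following first:"
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All checks passed; $dc can be demoted." -ForegroundColor Green
}
```

The DNS-client side of the checklist (DHCP scope options and manually configured devices) is deliberately not automated here, because it depends on which DHCP server and which DNS log you have; the script only flags whether DHCP itself is still installed on the DC.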

You are now ready to demote the domain controller to a member server. Prior to Windows Server 2012, the dcpromo command was used for this. In modern versions of Windows Server, this tool is deprecated and is not recommended.

You can demote a domain controller using Server Manager. Run Server Manager -> Remove Roles and Features -> uncheck Active Directory Domain Services in the Server Roles section.

Click the Demote this domain controller button.

The Active Directory Domain Services Configuration Wizard window should open. The Force the removal of this domain controller option is used when removing the last domain controller. You don't need to turn it on. In the future, we will remove the DC metadata manually.

In the next window, check the Proceed with removal option.


Then set the password for the local server administrator account.

At the last stage, it remains to press the button Demote.

Wait for the domain controller to be demoted. The message "Successfully demoted the Active Directory Domain Controller" should appear.


Reboot the server, run Server Manager again to remove the Active Directory Domain Services role.

When you remove the ADDS role, the following components will be removed by default: 

  • Active Directory Module for Windows PowerShell
  • AD DS and AD LDS Tools feature
  • Active Directory Administrative Center
  • AD DS Snap-ins and Command-line Tools
  • DNS Server
  • Group Policy Management Console (gpmc.msc)

Run the Active Directory Users and Computers console (dsa.msc) and verify that the domain controller account has been removed from OU Domain Controllers.

You can also remove a domain controller using the PowerShell cmdlet Uninstall-ADDSDomainController. The command will ask you to set a local administrator password and confirm the demotion of the DC.

After the reboot, remove the ADDS role using PowerShell:

Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools

Now run the Active Directory Sites and Services console (dssite.msc), find the domain controller's site and its account in the Servers section. Expand the DC, right-click NTDS Settings and select Delete.

Confirm the deletion of the DC by checking the option Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard.

Then delete the server account.

Wait for replication to finish in AD and check the status of the domain using dcdiag and repadmin (as described above).
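After the metadata has been removed through AD Sites and Services, it is worth confirming from another DC that nothing is left behind. The following is an added example, not code from the original article: it checks that the demoted server is no longer listed as a domain controller, looks for a leftover server object under CN=Sites in the Configuration partition, and removes that object only if its NTDS Settings child is already gone (if NTDS Settings still exist, it tells you to delete them in dssite.msc as described above, so that the metadata cleanup runs). It assumes the ActiveDirectory module and a constructed placeholder DC name, DC01, which you replace with your own; $DryRun defaults to $true so nothing is deleted until you change it.

```powershell
# Added example (not from the original article): post-removal verification.
# Run on a surviving DC or on a workstation with RSAT. $RemovedDc is a constructed
# placeholder; replace it with the short name of the DC you removed.
Import-Module ActiveDirectory
$RemovedDc = 'DC01'
$DryRun    = $true   # set to $false to actually delete a leftover server object

# 1. The server must no longer be listed as a domain controller.
$stillDc = Get-ADDomainController -Filter "Name -eq '$RemovedDc'" -ErrorAction SilentlyContinue
if ($stillDc) {
    Write-Warning "$RemovedDc is still a domain controller ($($stillDc.HostName)); demote it first."
    return
}

# 2. Look for its server object under CN=Sites in the Configuration partition.
$sitesDn = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$server  = Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$RemovedDc))" `
                        -SearchBase $sitesDn -Properties dNSHostName

if (-not $server) {
    Write-Host "No server object for $RemovedDc under $sitesDn - nothing left to clean up."
} else {
    # An nTDSDSA child ("NTDS Settings") means the DC metadata still exists.
    $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
                         -SearchBase $server.DistinguishedName -SearchScope OneLevel
    if ($ntds) {
        Write-Warning ("NTDS Settings still exist for {0} ({1}). Delete them in AD Sites and " +
                       "Services (dssite.msc) so the metadata is cleaned up.") -f $RemovedDc, $ntds.DistinguishedName
    } else {
        # Only the empty server container is left; it is safe to remove it.
        Remove-ADObject -Identity $server -Recursive -Confirm:$false -WhatIf:$DryRun
        Write-Host "Leftover server object $($server.DistinguishedName) removed (DryRun=$DryRun)."
    }
}

# 3. Replication summary across the remaining DCs; the removed DC must not appear
#    as a source or destination with errors.
& repadmin.exe /replsummary
```

Leave $DryRun at $true for the first run and read the -WhatIf output; only switch it to $false once the object it names is really the stale server container of the DC you demoted.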

Removing a Failed Active Directory Domain Controller.

If your domain controller has failed (physical server or virtual DC files on storage) and you do not plan to restore its DC from a previously created backup copy of the domain controller, you can forcefully delete it.

Important. A domain controller removed in this way should never be brought online.

Prior to Windows Server 2008 R2, the ntdsutil console utility was used to remove a failed domain controller and clean up its metadata in AD. In modern versions of Windows Server 2022/2019/2016/2012, you can remove the failed DC and gracefully clean up the metadata using the graphical MMC AD management snap-ins.

Open the ADUC console (dsa.msc) and navigate to the Domain Controllers container. Find your DC account and delete it.

A window will appear confirming the deletion of the DC. Check the Delete this Domain Controller anyway option and click the Delete button.

Active Directory will automatically purge the removed DC's metadata from the ntds.dit database.

Now you need to remove the domain controller in the AD Sites and Services console as described above.

And the last step is to remove records about the domain controller in DNS. Open the DNS Manager console (dnsmgmt.msc).

Remove the server from the Name Servers list in the zone settings.

Delete the static Name Server (NS) records left over from the removed DC in your DNS zone, its records in the _msdcs, _sites, _tcp, and _udp sections, and its PTR record in the reverse zone.


Or use PowerShell to find and remove records in DNS.
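Here is one way to do that with the DnsServer module, as an added example that is not part of the original article. It enumerates every primary zone on a surviving DNS server (the domain zone, the forest _msdcs zone and the reverse zones), flattens the type-specific RecordData of each record (NameServer for NS, IPv4Address for A, DomainName for SRV, HostNameAlias for CNAME, PtrDomainName for PTR) and matches it against the removed DC's FQDN and former IP address, so NS records at the zone apex, SRV records under _msdcs/_sites/_tcp/_udp, the A record and the PTR record are all found with one pass. The server name, DC name and IP address below are constructed placeholders; it assumes the DnsServer module (RSAT-DNS-Server) and deletes nothing until you set $DryRun to $false.

```powershell
# Added example (not from the original article): find and remove DNS records
# that still reference a removed domain controller. All three values below are
# constructed placeholders; replace them with your own.
Import-Module DnsServer
$DnsServer = 'dc02.winitpro.ru'   # a surviving DC/DNS server to query
$RemovedDc = 'dc01.winitpro.ru'   # FQDN of the removed domain controller
$RemovedIp = '192.168.1.10'       # its former IP address
$DryRun    = $true                # set to $false to actually delete

# Primary zones only: the domain zone, the forest _msdcs zone and reverse zones.
# Auto-created zones (0/127/255.in-addr.arpa) and TrustAnchors are skipped.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }

# RecordData holds a different property per record type; flatten them all and
# compare against the removed DC's name (with or without trailing dot) and IP.
# The record's own name is also checked, which catches the DC's A record even
# if its address changed shortly before removal.
function Test-PointsAtRemovedDc($record) {
    if ($record.HostName -ieq ($RemovedDc -split '\.')[0]) { return $true }
    foreach ($p in $record.RecordData.PSObject.Properties) {
        $v = "$($p.Value)"
        if ($v.TrimEnd('.') -ieq $RemovedDc -or $v -eq $RemovedIp) { return $true }
    }
    return $false
}

$stale = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName |
        Where-Object { Test-PointsAtRemovedDc $_ } |
        ForEach-Object { [pscustomobject]@{ Zone = $zone.ZoneName; Record = $_ } }
}

if (-not $stale) {
    Write-Host "No DNS records referencing $RemovedDc found on $DnsServer."
    return
}

# List every match, then delete it (Remove-DnsServerResourceRecord accepts the
# record object itself via -InputObject; -WhatIf honours $DryRun).
foreach ($s in $stale) {
    $r = $s.Record
    $data = ($r.RecordData.PSObject.Properties | ForEach-Object { "$($_.Value)" }) -join ','
    Write-Host ("{0,-30} {1,-5} {2,-45} {3}" -f $s.Zone, $r.RecordType, $r.HostName, $data)
    Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone `
        -InputObject $r -Force -WhatIf:$DryRun
}
```

Review the printed list before switching $DryRun off: a record that points at the removed DC's old IP address could belong to a host that has since reused that address, and such a record must be kept.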

So, in this article, we have described a step-by-step procedure that will help you demote a domain controller or remove a failed DC from Active Directory.
