
Demoting an Active Directory Domain Controller in Windows 2012

In one of my previous articles I showed you how to install and configure Active Directory in Windows Server 2012. In this post, I will walk through the step-by-step removal of Active Directory from a domain controller in Windows Server 2012.

As with the installation procedure for Active Directory, demotion/removal no longer depends on dcpromo. Demoting a domain controller in a Windows Server 2012 domain consists of two main operations.

  1. Removing the configuration of Active Directory from the Domain Controller
  2. Removal of Active Directory related roles

1. Removing the configuration of Active Directory from the Domain Controller

Follow the procedure below to uninstall Active Directory from a Windows Server 2012 server using the Server Manager wizards.

  • In Server Manager, click Manage, and then click Remove Roles and Features.
  • On the Before you begin page, review the information and then click Next.
  • On the Select destination server page, click the name of the server that you want to remove AD DS from and then click Next.

  • On the Remove server roles page, clear the check box for Active Directory Domain Services and then on the Remove Roles and Features Wizard dialog box, click Remove Features, and then click Next.

  • The Remove Roles and Features Wizard returns the following validation error:
  • The validation error appears by design because the AD DS server role binaries cannot be removed while the server is running as a domain controller. Click Demote this domain controller.
  • On the Credentials page, specify credentials to remove AD DS. If previous attempts to remove AD DS on this domain controller have failed, then you can select the Force the removal of this domain controller check box. For more information about forcing the removal of AD DS, see Forcing the removal of AD DS. If you are removing the last domain controller in the domain, select the Last domain controller in the domain check box. Click Next.

  • On the Warnings page, review the information about the roles hosted by the domain controller, click Proceed with removal, and then click Next.

  • On the Removal Options page: (Note: this page will not appear if you chose Force Removal of Domain Controller)
    • If you plan to reinstall the domain controller using the same domain controller account, click Retain the domain controller metadata.
    • In addition, if either of the following two options appears, it must be selected before you can proceed.
      • If you are removing the last DNS server that hosts the zones hosted on this domain controller, click Remove this DNS zone (this is the last server that hosts the zone).
      • If you want to delete the application partitions, click Remove application partitions.
        • NOTE: This option will appear only if this is the last server for the DNS zone.

  • Click Next.
  • On the New Administrator Password page, type and confirm the password for the local Administrator account for the server, and then click Next.
  • On the Review Options page, click Demote.
  • The server will restart automatically to complete the domain controller demotion. Continue with the next steps, which are needed to fully remove the AD DS server role binaries after the machine restarts to complete the demotion.

2. Removal of Active Directory related roles

  • After the demotion of the domain controller completes, try removing the Active Directory Domain Services and DNS Server roles again as described in step 1 above; this time it should succeed without any errors.
  • Removal of the roles from Server Manager completes the domain controller demotion process in Windows Server 2012.
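
The same two operations can be scripted. The following PowerShell sketch is an added example, not part of the original post or the TechNet text: it uses the `ADDSDeployment` and `ActiveDirectory` modules that ship with the AD DS role, checks for FSMO roles before demoting, and validates the operation before running it. The variable `$lastDcInDomain` is a hypothetical switch you set yourself.

```powershell
# Added example. Run in an elevated session on the domain controller being demoted.
Import-Module ActiveDirectory, ADDSDeployment

# Assumption: set to $true only when this is the last DC in the domain.
$lastDcInDomain = $false

# Pre-flight: stop if this DC still holds operations master (FSMO) roles,
# so they are moved to a DC you chose rather than one picked during demotion.
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME
if ($dc.OperationMasterRoles -and -not $lastDcInDomain) {
    Write-Warning ("This DC holds: {0}. Move them with Move-ADDirectoryServerOperationMasterRole first." -f
        ($dc.OperationMasterRoles -join ', '))
    return
}

# Equivalent of the wizard's "New Administrator Password" page.
$localAdminPw = Read-Host -AsSecureString 'New local Administrator password'

$demoteArgs = @{
    LocalAdministratorPassword   = $localAdminPw
    LastDomainControllerInDomain = $lastDcInDomain
    RemoveApplicationPartitions  = $lastDcInDomain
}

# Operation 1a: validation only, nothing is changed. Review the output before continuing.
Test-ADDSDomainControllerUninstallation @demoteArgs

# Operation 1b: demote. Prompts for confirmation and restarts the server when done.
Uninstall-ADDSDomainController @demoteArgs

# Operation 2: run after the restart to remove the role binaries
# (the validation error from the wizard no longer applies once the server is demoted).
Uninstall-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools -Restart
```

Run the last command in a new session after the reboot; everything above it belongs to the pre-reboot session.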

Please refer to this TechNet article if you still have any questions about the demotion of a domain controller. Most of the above steps are copied from the TechNet site since I hate to write my own sometimes. I tried to give a good perception of the demotion process with my understanding of the process at the beginning of the article, and with a bunch of screenshots to help you understand the steps.

Hope this helps and happy learning.

{ 8 comments… add one }
  • sujeeth October 5, 2012, 12:20 pm

    Hello everyone, can anyone tell me what is the difference between default domain policy and default domain controller policy in 2008?

    • Sitaram Pamarthi October 5, 2012, 11:44 pm

      Sujeeth, in simple terms, Domain Policy will get applied to all users/computers in the domain. This generally contains password policy settings like complexity, account lockout policy, Kerberos related settings. But the Default Domain Controller policy is different. As the name indicates, it is a policy that is applied to all domain controllers by default. By default this policy is linked to the Domain Controllers OU. Using this domain controller policy you can configure GPOs on domain controllers like restricting event log size, auditing settings, managing services etc. Hope this helps you.

      Please refer to http://technet.microsoft.com/en-us/library/dd378987%28v=ws.10%29.aspx for more details.

  • mohammed sabran December 2, 2014, 10:11 pm

    nice. I m. intersecting mcsa

  • Flow In April 18, 2016, 6:58 am

    Is there any way of doing this when DNS is broken? I can’t force remove the AD roles as it can’t resolve itself in DNS. It's freaking annoying. Going to format the box soon.

  • Pete July 6, 2016, 3:27 pm

    What about FSMO roles? Do you need to transfer these in 2012R2 before/after doing this?

    • Wintel Rocks July 9, 2016, 9:43 am

      @Pete, Active Directory transfers the roles to another DC before starting the demotion process. However, it does so to a random one. So you need to plan the DCs that you want to hold the FSMO roles and move them before the demotion.
