Last Update: Sep 04, 2024 | Published: Jul 11, 2018
In this Ask the Admin, I’ll show you how to demote a domain controller and remove the Active Directory Domain Services server role.
Most Windows system administrators know how to promote a server to a domain controller. In older versions of Windows Server, this was easily achieved by running dcpromo. In newer versions, you add the Active Directory Domain Services (ADDS) role using Server Manager. Once the role has been added, Server Manager prompts you to complete the process and opens a wizard that guides you through the installation of a domain controller.
There are several ways to demote a domain controller. Server Manager offers two ways to achieve this. The first, and maybe most obvious, is to use the Remove Roles and Features command in the Manage menu. If you try to remove the ADDS server role this way, you will be guided through the removal process by a wizard. Another way you can start the process is to click Local Server on the left of Server Manager and then scroll down to ROLES AND FEATURES on the right. Then right-click Active Directory Domain Services in the list of roles and click Remove Role or Feature in the menu.
Before removing ADDS, Windows Server will perform a validation check. You won’t be able to remove the role until the domain controller has been demoted. The validation results will show a warning and provide a link that opens the Active Directory Domain Services Configuration Wizard.
Checking "Force the removal of this domain controller" leaves the demoted domain controller’s object metadata in Active Directory. If the domain controller is the last in the domain, you will need to check "Last domain controller in the domain" before you can proceed. You can also change the credentials used for the demotion by clicking Change…
You’ll be prompted to reboot the server after a few minutes, at which point you can complete the removal of the ADDS server role in Server Manager.
The above procedure can also be performed using two AD PowerShell cmdlets. The first step is to demote the domain controller to a member server. Open a PowerShell prompt and run the command as shown below. The AD Remote Server Administration Tools (RSAT) need to be installed before you can use the AD PowerShell module.
Uninstall-ADDSDomainController
Other parameters can be added to Uninstall-ADDSDomainController to reflect the options that are available in the Active Directory Domain Services Configuration Wizard.
Uninstall-ADDSDomainController -Credential (Get-Credential) -ForceRemoval
For a full list of available parameters, use Get-Help Uninstall-ADDSDomainController.
Once the server has been demoted and rebooted, run Uninstall-WindowsFeature to remove the ADDS server role:
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
If you try to remove ADDS before demoting the domain controller, PowerShell will return an error.
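The two PowerShell steps above combined into one guarded script, as an added example that is not from the original article. It is meant to be run elevated on the domain controller itself, once before the reboot and once after. It assumes the ADDSDeployment module is present and that the objects returned by Test-ADDSDomainControllerUninstallation expose a Status property.

```powershell
#Requires -RunAsAdministrator
# Added example: guarded, two-phase demotion.
# Run it once on the DC, let the server reboot, then run it again.
Import-Module ADDSDeployment

# Win32_ComputerSystem.DomainRole: 3 = member server, 4 = backup DC, 5 = primary DC
$domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

if ($domainRole -ge 4) {
    # Phase 1: the server is still a domain controller, so demote it first.
    $params = @{
        Credential                 = Get-Credential -Message 'Account allowed to demote this DC'
        LocalAdministratorPassword = Read-Host -AsSecureString -Prompt 'New local Administrator password'
    }

    # Run the prerequisite checks without changing anything.
    # Assumption: each result object has Status, Message and Context properties.
    $failed = Test-ADDSDomainControllerUninstallation @params |
        Where-Object Status -eq 'Error'

    if ($failed) {
        $failed | Format-List Message, Context
        # -ForceRemoval would get past this, but it leaves the DC's
        # object metadata behind in Active Directory.
        throw 'Prerequisite check failed. Resolve the issues listed above before demoting.'
    }

    # Demote to a member server. Asks for confirmation, then reboots.
    Uninstall-ADDSDomainController @params
}
else {
    # Phase 2: already demoted, so the role can now be removed without error.
    $feature = Get-WindowsFeature -Name AD-Domain-Services
    if ($feature.Installed) {
        Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    }
    else {
        Write-Output 'AD-Domain-Services is not installed; nothing to remove.'
    }
}
```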
In this Ask the Admin, I showed you how to demote a Windows Server 2016 domain controller and remove the Active Directory Domain Services role.
Follow Russell on Twitter @smithrussell.