This article provides a step-by-step guide on correctly removing an Active Directory domain controller on servers running Windows Server 2022, 2019, 2016, and 2012R2. Removing a domain controller may be necessary in various situations, such as during planned demotion or in case of hardware failure. We will cover both scenarios: demoting a domain controller with the removal of the ADDS role and forcibly removing a failed domain controller.
Original Windows Server installers can be downloaded from our catalog.
Demoting a Domain Controller with Removal of the Active Directory Domain Services (ADDS) Role
If you plan to remove an existing domain controller, it’s critical to perform several preparatory steps before demoting the domain controller and removing the ADDS role. In modern versions of Windows Server, the outdated dcpromo command is no longer used for domain controller removal.
Preparatory Steps
1. Verify the health of the domain controller, Active Directory, and replication. Use the following command for diagnostics:
dcdiag.exe /s:dc01 /q
2. Ensure that the domain controller does not hold any FSMO roles:
netdom query fsmo
If necessary, transfer FSMO roles to another domain controller.
3. Confirm that the domain controller is not running the DHCP Server role. If it is, migrate DHCP to another server.
4. Update DNS settings in DHCP scopes to ensure clients can obtain IP addresses and new DNS settings from other servers.
Use the following PowerShell command to list DNS servers:
Get-DhcpServerv4Scope -ComputerName msk-dhcp01.winitpro.ru | Get-DhcpServerv4OptionValue | Where-Object {$_.OptionID -like 6} | FT Value
5. If clients are manually configured to use the DNS server on the domain controller being removed, reconfigure these devices to use another DNS server. The easiest way to identify devices accessing the DNS server is through its logs.
6. If the domain controller is running a Certificate Authority role, migrate it to another server.
7. If additional services (such as KMS, RADIUS/NPS, WSUS, etc.) are running on the domain controller, determine whether they need to be transferred to other servers.
8. Check for dependencies using the following PowerShell cmdlet:
Test-ADDSDomainControllerUninstallation
If the cmdlet returns a Success status, you can proceed with the removal process.
Demoting a Domain Controller via Server Manager
1. Open Server Manager -> Remove Roles and Features.
2. Uncheck Active Directory Domain Services in the Server Roles section.
3. Click Demote this domain controller to open the Active Directory Domain Services Configuration Wizard.
4. Select the Proceed with removal option.
5. Specify the local administrator password for the server.
6. Click Demote and wait for the demotion process to complete.
7. Wait for the domain controller demotion to finish. You should see the message Successfully demoted the Active Directory Domain Controller.
8. Reboot the server, then reopen Server Manager to remove the Active Directory Domain Services role.
After demoting the domain controller, the following components will be automatically removed:
– Active Directory Module for Windows PowerShell
– AD DS and AD LDS Tools
– Active Directory Administrative Center
– AD DS Snap-ins and Command-line Tools
– DNS Server
– Group Policy Management Console (gpmc.msc)
Removing a Domain Controller via PowerShell
You can demote a domain controller using the following PowerShell cmdlet:
Uninstall-ADDSDomainController
After demoting the server to a member server, remove the ADDS role:
Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
Then, open the Active Directory Sites and Services console (dssite.msc), locate the site and account of the domain controller in the Servers section. Expand the DC entry, right-click on NTDS Settings, and select Delete.
Confirm the deletion by selecting Delete This Domain controller anyway.
Then, delete the server’s account.
Wait for replication to complete in Active Directory and verify the domain’s health using dcdiag and repadmin.
Forcibly Removing a Failed Domain Controller
If a domain controller has failed and recovery is not planned, it must be manually removed.
Important: A removed domain controller must not be reconnected to the network after removal.
In previous versions of Windows Server, the ntdsutil utility was used to remove a domain controller. In Windows Server 2022/2019/2016/2012, you can use graphical tools to clean up metadata and remove the DC.
1. Open the Active Directory Users and Computers console (dsa.msc).
2. Navigate to the Domain Controllers container and delete the domain controller’s account.
3. Enable the Delete this Domain Controller anyway option and click Delete.
4. Active Directory will automatically clean up the removed DC’s metadata from the ntds.dit database. Next, remove the domain controller from the AD Sites and Services console as described above.
5. The final step is to clean up the domain controller’s records in DNS. Open the DNS Manager console (dnsmgmt.msc).
6. Remove the server from the Name Servers list in the zone settings.
Delete the static Name Server (NS) records left by the removed DC in your DNS zone and the following sections:
– _msdcs
– _sites
– _tcp
– _udp
– PTR records in the reverse lookup zone.
You can use PowerShell to search for and delete these records.
This article provides a step-by-step guide for removing an Active Directory domain controller. We covered both proper demotion and removal of the ADDS role from a functioning domain controller and the forcible removal of a failed DC. Following these recommendations will help avoid issues in the domain’s operation after the domain controller is removed.
Если нужно перевести другой текст или внести правки, дайте знать!
