In this guide, you will learn how to demote a domain controller node in a Windows Server environment. I will guide you through the steps of preparation, demotion, and checks to make afterward.

Although it typically doesn't happen frequently, there are times when administrators need to demote a domain controller from Active Directory. You may be decommissioning a site, introducing a new domain controller to replace an aging operating system, etc. Let's look at the demotion process, including what it is, how it is carried out, and things to remember.

Active Directory domain controllers

Domain controllers are servers with the unique role of acting as "gatekeepers" for user authentication, enforcing security policies, and managing network resources in Active Directory. When a server is designated as a domain controller via the Server Manager, it inherits these duties and begins synchronizing the AD DS database with other domain controllers within the network.

What does it mean to demote a domain controller?

In the context of Active Directory Domain Services, "demote a domain controller" means removing the Domain Controller role from a server in the Windows Server environment. As part of this process, the Active Directory-specific services, such as NETLOGON, are removed, and the server ceases to hold a copy of the Active Directory database.

When an administrator chooses to demote the last domain controller, the Active Directory domain itself is removed. In addition, demoting the last domain controller in the forest removes the entire forest. As a result, domain controller demotion, specifically involving the last domain controller, must be executed carefully and strategically due to its considerable impact. Always double-check the server selection page, manage the DNS settings properly, and ensure that the IP addresses of other servers are correctly updated in the process.

Preparing for demotion: What you need

Before proceeding to demote a domain controller, several prerequisites must be met. First, you'll need access to the server through the Server Manager using domain administrator or enterprise administrator credentials. Additionally, knowledge of the Active Directory structure is crucial, including Active Directory sites and the DNS Server setup. Lastly, make sure to have backups of your domain controllers and system state backups (containing Active Directory database backups).

Third-party backup tools generally have "application-aware" backups that capture the Active Directory database and other vital components of Active Directory when backing up a domain controller. However, ensure that you have the application-aware feature turned on and test restoring your backups in a lab environment.

Flexible Single Master Operation roles

Demoting a domain controller is not always a straightforward process. For instance, if the domain controller holds Flexible Single Master Operation (FSMO) roles, the process becomes more complicated. In such cases, you may need to transfer these roles to other domain controllers before the demotion.

You can query your domain to see which servers currently hold the FSMO roles. Use the following command:

netdom query fsmo

Check the FSMO roles

The command will return the servers holding the roles. If the server you are preparing to remove holds one of the roles, you will want to transfer the FSMO role to another domain controller that will not be demoted.
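As an added example (not part of the original article), the same check done with the ActiveDirectory PowerShell module, followed by a graceful transfer of any role the outgoing DC still holds. The two DC names are placeholders, and the transfer only works while both DCs are online and replicating; it is not a role seizure.

```powershell
Import-Module ActiveDirectory

# Placeholders: the DC about to be demoted and the DC that should take its roles.
$OutgoingDC = 'DC01.corp.example'
$TargetDC   = 'DC02.corp.example'

$domain = Get-ADDomain
$forest = Get-ADForest

# The three domain-wide and two forest-wide FSMO roles and their current holders.
$roleHolders = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$roleHolders.GetEnumerator() | Sort-Object Name |
    ForEach-Object { '{0,-22} {1}' -f $_.Name, $_.Value }

# Roles still sitting on the DC we intend to demote.
$toMove = $roleHolders.GetEnumerator() |
    Where-Object { $_.Value -ieq $OutgoingDC } |
    ForEach-Object { $_.Name }

if ($toMove) {
    # Transfer (not seize) the roles to the DC that will remain.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $toMove -Confirm:$false
    "Transferred $($toMove -join ', ') to $TargetDC"
} else {
    "$OutgoingDC holds no FSMO roles; safe to proceed with the demotion."
}
```

Re-run `netdom query fsmo` afterwards and confirm the output no longer lists the outgoing server.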

Steps for demoting a domain controller

Demoting a domain controller can be performed via the Server Manager. Open Server Manager, and navigate to the Remove Roles and Features option. It will launch the removal wizard, guiding you through the process. When prompted, choose the Demote this Domain Controller option. You must enter your domain credentials and the new administrator password before proceeding. Follow the prompts on the warnings screen and the domain services configuration wizard.

Beginning the Remove Roles and Features Wizard

Choose the server in the Remove Roles and Features Wizard that you want to demote.

Select the destination server

Uncheck the Active Directory Domain Services role.

Uncheck Active Directory Domain Services

It will prompt you to remove features that require Active Directory Domain Services.

Remove features that require AD DS

You will see a dialog box indicating that the Active Directory domain controllers need to be demoted before the AD DS role can be removed.

Message about demoting the Active Directory Domain Controller

If you are already logged in with credentials to demote the domain controller, you can continue without needing to change your credentials.

Supply the credentials for demoting the domain controller

Take note of any of the other roles the server may hold, such as DNS, global catalog server, etc.

Review warnings and proceed with the removal

Set a new administrator (local) password.

Set a new administrator password

Review the options for the demotion. You can also click the View script button to see the equivalent PowerShell for the operation.

Review the options for the demotion

Below is a look at the PowerShell script for the demotion. You can also run these commands yourself before starting the Server Manager Remove Roles and Features process, which saves you from repeating the demotion steps when you later remove the role.

Viewing the PowerShell script for the demotion

The demotion of the Active Directory Domain Services (AD DS) domain controller begins.

The demotion process begins and starts transferring the remaining data to another DC

You will see critical Active Directory services stopped on the domain controller being demoted, such as NETLOGON.

Stopping the NETLOGON service

The demoted domain controller will reboot during the demotion process. After the server reboots, launch the Remove Roles and Features Wizard and uncheck the Active Directory Domain Services role again.

Remove Active Directory Domain Services

Next, remove features that require Active Directory Domain Services.

Remove features that require Active Directory Domain Services

Click Next.

Role services removed and ready to finish the wizard

Click Next on the Features screen.

No features to remove in addition to AD DS

Click the Remove button.

Confirm and remove the AD DS role

After removing the role, restart the server.

Reboot the domain controller to finish the domain controller demotion
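Added example, not the script shown in the article's screenshot: the PowerShell equivalent of the wizard steps above, run from an elevated session on the DC being demoted. It runs the ADDSDeployment prerequisite check first and only demotes if that check reports no error; the credential and password are prompted for, and the Status and Message properties on the check result are assumed.

```powershell
Import-Module ADDSDeployment

# Prompted at run time: the account performing the demotion and the new
# local Administrator password that the wizard also asks for.
$cred     = Get-Credential -Message 'Domain Admin credential for the demotion'
$localPwd = Read-Host -AsSecureString -Prompt 'New local Administrator password'

$params = @{
    Credential                  = $cred
    LocalAdministratorPassword  = $localPwd
    DemoteOperationMasterRole   = $false   # stop if this DC still holds an FSMO role; transfer it first
    RemoveApplicationPartitions = $true    # remove application partition replicas (e.g. DomainDnsZones) held here
    Force                       = $true    # no interactive confirmation, as in the wizard's generated script
}

# Prerequisite check: reports the same warnings the wizard shows (last DC in
# the domain, DNS delegation, remaining roles) without changing anything.
$check = Test-ADDSDomainControllerUninstallation @params
$check | Format-List Status, Message
if ($check.Status -eq 'Error') {
    throw 'Prerequisite check failed; not demoting this domain controller.'
}

# Demote. The server reboots when this finishes (add -NoRebootOnCompletion to defer).
Uninstall-ADDSDomainController @params

# Second pass after the reboot: remove the AD DS binaries and management tools,
# which is what the Remove Roles and Features Wizard does on its second run.
# Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart
```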

Post-demotion cleanup and verification

Post-demotion, some manual cleanup may be necessary, such as removing the old domain controller from Active Directory Sites and Services or verifying the removal in the DNS Manager. It's also essential to confirm that replication to other domain controllers has been completed successfully and to check the health of the Active Directory and DNS Server.

You can use built-in tools, such as DCDiag and repadmin, to test the health of your remaining domain controllers and Active Directory replication.
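Added example (not from the article) of the post-demotion checks in PowerShell: confirm the demoted server is no longer a DC, look for a leftover server object under Sites and Services and stale DNS records, then summarise replication health with repadmin and dcdiag. The demoted server's short name is a placeholder, and the PDC emulator is used as the remaining DC to query.

```powershell
Import-Module ActiveDirectory
Import-Module DnsServer

$DemotedDC   = 'DC01'                         # placeholder: short name of the demoted server
$DomainFqdn  = (Get-ADDomain).DNSRoot
$RemainingDC = (Get-ADDomain).PDCEmulator     # a DC that is staying; any healthy DC will do

# 1. The demoted server must no longer be listed as a domain controller.
$stillDC = Get-ADDomainController -Filter * | Where-Object { $_.Name -ieq $DemotedDC }
if ($stillDC) { Write-Warning "$DemotedDC is still registered as a DC; metadata cleanup is needed" }

# 2. Leftover server object in Sites and Services. A clean demotion removes the
#    NTDS Settings object, but the server container itself can remain.
$sitesDN = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -SearchBase $sitesDN -LDAPFilter "(&(objectClass=server)(cn=$DemotedDC))" |
    ForEach-Object { Write-Warning "Stale server object: $($_.DistinguishedName)" }

# 3. Stale DNS records in the domain zone that still name the old DC
#    (host A records and SRV records whose target is the old host).
#    Repeat for the _msdcs zone if it is delegated separately.
Get-DnsServerResourceRecord -ComputerName $RemainingDC -ZoneName $DomainFqdn |
    Where-Object {
        $_.HostName -ieq $DemotedDC -or
        ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$DemotedDC.*")
    } | Select-Object HostName, RecordType, @{ n = 'Data'; e = { $_.RecordData } }

# 4. Replication and DC health on what remains.
repadmin /replsummary
repadmin /showrepl $RemainingDC
dcdiag /s:$RemainingDC /test:Replications /test:DNS /q
```

Any warning from steps 1 to 3 means the demotion left metadata behind and should be cleaned up before the old server's name or IP address is reused.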

Wrapping up

While it might seem daunting to demote a domain controller, it is relatively straightforward, with careful planning and understanding. Always back up the necessary data, prepare thoroughly, and monitor the process to ensure minimal disruption to your Active Directory Domain Services.


Demoting a domain controller requires a meticulous approach, and it's essential to understand the potential implications for your Windows Server environment, particularly with DNS resolution and the roles of other domain controllers. Ensure you thoroughly check the environment after you demote a server to verify that Active Directory properly reflects that the domain controller has been removed and replication and other activities are healthy.

1 Comment
  1. Nicholas Kulkarni 3 months ago

    Thanks very much for this. I happen to be in the middle of upgrading a 2012 R2 estate and your articles on RDS Upgrade and this one on Domain Controller demotion are a real life saver. Please keep posting things like this. They are really useful for us poor old one man IT departments.

© 4sysops 2006 - 2023