Demote Last Domain Controller and Impact on Synced Users in Entra ID

SF-6505 516 Reputation points
2025-03-09T10:12:07.2766667+00:00

What is the impact on synced users in Entra ID when demoting the last domain controller for a synced domain?


Accepted answer
  1. Thameur-BOURBITA 36,261 Reputation points Moderator
    2025-03-09T10:20:36.41+00:00

    Hi @SF-6505

    If you want to delete the synced users, before demoting the last domain controller you should:

    • In the connector, remove all synced OUs
    • Run a full sync (if the number of deleted objects exceeds the threshold, you should disable it temporarily)
    • Demote the last domain controller

    If you want to keep the synced users in Entra ID, you should follow these steps:

    • Check that password hash synchronization is enabled
    • Turn off directory synchronization; all synced users from this domain will be converted to cloud-only accounts
    • Demote the last domain controller
    1 person found this answer helpful.
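Both paths in the accepted answer can be scripted. The PowerShell below is an added example for this page, not code posted by the answer author or by Microsoft: the "keep the users" path is driven from the Graph side (check that password hash sync is on, count the users still flagged as synced, flip the tenant's directory-sync flag, count again), and the "delete the users" path is the final full sync on the Entra Connect server with the export deletion threshold lifted only while that cycle runs. It uses the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgDirectoryOnPremiseSynchronization`, `Get-MgUser`, `Get-MgOrganization`, `Update-MgOrganization`) and the ADSync module (`Start-ADSyncSyncCycle`, `Get-ADSyncScheduler`, `Disable-/Enable-ADSyncExportDeletionThreshold`). Removing the OUs from the connector scope has no cmdlet and stays a manual step in Synchronization Service Manager. The threshold value 500 (the product default) and the function names are assumptions for the example.

```powershell
# Added example for the accepted answer above; not the author's or Microsoft's code.
# Part 1 runs anywhere with the Microsoft.Graph SDK; Part 2 runs on the Entra Connect server.

# ---------- Part 1: keep the users (convert to cloud-only) ----------

function Connect-ForCutover {
    # Organization.ReadWrite.All is needed to change the sync flag, User.Read.All to count users.
    Connect-MgGraph -Scopes 'Organization.ReadWrite.All', 'User.Read.All' | Out-Null
}

function Test-PasswordHashSyncEnabled {
    # Tenant-level sync feature flags. If PasswordSyncEnabled is false the converted
    # cloud-only users have no usable password and every one of them needs a reset.
    $cfg = Get-MgDirectoryOnPremiseSynchronization
    return [bool]($cfg.Features.PasswordSyncEnabled)
}

function Get-SyncedUserCount {
    # Users still carrying onPremisesSyncEnabled=true. The filter needs an advanced
    # query (ConsistencyLevel eventual plus $count), which -CountVariable supplies.
    Get-MgUser -Filter 'onPremisesSyncEnabled eq true' -ConsistencyLevel eventual `
        -CountVariable syncedCount -All | Out-Null
    return [int]$syncedCount
}

function Disable-DirectorySyncForCutover {
    # Refuses to proceed without password hash sync, then turns off directory sync for the
    # tenant. Entra ID clears onPremisesSyncEnabled on the affected users afterwards.
    if (-not (Test-PasswordHashSyncEnabled)) {
        throw 'Password hash synchronization is not enabled; users would be left without passwords. Aborting.'
    }
    $before = Get-SyncedUserCount
    $org = Get-MgOrganization
    Update-MgOrganization -OrganizationId $org.Id -OnPremisesSyncEnabled:$false
    Write-Host "Directory sync disabled for $($org.DisplayName); $before users flagged as synced at cutover."
    return $before
}

# ---------- Part 2: delete the users (final full sync, run on the Connect server) ----------

function Start-FinalDeletionSync {
    # Run AFTER the domain's OUs were removed from the connector scope in Synchronization
    # Service Manager. Lifts the export deletion threshold only if the expected number of
    # deletes exceeds it, waits for the cycle to finish, then restores the threshold.
    param(
        [Parameter(Mandatory)][int]$ExpectedDeletes,
        [int]$Threshold = 500   # assumed: the product default
    )
    Import-Module ADSync
    $lifted = $ExpectedDeletes -gt $Threshold
    if ($lifted) { Disable-ADSyncExportDeletionThreshold }
    try {
        # Initial = full import + full sync + export, the "full sync" the answer refers to.
        Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
        # The cycle is asynchronous; poll the scheduler so the threshold is not re-enabled
        # while the export is still deleting objects.
        do { Start-Sleep -Seconds 30 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
    }
    finally {
        if ($lifted) { Enable-ADSyncExportDeletionThreshold -DeletionThreshold $Threshold }
    }
}

# Usage (keep path):
#   Connect-ForCutover
#   Disable-DirectorySyncForCutover
#   Get-SyncedUserCount      # re-run later; should reach 0 before the DC is demoted
# Usage (delete path, on the Connect server, OUs already removed from scope):
#   Start-FinalDeletionSync -ExpectedDeletes 1200
```

Two checks worth doing before the DC actually goes: re-run `Get-SyncedUserCount` until it reaches zero, because disabling directory sync is not instantaneous and Microsoft documents that the change can take up to 72 hours to complete (and sync cannot be re-enabled during that window), and confirm users can still sign in with their existing password, which only works if the password hash sync check passed. The deletion path is the one that can empty the tenant by accident, which is why the threshold is restored in `finally` rather than left off.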

1 additional answer

  1. ASHOKKUMAR V 0 Reputation points
    2025-03-09T11:13:43.7233333+00:00

    In summary:

    • Demoting the last domain controller disrupts on-premises AD DS.
    • Entra ID users who have already been synchronized will generally retain their cloud identities.
    • The Microsoft Entra Connect server is the critical link, and its continued function is paramount.

    It's highly recommended to consult Microsoft's official documentation and best practices before making significant changes to your identity infrastructure.
