Demoting domain controllers and domains
Applies to: Windows Server 2022, Windows Server 2019, Windows Server
This article explains how to remove Active Directory Domain Services (AD DS) using Server Manager or Windows PowerShell.
AD DS removal workflow
Caution
Removing the AD DS roles with Dism.exe or the Windows PowerShell DISM module after promotion to a Domain Controller (DC) isn't supported and prevents the server from booting normally.
Unlike Server Manager or the ADDSDeployment module for Windows PowerShell, DISM is a native servicing system that has no inherent knowledge of AD DS or its configuration. We don't recommend using Dism.exe or the Windows PowerShell DISM module to uninstall the AD DS role unless the server is no longer a domain controller.
Demotion and role removal with PowerShell
ADDSDeployment and ServerManager Cmdlets | Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS Configuration Wizard.) |
---|---|
Uninstall-ADDSDomainController | -SkipPreChecks -LocalAdministratorPassword -Confirm -Credential -DemoteOperationMasterRole -DNSDelegationRemovalCredential -Force -ForceRemoval -IgnoreLastDCInDomainMismatch -IgnoreLastDNSServerForZone -LastDomainControllerInDomain -Norebootoncompletion -RemoveApplicationPartitions -RemoveDNSDelegation -RetainDCMetadata |
Uninstall-WindowsFeature/Remove-WindowsFeature | -Name -IncludeManagementTools -Restart -Remove -Force -ComputerName -Credential -LogPath -Vhd |
To learn more about how to demote your DC using PowerShell, see the Uninstall-ADDSDomainController and Uninstall-WindowsFeature PowerShell references.
When using Uninstall-ADDSDomainController
and Uninstall-WindowsFeature
, these commands only require the minimum arguments as they each perform a single action. Pressing the Enter key during the confirmation phase initiates the irrevocable demotion process and restarts your device.
Note
The Credential argument is only required if you aren't already signed in as a member of the Enterprise Admins group or the Domain Admins group. The IncludeManagementTools argument is only required if you want to remove all of the AD DS management utilities.
Demote
Remove roles and features
There are two methods you can use to remove the AD DS role:
The Manage menu on the main dashboard, using Remove Roles and Features
Select AD DS or All Servers on the navigation pane. Scroll down to the Roles and Features section. Right-click Active Directory Domain Services in the Roles and Features list and select Remove Role or Feature. This interface skips the Server Selection page.
The ServerManager cmdlets Uninstall-WindowsFeature and Remove-WindowsFeature will prevent you from removing the AD DS role until you demote the domain controller.
Server selection
The Server Selection dialog enables you to choose from one of the servers previously added to the pool, as long as it's accessible. The local server running Server Manager is always automatically available.
Server Roles and Features
Clear the Active Directory Domain Services check box to demote a domain controller; if the server is currently a domain controller, this doesn't remove the AD DS role and instead switches to a Validation Results dialog with the offer to demote. Otherwise, it removes the binaries like any other role feature.
Don't remove any other AD DS-related roles or features - such as DNS, GPMC, or the RSAT tools - if you intend to promote the domain controller again immediately. Removing additional roles and feature increases the time to re-promote, as Server Manager reinstalls these features when you reinstall the role.
Remove unneeded AD DS roles and features at your own discretion if you intend to demote the domain controller permanently. This requires clearing the check boxes for those roles and features.
The full list of AD DS-related roles and features include:
- Active Directory Module for Windows PowerShell feature
- AD DS and AD LDS Tools feature
- Active Directory Administrative Center feature
- AD DS Snap-ins and Command-line Tools feature
- DNS Server
- Group Policy Management Console
The equivalent ADDSDeployment and ServerManager Windows PowerShell cmdlets are:
Uninstall-ADDSDomainController
Uninstall-WindowsFeature
Credentials
You configure demotion options on the Credentials page. Provide the credentials necessary to perform the demotion from the following list:
Demoting an additional domain controller requires Domain Admin credentials. Selecting Force the removal of this domain controller demotes the domain controller without removing the domain controller object's metadata from Active Directory.
Warning
Do not select this option unless the domain controller cannot contact other domain controllers and there is no reasonable way to resolve that network issue. Forced demotion leaves orphaned metadata in Active Directory on the remaining domain controllers in the forest. In addition, all un-replicated changes on that domain controller, such as passwords or new user accounts, are lost forever. Orphaned metadata is the root cause in a significant percentage of Microsoft Customer Support cases for AD DS, Exchange, SQL, and other software.
If you forcibly demote a domain controller, you must manually perform metadata cleanup immediately. For steps, review Clean Up Server Metadata.
Demoting the last domain controller in a domain requires Enterprise Admins group membership, as this removes the domain itself (if the last domain in the forest, this removes the forest). Server Manager informs you if the current domain controller is the last domain controller in the domain. Select the Last domain controller in the domain check box to confirm the domain controller is the last domain controller in the domain.
The equivalent ADDSDeployment Windows PowerShell arguments are:
-Credential <PSCredential>
-ForceRemoval <{ $true | $false }>
-LastDomainControllerInDomain <{ $true | $false }>
Warnings
The Warnings page alerts you to the possible consequences of removing this domain controller. To continue, you must select Proceed with removal.
Warning
If you previously selected Force the removal of this domain controller on the Credentials page, then the Warnings page shows all Flexible Single Master Operations roles hosted by this domain controller. You must seize the roles from another domain controller immediately after demoting this server. For more information on seizing FSMO roles, see Seize the Operations Master Role.
This page doesn't have an equivalent ADDSDeployment Windows PowerShell argument.
Removal Options
The Removal Options page appears depending on previously selecting Last domain controller in the domain on the Credentials page. This page enables you to configure additional removal options. Select Ignore last DNS server for zone, Remove application partitions, and Remove DNS Delegation to enable the Next button.
The options only appear if applicable to this domain controller. For instance, if there's no DNS delegation for this server then that checkbox won't display.
Select Change to specify alternate DNS administrative credentials. Select View Partitions to view additional partitions the wizard removes during the demotion. By default, the only additional partitions are Domain DNS and Forest DNS Zones. All other partitions are non-Windows partitions.
The equivalent ADDSDeployment cmdlet arguments are:
-IgnoreLastDnsServerForZone <{ $true | false }>
-RemoveApplicationPartitions <{ $true | false }>
-RemoveDNSDelegation <{ $true | false }>
-DNSDelegationRemovalCredential <PsCredential>
New Administrator Password
The New Administrator Password page requires you to provide a password for the built-in local computer's Administrator account, once the demotion completes and the computer becomes a domain member server or workgroup computer.
The Uninstall-ADDSDomainController cmdlet and arguments follow the same defaults as Server Manager if not specified.
The LocalAdministratorPassword argument is special:
- If not specified as an argument, then the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.
- If specified with a value, then the value must be a secure string. This isn't the preferred usage when running the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string.
Uninstall-ADDSDomainController -LocalAdministratorPassword (Read-Host -Prompt "Password:" -AsSecureString)
Warning
As the previous two options do not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged. For example:
Uninstall-ADDSDomainController -LocalAdministratorPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force)
Warning
Providing or storing a clear text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the local administrator password of that computer. With that knowledge, they have access to all of its data and can impersonate the server itself.
Confirmation
The Confirmation page shows the planned demotion; the page doesn't list demotion configuration options. This is the last page the wizard shows before the demotion begins. The View Script button creates a Windows PowerShell demotion script.
Select Demote to run the following AD DS Deployment cmdlet:
Uninstall-ADDSDomainController
Use the optional Whatif argument with the Uninstall-ADDSDomainController and cmdlet to review configuration information. This enables you to see the explicit and implicit values of a cmdlet's arguments.
For example:
The prompt to restart is your last opportunity to cancel this operation when using ADDSDeployment Windows PowerShell. To override that prompt, use the -force or confirm:$false arguments.
Demotion
When the Demotion page displays, the domain controller configuration begins and can't be halted or canceled. Detailed operations display on this page and write to logs:
- %systemroot%\debug\dcpromo.log
- %systemroot%\debug\dcpromoui.log
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end of promotion, use the -norebootoncompletion:$false argument.
Warning
Overriding the reboot is discouraged. The member server must reboot to function correctly.
Here's an example of forcibly demoting with its minimal required arguments of -forceremoval and -demoteoperationmasterrole. The -credential argument isn't required because the user logged on as a member of the Enterprise Admins group:
Here's an example of removing the last domain controller in the domain with its minimal required arguments of -lastdomaincontrollerindomain and -removeapplicationpartitions:
If you attempt to remove the AD DS role before demoting the server, Windows PowerShell blocks you with an error:
Important
You must restart the computer after demoting the server before you can remove the AD-Domain-Services role binaries.
Results
The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot after 10 seconds.