How to demote a Domain Controller: A step-by-step guide

Are you a Windows system administrator looking for how to demote a Domain Controller in your Active Directory? You have landed in the right place. There are many reasons to demote a Domain Controller. For example, if a server needs to become a standalone or member server, or if it needs to be migrated to another domain, the Domain Controller must be demoted first. This can usually be done through the Active Directory Installation Wizard, but sometimes a manual demotion is required. This article is a step-by-step guide to demoting a Domain Controller.

Cautionary steps

  1. A Global Catalog is needed to perform authentication during logon. If the local server is a Global Catalog server, make sure another copy of the Global Catalog is available, otherwise logon authentication will fail.
  2. Never use the Deployment Image Servicing and Management (Dism.exe) executable or its PowerShell module to uninstall the AD DS role while the server is still a domain controller. Removing the AD DS role with Dism.exe or its PowerShell equivalent will prevent the server from booting normally.
  3. When performing metadata cleanup, verify that the “Protect object from accidental deletion” option is turned off for both the computer object and the NTDS Settings object associated with the domain controller. If it is not turned off, you will receive the message “Access is denied”. To rectify this, right-click the computer object or the NTDS Settings object, click “Properties”, open the “Object” tab and uncheck “Protect object from accidental deletion”.

Methods of demoting a Domain Controller

A Domain Controller can be demoted in two ways.

  1. Using Server Manager
  2. Manual demotion

Using Server Manager

This option is preferable when you still have access to the server, and it is the option Microsoft recommends.

  1. Open Server Manager.
  2. In the menu bar, expand Manage. Select Remove Roles and Features and click Next.
  3. In the wizard, select the server you need to demote and click Next.
  4. In the list of roles, uncheck “Active Directory Domain Services”. A pop-up will appear listing features that require Active Directory Domain Services. If you want to decommission the server entirely, uncheck everything. If you want to keep using the server for managing AD, leave them checked.
  5. On the Validation Results page, click the hyperlink “Demote this domain controller”.
  6. This opens the Active Directory Domain Services Configuration Wizard. Make sure “Force the removal of this domain controller” is UNCHECKED. This option is exclusively for removing the last server in the domain. If you want to run the demotion as a different user, the credentials can be changed here. Click Next.
  7. The Domain Controller may host additional roles, such as DNS and Global Catalog, so a warning will pop up. Once the client computers have been pointed to another server, it is safe to check Proceed with removal. Then click Next.
  8. On the Removal Options page, check “Remove DNS delegation” if your server has a DNS delegation. If your server does not have a DNS delegation, leave “Remove DNS delegation” unchecked.
  9. A new local Administrator password is required for the server.
  10. After reviewing the options, click Demote.

Pro tip: If you click the View script button, a PowerShell script is generated. It can be used to automate demotion if you have additional domain controllers in your Active Directory.

The server will be demoted and will remain a member server. You can log in to it using domain credentials.
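The scripted equivalent of the wizard steps above, written here as an added example rather than the script Server Manager generates. It assumes the RSAT ActiveDirectory module and the ADDSDeployment module are present and that it runs on the DC being demoted with Domain Admin rights; it first confirms cautionary step 1 (another Global Catalog exists) and reports any FSMO roles held locally before demoting.

```powershell
# Added example, not the wizard-generated script. Assumes RSAT AD module,
# ADDSDeployment module, and execution on the DC being demoted.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$me = $env:COMPUTERNAME

# Cautionary step 1: logon authentication needs a Global Catalog, so another
# GC must remain after this server is demoted. Stop if none exists.
$otherGCs = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Where-Object { $_.Name -ne $me }
if (-not $otherGCs) {
    throw "No other Global Catalog server exists; promote one before demoting $me."
}

# Report the FSMO roles this server holds. Like the wizard, the demotion
# transfers them when -DemoteOperationMasterRole is specified.
$forest = Get-ADForest
$domain = Get-ADDomain
$roles = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$heldHere = $roles.GetEnumerator() | Where-Object { $_.Value -like "$me.*" }
foreach ($r in $heldHere) {
    Write-Warning "$me holds the $($r.Key) role; it will be transferred during demotion."
}

# Step 9: the new local Administrator password, read as a SecureString.
$localAdminPwd = Read-Host -AsSecureString "New local Administrator password"

# Dry run: performs the same validation the wizard shows without changing anything.
Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdminPwd `
    -DemoteOperationMasterRole

# Step 6: "Force the removal" stays off, so -ForceRemoval is deliberately NOT used.
# Step 8: -RemoveDnsDelegation is $false here; set it to $true only if this DC
# holds a DNS delegation. -Force merely suppresses the confirmation prompt.
Uninstall-ADDSDomainController `
    -LocalAdministratorPassword $localAdminPwd `
    -DemoteOperationMasterRole `
    -RemoveDnsDelegation:$false `
    -Force
```

Run the Test- cmdlet on its own first and read its output; the Uninstall- call reboots the server when it completes.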

Manual Demotion

When the server is inaccessible, dead or disconnected, the only option is to demote it manually.

  1. Log in to any Domain Controller or computer with the Remote Server Administration Tools (RSAT) installed. Open “Active Directory Users and Computers” and navigate to the Domain Controllers folder. In the right-hand pane, right-click the Domain Controller you want to remove and click Delete.
  2. The Deleting Domain Controller dialog box will open. Check the option “Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard.” and click Delete.

Metadata cleanup

After forcibly removing a Domain Controller or any AD DS instance, metadata cleanup is generally required. Metadata is the data that identifies a server as a domain controller to the replication system, so any data that still points the replication system at the removed DC should be deleted. The decommissioned or retired domain controller may also hold File Replication Service (FRS) and Distributed File System (DFS) data, or connections to Flexible Single Master Operations (FSMO) roles. The cleanup process ensures this data is removed as well.

Metadata cleanup can be performed:

  • Using GUI tools.
  • Using the command line.

Metadata Cleanup using GUI tools

The minimum requirement for a user to perform automatic cleanup is membership in the Domain Admins group. Windows Server 2008 or newer versions of RSAT perform metadata cleanup automatically: the Remote Server Administration Tools (RSAT), the AD Users and Computers console (Dsa.msc) and the AD Sites and Services console (Dssite.msc) all perform automatic metadata cleanup. When using Dssite.msc, however, make sure the NTDS Settings object under the computer account is deleted first.

Cleanup using AD Users and Computers

  1. Open Active Directory Users and Computers. If there is a replication partner, right-click Active Directory Users and Computers, click Change Domain Controller and select the DC from which the metadata should be deleted. Then click OK.
  2. Navigate to the domain of the removed domain controller and click the Domain Controllers folder.
  3. In the details pane on the right, delete the computer object of the intended DC.
  4. An Active Directory Domain Services dialog box will open. Verify the DC name and click Yes.
  5. A Deleting Domain Controller dialog box will open. Check “This Domain Controller is permanently offline and can no longer be demoted using the Active Directory Domain Services Installation Wizard (DCPROMO)”, then click Delete. If the DC is a global catalog server, another dialog box will open. Confirm the deletion and click Yes.
  6. If the DC holds any FSMO role, click OK to migrate the role(s) to the DC that is shown. This DC cannot be changed during this procedure; any change needed should be performed after the metadata cleanup.

Cleanup using AD Sites and Services

  1. Open Active Directory Sites and Services. If there is a replication partner, right-click Active Directory Sites and Services, click Change Domain Controller and select the DC from which the metadata should be deleted. Then click OK.
  2. Expand the site of the domain controller, then Servers, then the removed DC. Right-click the NTDS Settings object and click Delete.
  3. Follow steps 4 through 6 from Cleanup using AD Users and Computers above.

Metadata Cleanup using command line

Every server that has AD Lightweight Directory Services (AD LDS) or RSAT installed comes with a command-line tool, ntdsutil.exe. To clean up server metadata with this tool, follow the steps below.

  1. Open cmd as an Administrator.
  2. Type ntdsutil and press Enter.
  3. Type metadata cleanup and press Enter.
  4. Type the command remove selected server <Your ServerName here> (replacing Your ServerName here with the name of your server).
  5. Review the information and click Yes to perform the metadata cleanup.
  6. To confirm, open the Active Directory Users and Computers console and expand the Domain Controllers container. In the details pane, no object associated with the removed Domain Controller should show up. Do the same in Active Directory Sites and Services: the NTDS Settings object should NOT be found.

Note: If any child object is found below the server object, an application is still using that object. In this case, do not delete the server object. There is no functional difference between the methods of demoting a server, but manual demotion is best kept as the last resort.
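A PowerShell equivalent of the confirmation in step 6, plus the child-object check from the note, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module; the server name OLDDC01 is a constructed placeholder.

```powershell
# Added example (not from the article): verify that a retired DC left no
# metadata behind. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Test-DcMetadataRemoved {
    param([Parameter(Mandatory)][string]$OldDc)

    $configNC = (Get-ADRootDSE).configurationNamingContext
    $domainDN = (Get-ADDomain).DistinguishedName
    $leftovers = @()

    # Step 6, Sites and Services side: the server object under CN=Sites is
    # the parent of the NTDS Settings object and must be gone.
    $server = Get-ADObject -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
    if ($server) {
        $leftovers += "Server object still present: $($server.DistinguishedName)"
        $children = Get-ADObject -SearchBase $server.DistinguishedName -SearchScope OneLevel -Filter *
        foreach ($c in $children) {
            if ($c.ObjectClass -eq 'nTDSDSA') {
                $leftovers += "NTDS Settings object still present: $($c.DistinguishedName)"
            } else {
                # Per the note above: a non-NTDS child means an application still
                # uses this server object, so it must NOT simply be deleted.
                $leftovers += "Application child object found (keep server object): $($c.DistinguishedName)"
            }
        }
    }

    # Step 6, Users and Computers side: no computer account may remain in
    # the Domain Controllers container for the removed DC.
    $computer = Get-ADObject -SearchBase "OU=Domain Controllers,$domainDN" `
        -LDAPFilter "(&(objectClass=computer)(cn=$OldDc))"
    if ($computer) {
        $leftovers += "Computer object still present: $($computer.DistinguishedName)"
    }

    [pscustomobject]@{
        DomainController = $OldDc
        Clean            = ($leftovers.Count -eq 0)
        Leftovers        = $leftovers
    }
}

# Constructed server name; replace with the DC you removed.
Test-DcMetadataRemoved -OldDc 'OLDDC01'
```

Clean is $true only when neither the server object, its NTDS Settings object, nor the computer account can be found; Leftovers lists exactly what still needs attention.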
