How to Demote A Domain Controller on Windows Server?

You can remove the domain controller using the Server Manager


Key notes

  • To demote a domain controller, it is essential to end all the services running on the server before shutting down the server. 
  • This guide covers two methods, each with step-by-step instructions.

The domain controller is a server that manages the authentication and authorization of users and computers on a Windows server. If you are looking for a way to demote a domain controller to remove it from the domain or modify its role in the network, look no further. 

To demote a domain controller, you need to remove the Active Directory Domain Services role and return the machine to a member server.

Here, in this blog, we will discuss two scenarios and step-by-step instructions to complete the work. Let’s get started! 

How can I demote a domain controller on Windows Server?

Before moving to the methods to demote a domain controller, make sure you perform these checks: 

  • If you have Windows Server 2003 or earlier, clean up the metadata using the ntdsutil command.
  • Close all the services running on the server before shutting down the server. 

Once done, follow either of these methods to demote the domain controller on Windows Server 2008, 2016, and 2018.

1. Use the Server Manager 

  1. Go to the search bar and click the Server Manager. 
  2. Select Manage and then click Remove Roles and features.
  3. On the navigation pane, select AD DS or All Servers. Then, go to the Roles and Features section.
  4. Now, select and right-click the Active Directory Domain Services from the list and choose the Remove Role or Feature option.
  5. On the Before you begin page, click Next.
  6. Now on the Server Selection page, choose the server you want to demote and click Next.
  7. Remove the checkmark next to Active Directory Domain Services on the Server Roles page.
  8. On the Remove features that require Active Directory Domain Services page, click Remove features.
  9. Click on Demote this domain controller and then OK.
  10. On the next screen, remove the checkmark beside Force the removal of this domain controller. Click Next. 
  11. You can change the Credentials on the next screen and click Next.
  12. On the Warnings screen, place a checkmark beside Proceed with removal and click Next. 
  13. Now on the Removal Options page, select Remove DNS delegation if you have DNS delegation. Click Next.
  14. On the New Administrator Password window, enter the password in the Password and Confirm Password fields and click Next.
  15. Now on the Review Options page, click Demote.
Tip
If there are additional domain controllers to remove, you can click View script to generate a PowerShell script to automate the steps. 
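
The same graceful demotion can be scripted with the ADDSDeployment cmdlets. The following is an added example, not the script that View script generates and not code from the original article. It assumes an elevated session on the domain controller being demoted, with the ActiveDirectory module installed, and its parameter choices mirror the wizard selections above as closely as the cmdlet allows.

```powershell
# Added example: pre-checks plus a scripted, non-forced demotion.
Import-Module ActiveDirectory, ADDSDeployment

$dc = Get-ADDomainController -Identity $env:COMPUTERNAME

# Surface roles that move or disappear with this DC before changing anything.
if ($dc.OperationMasterRoles.Count -gt 0) {
    Write-Warning "Holds FSMO roles: $($dc.OperationMasterRoles -join ', ')"
}
if ($dc.IsGlobalCatalog) {
    Write-Warning 'This DC is a global catalog; confirm another GC serves its site.'
}

# Replication should be clean so recent changes are not lost with the demotion.
repadmin /showrepl $env:COMPUTERNAME /errorsonly

# Password for the local Administrator account of the resulting member server.
# Prompted as a SecureString so it never lands in the script or shell history.
$localAdminPw = Read-Host -AsSecureString -Prompt 'New local Administrator password'

$demoteArgs = @{
    Credential                 = Get-Credential -Message 'Account allowed to demote this DC'
    LocalAdministratorPassword = $localAdminPw
    DemoteOperationMasterRole  = $true   # continue even if roles are found on this DC
    RemoveDnsDelegation        = $true   # only relevant if a DNS delegation exists
}

# Dry run: the same prerequisite checks the wizard performs, without changes.
$check = Test-ADDSDomainControllerUninstallation @demoteArgs
$check | Format-List Context, Status, Message
if ($check | Where-Object { "$($_.Status)" -ne 'Success' }) {
    throw 'Prerequisite check did not return Success; review the messages above.'
}

# -ForceRemoval is deliberately omitted (wizard step 10); without -Force the
# cmdlet asks for confirmation. The server restarts when demotion completes.
Uninstall-ADDSDomainController @demoteArgs

# After the restart, remove the role binaries from the member server:
# Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
```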

2. Use the manual method: If the server is dead or out of reach

2.1 Removing domain controller

  1. Press Windows + R to open the Run window.
  2. Type dsa.msc and press Enter to open Active Directory Users and Computers.
  3. Locate the Domain Controllers folder. Then, right-click the domain controller you want to remove and click Delete.
  4. Click Yes on the following prompt.
  5. On the Deleting Domain Controller page, place a checkmark next to Delete this Domain Controller anyway. It is permanently offline and can no longer be removed using the removal wizard. Click Delete.
  6. Click Yes. 

2.2 Remove the DC server instance

  1. Go to Server Manager, then click Tools.
  2. Select Active Directory Sites and Services.
  3. Expand the Sites, right-click the server you want to remove, and select Delete.
  4. Click Yes to confirm the action.

2.3 Remove metadata using Command Prompt

  1. Press Start and locate Command Prompt (Admin).
  2. Type the following command and press Enter: ntdsutil
  3. You will get a metadata cleanup prompt. Type the following command, replacing <servername> with the name of the targeted domain controller, and press Enter: remove selected server <servername>
  4. Click Yes to proceed.
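
Objects left behind after a manual removal keep pointing clients and replication partners at a machine that no longer exists, so it is worth confirming that the cleanup was complete. The read-only check below is an added example, not part of the original article. The name DC02 is a hypothetical placeholder, and it assumes the ActiveDirectory and DnsClient modules on a domain-joined management host.

```powershell
# Added example: look for anything that still references a manually removed DC.
Import-Module ActiveDirectory

$removedDc = 'DC02'   # hypothetical name of the deleted domain controller
$domain    = Get-ADDomain
$forest    = Get-ADForest
$configNc  = (Get-ADRootDSE).configurationNamingContext
$pattern   = "CN=$([regex]::Escape($removedDc)),CN=Servers,"
$findings  = @()

# 1. Server and NTDS Settings objects under Sites in the Configuration partition.
$findings += @(Get-ADObject -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter '(|(objectClass=server)(objectClass=nTDSDSA))' |
    Where-Object { $_.DistinguishedName -match $pattern } |
    ForEach-Object { "Configuration object: $($_.DistinguishedName)" })

# 2. The computer account itself (normally removed in section 2.1).
$findings += @(Get-ADComputer -Filter "Name -eq '$removedDc'" |
    ForEach-Object { "Computer account: $($_.DistinguishedName)" })

# 3. FSMO roles still assigned to the removed DC; these must be seized elsewhere.
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$findings += @($roles.GetEnumerator() |
    Where-Object { $_.Value -like "$removedDc.*" } |
    ForEach-Object { "FSMO role still assigned: $($_.Key)" })

# 4. DC locator SRV records that still advertise the removed host.
$srv = Resolve-DnsName -Type SRV -ErrorAction SilentlyContinue `
    -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)"
$findings += @($srv | Where-Object { $_.NameTarget -like "$removedDc.*" } |
    ForEach-Object { "DNS SRV record: $($_.Name) -> $($_.NameTarget)" })

if ($findings.Count -gt 0) { $findings }
else { "No remaining references to $removedDc found." }
```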

How long does it take to demote a domain controller?

Usually, it takes a couple of minutes to demote a domain controller. However, the exact time can’t be stipulated as it depends upon various things, including the number of domain controllers, the size of Active Directory, and available network bandwidth.

So, these are two methods that you can use to demote the domain controllers you want. Try any of them and let us know which way worked for you in the comments section below.
