Skip to main content

Now that you have a new Domain Controller running in Active Directory, it’s time to demote the old Domain Controller. There are two options to remove a Domain Controller. It depends on whether the Domain Controller is accessible or not. In this article, you will learn how to remove a Domain Controller step-by-step.

Domain Controller removal options

The preferred method to demote a Domain Controller is using Server Manager or PowerShell. Which one you choose is up to you. They are, in the end, the same. But there are times when the Domain Controller can’t boot anymore, and you can’t bring it back up anymore. Then, you must choose the method to remove it manually.

To make it easier, you have the below options:

  • Option 1: Domain Controller is accessible – Remove the Domain Controller with Server Manager or PowerShell.
  • Option 2: Domain Controller is NOT accessible – Remove the Domain Controller manually.

Let’s look at both options to delete a Domain Controller in Active Directory and its cleanup process.

Remove Domain Controller with Server Manager

To demote a Domain Controller using Server Manager, go through the below steps:

Step 1. Move FSMO roles (optional)

The FSMO roles will automatically move to another Domain Controller when you remove the Domain Controller through the removal wizard. If you would like tomove the FSMO roles and not let the uninstall process do it automatically for you, you can do so.

The DC02-20222 in the below command is the target Domain Controller hostname where we will transfer the FSMO roles too.

Move-ADDirectoryServerOperationMasterRole "DC02-2022" -OperationMasterRole 0,1,2,3,4 -Force -Confirm:$false

Step 2. Test Domain Controller uninstallation

An excellent way is to run the Test-ADDSDomainControllerUninstallation cmdlet before you start with the Domain Controller removal. This will check and alert if everything is set or if there are any issues.

Test-ADDSDomainControllerUninstallation

If the above command doesn’t work, run the below command.

Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword (Read-Host -Prompt "password" -AsSecureString)

Fill in the local admin password and confirm it again.

LocalAdministratorPassword: ************
Confirm LocalAdministratorPassword: ************

In our example, the below output shows the status Succes. So, everything looks good, and we can proceed further.

Message                          Context                                  RebootRequired  Status
-------                          -------                                  --------------  ------
Operation completed successfully Test.VerifyDcPromoCore.DCPromo.General.1          False Success

Step 3. Demote Domain Controller

In our example, we will remove Domain Controller DC01-2019.

  1. Open Server Manager
Open Server Manager
  1. Click on Manage and select Remove Roles and Features
Remove Roles and Features
  1. Select Next
Before you begin in Remove Roles and Features Wizard
  1. Select the server from the pool and click Next
Select Domain Controller as destination server
  1. Clear the checkbox Active Directory Domain Services
Clear the checkbox Active Directory Domain Services
  1. Click Remove Features
Remove Features that require Active Directory Domain Services
  1. Click on Demote this domain controller
Demote this domain controller from the wizard
  1. Supply the admin credentials if needed and click Next

Note: Do NOT select the option Force the removal of this domain controller and leave it unchecked.

Fill in administrator credentials
  1. Check Proceed with removal and click Next
Proceed with Domain Controller removal
  1. Enter a new administrator password for the local administrator account after the Domain Controller is demoted
Fill in new administrator password for the server
  1. Click on Demote
Review options to remove Active Directory Domain Services from this computer
  1. The server will go through the demotion process
Demotion Domain Controller in progress
  1. Once the demote is done, the Windows Server will restart automatically

Step 4. Remove Active Directory Domain Services role

After the restart, you need to remove the ADDS role with the below steps:

  1. Open Server Manager
  2. Click on Manage and select Remove Roles and Features
  3. Select the server from the pool and click Next
  4. Clear the checkbox Active Directory Domain Services
Clear the checkbox Active Directory Domain Services
  1. Click Remove Features
  1. Click Next
  1. Click Next
  1. Check the checkbox Restart the destination server automatically if required.
  1. The removal is in progress
  1. The Windows Server will restart and proceed further with the removal and finishes. Click Close.
  1. Shut down the server.

Step 5. Remove AD computer object

Once the server is shutdown, remove the AD computer object with the below steps:

  1. Sign in on another Domain Controller
  2. Start Active Directory Users and Computers
  3. Click in the menu on the Computers container
  4. Right-click the server and click Delete
  1. Confirm with Yes

You successfully deleted the AD computer object.

Step 6. Remove server from Active Directory Sites and Services

Remove the server from Active Directory Sites and Services with the below steps:

  1. Open Active Directory Sites and Services
  2. Expand Sites > Default-First-Site-Name > Servers
  3. Right-click the Server and select Delete
Remove Domain Controller from Active Directory Sites and Services
  1. Confirm with Yes

You successfully deleted the server from Active Directory Domain Services (ADDS).

Step 7. Remove DNS leftovers

There are leftovers in DNS after you remove the Domain Controller. Even if you have Setup DNS Aging and Scavenging in Active Directory. That’s because it will remove the stale dynamic DNS records and not the stale static DNS records.

You can go through every zone in DNS Manager and remove the DNS records associated with the old Domain Controller. But that takes time.

The below script will clean up all stale records in DNS. It will go through DNS and search for the old Domain Controller FQDN, Hostname, and IP address. You only have to change lines 1, 2, and 3.

Suppose you kept the same IP address for the new Domain Controller, and only want to check for the old FQDN and Hostname in DNS, uncomment line 3 in the script.

Note: The script has the -WhatIf parameter, so nothing will happen to the environment when you run the script. Once you identify the stale records, remove the -WhatIf parameter and rerun the script.

$ServerFQDN = "dc01-2019.exoip.local." #Keep the dot (.) at the end
$ServerHostname = "dc01-2019"
$IPAddress = "192.168.1.51"

$Zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Primary" } |
Select-Object -ExpandProperty ZoneName

foreach ($Zone in $Zones) {
    Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object { 
        $_.RecordData.IPv4Address -eq $IPAddress -or
        $_.RecordData.NameServer -eq $ServerFQDN -or
        $_.RecordData.DomainName -eq $ServerFQDN -or
        $_.RecordData.HostnameAlias -eq $ServerFQDN -or
        $_.RecordData.MailExchange -eq $ServerFQDN -or
        $_.HostName -eq $ServerHostname
    } | Remove-DnsServerResourceRecord -ZoneName $Zone -Force -WhatIf
}

You successfully did demote a Domain Controller from Active Directory and followed the necessary cleanup steps afterward.

Remove Domain Controller manually

When you can’t start a Domain Controller anymore, you must manually remove it.

The above steps are the proper way to remove a Domain Controller from Active Directory when you can access it. There are situations when the Domain Controller server crashes, and you can’t bring it up anymore. This requires manual removal of the Domain Controller from Active Directory.

Note: Do the below steps if you have Windows Server 2008 R2 and higher.

Go through the below steps to force remove a Domain Controller:

Step 1. Move FSMO roles (optional)

The FSMO roles will automatically move to another Domain Controller when you remove the Domain Controller through the removal wizard. If you would like to move the FSMO roles and not let the uninstall process do it automatically, you can do so.

The DC02-20222 in the below command is the target Domain Controller hostname where we will transfer the FSMO roles too.

Move-ADDirectoryServerOperationMasterRole "DC02-2022" -OperationMasterRole 0,1,2,3,4 -Force -Confirm:$false

Step 2. Force delete Domain Controller computer object

Remove the AD computer object with the below steps:

  1. Sign in on another Domain Controller
  2. Open Active Directory Users and Computers
  3. Click in the menu on the Domain Controllers Organizational Unit
  4. Right-click the server and click Delete
Delete Domain Controller GC
  1. Select Yes to confirm the computer object deletion
  1. Check the checkbox Delete this Domain Controller anyway. It’s permanently offline and can no longer be removed using the removal wizard
Deleting Domain Controller
  1. Confirm with Yes
  1. Select OK if you get a warning message about the FSMO roles that need to be moved to a new server
Delete Domain Controller FSMO roles move

You successfully deleted the Domain Controller.

Step 3. Remove server from Active Directory Sites and Services

Remove the server from Active Directory Sites and Services with the below steps:

  1. Open Active Directory Sites and Services
  2. Expand Sites > Default-First-Site-Name > Servers
  3. Right-click the Server and select Delete
Remove Domain Controller from Active Directory Sites and Services
  1. Confirm with Yes

You successfully deleted the server from Active Directory Domain Services (ADDS).

Step 4. Remove DNS leftovers

There are leftovers in DNS after you remove the Domain Controller. Even if you have Setup DNS Aging and Scavenging in Active Directory. That’s because it will remove the stale dynamic DNS records and not the stale static DNS records.

You can go through every zone in DNS Manager and remove the DNS records associated with the old Domain Controller. But that takes time.

Domain Controller leftovers DNS Manager

The below script will clean up all stale records in DNS. It will go through DNS and search for the old Domain Controller FQDN, Hostname, and IP address. You only have to change lines 1, 2, and 3.

Suppose you kept the same IP address for the new Domain Controller, and only want to check for the old FQDN and Hostname in DNS, uncomment line 3 in the script.

Note: The script has the -WhatIf parameter, so nothing will happen to the environment when you run the script. Once you identify the stale records, remove the -WhatIf parameter and rerun the script.

$ServerFQDN = "dc01-2019.exoip.local." #Keep the dot (.) at the end
$ServerHostname = "dc01-2019"
$IPAddress = "192.168.1.51"

$Zones = Get-DnsServerZone | Where-Object { $_.ZoneType -eq "Primary" } |
Select-Object -ExpandProperty ZoneName

foreach ($Zone in $Zones) {
    Get-DnsServerResourceRecord -ZoneName $Zone | Where-Object { 
        $_.RecordData.IPv4Address -eq $IPAddress -or
        $_.RecordData.NameServer -eq $ServerFQDN -or
        $_.RecordData.DomainName -eq $ServerFQDN -or
        $_.RecordData.HostnameAlias -eq $ServerFQDN -or
        $_.RecordData.MailExchange -eq $ServerFQDN -or
        $_.HostName -eq $ServerHostname
    } | Remove-DnsServerResourceRecord -ZoneName $Zone -Force -WhatIf
}

You successfully did force remove a Domain Controller from Active Directory manually and followed the necessary cleanup steps afterward.

Verify Domain Controller health

Now that the old Domain Controller is removed, it’s good to check the new Domain Controller health.

That’s it!

Leave a Reply