To demote a domain controller

Xavier Mustin

Administrator
Staff member
#1
  1. Demote a Windows Server 2003 R2 Domain Controller

    May 9, 2011​
    by iso_admin
    You may come across certain moments in your IT life managing Active Directory, where you need to remove a Windows Server 2003 R2 Domain Controller from your network. However, you cannot remove the server from the network just by unplugging the network cable or shutdown the server because this will leave orphan objects in your domain. This article describes the important notes and steps to accomplish this tasks.
    To remove a Domain Controller from the network,
    1. You will have to demote the server to a member server.
    2. Disjoin the member server from the domain.
    3. Remove the server from the network.
    However, before performing such tasks, there is a little data gathering that needs to be done. You need to note the following:
    1. Is the server the last Domain Controller in the domain? – This means once removed, the domain will no longer exists and any objects associated with the domain will be deleted.
    2. Is the server acting as the only Global Catalog Server? – It is crucial that each domain have at least on Global Catalog Server. So before you remove this Domain Controller, you need to make sure that the domain contains another Global Catalog server.
    3. Does the server hosts Operation Master (FSMO) roles? – It is important to note down any FSMO roles assigned to the Domain Controller before removing it from the network. When the server is being demoted, any FSMO roles are transferred to another Domain Controller in the domain. Thus we need to verify if this was done correctly.
    4. Does the server hosts any other Server Roles? – If the server hosts any other roles, removing the server from the network may cause certain services to stop working. It is important to migrate these roles any other Server Roles from the Domain Controller before demoting the server.
    For our demo, we have two Domain Controllers in our itserveronline.local domain, namely SRVPDC (Windows Server 2003 R2) and SRVPDC2008R2 (Windows Server 2008 R2). We are going to remove the SRVPDC server from the network. We notice that this is not the last Domain Controller in the domain and thus the demotion process will convert the Domain Controller to a member server. Therefore, we need to ensure that the member server will have the DNS settings needed to be able to find and communicate to another directory service server (SRVPDC2008R2). The picture below shows the alternate DNS configuration set (192.168.1.65), which is the IP address of SRVPDC2008R2.

    The SRVPDC server is also the FSMO role holder for all the 5 roles, as shown below. Thus we need to ensure that these roles are transferred.

    We now proceed to demote the server. To demote the server,
    • Go to Start and select Run.
    • In the Open textbox, type dcpromo.
    • Click Next on the Welcome Page. If the server is a Global Catalog server, a warning appears asking you to make sure that another Global Catalog server exists. Once confirmed, Click OK.

    • The next page is the Remove Active Directory page. This is the important and critical page where you decide whether to remove the domain or not. If this was your last Domain Controller, you would have checked the option “This is the last domain controller in the domain” and the domain would have been removed completely. However, this is not the case with our demo, since SRVPDC2008R2 still exists. Thus we leave the option unchecked and click Next.

    • The Administrator Password page follows where we need to specify a password for the Local Administrator account. Type in a password and click Next.

    • On the Summary page, it clearly mentions that when the process is complete, the server will be a member of the existing domain. Click Next to launch the Active directory Installation Wizard.

    • Once the process completes,click in the Finish button and restart the server. Note that the server is now a member server and will have the ability to log in to the domain. The picture below shows the login page after reboot.

    • Once logged in, we verify the FSMO roles. We can see below, that the roles have been transferred.


    Once the server is demoted to a member server, we now need to determine whether to leave it as a member server or to disjoin it from the domain, based on other factors discussed above.
    So we are done! We have successfully removed a Domain Controller hosting Windows Server 2003 R2 from the network.
    We hope that our article has been and will be in good help to you.
 
Haut