If you have a domain controller that is no longer on the network, hasn’t replicated during the forest’s tombstone lifetime, or has been cleaned up in Active Directory via metadata cleanup, you’ll need to do a forced demotion in order to get the server back to a normal state. The procedure to do this varies depending on whether the server in question is running Windows Server 2012 or newer, or if it’s running a prior version of Windows Server.
Windows Server 2012 and Newer (PowerShell)
The easiest way to forcefully demote a Windows Server 2012 (or newer) domain controller is with the Uninstall-ADDSDomainController PowerShell cmdlet.
- Launch an elevated PowerShell prompt. You can do this by right-clicking the PowerShell icon pinned to the taskbar.
- Next, run the following PowerShell command. You will be prompted to provide a local administrator password to be used after the server reboots. The cmdlet will provide some progress information prior to rebooting the server.
Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole
- Once the server reboots, log in with the local administrator password you provided in the previous step. The server is now in a workgroup. If desired, you can safely promote the server back into service as a domain controller.
Windows Server 2008 R2 and Older (DCPromo)
Versions of Windows prior to Windows Server 2012 do not have a convenient PowerShell cmdlet for forceful demotion of a domain controller. Instead, you must run the DCPromo wizard with the /forceremoval command-line switch.
- From the Run dialog, enter “dcpromo /forceremoval”.
- If the domain controller holds any FSMO roles, you will receive a warning for each role. Following the completion of this process, you must seize these FSMO roles on new domain controller(s) to ensure that your forest continues to function correctly.
[Screenshots: RID Master, PDC Emulator, Infrastructure Master, Domain Naming Master and Schema Master warnings]
- If the domain controller is a global catalog or a DNS server, you will also be warned. In the case of DNS, make sure no clients are still pointed at this server for DNS resolution before proceeding.
[Screenshots: DNS Server and Global Catalog warnings]
- Once any necessary warnings have been displayed, the wizard will start.
- You must supply a new local administrator password. This password will be used to log in to the server following the completion of the forced demotion process. It must comply with the domain password policy that applies to the domain controller.
- Once you’re sure you want to proceed, click Next to begin the process.
- The demotion process will take some time to complete. The progress dialog provides information about what task is currently being performed, but no indication of overall progress.
- If you didn’t check Reboot on completion, the wizard will let you know when it’s done.
Once the server reboots, you should immediately seize any FSMO roles the demoted server previously held on a remaining domain controller and perform a metadata cleanup. You can then safely promote the server back to domain controller status if desired.
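The FSMO seizure step described above, as an added example that is not part of the original post. It assumes the demoted server is DC01, the surviving domain controller that will take over its roles is DC02, and the ActiveDirectory RSAT module is available where the script runs; it seizes only the roles that AD still attributes to DC01 and verifies the result before you move on to metadata cleanup.

```powershell
# Added example (not from the original post). Run on the surviving DC or an admin
# workstation after the forced demotion. DC01 (assumed hostname) is offline, so
# every query is directed at DC02 (assumed hostname of the surviving DC).
Import-Module ActiveDirectory

$deadDc   = 'DC01'   # assumption: hostname of the forcibly demoted DC
$targetDc = 'DC02'   # assumption: DC that will seize the roles
$domain   = Get-ADDomain -Server $targetDc
$forest   = Get-ADForest -Server $targetDc

# Map each FSMO role to the DC that the directory still believes holds it.
$roleHolders = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# Only roles still registered to the dead DC need to be seized; the values are
# FQDNs, so match on the short hostname prefix as well as an exact name.
$toSeize = $roleHolders.GetEnumerator() |
    Where-Object { $_.Value -eq $deadDc -or $_.Value -like "$deadDc.*" } |
    ForEach-Object { $_.Key }

if ($toSeize) {
    Write-Host "Seizing on $targetDc : $($toSeize -join ', ')"
    # -Force seizes rather than transfers, because the old holder cannot be reached.
    Move-ADDirectoryServerOperationMasterRole -Identity $targetDc `
        -OperationMasterRole $toSeize -Force -Confirm:$false
} else {
    Write-Host "No FSMO roles are registered to $deadDc; nothing to seize."
}

# Confirm every role now points at a live DC before performing metadata cleanup.
Get-ADDomain -Server $targetDc | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest -Server $targetDc | Select-Object SchemaMaster, DomainNamingMaster
```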