    How to demote a Domain Controller (DC) in Windows Server 2012 Active Directory Domain Services (AD DS)

    In this blog we will explore how to demote a domain controller in Windows Server 2012 Active Directory Domain Services (AD DS).

    In previous versions of Windows Server you demoted a domain controller with the DCPROMO.exe utility. In Windows Server 2012 DCPROMO is deprecated.

    In Windows Server 2012 you use either Server Manager or PowerShell to demote the DC. In this blog I will use the Server Manager GUI. So let's get started.

    To demote a DC from AD DS, use Server Manager to remove the Active Directory Domain Services role:

    Launch Server Manager, open the Manage drop-down menu and select Remove Roles and Features.

    1. Review the Before You Begin page and click Next.
    2. On the Select installation type page, ensure the Role-based or feature-based installation radio button is selected and click Next.
    3. On the Select destination server page, select the server to demote from the Server Pool and click Next.

    Note:  Server Manager in Windows Server 2012 can install and remove roles and features remotely, so the server you select here does not have to be the one you are logged on to.

    4. On the Remove server roles page, clear the Active Directory Domain Services check box.
    5. The Remove features that require Active Directory Domain Services dialog box appears; click Remove Features.
    6. The Validation Results box appears with the message "The domain controller must be demoted before continuing." Click Demote this domain controller.

    7. On the Active Directory Domain Services Configuration Wizard Credentials page, enter the credentials required to demote this server and click Next.

    Note:  To demote a replica domain controller you must be at least a Domain Admin. To remove an entire domain from the forest (by demoting the last DC in that domain) or to demote the last DC in the forest you must provide Enterprise Admin credentials.

    Note:  Select Force the removal of this domain controller only if the DC cannot communicate with the remaining DCs. A forced removal leaves the DC's metadata in the directory, and that metadata must then be cleaned up manually on a surviving DC.

    8. On the New Administrator Password page, enter and confirm the new local Administrator account password and click Next.

    9. On the Review Options page, verify the information is correct and click Demote.

    This begins the demotion process. To finish the demotion the server restarts automatically.

    Note:  When the server restarts it is a member server of the domain in which it was previously a domain controller. Log on with a domain account or with the local Administrator password you set on the New Administrator Password page; the old directory-based Administrator password no longer applies to the local account.

    Note:  The AD DS binaries are still installed on the server. If this server is not going to be promoted back to a domain controller in the future, rerun the Remove Roles and Features Wizard after the restart to remove the AD DS role from the server.
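    The same demotion driven from PowerShell, as an added example that is not part of the original post. It uses the ADDSDeployment module's Test-ADDSDomainControllerUninstallation and Uninstall-ADDSDomainController cmdlets (the PowerShell route the post mentions but does not show). The credential prompt, the password prompt and the assumption that any FSMO roles should simply be moved off this DC are illustrative; adjust them for your environment.

```powershell
# Added example (not from the original post): demote this DC with the
# ADDSDeployment cmdlets instead of the Server Manager wizard.
# Run in an elevated PowerShell session on the DC being demoted.
Import-Module ADDSDeployment

# Domain Admin is enough for a replica DC; Enterprise Admin is required for
# the last DC of a domain or forest (same rule as the wizard's Credentials page).
$cred = Get-Credential -Message "Account used to demote this DC"

# Password the local Administrator account will have after the reboot.
$localAdminPw = Read-Host -AsSecureString -Prompt "New local Administrator password"

# Dry run: performs the wizard's validation without changing anything.
$check = Test-ADDSDomainControllerUninstallation `
    -Credential $cred `
    -LocalAdministratorPassword $localAdminPw `
    -DemoteOperationMasterRole

if ($check.Status -ne "Success") {
    $check.Message
    throw "Prerequisite check failed; fix the reported issue before demoting."
}

# Real demotion. -DemoteOperationMasterRole lets any FSMO roles this DC holds
# be transferred to another DC. -NoRebootOnCompletion is deliberately omitted,
# so the server restarts by itself exactly as the wizard does.
Uninstall-ADDSDomainController `
    -Credential $cred `
    -LocalAdministratorPassword $localAdminPw `
    -DemoteOperationMasterRole `
    -Force

# After the reboot the server is a member server, but the AD DS binaries are
# still present. Run this on the (now member) server to remove the role itself:
#   Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -Restart
```

Do not add -ForceRemoval here; it is the scripted equivalent of the wizard's Force the removal check box and only belongs on a DC that can no longer reach any other DC.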

    Verifying the Removal of AD DS

    1. Log on to the server hosting the DNS service for the domain using Administrator account credentials.
    2. Launch the DNS console and verify that the service (SRV) records for the removed domain controller have been deleted (for example under _msdcs.<domain> and _tcp.<domain>).

    Active Directory Domain Services has now been removed from this server.
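    A scripted version of the verification above, as an added example that is not part of the original post. It runs from a surviving DC or any machine with the AD DS and DNS Server RSAT modules; the domain name corp.example.com and the demoted DC name DC02 are placeholders. It goes beyond the DNS console check: it confirms the DC is no longer listed, that the DC-locator SRV records no longer point at it, that its computer account is an ordinary member server again, and that no server object for it remains in the configuration partition.

```powershell
# Added example (not from the original post): verify a demoted DC is gone.
# Assumptions: domain corp.example.com, demoted DC DC02; adjust both.
Import-Module ActiveDirectory
$domain = "corp.example.com"
$dcName = "DC02"
$problems = @()

# 1. The DC should no longer be in the domain's DC list.
if (Get-ADDomainController -Filter "Name -eq '$dcName'" -Server $domain) {
    $problems += "$dcName is still listed by Get-ADDomainController"
}

# 2. No DC-locator SRV records should target the old host
#    (the DNS console check from the post, scripted).
$srvNames = "_ldap._tcp.dc._msdcs.$domain",
            "_kerberos._tcp.dc._msdcs.$domain",
            "_gc._tcp.$domain"
foreach ($n in $srvNames) {
    $stale = Resolve-DnsName -Name $n -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget -like "$dcName.*" }
    if ($stale) { $problems += "stale SRV record $n -> $($stale.NameTarget)" }
}

# 3. The computer account should be an ordinary member server again
#    (primary group Domain Computers, not Domain Controllers).
$acct = Get-ADComputer -Filter "Name -eq '$dcName'" -Properties PrimaryGroup -Server $domain
if ($acct -and $acct.PrimaryGroup -like "CN=Domain Controllers,*") {
    $problems += "$dcName still has Domain Controllers as its primary group"
}

# 4. The server object under CN=Sites should be gone. If it remains, the
#    demotion was forced (or failed) and the metadata must be cleaned up.
$config = (Get-ADRootDSE -Server $domain).configurationNamingContext
$srvObj = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$dcName'" `
    -SearchBase "CN=Sites,$config" -Server $domain
if ($srvObj) { $problems += "server object still present: $($srvObj.DistinguishedName)" }

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"OK: no trace of $dcName found in $domain"
```

Run it a few minutes after the reboot so that DNS scavenging and replication have had a chance to catch up; a stale SRV record that persists for hours, or a surviving server object, is the signal that manual cleanup is needed.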

    Until then, RIDE SAFE!

    Rick Trader
    Windows Server Instructor – Interface Technical Training
    Phoenix, AZ

    See what people are saying...

    1. Mohd Zarul Azali

      Hi, I want to ask: my standalone Windows Server 2012 now cannot log in after restart. It says “the security database on the server does not have a computer account workstation trust relationship”. When I go into Server Manager via a CMD login (utilman.exe) and look up the AD DS services, after I click the AD DS tab it says “Naming information cannot be located because: The username or password is incorrect”.
      Can anybody solve this for me? I have been looking for an answer for about a month but still can't find anything... please.

    2. Alessandro

      Can you please tell me how to remove a domain replica server without having issues? That second server is offline, but the replica configuration is still active in the first DC.
      Thank You,

    3. tarkan

      What will happen in case of a disaster in the forest... schema corruption, and you run the disaster recovery process, build up the domains from backup in isolation and in parallel remove the domain controllers in the forest, and here we run into the “new” problem:

      1. Logon is not possible as we have a corruption, even with RID 500.
      2. F8 Disaster Recovery Mode is no longer available unless you can log on to the system normally and execute shutdown -o -r to activate the mode again after 2x reboots... but we cannot log on!

      So, how can we now forcefully remove the roles from the domain controllers without reinstallation of the whole system?

      So, how can we use the DSRM account to log on when the system is not showing this option during boot, as safe mode is not usable for the removal of the roles!

    4. Sarrah

      I did all these steps, however when I log in to the read-only domain controller and type Remove-Computer -Restart into PowerShell it gives me an error: This machine is a domain controller and cannot be unjoined from a domain.

      How do I unjoin them?

    5. andrewcamary

      Hi Lucas,
      As others mentioned above, “If the domain controller is demoted using the demotion wizard there is no need to perform a Metadata cleanup manually. The domain controller is removed from the Metadata as part of the demotion.”
      If you are still required to perform metadata cleanup, you can follow the steps mentioned in the article below –

    6. Krishna Prasad

      Thanks a Lot. Really a wonderful article with step by step procedure!

    7. you know nothing john snow

      While virtualising one of our domain controllers, I had to demote it prior to converting it to a VM.
      There are still other DCs on the domain, so I just wanted to demote the server, convert it and promote it again. However, the DC I demoted couldn't connect to other DCs in the process, so I had to force the demotion. Do I have to do the metadata cleanup now? Or is it just fine, since I will bring the converted DC back online?
      I guess I will find out ;D

    8. flow

      DNS broke, couldn't fix it, tried to demote the DC to rebuild, couldn't as DNS was broken. Format time. I miss dcpromo /forceremoval.

    9. Assin Ontivi

      Not a good idea IMO to remove AD from a 2012 R2 server, even though it’s within your rights to do so. I’ve seen several problems with this. Just one, in my case, was the loss of interface IP addresses from DNS server – removing and re-installing the DNS server didn’t help. DNS server was rendered useless!

      Better to re-install the server without AD. You can run the install from within Windows, and it will move the prior Windows install to \windows.old, leaving the rest of your boot drive (and other drives) intact.


    11. bala

      Hi, I am having more doubts in Server 2012. Actually I demoted the domain controller and the system was restarted; after that restart I can't log in to Windows Server. I was stuck in the cmd prompt, I don't know why. I reinstalled my server again. Can anyone please tell me what the solution is without a reinstall, please?

    12. CS

      There are circumstances where you may need to do this: if the DC had an equipment failure and was down for an extended period or roles were seized, bringing the server up offline and force-removing, then metadata cleanup. Or if it was taken offline for DR testing, force removal then metadata cleanup.

    13. myk

      Just removed the AD DS role from my Server 2012 but can log in to the Administrator account with the same password again....

    14. saqib Rehman

      Thanks Mr. Rick, the information is very good and works properly.

    15. ThommyMac

      Great article. Sadly:
      “Second, if the domain controller can not communicate with other domain controllers or the normal demotion wizard fails and you have to run the demotion wizard in -force mode, you will have to manually perform a Metadata cleanup.”

      The DC in question can see the other DCs through network browsing AND they show up in the ‘pool’ for the All Servers function. It's a long story but I have to get this box off the network. I still enjoyed the article but was wondering why the box in question sees the objects in question but still insists I force it. I will force, then clean up, and will post how it went. Thanks

    16. Interface Technical Training

      If the domain controller is demoted using the demotion wizard there is no need to perform a Metadata cleanup manually. The domain controller is removed from the Metadata as part of the demotion.

      There are a couple of situations that may require you to manually perform a Metadata cleanup.

      First, if the domain controller fails and you were unable to run the demotion wizard (example you had to rebuild the computer operating system from scratch and had no backup).

      Second, if the domain controller cannot communicate with other domain controllers or the normal demotion wizard fails and you have to run the demotion wizard in -force mode, you will have to manually perform a Metadata cleanup.

      In most instances, using your desired tool, deleting the domain controller object in AD DS will remove the domain controller from the Metadata and a manual Metadata cleanup will not be required. This is supported in Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012. Before performing a manual Metadata cleanup try deleting the object first. You can then use NTDSUTIL.EXE to verify the domain controller no longer exists in the database.
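      A worked version of the forced-removal path described in the reply above, as an added example that is part of neither the original post nor the instructor's reply. It assumes the DC DC02 in domain corp.example.com (both placeholders) was demoted with -ForceRemoval and is now permanently gone, and runs the cleanup from a surviving DC: it locates the orphaned server object in the configuration partition, refuses to proceed while the dead DC is still recorded as an FSMO holder, hands the object's DN to ntdsutil's metadata cleanup, then re-queries to confirm it is gone (the NTDSUTIL verification the reply mentions).

```powershell
# Added example (not from the original post): clean up the metadata that a
# forced demotion leaves behind. Placeholders: domain corp.example.com, dead DC DC02.
#
# Step 0 runs on the unreachable DC itself, and only when it cannot reach any other DC:
#   Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
#       -LocalAdministratorPassword (Read-Host -AsSecureString) -Force
#
# Everything below runs on a surviving DC as a Domain Admin.
Import-Module ActiveDirectory
$dcName = "DC02"
$config = (Get-ADRootDSE).configurationNamingContext

# Locate the orphaned server object (CN=DC02,CN=Servers,CN=<site>,CN=Sites,...).
$srvObj = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$dcName'" `
    -SearchBase "CN=Sites,$config"
if (-not $srvObj) { throw "No server object for $dcName; nothing to clean up." }
$srvDN = $srvObj.DistinguishedName

# Any FSMO role still recorded against the dead DC must be seized first;
# ntdsutil will not remove a server that is still an operations master.
$domainInfo = Get-ADDomain
$forestInfo = Get-ADForest
$fsmoHolders = @(
    $domainInfo.PDCEmulator, $domainInfo.RIDMaster, $domainInfo.InfrastructureMaster,
    $forestInfo.SchemaMaster, $forestInfo.DomainNamingMaster
)
if ($fsmoHolders -match "^$dcName\.") {
    throw "$dcName still holds an FSMO role; seize it first with Move-ADDirectoryServerOperationMasterRole -Force."
}

# Remove the server object, its NTDS Settings child and the replication
# connections that reference it.
ntdsutil "metadata cleanup" "remove selected server $srvDN" quit quit

# Verify: the server object should now be gone from the configuration partition.
if (Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$dcName'" -SearchBase "CN=Sites,$config") {
    throw "Metadata cleanup did not remove $srvDN"
}
"Metadata for $dcName removed. Now delete any stale DNS records for it and, if it still exists, its computer account in the Domain Controllers OU."
```

      Only run this against a DC that will never come back; if the same server is later promoted again it gets a fresh NTDS Settings object, so there is nothing to reuse and leaving stale metadata only breaks replication topology generation in the meantime.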

    17. Lucas Garcia

      Thanks Rick!
      I was looking for an article on this topic. Is there any need to perform a metadata cleanup after these steps?
