
Demote Domain Controllers in Windows Server in PowerShell and GUI

This article shows you how to demote a domain controller in Windows Server. The method applies to Windows Server 2012 and later, up to Windows Server 2019 and Windows Server 2022.

You can undo a promotion to a domain controller in PowerShell as well as using the GUI configuration tools.

This article explains step by step how to uninstall AD DS using Server Manager or Windows PowerShell.

Error “The Active Directory domain controller needs to be demoted before the AD DS role can be removed”

If you want to remove the Active Directory components, you may first need to demote the server, that is, undo its promotion to a domain controller.

For example, when deleting Active Directory, you may encounter the following error:

Error
A prerequisite check for the AD-Domain-Services feature failed. 1. The Active Directory domain controller needs to be demoted before the AD DS role can be removed

To fix it, start by demoting the domain controller on the server. The steps are shown below.

Downgrading and Removing an Active Directory domain controller role Using PowerShell

To remove the Domain Controller role from a server, use the Uninstall-ADDSDomainController cmdlet. To remove Active Directory and the DNS server afterwards, use the Uninstall-WindowsFeature (Remove-WindowsFeature) cmdlet. Their options are listed below:

ADDSDeployment and ServerManager Cmdlets Arguments (Arguments in bold are required. Arguments in italics can be specified using Windows PowerShell or the AD DS Configuration Wizard.)

Uninstall-ADDSDomainController

  • -SkipPreChecks
  • -LocalAdministratorPassword
  • -Confirm
  • -Credential
  • -DemoteOperationMasterRole
  • -DNSDelegationRemovalCredential
  • -Force
  • -ForceRemoval
  • -IgnoreLastDCInDomainMismatch
  • -IgnoreLastDNSServerForZone
  • -LastDomainControllerInDomain
  • -NoRebootOnCompletion
  • -RemoveApplicationPartitions
  • -RemoveDNSDelegation
  • -RetainDCMetadata

Uninstall-WindowsFeature/Remove-WindowsFeature

  • -Name
  • -IncludeManagementTools
  • -Restart
  • -Remove
  • -Force
  • -ComputerName
  • -Credential
  • -LogPath
  • -Vhd

Note: The -Credential argument is only required if you are not already logged in as a member of the Enterprise Admins group or the Domain Admins group of the domain whose DC you are downgrading. The -IncludeManagementTools argument is required only if you want to remove all AD DS management utilities.

The following command downgrades the server from a domain controller to a regular server. The switches shown are those for the last domain controller in the domain:

Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -IgnoreLastDnsServerForZone:$true -LastDomainControllerInDomain:$true -RemoveDnsDelegation:$true -RemoveApplicationPartitions:$true -IgnoreLastDCInDomainMismatch:$true -Force:$true

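When the command runs, you are prompted for a password for the local administrator account. After the Domain Controller is removed, this account becomes the primary account and replaces the domain administrator.

You can also specify the password directly in the command using the following option. A password written this way is plain text in the command line, so it can be captured by shell history, transcripts or command-line logging: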

  • -localadministratorpassword (convertto-securestring "Password1" -asplaintext -force)

After executing the command, the computer will automatically reboot.
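
The same demotion with the password read from a prompt and the prerequisite checks run before anything is changed, as an added example that is not part of the original article. It assumes an interactive session on the domain controller with the ActiveDirectory module installed; the variable names are illustrative, and treating every result whose Status is not Success as blocking is this example's choice.

```powershell
$ErrorActionPreference = 'Stop'
Import-Module ADDSDeployment, ActiveDirectory

# Read the future local Administrator password as a SecureString instead of
# embedding it in the command text.
$pw      = Read-Host -AsSecureString -Prompt 'New local Administrator password'
$confirm = Read-Host -AsSecureString -Prompt 'Confirm password'
$toPlain = { param($s) (New-Object System.Net.NetworkCredential('', $s)).Password }
if ((& $toPlain $pw) -cne (& $toPlain $confirm)) { throw 'Passwords do not match.' }

# -LastDomainControllerInDomain removes the domain itself, so confirm that no
# other domain controller exists before passing it.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -ne 1) {
    throw "Found $($dcs.Count) domain controllers; this server is not the last one."
}

# Same switches as the command above, except that -Force and
# -IgnoreLastDCInDomainMismatch are left out: the cmdlet then asks for
# confirmation and reports a last-DC mismatch instead of suppressing it.
$demote = @{
    LocalAdministratorPassword   = $pw
    DemoteOperationMasterRole    = $true
    IgnoreLastDnsServerForZone   = $true
    LastDomainControllerInDomain = $true
    RemoveDnsDelegation          = $true
    RemoveApplicationPartitions  = $true
}

# Run only the prerequisite checks first; nothing is modified at this point.
$failed = Test-ADDSDomainControllerUninstallation @demote |
    Where-Object { "$($_.Status)" -ne 'Success' }
if ($failed) {
    $failed | Format-List Message, Context, Status
    throw 'Prerequisite checks did not pass; the server was not demoted.'
}

# Demote. The server reboots automatically when the operation completes.
Uninstall-ADDSDomainController @demote
```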

Use the following commands to remove Active Directory and DNS server:

Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Uninstall-WindowsFeature -Name DNS -IncludeManagementTools

The components (roles) were successfully removed, but a server restart is required for the changes to take effect:

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
True    Yes            SuccessRest... {Active Directory Domain Services, Group P...
WARNING: You must restart this server to finish the removal process.

Now let's look at removing roles and features through Server Manager.

Removing a Domain Controller in Server Manager

Press the “Windows” key on your keyboard and type “Server Manager” to search for the application, then open it.

Click “Manage” → “Remove Roles and Features”.

Click “Next”.

Select a server and click “Next”.

Find the item “Active Directory Domain Services” and uncheck the checkbox, then click “Next”.

In the window that opens, click “Remove Feature”.

Since this server is a Domain Controller, it is not possible to uninstall Active Directory Domain Services until the promotion to Domain Controller is canceled. Therefore, an error occurs:

Validation Results
The validation process found problems on the server from which you want to remove features. The selected features cannot be removed from the selected server. Click OK to select different features.

Validation Results, Server
The Active Directory domain controller needs to be demoted before the AD DS role can be removed.

To start the process of removing the Domain Controller, click on “Demote this domain controller”.

Check the “Proceed with removal” checkbox and click “Next”.

Check the “Last domain controller in the domain” checkbox and click “Next”.

Check the boxes “Remove this DNS zone (this is the last DNS server that hosts the zone)”, “Remove application partitions”, “Remove DNS delegation” and click “Next”.

Enter the password of the local administrator, under whose account you will be logged in after removing the domain controller, and click “Next”.

Check the summarized information and click the “Demote” button.

Wait for the domain controller demotion process to complete.

The computer will then automatically restart.

After rebooting the server, go to Server Manager again. In it, click “Manage” → “Remove Roles and Features”.

Click “Next”.

Select a server and click “Next”.

Find the item “Active Directory Domain Services” and uncheck the checkbox, then click “Next”. In the window that opens, click “Remove Feature”.

Then find the item “DNS Server” and uncheck the checkbox, then click “Next”. In the window that opens, click “Remove Feature”.

After removing all the features and roles that are no longer needed, click “Next”.

In the next window, the checkboxes corresponding to the auxiliary functions and snap-ins to be removed will already be cleared. Click “Next”.

On the confirmation page, click “Remove”.

Now you can close the wizard window.

