3.3. Demoting a Domain Controller


You want to demote a domain controller from a domain. If you want to decommission a domain controller due to lack of use or change in architecture, you’ll need to follow these demotion procedures.


Using a graphical user interface

  1. Run the dcpromo command from a command line or Start → Run.

  2. Click Next.

  3. If the server is the last domain controller in the domain, check the box beside “This server is the last domain controller in the domain.”

  4. Click Next.

  5. Type and confirm the password for the local Administrator account.

  6. Click Next twice to begin the demotion.


Before demoting a domain controller, ensure that all of the FSMO roles have been transferred to other servers; otherwise, they will be transferred to random domain controllers that may not be optimal for your installation. Also, if the server is a global catalog, ensure that other global catalog servers exist in the forest that can handle the load.

It is important to demote a server before decommissioning or rebuilding it so that its associated objects in Active Directory are removed, its DNS locator resource records are dynamically removed, and replication with the other domain controllers is not interrupted. If a domain controller does not successfully demote, or if you do not get the chance to demote it because of failed hardware, see Recipe 3.6 for manually removing a domain controller from Active Directory.
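The pre-demotion checks described above (FSMO role placement and global catalog coverage) can be scripted. The following is an added example, not code from the book: it assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session with read access to the directory. The function name `Test-DcDemotionReadiness`, its `-DcName` parameter, and the host `dc2.example.com` are hypothetical placeholders.

```powershell
# Added example, not from the book. Assumes the ActiveDirectory module (RSAT)
# and a domain-joined session with read access to the directory.
Import-Module ActiveDirectory

function Test-DcDemotionReadiness {                  # hypothetical helper name
    param([Parameter(Mandatory)][string]$DcName)     # DC you plan to demote

    $dc     = Get-ADDomainController -Identity $DcName
    $domain = Get-ADDomain -Identity $dc.Domain
    $forest = Get-ADForest -Identity $dc.Forest

    # Current holder of each FSMO role: two forest-wide, three per domain.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    $held = @($roles.GetEnumerator() |
        Where-Object { $_.Value -eq $dc.HostName } |
        ForEach-Object { $_.Key })

    # Global catalogs and writable DCs that remain once this server is gone.
    $otherGcs = @($forest.GlobalCatalogs | Where-Object { $_ -ne $dc.HostName })
    $otherDcs = @($domain.ReplicaDirectoryServers | Where-Object { $_ -ne $dc.HostName })

    # The last DC in a domain has no in-domain transfer target, so held roles
    # are only flagged when another writable DC exists to receive them.
    $blockers = @()
    if ($held.Count -gt 0 -and $otherDcs.Count -gt 0) {
        $blockers += "Transfer FSMO roles first: $($held -join ', ')"
    }
    if ($dc.IsGlobalCatalog -and $otherGcs.Count -eq 0) {
        $blockers += 'No other global catalog exists in the forest'
    }

    [pscustomobject]@{
        DomainController    = $dc.HostName
        FsmoRolesHeld       = $held
        OtherGlobalCatalogs = $otherGcs
        LastDcInDomain      = ($otherDcs.Count -eq 0)   # the checkbox in step 3
        Blockers            = $blockers
        Ready               = ($blockers.Count -eq 0)
    }
}

# dc2.example.com is a placeholder name.
Test-DcDemotionReadiness -DcName 'dc2.example.com'
```

The check only confirms that another global catalog exists; whether the remaining catalogs can handle the load still has to be judged separately.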

See Also

Recipe 3.6 for removing an unsuccessfully demoted domain controller, ...
