Demoting Domain Controller

Solution 1

Removing Active Directory (AD) from a Domain Controller (DC) in a single domain environment where there are other replica DCs is pretty easy. Be sure that the remaining DC is flagged as a Global Catalog (GC) server (visible in "Active Directory Sites and Services" in the properties for the "NTDS Settings" under the DC object). If it isn't, flag it as such, because you need at least one GC at all times.

Just be sure that the machine has as its first specified DNS server the IP address of another computer hosting a copy of the AD domain's DNS and run dcpromo.exe, taking the defaults (be sure NOT to specify that this is the last DC in the domain).

When you say "...we did the AD, WINS, File Server, DNS and DHCP roles. We are going to keep it as a file server and demote everything else.", however, you make me think that you're also looking at moving DHCP, DNS, and WINS off this machine. Removing the functionality those services provide involves some planning.

You can use the netsh dhcp server dump > dump-filename command to dump the DHCP server configuration into a text file (named "dump-filename", in this example) which can be imported onto a new DHCP server using netsh -f dump-filename.

You'll want to be sure that your DHCP scopes don't reference the DNS or WINS services provided by the machine you'll be removing the services from. You'll also want to be sure that machines with static IP configurations also don't reference these services.

You'll want to remove the WINS server from any replication configuration on other WINS servers.

Having said all this, you really should have at least two DCs at all times. Don't migrate to a configuration with a single DC.

Solution 2

Microsofts technet has a whole chapter on this. One would assume they know the 'right' way of doing this. See the chapter Steps for Removing AD DS.

However, if you are not sure of what and how to do this, then consider that you are messing with the core functionality of your network. Tread carefully. Double and triple check. (Or hire someone to do this for you).

Solution 3

Yes, that MS guide is the "correct" way to do it. Though, heed Hennes advice and tread very carefully and/or hire an experienced consultant to do it. (Oh, and make sure you have a functional backup of your domain first.) It's pretty easy, honestly, and I could do it in my sleep (as could anyone with a lot of AD experience), but you want someone around who knows about AD in the event something goes wrong.

Now, a bit of advice that's more useful than how to do demote a DC... DON'T DEMOTE YOUR DOMAIN CONTROLLER.

It's a very bad idea to only have one (which it sounds like what would happen if you demoted it). Having a second around provides redundancy and allows you to actually do things on your DCs (patches come to mind) without having downtime.

Also, why do you want to demote this at all? In general, as a sysadmin, you shouldn't be making changes for no reason. If there isn't a good reason to do something, don't do it. Why do you want to demote this DC, and what do you think you'll gain from doing it? I'd bet that even if this goes off smooth as silk, you'll be putting yourself in worse position than if you hadn't done it all, which should be plenty of reason to reconsider this action.

Related videos on Youtube

16 : 04

How to demote Windows Server 2012 R2 Domain Controller (Step by Step guide)

NLB Solutions

73

07 : 52

How to properly demote an Active Directory Domain Controller in Windows Server 2012 R2

Patrick Hornung

26

08 : 35

14. How To Remove Or Demote Additional Domain Controller(ADC) In Windows Server 2019

ITSmartTraining

7

10 : 36

How to Demote a Domain Controller running Windows Server 2016

Active Directory Pro

5

05 : 35

Demoting a Active Directory Domain Controller in Windows 2012 R2

MSFT WebCast

4

Author by

George

Updated on September 18, 2022