Decommissioning a broken Domain Controller
Sometimes we want to remove a Domain Controller from the network, but it is not possible: we get errors saying that the DC cannot be demoted. We are afraid to touch it because that server also hosts other services or data (which is not recommended; a DC should hold only the AD DS, DNS and possibly DHCP roles, to avoid overloading or corrupting the server). This situation is mostly found in small organizations where only a very few servers are available.
What can we do in this case, when formatting or reinstalling the server is not an option? We can use a special demotion mode for the Domain Controller when the normal demotion fails with an error message of this kind.
On the broken server, open the Run box and run dcpromo with an additional switch that allows the DC to be decommissioned. This switch is /forceremoval.
Log on to the faulty DC and type dcpromo /forceremoval
If the Domain Controller holds any of the FSMO roles, you will get warnings that you should transfer them to another server.
Unfortunately this is impossible, because the DC cannot contact any other Domain Controller in the network. In this case you have to seize the FSMO roles instead.
How to do that is described in another article at http://kpytko.wordpress.com/2011/08/28/seizing-fsmo-roles/
To continue, press “Yes” on each warning related to the FSMO roles. At the final step (if your DC also held the DNS role) you will be warned that after its removal you should fix the DNS server settings in your network configuration. If you didn’t do that beforehand, remember that you have to fix it after the DC demotion. Confirm that you are sure you want to remove the Active Directory services.
If your DC also held the Global Catalog, you will be warned to check that at least one GC remains available in the network, to prevent problems with logging on to the domain.
Now you should see the standard Active Directory Installation Wizard, which guides you through the decommissioning process. Follow its suggestions.
Before the process starts, there is one last notice: afterwards you have to do a metadata cleanup, because it will not be done automatically.
DNS also needs to be cleaned up after the DC demotion; click “OK”.
Now set up the local Administrator password, which will be necessary to log on to that server. The decommissioning process removes the Active Directory role from the server and makes it a domain member box.
After the role removal, reboot the server to fully complete the task:
on Windows Server 2003 you have to do it manually;
on Windows Server 2008/2008 R2 you can select a checkbox to reboot the server automatically.
Voila! Your DC has been decommissioned and is now a domain member server with all the other roles and data still on it. You can log on with the password specified during the demotion process.
Now you need to do the metadata cleanup, remove the DNS records related to that server and delete it from Sites and Services.
How to do the metadata cleanup is described in another article at
You can promote this server as a DC again, or change its name and use it only as a standard box in your network.
To clean up the DNS records, open the DNS management console and delete all records related to the removed Domain Controller. Next, run the Active Directory Sites and Services console and remove the server from the appropriate Site.
Confirm that you want to remove this object, and that’s it.
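As an added example that is not part of the original article, the following PowerShell function audits whether any traces of the force-removed DC are still left behind (a computer account still flagged as a DC, its server and NTDS Settings objects in Sites and Services, and DNS records still naming it), so the cleanup steps above can be verified before the old host is renamed or promoted again. It assumes the RSAT ActiveDirectory and DnsServer modules are installed on the machine you run it from; OLDDC, corp.example.com and DC1 are placeholder names.

```powershell
# Added example (not from the original article). Audits what is left of a force-removed DC.
# Assumes the RSAT ActiveDirectory and DnsServer modules; all names are placeholders.
function Get-DemotedDcLeftovers {
    param(
        [Parameter(Mandatory)][string]$OldDc,      # NetBIOS name of the force-removed DC
        [Parameter(Mandatory)][string]$Domain,     # AD DNS domain, e.g. corp.example.com
        [Parameter(Mandatory)][string]$DnsServer   # a surviving DNS server to query
    )
    Import-Module ActiveDirectory, DnsServer
    $fqdn     = "$OldDc.$Domain"
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $found    = New-Object System.Collections.Generic.List[object]

    # 1. A computer account still flagged as a DC (userAccountControl bit 0x2000 = SERVER_TRUST_ACCOUNT)
    #    keeps DC-level privileges alive for a host that nobody administers any more.
    Get-ADComputer -LDAPFilter "(&(sAMAccountName=$OldDc`$)(userAccountControl:1.2.840.113556.1.4.803:=8192))" |
        ForEach-Object { $found.Add([pscustomobject]@{ Kind = 'DC computer account'; Name = $_.DistinguishedName }) }

    # 2. Server object under Sites and Services. If it still has an NTDS Settings child, the metadata
    #    cleanup was not done; if not, only the manual removal in Sites and Services is still missing.
    Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" |
        ForEach-Object {
            $ntds = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)'
            $kind = if ($ntds) { 'NTDS Settings present (metadata cleanup not done)' } else { 'Server object only (remove in Sites and Services)' }
            $found.Add([pscustomobject]@{ Kind = $kind; Name = $_.DistinguishedName })
        }

    # 3. DNS records that still name the old host: A/NS in the domain zone, SRV records anywhere,
    #    and the DSA-GUID CNAME in _msdcs. Clients and replication partners would still be sent to it.
    foreach ($zone in $Domain, "_msdcs.$Domain") {
        # _msdcs may be a separate zone or just a subtree of the domain zone; the latter is already covered.
        Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue |
            Where-Object {
                ($_.RecordType -eq 'A'     -and $_.HostName -eq $OldDc) -or
                ($_.RecordType -eq 'NS'    -and $_.RecordData.NameServer    -like "$fqdn*") -or
                ($_.RecordType -eq 'SRV'   -and $_.RecordData.DomainName    -like "$fqdn*") -or
                ($_.RecordType -eq 'CNAME' -and $_.RecordData.HostNameAlias -like "$fqdn*")
            } |
            ForEach-Object { $found.Add([pscustomobject]@{ Kind = "DNS $($_.RecordType) record in $zone"; Name = $_.HostName }) }
    }
    return $found   # an empty result means the cleanup described above is complete
}

# Example invocation with placeholder names; replace them with your own.
Get-DemotedDcLeftovers -OldDc 'OLDDC' -Domain 'corp.example.com' -DnsServer 'DC1' | Format-Table -AutoSize
```

Run it from an account with rights to read the Configuration partition and the DNS zones; it only reads, so the findings can be reviewed before anything is deleted.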
Author: Krzysztof Pytko