Decommissioning broken Domain Controller


Sometimes we want to remove a Domain Controller from the network, but it is not possible: we see errors saying that the DC cannot be demoted. This is worrying because that server also hosts other services or data (which is not recommended; a DC should host only the AD DS, DNS and possibly DHCP roles, to avoid overloading or corrupting the server). This situation is mostly found in small organizations where only a very few servers are available.

What can we do in this case, when formatting or reinstalling the server is not an option? We can use a special demotion mode for the Domain Controller when we see an error message similar to this one:

decommissioning error

On this broken server, in the Run box, we need to run dcpromo with an additional switch to be able to decommission the DC. This switch is /forceremoval.

Log on to the faulty DC and type: dcpromo /forceremoval

forcing Domain Controller demotion

If the Domain Controller holds any of the FSMO roles, you will get a warning that you should transfer them to another server.

FSMO roles warning

Unfortunately this is impossible, because the DC cannot contact another Domain Controller on the network. In this case you have to seize the FSMO roles.

How to do that is described in another article at

To continue, press “Yes” on each warning related to the FSMO roles. At the final step (if your DC also held the DNS role) you will be warned that you should fix the DNS server settings in your network configuration after its removal. If you did not do that beforehand, remember that you have to fix it after the DC demotion. Confirm that you are sure you want to remove the Active Directory services.

DNS removal confirmation

If your DC also held the Global Catalog, you will be warned to check that at least one GC is still available in the network, to prevent problems with logging on to the domain.

Global Catalog removal confirmation

Now you should see the standard Active Directory Installation Wizard, which guides you through the decommissioning process. Follow its suggestions.

Active Directory Installation wizard

Before the process starts, there is one last piece of information: afterwards you have to perform metadata cleanup yourself, because it will not be done automatically.

Active Directory Installation wizard

DNS also needs to be cleaned up after the DC demotion; click “OK”.

Now set a local administrator password, which will be necessary to log on to that server. The decommissioning process removes the Active Directory role from the server and makes it a domain member box.

Setting local administrator password

After the role removal, reboot the server to fully complete the task.

On Windows Server 2003 you have to do it manually.

Reboot Windows Server 2003

On Windows Server 2008/2008 R2 you can select a checkbox to reboot the server automatically.

Reboot server

Voila! Your DC has been decommissioned and is now a domain member server, with all its other roles and data still on it. You can log on with the password specified during the demotion process.

A domain member server - Windows 2008

A domain member server - Windows 2003

Now you need to do the metadata cleanup, remove the DNS records related to that server and delete it from Sites and Services.

How to do metadata cleanup is described in another article at

You can promote this server as a DC again, or change its name and use it only as a standard box in your network.

To clean up the DNS records, open the DNS management console and delete all DNS records related to the removed Domain Controller. Next, run the Active Directory Sites and Services console and remove the server from the appropriate Site.

Sites and Services

Confirm that you want to remove this object, and that’s it.

Removing demoted DC from Sites and Services

It’s done.
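The cleanup steps above can be verified from another box. The following PowerShell audit is an added example, not code from the original article: it checks for the Sites and Services server object (and its NTDS Settings child, which only metadata cleanup removes), for FSMO roles still owned by the demoted DC, and for DC locator SRV records still pointing at it. OLDDC01 is a placeholder name, and the script assumes a Domain Admin session on a domain-joined Windows 8 / Server 2012 or newer machine (for Resolve-DnsName).

```powershell
# Added example, not from the original article: audit AD and DNS for leftovers
# of a force-demoted DC. Assumes a Domain Admin session on a domain-joined
# Windows 8 / 2012+ box (Resolve-DnsName). $OldDc is a placeholder name.
$OldDc = 'OLDDC01'

$rootDse   = [ADSI]'LDAP://RootDSE'
$configNc  = [string]$rootDse.configurationNamingContext
$domainNc  = [string]$rootDse.defaultNamingContext
$schemaNc  = [string]$rootDse.schemaNamingContext
$domainDns = ($domainNc -split ',' | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

function Find-AdDn([string]$Base, [string]$Filter) {
    # Returns the DNs of all objects under $Base matching the LDAP filter.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$Base"
    $s.Filter     = $Filter
    $s.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

# 1. The server object the article removes by hand in Sites and Services.
#    A surviving NTDS Settings child means metadata cleanup was never run.
foreach ($dn in Find-AdDn "CN=Sites,$configNc" "(&(objectClass=server)(cn=$OldDc))") {
    Write-Host "Sites and Services object still present: $dn"
    if (Find-AdDn $dn '(objectClass=nTDSDSA)') {
        Write-Host '  NTDS Settings still present -> metadata cleanup required'
    }
}

# 2. Each FSMO owner is stored as the NTDS Settings DN of the holder. A DN that
#    still names the demoted DC means the role was neither transferred nor seized.
$fsmo = @{
    'Schema Master'         = $schemaNc
    'Domain Naming Master'  = "CN=Partitions,$configNc"
    'PDC Emulator'          = $domainNc
    'RID Master'            = "CN=RID Manager`$,CN=System,$domainNc"
    'Infrastructure Master' = "CN=Infrastructure,$domainNc"
}
foreach ($role in $fsmo.Keys) {
    $owner = [string]([ADSI]"LDAP://$($fsmo[$role])").fSMORoleOwner
    $flag  = if ($owner -like "*,CN=$OldDc,CN=Servers,*") { '  <-- demoted DC, seize this role' } else { '' }
    Write-Host "${role}: $owner$flag"
}

# 3. DC locator SRV records still pointing at the demoted DC. Its A record may
#    legitimately stay if the box is kept as a member server; the SRV records must go.
foreach ($name in "_ldap._tcp.$domainDns", "_ldap._tcp.dc._msdcs.$domainDns", "_kerberos._tcp.$domainDns") {
    Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget -like "$OldDc.*" } |
        ForEach-Object { Write-Host "Stale SRV record: $name -> $($_.NameTarget)" }
}
```

Anything the script reports means the corresponding step (metadata cleanup, FSMO seizure or DNS cleanup) is still outstanding.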

Author: Krzysztof Pytko

