Remove a Domain Controller from AD: Difference between revisions
No edit summary |
No edit summary |
||
| Line 1: | Line 1: | ||
=== Determine FSMO role === | ===Determine FSMO role=== | ||
If the DC which you want to demote holds any FSMO role, you need to transfer the FSMO roles to another DC. | If the DC which you want to demote holds any FSMO role, you need to transfer the FSMO roles to another DC. | ||
| Line 20: | Line 20: | ||
<code>netdom query fsmo</code> | <code>netdom query fsmo</code> | ||
[[File:Remove Domain Controller 1.png|alt=Remove_Domain_Controller_1]] | [[File:Remove Domain Controller 1.png|alt=Remove_Domain_Controller_1]] | ||
The powershell commands | The powershell commands | ||
| Line 37: | Line 39: | ||
[[File:Remove Domain Controller 2.png|alt=Remove_Domain_Controller_2]] | [[File:Remove Domain Controller 2.png|alt=Remove_Domain_Controller_2]] | ||
=== Transfer the FSMO roles to another DC (Optional) === | ===Transfer the FSMO roles to another DC (Optional)=== | ||
If the DC you want to demote doesn’t hold any FSMO role, you can skip this step. | If the DC you want to demote doesn’t hold any FSMO role, you can skip this step. | ||
| Line 43: | Line 45: | ||
PowerShell commands | PowerShell commands | ||
<code>Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole pdcemulator, ridmaster, infrastructuremaster, schemamaster, domainnamingmaster</code> | <code>Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole pdcemulator, ridmaster, infrastructuremaster, schemamaster, domainnamingmaster</code> | ||
| Line 50: | Line 51: | ||
<code>Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole 0,1,2,3,4</code> | <code>Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole 0,1,2,3,4</code> | ||
[[File:Remove Domain Controller 3.png|alt=Remove_Domain_Controller_3]] | [[File:Remove Domain Controller 3.png|alt=Remove_Domain_Controller_3]] | ||
=== Dry-run === | ===Dry-run=== | ||
<code>Test-ADDSDomainControllerUninstallation</code> | <code>Test-ADDSDomainControllerUninstallation</code> | ||
| Line 59: | Line 60: | ||
[[File:Remove Domain Controller 4.png|alt=Remove_Domain_Controller_4]] | [[File:Remove Domain Controller 4.png|alt=Remove_Domain_Controller_4]] | ||
=== Demote Domain Controller using PowerShell === | ===Demote Domain Controller using PowerShell=== | ||
==== demote domain controller ==== | ====demote domain controller==== | ||
First, open PowerShell with Administrator privileges. Then type the following command and press Enter. You will be prompted to type in the local administrator’s account twice, and then confirm your action by pressing '''Y''' or '''A''', depending on your preferences. | First, open PowerShell with Administrator privileges. Then type the following command and press Enter. You will be prompted to type in the local administrator’s account twice, and then confirm your action by pressing '''Y''' or '''A''', depending on your preferences. | ||
| Line 68: | Line 69: | ||
Immediately afterward, the demotion of the Domain Controller will proceed and the server will be restarted automatically. | Immediately afterward, the demotion of the Domain Controller will proceed and the server will be restarted automatically. | ||
==== uninstall the role ==== | ====uninstall the role==== | ||
Once you log in again by opening Server Manager, you will notice that there is the corresponding notification for you to promote the server to a Domain Controller. Obviously, once the Active Directory Domain Services role is still in place. | Once you log in again by opening Server Manager, you will notice that there is the corresponding notification for you to promote the server to a Domain Controller. Obviously, once the Active Directory Domain Services role is still in place. | ||
Revision as of 08:12, 29 March 2020
Determine FSMO role
If the DC which you want to demote holds any FSMO role, you need to transfer the FSMO roles to another DC.
The 5 FSMO roles are:
Schema Master (forest-wide)
Domain Naming Master (forest-wide)
RID Master (domain-specific)
PDC Emulator (domain-specific)
Infrastructure Master (Domain-specific)
Login as Domain Administrator on one DC
In a command prompt window, type
netdom query fsmo
The powershell commands
To determine the domain-specific FSMO roles for a domain
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
To determine the forest-specific FSMO roles for a Forest
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
to view a list of all DCs that have FSMO roles
Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles}
Transfer the FSMO roles to another DC (Optional)
If the DC you want to demote doesn’t hold any FSMO role, you can skip this step.
Login as Domain Administrator on one DC
PowerShell commands
Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole pdcemulator, ridmaster, infrastructuremaster, schemamaster, domainnamingmaster
or
Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole 0,1,2,3,4
Dry-run
Test-ADDSDomainControllerUninstallation
Demote Domain Controller using PowerShell
demote domain controller
First, open PowerShell with Administrator privileges. Then type the following command and press Enter. You will be prompted to type in the local administrator’s account twice, and then confirm your action by pressing Y or A, depending on your preferences.
Uninstall-ADDSDomainController
Immediately afterward, the demotion of the Domain Controller will proceed and the server will be restarted automatically.
uninstall the role
Once you log in again by opening Server Manager, you will notice that there is the corresponding notification for you to promote the server to a Domain Controller. Obviously, once the Active Directory Domain Services role is still in place.
To uninstall it, use the following command in PowerShell.
Uninstall-WindowsFeature AD-Domain-Services
That’s it! After restarting, your server is no longer a Domain Controller, but just an Active Directory domain member server.