Determine FSMO role

If the DC which you want to demote holds any FSMO role, you need to transfer the FSMO roles to another DC.

The 5 FSMO roles are:

  • Schema Master (forest-wide)

  • Domain Naming Master (forest-wide)

  • RID Master (domain-specific)

  • PDC Emulator (domain-specific)

  • Infrastructure Master (domain-specific)

Log in as Domain Administrator on one DC

In a command prompt window, type

netdom query fsmo 

The PowerShell commands

To determine the domain-specific FSMO roles for a domain

Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator

To determine the forest-specific FSMO roles for a Forest

Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster

To view a list of all DCs that have FSMO roles

Get-ADDomainController -Filter * | Select-Object Name, Domain, Forest, OperationMasterRoles | Where-Object {$_.OperationMasterRoles} 


Transfer the FSMO roles to another DC (Optional)

If the DC you want to demote doesn’t hold any FSMO role, you can skip this step.

Log in as Domain Administrator on one DC

PowerShell commands

Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole pdcemulator, ridmaster, infrastructuremaster, schemamaster, domainnamingmaster

or

Move-ADDirectoryServerOperationMasterRole -Identity <targetDC> -OperationMasterRole 0,1,2,3,4 
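The check and transfer steps above combined into one function, as an added example that is not from the original post: it transfers only the roles the DC actually holds and then confirms none remain on it. The function name and the SourceDC/TargetDC parameters are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original post. $SourceDC / $TargetDC are
# hypothetical parameter names; pass your own DC names.
function Move-FsmoRolesOffDC {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SourceDC,  # DC that will be demoted
        [Parameter(Mandatory)][string]$TargetDC   # DC that receives the roles
    )

    $source = Get-ADDomainController -Identity $SourceDC -ErrorAction Stop
    $target = Get-ADDomainController -Identity $TargetDC -ErrorAction Stop

    # OperationMasterRoles is empty when the DC holds no FSMO role.
    $roles = @($source.OperationMasterRoles)
    if ($roles.Count -eq 0) {
        Write-Output "$($source.Name) holds no FSMO roles; nothing to transfer."
        return
    }
    Write-Output "$($source.Name) holds: $($roles -join ', ')"

    # Honour -WhatIf / -Confirm before changing role ownership.
    if (-not $PSCmdlet.ShouldProcess($target.Name, "Transfer $($roles -join ', ')")) {
        return
    }
    Move-ADDirectoryServerOperationMasterRole -Identity $target.Name `
        -OperationMasterRole $roles -Confirm:$false -ErrorAction Stop

    # Re-read the role holders from the target DC and make sure none is left behind.
    $domain = Get-ADDomain -Server $target.HostName
    $forest = Get-ADForest -Server $target.HostName
    $holders = @(
        $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
        $forest.SchemaMaster, $forest.DomainNamingMaster
    )
    if ($holders -contains $source.HostName) {
        throw "$($source.Name) still holds at least one FSMO role."
    }
    Write-Output "All FSMO roles moved off $($source.Name)."
}

# Preview first, then run for real (DC names below are constructed):
# Move-FsmoRolesOffDC -SourceDC 'DC01' -TargetDC 'DC02' -WhatIf
# Move-FsmoRolesOffDC -SourceDC 'DC01' -TargetDC 'DC02'
```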


Dry-run

Test-ADDSDomainControllerUninstallation


Demote Domain Controller using PowerShell

demote domain controller

First, open PowerShell with Administrator privileges. Then type the following command and press Enter. You will be prompted to type in the local administrator’s account password twice, and then to confirm your action by pressing Y or A, depending on your preferences.

Uninstall-ADDSDomainController

Immediately afterward, the demotion of the Domain Controller will proceed and the server will be restarted automatically.

uninstall the role

Once you log in again and open Server Manager, you will notice a notification prompting you to promote the server to a Domain Controller. This is because the Active Directory Domain Services role is still in place.

To uninstall it, use the following command in PowerShell.

Uninstall-WindowsFeature AD-Domain-Services

That’s it! After restarting, your server is no longer a Domain Controller, but just an Active Directory domain member server.

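This article is licensed under the Creative Commons Attribution 4.0 International License (CC-BY 4.0). When reposting, please credit the source: https://snowfrs.com/2020/06/28/remove-a-Domain-Controller-from-AD.html Verification of the references cited in this article is welcome, as is pointing out anything inaccurate or unclear.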