demote old domain controller

Posted on 2012-09-01
Last Modified: 2012-09-08
Hi there,

I have 2 old domain controllers 2003 (dc1 & dc2) and 1 new dc 2008 r2.  The dc1 holds a FSMO role.  If I want to demote dc2 to member server, what is any prerequisites need before run the dcpromo and remote it from AD.


Question by:Vincent2211
    LVL 17

    Expert Comment

    by:Lior Karasenti
    Is there any roles installed on dc2? DHCP,DNS,Shares ?

    Read here you can test your DC with
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    LVL 9

    Expert Comment

    As you have already mention that all fsmo roles are on DC1.
    You can go ahead with DCPROMO.
    LVL 23

    Expert Comment

    by:Suliman Abu Kharroub
    Also make sure that dc1 is a global catalogs.

    And run dcdiag on dc1  to make sure it's working properly.
    LVL 2

    Expert Comment

    In most case, dcpromo will warn you, if there is a problem, if you go to depromote this dc. But follow the instructions mentioned before on Microsoft teched.
    LVL 18

    Expert Comment

    by:Sushil Sonawane
    Make sure that in domain other server also hold a global catalogs.

    And run dcdiag on dc1 and dc2  to make sure it's working properly and does not hold any service like certificate authority. If it's hold then migrate with anohter domain controller.

    You already mention the all fsmo roles are on DC1 so you can go ahead with DCPROMO for removal.

    Refer below article (

    If it is failed then try to remove forcefully domain controller.

    To remove forcefully domain controller please refer the below article (
    LVL 23

    Expert Comment

    by:Stelian Stan
    The only concern would be the the Global Catalog. If you have a global catalog on another DC you can proceed with the decommission of that domain controller by running dcpromo.
    LVL 18

    Expert Comment


    Output from Above article of Pbbergs

    Decommissioning a dc requires all domain services that currently reside on a server need to be moved to other dc’s.  


    You need to move any fsmo roles from this dc to another dc (KB255960)
    To learn where the roles reside run the command     netdom query fsmo
    If the PDCe fsmo role resided on this DC then you need to reconfigure the new holder of the PDCe to either use the internal hardware clock or an external source.  I would recommend using an external source KB816042.
    There needs to be at least one Global Catalog (GC) in each domain and it is recommended that there is one in each site (KB313994)
    Move DNS services to other DC’s if this DC is a DNS provider.  Also point all clients that use this server for DNS to the new DNS server
    If AD integrated simply installing DNS on a member server prior to promotion will bring up a new DNS server
    If not AD integrated and this is a primary server then a new primary server will need to be brought online.  From DNS server manager the server needs to be promoted to primary
    If a secondary server then make the new dc a new secondary server
    If a dhcp server then the dhcp servers database needs to be backed up and copied to the new dhcp server.  The old dhcp server deauthorized and the new dhcp server authorized (KB325473)
    If you have Encryption File System (EFS) enabled you will need to move the private key if it resides on this dc (KB241201).  You use the recovery agent's private key to recover data in situations when the copy of the EFS private key that is located on the local computer is lost
    If this server manages Terminal Server Licensing (TSL) then it will have to be moved to a new DC.  From Add/Remove programs you will need to add a new TSL.  You can then restore the licenses by using the TS License Manager tool with the Telephone activation mechanism. You can switch to the Telephone mechanism by right clicking on the server in TS License Manager, and then selecting properties from the menu. (TS FAQ)

    Finally once this is all accomplished go ahead and demote the dc to a member server (KB238369)
    LVL 8

    Expert Comment

    If DC2 not FSMO , yo can just demote it directly , make sure it no any sharing or DFS running
    Also the Glocal catalog should not be click in DC2

    Accepted Solution

    the dcpromo demote work well after migrate the certificate service to new dc.
    Thanks ..

    Author Closing Comment

    it work ..

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    Have you considered what group policies are backwards and forwards compatible? Windows Active Directory servers and clients use group policy templates to deploy sets of policies within your domain. But, there is a catch to deploying policies. The…
    Learn about cloud computing and its benefits for small business owners.
    This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
    This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now