How to (best practice) demote a 2008R2 Domain Controller from Active Directory!

Laszlo Denes
Can someone comment briefly on what best practice is for demoting a healthy domain controller?
I am planning to replace our 2008R2 DCs with 2016 DCs and will be reusing the existing names and IPs.
Obviously this is not something we do very often and I just want to make sure I get it right the first time.
So generally speaking, would we demote the DC to a member server, then uninstall ADDS, WINS, DNS, etc., and then remove it from the domain into a workgroup? Or would we uninstall ADDS, WINS, DNS, then demote the DC to a member server and then into a workgroup?

We have at least two DCs that host and replicate ADDS, WINS, DNS, GC, GPO, etc., and our replication is good. Neither of the DC servers does anything else other than act as a DC.
We are not running a Certificate Authority on the DC.
Neither DC acts as a bridgehead server, as we only have one site and both DCs are in the same subnet/VLAN.
Both DCs are patched to within 1 month of current MS updates and are on the same patch level.
Need to verify that replication between all existing DCs works flawlessly.
Do general server checks (review logs, run dcdiag and netdiag) to isolate and mitigate any existing issues.
Make sure the remaining DC can handle the domain functions (user logon etc.) on its own.
Move all FSMO roles hosted on the DC that is being demoted to another DC.
Make sure it is not the only Global Catalogue, DNS/WINS or only DC in the domain, i.e. that another functioning DC can provide those services.
The account used for the process must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory.
DFS is not hosted on the DC, and it is my understanding that values within AD will replicate from the existing remaining 2008R2 DC to the new 2016 DC once it is up. Use dfsdiag /testdcs to make sure everything is healthy and consistent (it is right now) after the new 2016 DC is added.
Will using DCPROMO to remove the DC cleanly also remove any/all remains of the existing DC from AD, or is manual intervention required after the successful demotion process? I ask because when we removed a 2003 DC before, we were left with remains of the DC's object in Active Directory, and when we tried to install another server with the same computer name and tried to promote it to become a Domain Controller, it failed because the DCPROMO process would still find the old objects and therefore refuse to re-create the objects for the new-old server. We had to manually remove the failed DC object from Sites & Services, manually remove the failed DC entries from each DNS console, etc. Is there anything (apart from maybe DNS entries) that needs to be manually adjusted after the fact? Hopefully it does not require us to run ntdsutil to remove remnants from within AD.

As always many thanks to all the amazing techs who kindly share their insights and expertise.

This is a really easy process to accomplish. The only problem I see here is that it is not best practice to reuse the existing names and IP addresses.

Best practice here would be to add an additional Domain Controller to your existing environment, allow for replication, and then demote the old one if that is what you deem fit.
Here is the process to accomplish this:
step 1) Make sure replication to DC2 is running well: ' repadmin /replsum '

step 2) Move all FSMO roles to the secondary DC (assuming the one you're replacing is your primary).

step 3) Move any functions that are on the server, such as DHCP, etc., over to the secondary server and make sure it's functional (shut down the function on the existing DC and test).

step 4) Assuming this is all new to you, test that all is well: turn off the old DC01 for a few days and make sure things are running smoothly.

step 5) Power on the old DC01 and make sure it is replicating correctly again (repadmin /replsum).

step 6) Demote the old DC01, reboot the system.

step 7) Unjoin DC01 from the domain, reboot the system.

step 8) Log in, change the name of the system and its IP (or just shut it down, as preferred).

step 9) Make sure the object with the DC's name is removed from AD and DNS (delete by hand if not).

step 10) Build a new system with the same name and IP as the old DC.

step 11) Promote the new system to a Domain Controller.

step 12) Confirm replication.

step 13) If preferred: move FSMO roles and any functions back to this DC.
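The pre-demotion checks from the asker's own list (replication, dcdiag, FSMO transfer, a surviving Global Catalog and DNS) and steps 1 and 2 above, put into one script. This is an added example, not code from the thread or from either answerer; it assumes the RSAT ActiveDirectory module (present on 2008 R2 and 2016), a Domain Admins account, and the names DC01 (the DC being demoted) and DC02 (the remaining DC) used in the answer.

```powershell
# Added example: pre-demotion checks for DC01 before running dcpromo on it.
# Assumes: ActiveDirectory module, Domain Admins rights, DC01 = old DC, DC02 = remaining DC.
Import-Module ActiveDirectory

$OldDc       = 'DC01'   # assumed name of the DC being demoted
$RemainingDc = 'DC02'   # assumed name of the DC that stays

# 1. Replication health. netdiag no longer ships after 2003; dcdiag covers the DC-side tests.
repadmin /replsum
dcdiag /s:$OldDc /test:replications /test:services /test:advertising

# 2. Which server holds each FSMO role right now (two are forest-wide, three are domain-wide).
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = @{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
}
$roles.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

# 3. Transfer (not seize) any role still on the old DC to the remaining DC.
#    Moving SchemaMaster additionally requires Schema Admins membership.
$rolesOnOld = $roles.GetEnumerator() |
    Where-Object { $_.Value -like "$OldDc.*" } |
    ForEach-Object { $_.Key }
if ($rolesOnOld) {
    Move-ADDirectoryServerOperationMasterRole -Identity $RemainingDc `
        -OperationMasterRole $rolesOnOld -Confirm:$false
    "Moved roles to ${RemainingDc}: $($rolesOnOld -join ', ')"
}

# 4. Another DC must still be a Global Catalog once DC01 is gone.
$otherGcs = Get-ADDomainController -Filter * |
    Where-Object { $_.IsGlobalCatalog -and $_.Name -ne $OldDc }
if (-not $otherGcs) { throw "No other Global Catalog in the forest; do not demote $OldDc yet." }
"Global Catalogs remaining: $($otherGcs.Name -join ', ')"

# 5. The remaining DC must answer DNS for the domain's DC locator (SRV) records.
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" $RemainingDc
```

Run it on the remaining DC (or any domain-joined box with RSAT) rather than on DC01 itself, so the checks still work once DC01 is powered off in step 4. The role transfer is a normal transfer through the current holder; seizing is a separate operation that is only appropriate when the old holder is permanently gone.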

Jeff Glover, Sr. Systems Administrator

We have done this several times. It may not be best practice, but in reality it is an accepted one. Since you indicate it is not really running much more than AD, it is a pretty easy task.
1. Demote the DC gracefully. This makes it a member server. If it is running DNS, then after the demotion, set a forwarder in DNS pointing to another DC running DNS. This is just in case some machine is using that DC as its primary DNS.
2. Build the new server. Give it a temporary IP and name. Install any services needed. Set DNS with a forwarder to a DC running DNS.
3. When you are ready to promote it, rename the old DC to name-old. Rename the new DC to the old DC's name. Change the IP address on the old and new servers.
4. Install AD and promote to DC. After promotion, remove the DNS forwarder.
5. Verify replication.

We have done this at least a dozen times, even with DHCP installed (just have to back up the DHCP config and restore it on the new server).
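The asker's worry above is the leftover server object, NTDS Settings and DNS records that made a 2003-era re-promotion fail, and both answers say to check for them after the demotion. The script below is an added example, not code from the thread, that reports those leftovers from the remaining DC's point of view before the old name is reused. It assumes the ActiveDirectory module, Domain Admins rights, dnscmd.exe (present on 2008 R2 and 2016; the DnsServer PowerShell module cannot manage a 2008 R2 DNS server), and the names DC01 (demoted) and DC02 (remaining) from the thread.

```powershell
# Added example: after dcpromo has demoted DC01 and DC01 has left the domain, list what is
# still left behind in AD and DNS before a new server is promoted with the same name.
# Assumes: ActiveDirectory module, Domain Admins rights, DC01 = old DC, DC02 = remaining DC/DNS.
Import-Module ActiveDirectory

$OldDc     = 'DC01'   # assumed name of the demoted DC
$DnsServer = 'DC02'   # assumed remaining DC that also hosts DNS
$domain    = Get-ADDomain
$configNc  = (Get-ADRootDSE).configurationNamingContext
$findings  = @()

# a) Computer account: dcpromo turns it into a member server account; leaving the domain
#    should disable or remove it. Anything still here will collide with the new build.
$computer = Get-ADComputer -Filter "Name -eq '$OldDc'"
if ($computer) { $findings += "Computer object still present: $($computer.DistinguishedName)" }

# b) Server object and its NTDS Settings under the Sites container. A surviving NTDS Settings
#    object is what makes a later promotion with the same name refuse to proceed.
$serverObj = Get-ADObject -SearchBase "CN=Sites,$configNc" `
    -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
if ($serverObj) {
    $findings += "Server object still in Sites: $($serverObj.DistinguishedName)"
    $ntds = Get-ADObject -SearchBase $serverObj.DistinguishedName -LDAPFilter "(objectClass=nTDSDSA)"
    if ($ntds) { $findings += "NTDS Settings still present (metadata cleanup needed): $($ntds.DistinguishedName)" }
}

# c) Replication topology: the remaining DC should no longer list DC01 as a partner.
$partners = repadmin /showrepl $DnsServer | Select-String -SimpleMatch $OldDc
if ($partners) { $findings += "repadmin /showrepl on $DnsServer still lists $OldDc as a partner" }

# d) DNS: host A record plus SRV/CNAME records under _msdcs that still point at the old DC.
#    dnscmd /zoneprint dumps a whole zone; _msdcs is its own zone in a 2003+ default forest.
$zone = $domain.DNSRoot
foreach ($z in @($zone, "_msdcs.$zone")) {
    $hits = dnscmd $DnsServer /zoneprint $z | Select-String -SimpleMatch $OldDc
    if ($hits) {
        $findings += "DNS records in zone $z still mention ${OldDc}:"
        $findings += $hits | ForEach-Object { "    " + $_.Line.Trim() }
    }
}

if ($findings) { $findings } else { "No leftovers found for $OldDc; the name can be reused for the new DC." }
```

Where the NTDS Settings object shows up, deleting the server object in Active Directory Sites and Services on a 2008 or later DC runs the metadata cleanup itself, so the ntdsutil route the asker wants to avoid is only needed if that fails. Stale DNS records are removed with the DNS console or dnscmd /recorddelete, as step 9 of the first answer says.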


We have various reasons to reuse the name/ip


Jeff - We have two DCs that both serve DNS, and all servers are pointing to both; also, the primary is not the one we are demoting this time.
New servers are already built (not in AD yet).
So do I uninstall ADDS (role) and DNS, WINS etc. before I demote it from being a DC to a member server?
I was thinking of demoting the existing one, followed by a brief cleanup, and then (same day) promoting the new one (temp name in a workgroup right now and fully patched) as a member server, then DC, and then DNS/WINS replication etc.
Jeff Glover, Sr. Systems Administrator
Well, you cannot remove ADDS before you demote it. Cart before the horse there. Not sure why you are still using WINS but...

You demote the server first. As I said, the way I did it was to demote it and then set up a forwarder in DNS (since your DNS zones should go away on that server if they are AD integrated). Then I did exactly what I wrote above. The only reason I did not remove DNS was to give myself time before I had to change the IPs and names.
From what you wrote, your situation is as close to ideal as can be here. With a well-functioning AD, it is pretty easy to do what you want. Once you have the new servers up, patched and on the domain, demote the old server. Change the name and IP of the old server. Change the name and IP of the new server. Promote the new server as a DC. You may want to allow a little time for replication if you have any DCs that are remote, but as I said, we have done this dozens of times with no issues.


LOL! I didn't say it was a smart question (remove ADDS before demote).
But since the remaining DC (also DNS) is still there and all member servers point to both DC (in DNS) why do I need a forwarder?
WINS is a long story... let's leave it at that...


Thank you everyone.
