Demote Windows Server 2012 R2 Domain Controller

Hi All,

I have to admit that one of my Active Directory Domain Controllers was still running Windows Server 2012 R2.

According to the Support Lifecycle for Windows Server 2012 R2 it’s about time to get rid of it.

Current Situation

  • ICESRV01 Windows 2016 Domain Controller
    • Domain Controller
    • Global Catalog
    • DNS Server
  • ICESRV02 Windows 2012R2 Domain Controller
    • Domain Controller
    • Global Catalog
    • DNS Server
    • DHCP Server
    • FileServer
    • Azure FileSync Source
    • WebServer


In my case I had to do several things before I could demote the Domain Controller:

  • Migrated Blog to Hugo and Azure Static Website
  • Remove Azure File Sync
    • Uninstall Azure File Sync Agent on ICESRV02
    • Remove File Sync Resources In Azure
  • Migrate FileShare
    • The Shares were on a separate Disk in VMware
    • Remove File Shares on ICESRV02
    • Remove VMDK from ICESRV02 / Attach VMDK to ICESRV01
    • Create File Shares on ICESRV01
  • DNS
    • DNS Role was already installed on both Domain Controllers
    • I needed to make sure all Devices will use ICESRV01 for DNS Lookups in the future
  • Migrate DHCP Role
    • Install DHCP Role on ICESRV01
    • Authorize DHCP Server ICESRV01
    • Create Scopes and Options
    • Unauthorize DHCP Server ICESRV02
    • Uninstall DHCP Role on Server ICESRV02
  • Migrate Certificate Authority
    • Install ADCS (Active Directory Certificate Authority) on ICESRV01
    • Recreate all Certificates from the new CA
    • Uninstall ADCS (Active Directory Certificate Authority) on ICESRV02
  • Scripts
    • Move Scripts to another Server
  • Move FSMO Roles to ICESRV01

Make sure you check Programs and Features so that no essential Application or Service is still running on that Server.

Open up Server Manager and “Remove Roles and Features”

Unselect “Active Directory Domain Services”

The Wizard also proposes to uninstall the AD Management Tools

Then the Wizard will detect that the Server is still an active Domain Controller that has to be demoted first

After the demotion of the Domain Controller Role the Server will be a Member Server, so you have to set a new Password for the local Administrator Account.

After the demotion the Server reboots and becomes a Member Server.

When we check Active Directory Users and Computers (dsa.msc), we can see that there is only one Active Directory Domain Controller left

Now we can raise the Forest Functional Level (domain.msc)
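The checklist and the wizard steps above can also be run from PowerShell. The following is an added example, not part of the original post: it assumes an elevated session on ICESRV02 with the ActiveDirectory, ADDSDeployment and SmbShare modules available, and the roles it checks are taken from the checklist in this post.

```powershell
# Added example (not from the original post). Run elevated on ICESRV02.
Import-Module ActiveDirectory, ADDSDeployment

$old = 'ICESRV02'   # DC to demote (host name from this post)
$new = 'ICESRV01'   # DC that stays (host name from this post)

# 1. All five FSMO roles must already be held by the remaining DC.
$domain  = Get-ADDomain
$forest  = Get-ADForest
$holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
             $forest.SchemaMaster, $forest.DomainNamingMaster)
if ($holders | Where-Object { $_ -like "$old.*" }) {
    throw "FSMO roles still on ${old}: move them to $new first."
}

# 2. The remaining DC must be a Global Catalog, or logons break after demotion.
if (-not (Get-ADDomainController -Identity $new).IsGlobalCatalog) {
    throw "$new is not a Global Catalog."
}

# 3. Roles from the checklist that should already be removed from the old DC.
$leftover = Get-WindowsFeature -Name DHCP, ADCS-Cert-Authority, Web-Server |
    Where-Object Installed
if ($leftover) { throw "Still installed: $($leftover.Name -join ', ')" }

# 4. Apart from SYSVOL and NETLOGON, no file shares should be left.
$shares = Get-SmbShare -Special $false |
    Where-Object Name -notin 'SYSVOL', 'NETLOGON'
if ($shares) { throw "File shares still present: $($shares.Name -join ', ')" }

# 5. Password for the local Administrator account of the future member server.
$pw = Read-Host -AsSecureString 'New local Administrator password'

# 6. Dry run: the same prerequisite checks the wizard performs.
$test = Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $pw
if ($test | Where-Object Status -eq 'Error') {
    $test | Format-List Status, Message
    throw 'Prerequisite check failed, not demoting.'
}

# 7. Demote. The server reboots and comes back as a member server.
Uninstall-ADDSDomainController -LocalAdministratorPassword $pw -Force

# After the reboot, remove the role binaries on ICESRV02:
#   Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools
# and confirm from ICESRV01 that only one DC is left:
#   (Get-ADDomainController -Filter *).Name
```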

Andres Bohren
