PowerShell: Demote Domain Controllers

Windows 2016 or Higher
Import-Module ActiveDirectory
Uninstall-ADDSDomainController -Force -LocalAdministratorPassword (convertto-securestring "Password1!" -asplaintext -force) -norebootoncompletion:$false #Optional for PDC: -ForceRemoval -DemoteOperationMasterRole #Last DC: -LastDomainControllerInDomain -IgnoreLastDnsServerForZone
Uninstall-WindowsFeature AD-Domain-Services
Windows 2008 R2 and Older
# Remove DHCP Server Service
$oldDHCPServername=$ENV:computername
$oldDHCPServerIP=(gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null }).ipaddress[0]
netsh dhcp delete server $oldDHCPServername $oldDHCPServerIP
# Remove DC from the Global Catalog Role
repadmin.exe /options $oldDHCPServername –IS_GC
# Check FSMO to ensure that it does not hold any operation master roles
PS C:\Windows\system32> netdom query fsmo
Schema master DC01.INTRA.NET
Domain naming master DC01.INTRA.NET
PDC DC01.INTRA.NET
RID pool manager DC01.INTRA.NET
Infrastructure master DC01.INTRA.NET
The command completed successfully.
# Remove AD Role for Windows 2008 (suppress warnings about fsmo)
dcpromo /unattend /uninstallbinaries /AdministratorPassword:Password1! /DemoteFSMO:Yes /RebootOnCompletion:Yes

# use this if the demoting DC could not contact other DCs on the network - hence, it will join a WORKGROUP thereafter
dcpromo /forceremoval /uninstallbinaries /demotefsmo:yes /administratorpassword:Password1! /RebootOnCompletion:Yes

Follow the dcpromo wizard…

# Remove DNS
ServerManagerCmd.exe -remove dns -restart
# Cleanup metadata
ADUC > Domain Controllers > right-click the orphanated DC > Delete > put a check mark next to "Delete this Domain Controller anyway..." > Delete > Confirm 'Yes'

# Cleanup orphanated DC from AD Sites and Services
Active Directory Sites and Services > Default-First-Site-Name > Servers > Right-click bad record > Properties > Uncheck the box next to "Protect object from accidental deletion" > OK > Right-click bad record again > Delete > OK

# Cleanup orphanated DC metadata using ntdsutil
ntdsutil
metadata cleanup
select operation target
list domains
select domain 0 <assuming default domain>
list sites
select site 0 <assuming default site>
list servers in site
select server <number>
quit
remove selected server
quit
Cleanup DNS
Import-Module DnsServer

# Set Variables
$pdc = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
$zones=(Get-DNSServerZone).ZoneName
$orphanatedDC="AD007.INTRA.NET." #notice the dot at the end. It's important

# Remove orphanated record from all zones
$zones | % { Remove-DnsServerResourceRecord -ZoneName $_ -RRType "Ns" –Name "@" -RecordData $orphanatedDC -computerName $pdc -Force}

# View 1 Zone
Get-DnsServerResourceRecord -ZoneName _msdcs.INTRA.NET -RRType "Ns" -computerName $pdc -Node

# Remove orphanated DC from 1 zone
Remove-DnsServerResourceRecord -ZoneName 1.10.in-addr.arpa -RRType "Ns" –Name "@" -RecordData $orphanatedDC -computerName $pdc

Leave a Reply

Your email address will not be published. Required fields are marked *