Remove Active Directory Domain Services (Level 100)


Applies To: Windows Server 2012

This topic covers procedures for removing Active Directory Domain Services (AD DS). You can remove AD DS using these methods:

  • Remove AD DS using Windows PowerShell

  • Remove AD DS using the Remove Roles Wizard in Server Manager

After AD DS is removed, the DNS server role remains installed and running if it was previously installed on the domain controller. But any Active Directory–integrated DNS zones that were installed are removed. By default, the AD DS removal process also attempts to remove the Domain Name System (DNS) delegations for the zones that point to the domain controller.

If the DNS server no longer serves any purpose after you remove AD DS, use Remove Roles Wizard to remove DNS server role. If you remove the DNS server role, you must reconfigure any DHCP scopes and DNS clients that resolved against this DNS server to use a suitable alternative (typically, another DNS server running on a domain controller within the same domain).

If you are removing the last domain controller in a domain, the wizard displays a list of all the application directory partitions that are stored on the domain controller. If the application directory partitions were created by an application other than AD DS, first try to use an appropriate tool that is provided by the application to remove these directory partitions. If the application does not provide such a tool, you can let the wizard remove the directory partitions. Application directory partitions that are created by AD DS, such as the DomainDNSZones application directory partition, cannot be retained if you remove AD DS.

Remove AD DS using Windows PowerShell

Windows PowerShell allows you to script the removal of AD DS. If you plan to demote a domain controller temporarily, you do not need to remove and then reinstall the AD DS server role.

To view the syntax and parameter options for removing AD DS using the ADDSDeployment module in Windows PowerShell, type the following command:

get-help Uninstall-ADDSDomainController

The command syntax for removing AD DS is as follows. Optional parameters appear within brackets.

Uninstall-ADDSDomainController [-SkipPreChecks] -LocalAdministratorPassword <SecureString> [-Credential <PSCredential>] [-DemoteOperationMasterRole] [-DnsDelegationRemovalCredential <PSCredential>] [-ForceRemoval] [-IgnoreLastDCInDomainMismatch] [-IgnoreLastDnsServerForZone] [-LastDomainControllerInDomain] [-NoRebootOnCompletion] [-RemoveApplicationPartitions] [-RemoveDnsDelegation] [-RetainDCMetadata] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

Uninstall-ADDSDomainController -ForceRemoval [-SkipPreChecks] -LocalAdministratorPassword <SecureString> [-Credential <PSCredential>] [-DemoteOperationMasterRole] [-NoRebootOnCompletion] [-Force] [-WhatIf] [-Confirm] [<CommonParameters>]

Tip

Normally on demotion, any warnings with high importance require explicit acknowledgment by the user. To ensure that those warnings do not wait for user acknowledgment, specify the -Force option. The UI always passes the -Force flag. The -ForceRemoval option is typically used to remove AD DS when the domain controller has no connectivity with other domain controllers.

For example, to remove AD DS from an additional domain controller in a domain and be prompted to set the local Administrator password, type the following command:

Note

You will be prompted to supply the local Administrator password.

Uninstall-ADDSDomainController

To remove AD DS from an additional domain controller in a domain and be prompted to set the local Administrator password but not prompted to confirm the command, type the following command:

Uninstall-ADDSDomainController -confirm:$false

Here is an example of forcibly demoting with its minimal required arguments of -ForceRemoval and -DemoteOperationMasterRole. The -Credential argument is not required because the user is logged on as a member of the Enterprise Admins group:

Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole

Here is an example of removing the last domain controller in the domain with its minimal required arguments of -LastDomainControllerInDomain and -RemoveApplicationPartitions:

Uninstall-ADDSDomainController -LastDomainControllerInDomain -RemoveApplicationPartitions

Using Test-ADDSDomainControllerUninstallation cmdlet

The Test-ADDSDomainControllerUninstallation cmdlet runs only the prerequisite checks that would be performed if you used the Uninstall-ADDSDomainController cmdlet to uninstall a domain controller in Active Directory. It differs from using the -WhatIf parameter with the Uninstall-ADDSDomainController cmdlet: instead of summarizing the changes that would occur during the uninstallation process, this cmdlet actually tests whether those changes are possible in the current environment.

For more information on the scope of these prerequisite checks that the ADDSDeployment module performs when using this cmdlet, see Prerequisite Checking.

The syntax for the Test-ADDSDomainControllerUninstallation cmdlet is:

Test-ADDSDomainControllerUninstallation [-Credential <PSCredential>] [-DemoteOperationMasterRole] [-DnsDelegationRemovalCredential <PSCredential>] [-Force] [-IgnoreLastDCInDomainMismatch] [-IgnoreLastDnsServerForZone] [-LastDomainControllerInDomain] [-LocalAdministratorPassword <SecureString>] [-NoRebootOnCompletion] [-RemoveApplicationPartitions] [-RemoveDnsDelegation] [-RetainDCMetadata] [<CommonParameters>]

Test-ADDSDomainControllerUninstallation -ForceRemoval [-Credential <PSCredential>] [-DemoteOperationMasterRole] [-Force] [-LocalAdministratorPassword <SecureString>] [-NoRebootOnCompletion] [<CommonParameters>]
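The following script is an added example and is not part of this topic; it chains the cmdlets described above (the forced and last-domain-controller argument sets, Test-ADDSDomainControllerUninstallation, a -WhatIf dry run, and the real demotion) into one run-book. It assumes a Windows Server 2012 domain controller with the ADDSDeployment and ActiveDirectory modules, an elevated session, and a caller who is a member of Domain Admins (Enterprise Admins for the last domain controller). The Status and Message properties read from the test result are assumed from the ADDSDeployment result object; inspect the object if your build differs.

```powershell
# Added example (not from the original topic): scripted demotion run-book.
param(
    # Set when this is the last DC in the domain (requires Enterprise Admins).
    [switch]$LastDomainControllerInDomain,
    # Set only when the DC cannot reach any other domain controller.
    [switch]$Forced
)

Import-Module ADDSDeployment
Import-Module ActiveDirectory

# Prompt for the new local Administrator password as a SecureString so that
# it never appears in the script, on the command line, or in a transcript.
$localAdminPassword = Read-Host -Prompt 'New local Administrator password' -AsSecureString

# Report any operations master roles this DC still holds. A graceful demotion
# transfers them, but knowing which roles move avoids surprises later.
# Skipped for a forced removal, where other DCs are assumed unreachable.
if (-not $Forced) {
    $thisDc = Get-ADDomainController -Identity $env:COMPUTERNAME
    if ($thisDc.OperationMasterRoles.Count -gt 0) {
        Write-Warning ('This DC holds: ' + ($thisDc.OperationMasterRoles -join ', '))
    }
}

# Build the parameter set once and reuse it for the test, the dry run and the real run.
$demoteParams = @{ LocalAdministratorPassword = $localAdminPassword }
if ($Forced) {
    # Minimal arguments for a forced removal, as given in the topic.
    $demoteParams.ForceRemoval = $true
    $demoteParams.DemoteOperationMasterRole = $true
}
elseif ($LastDomainControllerInDomain) {
    # Minimal arguments for removing the last DC in the domain, as given in the topic.
    $demoteParams.LastDomainControllerInDomain = $true
    $demoteParams.RemoveApplicationPartitions = $true
}

# 1. Prerequisite checks only: this call changes nothing.
$check = Test-ADDSDomainControllerUninstallation @demoteParams
# Status/Message are assumed property names of the ADDSDeployment result object.
if ("$($check.Status)" -ne 'Success') {
    $check.Message
    throw 'Prerequisite checks failed; not demoting.'
}

# 2. Dry run: summarises what Uninstall-ADDSDomainController would do.
Uninstall-ADDSDomainController @demoteParams -WhatIf

# 3. Real run. -Confirm:$false suppresses the confirmation prompt and -Force
#    acknowledges high-importance warnings, so an unattended run does not block.
#    The server restarts on completion unless -NoRebootOnCompletion is given.
Uninstall-ADDSDomainController @demoteParams -Force -Confirm:$false
```

Run it without switches for an additional domain controller, with -LastDomainControllerInDomain for the last one, or with -Forced only when the domain controller has no connectivity to the rest of the domain; after a forced removal the server's metadata still has to be cleaned from the directory on a surviving domain controller.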

Remove AD DS using the Remove Roles Wizard in Server Manager

The following procedure shows the steps to remove AD DS using the Remove Roles Wizard in Server Manager.

Administrative credentials

To remove a domain controller, you must be a member of the Domain Admins group in the domain. To remove the last domain controller in a domain or forest, you must be a member of the Enterprise Admins group.

Note

If you force the removal of AD DS while the domain controller is started in Directory Services Restore Mode (DSRM), credentials are optional.

To Remove AD DS using the Remove Roles Wizard

  1. In Server Manager, click Manage, and then click Remove Roles and Features.

  2. On the Before you begin page, review the information and then click Next.

  3. On the Select destination server page, click the name of the server that you want to remove AD DS from and then click Next.

  4. On the Remove server roles page, clear the check box for Active Directory Domain Services and any other server roles that you want to remove, such as DNS Server, and then on the Remove Roles and Features Wizard dialog box, click Remove Features, and then click Next.

  5. The Remove Roles and Features Wizard returns the following validation error:

    The validation error appears by design because the AD DS server role binaries cannot be removed while the server is running as a domain controller. Click Demote this domain controller.

  6. On the Credentials page, specify credentials to remove AD DS. If previous attempts to remove AD DS on this domain controller have failed, you can select the Force the removal of this domain controller check box. If you are removing the last domain controller in the domain, select the Last domain controller in the domain check box. Click Next.

  7. On the Warnings page, review the information about the roles hosted by the domain controller, click Proceed with removal, and then click Next.

  8. On the Removal Options page:

    Note

    This page does not appear if you chose Force the removal of this domain controller.

    • If you plan to reinstall the domain controller using the same domain controller account, click Retain the domain controller metadata.

    In addition, if either of the following two options appears, it must be selected before you can proceed.

    • If you are removing the last DNS server that hosts the zones hosted on this domain controller, click Remove this DNS zone (this is the last server that hosts the zone).

      Important

      This option will be shown only if the domain controller is the last DNS server for the zone.

    • If you want to delete the application partitions, click Remove application partitions.

    Click Next.

  9. On the New Administrator Password page, type and confirm the password for the local Administrator account for the server, and then click Next.

  10. On the Review Options page, click Demote.

    The server will restart automatically to complete the domain controller demotion. Continue with the next steps, which are needed to fully remove the AD DS server role binaries after the machine restarts to complete the demotion.

  11. In Server Manager, click Manage, and then click Remove Roles and Features.

  12. On the Before you begin page, review the information and then click Next.

  13. On the Select destination server page, click the name of the server that you want to remove AD DS from and then click Next.

  14. On the Remove server roles page, clear the check box for Active Directory Domain Services and any other server roles that you want to remove, such as DNS Server. On the Remove Roles and Features Wizard dialog box, clear the Remove management tools (if applicable) check box if you plan to administer another domain controller from this server, and click Remove Features, and then click Next.

  15. On the Remove features page, clear the check box for any feature you want to remove and then click Next.

  16. On the Confirm removal selections page, click Remove.

  17. After the role is removed, click Close, and restart the server.
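As an added example that is not part of this topic, the following script performs the post-demotion cleanup of steps 11 to 17 from PowerShell instead of the Remove Roles Wizard. It assumes the server has already been demoted and restarted and that the ServerManager module (Windows Server 2012) is available; the $keepTools and $dnsStillUsed values are constructed placeholders for the decisions the wizard asks you to make in steps 4 and 14.

```powershell
# Added example (not from the original topic): remove the AD DS role binaries
# after demotion, the PowerShell equivalent of wizard steps 11 to 17.
Import-Module ServerManager

# Refuse to run while the server is still a domain controller: the role
# binaries cannot be removed from a running DC (the wizard's validation error).
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$domainRole = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($domainRole -ge 4) {
    throw 'This server is still a domain controller; demote it first.'
}

# Step 14: keep the management tools when this server will be used to
# administer other domain controllers. Constructed value; set to suit.
$keepTools = $true

# Step 4: remove the DNS Server role only once it no longer serves any purpose,
# i.e. after DHCP scopes and DNS clients have been repointed elsewhere.
# Constructed value; change to $false once that is done.
$dnsStillUsed = $true

$features = @('AD-Domain-Services')
if (-not $dnsStillUsed) { $features += 'DNS' }

# Steps 15 and 16: remove the selected roles without an automatic restart so the
# result can be reviewed first.
$result = Uninstall-WindowsFeature -Name $features -IncludeManagementTools:(-not $keepTools) -Restart:$false
$result | Format-List Success, RestartNeeded, FeatureResult

# Step 17: a restart completes the removal of the role binaries.
if ($result.RestartNeeded -eq 'Yes') {
    Write-Host 'Restart the server to finish removing the role binaries.'
}
```

Get-WindowsFeature AD-Domain-Services after the restart should show the role as not installed; if the DNS Server role was kept, remember that the Active Directory-integrated zones it hosted were removed during demotion, so verify that the remaining zones are the ones you intend it to serve.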

See Also

Demoting Domain Controllers and Domains (Level 200)