Identity with Windows Server 2016：Microsoft 70-742 MCSA Exam Guide

上QQ阅读APP看书，第一时间看更新

Removing a domain controller from a domain

Adding a new domain controller was covered in the previous section. We now know how to deploy a new forest or an additional domain controller with the GUI wizard or with PowerShell commands. Sometimes, you need to remove the domain controller from the domain, a process that's logically different from adding a new domain controller.

The domain controller removal process consists of two steps: demoting the domain controller and removing an AD DS role from the server. Like other tasks, this can be done using either the GUI wizard or PowerShell commands.

If you want to remove the domain controller using the GUI wizard, the removal process consists of several steps that need to be performed:

The removal process starts with Remove Roles and Features using the Server Manager console:

You need to select the Active Directory Domain Services role, as that role needs to be removed:

Because the removal process is dependent on the demotion of the domain controller, the process will fail on validation. The wizard will give you the option to click on Demote this domain controller, as shown in the following screenshot. A new wizard for the demotion process will be opened automatically:

If your domain controller is not the last in the domain, you don't need to check the Force the removal of this domain controller checkbox. If your domain controller is the last in the domain, or if it doesn't have any connectivity to other domain controllers, then you do need to check this checkbox:

Confirm that you want to proceed with the domain controller removal:

Finally, you need to click on the Demote button to start the demotion process:

On the very first tab of the GUI wizard to demote the domain controller, you'll have the option to select the Force the removal of this domain controller checkbox. Don't check this checkbox unless the domain controller isn't the last domain controller in the domain. If you check this, the demoting process will not inform other domain controllers about the change, and the metadata cleanup process will need to be performed manually.

During the process, you'll be asked to enter your password twice. That is because the domain controller doesn't have local users or groups, and if you demote the domain controller from the server, the server will stay part of the domain as a member server. This means that the local users and groups will be active on the server again. The provided password is for the local Administrator account.

Once the domain controller is successfully demoted from the server, the server will restart. After the server is restarted, you need to start the AD DS removal process from the Server Manager in order to remove the AD DS role from the server.

If you decide to demote the domain controller and remove the AD DS role from the server using PowerShell, you need to start the process by demoting the domain controller. After that, you can remove the AD DS role from the server:

Import-Module ADDSDeployment
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force:$true

You'll be asked to enter a new local administrator password twice. Once the PowerShell command successfully demotes the domain controller from the server, the server will restart. After the server is restarted, you need to run the following command to remove an AD DS role from the server:

Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools -Restart

If you try to remove AD DS before demoting the domain controller, PowerShell will return an error .