Q. I'm having a problem demoting a domain controller (DC)? How can I demote it?

A. If you run Dcpromo on an existing DC to demote it and Dcpromo fails because of a problem with your network, name resolution, authentication, or replication, you should resolve the problem and then restart Dcpromo. If you try to resolve the problem and Dcpromo still fails, you can still demote the DC by running Dcpromo with the /forceremoval switch, which tells Dcpromo to ignore errors. The /forceremoval switch is a last resort that you should use only when absolutely necessary. If you use the /forceremoval switch, make sure you perform the following tasks after the DC is demoted:

  • Use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to remove the computer account from the domain.
  • Verify that DNS records, including A, CNAME, and SRV records, have been removed. If the records still exist, use the MMC DNS snap-in to remove them.
  • Verify that File Replication Service (FRS) member objects (FRS and DFS) have been removed; if they still exist, use the DNS snap-in to remove them.
  • If the demoted DC is a member of any security groups, remove it from those groups.
  • Remove any DFS references to the demoted server (i.e., links or root replicas).
  • If the server held any Flexible Single-Master Operation (FSMO) roles, make sure that another DC explicitly takes these roles.
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.