Active Directory Server Core
Author: Jackson Chen
dcpromo /unattend /username:<domain admin> /userdomain:<domain> /password:<DA password> /administratorpassword:<local admin password>
where
/administratorpassword # enter new local admin password
To demote with alternate settings, the following unattend parameters are available for demotion (default values are enclosed in <>):
/AdministratorPassword:"administrator password"
Specifies a local administrator account password when demoting a domain controller. The default is an empty password.
/DemoteFSMO:{Yes | <No>}
Indicates that (forced) demotion should continue even if a FSMO role is discovered on the domain controller being demoted.
/DNSDelegationPassword:{"password" | *}
Specifies the password for the user name (account credentials) to use for creating or removing DNS delegation. Specify * to prompt the user to enter credentials.
/DNSDelegationUserName:"user_name"
Specifies the user name (account credentials) used for creating or removing DNS delegation. If no value is specified, the credentials used for the domain controller installation or removal are used.
/IgnoreIsLastDcInDomainMismatch:{Yes | <No>}
Specifies whether to continue the demotion of the domain controller when either the switch /IsLastDCInDomain:Yes is specified and dcpromo detects that there is actually another active domain controller in the domain, or when the switch /IsLastDCInDomain:No is specified and dcpromo cannot contact any other domain controller in the domain. The default (No) causes the wizard to prompt the user to continue and causes the command-line tool to exit with an error.
/IgnoreIsLastDNSServerForZone:{Yes | <No>}
Specifies whether to continue demotion despite that the domain controller is the last DNS server for one or more of the Active Directory-integrated DNS zones that it hosts.
/IsLastDCInDomain:{Yes | <No>}
Specifies whether the computer which is being demoted is the last domain controller in the domain.
/Password:{"password" | *}
Specifies the password corresponding to the user name (account credentials) used for the operation. Specify * to prompt the user to enter credentials.
/RebootOnCompletion:{<Yes> | No}
Specifies whether to restart the computer upon completion, regardless of success.
/RebootOnSuccess:{<Yes> | No | NoAndNoPromptEither}
Specifies whether to restart the computer upon successful completion.
/RemoveApplicationPartitions:{Yes | <No>}
Specifies whether to remove application partitions during the demotion of the domain controller.
/RemoveDNSDelegation:{<Yes> | No}
Specifies whether DNS delegations pointing to this DNS server should be removed from the parent zone.
/RetainDCMetadata:{Yes | <No>}
Specifies to retain domain controller metadata in the domain after AD DS removal. Delegated read-only domain controller (RODC) administrators should specify this option to demote an RODC.
/UserDomain:"domain_name"
Specifies the domain name for the user name (account credentials) used for the operation. It also helps to specify the forest where you plan to install the domain controller or create an RODC account. If no value is specified, the domain of the computer will be used.
/UserName:"user_name"
Specifies the user name (account credentials) used for the operation. If no value is specified, the credentials of the current user are used for the operation.
#*********************
https://www.dell.com/support/kbdoc/en-au/000135188/how-to-demote-a-domain-controller-in-windows-server-2012-and-later-versions
Demoting a 2012 / 2012 R2 DC using PowerShell (quick and easy method)
1. Open a PowerShell prompt.
2. Enter 'Uninstall-ADDSDomainController'.
   a. For a forced removal, add '-ForceRemoval:$true' to the command line.
3. Enter the new local Administrator password when prompted and press Enter.
4. Confirm the password and press Enter.
5. Accept the default and press Enter.
6. The server will demote and automatically reboot. The AD DS binaries will still be present on the server, but the server will have been demoted.
PowerShell commands
# List the cmdlets in the ADDSDeployment module
Get-Command -Module ADDSDeployment
# Create a credential variable (enter a domain admin credential when prompted)
$cred = Get-Credential
# Create a secure string for the new local Administrator password
# (placeholder value; in practice prompt with Read-Host -AsSecureString rather than hard-coding it)
$adminPassword = ConvertTo-SecureString -String "NewAdminPasswordWhenDemotionRequired" -AsPlainText -Force
# Dry run of Uninstall-ADDSDomainController with -WhatIf
Uninstall-ADDSDomainController -LocalAdministratorPassword $adminPassword -Credential $cred -DnsDelegationRemovalCredential $cred -RemoveDnsDelegation -WhatIf
# Run the uninstallation test (simulation) to check for issues or dependencies before demoting.
# It also prompts for the new local Administrator password that applies after the server is demoted.
Test-ADDSDomainControllerUninstallation -DemoteOperationMasterRole -LastDomainControllerInDomain -RemoveApplicationPartitions
# Demote the DC
Uninstall-ADDSDomainController -LocalAdministratorPassword $adminPassword `
-Credential $cred `
-DnsDelegationRemovalCredential $cred `
-RemoveDnsDelegation -Confirm:$false
# Remote to the Server Core DC and demote it from there
Enter-PSSession <dc-name>
# Prompts for the new local admin password; the server reboots on completion
# (unless -NoRebootOnCompletion is given), which ends the remote session
Uninstall-ADDSDomainController -DemoteOperationMasterRole -Force
# After the reboot, unjoin the demoted server from the domain (run on that server)
Remove-Computer -Restart -Force
# From a remaining DC or management host, remove the leftover computer object
Get-ADComputer <dc-name> | Remove-ADObject -Recursive -Confirm:$false
# Remove the server object from its site in the Configuration partition
Set-Location AD:
Remove-Item -Path 'AD:\CN=<dc-name>,CN=Servers,CN=<site-name>,CN=Sites,CN=Configuration,DC=LAB,DC=LOCAL' -Force
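As an added example (not part of these notes or the Dell article), the script below ties the steps above together: it refuses to demote a DC that still holds an operations master role, runs the uninstallation test before the real demotion, and only deletes the server object once its NTDS Settings object is confirmed gone. It assumes it runs from a surviving domain-joined management host with the RSAT ActiveDirectory module and PowerShell remoting to the target; the DC name DC02 and site name Default-First-Site-Name are placeholders.

```powershell
# Added example, not from the original notes: checked demotion of $DcName plus site cleanup.
# Runs from a surviving management host with the RSAT AD module and PS remoting enabled.
# $DcName and $SiteName are placeholder values; replace them for your environment.
$DcName   = 'DC02'
$SiteName = 'Default-First-Site-Name'
$Cred     = Get-Credential -Message 'Domain Admin account'
$LocalPwd = Read-Host -AsSecureString 'New local Administrator password'  # never hard-code this

# 1. Stop if the DC still holds an operations master role: transfer roles deliberately
#    instead of letting -DemoteOperationMasterRole push past them.
$domain = Get-ADDomain
$forest = Get-ADForest
$held = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
          $forest.SchemaMaster, $forest.DomainNamingMaster) | Where-Object { $_ -like "$DcName.*" }
if ($held) { throw "$DcName still holds FSMO roles: $($held -join ', '). Transfer them first." }

# 2. Simulate the demotion on the target and stop on any reported problem
$check = Invoke-Command -ComputerName $DcName -Credential $Cred -ArgumentList $LocalPwd -ScriptBlock {
    param($pwd)
    Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $pwd -RemoveDnsDelegation
}
if ($check.Status -ne 'Success') { throw "Pre-check failed: $($check.Message)" }

# 3. Demote. The target reboots when this completes, which ends the remote session.
Invoke-Command -ComputerName $DcName -Credential $Cred -ArgumentList $LocalPwd, $Cred -ScriptBlock {
    param($pwd, $c)
    Uninstall-ADDSDomainController -LocalAdministratorPassword $pwd -Credential $c `
        -DnsDelegationRemovalCredential $c -RemoveDnsDelegation -Confirm:$false
}

# 4. After the reboot, delete the server object from the site only if its NTDS Settings
#    object is gone; a leftover one means replication metadata is still stale.
$cfgNc    = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$DcName,CN=Servers,CN=$SiteName,CN=Sites,$cfgNc"
$server   = Get-ADObject -Filter "distinguishedName -eq '$serverDn'" -SearchBase $cfgNc
if (-not $server) {
    Write-Output "Server object for $DcName is already gone"
} elseif (Get-ADObject -Filter 'objectClass -eq "nTDSDSA"' -SearchBase $serverDn) {
    Write-Warning "$DcName still has an NTDS Settings object; clean up its metadata (ntdsutil) before removing it"
} else {
    Remove-ADObject -Identity $serverDn -Recursive -Confirm:$false
    Get-ADComputer -Filter "Name -eq '$DcName'" | Remove-ADObject -Recursive -Confirm:$false
}
```

Step 4 has to wait for the target's reboot and for the deletion of the NTDS Settings object to replicate to the DC the management host is talking to; rerun it if the warning fires immediately after demotion.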