Demoting a Domain Controller When Normal Demotion Fails

If DCPromo fails to demote a Domain Controller gracefully, you can force the machine to forget it’s a DC by temporarily tricking it into thinking it’s a member server.

Step 1 — Modify the product type in the registry

Boot into Directory Services Restore Mode (DSRM) and open Regedit. Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

Change the ProductType value from LanmanNT to ServerNT. Reboot normally.

Step 2 — Disjoin from the domain

The machine now identifies itself as a member server. Disjoin it from the domain and reboot.

Step 3 — Promote to a dummy domain

Run DCPromo and promote the machine into a throwaway domain (e.g., deleteme.com). Important:

• Point DNS to itself
• Accept the offer to install DNS during promotion
• Accept all default file locations

Step 4 — Demote gracefully

Once promotion completes, immediately run DCPromo again to demote. This graceful demotion removes all DC-specific components — SYSVOL, NTDS.dit, etc. The machine is now in a workgroup.

Step 5 — Rejoin the original domain

Point DNS back to your original DNS server, rejoin the domain, and run DCPromo to promote normally.