There may be circumstances where you need to demote a DC. For example, one reason is upgrading to a new version of Samba, another being that a DC is dead (and will never come back up).

Please note:

• Before demoting a DC, check if it owns any or all seven FSMO roles. If it does, they need to be transferred to another DC. Do not demote a DC that has any or all FSMO roles.

• If you have a dead server that owns any or all of the FSMO roles, seize them from another DC before remotely demoting it.

On DC2, execute:

samba-tool domain demote -U "Administrator"
systemctl stop samba-ad-dc.service

You can now continue to clean up DNS entries.

Please note: Never connect DC2 again after it has been remotely demoted.

On DC1 (the other working DC), execute:

samba-tool domain demote --remove-other-dead-server=DC2 -U "MAD\Administrator"

Let me say it again: Never ever reconnect a remotely demoted DC — it will break your AD.

Personally I like running these on a live DC after every demote:

samba-tool dbcheck --cross-ncs --fix --yes
samba-tool domain tombstones expunge --tombstone-lifetime=0

In both cases — unless you are demoting to upgrade and then re-join again with the same name (for example after upgrading Samba to a newer version) — you may want to go through the DNS tree (easier using the DNS tool from Windows RSAT) and search for and delete old entries of the demoted DC.

Caponato's Samba notebook. Start here or return to Main menu.