There may be circumstances where you need to demote a DC. For example, one reason is upgrading to a new version of samba, other being a DC is for any reason dead (and will never come back up).

Please note:

• Before demoting a DC, check if it owns any or all seven FSMO roles, if they do, they need to be transferred to another DC. Do not demote a DC that has any or all FSMO roles.

• If you have a dead server that owns any or all the FSMO roles, seize them from another DC before remotely demoting it.

On DC2, execute:

samba-tool domain demote -U "Administrator"
systemctl stop samba-ad-dc.service

You can now continue to cleanup DNS entries.

Please note: Never connect DC2 again after it has been remotely demoted

On DC1 (the other working DC), execute:

samba-tool domain demote --remove-other-dead-server=DC2 -U "MAD\Administrator"

Let me say it again: Never ever reconnect a remotely demoted DC, it will break your AD.

Personally I like running these on a live DC after every demote.

samba-tool dbcheck --cross-ncs --fix --yes
samba-tool domain tombstones expunge --tombstone-lifetime=0

In bothe cases, unless you are demoting to upgrade and then re-join again with same name (for example after upgrading samba to newer version), you may want to go trough DNS tree (easier using DNS tool from Windows RSAT) and search for and delete old entries of the demoted DC.

Caponato's Samba notebook. Start here or else Main menu