Demoting Domain Controllers and Domains (Level 200)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains how to remove AD DS, using Server Manager or Windows PowerShell.

AD DS Removal Workflow

Warning

Removing the AD DS roles with Dism.exe or the Windows PowerShell DISM module after promotion to a Domain Controller is not supported and will prevent the server from booting normally.

Unlike Server Manager or the ADDSDeployment module for Windows PowerShell, DISM is a native servicing system that has no inherent knowledge of AD DS or its configuration. Do not use Dism.exe or the Windows PowerShell DISM module to uninstall the AD DS role unless the server is no longer a domain controller.

Demotion and Role Removal Windows PowerShell

ADDSDeployment and ServerManager Cmdlets: Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS Configuration Wizard.)

  • Uninstall-AddsDomainController: -SkipPreChecks, -LocalAdministratorPassword, -Confirm, -Credential, -DemoteOperationMasterRole, -DNSDelegationRemovalCredential, -Force, -ForceRemoval, -IgnoreLastDCInDomainMismatch, -IgnoreLastDNSServerForZone, -LastDomainControllerInDomain, -Norebootoncompletion, -RemoveApplicationPartitions, -RemoveDNSDelegation, -RetainDCMetadata

  • Uninstall-WindowsFeature/Remove-WindowsFeature: -Name, -IncludeManagementTools, -Restart, -Remove, -Force, -ComputerName, -Credential, -LogPath, -Vhd

Note

The -credential argument is only required if you are not already logged on as a member of the Enterprise Admins group (demoting last DC in a domain) or the Domain Admins group (demoting a replica DC). The -includemanagementtools argument is only required if you want to remove all of the AD DS management utilities.

Demote

Remove Roles and Features

Server Manager offers two interfaces for removing the Active Directory Domain Services role:

  • The Manage menu on the main dashboard, using Remove Roles and Features

  • Click AD DS or All Servers on the navigation pane. Scroll down to the Roles and Features section. Right-click Active Directory Domain Services in the Roles and Features list and click Remove Role or Feature. This interface skips the Server Selection page.

The ServerManager cmdlets Uninstall-WindowsFeature and Remove-WindowsFeature prevent you from removing the AD DS role until you demote the domain controller.

Server Selection

The Server Selection dialog enables you to choose from one of the servers previously added to the pool, as long as it is accessible. The local server running Server Manager is always automatically available.

Server Roles and Features

Clear the Active Directory Domain Services check box to demote a domain controller; if the server is currently a domain controller, this does not remove the AD DS role and instead switches to a Validation Results dialog with the offer to demote. Otherwise, it simply removes the binaries like any other role feature.

  • Do not remove any other AD DS-related roles or features - such as DNS, GPMC, or the RSAT tools - if you intend to promote the domain controller again immediately. Removing additional roles and features increases the time to re-promote, as Server Manager reinstalls these features when you reinstall the role.

  • Remove unneeded AD DS roles and features at your own discretion if you intend to demote the domain controller permanently. This requires clearing the check boxes for those roles and features.

    The full list of AD DS-related roles and features includes:

    • Active Directory Module for Windows PowerShell feature

    • AD DS and AD LDS Tools feature

    • Active Directory Administrative Center feature

    • AD DS Snap-ins and Command-line Tools feature

    • DNS Server

    • Group Policy Management Console

The equivalent ADDSDeployment and ServerManager Windows PowerShell cmdlets are:

Uninstall-addsdomaincontroller  
Uninstall-windowsfeature  

Credentials

You configure demotion options on the Credentials page. Provide the credentials necessary to perform the demotion from the following list:

  • Demoting an additional domain controller requires Domain Admin credentials. Selecting Force the removal of this domain controller demotes the domain controller without removing the domain controller object's metadata from Active Directory.

    Warning

    Do not select this option unless the domain controller cannot contact other domain controllers and there is no reasonable way to resolve that network issue. Forced demotion leaves orphaned metadata in Active Directory on the remaining domain controllers in the forest. In addition, all un-replicated changes on that domain controller, such as passwords or new user accounts, are lost forever. Orphaned metadata is the root cause in a significant percentage of Microsoft Customer Support cases for AD DS, Exchange, SQL, and other software.

    If you forcibly demote a domain controller, you must manually perform metadata cleanup immediately. For steps, review Clean Up Server Metadata.

  • Demoting the last domain controller in a domain requires Enterprise Admins group membership, as this removes the domain itself (if the last domain in the forest, this removes the forest). Server Manager informs you if the current domain controller is the last domain controller in the domain. Select the Last domain controller in the domain check box to confirm the domain controller is the last domain controller in the domain.

The equivalent ADDSDeployment Windows PowerShell arguments are:

-credential <pscredential>  
-forceremoval <{ $true | false }>  
-lastdomaincontrollerindomain <{ $true | false }>  

Warnings

The Warnings page alerts you to the possible consequences of removing this domain controller. To continue, you must select Proceed with removal.

Warning

If you previously selected Force the removal of this domain controller on the Credentials page, then the Warnings page shows all Flexible Single Master Operations roles hosted by this domain controller. You must seize the roles from another domain controller immediately after demoting this server. For more information on seizing FSMO roles, see Seize the Operations Master Role.

This page does not have an equivalent ADDSDeployment Windows PowerShell argument.

Removal Options

The Removal Options page appears depending on previously selecting Last domain controller in the domain on the Credentials page. This page enables you to configure additional removal options. Select Ignore last DNS server for zone, Remove application partitions, and Remove DNS Delegation to expose the Next button.

The options only appear if applicable to this domain controller. For instance, if there is no DNS delegation for this server then that checkbox will not display.

Click Change to specify alternate DNS administrative credentials. Click View Partitions to view additional partitions the wizard removes during the demotion. By default, the only additional partitions are Domain DNS and Forest DNS Zones. All other partitions are non-Windows partitions.

The equivalent ADDSDeployment cmdlet arguments are:

-ignorelastdnsserverforzone <{ $true | false }>  
-removeapplicationpartitions <{ $true | false }>  
-removednsdelegation <{ $true | false }>  
-dnsdelegationremovalcredential <pscredential>  

New Administrator Password

The New Administrator Password page requires you to provide a password for the built-in local computer's Administrator account, once the demotion completes and the computer becomes a domain member server or workgroup computer.

The Uninstall-ADDSDomainController cmdlet and arguments follow the same defaults as Server Manager if not specified.

The LocalAdministratorPassword argument is special:

  • If not specified as an argument, then the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

  • If specified with a value, then the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

-localadministratorpassword (read-host -prompt "Password:" -assecurestring)  

Warning

As the previous two options do not confirm the password, use extreme caution: the password is not visible.

You can also provide a secure string as a converted clear-text variable, although this is highly discouraged. For example:

-localadministratorpassword (convertto-securestring "Password1" -asplaintext -force)  

Warning

Providing or storing a clear text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the local administrator password of that computer. With that knowledge, they have access to all of its data and can impersonate the server itself.
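One way to keep the masked prompt while restoring the confirmation step that a bare Read-Host lacks, as an added example (not code from the original page). The function name Read-ConfirmedSecureString is hypothetical; the cmdlets and the -WhatIf argument are the ones this topic describes.

```powershell
# Added example, not from the original page.
# Read-ConfirmedSecureString is a hypothetical helper name.
function Read-ConfirmedSecureString {
    param([string]$Prompt = 'New local Administrator password')

    while ($true) {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString

        # NetworkCredential exposes the clear text only in memory, only for
        # the comparison. New-Object keeps this usable on PowerShell 3.0/4.0.
        $a = (New-Object System.Net.NetworkCredential -ArgumentList '', $first).Password
        $b = (New-Object System.Net.NetworkCredential -ArgumentList '', $second).Password

        # -ceq is case-sensitive; plain -eq would accept 'Secret' vs 'secret'.
        $match = ($a.Length -gt 0) -and ($a -ceq $b)
        $a = $b = $null
        $second.Dispose()

        if ($match) { return $first }

        $first.Dispose()
        Write-Warning 'The entries were empty or did not match. Try again.'
    }
}

Import-Module ADDSDeployment

$localAdminPw = Read-ConfirmedSecureString

# -WhatIf reviews the explicit and implicit argument values without demoting.
Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdminPw -WhatIf
```

The password never appears in the script text, the command history or a transcript, which is the exposure the clear-text ConvertTo-SecureString form creates.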

Confirmation

The Confirmation page shows the planned demotion; the page does not list demotion configuration options. This is the last page the wizard shows before the demotion begins. The View Script button creates a Windows PowerShell demotion script.

Click Demote to run the following AD DS Deployment cmdlet:

Uninstall-ADDSDomainController  

Use the optional Whatif argument with the Uninstall-ADDSDomainController cmdlet to review configuration information. This enables you to see the explicit and implicit values of a cmdlet's arguments.

For example:

The prompt to restart is your last opportunity to cancel this operation when using ADDSDeployment Windows PowerShell. To override that prompt, use the -force or -confirm:$false arguments.

Demotion

When the Demotion page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and write to logs:

  • %systemroot%\debug\dcpromo.log

  • %systemroot%\debug\dcpromoui.log

Since Uninstall-AddsDomainController and Uninstall-WindowsFeature only have one action apiece, they are shown here in the Confirmation phase with the minimum required arguments. Pressing ENTER starts the irrevocable demotion process and restarts the computer.

To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end of promotion, use the -norebootoncompletion:$false argument.

Warning

Overriding the reboot is discouraged. The member server must reboot to function correctly.

Here is an example of forcibly demoting with its minimal required arguments of -forceremoval and -demoteoperationmasterrole. The -credential argument is not required because the user logged on as a member of the Enterprise Admins group:

Here is an example of removing the last domain controller in the domain with its minimal required arguments of -lastdomaincontrollerindomain and -removeapplicationpartitions:
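A pre-check for choosing between the argument sets described above, as an added example (not code from the original page). It assumes the ActiveDirectory module from the RSAT tools is still installed on the server; the variable names are the example's own, and the final call uses -WhatIf so nothing is demoted.

```powershell
# Added example, not from the original page.
# Run elevated on the domain controller that is about to be demoted.
Import-Module ActiveDirectory, ADDSDeployment

$self = Get-ADDomainController -Identity $env:COMPUTERNAME

# Every other domain controller that still serves this domain.
$others = @(Get-ADDomainController -Filter * -Server $self.Domain |
    Where-Object { $_.HostName -ne $self.HostName })

# FSMO roles hosted on this server. After a forced removal these have to be
# seized from another domain controller, so record them before starting.
$roles = @($self.OperationMasterRoles)

$demoteArgs = @{ WhatIf = $true }   # review only, nothing is changed

if ($others.Count -eq 0) {
    Write-Warning "$($self.HostName) is the last DC in $($self.Domain). Demoting it removes the domain."
    $demoteArgs.LastDomainControllerInDomain = $true
    $demoteArgs.RemoveApplicationPartitions  = $true
}
else {
    Write-Host "Other DCs in $($self.Domain): $($others.HostName -join ', ')"
}

if ($roles.Count -gt 0) {
    Write-Warning "FSMO roles hosted here: $($roles -join ', ')"
}

# With no -LocalAdministratorPassword supplied the cmdlet prompts for it,
# then -WhatIf lists the explicit and implicit argument values.
Uninstall-ADDSDomainController @demoteArgs
```

Remove the WhatIf entry from the hashtable only after the listed argument values match what you intend.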


If you attempt to remove the AD DS role before demoting the server, Windows PowerShell blocks you with an intentional error:

Uninstall-WindowsFeature : An uninstallation prerequisite step failed during  
the removal of AD-Domain-Services, and uninstallation cannot continue.  
1. The domain controller needs to be demoted before the Active Directory  
Domain Services Role can be uninstalled.  

Important

You must restart the computer after demoting the server before you can remove the AD-Domain-Services role binaries.

Results

The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot after 10 seconds.