Promoting a Windows Server 2012 RODC to become a writeable domain controller

Having now moved the rest of the business into the new office, it is no longer functioning as a branch office, and so the RODC (Read-Only Domain Controller) I set up some time ago is no longer required.

The plan was that it would be demoted and we would return to having just the two domain controllers. However, I changed my mind, as the other domain controllers are VMs on ESXi, which I don’t think is an ideal situation; I’d prefer to have at least one physical domain controller.

Unfortunately the process of converting an RODC to a writeable DC isn’t quick, as you can’t go directly from one to the other: you need to demote it and then promote it again.

Starting in Server Manager, click on Manage > Remove Roles and Features.

Select the server from the list. In my case there is just the one server to choose from.

Then, counter-intuitively, you need to select to remove Active Directory Domain Services, even though you do want to continue using it as a domain controller. It all becomes clear in the next step.


The AD DS role cannot be removed until the domain controller has been demoted. This is what we wanted to do all along, so click on Demote this domain controller.

I don’t want to force the removal, as it is able to communicate with the other domain controllers and so can be removed normally (see about forcing removal of domain controllers).

A warning appears that removal of the AD DS role could break Active Directory; this is only a concern if clients can’t communicate with the other domain controllers. Tick the box to Proceed with removal and click Next.

The next bit is a crucial step, as you are asked if you wish to Retain domain controller metadata. The only reason to do so would be if you planned to reinstate the server as an RODC in the future. If you want to remove it entirely as a domain controller, or if you wish to promote it to being a writeable domain controller as I do, then you need to ensure you leave the box unticked. Click Next.
I’ll show you later the error you would get if you ticked the box and then tried to promote it as a full domain controller.

You need to set a new local administrator password for the server, as domain controllers do not have local admin accounts; they only accept domain accounts.

Review your selection. At this stage you can view the PowerShell script that is actually run under the hood when you click the Demote button. As this is a one-time-only affair there isn’t a reason to do so.

The process runs and the server reboots.

Then we’re back looking at Server Manager, and there is a flag indicating that you need to promote the server for it to become a domain controller. If you were removing the server as a domain controller, you would at this point return to Manage > Remove Roles and Features and complete the removal of the AD DS role.

But I do want to promote it, so I click on Promote this server to a domain controller.

Then the process is the same as shown in a previous post when I set the server up originally as a domain controller.
Select Add a domain controller to an existing domain, select the desired domain from the list and enter a domain administrator’s credentials.

Specify domain controller capabilities and site information. Click through the DNS delegation error.

Specify install/replication options: install from media or replicate from another domain controller.

Choose the file paths for the AD DS Database, log files and SYSVOL. Defaults are fine with me.

Then the prerequisites will be validated before AD DS is installed on the server. In the case of installing AD DS on a former RODC where the metadata had been retained, you would get the following error.

Otherwise the prerequisites check will pass and you can click Install to finalise the process.
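The same demote-then-promote sequence as an added PowerShell example (not the post’s own script, nor the script Server Manager generates): run it with -Phase Demote on the RODC, let it reboot, run -Phase Promote, then -Phase Verify after the second reboot. The domain name, site name and paths are placeholders, and it assumes the ADDSDeployment and ActiveDirectory modules are available on the server.

```powershell
param([Parameter(Mandatory)][ValidateSet('Demote','Promote','Verify')][string]$Phase)
Import-Module ADDSDeployment
Import-Module ActiveDirectory
$domain = 'corp.example'   # placeholder: your AD domain FQDN
$thisDC = $env:COMPUTERNAME

switch ($Phase) {
  'Demote' {
    # Pre-checks: this server must be the RODC, and another writeable DC must be
    # reachable, otherwise a normal (non-forced) demotion cannot succeed.
    $dcs = Get-ADDomainController -Filter * -Server $domain
    if (-not ($dcs | Where-Object { $_.Name -eq $thisDC }).IsReadOnly) {
      throw "$thisDC is not an RODC; nothing to convert."
    }
    if (-not ($dcs | Where-Object { -not $_.IsReadOnly })) {
      throw "No writeable DC reachable; do not demote this server."
    }
    $cred = Get-Credential -Message "Domain Admins account for $domain"
    # A DC has no local accounts, so a new local Administrator password is required.
    $localPwd = Read-Host -AsSecureString 'New local Administrator password'
    Test-ADDSDomainControllerUninstallation -Credential $cred -LocalAdministratorPassword $localPwd
    # -RetainDCMetadata is deliberately omitted: keeping the RODC metadata is what
    # makes the later promotion to a writeable DC fail. -Force only suppresses the
    # confirmation prompt; -ForceRemoval (not used) would be the forced demotion.
    Uninstall-ADDSDomainController -Credential $cred -LocalAdministratorPassword $localPwd -Force
  }
  'Promote' {   # run after the post-demotion reboot
    $cred    = Get-Credential -Message "Domain Admins account for $domain"
    $dsrmPwd = Read-Host -AsSecureString 'Directory Services Restore Mode password'
    $opts = @{
      DomainName                    = $domain
      Credential                    = $cred
      SafeModeAdministratorPassword = $dsrmPwd
      SiteName                      = 'Default-First-Site-Name'   # placeholder site name
      InstallDns                    = $true
      CreateDnsDelegation           = $false   # skips the DNS delegation step that errors in the wizard
      DatabasePath                  = 'C:\Windows\NTDS'
      LogPath                       = 'C:\Windows\NTDS'
      SysvolPath                    = 'C:\Windows\SYSVOL'
    }
    # No -ReadOnlyReplica switch: that is what makes this a writeable DC, not an RODC.
    Test-ADDSDomainControllerInstallation @opts
    Install-ADDSDomainController @opts -Force
  }
  'Verify' {    # run after the post-promotion reboot
    $dc = Get-ADDomainController -Identity $thisDC
    if ($dc.IsReadOnly) { throw "$thisDC is still read-only." }
    "$thisDC is now a writeable domain controller in $($dc.Domain)."
  }
}
```

The Test-ADDS* cmdlets are the same prerequisite checks the wizard runs, so a retained-metadata problem surfaces there before anything is changed.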

Microsoft’s official instruction on demoting a Server 2012 domain controller is to be found here.