How to remove Active Directory Domain from Windows Server 2012 Essentials (bad idea), attempt to restore the simplicity of Workgroup (failed)

Posted by Paul Braren on Jul 21 2012 in HomeServer, HowTo, Podcasts

    Jul 21 2012 Update 05:27pm ET:
    Warning: I am finding that I cannot get Windows 8 x64 Release Preview to connect to WS2012E when it's in the Workgroup mode described in the original article below. The IE browser in Windows 8 can find the server by name or IP, for example, and network shares work fine, no problems there. But the actual connector install fails when it says it cannot find the server (by name or IP). The actual error states:

    "Cannot locate or identify your server. Your server cannot be located. Enter your server's name or IP address to proceed."

    Visitor pcdoc also noticed issues with adding users after going to Workgroup, "There was a problem adding the user account. An unknown error occurred. Wait a few minutes and then try again. If the problem persists, open Event Viewer and examine the log files to determine the cause." Windows Server Media Streaming Services is broken by the demotion as well.

    Still working on possible ways around these issues, but please don't conclude anything just yet. My gut tells me we're headed toward having to tweak a custom cfg.ini for an automated install in Workgroup mode from the start, but I don't really know yet if that cfg.ini Workgroup tweaking is even possible in WS2012E, or a good idea. And don't forget, this is all just beta code, so back up (or snapshot your VM) first before trying anything like this!

    Jul 22 2012 Update 12:39am ET:
    No luck with an approach of getting the installer to keep from creating a Domain in the first place, such as the use of autounattend.xml outlined here (that works, avoiding all Windows install questions, but Domain creation is still required). Giving up trying for now. See also the new screenshot taken during an install where you click "Learn More", which makes the likelihood of making this all work without a Domain seem even less likely; see also discussion here and here:


    Jul 25 2012 7:27pm ET Update: "TheAndyMac" comments here (9 hours ago):

    I think that one of the issues you will have with what you've done is the removal of certificate services - these seem to be key to some of the features in WHS and especially in WHS2011 where you had to cut out from the end-to-end installation if you wanted your machine to have a non-standard DNS suffix. If you can find a way to re-introduce certificate services correctly in workgroup mode, then maybe this will be closer. However, sounds like there may be breaking issues with the dashboard user management which is now probably assuming AD as the source and does not allow for non-AD (i.e. local) accounts to be managed. Even if you can fix some of these things, I would expect that Microsoft won't explicitly support it (i.e. they will say that you have to reinstall without customisation before they will help with problems) as this is a "non standard" configuration ---- after all, they reduced the number of SKUs to make it all easier to support in the first place :-(

    The alternative approach is to live with AD running on the server but somehow finding a way to stop machines being forced to join the domain when they are added to the server. This configuration does work, as non-domain capable machines can still be connected (and I have also gone through joining a Win7Pro to the machine and then moving it back to the workgroup) and this all seems ok. The only problem here is that undoing it is a pain, and if you want to keep backups of a machine already joined to another domain, it will "override" this without telling you..... I have posted this up the forum (as have a number of others) with the request to have a prompt during install of the connector to allow you to leave them as workgroup machines.

    Aug 02 2012 Update: see also "Windows 8 Server Essentials multiple domains"

    Sep 22 2012 Update:
    Much better, sanctioned-by-Microsoft method available here:
    How to skip domain joining during client deployment in a Windows Server 2012 Essentials network
    which I've tested and seems to work fine.

    Original article:


    Many of you know that since the release of the beta of Windows Server 2012 Beta Essentials, I've had a bit of a thing for the notion of removing the Domain stuff, leaving just the WHSv1/WHS2011-like simple Workgroup stuff. This would allow me to back up systems that are members of other domains, for example, discussed at length in the Home Server Show Forums:

    I can be a little stubborn, not coping well with the death of WHS2011, never entirely losing hope of resurrection of the Workgroup. This tenacity was discussed in a rather humorous way by the Home Server Show crew, 25 minutes and 25 seconds into the very recent Podcast 190, referring to my use of netplwiz.exe in Windows 7 and Windows 8 VMs in my lab, to auto-login at reboot.

    Today was my first stab at removing the Active Directory functionality from Windows Server 2012 Beta Essentials, deciding to stop Googling, and start doing. Given how close RTM likely is, I suspect this same procedure will apply for Windows Server 2012 Essentials as well, once it's actually released. I owe credit to Joe Miner for outlining this basic procedure last week here.

    Here are the basic steps you'll see me follow in the video, with more screenshots and more concise video to come, once I've started my lab over from scratch (relatively easy with vZilla, snapshots, and templates).

    How to Demote WS2012E:

    • Win+Q (shortcut for Search), type "Server Manager" and hit Enter
    • Manage (drop down menu at top-right)
    • Remove Roles and Features (wizard)
    • Expand "Active Directory Certificate Services" section and uncheck "Certificate Authority Web Enrollment" and click Next, then Next again, then Remove button:
    • in "Server Manager" click Manage (drop down menu at top-right), "Remove Roles and Features" menu selection (wizard)
    • uncheck "Active Directory Certificate Services" click Next, Next again, then click the Remove button to confirm:
    • Close the dialogue, and Reboot
    • after reboot, Win+Q, type "Server Manager" and hit Enter
    • Manage (drop down menu at top-right)
    • Remove Roles and Features (wizard)
    • Next, Next, uncheck "Active Directory Domain Services" and click Next, then Remove Features button
    • choose "Demote this domain controller" click OK
    • confirm "Force the removal of this domain controller" and click Next
    • confirm "Proceed with removal" and click Next
    • type admin "Password" twice, and click Next
    • click "Demote"
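
As an added example (not from the original article or video), this read-only PowerShell check records the install state of the three roles the steps above remove, plus the server's domain membership, so a before/after comparison shows exactly what the demotion changed. The baseline file name is an assumption; the feature names are those reported by Get-WindowsFeature on Windows Server 2012.

```powershell
# Added example: read-only snapshot of the roles touched by the demotion steps.
# Run in an elevated PowerShell 3.0+ session on the server, once before the
# procedure and once after the final reboot. Nothing is installed or removed.
Import-Module ServerManager

# Feature names as listed by Get-WindowsFeature on Windows Server 2012.
$roles = 'ADCS-Web-Enrollment', 'AD-Certificate', 'AD-Domain-Services'

# Win32_ComputerSystem.DomainRole values (documented WMI enumeration).
$domainRoleNames = @{
    0 = 'Standalone workstation';   1 = 'Member workstation'
    2 = 'Standalone server';        3 = 'Member server'
    4 = 'Backup domain controller'; 5 = 'Primary domain controller'
}

function Get-DemotionState {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $state = [ordered]@{
        Timestamp         = (Get-Date).ToString('s')
        ComputerName      = $cs.Name
        PartOfDomain      = $cs.PartOfDomain
        DomainOrWorkgroup = $cs.Domain   # workgroup name when not domain-joined
        DomainRole        = $domainRoleNames[[int]$cs.DomainRole]
    }
    foreach ($f in Get-WindowsFeature -Name $roles) {
        $state[$f.Name] = $f.InstallState.ToString()
    }
    [pscustomobject]$state
}

$current = Get-DemotionState
$current | Format-List

# Hypothetical baseline location; ProgramData survives the switch from the
# domain administrator profile to the local administrator after demotion.
$baseline = Join-Path $env:ProgramData 'ws2012e-role-baseline.xml'
if (Test-Path $baseline) {
    $before = Import-Clixml $baseline
    foreach ($p in $current.PSObject.Properties) {
        $old = $before.($p.Name)
        if ($p.Name -ne 'Timestamp' -and "$old" -ne "$($p.Value)") {
            '{0}: {1} -> {2}' -f $p.Name, $old, $p.Value
        }
    }
} else {
    $current | Export-Clixml $baseline
    "Baseline saved to $baseline"
}
```

The first run saves the baseline; the second run prints only the properties that changed, such as DomainRole and the install state of each removed role.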

    I have not yet tested if doing this demotion procedure breaks any basic functionality of the product, but at first blush, it appears not, as backups do appear to continue to work fine. This first test opens the door to my recording sequel videos next, hopefully showing:

    • install WS2012E (Windows Server 2012 Essentials)
    • remove AD Domain role and reboot
    • install client connector on PCs
    • determine if backup and shared folders functionality still appears to work fine

    so stay tuned!

    For now, enjoy this initial discovery video, which was totally unrehearsed, and done on a slow external RAID5 (not SSD), and it turned out to be rather straightforward. That's right, no PowerShell, no registry editing, or other somewhat-hack-like steps required, just straightforward GUI stuff.