This is a very obvious and n00b mistake to make, and I am proud of my ignorance. When you remove a domain controller from a domain (not the last domain controller mind you), you do so by demoting it. In Windows 2012 R2 and newer the standard way is to uninstall the "Active Directory Domain Services" role from Server Manager, and selecting the "Demote this domain controller" option when prompted.
However, following this procedure will cause a reboot, and when you try to log in you may, if you were as ignorant as I was, find yourself locked out of the server. I tried to log in under the domain administrator account but got the error:
There are no logon servers available to service the logon request
I knew what the problem was immediately - I neglected to add the IP address of the new PDC to the secondary DNS IP of the demoted domain controller, since removing the ADDS role will also remove the DNS Server role, the server had no way to contact the remaining domain controller.
To do so I tried to log in as local administrator, only to be greeted by the "Please wait for the User Profile service..." message, and after a couple of seconds I got kicked out to the login screen. This is in a HyperV Gen2 VM.
Only way I found to get back in to make the required DNS change is to boot into safe mode with networking, configure the DNS IP, reboot into normal mode and log in as domain administrator.
To boot into safe mode is a nightmare. F8 does not work thanks to UEFI. A trick I use is to change the boot order to PXE first, then during the timeout at boot I can smash the F8 key and get the recovery options menu.
The progress we make as a species is breathtaking.