HOW TO: Replace a single Domain Controller with new Hardware

In some small environments where there is only one Domain Controller, it sometimes becomes necessary to replace the existing Domain Controller with newer, faster hardware. There are several ways of doing this, but the easiest and most efficient is to build a second server, promote it to a second Domain Controller, transfer all roles and settings, and then demote and remove the original Domain Controller. This article discusses how to do this.
There is only one minor issue with this method: the second and new replacement Domain Controller has to have a different name (and cannot later be renamed).

Note. The above statement is now only true for Windows 2000 DCs. Windows Server 2003 allows the renaming of DCs (and indeed domains as well).

There are several steps involved in this process. They are as follows:

Note. This document assumes you have already built a second Windows 2000 Server-based computer.

This document also assumes that you are running Windows NT 5.x DNS and that the DNS server is the DC; that is, the DC looks to itself for DNS.

Make the newly built server a member server in the existing domain; that is, join the server to the domain. Once the server has been successfully joined to the domain (this requires a reboot), promote the member server to a Domain Controller by typing dcpromo at the run command.

Once the Domain Controller promotion is complete, if you haven't already, install the DNS service on this machine.

Now, if you've not done so already, convert the DNS server's zone to Active Directory Integrated. To convert the zone to AD Integrated, right-click on the zone file, choose Properties, Change... and then choose Active Directory-integrated and then choose OK and OK again (figure 1).

Either wait for replication to occur (5 minutes) or force replication using either Replication Monitor (replmon.exe) or Active Directory Sites & Services (dssite.msc).


Figure 1. Changing the zone type to Active Directory-integrated (screenshot: Convert DNS Zone)

After replication has completed, both DCs will hold a writeable copy of the DNS zone. At this point, you should configure the new DC (DC2) to point to itself for DNS, and you should also think about changing the clients over to point to the new DC (DC2) as well.

The next stage is to transfer all of the FSMO roles from the original DC (DC1), over to the new DC (DC2). To do this, follow the instructions in the following msresource.net knowledgebase article:



The other critical task is to make the new DC (DC2) a Global Catalog (GC) server. Please refer to the following msresource.net knowledgebase article for information on how to configure your DC as a GC:



It is highly probable that you are running a DHCP environment. It is also highly probable that the DC and DNS server (DC1) is also the DHCP server. If this is the case you have two choices: recreate your scope(s) on the new DC (DC2), or migrate your existing DHCP scope, lease and reservation database from DC1 to DC2. The latter is best unless you are in the simplest of environments.

To migrate the DHCP server, you will need to use the Resource Kit tool DHCPExIm.exe. The following Microsoft knowledgebase article explains how to migrate/transfer a DHCP server to another server.


Considerations

It is wise to test the environment without the first DC (DC1) before actually removing the original DC (DC1); for example, turn the original DC (DC1) off at the end of the day and see whether everything runs properly the next day.

The original DC (DC1) should always be demoted; simply powering it off or formatting it does not remove the DC from the Active Directory database.

Remember that the DNS clients' resolver will cache both positive and negative responses. Therefore, ample time should be given for the clients to make the complete switch from one DC to another. It is therefore recommended that, once testing is complete, the demotion happens at the end of the day. This way, all clients should have flushed or overwritten their resolver caches with the new details.

Do not forget to point all clients at the new DNS server. A common mistake is to move all of the roles but forget to point client systems at the new DNS server, which results in nothing working, because DNS is how clients locate domain controllers and the services they offer.

Summary

In order to successfully move the role of a Domain Controller to another server and decommission the original DC, you need to perform the following steps:

  • Build a new member server.
  • Promote the member server into a new DC (DC2) and install DNS on this DC.
  • Enable AD-integrated DNS so that the new DC (DC2) also has a writeable copy of the DNS zone.
  • Make the new DC (DC2) a Global Catalog server.
  • Transfer (not seize) the five FSMO roles to the new DC (DC2).
  • Demote the original DC (DC1).

In some cases, it may also be necessary to transfer additional Windows Server roles, such as DHCP.
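The checks an administrator would run on DC2 before demoting DC1, covering the summary steps above, as an added example that is not part of the original article. It assumes the domain name example.local and the DC names DC1/DC2 are placeholders to be edited, that it is run on DC2 as a Domain Admin, and that the Windows Support Tools (netdom, repadmin, dcdiag, dsquery) are installed.

```batch
@echo off
REM Pre-demotion verification for the DC1 -> DC2 move described in this article.
REM Added example, not from the original article. Assumptions:
REM   - run on DC2 as a member of Domain Admins
REM   - domain name example.local and DC names DC1/DC2 are placeholders; edit below
REM   - netdom, repadmin, dcdiag and dsquery come from the Support Tools / adminpak
setlocal
set NEWDC=DC2
set OLDDC=DC1
set ZONE=example.local

echo === 1. Force replication so %NEWDC% holds everything %OLDDC% holds ===
REM /A all partitions, /e across all sites, /P push from this DC, /d show servers as DNs
repadmin /syncall %NEWDC% /A /e /P /d

echo === 2. FSMO roles: all five lines must name %NEWDC%, none %OLDDC% ===
netdom query fsmo
dcdiag /s:%NEWDC% /test:FsmoCheck

echo === 3. Global Catalog: %NEWDC% must appear in this list ===
dsquery server -isgc
REM Advertising test fails if the DC is not yet advertising as a DC / GC
dcdiag /s:%NEWDC% /test:Advertising

echo === 4. DNS zone is AD-integrated (writeable) on %NEWDC% ===
REM look for "DS integrated = 1" in the zone information
dnscmd %NEWDC% /zoneinfo %ZONE%

echo === 5. DC/GC locator via DNS: the answer should be %NEWDC% ===
nltest /dsgetdc:%ZONE% /gc /force

echo === 6. This host's own resolver must point at %NEWDC%, not %OLDDC% ===
ipconfig /all | findstr /i "DNS Servers"
endlocal
```

Run the same `ipconfig /all` check on a few client workstations as well, since the considerations above note that clients still pointing at DC1 for DNS are the most common cause of failure after demotion.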

Document information

Author: Paul Williams
Written: 24-06-2004
Version: 2.0
Last updated: 07-08-2007
Last updated by: Paul Williams
