
Windows 2003 Server: Replace a Windows Server 2003 Domain Controller Page 1 of 4

October 04, 2010 9:37 AM

Article Author: tigermatt Date: 11/21/2008 - 09:55PM EAT

Title: Replace a Windows Server 2003 Domain Controller

Tags: `Microsoft` `Windows` `Server 2003` `R2` `non-R2` `domain controller` `active directory`
`replace`
Zone: Windows 2003 Server

It is a known fact that servers reach the end of their lives. Some get there quicker than others,
based on age, manufacturer, usage and several other factors. However, if your organization
has spent time deploying Microsoft's Active Directory server, you will know that replacing a
Domain Controller and migrating everything Active Directory based over is not the easiest
procedure you've ever performed.

Of course, you could simply image the old server and restore it to the new server, but this
could cause licensing and driver issues, not to mention the fact that I prefer to rebuild a
server from scratch rather than live with the clutter of an old server on new hardware. In
order for you to build a new server, promote it as a Domain Controller and then migrate
Active Directory, you need to follow several steps.

Note, at this stage, you must verify two things. First, check on the old server (to be replaced)
in Control Panel, Add/Remove Programs that Microsoft Exchange Server (any version) is
NOT installed on the server. Furthermore, do not perform this procedure if the old server to
be replaced is a Small Business (SBS) Server, since this procedure of replacing the server
will break the SBS, and special precautions must be taken. Look out for future articles on
how to migrate off an SBS server.

Check the network


1 Prior to working on the network, I suggest you download the Windows Server 2003
Support Tools to the old server from
http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en.
Once installed on the old server, you
can run the command dcdiag from a command prompt, which tests the Domain
Controller and verifies there are no present issues in Active Directory. This way, you can
fix those issues before migrating. If all tests are passed, and only when all tests are
passed, you should then run netdiag to test the network configuration of the server, and
again ensure all tests pass before proceeding.
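
The "dcdiag first, netdiag only if clean" gate from step 1 can be scripted so the results are kept as evidence. This batch file is an added example, not part of the original article; it assumes the Support Tools are installed so that dcdiag.exe and netdiag.exe are on the PATH, and the log folder name is a placeholder.

```batch
@echo off
rem Added example: pre-migration health gate for the old Domain Controller.
rem LOGDIR is a placeholder; pick any folder without spaces in its name.
setlocal
set LOGDIR=C:\dc-migration-logs
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem dcdiag prints one "passed test" or "failed test" line per test.
dcdiag > "%LOGDIR%\dcdiag.txt" 2>&1

rem Guard: if the tool did not run at all, there are no result lines,
rem and an empty log must not be mistaken for a clean one.
findstr /I /L /C:"passed test" "%LOGDIR%\dcdiag.txt" > nul
if errorlevel 1 (
    echo dcdiag produced no test results. Check that the Support Tools are installed.
    exit /b 1
)

rem findstr returns 0 when it finds a match, so "not errorlevel 1" means
rem at least one failed test was printed.
findstr /I /L /C:"failed test" "%LOGDIR%\dcdiag.txt"
if not errorlevel 1 (
    echo dcdiag reported the failed tests listed above. Fix them before running netdiag.
    exit /b 1
)

rem Only reached when dcdiag is clean, matching the order given in step 1.
netdiag > "%LOGDIR%\netdiag.txt" 2>&1
findstr /I /L /C:"Failed" /C:"FATAL" "%LOGDIR%\netdiag.txt"
if not errorlevel 1 (
    echo netdiag reported the problems listed above. Do not start the migration yet.
    exit /b 1
)

echo All dcdiag and netdiag tests passed. Logs are in %LOGDIR%.
exit /b 0
```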

Install the new server


2 Firstly, install Windows Server 2003 to the new server. If you have the R2 edition, install
Disk 2 of the CD-ROM media after initial setup has completed and the system is up and
running.

Once the new server is up and running, install drivers for the Network Card and any
other necessary drivers. Then, once a Network Connection can be seen on the server and
you can communicate over the network, configure the server with a static IP address on
your network. At this stage, set the Preferred DNS Server to be the IP address of (one of)
the existing Domain Controller(s). Do not enter any ISP DNS servers here.

Next, join the server to the existing Active Directory Domain. This is performed the
standard way - in the same way as you join a workstation - through Start, Control Panel,
System, Computer Name, Change. Choose the Domain option, enter the Domain Name
and then press OK. A restart is required at this stage.

Prepare the Domain


3 If you will be installing Windows Server 2003 into a Windows Server 2000 domain, or
Windows Server 2003 R2 into a non-R2 Server 2003 domain, you need to extend the
schema. This involves placing the Windows Server 2003 media into the Domain
Controller which currently holds the Schema Master FSMO role. For Windows Server
2003 R2, you must enter Disk 2, for other editions, enter Disk 1. For Windows Server
2003, browse, on the Schema Master, to the drive:\i386 folder at a command prompt. For
R2 edition, browse on Disk 2 to the drive:\CMPNENTS\R2\ADPREP folder at a
command prompt.

Once in the directory, the command dir should show the list of files available, one of
which should be the adprep.exe tool. At the prompt, you should execute the command
adprep /forestprep, to extend the forest schema. Once replication between all Domain
Controllers in the Forest has completed - and only when that has occurred - you should
then execute adprep /domainprep via the same procedure, and again, wait for replication
to take place before proceeding.

Promote the server


4 After the reboot, you can now invoke the dcpromo wizard, used to promote the server as
a Domain Controller. Start the wizard by entering dcpromo into the Start, Run box, then
press OK. When prompted whether to enable Advanced Mode, I suggest you do not enable it
unless you wish to see the Advanced Features. Follow through the wizard,
opting for the 'Additional Domain Controller in an existing domain' when prompted.
When the wizard completes, it will install Active Directory Services onto the server. Do
NOT press 'Cancel' at this stage. If you made a mistake, wait for the wizard to complete,
when you can restart the server and re-run the dcpromo wizard to correct the issue.

Install DNS
5 DNS is a crucial part of Active Directory, used for the whole of the Active Directory
system. As a result, we must migrate DNS from the old DC to the new DC.

The easiest route to do this is to use Active Directory-integrated DNS, so that the DNS
replicates from Domain Controller to Domain Controller with Active Directory
replication traffic. To check whether your DNS zones are Active Directory-integrated,
look on your existing Domain Controller in the DNS console (Start, Control Panel,
Administrative Tools, DNS). Under Forward Lookup Zones, look for
<yourdomainname.com> in the list. Beside the zone in the 'Type' column, you should see
'Active Directory-integrated' noted. If it does not report this, right-click the zone, choose
Properties, then on the General tab beside Type, press the Change button and check the
box marked 'Store the zone in Active Directory'. Press OK.

Now the zone is stored in Active Directory, we simply need to install DNS on the new
Domain Controller, and the DNS information will replicate in due course. To install
DNS on the new server: Start, Control Panel, Add/Remove Programs, Add/Remove
Windows Components. Click 'Networking Services', then press the Details button. Check
the box to enable 'Domain Name System (DNS)' and then press OK. Pressing Next will
install the new roles you have checked (DNS, in this case).

Once DNS is installed, it could take a short amount of time before the data shows up in
the DNS console on the new server. However, it will show up in due course, so be
patient; you don't even need to manually create the zones.

Global Catalog
6 In a single-domain, single-forest environment, all Domain Controllers should be Global
Catalog servers. The Global Catalog contains a partial replica of all objects in the forest,
and is used to establish Universal Group Membership at logon. Without it, logins may
not work properly, if at all. Thus, the new server should be a Global Catalog server.

To achieve this, on either the old or the new server, open the Active Directory Sites and
Services tool from Administrative Tools in Control Panel. In the tool, expand the site
which owns the server, then expand the server object itself. Within the server object, you
will see an object entitled 'NTDS Settings'. Right-click on this, press Properties and then
check the box marked 'Global Catalog'. OK out, and then it is necessary for replication to
take place before the server will become a full Global Catalog.

FSMO Roles
7 The final step is to transfer the FSMO Operations Roles from the old server to the new
server. The Operations Roles dictate the DC which performs particular Active Directory
tasks. For example, the Schema Master role dictates upon which server the Schema can
be extended.

To transfer these roles to the new server, follow the instructions in this Microsoft
Knowledgebase article: http://support.microsoft.com/kb/324801. Note: Verify any
information you read is based on the TRANSFER of the roles. SEIZING is not
applicable here, and should not be performed for a graceful DC migration.
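
Before moving on to the demotion in step 10, it is worth confirming that every role really did move. This batch file is an added example, not part of the original article or the Microsoft KB; it assumes netdom.exe from the Support Tools is on the PATH, and NEWDC01 is a placeholder for the new server's name.

```batch
@echo off
rem Added example: confirm that all five FSMO roles now sit on the new DC.
rem NEWDC is a placeholder host name; replace it with the new server's name.
setlocal
set NEWDC=NEWDC01
set OUT=%TEMP%\fsmo-owners.txt

rem netdom prints one line per role, each ending with the owning server.
netdom query fsmo > "%OUT%" 2>&1
type "%OUT%"

rem Count the output lines that name the new DC. The check does not depend
rem on the role labels, and a failed netdom run simply yields a count of 0.
rem Note: a name that is a prefix of another server name would also match.
set COUNT=0
for /f %%n in ('type "%OUT%" ^| find /I /C "%NEWDC%"') do set COUNT=%%n

if not "%COUNT%"=="5" (
    echo Only %COUNT% of 5 role lines name %NEWDC%. Transfer the rest before demoting the old server.
    exit /b 1
)

echo All five FSMO roles are held by %NEWDC%.
exit /b 0
```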

DNS Server on the new server


8 At this stage, DNS should have replicated, so you should now set the Preferred DNS
Server on the New Server's Network Card to point to the IP of the new server, and that IP
address only. Do not enter any ISP DNS servers. It is recommended you use the full IP
address of the server, rather than the loopback 127.0.0.1 address.

You may wish to enable Forwarders in the DNS console. Since no workstation or server
should have the ISP's DNS server manually configured on its NIC, the forwarder at the
server enables DNS on the server to resolve the IP address of external domains using the
ISP's DNS server. See http://technet.microsoft.com/en-us/library/cc773370.aspx for
details.

Test
9 Finally, before demoting the old server, I would shut down or unplug the old server from
the network, then test network resources and verify everything - particularly logins -
works properly. You may find that the workstations are still detecting the DNS Server as
the old server. This would need to be manually overridden to be the new server for test
purposes.

Demote
10 If everything is working, then you can, at this stage, reconnect the old server, boot it up
and then run dcpromo and choose the options to demote the server. Before disconnecting
it from the network fully, you must remember that data and any other applications on the
server must be transferred to the new server. ROBOCOPY is a good tool for doing this,
since the /COPYALL switch enables you to copy the NTFS ACLs along with the actual
data (Windows' standard Copy operation will not carry the security permissions over).
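
A data copy that keeps the NTFS ACLs, as described above, is safer with a dry run first and a check of Robocopy's exit code afterwards, so that files which failed to copy are not silently left behind. This batch file is an added example, not part of the original article; the source share, destination folder and log path are placeholders, and it assumes robocopy.exe is on the PATH and the script is run as an administrator.

```batch
@echo off
rem Added example: copy data from the old server with permissions intact.
rem SRC, DST and LOG are placeholders. Do not end quoted paths with a
rem backslash, because \" is parsed as an escaped quote.
setlocal
set SRC=\\OLDDC01\Data
set DST=D:\Data
set LOGDIR=C:\dc-migration-logs
set LOG=%LOGDIR%\robocopy-data.log
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

rem /E        copy subfolders, including empty ones
rem /COPYALL  data, attributes, timestamps, NTFS ACLs, owner and auditing info
rem /B        backup mode, so files the operator's own ACL entry denies are still read
rem /R:2 /W:5 retry twice, five seconds apart, instead of the very long defaults
rem /L        list only: the first pass changes nothing
robocopy "%SRC%" "%DST%" /E /COPYALL /B /R:2 /W:5 /L /LOG:"%LOG%"
echo Dry run finished. Review %LOG% and press a key to start the real copy.
pause

rem Real copy; /LOG+ appends to the dry-run log and /NP keeps it readable.
robocopy "%SRC%" "%DST%" /E /COPYALL /B /R:2 /W:5 /NP /LOG+:"%LOG%"

rem Robocopy exit codes are a bitmask. 8 means some files or folders could
rem not be copied and 16 is a fatal error; "errorlevel 8" matches 8 or above.
if errorlevel 8 (
    echo Robocopy reported failures. Check %LOG% before retiring the old server.
    exit /b 1
)

echo Copy completed without failures. Spot-check permissions on %DST%.
exit /b 0
```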

If you have any questions, post a question on Experts Exchange, and we will be happy to
help.

-Matt

User Comment Author: ryanmnly Date: 09/11/2009 - 12:15PM EAT

In Step 2, I still need to add the server name to the Active Directory group prior to going to the Domain
option and changing the domain, correct? I'm assuming that that step actually includes changing the
domain name on the new server as well as adding it like a normal workstation on the existing domain
controller. Is that accurate?

User Comment Author: annasad Date: 07/26/2010 - 08:02AM EAT

Excellently written, I haven't done a practical with this one, but good effort!!!

User Comment Author: goyal_251 Date: 08/30/2010 - 01:25PM EAT

good effort

User Comment Author: smtwkla Date: 09/25/2010 - 01:48PM EAT

How best to migrate My Documents redirection using ROBOCOPY or other such tool?

Copyright © 1996 - 2010 Experts Exchange, LLC.
