Community Pick: Many members of our community have endorsed this article.
Editor's Choice: This article has been selected by our editors as an exceptional contribution.

Replace a Windows Server 2003 Domain Controller

tigermattStaff Platform Engineer
It is a known fact that servers reach the end of their lives. Some get there quicker than others, based on age, manufacturer, usage and several other factors. However, if your organization has spent time deploying Microsoft's Active Directory server, you will know that replacing a Domain Controller and migrating everything Active Directory based over is not the easiest procedure you've ever performed.

Of course, you could simply image the old server and restore it to the new server, but this could cause licensing and driver issues, not to mention the fact that I prefer to rebuild a server from scratch rather than live with the clutter of an old server on new hardware. In order for you to build a new server, promote it as a Domain Controller and then migrate Active Directory, you need to follow several steps.

Note, at this stage, you must verify two things. First, check on the old server (to be replaced) in Control Panel, Add/Remove Programs that Microsoft Exchange Server (any version) is NOT installed on the server. Furthermore, do not perform this procedure if the old server to be replaced is a Small Business (SBS) Server, since this procedure of replacing the server will break the SBS, and special precautions must be taken. Look out for future articles on how to migrate off an SBS server.

1. Check the network

Prior to working on the network, I suggest you download the Windows Server 2003 Support Tools to the old server from Once installed on the old server, you can run the command dcdiag from a command prompt, which tests the Domain Controller and verifies there are no present issues in Active Directory. This way, you can fix those issues before migrating. If all tests are passed, and only when all tests are passed, you should then run netdiag to test the network configuration of the server, and again ensure all tests pass before proceeding.

2. Install the new server

Firstly, install Windows Server 2003 to the new server. If you have the R2 edition, install Disk 2 of the CD-Rom media after initial setup completed and the system is up and running.

Once the new server is up and running, install drivers for the Network Card and any other necessary drivers. Then, once a Network Connection can be seen on the server and you can communicate over the network, configure the server with a static IP address on your network. At this stage, set the Preferred DNS Server to be the IP address of (one of) the existing Domain Controller(s). Do not enter any ISP DNS servers here.

Next, join the server to the existing Active Directory Domain. This is performed the standard way - in the same way as you join a workstation - through Start, Control Panel, System, Computer Name, Change. Choose the Domain option, enter the Domain Name and then press OK. A restart is required at this stage.

3. Prepare the Domain

If you will be installing Windows Server 2003 into a Windows Server 2000 domain, or Windows Server 2003 R2 into a non-R2 Server 2003 domain, you need to extend the schema. This involves placing the Windows Server 2003 media into the Domain Controller which currently holds the Schema Master FSMO role. For Windows Server 2003 R2, you must enter Disk 2, for other editions, enter Disk 1. For Windows Server 2003, browse, on the Schema Master, to the drive:\i386 folder at a command prompt. For R2 edition, browse on Disk 2 to the drive:\CMPNENTS\R2\ADPREP folder at a command prompt.

Once in the directory, the command dir should show the list of files available, one of which should be the adprep.exe tool. At the prompt, you should execute the command adprep /forestprep, to extend the forest schema. Once replication between all Domain Controllers in the Forest has completed - any only when that has occurred - you should then execute adprep /domainprep via the same procedure, and again, wait for replication to take place before proceeding.

4. Promote the server

After the reboot, you can now invoke the dcpromo wizard, used to promote the server as a Domain Controller. Start the wizard by entering dcpromo into the Start, Run box, then press OK. When prompted whether to enable Advanced Mode, I suggest unless you wish to see Advanced Features that you do not enable this feature. Follow through the wizard, opting for the 'Additional Domain Controller in an existing domain' when prompted. When the wizard completes, it will install Active Directory Services onto the server. Do NOT press 'Cancel' at this stage. If you made a mistake, wait for the wizard to complete, when you can restart the server and re-run the dcpromo wizard to correct the issue.

5. Install DNS

DNS is a crucial part of Active Directory, used for the whole of the Active Directory system. As a result, we must migrate DNS from the old DC to the new DC.

The easiest route to do this is to use Active Directory-integrated DNS, so that the DNS replicates from Domain Controller to Domain Controller with Active Directory replication traffic. To check whether your DNS zones are Active Directory-integrated, look on your existing Domain Controller in the DNS console (Start, Control Panel, Administrative Tools, DNS). Under Forward Lookup Zones, look for <> in the list. Beside the zone in the 'Type' column, you should see 'Active Directory-integrated' noted. If it does not report this, right-click the zone, choose Properties, then on the General tab beside Type, press the Change button and check the box marked 'Store the zone in Active Directory'. Press OK.

Now the zone is stored in Active Directory, we simply need to install DNS on the new Domain Controller, and the DNS information will replicate in due course. To install DNS on the new server: Start, Control Panel, Add/Remove Programs, Add/Remove Windows Components. Click 'Networking Services', then press the Details button. Check the box to enable 'Domain Name System (DNS)' and then press OK. Pressing Next will install the new roles you have checked (DNS, in this case).

Once DNS is installed, it could take a short amount of time before the data shows up in the DNS console on the new server. However, it will show up in due course, so be patient; you don't even need to manually create the zones.

6. Global Catalog

In a single-domain, single-forest environment, all Domain Controllers should be Global Catalog servers. The Global Catalog contains a partial replica of all objects in the forest, and is used to establish Universal Group Membership at logon. Without it, logins may not work properly, if at all. Thus, the new server should be a Global Catalog server.

To achieve this, on either the old or the new server, open the Active Directory Sites and Services tool from Administrative Tools in Control Panel. In the tool, expand the site which owns the server, then expand the server object itself. Within the server object, you will see an object entitled 'NTDS Settings'. Right-click on this, press Properties and then check the box marked 'Global Catalog'. OK out, and then it is necessary for replication to take place before the server will become a full Global Catalog.

7. FSMO Roles

The final step is to transfer the FSMO Operations Roles from the old server to the new server. The Operations Roles dictate the DC which performs particular Active Directory tasks. For example, the Schema Master role dicates upon which server the Schema can be extended.

To transfer these roles to the new server, follow the instructions in this Microsoft Knowledgebase article: Note: Verify any information you read is based on the TRANSFER of the roles. SEIZING is not applicable here, and should not be performed for a graceful DC migration.

8. DNS Server on the new server

At this stage, DNS should have replicated, so you should now set the Preferred DNS Server on the New Server's Network Card to point to the IP of the new server, and that IP address only. Do not enter any ISP DNS servers. It is recommended you use the full IP address of the server, rather than the loopback address.

You may wish to enable Forwarders in the DNS console. Since no workstation or server should have the ISP's DNS server manually configured on its NIC, the forwarder at the server enables DNS on the server to resolve the IP address of external domains using the ISP's DNS server. See for details

9. Test

Finally, before demoting the old server, I would shut down or unplug the old server from the network, then test network resources and verify everything - particularly logins - works properly. You may find that the workstations are still detecting the DNS Server as the old server. This would need to be manually overridden to be the new server for test purposes.

10. Demote

If everything is working, then you can, at this stage, reconnect the old server, boot it up and then run dcpromo and choose the options to demote the server. Before disconnecting it from the network fully, you must remember that data and any other applications on the server must be transferred to the new server. ROBOCOPY is a good tool for doing this, since the /COPYALL switch enables you to copy the NTFS ACLs along with the actual data (Windows' standard Copy operation will not carry the security permissions over).
If you have any questions, post a question on Experts Exchange, and we will be happy to help.

tigermattStaff Platform Engineer

Comments (8)

How best to migrate My Documents redirection using ROBOCOPY or other such tool?

many thanks for this
Great article, however, if I unplug the origional dc, I'm unable to rdp to the new dc (rpc is unavailable)

Any ideas?

Your can use Replicator by DFS with Windows 2003 R2 or Windows 2008 R2.
To work with my documents redirections that are stored on the old server, you need to get the data and share moved over to the new server--lots of ways depending on your uptime/availability requirements.  If you can simply keep users off the network, just cut/paste (suitable in small environments), if you must keep max availability, consider robocopy /mir options several times during normal hours to keep a close duplicate of the files/folders right up till the last minute before cutover.  Verify permissions are proper on new ntfs system and in share perms, then make your gpo change to point to the new location.

If you have offline files turned on, you'll have to deal with the locally cached copies (client side cache), either manually or with the ms tool. Csccmd.exe for migrating the csc on each pc.  It's possible to simply let each user and client pc do it's own relocation of the files via folder redirection policy settings, but unless you only have a small numer of users with small my dox folders, almost everyone prefers to stage the file relocates in advance.

View More

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.