Replacing/adding 2003 Domain Controllers

Currently we have two domain controllers in our organization that need to be replaced.  My plan is to replace both of these with 2 brand new servers running Server 2003 Enterprise.  I also plan on using different names for these new DCs.  What I would like to happen is to be able to add one new DC at a time and replicate all roles from the old DCs to newdc1, then put newdc2 online and replicate from newdc1 to newdc2, and then pull olddc1 and olddc2 offline.  I do not have experience with implementing domain controllers, so I am looking for any good articles, tips, advice, etc.


Jeff BeckhamEngineerCommented:
You didn't mention what your current DC OSes are.  If they're already Windows Server 2003, adding DCs is a very straight-forward process.  If they're Windows 2000 Server, then you're talking about having to perform an AD upgrade.  If they're NT 4.0 Server, you've got some more work cut out for you.

Adding 2003 DCs to an existing 2003 AD environment involves installing the OS on the new hardware, promoting the new server to DC via dcpromo.exe, transferring FSMO roles to the new server and demoting the old server via dcpromo.exe.  You will also need to pay attention to other services being provided by the old server(s) such as DNS, DHCP, WINS, etc.

Here might be some helpful links:

Step-by-Step Guide to a Common Infrastructure for Windows Server 2003 Deployment:

How to view and transfer FSMO roles in Windows Server 2003

EE Title: Domain Controller Replacement

Hello OhmErnie...

What you are trying to do is quite straightforward and shouldn't be too hard.

Some links...

ohmErnieAuthor Commented:
So when I am all finished these two servers will not be identical as far as roles go...correct?  Also, the current dcs are 2003.
Jeff BeckhamEngineerCommented:
By roles, if you mean FSMO yes.  One correction to my above post though: you'll only transfer the FSMO roles to a single new DC and not both.

If you mean other roles (such as DNS, DHCP, WINS, File, Print, or other type of server role), then only after you transfer those network services to the new PCs.
ohmErnieAuthor Commented:
Ok...FSMO roles will only be on one new DC, not both and SHOULD only be on one/cannot be on both?

But, all other roles/services as you mentioned (DNS, DHCP, WINS, File, Print, or other type of server role) can be on both servers correct?
Jeff BeckhamEngineerCommented:
The roles won't be able to exist on both DCs.  Each role may exist on only one DC in your domain/forest at the same time.

For more information on the descriptions of the roles and placement within your AD infrastructure, see Microsoft Knowledge Base article 223346.

Yes, you should be able to use both servers for the other network services that I listed above.
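Because each FSMO role lives on exactly one DC, the check worth running before demoting the old servers is "which DC currently holds each role?". The following PowerShell script is an added example, not code from this thread or from Microsoft: it reads the fSMORoleOwner attribute of the five well-known objects over LDAP using the ADSI adapter, so it works against a Windows Server 2003 forest from any domain-joined machine with PowerShell 2.0 (no AD module required), and warns if a role is still held by one of the DCs you intend to retire. The function name Get-FsmoRoleHolder and the server names OLDDC1/OLDDC2 are hypothetical placeholders; replace them with your own. The script only reports; the actual transfer is still done with ntdsutil or the MMC snap-ins as described in the KB article linked above.

```powershell
# Added example (not from the thread): list the five FSMO role holders over LDAP
# and flag any role still held by a DC that is about to be demoted.
function Get-FsmoRoleHolder {
    param(
        # Hypothetical names of the DCs you plan to retire (constructed sample).
        [string[]]$RetiringDcs = @('OLDDC1', 'OLDDC2')
    )

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $domainNc = $rootDse.defaultNamingContext.Value
    $configNc = $rootDse.configurationNamingContext.Value
    $schemaNc = $rootDse.schemaNamingContext.Value

    # Each role is recorded as the fSMORoleOwner attribute on a well-known object.
    # Two roles are forest-wide (Schema, Domain Naming); three are per-domain.
    $roles = @(
        @{ Name = 'Schema Master';         Path = "LDAP://$schemaNc" },
        @{ Name = 'Domain Naming Master';  Path = "LDAP://CN=Partitions,$configNc" },
        @{ Name = 'PDC Emulator';          Path = "LDAP://$domainNc" },
        @{ Name = 'RID Master';            Path = "LDAP://CN=RID Manager`$,CN=System,$domainNc" },
        @{ Name = 'Infrastructure Master'; Path = "LDAP://CN=Infrastructure,$domainNc" }
    )

    $holders = @{}
    foreach ($role in $roles) {
        $obj   = [ADSI]$role.Path
        $owner = [string]$obj.fSMORoleOwner
        # The owner is the DN of the holder's NTDS Settings object:
        #   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
        # so the second RDN is the DC's name.
        $server = (($owner -split ',')[1]) -replace '^CN=', ''
        $holders[$role.Name] = $server

        if ($RetiringDcs -contains $server) {
            Write-Warning ("{0} is still held by {1}; transfer it before running dcpromo there." -f $role.Name, $server)
        } else {
            Write-Host ("{0,-22} {1}" -f $role.Name, $server)
        }
    }
    return $holders
}

# Run it; the returned hashtable can be compared before and after the transfer.
Get-FsmoRoleHolder
```

Run it once before the transfer (expect warnings for every role on the old DC), once after (expect none), and a third time after the old DCs have been demoted to confirm nothing still points at a server that no longer exists. KB 223346, which the reply above refers to, also covers placement; the one rule worth remembering from it while consolidating onto two DCs is that the Infrastructure Master should not sit on a global catalog unless every DC in the domain is also a global catalog.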
ohmErnieAuthor Commented:
I am assuming I want to install my DNS, DHCP, etc. first before switching roles?  Also, how do I replicate the data over to the new servers with DNS, DHCP?
Jeff BeckhamEngineerCommented:
Once you bring them up as DCs, it doesn't really matter what order you move the FSMO roles and the other roles (DHCP, DNS, WINS, F&P, etc.).

The methods for transferring the non-FSMO network services will vary, depending on the services that your DCs are currently providing.

DNS: If you have AD-enabled DNS, then it's pretty easy. See "How to replace the current primary DNS server with a new primary DNS server in Windows Server 2003" for more info.

DHCP: The only trick here is moving your DHCP database from your old server to the new one (which really isn't that difficult).  See "How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003" for more info.

Also, see EE article "" ( for more info on both DNS and DHCP moves.

WINS: This is just a matter of setting up a secondary WINS server and pointing your clients at it.  See "WINS Servers in Windows 2003 - The Basics" for more info.

File & Print: Specifics on how to do this will vary, depending on your environment.  Issues regarding a move of F&P services involve updating logon scripts, user training, updating existing printers on workstations, etc.
ohmErnieAuthor Commented:
DNS: My dns looks to be replicated to the new servers, but shows that I still need to configure the server.  Forward and reverse lookup.  When I run the wizard I get into Zone Type: I am not sure of the option I want to choose, Primary, Secondary or Stub zone for each new DC.

DHCP:  I did not know about the export, so I had already gone and created the scopes and properties for them.  Is this the same information I would get from the export or is there more?

FSMO roles:  Can these be transferred while the users are connected through the old DC's?
ohmErnieAuthor Commented:
DNS Update: I configured the server following this: "How to replace the current primary DNS server with a new primary DNS server in Windows Server 2003".

Under Forward Lookup Zones, my domain is already there and populated.  What I don't understand is the part about making the server primary.  Each one of my domain controllers is saying it is the primary server.  This cannot be correct, is it?
Jeff BeckhamEngineerCommented:
Regarding DNS, it should be fine.  When you demote the old DCs via dcpromo.exe, I think they'll unregister as primaries.  If not, you can remove them from the zones from the new servers.

Regarding DHCP, you can migrate your database and it keeps all of your settings including existing scopes, reservations, options, history, current lease information, etc.

Regarding FSMO, you should be able to transfer them at any time.
ohmErnieAuthor Commented:
My FSMO roles have been transferred successfully.  Since I have created new scopes and am not concerned about reservations, options, current lease information, what is necessary to fire this up?

Right now the scopes are deactivated on the new dc.  I would assume I need to deactivate my scopes on my old server, then activate them on the new server and reboot every machine?  Is this correct?  Then, demote my old dc's.

I appreciate your help on this jebeckham.
Jeff BeckhamEngineerCommented:
Assuming that your servers and clients are on a single subnet, just stop the DHCP service on the old DC, fire it up on the new DC (if it's not already started), and probably authorize the new server via the DHCP administration tool (right-click the server in the left-hand pane and select "Authorize").  That's really all it should take.
ohmErnieAuthor Commented:
Ok...When I stop the DHCP on the old server and start it (authorize it) on the new server.  I get a message saying the DHCP server cannot be reached.  All the settings are the same from what I can see.  Anything you can think of to look for?
Jeff BeckhamEngineerCommented:
The message is coming from a client PC?  If so, try an "ipconfig /release" followed by an "ipconfig /renew".  It should switch over to the new server running DHCP.
ohmErnieAuthor Commented:
I have tried the ipconfig /release then /renew and it will not renew.  That is when I get the DHCP server cannot be reached.  Yet, I have noticed that my clients when logging on are pulling their logon script from one of the new DC's.
Jeff BeckhamEngineerCommented:
Is the new DHCP server on the same subnet as the old one?  Are the client machines on the same subnet as the old/new server?
ohmErnieAuthor Commented:
I have 3 subnets for DHCP.

The new servers are on the same subnet as the old servers.  The IP addresses on the new servers have not been switched to those of the old IPs, but will be once I make the global switch.  Is this possibly why?
Jeff BeckhamEngineerCommented:
Possibly.  If the clients are on different subnets, there's something on the client subnets (could be a Windows computer running the DHCP Relay Agent, but it's most likely the subnet's router/firewall) that's forwarding DHCP requests from the remote subnet to the IP address of your DHCP server.  You'll need to change the configuration on the forwarder so that it sends DHCP requests to the new DHCP server.
ohmErnieAuthor Commented:

I deactivated the scopes on my old DCs and changed their IP addresses to something different.  I then changed the IPs on the new DCs to those of the old DCs and activated the scopes.  As long as I do an ipconfig /release I have no problem obtaining a lease from the new DHCP server.  So I think all is well in this part.

I went ahead and disabled the NICs on the old DCs so I know they are not in the loop any more.  I plan to wait a few days then run dcpromo to remove them from the domain.  In doing this I assume I will have to enable the NICs again...will this be a problem since these servers will have old DNS information and try to sync with the new?

Also, the DHCP relay agent...I don't have this configured, but it sounds like it should be?  I have multiple subnets, but only scopes for two.  I thought I read somewhere that if you have multiple subnets and your DHCP server does not sit on that subnet you need to have a DHCP relay.  If so, I'm not sure how to configure this, and whether on both of my servers or just one?
Jeff BeckhamEngineerCommented:
If you have multiple subnets with only a single DHCP server serving them all, you need some sort of relay agent whether it's Windows-based or something else.  The requirement is because of the way DHCP and routers work.  DHCP clients broadcast, looking for a DHCP server.  However, routers do not pass broadcasts between subnets, requiring the use of some sort of DHCP relay agent.

What you describe about changing the IP addresses of your DCs (specifically, the new DCs being assigned the IPs of the old DCs) and having DHCP work makes me think that you do have a forwarder that's passing DHCP broadcasts in to the DC on the old DHCP server's IP address.  The forwarder/agent will be configured with the IP address of your DHCP server, so by switching your servers' IPs you're tricking the relay agent into forwarding to the new, correct DHCP server.  What you really should do is reconfigure your DHCP relay to forward the DHCP requests to your new DHCP IP instead of the old.
ohmErnieAuthor Commented:
Before I received your response, I ended up demoting (dcpromo) my old DCs from the domain.  The new domain controllers still have the old DC IPs, as I had originally planned they would after this DC upgrade.  My clients seem to be obtaining lease information fine, so I am a little confused about how this is so if my DHCP servers do not have routing configured.  I am wondering if there is something programmed into the Cisco VLANs that may be pointing to the IP addresses I am using.  Both of my DCs are DHCP servers and I have divided the scopes across them.

One thing I have noticed, but also in the past, is a master browser issue, where one of the clients thinks it is the master browser.  Not sure if this is related.

With all this said, I cannot reconfigure my DHCP relay to forward the DHCP requests to my new DHCP IP because IT IS the old IP.  This must already be occurring somewhere...just not sure where.  No other server or workstation could be doing this.  What do you think?
Jeff BeckhamEngineerCommented:
It still makes sense that it's working now with the new DCs using the IPs of the old DCs.  The DHCP relay is operating as normal, forwarding remote DHCP requests to your new DCs on the old IPs.  Something must be performing the routing, and it's most likely your router.  You could move forward with changing the IP that your router is relaying to, but if you've got your DCs sitting on the old IPs and are close to retiring the old DCs, I wouldn't worry about it.

The master browser events you're seeing in your event logs are normal.  Depending on their configuration, machines will come up and initially try to become the master browser on the subnet.  Once an election happens, they will likely lose to a DC or other Windows server and go quiet.  If you want to prevent your workstations from becoming the master browser you can (see: for lots of detail or for a little shorter solution), but it doesn't hurt anything leaving it this way.  You can just disregard the messages.
ohmErnieAuthor Commented:
Thank you for your help...I have another problem, this may or may not be your area:

I am now experiencing problems with email attachments.  Any email that is sent to our Exchange server is now found in the Server Failures folder in Outlook, and a sync issue message is also produced in the Sync Issues folder.  Here is a copy of the sync issues email:

11:18:43 Synchronizer Version 11.0.6555
11:18:43 Synchronizing Mailbox 'Lastname, Firstname'
11:18:43 Synchronizing Hierarchy
11:18:43 Synchronizing server changes in folder 'Inbox'
11:18:43 Downloading from server ''
11:18:43     The following message had an error and synchronization of it was skipped (0x8004010f):
11:18:43         "test"
11:18:43 Done
11:18:43 Microsoft Exchange offline address book
11:18:43 Download successful

All other email messages seem to go through fine as long as there is no attachment on them.

I will post this in the exchange topic area.
ohmErnieAuthor Commented:
The issue was either that the DB size was at 16GB and needed to be enlarged, or that it needed a reboot after demoting the old controllers.  I believe it was the reboot after demoting the old controllers.

Thanks for the help.