Demoting primary domain controller

Posted on 2008-06-12
Last Modified: 2010-04-21
Existing network uses W2K server as primary domain controller. Need to add new W2K3 server as the primary domain controller, but keep the existing W2K server on the network.
Can I simply join all workstations to the new W2K3 domain controller without issues? Or, must I first demote the W2K server to a member server?
Appreciate input as need to get this done right away.
Question by: zackery
LVL 70

Accepted Solution

KCTS earned 500 total points
ID: 21768980
The process is as follows

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network

Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

You now need to run ADprep on the 2000 machine

If the new Windows 2003 server is the R2 version Adprep is in the \CMPNENTS\R2\ folder on CD2
if not then ADPREP is in the i386 Folder

Put the 2003 CD into the 2000 DC and run

adprep /forestprep
adprep /domainprep

Now go back to the 2003 machine

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select Additional Domain Controller in an existing Domain.

Once Active Directory is installed then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

If you really want rid of the old DC then:-

Transfer all the FSMO roles to the new DC: See

Check that you have:-
Made the other DC a global catalog:
Installed DHCP on the new DC, set up the scope and authorise it. (If using DHCP)
Make sure that all clients use the new DC as their Preferred DNS server (either by static or DHCP options)

Power down the old DC and make sure that all is well. Once satisfied, power on the old DC again, then run DCPROMO to remove its domain controller status. This is essential to avoid replication errors.

If you want to remove the machine from the domain then you can do so once its DC role has been removed.
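The pre-demotion checks listed in the answer above (FSMO roles, global catalog, DNS), as a batch script; this is an added example, not part of the original answer. NEWDC01 and example.local are placeholder names, the FSMO count assumes a single-domain forest, and netdom and dcdiag are assumed to be installed from the Windows Support Tools.

```batch
@echo off
rem Added example, not from the thread: checks to run before demoting the old DC.
rem NEWDC and DOMAIN are placeholder values (assumptions); set them for your site.
rem Needs netdom and dcdiag from the Windows Support Tools.
setlocal
set NEWDC=NEWDC01
set DOMAIN=example.local
set FAIL=0

rem 1. All five FSMO roles should be listed against the new DC.
set ROLES=0
for /f %%c in ('netdom query /domain:%DOMAIN% fsmo ^| find /i /c "%NEWDC%"') do set ROLES=%%c
if not "%ROLES%"=="5" (
    echo FAIL: %NEWDC% holds %ROLES% of 5 FSMO roles
    set FAIL=1
)

rem 2. DNS on the new DC should answer, and list the new DC as a global catalog.
rem    Only the "svr hostname" lines are matched, so the nslookup header cannot pass the check.
nslookup -type=SRV _gc._tcp.%DOMAIN% %NEWDC% 2>nul | find /i "svr hostname" | find /i "%NEWDC%" >nul
if errorlevel 1 (
    echo FAIL: no _gc._tcp SRV record for %NEWDC% served by its own DNS
    set FAIL=1
)

rem 3. The new DC should advertise itself and replicate without errors.
for %%t in (Advertising Replications) do (
    dcdiag /s:%NEWDC% /test:%%t | find /i "passed test %%t" >nul
    if errorlevel 1 (
        echo FAIL: dcdiag /test:%%t did not pass on %NEWDC%
        set FAIL=1
    )
)

if "%FAIL%"=="0" (echo All checks passed for %NEWDC%) else (echo Resolve the failures above before running DCPROMO on the old DC)
exit /b %FAIL%
```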
LVL 25

Expert Comment

ID: 21768983
Hi, check the following; it gives you a good checklist of what you need to do and how to get to the point of running dcpromo on the 2003 server.
LVL 70

Expert Comment

ID: 21768992
If you do it as above you will simply replace the DC - no need to remove and re-add the machines from the domain.


Expert Comment

ID: 21769014
There is no such thing as a primary domain controller in an AD environment. Just add the W2K3 server as an additional DC into your AD domain. If you like you can then demote the W2K server. But it is VERY good practice to always have a minimum of 2 DCs. W2K and W2K3 can easily co-exist in the same domain, so I would recommend to keep the two in your domain.

Author Comment

ID: 21769129
Thanks for all the quick feedback! The w2k3 is already at a domain controller status and I would prefer to make it the domain controller that all the workstations point to instead of the W2K domain controller. So, is it correct that I can just add the W2K3 domain controller to existing network, point the workstations to this new W2K3 server and still keep the existing W2K domain controller on the network as is?

Expert Comment

ID: 21769236
Yes. Definitively keep the W2K server as a DC. It will provide redundancy in case the W2K3 server fails (and vice versa).

Author Comment

ID: 21771778
KCTS: The current W2K DC is online and in service with Exchange 2003 also installed. What is the risk of installing adprep /forestprep and adprep /domainprep?

Should I take this W2K DC off line before running these preps?


Author Closing Comment

ID: 31466528
This worked out just great yesterday for my situation. Much appreciated
