Demoting primary domain controller

Posted on 2008-06-12
Last Modified: 2010-04-21
Existing network uses W2K server as primary domain controller. Need to add new W2K3 server as the primary domain controller, but keep the existing W2K server on the network.
Can I simply join all workstations to the new W2K3 domain controller without issues? Or, must I first demote the W2K server to a member server?
Appreciate input as need to get this done right away.
Question by:zackery

Accepted Solution

KCTS earned 500 total points
ID: 21768980
The process is as follows

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network

Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

You now need to run ADprep on the 2000 machine

If the new Windows 2003 server is the R2 version, Adprep is in the \CMPNENTS\R2\ folder on CD2;
if not, then ADPREP is in the i386 folder.

Put the 2003 CD into the 2000 DC and run

adprep /forestprep
adprep /domainprep

Now go back to the 2003 machine

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select Additional Domain Controller in an existing Domain.

Once Active Directory is installed, then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

If you really want rid of the old DC then:-

Transfer all the FSMO roles to the new DC: See

Check that you have:-
Made the other DC a global catalog:
Installed DHCP on the new DC, set up the scope and authorise it. (If using DHCP)
Make sure that all clients use the new DC as their Preferred DNS server (either by static or DHCP options)

Power down the old DC and make sure that all is well. Once satisfied, power on the old DC again, then run DCPROMO to remove its domain controller status. This is essential to avoid replication errors.

If you want to remove the machine from the domain then you can do so once its DC role has been removed.
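
The "Check that you have" list in the answer above can be verified from a command prompt before DCPROMO is run on the old DC. The batch file below is an added example, not part of KCTS's answer; it assumes the Windows Support Tools (netdom, dcdiag, repadmin) are installed, and NEWDC01 and example.local are placeholder names. DHCP scope and client DNS settings still need to be checked by hand.

```batch
@echo off
rem Added example: pre-demotion checks for the new DC.
rem NEWDC and DOMAIN are placeholders (assumptions); set them for your site.
rem NEWDC must not be a substring of the old DC's name, or the counts mislead.
setlocal
set NEWDC=NEWDC01
set DOMAIN=example.local
set FAIL=0

rem 1. All five FSMO roles should name the new DC as their holder.
set ROLES=0
for /f %%c in ('netdom query fsmo ^| find /i /c "%NEWDC%"') do set ROLES=%%c
if not "%ROLES%"=="5" (
    echo FAIL: %NEWDC% holds %ROLES% of 5 FSMO roles
    set FAIL=1
)

rem 2. Ask the new DC's own DNS service for the global catalog SRV records
rem    and require one whose target ("svr hostname") is the new DC. This
rem    covers both "DNS installed" and "Global Catalog ticked".
nslookup -type=SRV _gc._tcp.%DOMAIN% %NEWDC% 2>nul | find /i "svr hostname" | find /i "%NEWDC%" >nul
if errorlevel 1 (
    echo FAIL: DNS on %NEWDC% returned no _gc._tcp SRV record pointing at it
    set FAIL=1
)

rem 3. Default dcdiag run against the new DC (includes the Advertising,
rem    KnowsOfRoleHolders and Replications tests). Failures are detected
rem    from the "failed test" lines in the saved output.
dcdiag /s:%NEWDC% > "%TEMP%\dcdiag_%NEWDC%.txt"
find /i "failed test" "%TEMP%\dcdiag_%NEWDC%.txt" >nul
if not errorlevel 1 (
    echo FAIL: dcdiag reported failed tests, see %TEMP%\dcdiag_%NEWDC%.txt
    set FAIL=1
)

rem 4. Show inbound replication status for manual review.
repadmin /showreps %NEWDC%

if "%FAIL%"=="0" echo All automated checks passed for %NEWDC%
if not "%FAIL%"=="0" echo Resolve the failures above before running DCPROMO on the old DC
endlocal & exit /b %FAIL%
```

Run it once before powering down the old DC and again while the old DC is off; steps 2 to 4 should give the same result both times.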

Expert Comment

ID: 21768983
Hi, check the following. It gives you a good checklist of what you need to do and how to get to the point of running dcpromo on the 2003 server.

Expert Comment

ID: 21768992
If you do it as above you will simply replace the DC - no need to remove and re-add the machines from the domain.

Expert Comment

ID: 21769014
There is no such thing as a primary domain controller in an AD environment. Just add the W2K3 server as an additional DC into your AD domain. If you like you can then demote the W2K server. But it is VERY good practice to always have a minimum of 2 DCs. W2K and W2K3 can easily co-exist in the same domain, so I would recommend to keep the two in your domain.

Author Comment

ID: 21769129
Thanks for all the quick feedback! The w2k3 is already at a domain controller status and I would prefer to make it the domain controller that all the workstations point to instead of the W2K domain controller. So, is it correct that I can just add the W2K3 domain controller to existing network, point the workstations to this new W2K3 server and still keep the existing W2K domain controller on the network as is?

Expert Comment

ID: 21769236
Yes. Definitely keep the W2K server as a DC. It will provide redundancy in case the W2K3 server fails (and vice versa).

Author Comment

ID: 21771778
KCTS: The current W2K DC is online and in service with Exchange 2003 also installed. What is the risk of installing adprep /forestprep
adprep /domainprep ?

Should I take this W2K DC off line before running these preps?


Author Closing Comment

ID: 31466528
This worked out just great yesterday for my situation. Much appreciated
