Demoting primary domain controller

Posted on 2008-06-12
Last Modified: 2010-04-21
Existing network uses a W2K server as primary domain controller. Need to add a new W2K3 server as the primary domain controller, but keep the existing W2K server on the network.
Can I simply join all workstations to the new W2K3 domain controller without issues? Or, must I first demote the W2K server to a member server?
Appreciate input as need to get this done right away.
Question by:zackery

Accepted Solution

KCTS earned 500 total points
ID: 21768980
The process is as follows

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network

Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

You now need to run ADprep on the 2000 machine

If the new Windows 2003 server is the R2 version Adprep is in the \CMPNENTS\R2\ folder on CD2
if not then ADPREP is in the i386 Folder

Put the 2003 CD into the 2000 DC and run

adprep /forestprep
adprep /domainprep

Now go back to the 2003 machine

From the command line promote the new machine to a domain controller with the DCPROMO command from the command line Select Additional Domain Controller in an existing Domain

Once Active Directory is installed then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server: go to Administrative Tools, Active Directory Sites and Services, expand Sites, Default first site and Servers. Right click on the new server, select Properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership.)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

If you really want rid of the old DC then:-

Transfer all the FSMO roles to the new DC: See

Check that you have:-
Made the other DC a global catalog
Installed DHCP on the new DC, set up the scope and authorised it (if using DHCP)
Made sure that all clients use the new DC as their Preferred DNS server (either by static settings or DHCP options)

Power down the old DC and make sure that all is well; once satisfied, power on the old DC again, then run DCPROMO to remove its domain controller status. This is essential to avoid replication errors.

If you want to remove the machine from the domain then you can do so once its DC role has been removed.
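The "really want rid of the old DC" checklist above, as an added example that is not part of the answer or of any Microsoft documentation: a batch file run on the new Windows Server 2003 DC that verifies DNS, advertising, global catalog status and replication, transfers (rather than seizes) the five FSMO roles, and forces a final sync before the old DC is demoted. It assumes the Windows Server 2003 Support Tools (netdom, repadmin, dcdiag) are installed from the CD's \SUPPORT\TOOLS folder; ntdsutil and dsquery ship with 2003. NEWDC, OLDDC and example.local are placeholders to replace with your own names.

```batch
@echo off
REM Added example, not the original answer's text. Run on the NEW 2003 DC as a
REM member of Domain Admins, Schema Admins and Enterprise Admins (schema and
REM domain naming master transfers need the last two).
REM Placeholders (assumptions): NEWDC, OLDDC, example.local.
setlocal
set NEWDC=NEWDC
set OLDDC=OLDDC
set DOMAIN=example.local

echo === 1. DNS: this DC (and every client) should prefer the new DC ===
ipconfig /all | findstr /i /c:"DNS Servers"

echo === 2. Is the new DC registered in DNS and advertising LDAP/KDC/GC? ===
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN%
dcdiag /s:%NEWDC% /test:advertising
dsquery server -isgc

echo === 3. Replication health before touching any role ===
repadmin /replsummary
repadmin /showrepl %NEWDC%

echo === 4. Current FSMO role holders (expect the old DC here) ===
netdom query fsmo

echo === 5. Transfer all five roles to the new DC ===
REM Transfer is the graceful path: the old DC is online and hands the role
REM over, which is why the answer powers it back on before running DCPROMO.
REM Seizing is only for a DC that is gone for good.
ntdsutil "roles" "connections" "connect to server %NEWDC%" "quit" ^
  "transfer schema master" "transfer domain naming master" "transfer pdc" ^
  "transfer rid master" "transfer infrastructure master" "quit" "quit"

echo === 6. Confirm the move and that every DC knows the new role holders ===
netdom query fsmo
dcdiag /test:knowsofroleholders

echo === 7. Final push replication from the new DC across all naming contexts ===
repadmin /syncall %NEWDC% /e /d /A /P
endlocal
```

Each ntdsutil transfer pops up a confirmation dialog, so step 5 is interactive rather than unattended. The order of the steps is the point: the role transfer happens only after step 3 shows clean replication, and step 6 must list the new DC for all five roles before the old DC is powered down for the "make sure that all is well" test, so that nothing is still answering on the old box when DCPROMO removes it.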

Expert Comment

ID: 21768983
hi, check the following; it gives you a good checklist of what you need to do and how to get to the point of running dcpromo on the 2003 server

Expert Comment

ID: 21768992
If you do it as above you will simply replace the DC - no need to remove and re-add the machines from the domain.

Expert Comment

ID: 21769014
There is no such thing as a primary domain controller in an AD environment. Just add the W2K3 server as an additional DC into your AD domain. If you like you can then demote the W2K server. But it is VERY good practice to always have a minimum of 2 DCs. W2K and W2K3 can easily co-exist in the same domain, so I would recommend to keep the two in your domain.

Author Comment

ID: 21769129
Thanks for all the quick feedback! The w2k3 is already at a domain controller status and I would prefer to make it the domain controller that all the workstations point to instead of the W2K domain controller. So, is it correct that I can just add the W2K3 domain controller to existing network, point the workstations to this new W2K3 server and still keep the existing W2K domain controller on the network as is?

Expert Comment

ID: 21769236
Yes. Definitely keep the W2K server as a DC. It will provide redundancy in case the W2K3 server fails (and vice versa).

Author Comment

ID: 21771778
KCTS: The current W2K DC is online and in service with Exchange 2003 also installed. What is the risk of installing adprep /forestprep and adprep /domainprep?

Should I take this W2K DC off line before running these preps?


Author Closing Comment

ID: 31466528
This worked out just great yesterday for my situation. Much appreciated
