Domain Controller upgrade

Posted on 2008-06-17
Last Modified: 2013-12-05
I have an old Windows 2000 server acting as domain controller, as well as file and print server.
I also have a brand new Server 2003/64-bit acting as a member server.
What I wish to do is promote the new server to act as a domain controller as well. This will give me 2 domain controllers on the network.
I know this can be done.
My problem is that I have never done this before.
Can someone please advise me how this is done, plus any pitfalls to avoid?
Note - Win server is only 32 bit, new server is 64 bit. Will this cause a problem?
What else will need to be done? Must I transfer DNS as well?
Question by:dexterhome
LVL 70

Accepted Solution

KCTS earned 250 total points
ID: 21802416
Essentially it is no different from using a 32-bit server.

The first job is to prepare the domain for the new DC by running ADPREP. If the new Windows 2003 server is the R2 version, you need to run Adprep from the \CMPNENTS\R2\ folder on CD2; if it's not R2, then use adprep from the i386 folder (you may need to get the 32 bit version of this. If so, download the trial copy).

Put the CD in the 2000 machine, you need to run

adprep /forestprep
adprep /domainprep

Promote the new machine to a domain controller with the DCPROMO command from the command line. Select Additional Domain Controller in an existing Domain.

Once Active Directory is installed, then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

If you really want to move the FSMO roles from the old DC then:-

Transfer all the FSMO roles to the new DC: See
LVL 31

Assisted Solution

by:Henrik Johansson
Henrik Johansson earned 250 total points
ID: 21802540
Having 32bit and 64bit DCs in the same domain doesn't matter.

Use the adprep-command from Win2k3 to do an adprep/forestprep and adprep/domainprep.
Confirm that the DNS-zone allows dynamic updates, so the new DC can register its records correctly.
When the AD-prep is done, use dcpromo on the new DC.

On the DNS zone-properties->Change the zone-type to be stored in AD.
Add the DNS-zone on the new DC.
Configure both DCs to use their own IP as primary DNS-server and the other DC as secondary DNS-server.
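
The post-promotion checks implied by the two answers above (new DC listed, global catalog locatable, replication healthy, FSMO holders known, DNS zone update mode), as an added example that is not part of the original posts. NEWDC01, OLDDC01 and example.local are placeholders, and the script assumes the Windows Server 2003 Support Tools (dcdiag, repadmin, netdom, nltest, dnscmd) are installed on the machine it runs from.

```bat
@echo off
rem Added example: health checks to run after dcpromo and its reboot.
rem NEWDC, OLDDC and DOMAIN are placeholders; replace with your own names.
setlocal
set NEWDC=NEWDC01
set OLDDC=OLDDC01
set DOMAIN=example.local
set REPORT=%TEMP%\dcdiag_%NEWDC%.txt
set FAIL=0

echo [1] Domain controllers known for %DOMAIN% (both DCs should be listed)
nltest /dclist:%DOMAIN%

echo [2] Can a global catalog be located?
nltest /dsgetdc:%DOMAIN% /gc
if errorlevel 1 set FAIL=1

echo [3] dcdiag against the new DC (full report saved to %REPORT%)
rem The exit code is not relied on; the report is searched for failed tests.
dcdiag /s:%NEWDC% > "%REPORT%"
findstr /i /c:"failed test" "%REPORT%"
if not errorlevel 1 set FAIL=1

echo [4] Inbound replication status on each DC
repadmin /showrepl %NEWDC%
repadmin /showrepl %OLDDC%

echo [5] Current FSMO role holders (record these before any transfer)
netdom query fsmo

echo [6] Dynamic update mode of the DNS zone
rem AllowUpdate: 0 = none, 1 = nonsecure and secure, 2 = secure only.
rem Secure-only is available once the zone is stored in Active Directory.
dnscmd %NEWDC% /zoneinfo %DOMAIN% AllowUpdate

if "%FAIL%"=="1" (
    echo One or more checks failed. Review the output above before
    echo pointing clients at %NEWDC% or moving any FSMO roles.
    exit /b 1
)
echo Automated checks passed. Review steps 1, 4, 5 and 6 by eye.
exit /b 0
```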

Author Comment

ID: 21820922
How will this affect the group policy?
I wish to use GPOs to change settings on workstations but some features are not available on the Win 2000 GPE to allow changes to Win XP workstations (mainly firewall settings).
Will I be able to use the editor in the Win Server 2003 machine?
Will it downgrade the group policy to match Win 2000?
Will it upgrade the GPE to match 2003?

Please advise.

LVL 31

Expert Comment

by:Henrik Johansson
ID: 21821048
Yes, you can use GPMC to manage GPOs for Win2000, XP and 2003.
If the GPO-feature isn't available for Win2000, it will not affect those computers.

GPMC is downloadable at

Author Comment

ID: 21821195
Problem is that the GPMC tool is not supported under Win 2003/64.
So I will have to use the standard GP from the AD.
This is where I think I will have the mismatch.
If GPOs are edited in Win Server 2003/64, will they/can they replicate to the Win Server 2000 AD?
What will happen with the DC promo?
The AD will be transferred (copied) across 2 different platforms. One system's AD will have to be either upgraded or downgraded to meet the other.
Which way will it go? I presume it will level the AD at the Windows 2000 GP/AD.
In which case this will not give me the features I require.

Sorry. I may actually be morphing questions.
LVL 31

Expert Comment

by:Henrik Johansson
ID: 21821406
You will have one AD with one domain with two domain controllers, and the GPOs will replicate between both DCs in the domain without any problem.
You can install GPMC on an XP-machine instead of needing to log on to the DCs to edit the GPOs. Also install adminpak.msi to get ADUC and other AD-tools on the XP-machine.

Author Comment

ID: 21821944
I see. I thought that the GP was controlled by the editor but clearly it is not.
I have downloaded the adminpak and installed and used it. This simplifies a lot of items.

Thanks for that.

Just got to upgrade the domain controllers now.

Will the system require restarting when running the DC promo updates?

LVL 31

Expert Comment

by:Henrik Johansson
ID: 21822709
Yes, dcpromo requires reboot.
Remember to run adprep/forestprep and adprep/domainprep with the Win2k3-version of the command before running dcpromo on the Win2k3-server.

Author Comment

ID: 21829562
I will try what has been advised in a test environment before applying to actual systems.
Will most likely take a week or two.
I will post back when I have tested.

Author Closing Comment

ID: 31473499
Thank you for all the information. Finally got around to doing the job and it went all ok.

Question has a verified solution.
