Windows 2003 DC change

Posted on 2009-04-30
Last Modified: 2012-05-06
Folks, I currently have a Windows 2003 DC and an additional 2003 domain controller.

My DC has been heavily infected with a virus, AD accounts keep getting locked, and I can't even run regedit.

I have a new server on which I want to install 2003 and make that the DC.

Because my additional DC hardware is old, I don't want to move the FSMO roles to that server; thus I want the additional DC to keep running as it is now.

Please advise how I can:
1) move the roles to the new server hardware
2) get rid of the current infected DC from the network
3) keep the existing additional DC as it is
4) keep the GPOs, as I have Citrix users authenticating to the DC

Question by:Musafeer79

    Expert Comment

    by:Andres Perales
    Load up the new server as a DC and move all the roles to the new DC.

    Then reload the old DC and use that as your second DC.

    Accepted Solution

    Sounds like you got hit with Conficker. I'm assuming you already tried to clean the infected DC.
    One thing you didn't cover is how you have DNS set up right now. Are you using Active Directory integrated DNS or another solution?
    The answer won't be complete until we find out how DNS is now set up, but we can get you started:
    1. On the new server install 2003 and have it point to a valid DNS server, then join it to the domain.
    2. Run dcpromo on that server to promote it and make it an additional DC in the domain. Step 4 in the link below.
    3. Depending on how DNS is set up there may be a step here.
    4. Make the new DC a global catalog server. So now you have AD on the new server and you will have 3 DCs for the time being.
    5. Transfer the FSMO roles to the new server. Now the new DC is a GC and it holds all the FSMO roles.
    6. As for the old box, if you can, try to run dcpromo to demote it. If you can't, then you will have to wipe it and run metadata cleanup to get rid of it in AD.
    The existing DC is fine, and GPOs won't be affected by adding a new DC.
    Let us know about DNS and I'll add on to this answer.
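    The promote / GC / transfer / retire sequence in the answer above, as an added PowerShell example that is not part of the thread. Two points it makes concrete: ntdsutil's "connect to server" names the DC that will receive the roles (the new server, never the old one), and the transfer should be verified against the directory afterwards rather than by trusting ntdsutil's console output. The names NEWDC03 and OLDDC03, the site name Default-First-Site-Name and the $CleanupOld switch are assumptions for the example; ntdsutil.exe and dsquery.exe are the stock Windows Server 2003 tools.

```powershell
# Added example, not from the thread: move the five FSMO roles from the
# infected 2003 DC to the new one with ntdsutil, then prove the move with
# dsquery.  Run it on the NEW DC in an interactive session as a member of
# Enterprise Admins (the schema and domain naming masters need that).
# Hypothetical names: NEWDC03 is the new DC, OLDDC03 the infected one.
param(
    [string]$NewDc = "NEWDC03",   # the DC that will HOLD the roles = ntdsutil "connect to server" target
    [string]$OldDc = "OLDDC03",   # the infected DC being retired
    [switch]$CleanupOld           # only after OLDDC03 has been wiped and dcpromo was impossible
)

# ntdsutil transfer command paired with the dsquery -hasfsmo keyword that checks it
$roles = @(
    @{ Transfer = "transfer schema master";         Query = "schema" },
    @{ Transfer = "transfer domain naming master";  Query = "name"   },
    @{ Transfer = "transfer RID master";            Query = "rid"    },
    @{ Transfer = "transfer PDC";                   Query = "pdc"    },
    @{ Transfer = "transfer infrastructure master"; Query = "infr"   }
)

# Step 1: the new DC must already be a global catalog and have finished replicating
if (-not ((& dsquery server -isgc) -match $NewDc)) {
    throw "$NewDc is not a global catalog yet; enable GC in AD Sites and Services and wait for replication."
}

# Step 2: transfer each role.  "connect to server" names the DC that RECEIVES
# the role, so it is always the new server, never the old one.  Every
# sub-command is passed to ntdsutil as a separate argument; Server 2003 still
# shows a Role Transfer Confirmation dialog for each role, so answer Yes.
foreach ($r in $roles) {
    & ntdsutil roles connections "connect to server $NewDc" quit $r.Transfer quit quit
    if ($LASTEXITCODE -ne 0) { Write-Warning "ntdsutil returned $LASTEXITCODE for '$($r.Transfer)'" }
}

# Step 3: verify by reading the role owners back from AD
$wrong = @()
foreach ($r in $roles) {
    $holder = (& dsquery server -hasfsmo $r.Query) -join ""
    if ($holder -notmatch $NewDc) { $wrong += "$($r.Query) is on $holder" }
}
if ($wrong.Count -gt 0) { throw "Transfer incomplete: $($wrong -join '; ')" }
"All five FSMO roles are now held by $NewDc"

# Step 4 (optional): if OLDDC03 could not be demoted and has been wiped, remove
# its stale NTDS settings object.  Needs the 2003 SP1+ ntdsutil syntax; the site
# name is an assumption.  Its DNS A/SRV records and computer object still have
# to be deleted by hand afterwards.
if ($CleanupOld) {
    $configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $serverDn = "CN=$OldDc,CN=Servers,CN=Default-First-Site-Name,CN=Sites,$configNc"
    & ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit
}
```

    Run it once without -CleanupOld right after the new DC has been promoted and replication has caught up; the GC check at the top stops it if you are too early. Only pass -CleanupOld after the infected box is off the network for good, since metadata cleanup against a DC that later comes back online leaves a DC that thinks it is still a replication partner.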

    Author Comment

    Thanks Mike, we have integrated DNS. This Conficker virus is a headache. Have you been able to get it off any DC?

    Expert Comment

    by:Mike Kline
    Luckily we haven't been hit with Conficker... hopefully we won't.
    So AD-integrated DNS is good here. On your new DC just install DNS, and after the dcpromo sit back and wait; the DNS info will replicate to the new DC.
    Also make sure your clients (all static IPs, DHCP, and applications) that point to the old server for DNS are changed to point to the new DNS server.
    On another note, for anyone else that may find this thread in the future: there are often questions on here about why it is critical to have at least two domain controllers... this is a classic case. If you had had only one DC you would be in a much worse position right now.
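    The re-pointing step above (static clients, DHCP clients, applications) as an added PowerShell example that is not part of the thread. It walks every computer account in the domain, reads each NIC's DNS search order over WMI, and reports anything still listing the infected DC; statically configured NICs can be rewritten in place, while DHCP clients are reported only, because their list comes from the scope's option 006 and must be fixed on the DHCP server. The addresses 192.168.1.10 (old DC) and 192.168.1.20 (new DC) and the -Fix switch are assumptions for the example; it needs WMI/RPC access to the targets from an admin workstation.

```powershell
# Added example, not from the thread: audit (and optionally fix) every domain
# computer whose DNS client list still contains the infected DC, so nothing
# breaks when that box is pulled.  Hypothetical addresses: 192.168.1.10 is the
# old DC, 192.168.1.20 the new DC.  Application-level settings (e.g. a Citrix
# server configured with an explicit DNS address) are out of WMI's reach and
# still have to be checked by hand.
param(
    [string]$OldDnsIp = "192.168.1.10",
    [string]$NewDnsIp = "192.168.1.20",
    [switch]$Fix                          # rewrite statically configured NICs; default is report only
)

# Enumerate computer accounts (servers, Citrix hosts, workstations); dsquery returns quoted DNs
$names = & dsquery computer -limit 0 | ForEach-Object {
    $dn = $_.Trim('"')
    ([ADSI]"LDAP://$dn").cn
}

foreach ($name in $names) {
    try {
        $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $name `
                    -Filter "IPEnabled = True" -ErrorAction Stop
    } catch {
        Write-Warning "$name unreachable (off, or RPC blocked): $($_.Exception.Message)"
        continue
    }
    foreach ($nic in $nics) {
        $dns = @($nic.DNSServerSearchOrder)
        if (-not ($dns -contains $OldDnsIp)) { continue }

        if ($nic.DHCPEnabled) {
            # DHCP clients inherit DNS from scope option 006; writing a list here would
            # pin a static override on the client, so fix the DHCP scope instead.
            "$name : DHCP client still receiving $OldDnsIp (fix option 006 on the scope)"
        } elseif ($Fix) {
            # Put the new DC first and keep the other entries (e.g. the surviving additional DC)
            $newOrder = @($NewDnsIp) + @($dns | Where-Object { $_ -ne $OldDnsIp })
            $rc = $nic.SetDNSServerSearchOrder($newOrder).ReturnValue
            "$name : static NIC '$($nic.Description)' repointed to $($newOrder -join ', ') (rc=$rc)"
        } else {
            "$name : static NIC '$($nic.Description)' still uses $OldDnsIp ($($dns -join ', '))"
        }
    }
}
```

    Run it in report mode first and keep the output: the machines that never show up because they were off also need a second pass, and the ones the script cannot reach over RPC are usually the same ones a worm has been keeping busy. A ReturnValue of 0 from SetDNSServerSearchOrder means the new list was applied.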

    Author Comment


    I'm confused with the part below:

    1.      Type connect to server <servername>, where <servername> is the name of the server you want to use, and then press ENTER.

    Which server name should I put here, the OLD DC or the new one I'm trying to transfer the roles to?
