Replacing a Primary Domain Controller with new hardware

Posted on 2012-09-20
Last Modified: 2012-09-27
I have a single Active Directory domain that contains a primary domain controller and 2 backup controllers (all Windows Server 2003 x86 boxes). The PDC is getting old and it's time to upgrade. We have purchased the hardware and have installed Windows Server 2012 Standard x64.

I'm looking for recommendations on how to best proceed with swapping out the old PDC with the new hardware. Our domain consists of 60 or so desktops and laptops. We allow staff to use their personal laptops to access shared network resources. At present there are approx. 80 staff-owned non-domain-member machines that frequently connect to the network. The main complication is that our PDC is also our main file server, and all machines include shortcuts that point to the UNC path of the shares on the file server/PDC. To avoid having to deal with broken shortcuts on close to 150 machines, we'd like the new PDC to have the same name and IP address as the old one. Also, the shares have a wide variety of ACLs that would be painful to recreate manually, so I need to migrate the shares and permissions.

I'm assuming we'd need to do something along the following lines:

1. Make the new box a DC by adding the Active Directory Domain Services role.
2. Transfer FSMO Roles to the new DC.
3. Migrate File Services from the PDC to the new DC.
4. Demote the PDC by running DCPROMO to remove AD.
5. Unjoin the old PDC from the domain and remove it from the network.
6. Rename the new DC to match the name of the old PDC.
7. Change the new DC's IP address to match the IP address of the old PDC.
8. Run DCPROMO on the new DC to promote it to the PDC.

Some questions:

Does this seem like a reasonable approach to take or have I missed some crucial steps?
Is there a better way to do this?
Will File Services Migration preserve shares and permissions?
Do I need to do anything to ensure GPOs are preserved?

Advice, comments, suggestions gratefully accepted!

Thanks -- Steve
Question by:SteveV
    LVL 57

    Expert Comment

    by:Mike Kline
    It seems reasonable; use these links for the 2012 dcpromo.

    A lot has changed: you no longer have to worry about adprep (it does it for you). The dcpromo command no longer works in 2012.

    Very cool getting a 2012 box up less than a month after its release.  This is the first 2012 domain controller question I have seen on here, Outstanding!!


    LVL 77

    Accepted Solution

    Here is how I'd do it. It requires a staging computer and a bit more time (could be done in a virtual machine).
    1. On the staging computer create a domain controller.
    2. Join the new 2012 server to the domain.
    3. Use the robocopy /SEC option to copy from the OLD server to the new 2012 server. This will copy over the ACLs from the old server to the new 2012.
    4. By now the new DC should have replicated the domain architecture, including all group policy objects.
    5. Demote the 2003 server and put it aside. Rename this machine and change its IP address. I'd also get a hard copy of the root share names, as the share name doesn't always follow the 'disk filename', i.e. share \\serverx\production\work could exist on c:\fileshare\abc\work.
    6. Disjoin the new 2012 from the domain.
    7. Remove the 2003 server from the domain.
    8. Rename, change IPs on the 2012 server, join to domain.
    9. Promote the 2012 server.
    10. Wait for the domain to be replicated.
    11. Demote and remove the scratch server.

    I added the step of the scratch server since you need to keep the SAME NetBIOS name. In future I'd use DFS file shares rather than strict UNC shares.
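    The promotion and FSMO-transfer steps that both the question (steps 1, 2 and 8) and the answer above (steps 2 and 9) describe, written out as an added PowerShell example for Server 2012. This is not code from the thread or from either poster; the server name NEWDC2012, the domain corp.example.com and the credential names are assumptions. The "PDC" in the thread is, in AD terms, the DC holding the PDC Emulator FSMO role, which is why the transfer step is what makes the new box the "PDC".

```powershell
# Added example, not from the original thread. Assumed names: new server NEWDC2012,
# domain corp.example.com. Run in an elevated PowerShell session on the new server.

# Step 1: add the AD DS role and promote the box as an additional DC in the existing
# domain. Server 2012 runs adprep for you during promotion and dcpromo.exe is gone,
# as Mike Kline notes above.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

$dsrm = Read-Host -AsSecureString 'Directory Services Restore Mode password for the new DC'
Install-ADDSDomainController -DomainName 'corp.example.com' `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrm `
    -Credential (Get-Credential 'CORP\Administrator')
# The server reboots here; continue below once it is back up.

# Do not move roles or demote anything until replication to the new DC is clean.
repadmin /showrepl NEWDC2012
repadmin /replsummary

# Step 2: graceful transfer of all five FSMO roles to the new DC. Add -Force only to
# seize roles from a holder that is permanently gone; a seizure must never be followed
# by bringing the old holder back online.
Move-ADDirectoryServerOperationMasterRole -Identity 'NEWDC2012' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Verify every role now reports NEWDC2012 before touching the 2003 box.
netdom query fsmo
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

# GPO question from the original post: a GPO is an AD object plus a folder under SYSVOL.
# Both replicate on their own; confirm the new DC has them all before demoting the old one.
Get-GPO -All -Server 'NEWDC2012' | Measure-Object
Get-ChildItem '\\NEWDC2012\SYSVOL\corp.example.com\Policies' | Measure-Object
```

    The two Measure-Object counts should agree with each other and with the same counts taken against the old DC; a shortfall in the SYSVOL count points at SYSVOL replication (FRS on a 2003-era domain) rather than at AD replication.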
    LVL 8

    Expert Comment

    Have you tried migration in 2008...? If same domain, so simple: just join it to the new domain,
    set the FSMO roles (mainly) and Global Catalog, then demote the 2003 DCs.

    Make a writeable DC at each site.

    Author Comment

    @ Mike
    Thanks for the links--very handy

    I already have 2 other DCs in addition to the PDC--do I really need the staging DC? Regarding Robocopy: excellent suggestion--thanks.

    Not sure I follow. Adding the new DC and promoting it isn't the hard part. Keeping the original PDC's NetBIOS name, IP address, shares and ACLs is the bit I'm concerned about.

    Thanks -- Steve
    LVL 57

    Expert Comment

    by:Mike Kline
    I forgot to mention RichCopy.

    Robocopy works too, but that GUI can be nice.


    LVL 77

    Expert Comment

    by:David Johnson, CD, MVP
    Since you have other DCs (not RODCs, I hope) then you don't need the staging DC.

    Author Closing Comment

    Thanks to all who replied. A couple of bits of info for anyone else looking to do this in the future.

    I ended up using RoboCopy over RichCopy. For all its convenience, RichCopy seems to have one fatal flaw: it doesn't copy ACLs reliably, which I didn't discover until I copied over 500GB of data. Some quick Googling indicates this is a common problem.

    After some experimenting with a number of robocopy cli switches I ended up with the following:

    robocopy \\server1\d$ d: /E /COPYALL /R:1 /B /LOG:"D:\Temp\RoboCopy\DRoboLog.log" /V /TEE

    This copied the data and ACLs properly, but I still needed to recreate the shares. Recreating the shares was as simple as exporting the following registry key from the old server: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares and importing it into the new one. Details here:

    We have yet to actually promote the new DC--we're planning to do that over an upcoming long weekend on 10/6.
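    The file-migration part of the thread (robocopy /SEC in the accepted solution, the /COPYALL command line and the LanmanServer\Shares export in the closing comment) as one added PowerShell example. It is not code from the thread; OLDPDC as the 2003 server name, D: as the destination volume and the D:\Temp paths are assumptions. What it adds beyond the posted command is the check the closing comment wishes it had earlier: an independent comparison of source and destination ACLs after the copy, so a tool that silently drops permissions is caught on a directory listing rather than after 500GB.

```powershell
# Added example, not from the original thread. Assumed names: old server OLDPDC,
# destination volume D: on the new server. Run elevated on the new server with an
# account that is a Backup Operator on both machines (robocopy /B needs SeBackupPrivilege
# and copying SACLs with /COPYALL needs SeSecurityPrivilege).

$src = '\\OLDPDC\d$'
$dst = 'D:\'
$log = 'D:\Temp\RoboCopy\DRoboLog.log'
New-Item -ItemType Directory -Force -Path (Split-Path $log) | Out-Null

# Switches from the closing comment. /E: all subdirectories including empty ones.
# /COPYALL = /COPY:DATSOU: data, attributes, timestamps, security (DACL), owner, auditing (SACL).
# /B: backup mode, reads files the account has no ACE for. /R:1: one retry per failure.
robocopy $src $dst /E /COPYALL /R:1 /B /LOG:$log /V /TEE

# robocopy exit codes are a bitmask: 1 copied, 2 extras, 4 mismatches; 8 or above means
# something failed to copy and the log has the list.
if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures (exit $LASTEXITCODE); see $log" }

# Independent ACL verification. Compares the SDDL string (owner, DACL, SACL) of every
# source directory with its counterpart on the destination. Entries for groups local to
# the OLD server carry that machine's SID and will legitimately show as differences;
# everything else should match exactly.
function Compare-AclTree {
    param([string]$Source, [string]$Destination)
    $root = $Source.TrimEnd('\')
    $mismatches = @()
    Get-ChildItem -LiteralPath $root -Directory -Recurse -Force | ForEach-Object {
        $rel    = $_.FullName.Substring($root.Length)
        $target = Join-Path $Destination $rel
        if (-not (Test-Path -LiteralPath $target)) {
            $mismatches += "MISSING  $rel"
            return
        }
        $s = (Get-Acl -LiteralPath $_.FullName).Sddl
        $d = (Get-Acl -LiteralPath $target).Sddl
        if ($s -ne $d) { $mismatches += "ACL-DIFF $rel" }
    }
    return $mismatches
}

$diff = Compare-AclTree -Source $src -Destination $dst
if ($diff) {
    $diff | Out-File 'D:\Temp\RoboCopy\AclMismatches.txt'
    Write-Warning "$($diff.Count) directories differ or are missing; list written to AclMismatches.txt"
} else {
    'All directory ACLs match the source.'
}

# Recreating the shares. The Shares key also holds the Security subkey with the
# share-level permissions, so both come across together. The export is run on OLDPDC,
# the import on the new server; the path values inside the .reg file must still be
# valid on the new layout (D: to D: here) or the Server service will skip that share.
#   reg export HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares D:\Temp\Shares.reg   (on OLDPDC)
reg import 'D:\Temp\Shares.reg'
Restart-Service LanmanServer -Force
Get-SmbShare | Where-Object Path -like 'D:\*' | Format-Table Name, Path -AutoSize
```

    Run Compare-AclTree once on a small subtree before the full copy to confirm the copy tool and the account's privileges are right; it is the same check that would have exposed the RichCopy problem on the first directory rather than the last.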

