Replacing a Primary Domain Controller with new hardware

I have a single Active Directory domain that contains a primary domain controller and 2 backup controllers (all Windows Server 2003 x86 boxes). The PDC is getting old and it's time to upgrade. We have purchased the hardware and have installed Windows Server 2012 Standard x64.

I'm looking for recommendations on how to best proceed with swapping out the old PDC with the new hardware. Our domain consists of 60 or so desktops and laptops. We allow staff to use their personal laptops to access shared network resources. At present there are approx. 80 staff-owned non-domain-member machines that frequently connect to the network. The main complication is that our PDC is also our main file server, and all machines include shortcuts that point to the UNC path of the shares on the file server/PDC. To avoid having to deal with broken shortcuts on close to 150 machines, we'd like the new PDC to have the same name and IP address as the old one. Also, the shares have a wide variety of ACLs that would be painful to recreate manually, so I need to migrate the shares and permissions.

I'm assuming we'd need to do something along the following lines:

1. Make the new box a DC by adding the Active Directory Domain Services role.
2. Transfer FSMO roles to the new DC.
3. Migrate File Services from the PDC to the new DC.
4. Demote the PDC by running DCPROMO to remove AD.
5. Unjoin the old PDC from the domain and remove it from the network.
6. Rename the new DC to match the name of the old PDC.
7. Change the new DC's IP address to match the IP address of the old PDC.
8. Run DCPROMO on the new DC to promote it to the PDC.

Some questions:

Does this seem like a reasonable approach to take or have I missed some crucial steps?
Is there a better way to do this?
Will File Services Migration preserve shares and permissions?
Do I need to do anything to ensure GPOs are preserved?

Advice, comments, suggestions gratefully accepted!

Thanks -- Steve
David Johnson, CD, MVP (Owner) commented:
Here is how I'd do it. It requires a staging computer and a bit more time (could be done in a virtual machine).
1. On the staging computer create a domain controller.
2. Join the new 2012 server to the domain.
3. Use the robocopy /SEC option to copy from the OLD server to the new 2012 server. This will copy over the ACLs from the old server to the new 2012.
4. By now the new DC should have replicated the domain architecture, including all group policy objects.
5. Demote the 2003 server and put it aside. Rename this machine and change its IP address. I'd also get a hardcopy of the root share names, as the share name doesn't always follow the 'disk filename', i.e. share \\serverx\production\work could exist on c:\fileshare\abc\work.
6. Disjoin the new 2012 from the domain.
7. Remove the 2003 server from the domain.
8. Rename, change IPs on the 2012 server, join to domain.
9. Promote the 2012 server.
10. Wait for the domain to be replicated.
11. Demote and remove the scratch server.

I added the step of the scratch server since you need to keep the SAME netbios name. In future I'd use DFS file shares rather than strict UNC shares.
Mike Kline commented:
It seems reasonable; use these links for the 2012 dcpromo

A lot has changed: you no longer have to worry about adprep (it does it for you). The dcpromo command no longer works in 2012.

Very cool getting a 2012 box up less than a month after its release.  This is the first 2012 domain controller question I have seen on here, Outstanding!!

Have you tried migration in 2008...? If it's the same domain, it's simple: just join it to the new domain, set the FSMO roles (mainly) and the Global Catalog, then demote the 2003 DCs.

Make a writeable DC in each site.

SteveV (Author) commented:
@Mike
Thanks for the links--very handy.

I already have 2 other DCs in addition to the PDC--do I really need the staging DC? Regarding Robocopy: excellent suggestion--thanks.

Not sure I follow. Adding the new DC and promoting it isn't the hard part. Keeping the original PDC's NetBIOS name, IP address, shares and ACLs is the bit I'm concerned about.

Thanks -- Steve
Mike Kline commented:
I forgot to mention RichCopy.

Robocopy works too, but that GUI can be nice.


David Johnson, CD, MVP (Owner) commented:
Since you have other DCs (not RODCs, I hope) you don't need the staging DC.
SteveV (Author) commented:
Thanks to all who replied. A couple of bits of info for anyone else looking to do this in the future.

I ended up using RoboCopy over RichCopy. For all its convenience, RichCopy seems to have one fatal flaw: it doesn't copy ACLs reliably, which I didn't discover until I had copied over 500GB of data. Some quick Googling indicates this is a common problem.

After some experimenting with a number of robocopy CLI switches I ended up with the following:

robocopy \\server1\d$ d: /E /COPYALL /R:1 /B /LOG:"D:\Temp\RoboCopy\DRoboLog.log" /V /TEE

This copied the data and ACLs properly, but I still needed to recreate the shares. Recreating the shares was as simple as exporting the following registry key from the old server: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares and importing it into the new one. Details here:

We have yet to actually promote the new DC--we're planning to do that over an upcoming long weekend on 10/6.
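
A check worth running after either copy approach in this thread (David's robocopy /SEC, Steve's robocopy /COPYALL) is a source-versus-destination ACL comparison, so a copier that drops ACLs is caught before hundreds of gigabytes have moved, plus a readout of the share-name-to-path mapping held in the LanmanServer\Shares key that Steve exported. The PowerShell below is an added example and not code from any of the posters; the \\server1\d$ and D:\ paths are assumed from Steve's robocopy command.

```powershell
# Added example (not from any poster). Run on the new server after robocopy.
# Assumes \\server1\d$ = old PDC data volume (Steve's command), D:\ = new volume.
param(
    [string]$Source      = '\\server1\d$',
    [string]$Destination = 'D:\',
    [int]$SampleSize     = 500,
    [switch]$DaclOnly      # use with /SEC copies: owner and SACL are not copied
)

# Extract the DACL ("D:" section) of an SDDL string; SIDs use "S-", never "S:",
# so the lookahead stops only at the SACL section or end of string.
function Get-DaclPart([string]$Sddl) {
    if ($Sddl -match '(D:.*?)(?=S:|$)') { return $Matches[1] }
    return $Sddl
}

# Compare security descriptors on a sample of files and folders. RichCopy
# silently dropped ACLs in the thread above; this catches that before 500GB.
function Compare-CopiedAcl([string]$Src, [string]$Dst, [int]$Count, [bool]$Dacl) {
    $mismatches = @()
    $root  = $Src.TrimEnd('\')
    $items = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue |
             Select-Object -First $Count
    foreach ($item in $items) {
        $rel     = $item.FullName.Substring($root.Length)
        $dstPath = Join-Path $Dst $rel
        if (-not (Test-Path -LiteralPath $dstPath)) { $mismatches += "MISSING $rel"; continue }
        $s = (Get-Acl -LiteralPath $item.FullName).Sddl
        $d = (Get-Acl -LiteralPath $dstPath).Sddl
        if ($Dacl) { $s = Get-DaclPart $s; $d = Get-DaclPart $d }
        if ($s -ne $d) { $mismatches += "ACLDIFF $rel" }
    }
    return $mismatches
}

# Read share definitions from the key Steve exported. Each share is a
# REG_MULTI_SZ value of "Key=Value" lines (Path=, Remark=, ...); list the
# share-name-to-folder mapping so it can be checked against the new volume.
function Get-LanmanShareMap {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares'
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Value -is [string[]] }) {
        $fields = @{}
        foreach ($line in $p.Value) { $k, $v = $line -split '=', 2; $fields[$k] = $v }
        [pscustomobject]@{ Share = $p.Name; Path = $fields['Path']; Remark = $fields['Remark'] }
    }
}

Compare-CopiedAcl -Src $Source -Dst $Destination -Count $SampleSize -Dacl $DaclOnly
Get-LanmanShareMap | Format-Table -AutoSize
```

An empty result from the ACL comparison means the sampled descriptors match; any MISSING or ACLDIFF line names a relative path to re-run robocopy against before the cutover.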
