Add new 2016 DC into existing 2008 R2 FFL/DFL and replace existing 2008R2 DC but with SAME NAME AND STATIC IP?

Laszlo Denes
Quick question regarding the best way to do this; as always, I greatly appreciate any/all insights, tips and thoughts.
We currently have a 2008 R2 FFL/DFL with two 2008 R2 domain controllers.
I am planning to (after all tests/prerequisite steps, e.g. DNS health, AD replication, FSMO role transfer to the other DC, etc. are successful) demote a 2008 R2 DC and then replace it with a newly built 2016 Standard server as a DC.
Here is my challenge, i.e. the question I would like to clarify.
We are trying to keep the same name/IP (static, obviously) for the new 2016 DC (temporary name assigned and already built, but not in the domain yet) as the existing 2008 R2 DC currently has. The intent is to avoid having to individually reconfigure/repoint all services (e.g. static DNS/WINS settings) on all member server network cards, and the applications/appliances that point to the DC by name/IP for LDAP integration, etc.
So would the steps be as follows, or is there something else that needs to be done before, during or after that I am still missing?
Existing name of current 2008R2 DC e.g. SERVERDC2 (with IP
1. Move all FSMO roles, etc. to the other DC (SERVERDC1, 2008 R2), demote SERVERDC2 from domain DC to just a member server, then remove it as a member server from the domain into a workgroup.
2. Rename the new 2016 server, currently in a workgroup with a temp name, to SERVERDC2 and join it to the domain as a member server.
3. Assign the same static IP that the previous SERVERDC2 (2008 R2) had, i.e.
4. Promote (install AD, etc.) the new SERVERDC2 (2016) as a domain controller.
5. Allow DNS and AD replication across the domain from the other DC, SERVERDC1 (2008 R2), to the new SERVERDC2 (2016).
6. Run health checks again (AD, DNS, etc.) and resolve any issues that arise.
7. Move all FSMO roles from SERVERDC1 (2008 R2) to the new SERVERDC2 (2016), then turn off SERVERDC1 (2008 R2) for a few hours to make sure everything works, and then repeat the steps to remove SERVERDC1 (2008 R2) and replace it with another SERVERDC1 (now 2016) added the same way as SERVERDC2 (2016), thus replacing the existing SERVERDC1 (2008 R2) with the same name and IP as well.
Do I demote the existing SERVERDC2 (2008 R2) from DC to merely a member server, but then not remove it from the domain into a workgroup, i.e. the computer account remains registered in the domain (DNS, WINS), so that when I change the name of the new 2016 DC from the temp name to SERVERDC2 and join it to the domain, the computer account already exists? I am inclined to think that I should totally remove the existing DC (as DC and member server) and then add everything as new, but only because we normally do not need to keep the same name/IP. So is there anything special I need to take into account or consider because of that requirement, or are the above steps (1-7) correct with full removal and then full promotion/addition of the new server with the same name/IP?
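An added example, not from the original question or any of the replies, covering the checks behind step 1 and the FSMO move in steps 1 and 7. It assumes the ActiveDirectory module (RSAT, or the new 2016 box), domain admin rights, and uses the thread's placeholder names SERVERDC1/SERVERDC2.

```powershell
# Added example (not from the thread): pre-flight checks before demoting a 2008 R2 DC.
# Run from a host with the ActiveDirectory module; SERVERDC1/SERVERDC2 are placeholders.
Import-Module ActiveDirectory

$OldDc  = 'SERVERDC2'   # DC being retired
$KeepDc = 'SERVERDC1'   # DC that stays up and holds every role during the swap
$domain = Get-ADDomain
$forest = Get-ADForest

# Who holds what right now. The old DC must hold nothing before it is demoted.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Replication has to be clean first: demoting on top of a broken partner is what
# leaves lingering objects and an orphaned NTDS Settings object behind.
$failures = Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain
if ($failures) {
    $failures | Format-Table Server, Partner, FailureCount, FirstFailureTime -AutoSize
    throw 'Replication failures present; fix these before demoting anything.'
}
repadmin /replsummary
dcdiag "/s:$OldDc" /q                    # prints only failed tests
dcdiag "/s:$OldDc" /test:DNS /DnsBasic   # DNS sanity for the DC being retired

# Move only the roles the old DC actually holds, then re-read both DCs to confirm.
$rolesToMove = (Get-ADDomainController -Identity $OldDc).OperationMasterRoles
if ($rolesToMove) {
    Move-ADDirectoryServerOperationMasterRole -Identity $KeepDc `
        -OperationMasterRole $rolesToMove -Confirm:$false
}
Get-ADDomainController -Identity $KeepDc | Select-Object HostName, OperationMasterRoles
Get-ADDomainController -Identity $OldDc  | Select-Object HostName, OperationMasterRoles  # expect none
```

Moving only the roles the retiring DC holds (rather than all five unconditionally) keeps the script safe to re-run, and reading the roles back from both DCs is the check worth keeping in the change record.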

The better path is to demote the existing server and remove it *completely* from AD.  Server promotion shouldn't take a long time.  If you plan it accordingly, you should be able to get by with minimum fuss during some scheduled downtime.  One thing I would definitely recommend is that you ensure that you are currently using DFS-r as opposed to FRS.
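An added example, not from the thread, for the DFS-R versus FRS point in the reply above: it reads the SYSVOL migration state from the built-in dfsrmig tool and cross-checks it against the directory. Run on any DC; it assumes the ActiveDirectory module is installed there.

```powershell
# Added example (not from the thread): confirm SYSVOL is replicated by DFS-R, not FRS,
# before a 2008 R2 DC is retired. Run on any DC with the ActiveDirectory module.
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Global migration state: 0 = Start (FRS), 1 = Prepared, 2 = Redirected,
# 3 = Eliminated (DFS-R only, FRS settings removed). Anything below 3 is work to do first.
dfsrmig /getglobalstate
dfsrmig /getmigrationstate     # whether every DC has actually reached the global state

# Same answer from the directory: an 'Eliminated' domain has the DFS-R
# 'Domain System Volume' replication group and no FRS replica set left for SYSVOL.
$dfsr = Get-ADObject -LDAPFilter '(&(objectClass=msDFSR-ReplicationGroup)(name=Domain System Volume))' `
            -SearchBase "CN=System,$($domain.DistinguishedName)"
$frs  = Get-ADObject -LDAPFilter '(objectClass=nTFRSReplicaSet)' `
            -SearchBase $domain.DistinguishedName
[pscustomobject]@{
    DfsrSysvolGroupPresent = [bool]$dfsr
    FrsReplicaSetsLeft     = @($frs).Count                          # expect 0 after elimination
    SysvolShared           = [bool]((net share) -match '^SYSVOL\s')  # net share works on 2008 R2 too
}

# Per-DC health of the replicated folder from the DFS-R WMI provider (State 4 = Normal).
Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo |
    Where-Object ReplicatedFolderName -eq 'SYSVOL Share' |
    Select-Object ReplicatedFolderName, State, ReplicationGroupName
```

If the global state is below 3, finish the dfsrmig migration (Prepared, Redirected, Eliminated) with the 2008 R2 DCs still in place; a 2016 DC should not be the one left holding an FRS-replicated SYSVOL.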

Distinguished Expert 2018

Removing the DC completely from the domain would be applicable only if you failed to demote it gracefully.
Otherwise you could simply demote it, make sure you run AD replication and ensure that the account is converted to a member server on all DC servers, then reset it from the AD Users and Computers snap-in, join the new 2016 server to the domain with that name and promote it as a DC.
Finally, swap IP addresses.
This is the standard process.
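An added example, not part of the reply above, that scripts its "ensure the account is converted to a member server on all DCs, then reset it" check. It assumes the ActiveDirectory module and domain admin rights, and uses the thread's placeholder name SERVERDC2.

```powershell
# Added example (not from the thread): after the graceful demotion, confirm on every
# remaining DC that SERVERDC2 is now an ordinary member account, then reset it so the
# new 2016 build can join under the same name with its own machine password.
Import-Module ActiveDirectory
$Name   = 'SERVERDC2'
$domain = Get-ADDomain
$cfgNc  = (Get-ADRootDSE).configurationNamingContext

foreach ($dc in Get-ADDomainController -Filter *) {
    $srv  = $dc.HostName
    $acct = Get-ADComputer -Identity $Name -Server $srv -Properties primaryGroupID, userAccountControl

    # primaryGroupID 516 = Domain Controllers, 515 = Domain Computers.
    # userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) marks a DC, 0x1000 a member server.
    $isDcAccount = ($acct.primaryGroupID -eq 516) -or (($acct.userAccountControl -band 0x2000) -ne 0)

    # A leftover NTDS Settings object under Sites means the demotion did not complete
    # and metadata cleanup is still needed before the name is reused.
    $ntds = Get-ADObject -Server $srv -SearchBase "CN=Sites,$cfgNc" -LDAPFilter '(objectClass=nTDSDSA)' |
            Where-Object { $_.DistinguishedName -like "CN=NTDS Settings,CN=$Name,*" }

    # The DC locator records must no longer point at the demoted name.
    $srvRecs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -Server $srv |
               Where-Object { $_.NameTarget -like "$Name.*" }

    [pscustomobject]@{
        CheckedOn        = $srv
        StillDcAccount   = $isDcAccount      # want False
        NtdsSettingsLeft = [bool]$ntds       # want False
        SrvRecordsLeft   = @($srvRecs).Count # want 0
    }
}

# Once every row reads False/False/0 on every DC, reset the account (the same thing as
# 'Reset Account' in the AD Users and Computers snap-in).
dsmod computer (Get-ADComputer -Identity $Name).DistinguishedName -reset
```

Querying each DC by name with -Server is the point: the account can look converted on the DC you happen to be connected to while a partner still holds the pre-demotion copy, and joining the new server against that partner is how duplicate or mismatched objects get created.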
kevinhsieh, Network Engineer

What points to the DCs by name? Generally, the only things I commonly see where keeping the same name is at all important are cases where you are pointing to the DCs for file or print services. Otherwise, just keeping the same IP address is generally sufficient. You can also add a CNAME record for the old DCs after they are retired.

I always keep the same IP address when replacing DCs. The process is actually very simple. Join the new server to the domain and promote as usual. Set up DHCP, DNS, and perform all standard health checks. When you are ready to cut over, take the old DC and give it a new IP address. Then immediately take the new DC and give it the original IP address and reboot it. You are basically done at that point. Follow the normal process for transferring FSMO roles and demoting the old server.

Renaming DCs has given me weird problems and I swear that we will never do it again.
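An added example, not from kevinhsieh's reply, that turns his IP swap into commands. Each function runs on the host named in its comment. The 192.0.2.0/24 addresses, the adapter names 'Local Area Connection' and 'Ethernet', and the domain name are constructed placeholders; the 2008 R2 side uses netsh because that release has no NetTCPIP cmdlets.

```powershell
# Added example (not from the thread): the address swap between the old 2008 R2 DC and
# the new, already promoted 2016 DC. All addresses and adapter names are placeholders.
$Keep    = '192.0.2.10'        # the address every client points at; it stays with the name
$Park    = '192.0.2.250'       # temporary address for the old DC
$Mask    = '255.255.255.0'; $Prefix = 24; $Gw = '192.0.2.1'
$OtherDc = '192.0.2.11'        # SERVERDC1, the DC that stays up
$Domain  = 'corp.example'

function Invoke-OldDcStep {
    # Run on the OLD 2008 R2 DC, from its console (changing the address drops remote sessions).
    $OldIface = 'Local Area Connection'
    netsh interface ipv4 set address $OldIface static $Park $Mask $Gw
    ipconfig /registerdns      # its A and SRV records now carry $Park
}

function Invoke-NewDcStep {
    # Run on the NEW 2016 DC immediately afterwards, also from the console.
    $Iface = 'Ethernet'
    Remove-NetRoute -InterfaceAlias $Iface -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    Get-NetIPAddress -InterfaceAlias $Iface -AddressFamily IPv4 | Remove-NetIPAddress -Confirm:$false
    New-NetIPAddress -InterfaceAlias $Iface -IPAddress $Keep -PrefixLength $Prefix -DefaultGateway $Gw
    # A DC should resolve against a partner first and itself second.
    Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses @($OtherDc, $Keep)
    ipconfig /registerdns
    Restart-Service Netlogon   # re-registers the DC locator (SRV) records with the new address
    Restart-Computer           # the reboot kevinhsieh does at this point
}

function Test-Cutover {
    # Run from any domain member after the reboot: the name, the locator records and the
    # DC locator itself must all agree on the kept address.
    Resolve-DnsName -Name "SERVERDC2.$Domain" -Type A | Select-Object Name, IPAddress
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV | Select-Object NameTarget, Port
    nltest "/dsgetdc:$Domain" /force
}
```

The ordering matters for the reason the reply gives: once the old DC has re-registered on its parking address, any client that cached the old SRV answer keeps working only because the new DC takes the kept address straight away. Check the SRV output for stale entries pointing at the parked address before declaring the cutover done.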

Yes, we are running DFS-R since we raised the FFL/DFL/DCs to 2008 R2 :-)
Jeff Glover, Sr. Systems Administrator
We did this several times and it is not a difficult thing. You have the new 2016 server ready. Hopefully your current two DCs both have DNS installed with AD-integrated zones. If so, here are the steps we followed.
1. Demote the DC you want to replace.
2. After demotion, if you need time to do the next steps, you can add a forwarder to DNS on the demoted server pointing to the other one.
3. Rename the demoted server to name-old.
4. Change the name on the 2016 server to the name of the old DC and add it to the domain as a member server.
5. Add the DNS role to the 2016 server.
6. Change the IP of the old server to something different.
7. Change the IP of the 2016 server to what you want.
8. Add the AD role and promote.

FSMO roles will transfer gracefully when you demote as long as your AD is in good health so you don't have to move them beforehand (but you can if you want)
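An added example, not from Jeff's reply, showing his steps 4, 5 and 8 as run on the new 2016 server (steps 1 to 3 happen on the old box, 6 and 7 are the IP change). The domain name corp.example, the addresses and the adapter name 'Ethernet' are constructed placeholders; it assumes the credential used is in Enterprise and Schema Admins, since promoting the first 2016 DC into a 2008 R2 forest also runs the schema update.

```powershell
# Added example (not from the thread): Jeff's steps 4, 5 and 8 on the new 2016 server.
# Domain name, addresses and adapter name are placeholders.
$DomainName = 'corp.example'
$NewName    = 'SERVERDC2'                 # the name the old DC used to have
$SourceDc   = "SERVERDC1.$DomainName"     # surviving DC to replicate from
$SourceDcIp = '192.0.2.11'
$Iface      = 'Ethernet'
$cred       = Get-Credential "$DomainName\Administrator"

# Step 2 belongs on the demoted 2008 R2 box, which has only dnscmd:
#   dnscmd /resetforwarders 192.0.2.11

# The new box must resolve the domain through a real DC before it can join.
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses $SourceDcIp

# Step 4: rename and join in one go; the reboot is required before anything else.
Add-Computer -DomainName $DomainName -NewName $NewName -Credential $cred -Restart

# ---- after the reboot, logged on as the domain admin ----
# Step 5, plus the AD DS binaries needed for step 8.
Install-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools

# Steps 6 and 7 (the IP change) go here, so the records created at promotion
# already carry the final address.

# Step 8: dry run first, then promote. -InstallDns makes this DC host the
# AD-integrated zones as well; promotion from 2012 onwards runs adprep itself.
Import-Module ADDSDeployment
$dsrm = Read-Host -AsSecureString 'DSRM (safe mode) password'
Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $cred `
    -InstallDns -ReplicationSourceDC $SourceDc -SafeModeAdministratorPassword $dsrm
Install-ADDSDomainController -DomainName $DomainName -Credential $cred `
    -InstallDns -ReplicationSourceDC $SourceDc -SafeModeAdministratorPassword $dsrm -Force

# After its reboot: it advertises, is a GC, and replicates cleanly.
Get-ADDomainController -Identity $NewName | Select-Object HostName, IsGlobalCatalog, Site
repadmin /showrepl $NewName
dcdiag "/s:$NewName" /q
```

Pinning -ReplicationSourceDC to the surviving DC avoids the promotion picking a partner by site topology alone, which matters when the DC whose name is being reused was itself the usual partner minutes earlier.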


Thanks Jeff (and everyone else).
Both DCs have DNS installed, but based on this article:
"There are no behavioral changes from Windows Server 2003-based DNS integration with Active Directory"... but "the following DNS-specific application directory partitions are created during AD DS installation: A forest-wide application directory partition, called ForestDnsZones, Domain-wide application directory partitions for each domain in the forest, named DomainDnsZones".

We are FFL/DFL and DC 2008 R2 and DNS seems healthy (no errors, etc.), but when I look at our DNS (on the main DC) I do not see any of those directories mentioned above (see screenshot of what I see under DNS on our DC), but we did not make any DNS-related changes (except turning on scavenging, which is unrelated) when we raised the FFL/DFL from 2003 to 2008 R2 recently. Or am I not understanding this properly (frequently, with increasing age lol)?
Jeff Glover, Sr. Systems Administrator

Expand Forward Lookup Zones to see the Application Directory Partitions. They hold the SRV records.
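An added example, not from Jeff's reply, that answers the "I do not see those partitions" question from the command line rather than the DNS console. SERVERDC1 and corp.example are placeholders. The Get-ADRootDSE/Get-ADObject and dnscmd lines work against a 2008 R2 DC; the DnsServer cmdlets need a 2012 or later DNS server as their target, so they are shown for the new 2016 DC once it holds the DNS role.

```powershell
# Added example (not from the thread): where ForestDnsZones/DomainDnsZones live and which
# zones each one carries. SERVERDC1, SERVERDC2 and corp.example are placeholders.
Import-Module ActiveDirectory
$Dc     = 'SERVERDC1'
$domain = Get-ADDomain
$cfgNc  = (Get-ADRootDSE -Server $Dc).configurationNamingContext

# 1. The partitions are naming contexts of the directory, whatever the DNS console shows.
(Get-ADRootDSE -Server $Dc).namingContexts | Where-Object { $_ -like 'DC=*DnsZones,*' }

# 2. Which DCs are enlisted in each partition (crossRef objects; DN-valued attributes
#    cannot be wildcard-filtered in LDAP, so filter client-side).
Get-ADObject -Server $Dc -SearchBase "CN=Partitions,$cfgNc" -LDAPFilter '(objectClass=crossRef)' `
    -Properties nCName, 'msDS-NC-Replica-Locations' |
    Where-Object { $_.nCName -like 'DC=*DnsZones,*' } |
    Select-Object nCName, @{ n = 'Replicas'
                             e = { $_.'msDS-NC-Replica-Locations' -replace '^CN=NTDS Settings,CN=([^,]+),.*', '$1' } }

# 3. The DNS server's own view on 2008 R2: partitions, and the zones stored in each.
dnscmd $Dc /enumdirectorypartitions
dnscmd $Dc /enumzones /ForestDirectoryPartition
dnscmd $Dc /enumzones /DomainDirectoryPartition
dnscmd $Dc /zoneinfo "_msdcs.$($domain.DNSRoot)"   # DirectoryPartition line shows where _msdcs lives

# 4. Same thing from a 2012+ DNS server (the 2016 DC after it gets the role).
#    ReplicationScope: Forest = ForestDnsZones, Domain = DomainDnsZones,
#    Legacy = stored in the domain partition the 2003 way (replicates to every DC, DNS or not).
Get-DnsServerZone -ComputerName 'SERVERDC2' | Where-Object IsDsIntegrated |
    Format-Table ZoneName, ReplicationScope, DirectoryPartitionName -AutoSize

# 5. The SRV records Jeff refers to, normally held in _msdcs under ForestDnsZones.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -Server $Dc |
    Select-Object NameTarget, Priority, Weight, Port
```

The reason to look at step 2 before retiring a DC: a DC that is the only replica listed for a DnsZones partition is the only copy of those zones, and demoting it without enlisting the new one first is how SRV records disappear with it.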


Thanks... found this.
Checked again and note that it says we are running it... see screenshot DCDNS2.jpg.

And yes, I see the Application Directory Partitions mentioned that hold the SRV records. DOH! LOL!
Shaun Vermaak, Technical Specialist (Awarded 2017, Distinguished Expert 2018)

Assuming that you have to give it a new name and IP, and that it is really a requirement to keep the old name/IP available, you can double-bind the old IP and add the old hostname to the server as a secondary name via NETDOM COMPUTERNAME.
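An added example, not from Shaun's reply, of the double-bind plus alternate computer name he describes, run on the new 2016 DC. SERVERDC2-NEW, SERVERDC2, corp.example and 192.0.2.10 are constructed placeholders, and 'Ethernet' is the assumed adapter name; it assumes the DnsServer module is available where the A record is added.

```powershell
# Added example (not from the thread): keep the old name and address reachable on a DC
# that was promoted under a new name. Names, address and adapter are placeholders.
$Dom     = 'corp.example'
$Primary = "SERVERDC2-NEW.$Dom"      # the DC's real name
$Alt     = "SERVERDC2.$Dom"          # old name that appliances and LDAP clients still use
$OldIp   = '192.0.2.10'              # old DC's address, bound as a second address

# Second address on the same adapter (no gateway: the primary address already has one).
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress $OldIp -PrefixLength 24

# Register the old name as an alternate computer name. netdom writes it to
# msDS-AdditionalDnsHostName and adds HOST/ SPNs, so Kerberos works under either name.
netdom computername $Primary "/add:$Alt"
netdom computername $Primary /enumerate
netdom computername $Primary /verify     # checks DNS and SPNs for every registered name

# If dynamic update did not create it, add the A record for the old name by hand.
if (-not (Resolve-DnsName $Alt -Type A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $Dom -Name 'SERVERDC2' -IPv4Address $OldIp
}

# What a client sees: the old name resolves, and the DC object carries SPNs for it.
Resolve-DnsName $Alt -Type A | Select-Object Name, IPAddress
Get-ADComputer -Identity 'SERVERDC2-NEW' -Properties 'msDS-AdditionalDnsHostName', servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName | Where-Object { $_ -like "*$Alt*" }
```

Two things to check before relying on this: the DC locator (SRV) records will still advertise the primary name only, which is fine for domain members but means anything hard-coded to the old name is really talking to it as an LDAP/SMB endpoint, not as "the DC"; and any LDAPS client validating the certificate needs the old name in the certificate's subject alternative names, or its binds will fail even though DNS and Kerberos are happy.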


Thank you everyone, appreciate it.
