
I have just purchased a new server that will be the new primary domain controller. I was wondering if anyone knew any articles or tutorials on how to do this change over? I would imagine it is just simply setting up the role and importing a backup of the Active Directory from the old domain controller. I just want to make sure I'm not missing any crucial tasks in between.

MDMarra
poconnor
  • I am certain this is already covered by existing questions, but I'm not finding a good one to mark as duplicate. – Zoredache Dec 09 '11 at 19:45
  • There is no such thing as a "Primary Domain Controller" any more. That went away with NT4. – MDMarra Dec 09 '11 at 19:48
  • @MarkM - Yes, but the PDC Emulator FSMO role is still relatively important and likely still held by the first DC created. – SpacemanSpiff Dec 09 '11 at 19:50
  • @SpacemanSpiff I agree. That doesn't change the fact that people still say PDC and BDC like they're real things. A DC holding the PDC Emulator role is entirely different than what an NT4 PDC was. – MDMarra Dec 09 '11 at 19:51
  • @MarkM: That doesn't change the fact that you can't demote a DC with the PDC emulator role. And if it goes down, you'll end up having to seize the role. – surfasb Dec 09 '11 at 20:09
  • @surfasb I wasn't implying any of that. The same is true of the other roles as well, not just PDC Emulator. My point is that the notion of a Primary Domain Controller is as antiquated as classful networking. It's a history lesson. – MDMarra Dec 09 '11 at 20:10
  • @MarkM Hey! Lay off classful networking! Plenty of IP stacks still set a default subnet mask for you based on that! :-) – voretaq7 Dec 09 '11 at 20:21
  • @surfasb newer versions of dcpromo will move the FSMO roles automatically off the server you're demoting. Older versions would just error out complaining of the fact. – Chris S Dec 09 '11 at 20:21
  • I think that this might be getting a bit off-track and chatty. @surfasb If you feel like discussing the merits of using PDC and PDC Emulator interchangeably, feel free to join [chat]. Most of the others that have commented on this are regulars. – MDMarra Dec 09 '11 at 20:25

3 Answers

  • Add new computer to domain
  • Promote system to a domain controller (dcpromo)
  • Transfer FSMO roles
  • Verify/Make the new system a Global Catalog.
  • Wait some time for replication to take place. Run dcdiag/repadmin and so on to make sure everything transferred
  • Demote old system (dcpromo)
  • Double check DNS zones & AD to make sure old system was removed.

Migrate any other data or services as needed.

Of course you could leave the old system up so you have another spare DC.

Zoredache
  • What about having multiple global catalogs? – Tim Brigham Dec 09 '11 at 19:53
  • @timbrigham, sorry, I am not sure I understand what you are asking. – Zoredache Dec 09 '11 at 19:56
  • GC is an option during DCPromo, you don't have to do it separately. – Chris S Dec 09 '11 at 20:04
  • Microsoft frowns on having multiple GCs in the same network. I've seen some replication conflicts occur because of doing such. You can in a fairly small environment with few concerns... but in larger environments... that can be a big headache. – TheCompWiz Dec 09 '11 at 20:06
  • @TheCompWiz - Are you referring to multiple GCs in the same AD site? – smassey Dec 09 '11 at 20:11
  • @TheCompWiz: I believe that's only the case in a multiple domain forest but isn't applicable in a single domain forest. I believe that the MS best practice for a single domain forest is for all DCs to also be GCs. – joeqwerty Dec 09 '11 at 20:12
  • @TheCompWiz, http://technet.microsoft.com/en-us/library/cc732877(WS.10).aspx - `In a single-domain forest, configure all domain controllers as global catalog servers. Because every domain controller stores the only domain directory partition in the forest, configuring each domain controller as a global catalog server does not require any additional disk space usage, CPU usage, or replication traffic`. – Zoredache Dec 09 '11 at 20:13
  • @CompWiz - pretty certain that you're wrong. The scenario you don't want is with multiple domains in a forest: the Infrastructure Master in each domain should not be a GC. – mfinni Dec 09 '11 at 20:23
  • @TheCompWiz Like everyone else has mentioned, you're wrong. The Infrastructure Master role is only useful when you have multiple domains in the same forest. In a single domain situation, IM does nothing, so there is no benefit to putting it on a server that doesn't hold a GC. – MDMarra Dec 09 '11 at 20:28
  • @all. I stand 100% corrected... severely... and repeatedly. I honestly remember reading a technet article a while ago (5+ years ago maybe?) that cautioned against having multiple GCs in the same subnet/domain... but thanks for the correction. – TheCompWiz Dec 09 '11 at 21:24
  • @TheCompWiz: No harm, no foul. I certainly appreciate your input (I'm sure everyone else does as well). – joeqwerty Dec 09 '11 at 21:27
  • Agree, GCs on all DCs - which happens by default when you do DCPROMO, by the way - and if all the DCs are GCs, the Infrastructure Master role can be anywhere. Also, to be honest, if you don't understand that AD is a multi-master system, and that "restoring the database from backup" to deploy a new DC does not apply, doing the MCSA training or equivalent for Windows Server/AD is highly recommended. – LeeM Mar 29 '19 at 00:10
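The checklist in Zoredache's answer above (promote, transfer FSMO roles, confirm GC, verify replication, demote, clean up DNS), scripted as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory and DnsServer modules and the placeholder host names `NEWDC01` / `OLDDC01`; run it from an account with Domain Admins rights after dcpromo has finished on the new server.

```powershell
# Added example (not from the Server Fault answer): post-promotion checks for a replacement DC.
Import-Module ActiveDirectory
Import-Module DnsServer
$NewDC = 'NEWDC01'   # placeholder: the freshly promoted DC
$OldDC = 'OLDDC01'   # placeholder: the DC being retired

# 1. Transfer (not seize) all five FSMO roles to the new DC. The old holder must still be
#    online; -Force would seize the roles and is only for a holder that is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# 2. Confirm every role now reports the new DC as its holder.
$domain  = Get-ADDomain
$forest  = Get-ADForest
$holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
             $forest.SchemaMaster, $forest.DomainNamingMaster)
$holders
$stray = $holders | Where-Object { $_ -notlike "$NewDC.*" }
if ($stray) { Write-Warning "FSMO roles still held elsewhere: $($stray -join ', ')" }

# 3. Make sure the new DC is a global catalog (single-domain forest: every DC should be one).
#    Bit 1 of the "options" attribute on the NTDS Settings object is the GC flag.
$dc = Get-ADDomainController -Identity $NewDC
if (-not $dc.IsGlobalCatalog) {
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
}

# 4. Replication health before the old DC is demoted; anything non-zero in the fail
#    columns of replsummary means wait (or fix) rather than demote.
repadmin /replsummary
dcdiag /s:$NewDC /test:Replications /test:Advertising /test:FsmoCheck /test:KnowsOfRoleHolders

# 5. After demoting the old DC: it must be gone from the DC list, and no NS or SRV
#    records in the domain zone may still point at it.
Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog, OperationMasterRoles
$zone = $domain.DNSRoot
$staleNs  = Get-DnsServerResourceRecord -ComputerName $NewDC -ZoneName $zone -RRType Ns |
            Where-Object { $_.RecordData.NameServer -like "$OldDC.*" }
$staleSrv = Get-DnsServerResourceRecord -ComputerName $NewDC -ZoneName $zone -RRType Srv |
            Where-Object { $_.RecordData.DomainName -like "$OldDC.*" }
if ($staleNs -or $staleSrv) {
    Write-Warning "Stale DNS records still reference $OldDC :"
    $staleNs + $staleSrv | Select-Object HostName, RecordType, @{n='Target';e={ $_.RecordData.NameServer + $_.RecordData.DomainName }}
}
```

Step 5 is meant to run only once the old DC has actually been demoted; before that, its NS and SRV records are legitimate.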

In addition to what Zoredache stated in his answer, make sure to update all of the domain clients to use the new DC for DNS.

On a side note, if the original DC you're replacing is the only DC in the domain, then running DCPROMO on the original DC will transfer the FSMO roles to the new DC without the need to manually transfer them. If it's not the only DC in the domain, then DCPROMO will transfer the FSMO roles to another DC, I'm just not sure how it selects the DC to assume the roles.

joeqwerty
  • To be sure... I'd still suggest moving the FSMO + GC roles manually and verifying they've been completed rather than relying on dcpromo to transfer the roles. dcpromo silently fails quite often and does a very poor job of documenting those failures. – TheCompWiz Dec 09 '11 at 20:08
  • @TheCompWiz Could you elaborate on a time when you had dcpromo silently fail? I've never once had it leave AD in any obscure state. I've had plenty of times where it refuses to actually do anything because something I fed it was garbage... – Chris S Dec 09 '11 at 20:19
  • @ChrisS I would... but this is neither the time/place to do such. – TheCompWiz Dec 09 '11 at 21:18

Something that I didn't see anyone else mention is time services. Your PDC is presumably the primary time keeper for the domain...that role/config should be redone on the new PDC.

grep65535
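The time-service hand-over described in grep65535's answer, as an added example that is not part of the original answer: the DC that now holds the PDC Emulator role becomes the authoritative time source, and the old one drops back into the domain hierarchy. The host names and the NTP peer list are placeholders; it assumes PowerShell remoting to both DCs.

```powershell
# Added example (not from the answer): move the domain's reliable time source to the new PDCe.
Import-Module ActiveDirectory
$NewPDC   = 'NEWDC01'                                     # placeholder: new PDC Emulator
$OldPDC   = 'OLDDC01'                                     # placeholder: former PDC Emulator
$NtpPeers = 'ntp1.example.com,0x8 ntp2.example.com,0x8'   # placeholder peers; 0x8 = client mode

# Guard: only reconfigure w32tm once AD agrees the PDCe role really has moved.
$pdce = (Get-ADDomain).PDCEmulator
if ($pdce -notlike "$NewPDC.*") { throw "PDC Emulator is still $pdce, not $NewPDC; transfer the role first" }

# New PDCe: sync from the external peers and advertise itself as a reliable source.
Invoke-Command -ComputerName $NewPDC -ArgumentList $NtpPeers -ScriptBlock {
    param($peers)
    w32tm /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

# Old DC (if it stays on as a spare): follow the domain hierarchy again, no longer "reliable",
# otherwise clients may keep treating it as a time authority.
Invoke-Command -ComputerName $OldPDC -ScriptBlock {
    w32tm /config /syncfromflags:domhier /reliable:no /update
    Restart-Service w32time
    w32tm /resync /rediscover
}

# Verify: only the new PDCe should list the external peers as its source; every other DC
# should report a domain controller (ultimately the PDCe) as its source.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    "{0} -> {1}" -f $dc, (w32tm /query /computer:$dc /source)
}
```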