
Thread: Updating/replacing Primary Domain Controller

  1. #1
    Join Date
    Mar 2009
    Kent, England

    Updating/replacing Primary Domain Controller

    OK, first and foremost I'm not a networking/hardware specialist, so please be patient :-) Here's my current worry...

    For the past four years I've been running a small network with one Windows 2003 Server (with Active Directory, DNS and DHCP services - I'm guessing this is the Primary Domain Controller...) and between three and four attached workstations (Windows XP and Windows Vista) and a couple of network printers. I guess you could call the installation basic, but it does what we want it to do - we're a small web development company so the server provides general data storage and also IIS so we can give our customers external access to 'work in progress' web sites through the development. The server also runs SQL 2000 and SQL 2005.

    The time has come to upgrade the physical server (it's 5 years old and relatively low spec. hardware wise) and whilst we're at it would like to update the OS to Windows Server 2008 64-bit edition - seems to make sense, but correct me if you disagree.

    My initial thoughts were to build the new server, turn the old server off, attach the new server and then attach the workstations to the new server/domain. Whilst I guess this would work, I do know enough to know it's a bit messy and there's probably a better way to do it.

    From searching around (particularly in this forum) I believe you can add a second server to the network, and somehow get it to mirror the services on the original server (the Primary Domain Controller), but I have only a vague idea of how to do this and the one thing I want to avoid is killing the existing functional network - we need to be able to work!

    Can anyone point me in the right direction - a step by step guide would be a help as, as I say, I'm no network specialist (as you probably have gathered!).

    Thanks - sorry for the tome!

  2. #2
    Isaac Oben -MCSE, MCITP Guest

    Re: Updating/replacing Primary Domain Controller

    Hello Neilski,

    Here are my suggestions:

    1- Build your new Windows Server 2008, configure the RAID, hard drive etc,
    to your needs (Do not add to domain yet) and give it a fixed IP address.
    2- Make sure you have a current and valid backup for your data, just in case
    something goes wrong.
    3 -Make sure your current Active Directory Environment is healthy and
    functioning right by running a dcdiag /q at the command prompt, look for any
    3- Prepare your current environment for W2K8. On your current Windows Server
    2003 Domain controller, logon with an account that is a member of the schema
    Admin, insert the W2K8 disk and run adprep /forestprep and adprep
    /domainprep. This will upgrade your schema to w2k8 version 44.
    4- Add the new w2k8 machine as a member server to your domain
    5- Make the W2K8 a domain controller in your existing domain by running
    dcpromo and follow the prompts, Also recommended to install DNS at this
    stage if prompted to do so, if not then install DNS immediately after DC promo
    is complete. After w2k8 has been promoted as a domain controller, wait for
    replication to complete, do a dcdiag /q and look for any errors. At this
    time, make W2K8 DC to point to itself for DNS
    6- Transfer FSMO Roles to W2K8. If no errors, then move all the FSMO roles
    from the W2K3 domain controller to the new W2K8 domain controller.
    Instructions to do this can be found here:
    7- Migrate your DHCP from W2K3 to W2K8.
    8-Migrate IIS from W2K3 to W2K8 and move web data.
    9- Personally, if your old w2k3 server is still functional, I will leave
    the SQL 2000 and 2005 on it. If not then migrate to new w2k8
    10- At this time, proceed to demote old w2k3 as a domain controller. ( I
    will prefer you do this after about 2 weeks, just to make sure that
    everything is working as planned.)

  3. #3
    Join Date
    Mar 2009
    Kent, England
    Isaac, thank you for taking the time to post such a helpful guide - much appreciated.

    I'll post back to let you know how I get on.

    Thank you for this. I have installed the Support Tools as suggested and run the diagnostic utilities as suggested with the results being clear.

    I have one question, you say "...check that you are running Active Directory Integrated Zone...". I'm afraid I'm not quite sure how to do this. I've opened the DNS Management Console, but that's about as far as I got - sorry. I guess the next likely question is if I'm not, how do I configure it?

    Thanks again.

  4. #4
    Meinolf Weber [MVP-DS] Guest

    Re: Updating/replacing Primary Domain Controller

    Hello Neilski,


    - On the old server open DNS management console and check that you are running
    Active directory integrated zone (easier for replication, if you have more
    than one DNS server)

    - run replmon from the run line or repadmin /showrepl, dcdiag and netdiag
    from the command prompt on the old machine to check for errors, if you have
    some post the complete output from the command here or solve them first.
    For these tools you have to install the support\tools\suptools.msi from the
    2003 installation disk.

    - run adprep /forestprep and adprep /domainprep and adprep /rodcprep from
    the 2008 installation disk against the 2003 schema master, with an account
    that is member of the Schema admins, to upgrade the schema to the new version
    (44), you can check the version with "schupgr" in a command prompt.

    - Install the new machine as a member server in your existing domain

    - configure a fixed ip and set the preferred DNS server to the old DNS server

    - run dcpromo and follow the wizard to add the 2008 server to an existing
    domain, make it also Global catalog.

    - if you are prompted for DNS configuration choose Yes. If not, install DNS
    role after promotion.

    - for DNS give the server time for replication, at least 15 minutes. Because
    you use Active directory integrated zones it will automatically replicate
    the zones to the new server. Open DNS management console to check that they

    - if the new machine is domain controller and DNS server run again replmon,
    dcdiag and netdiag (copy the netdiag from the 2003 to 2008, will work) on
    both domain controllers

    - Transfer, NOT seize the 5 FSMO roles to the new Domain controller (
    applies also for 2008)

    - you can see in the event viewer (Directory service) that the roles are
    transferred, also give it some time

    - reconfigure the DNS configuration on your NIC of the 2008 server, preferred
    DNS itself, secondary the old one

    - if you use DHCP do not forget to reconfigure the scope settings to point
    to the new installed DNS server

    - export and import of DHCP database for 2008 choose "netshell dhcp backup"
    and "netshell dhcp restore" command (

    - for printer migration see here:;938923and

    - for moving IIS see here:

    - for the SQL part, maybe post to SQL newsgroups, also see here:

  5. #5
    Join Date
    Mar 2009
    Kent, England

    Re: Updating/replacing Primary Domain Controller

    And it was all going so well! Windows Server 2008 - 64 bit running nicely, but I have run into a couple problems.

    To be fair, I've been a complete idiot, I should have checked compatibility much more closely. I still need to be able to run Windows SQL 2000 and 1.1 on this server, and of course, it won't, at least not easily, if at all. The stupid thing is that it never occurred to me to check, I just thought that it would, well, work.

    I think I now have three options:

    1) Install Windows Server 2003 32-bit on the new hardware (same as the old server).

    2) Buy a second, lower-spec server and run Windows Server 2003 32-bit on that.

    3) Install VMWare ESXi and run two guest servers - this sounds good (but what do I know), but am concerned how possible/practical this is with my networking experience.

    I could do with some pointers if possible.


  6. #6
    Isaac Oben [MCITP,MCSE] Guest

    Re: Updating/replacing Primary Domain Controller

    Hello Neilski,
    We all sometimes get caught in the compatibility issues, so don't blame
    yourself too bad on that. Before you start thinking of additional hardware,
    here are some other options.

    I know you can run ASP 1.1 on w2k8 but SQL2000 is a no no. So how about you
    still run your web using asp 1.1 on w2k8 and leave the sql2000 on your
    existing hardware (I am not sure about the condition of the old w2k3, but if
    you migrate everything but the sql2000 that may reduce the workload on that
    server for it to be able to handle just sql2000 stuff).

    Option 2: If you have enough hard disk space and memory on your new w2k8,
    you can use virtualization with Hyper-V (new feature in w2k8) and install
    w2k3 and sql2000 on it. That way you don't have to buy any new hardware. You
    can read more on Virtualization here:

  7. #7
    kj [SBS MVP] Guest

    Re: Updating/replacing Primary Domain Controller

    4) Install the already included Hyper-V role on your (hopefully)
    Hyper-V capable server and install a Virtual Machine running Server 2003 with
    the SQL and

    You didn't mention, but if you had bought the Enterprise version of Server
    2008, you get up to four full licensed versions of Server 2008 to run in

  8. #8
    Join Date
    Mar 2009
    Kent, England

    Re: Updating/replacing Primary Domain Controller

    Thanks Guys,

    I had not heard of Hyper-V so will investigate - presumably it's another package I need to buy. I had been looking at VMWare ESXi, but I like the idea of keeping the same family of products. I only have the Standard Edition Windows Server 2008.

    I don't think keeping the old machine in service is practical. I think it has a 'mechanical' problem on the Motherboard, as it can be fine for weeks and then suffers a complete hard disk read/write failure (as a result I have become quite good at restore and rebuild!).

    The new machine is an HP ML350 G5 (quad-core Xeon with 10GB of RAM) and 4 x 250GB SATA drives running as a logical pair in RAID 1+0 configuration.

    Thanks again.


  9. #9
    kj [SBS MVP] Guest
    It's Included, you just need the hardware capable of running it and acquire
    the knowledge and skills to use it.

    I run several hyper-v VM instances in my dev & demo server with a lot less
    horsepower than yours.

    Fast disks, lots-o-ram, and extra NICs should easily accommodate an extra
    server or two for your ML350

    I think your new machine has enough RAM and disk space to handle
    virtualization. I think your current license of w2k8 comes with hyper-v
    included, not sure but you can verify with microsoft. If that is the case
    you may not have to buy anything else

  10. #10
    kj [SBS MVP] Guest

    Re: Updating/replacing Primary Domain Controller

    Server 2008 *Standard* Edition does come with 1+1 licensing. But the first
    "one" must be for virtualization services and managing the virtual machines
    only. The second "one" is a license for installing a full function instance
    of Server 2008 in a Virtual Machine.

    With the first instance already running AD and other roles *not* just
    limited for Hyper-V services and VM management, he'd still need another
    license for his 2003 SQL and IIS VM instance. If the original licensing
    allows, he could move it from physical to virtual though.

  11. #11
    oz.Casey Dedeal Guest

    Re: Updating/replacing Primary Domain Controller

    In a nutshell, use the steps below as guidelines

    Step 1
    Purchase new HW and OS license windows 2008
    configure RAID per your requirements
    Install the OS on the new HW and name the server as you wish , Assign static
    IP to the new server
    Add server to existing domain ( now you have member server)
    reboot log into domain ( not to local Server) with correct privileges
    click run, type DCpromo and start promoting this server to be the second
    domain controller, finish the DCPromo process and reboot
    make sure this is DC/GC/DNS ( use AD integrated DNS) and configure the
    server TCP/IP correctly. DG/DNS servers to be the
    Start transferring all roles from DC one to new 08DC, this includes, DHCP,
    WINS, and other services running on top of the first DC
    I don't like the idea installing anything on the DC such as SQL to be honest
    if budget is allowing you use member server for SQL and leave DC alone by
    itself, if not
    go for it )-:

    Step 2
    After moving all the services from old DC to new DC you will be ready to run
    DCpromo on the old server to "un-install" active directory.
    Make sure you change the DHCP scope options, reflecting with new DC IP
    address and DNS WINS etc.

    Move all the FSMO roles, it is very easy and being done from GUI
    when you are done first thing you need to do is shut down old DC to make
    sure nothing is complaining, broke etc.
    Turn the DC back and allow the replication to catch up
    Run DCPromo uninstall the AD from old server, delete the server object for
    the old server from site and services.
    reboot the old DC , now it is member server disjoin from domain and do
    whatever you want with it.
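
The posts above all end by demoting the old DC once the five FSMO roles have moved. The check below is an added example, not part of any poster's reply: it reads the text output of `netdom query fsmo` and lists every reason the old DC should not be demoted yet. The sample output is constructed, the "role, two or more spaces, holder" layout is an assumption, and the host names are the thread's own (primus as the old DC, zeus as the new one).

```python
import re

# Constructed sample (not from the thread): `netdom query fsmo` run part-way
# through the migration. Host names reuse the thread's old DC (primus) and
# new DC (zeus) in abl.local; the "role  holder" column layout is assumed.
SAMPLE_MID_TRANSFER = """\
Schema master               zeus.abl.local
Domain naming master        zeus.abl.local
PDC                         ZEUS.abl.local
RID pool manager            primus.abl.local
Infrastructure master       primus.abl.local
The command completed successfully.
"""

# A role line is "<label><2+ spaces><holder>"; the status line has no such gap.
ROLE_LINE = re.compile(r"^(\S.*?)\s{2,}(\S+)$")


def parse_fsmo(output):
    """Return {role label: holder} for every 'label   host' line."""
    roles = {}
    for line in output.splitlines():
        m = ROLE_LINE.match(line.strip())
        if m:
            roles[m.group(1)] = m.group(2)
    return roles


def same_host(a, b):
    """Compare host names case-insensitively; a short name matches its FQDN."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    if "." in a and "." in b:
        return a == b
    return a.split(".")[0] == b.split(".")[0]


def demotion_blockers(output, old_dc, new_dc):
    """List the reasons the old DC must not be demoted yet (empty list = go)."""
    roles = parse_fsmo(output)
    blockers = []
    if len(roles) != 5:
        # Truncated or failed command output must never read as "all clear".
        blockers.append(f"expected 5 FSMO roles, parsed {len(roles)}")
    for role, holder in roles.items():
        if same_host(holder, old_dc):
            blockers.append(f"{role} still held by {holder}")
        elif not same_host(holder, new_dc):
            blockers.append(f"{role} held by unexpected host {holder}")
    return blockers


if __name__ == "__main__":
    for reason in demotion_blockers(SAMPLE_MID_TRANSFER, "primus", "zeus.abl.local"):
        print("BLOCK:", reason)
```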

  12. #12
    Join Date
    Mar 2009
    Kent, England

    Re: Updating/replacing Primary Domain Controller

    At last I have my Windows Server 2008 64 bit operating system running as a Domain Controller on my network. It is actually installed as a virtual machine on my server running VMWare ESXi.

    By following all of your helpful advice and suggestions, the process was fairly painless. This morning I ran DCPROMO on the new 2008 server and all seemed to go well, but I did notice a message that said something about not having an 'authoritative DNS'. The process completed and I assumed that since I only had one previous DNS server (running on the old 2003 server) it must be ok - wrongly I suspect!

    After the DCPROMO completed, I opened the DNS manager and noted that the domains appear to have replicated from the w2k3 server. I then ran DCDIAG and DCDIAG /q as suggested in your comments, and I appear to have some problems. I am hoping that someone might steer me in the right direction. The logs are listed below.

    Thank you.

    DCDIAG /q
    Warning: DsGetDcName returned information for \\primus.abl.local, when

    we were trying to reach ZEUS.


    ......................... ZEUS failed test Advertising


    Replicating Directory Changes In Filtered Set
    access rights for the naming context:


    Replicating Directory Changes In Filtered Set
    access rights for the naming context:

    ......................... ZEUS failed test NCSecDesc

    Unable to connect to the NETLOGON share! (\\ZEUS\netlogon)

    [ZEUS] An net use or LsaPolicy operation failed with error 67,

    Win32 Error 67.

    ......................... ZEUS failed test NetLogons


    Directory Server Diagnosis

    Performing initial setup:

    Trying to find home server...

    Home Server = Zeus

    * Identified AD Forest.
    Done gathering initial info.

    Doing initial required tests

    Testing server: Default-First-Site\ZEUS

    Starting test: Connectivity

    ......................... ZEUS passed test Connectivity

    Doing primary tests

    Testing server: Default-First-Site\ZEUS

    Starting test: Advertising

    Warning: DsGetDcName returned information for \\primus.abl.local, when

    we were trying to reach ZEUS.


    ......................... ZEUS failed test Advertising

    Starting test: FrsEvent

    There are warning or error events within the last 24 hours after the

    SYSVOL has been shared. Failing SYSVOL replication problems may cause

    Group Policy problems.
    ......................... ZEUS passed test FrsEvent

    Starting test: DFSREvent

    ......................... ZEUS passed test DFSREvent

    Starting test: SysVolCheck

    ......................... ZEUS passed test SysVolCheck

    Starting test: KccEvent

    ......................... ZEUS passed test KccEvent

    Starting test: KnowsOfRoleHolders

    ......................... ZEUS passed test KnowsOfRoleHolders

    Starting test: MachineAccount

    ......................... ZEUS passed test MachineAccount

    Starting test: NCSecDesc


    Replicating Directory Changes In Filtered Set
    access rights for the naming context:


    Replicating Directory Changes In Filtered Set
    access rights for the naming context:

    ......................... ZEUS failed test NCSecDesc

    Starting test: NetLogons

    Unable to connect to the NETLOGON share! (\\ZEUS\netlogon)

    [ZEUS] An net use or LsaPolicy operation failed with error 67,

    Win32 Error 67.

    ......................... ZEUS failed test NetLogons

    Starting test: ObjectsReplicated

    ......................... ZEUS passed test ObjectsReplicated

    Starting test: Replications

    ......................... ZEUS passed test Replications

    Starting test: RidManager

    ......................... ZEUS passed test RidManager

    Starting test: Services

    ......................... ZEUS passed test Services

    Starting test: SystemLog

    ......................... ZEUS passed test SystemLog

    Starting test: VerifyReferences

    ......................... ZEUS passed test VerifyReferences

    Running partition tests on : ForestDnsZones

    Starting test: CheckSDRefDom

    ......................... ForestDnsZones passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... ForestDnsZones passed test


    Running partition tests on : DomainDnsZones

    Starting test: CheckSDRefDom

    ......................... DomainDnsZones passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... DomainDnsZones passed test


    Running partition tests on : Schema

    Starting test: CheckSDRefDom

    ......................... Schema passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... Schema passed test CrossRefValidation

    Running partition tests on : Configuration

    Starting test: CheckSDRefDom

    ......................... Configuration passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... Configuration passed test CrossRefValidation

    Running partition tests on : abl

    Starting test: CheckSDRefDom

    ......................... abl passed test CheckSDRefDom

    Starting test: CrossRefValidation

    ......................... abl passed test CrossRefValidation

    Running enterprise tests on : abl.local

    Starting test: LocatorCheck

    ......................... abl.local passed test LocatorCheck

    Starting test: Intersite

    ......................... abl.local passed test Intersite

    *** End ***
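
The dcdiag output in the post above can be reduced to its failures mechanically. This parser is an added example, not part of the original post: it handles both the verbose and the `/q` form shown there, keeps the detail lines printed before each verdict, and recovers a test name that is missing from the verdict line (as on the "ForestDnsZones passed test" line) from the preceding "Starting test:" header. The sample is an excerpt of the posted output with blank lines removed.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the dcdiag output posted above (blank lines removed).
SAMPLE = r"""Testing server: Default-First-Site\ZEUS
Starting test: Advertising
Warning: DsGetDcName returned information for \\primus.abl.local, when
we were trying to reach ZEUS.
......................... ZEUS failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... ZEUS passed test FrsEvent
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\ZEUS\netlogon)
[ZEUS] An net use or LsaPolicy operation failed with error 67,
Win32 Error 67.
......................... ZEUS failed test NetLogons
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
"""

START = re.compile(r"^Starting test:\s*(\S+)")
RESULT = re.compile(r"^\.{5,}\s*(\S+)\s+(passed|failed)\s+test\b\s*(\S*)")


@dataclass
class DcdiagResult:
    target: str   # server, partition or forest the test ran against
    name: str
    passed: bool
    messages: list = field(default_factory=list)


def parse_dcdiag(text):
    """Parse verbose or /q dcdiag output into one DcdiagResult per verdict line."""
    results, current, messages = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = START.match(line)
        if m:  # verbose mode: a new test begins, drop section headers seen so far
            current, messages = m.group(1), []
            continue
        m = RESULT.match(line)
        if m:
            target, verdict, name = m.groups()
            # Name absent from the verdict line: fall back to the header's name.
            name = name or current or "unknown"
            results.append(DcdiagResult(target, name, verdict == "passed", messages))
            current, messages = None, []
        else:
            messages.append(line)  # detail text belongs to the next verdict
    return results


def summarize(text):
    """Return (failed, warned) as {test name: messages}; 'warned' holds tests
    that passed but still printed detail, such as FrsEvent's SYSVOL warning."""
    results = parse_dcdiag(text)
    failed = {r.name: r.messages for r in results if not r.passed}
    warned = {r.name: r.messages for r in results if r.passed and r.messages}
    return failed, warned
```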

  13. #13
    Meinolf Weber [MVP-DS] Guest

    Re: Updating/replacing Primary Domain Controller

    Hello Neilski,

    The complete error message would be fine. Additionally, post an unedited ipconfig
    /all from the new DC and the old one. And please post an unedited dcdiag,
    netdiag and repadmin /showrepl from both DC's.

    Best regards

  14. #14
    Join Date
    Mar 2009
    Kent, England

    Re: Updating/replacing Primary Domain Controller

    I've attached two zip files with the requested log files from each machine: - contains the log files from the original Windows 2003 Server (32-bit) - contains log files from the new, virtual Windows 2008 Server (64-bit)

  15. #15
    Meinolf Weber [MVP-DS] Guest

    Re: Updating/replacing Primary Domain Controller

    Hello Neilski,

    As you can see in the error from netdiag and dcdiag your new DC is not working
    properly in the domain. It has connectivity problems with "primus".

    Can you ping the existing DC/DNS with ip address, computer name and FQDN?

    Before promoting it, did you add the 2008 as member to the domain?

    Did you only use the existing DC/DNS as the preferred DNS on the NIC during

    Is the server listed correct in the DNS zones? When running ipconfig /registerdns
    does it succeed, or do you get any kind of error message?

    Are the sysvol and netlogon shares existing and can you access them, content
    should be the same as on the existing DC?

    Best regards
