How to Transfer a Windows Domain Controller to New Hardware (DC FORKLIFT)

Howto

I wrote this whitepaper up for use at work and thought the community at large could benefit from it. It’s all kind of dated information now with Server 2008 coming into the mainstream but I figure it can’t hurt to have it out there.
Click here for the document in Microsoft Word format: dcforklift-updated.doc

Update December 11, 2010: See the updated version to transfer your domain controller to Server 2008 R2 x64 from Server 2003.

How to Transfer a Windows 2000 or 2003 Domain Controller to New Hardware

This document details the procedure for replacing an original domain controller running Windows 2000 Server or higher (referred to in this document as SOURCE) with another server running Windows 2000 Server or higher (referred to in this document as DESTINATION). During this procedure you will need a third server for temporary use (referred to in this document as TRANSITIONAL) – normally, this server is introduced in the form of a virtual machine, but a physical machine is also acceptable.

NOTE: if you experience replication problems, you can track replication progress using REPLMON.

NOTE: this document assumes that all forest operations will be performed by a member of the Schema Admins group, all domain operations will be performed by a member of the Enterprise Admins group, and that all local operations will be performed by a member of the Administrators group local to the targets in question.

Pre-migration Tasks

  • Create a standalone server running the same OS version as the replacement server. This server will be TRANSITIONAL.

  • On SOURCE and DESTINATION servers, install the Windows Support Tools from the SUPPORT\TOOLS folder on the respective operating system CDs.

  • Test the SOURCE server for problems

    • Click Start, Programs, Windows Support Tools, and click Command Prompt.

    • From the command line, enter the command netdiag, and address any problems that are listed

    • From the command line, enter the command dcdiag, and address any problems that are listed

  • Fill out FILE SHARE and PRINTER worksheets using information from SOURCE
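
The pre-migration checks and the worksheet inventory can be scripted. The following is an added example, not code from the original write-up: it runs netdiag and dcdiag on SOURCE, keeps their transcripts, and writes the FILE SHARE and PRINTER worksheets to CSV from WMI so they only need checking rather than typing. It assumes the Support Tools are installed (netdiag and dcdiag on PATH), that it runs as a local Administrator on SOURCE, and that the output folder $OutDir (an assumed path) is writable.

```powershell
# Added example, not part of the original write-up: the pre-migration checks
# scripted, plus an inventory that fills the FILE SHARE and PRINTER worksheets.
# Run on SOURCE as a local Administrator. Assumes the Windows Support Tools are
# installed (netdiag and dcdiag on PATH) and that $OutDir is a writable folder.
param([string]$OutDir = 'C:\dcforklift')   # assumed output location

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Health checks. Keep the full transcript of each tool and pull out the
#    lines that flag a failing test so they can be fixed before going further.
$failures = @()
foreach ($tool in 'netdiag', 'dcdiag') {
    $log = Join-Path $OutDir "$tool.txt"
    & $tool /v 2>&1 | Out-File -FilePath $log -Encoding ascii
    $failures += Select-String -Path $log -Pattern 'failed|fatal' |
                 ForEach-Object { "$tool`: $($_.Line.Trim())" }
}

# 2. File shares worksheet. Type 0 = disk share; admin shares (C$, ADMIN$) are
#    recreated automatically on DESTINATION and are skipped.
$shareAccess = @{ 2032127 = 'Full Control'; 1245631 = 'Change'; 1179817 = 'Read' }
$shares = Get-WmiObject Win32_Share -Filter 'Type = 0' |
    Where-Object { $_.Name -notmatch '\$$' } |
    ForEach-Object {
        $share = $_
        $sd = Get-WmiObject Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
        $dacl = @()
        if ($sd) { $dacl = $sd.GetSecurityDescriptor().Descriptor.DACL }
        $sharePerms = $dacl | ForEach-Object {
            $who  = if ($_.Trustee.Domain) { "$($_.Trustee.Domain)\$($_.Trustee.Name)" } else { $_.Trustee.Name }
            $what = $shareAccess[[int]$_.AccessMask]
            if (-not $what) { $what = "mask 0x{0:X}" -f $_.AccessMask }
            "$who=$what"
        }
        $ntfs = Get-Acl -Path $share.Path -ErrorAction SilentlyContinue
        $ntfsPerms = $ntfs.Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
        New-Object PSObject -Property @{
            'SHARE NAME'        = $share.Name
            'LOCATION ON DISK'  = $share.Path
            'SHARE PERMISSIONS' = $sharePerms -join '; '
            'NTFS PERMISSIONS'  = $ntfsPerms -join '; '
            'COMMENT'           = $share.Description
            'CACHING'           = ''   # offline-files setting is not exposed here; note it from Computer Management
        }
    }
$shares | Select-Object 'SHARE NAME','LOCATION ON DISK','SHARE PERMISSIONS','NTFS PERMISSIONS','COMMENT','CACHING' |
    Export-Csv -Path (Join-Path $OutDir 'file-shares.csv') -NoTypeInformation

# 3. Printer shares worksheet. Standard TCP/IP ports carry the printer's IP
#    address; other port types (LPT, shared queues) leave IP ADDRESS blank.
$portIp = @{}
Get-WmiObject Win32_TCPIPPrinterPort | ForEach-Object { $portIp[$_.Name] = $_.HostAddress }
Get-WmiObject Win32_Printer | ForEach-Object {
    New-Object PSObject -Property @{
        'PRINTER NAME'    = $_.Name
        'DRIVER'          = $_.DriverName
        'IP ADDRESS'      = $portIp[$_.PortName]
        'PORT'            = $_.PortName
        'SHARE NAME'      = $_.ShareName
        'COMMENTS'        = $_.Comment
        'PRINTER OPTIONS' = ''   # duplex, trays and the like are driver-specific; fill in by hand
    }
} | Select-Object 'PRINTER NAME','DRIVER','IP ADDRESS','PORT','SHARE NAME','COMMENTS','PRINTER OPTIONS' |
    Export-Csv -Path (Join-Path $OutDir 'printers.csv') -NoTypeInformation

# 4. Summary: the worksheets are written regardless, but stop here if either
#    diagnostic reported a failure.
if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    Write-Warning "Fix the $($failures.Count) problem(s) above before starting the migration."
} else {
    Write-Host "netdiag and dcdiag clean; worksheets written to $OutDir"
}
```

The share-permission mapping covers the three access masks the share ACL editor produces; anything else is written out as a raw mask so it is not silently misread. The CSV columns match the worksheets at the end of this document.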

Migration Tasks

  • Install the DHCP and DNS service on DESTINATION

    • start, run, appwiz.cpl

    • select Windows Components (varies by OS version)

    • select Networking Services

    • select DHCP services or Dynamic Host Configuration Protocol service

    • select DNS services or Domain Naming Server service

    • finish the setup wizard and supply the OS CD if prompted

  • If upgrading to a higher operating system version or revision, prepare the Schema in the existing Forest/Domain for the introduction of the new OS

    • If upgrading from 2000 to 2003, put the 2003 CD in one of the 2000 DCs and go to a command line.

      • switch to the CD drive, and change to the i386 directory

      • enter the command adprep /forestprep

      • enter the command adprep /domainprep

      • if upgrading to 2003 R2, put the 2003 R2 Disc 2 CD into one of the 2000 DCs and go to a command line.

        • switch to the CD drive, and change to the CMPNENTS\R2\ADPREP directory

        • enter the command adprep /forestprep

        • enter the command adprep /domainprep

    • if upgrading from 2003 to 2003 R2, put the 2003 R2 Disc 2 CD into one of the 2003 DCs and go to a command line

      • switch to the CD drive, and change to the i386 directory

      • enter the command adprep /forestprep

      • enter the command adprep /domainprep

    • run netdiag and dcdiag again on the original domain controller (SOURCE) and address any problems listed.

  • join TRANSITIONAL to the domain, reboot

  • Export the DHCP database on SOURCE

    • consult MS KB article 325473 for exact documentation on how to move the database to a dissimilar OS version.

    • if you are moving to the same OS version:

      • on SOURCE, net stop “dhcp server”

      • on SOURCE, copy %systemroot%\dhcp to %systemroot%\dhcp on DESTINATION

      • on DESTINATION, net start “dhcp server”
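
For the dissimilar-version case that KB 325473 covers, the move goes through netsh instead of a folder copy. The following is an added example, not code from the original write-up or from the KB article: an export function for SOURCE, an import function for DESTINATION, and a scope-by-scope comparison afterwards so a half-imported database is noticed before clients start asking for leases. It assumes Windows Server 2003 or later on both sides (Windows 2000's netsh has no "dhcp server export"), that the DHCP Server service is installed and running on DESTINATION before the import, that $ExportFile is an assumed path, and that the "show scope" output format it parses is the one shown in the comment.

```powershell
# Added example, not part of the original write-up: moving DHCP with netsh rather
# than copying %systemroot%\dhcp, which is the route KB 325473 gives when the OS
# versions differ (it works between identical versions too). Assumes Windows
# Server 2003 or later on both sides and that the DHCP Server service is
# installed and running on DESTINATION before Import-DhcpConfig is called.
$ExportFile = 'C:\dcforklift\dhcp-export.txt'   # assumed path

function Get-DhcpScopes {
    # Scope addresses as listed by "netsh dhcp server [\\server] show scope".
    # Lines of interest start with the scope's network address, e.g.
    # " 10.0.0.0       - 255.255.255.0  -Active  -Main LAN  -"   (format assumed)
    param([string]$Server)
    $cmdArgs = @('dhcp', 'server')
    if ($Server) { $cmdArgs += "\\$Server" }
    $cmdArgs += 'show', 'scope'
    & netsh @cmdArgs | ForEach-Object {
        if ($_ -match '^\s*(\d{1,3}(\.\d{1,3}){3})\s+-') { $Matches[1] }
    }
}

function Export-DhcpConfig {
    # Run on SOURCE while the DHCP Server service is still running (netsh talks
    # to the service over RPC). "all" exports every scope plus server options.
    param([string]$Path = $ExportFile)
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    Get-DhcpScopes | Set-Content -Path "$Path.scopes"   # snapshot for the post-import check
    netsh dhcp server export $Path all | Out-Host
    if (-not (Test-Path $Path)) { throw "netsh export did not create $Path" }
    # Stop serving leases from SOURCE so two servers never answer for the same ranges.
    net stop 'dhcp server' | Out-Host
}

function Import-DhcpConfig {
    # Run on DESTINATION after copying $Path and "$Path.scopes" across.
    # Returns $true when every scope SOURCE had is present after the import.
    param([string]$Path = $ExportFile)
    if (-not (Test-Path $Path)) { throw "export file $Path not found" }
    netsh dhcp server import $Path all | Out-Host
    # Restart the service after the import so the imported scopes are loaded.
    net stop 'dhcp server' | Out-Host
    net start 'dhcp server' | Out-Host
    $expected = @(Get-Content -Path "$Path.scopes")
    $actual   = @(Get-DhcpScopes)
    $missing  = @($expected | Where-Object { $actual -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "scopes missing on DESTINATION after import: $($missing -join ', ')"
    } else {
        Write-Host "all $($actual.Count) scope(s) from SOURCE are present on DESTINATION"
    }
    $missing.Count -eq 0
}
```

Call Export-DhcpConfig on SOURCE, copy the two files to DESTINATION, then call Import-DhcpConfig there. Because DESTINATION later takes over SOURCE's name and address, the existing authorization record in Active Directory continues to match it.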

  • run DCPROMO on TRANSITIONAL to promote to a domain controller, and reboot

  • on TRANSITIONAL, go to start, run, dssite.msc

    • browse to Sites\Default-First-Site-Name\Servers\TRANSITIONAL\NTDS Settings

    • right-click NTDS Settings in the tree, and click properties

    • check the box next to Global Catalog

    • click start, run eventvwr

      • browse to the Directory Service log and watch for an event reporting “THIS SERVER IS NOW A GLOBAL CATALOG”. Occasionally you will instead see an event reporting that the process will be delayed 5 minutes; if so, wait 5 minutes and check again for the above message.
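
The Event Viewer watch above can be automated. The following is an added example, not code from the original write-up: it polls the server until it reports itself as a global catalog and surfaces the "delayed" event along the way. The decision is made on the isGlobalCatalogReady attribute of RootDSE, which a DC sets to TRUE once it is serving as a GC; the NTDS General event IDs used for the informational messages (1110 for the deferral, 1119 for completion) are assumed from the standard messages and only affect what is printed. It assumes $Server is the DC just promoted (TRANSITIONAL here) and that the script runs on that DC or on a machine that can read its event log.

```powershell
# Added example, not part of the original write-up: wait for the Global Catalog
# promotion the write-up tells you to watch for in Event Viewer. The decision
# rests on RootDSE isGlobalCatalogReady; the NTDS General event IDs (1110 =
# promotion deferred, 1119 = now a GC) are assumed and only used for messages.
param([string]$Server = 'TRANSITIONAL', [int]$WaitMinutes = 15)

function Test-GlobalCatalogReady {
    # TRUE once the DC is serving as a global catalog.
    param([string]$Dc)
    $root = [ADSI]"LDAP://$Dc/RootDSE"
    "$($root.isGlobalCatalogReady)" -eq 'TRUE'
}

function Get-GcPromotionEvents {
    # Directory Service log, source NTDS General, events 1110/1119 since $Since.
    param([string]$Dc, [datetime]$Since)
    Get-EventLog -ComputerName $Dc -LogName 'Directory Service' -After $Since -ErrorAction SilentlyContinue |
        Where-Object { $_.Source -eq 'NTDS General' -and ($_.EventID -eq 1110 -or $_.EventID -eq 1119) } |
        Sort-Object TimeGenerated
}

$start    = (Get-Date).AddMinutes(-5)
$deadline = (Get-Date).AddMinutes($WaitMinutes)
do {
    if (Test-GlobalCatalogReady -Dc $Server) {
        Write-Host "$Server reports isGlobalCatalogReady=TRUE; it is now a global catalog."
        break
    }
    $events = @(Get-GcPromotionEvents -Dc $Server -Since $start)
    if ($events | Where-Object { $_.EventID -eq 1110 }) {
        Write-Host 'Promotion deferred (event 1110); waiting as the write-up says...'
    } else {
        Write-Host 'Not a GC yet; checking again in a minute...'
    }
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

if (-not (Test-GlobalCatalogReady -Dc $Server)) {
    Write-Warning "$Server is still not a GC after $WaitMinutes minutes; check the Directory Service log."
}
```

The default 15-minute ceiling comfortably covers the 5-minute deferral the write-up mentions; a server that is still not ready after that usually has a replication problem worth looking at with REPLMON before continuing.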

  • transfer FSMO roles to TRANSITIONAL

    • on TRANSITIONAL, go to a command line and enter the command NTDSUTIL

    • in NTDSUTIL, enter roles

    • enter connections

    • enter connect to domain [yourdomain.tld] (where yourdomain.tld represents your actual fully qualified domain name)

    • enter connect to server [TRANSITIONAL.yourdomain.tld]

    • enter quit

    • enter transfer pdc

    • enter transfer schema master

    • enter transfer infrastructure master

    • enter transfer rid master

    • enter transfer domain naming master

    • enter quit

    • enter quit

  • on both SOURCE and TRANSITIONAL, enter NETDOM query fsmo from the command line, and verify that both servers report that all roles now reside on TRANSITIONAL. It is a good idea to force replication and follow replication progress using AD Sites and Services and REPLMON.

  • DO NOT PROCEED UNTIL YOU ARE CERTAIN THAT ALL DCs ARE AWARE OF THE ROLE TRANSFER
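
The ntdsutil sequence above can be run non-interactively, and the "all DCs are aware" gate can be checked directly instead of by eye. The following is an added example, not code from the original write-up: ntdsutil accepts its menu commands as arguments (each transfer still raises the confirmation dialog mentioned later in this document), and the check reads the five fSMORoleOwner attributes from every DC's own replica, so a DC that has not yet replicated the change is reported by name. It assumes it runs on the DC receiving the roles with the Support Tools installed (repadmin), that $Target is TRANSITIONAL on this pass (DESTINATION on the later one) and that $Domain is your fully qualified domain name.

```powershell
# Added example, not part of the original write-up: the ntdsutil role transfer
# driven from the command line, then a per-DC check that every domain controller
# already reports all five roles on the new holder. Assumes Support Tools are
# installed and the script runs on the DC that receives the roles.
param(
    [string]$Target = 'TRANSITIONAL',      # TRANSITIONAL now, DESTINATION later
    [string]$Domain = 'yourdomain.tld'     # your actual FQDN
)

function Move-AllFsmoRoles {
    # Same commands as the interactive session; each transfer still shows a dialog.
    param([string]$Server, [string]$Domain)
    $cmds = @('roles', 'connections', "connect to domain $Domain",
              "connect to server $Server.$Domain", 'quit')
    foreach ($role in 'pdc', 'schema master', 'infrastructure master',
                      'rid master', 'domain naming master') {
        $cmds += "transfer $role"
    }
    $cmds += 'quit', 'quit'
    & ntdsutil @cmds
}

function Get-FsmoHoldersAsSeenBy {
    # Reads the five fSMORoleOwner attributes out of ONE DC's own replica, so
    # the answer is what that DC believes rather than what the nearest DC says.
    param([string]$Dc)
    $root = [ADSI]"LDAP://$Dc/RootDSE"
    $dom  = "$($root.defaultNamingContext)"
    $cfg  = "$($root.configurationNamingContext)"
    $sch  = "$($root.schemaNamingContext)"
    $objects = @{
        'PDC'            = $dom
        'RID'            = "CN=RID Manager`$,CN=System,$dom"
        'Infrastructure' = "CN=Infrastructure,$dom"
        'Schema'         = $sch
        'DomainNaming'   = "CN=Partitions,$cfg"
    }
    $view = @{}
    foreach ($role in $objects.Keys) {
        $owner = "$(([ADSI]"LDAP://$Dc/$($objects[$role])").fSMORoleOwner)"
        # owner is an NTDS Settings DN: CN=NTDS Settings,CN=<server>,CN=Servers,...
        if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { $view[$role] = $Matches[1] }
        else { $view[$role] = $owner }
    }
    $view
}

function Test-FsmoConsensus {
    # $true only when every DC in the domain reports all five roles on $Expected.
    param([string]$Expected)
    Add-Type -AssemblyName System.DirectoryServices
    $dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
    $agree = $true
    foreach ($dc in $dcs) {
        $view  = Get-FsmoHoldersAsSeenBy -Dc $dc.Name
        $stale = @($view.Keys | Where-Object { $view[$_] -ne $Expected })
        if ($stale.Count -gt 0) {
            $agree  = $false
            $detail = ($stale | ForEach-Object { "$_=$($view[$_])" }) -join ', '
            Write-Warning "$($dc.Name) still reports: $detail"
        } else {
            Write-Host "$($dc.Name) agrees all roles are on $Expected"
        }
    }
    $agree
}

Move-AllFsmoRoles -Server $Target -Domain $Domain
netdom query fsmo                        # the check the write-up asks for
repadmin /syncall /AdeP | Out-Null       # push the change to every partner now
if (Test-FsmoConsensus -Expected $Target) {
    Write-Host 'All DCs are aware of the role transfer; safe to continue.'
} else {
    Write-Warning 'DO NOT PROCEED: re-run this check after replication has caught up.'
}
```

NETDOM query fsmo answers from whichever DC it happens to reach; the LDAP read above is deliberately pinned to each DC in turn, which is what the warning above actually requires.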

  • on SOURCE, go to start, run dssite.msc

    • browse to Sites\Default-First-Site-Name\Servers\SOURCE\NTDS Settings

    • right-click NTDS Settings in the tree, and click properties

    • uncheck the box next to Global Catalog

    • click start, run eventvwr

    • watch for indications that the server is no longer a Global Catalog

    • Force replication between domain controllers and make sure the process completes successfully.

  • Run netdiag and dcdiag on SOURCE, verify there are no failures

  • Run DCPROMO on SOURCE and demote the server (DO NOT CHECK “THIS IS THE LAST DOMAIN CONTROLLER…”), and reboot

  • Rename SOURCE to OLD

  • change the IP address of the SOURCE server

  • Reboot SOURCE (if not done during the rename from SOURCE to OLD)

  • On TRANSITIONAL, start, run dnsmgmt.msc

    • clean up DNS zone for any records referencing SOURCE

  • on TRANSITIONAL, start, run adsiedit.msc

    • clean up references to SOURCE under CN=Configuration\CN=Sites\CN=Default-First-Site-Name\CN=Servers

    • you may prefer to use NTDSUTIL to clean up metadata. See Microsoft support online for details on how to use this feature of Windows

    • Be sure that site replication takes place
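
The NTDSUTIL route mentioned above, with a check that nothing in the directory or DNS still points at SOURCE, as an added example that is not code from the original write-up or from Microsoft's article. The one-line "remove selected server <DN>" form needs Windows Server 2003 SP1 or later; earlier builds need the interactive list/select menus. It assumes it runs on TRANSITIONAL, that $OldDc is the demoted server's name, $Site its site, and $Zones the DNS zones TRANSITIONAL hosts (the _msdcs zone is a separate zone by default on 2003); the export file names are constructed.

```powershell
# Added example, not part of the original write-up: ntdsutil metadata cleanup
# for the demoted SOURCE, then a check for leftovers in the Configuration
# partition, the FRS member list, and the DNS zones. Run on TRANSITIONAL.
# "remove selected server <DN>" requires Windows Server 2003 SP1 or later.
param(
    [string]$OldDc   = 'SOURCE',
    [string]$Site    = 'Default-First-Site-Name',
    [string[]]$Zones = @('yourdomain.tld', '_msdcs.yourdomain.tld')
)

$root     = [ADSI]'LDAP://RootDSE'
$cfg      = "$($root.configurationNamingContext)"
$dom      = "$($root.defaultNamingContext)"
$serverDn = "CN=$OldDc,CN=Servers,CN=$Site,CN=Sites,$cfg"   # same path the write-up gives for adsiedit.msc

function Remove-DcMetadata {
    # Hands the server DN to ntdsutil, which removes the server object, its
    # NTDS Settings and the related FRS member entry in one step.
    param([string]$Dn)
    & ntdsutil 'metadata cleanup' "remove selected server $Dn" 'quit' 'quit'
}

function Test-DcReferencesGone {
    # $true when the server object, the FRS member and every zone are clear.
    param([string]$Dn, [string]$Name, [string[]]$ZoneList)
    $clean = $true
    $frsDn = "CN=$Name,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$dom"
    foreach ($path in $Dn, $frsDn) {
        if ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$path")) {
            Write-Warning "still present: $path"
            $clean = $false
        }
    }
    foreach ($zone in $ZoneList) {
        # dnscmd writes the export under %systemroot%\system32\dns and will not
        # overwrite, so clear any previous copy first.
        $file = "$zone.export.txt"
        $full = Join-Path $env:SystemRoot "system32\dns\$file"
        Remove-Item -Path $full -ErrorAction SilentlyContinue
        dnscmd /zoneexport $zone $file | Out-Null
        $hits = @(Select-String -Path $full -Pattern $Name -SimpleMatch -ErrorAction SilentlyContinue)
        if ($hits.Count -gt 0) {
            $clean = $false
            $hits | ForEach-Object { Write-Warning "$zone still references ${Name}: $($_.Line.Trim())" }
        }
    }
    $clean
}

Remove-DcMetadata -Dn $serverDn
repadmin /syncall /AdeP | Out-Null
if (Test-DcReferencesGone -Dn $serverDn -Name $OldDc -ZoneList $Zones) {
    Write-Host "no remaining references to $OldDc"
} else {
    Write-Warning 'remove the leftovers above (dnsmgmt.msc / adsiedit.msc) before DESTINATION comes up with that name'
}
```

Stale SRV and CNAME records are the usual reason a freshly renamed DESTINATION misbehaves, because clients and other DCs resolve SOURCE's old name to whatever is left in _msdcs; the zone export catches those without clicking through every folder in dnsmgmt.msc.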

  • Bring up DESTINATION and give it the name of the SOURCE server

  • change the IP address of DESTINATION to the same address previously used by SOURCE

  • install DNS and DHCP on DESTINATION

  • On DESTINATION, restore the DHCP database from the backed-up files in the earlier steps

    • if moving DHCP to the same OS version, you can simply copy the DHCP data to %systemroot%\dhcp and net start “dhcp server”

    • if moving DHCP between two different versions or revisions, you can use the netsh dhcp server import command (see MS KB article 325473)

  • on DESTINATION, promote to DC using DCPROMO, and reboot

  • on DESTINATION, start, run, dssite.msc

    • browse to Sites\Default-First-Site-Name\Servers\DESTINATION\NTDS Settings

    • Right-click NTDS Settings, and click properties

    • check the Global Catalog box

    • Watch the event log for signals that the server has become a global catalog

  • On DESTINATION, open a command prompt, and enter the following: net time /setsntp:[fqdn of NTP server]. Several reliable NTP servers can be used. To use one of the Naval Observatory servers, go to http://tycho.usno.navy.mil and click the NTP link. There you can find a listing for the appropriate server for your time zone and location.

  • run netdiag and dcdiag on the TRANSITIONAL server to make sure all things are still working properly.

  • on DESTINATION, go to a command prompt

    • enter ntdsutil

    • enter roles

    • enter connections

    • enter connect to domain [yourdomainname.tld]

    • enter connect to server [DESTINATION.yourdomainname.tld]

    • enter quit

    • enter transfer schema master (NOTE: you must confirm a graphical dialog for each transfer operation)

    • enter transfer domain naming master

    • enter transfer infrastructure master

    • enter transfer rid master

    • enter transfer pdc

    • enter quit

    • enter quit

    • enter netdom query fsmo

  • on TRANSITIONAL go to a command line

    • enter netdom query fsmo and verify that the same info is reported

    • allow time for site replication to take place

  • demote TRANSITIONAL, reboot

  • disjoin TRANSITIONAL, reboot or shutdown

  • on DESTINATION, open dnsmgmt.msc and clean up any references to TRANSITIONAL

  • on DESTINATION, clean up metadata using ntdsutil or adsiedit.msc

  • Transfer data back from backup or OLD (formerly SOURCE) server to DESTINATION

  • Set up printer shares on DESTINATION as noted in the worksheets

  • set up file shares (after file copy is complete) on DESTINATION as noted in the worksheets

File Shares Worksheet

SHARE NAME | LOCATION ON DISK | SHARE PERMISSIONS | NTFS PERMISSIONS | COMMENT | CACHING
-----------+------------------+-------------------+------------------+---------+--------
           |                  |                   |                  |         |
           |                  |                   |                  |         |
           |                  |                   |                  |         |
           |                  |                   |                  |         |

Printer Shares Worksheet

PRINTER NAME | DRIVER | IP ADDRESS | PORT | SHARE NAME | COMMENTS | PRINTER OPTIONS
-------------+--------+------------+------+------------+----------+----------------
             |        |            |      |            |          |
             |        |            |      |            |          |
             |        |            |      |            |          |
             |        |            |      |            |          |