Migrating a Domain Controller

28 August 2025, by Rached Chader

Welcome to Chader.fr!

In this step-by-step guide, we will walk through how to safely migrate an Active Directory Domain Controller, including FSMO role transfer, configuration via PowerShell, and the demotion of the old DC.

What to Prepare Beforehand

  • System state backup of the old DC (and DNS if applicable).

  • If virtual machine: take a snapshot (to be deleted after migration validation).

  • Open required network flows between the new DC and the domain.

  • Ensure DNS is healthy and AD time synchronization is correct.

Health check (run on an existing DC):

Capture 01: clean repadmin output, "Fails = 0" on every line.

Prepare the New Server (NEWDC.chader.fr)

Rename the Server

  • Open Server Manager → Local Server → Computer Name.

  • System Properties → Computer Name tab → Change….

  • Enter new name (e.g., NEWDC) and domain suffix (chader.fr) → restart.

Static IP & Primary DNS (Before Promotion)

  • Network & Sharing Center → Adapter settings → Properties → IPv4 → Properties.

  • Example: IP = 10.0.0.50, Mask = 255.255.255.0, Gateway = 10.0.0.1.

  • Preferred DNS = existing DC (10.0.0.10), Alternate = another DC (10.0.0.11).

  • Ensure Register this connection’s addresses in DNS is checked.

  • Do not set public DNS or 127.0.0.1 at this stage. Keep IPv6 enabled.

Join the Domain

  • Local Server → Workgroup → Change… → enter chader.fr + credentials → restart.

Install AD DS Role

  • Server Manager → Manage → Add Roles and Features → select Active Directory Domain Services → Install.

  • Then click the notification “Promote this server to a domain controller”.

DNS After Promotion

  • IPv4 Preferred DNS = NEWDC’s IP.

  • Alternate DNS = another DC.

  • Never configure public DNS on a DC.

Quick Checks

  • Confirm: Computer name = NEWDC, Domain = chader.fr, Static IPv4, No DNS errors.

  • Time sync < 5 minutes difference.

  • If VM: snapshot now.

Promote the New DC (replica + DNS + GC)

Promotion Wizard (GUI)

  • Server Manager → Promote this server to a domain controller

    • Add to existing domain chader.fr, Site = Default-First-Site-Name

    • Check DNS + GC, leave RODC unchecked

    • Enter DSRM password → Next → Install → Reboot.

PowerShell (optional)
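The preparation and promotion steps above, done from an elevated PowerShell on the new server. This is an added example, not the post's own script: it assumes the NIC alias is 'Ethernet' and otherwise uses the addresses and names given in the post (10.0.0.50/24, gateway 10.0.0.1, existing DCs 10.0.0.10 and 10.0.0.11, domain chader.fr, site Default-First-Site-Name). Two of the steps reboot the server, so run the sections one at a time rather than as a single script.

```powershell
# Added example (not the post's code). Assumption: NIC alias 'Ethernet'; all IPs/names are the post's.

# --- Step 1: static IPv4 and DNS pointing at the EXISTING DCs (before promotion) ---
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.50' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10', '10.0.0.11'
# Keep IPv6 enabled; make sure the connection registers its addresses in DNS (the default).
Set-DnsClient -InterfaceAlias 'Ethernet' -RegisterThisConnectionsAddress $true

# --- Step 2: rename to NEWDC and join chader.fr in one operation (reboots) ---
$cred = Get-Credential -Message 'Domain Admin account for chader.fr'
Add-Computer -DomainName 'chader.fr' -NewName 'NEWDC' -Credential $cred -Restart

# --- Step 3 (after the reboot, logged on as Domain Admin): install the AD DS binaries ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# --- Step 4: promote as a replica DC with DNS and GC, not RODC (reboots at the end) ---
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString
$promo = @{
    DomainName                    = 'chader.fr'
    SiteName                      = 'Default-First-Site-Name'
    InstallDns                    = $true     # the 'DNS' box in the wizard
    NoGlobalCatalog               = $false    # the 'GC' box in the wizard (GC is the default)
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true     # no confirmation prompts
}
# Prerequisite check first: it reports problems (Status/Message) without touching the server.
Test-ADDSDomainControllerInstallation @promo
# Only once the check is clean:
Install-ADDSDomainController @promo

# --- Step 5 (after the promotion reboot): DNS client now points at itself first, another DC second ---
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.50', '10.0.0.10'
```

Not passing -ReadOnlyReplica is what keeps the RODC box unchecked; the DSRM password is read interactively so it never ends up in a script or in the shell history.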

Post-Reboot Checks

  • Ensure replication errors = 0.

  • dcdiag passes.

  • SRV records visible in DNS.
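The checks the post calls for twice, before the migration ("Fails = 0" on every repadmin line, as in Capture 01) and again here after NEWDC reboots (no replication errors, dcdiag clean, SRV records present), as one added script that is not the post's own code. It uses the post's names (chader.fr, NEWDC) and the ActiveDirectory module, and is meant to be run from any DC as a Domain Admin.

```powershell
# Added example (not the post's code). Names are the post's; run on any DC as Domain Admin.
Import-Module ActiveDirectory
$Domain = 'chader.fr'
$NewDc  = 'NEWDC'

# 1. Replication: repadmin's CSV output parsed into objects, keeping only links that have failed.
#    An empty $bad is the 'Fails = 0 on every line' criterion of the pre-migration health check.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv
$bad   = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($bad) {
    Write-Warning "$($bad.Count) replication link(s) failing:"
    $bad | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' -AutoSize
} else {
    "Replication: Fails = 0 on all $($links.Count) links"
}

# 2. dcdiag in quiet mode prints only failures, so no output means every test passed.
$diag = dcdiag /s:$NewDc /q
if ($diag) { Write-Warning "dcdiag reported:`n$($diag -join "`n")" } else { "dcdiag: all tests passed on $NewDc" }
dcdiag /s:$NewDc /test:dns /q     # DNS-specific tests (forwarders, delegations, dynamic update)

# 3. SRV records: NEWDC must be advertised as a DC, as a GC and as a Kerberos KDC.
$srvNames = "_ldap._tcp.dc._msdcs.$Domain", "_gc._tcp.$Domain", "_kerberos._tcp.dc._msdcs.$Domain"
foreach ($name in $srvNames) {
    $targets = (Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop | Where-Object Type -eq 'SRV').NameTarget
    $present = $targets -contains "$NewDc.$Domain"     # -contains is case-insensitive for strings
    '{0,-45} {1}' -f $name, $(if ($present) { 'OK' } else { "MISSING $NewDc" })
}

# 4. Time: offset of every DC against the domain's time source (must stay well under 5 minutes).
w32tm /monitor

# 5. Inventory: which DCs exist, which are GCs, and who holds FSMO roles right now.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles
```

Run it once on an existing DC before touching anything and keep the output; after promotion the same script must show NEWDC in the inventory, in all three SRV names, and with zero failing links.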

Transfer FSMO Roles to NEWDC

GUI Method

  • ADUC → Domain → Operations Masters → transfer RID, PDC, Infrastructure.

  • AD Domains and Trusts → change Domain Naming Master.

  • AD Schema MMC (after regsvr32 schmmgmt.dll) → transfer Schema Master.

PowerShell Quick Method
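Transferring all five roles in one call and then verifying where they sit, as an added example that is not the post's own script. It uses the post's names and the ActiveDirectory module; the account needs Domain Admin, Schema Admin and Enterprise Admin membership, because the Schema and Domain Naming masters are forest-level roles.

```powershell
# Added example (not the post's code). Names are the post's; run as Domain/Schema/Enterprise Admin.
Import-Module ActiveDirectory
$NewDc = 'NEWDC'
$Roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Graceful transfer: the current holder is contacted and hands the role over, so both DCs agree.
# -Force would SEIZE instead; use it only when the old holder is permanently gone (a seized role's
# former holder must never be brought back online into the domain).
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $Roles -Confirm:$false

function Get-FsmoHolders {
    param([string]$Domain = 'chader.fr')
    $d = Get-ADDomain -Identity $Domain   # domain-wide roles
    $f = Get-ADForest -Identity $Domain   # forest-wide roles
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

$holders  = Get-FsmoHolders
$holders
$notMoved = $holders.PSObject.Properties | Where-Object { $_.Value -notlike "$NewDc.*" }
if ($notMoved) { Write-Warning ('Still elsewhere: ' + ($notMoved.Name -join ', ')) }
else           { "All 5 roles on $NewDc" }

# The same check with the classic tool used in the Validation step:
netdom query fsmo
```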

NTP Configuration (on NEWDC)


Validation

  • netdom query fsmo → all 5 roles on NEWDC

  • w32tm /query /status → Source = pool.ntp.org, Reliable = True
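The NTP configuration for NEWDC and the validation above, as an added example rather than the post's own commands. NEWDC now holds the PDC emulator role, so it is the DC that should sync from an external source and advertise itself as reliable; the block goes one step beyond the post by also switching OLDDC back to the domain hierarchy so it stops advertising as reliable. It assumes pool.ntp.org is reachable on UDP 123 outbound (the last row of the flows table) and matches the English wording of w32tm's output.

```powershell
# Added example (not the post's code). Assumes UDP 123 outbound to pool.ntp.org and English w32tm output.

# --- On NEWDC (PDC emulator): external source, advertised as reliable ---
# 0x8 = client mode (send requests, never act as a symmetric peer); 'manual' = use only the peer list.
w32tm /config /manualpeerlist:"pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

function Test-NtpSource {
    # Returns $true when 'w32tm /query /status' reports the expected source, e.g. 'Source: pool.ntp.org,0x8'.
    param([string]$Expected = 'pool.ntp.org')
    $status = w32tm /query /status
    $line   = $status | Select-String -Pattern '^Source:\s*(.+)$'
    if (-not $line) { return $false }
    $line.Matches[0].Groups[1].Value.Trim() -like "$Expected*"
}

w32tm /query /status                                               # Source, Stratum, Last Successful Sync Time
w32tm /query /configuration | Select-String 'NtpServer|AnnounceFlags' # AnnounceFlags: 5 means 'reliable time source'
if (Test-NtpSource) { 'NTP source OK' } else { Write-Warning 'NEWDC is not syncing from pool.ntp.org' }

# --- On OLDDC (no longer PDC emulator): back to the domain hierarchy, not reliable ---
#   w32tm /config /syncfromflags:domhier /reliable:no /update
#   Restart-Service w32time; w32tm /resync

# --- From any member: offset against NEWDC, which must stay far below the 5-minute Kerberos limit ---
w32tm /stripchart /computer:NEWDC.chader.fr /samples:3 /dataonly
```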

SYSVOL Migration: FRS → DFSR

Attention
Do not chain the states in one go. Wait for “State achieved across all DCs” at each step before moving to the next.
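The migration driven state by state with the wait the Attention note demands, as an added example that is not the post's own script. It runs dfsrmig on the PDC emulator (NEWDC after the FSMO transfer) and polls `dfsrmig /getmigrationstate` until every DC reports the new global state; it assumes dfsrmig's English output wording ("consistent state"), so adjust the match for another locale. State 3 (Eliminated) cannot be reversed, whereas states 1 and 2 can be rolled back with `/setglobalstate 0` or `1`.

```powershell
# Added example (not the post's code). Run as Domain Admin on the PDC emulator (NEWDC).
# Assumption: dfsrmig prints English text; 'consistent state' marks a fully converged global state.

function Wait-DfsrMigration {
    param(
        [ValidateRange(0, 3)][int]$State,   # 0 Start, 1 Prepared, 2 Redirected, 3 Eliminated
        [int]$PollSeconds    = 60,
        [int]$TimeoutMinutes = 120
    )
    dfsrmig /setglobalstate $State | Out-Host
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Push the new global state to every DC instead of waiting for the replication schedule.
        repadmin /syncall /AdeP | Out-Null
        Start-Sleep -Seconds $PollSeconds
        $out = (dfsrmig /getmigrationstate) -join "`n"
        if ($out -match 'consistent state') {
            "State $State reached on all DCs"
            return $true
        }
        Write-Host "Waiting for state $State...`n$out"
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Timed out waiting for state $State. Do NOT set the next state; check dfsrmig /getmigrationstate and replication."
    return $false
}

dfsrmig /getglobalstate   # starting point; an FRS domain reports 'Start' (0)

# One state at a time, each waiting for 'State achieved across all DCs' before the next.
if (-not (Wait-DfsrMigration -State 1)) { return }   # Prepared: DFSR builds SYSVOL_DFSR, FRS still serves clients
if (-not (Wait-DfsrMigration -State 2)) { return }   # Redirected: SYSVOL/NETLOGON shares now point at SYSVOL_DFSR
if (-not (Wait-DfsrMigration -State 3)) { return }   # Eliminated: FRS stopped, its SYSVOL copy removed (irreversible)

# Final look: the SYSVOL share must resolve to SYSVOL_DFSR and the FRS service (NtFrs) must be gone.
net share SYSVOL
Get-Service DFSR, NtFrs -ErrorAction SilentlyContinue | Format-Table Name, Status
```

The migration has to be finished before any Windows Server 2019 or later DC can be promoted, since those releases refuse to join a domain whose SYSVOL is still replicated by FRS.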

Decommission the Old DC (OLDDC)

GUI (recommended)

Server Manager → Remove Roles and Features → Demote this domain controller → set local admin password → uninstall → reboot.

PowerShell

Cleanup: remove OLDDC from Sites and Services, purge stale DNS A/SRV records. If the DC is dead, use NTDSUtil to clean metadata.
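A graceful demotion of OLDDC followed by the cleanup just described, as an added example that is not the post's own script: the server object in Sites and Services, stale A/SRV/NS records in both DNS zones, and the ntdsutil metadata cleanup for the case where OLDDC is dead. It assumes OLDDC's address was 10.0.0.10, its site Default-First-Site-Name, its NIC alias 'Ethernet', and that `_msdcs.chader.fr` is a separate AD-integrated zone (the default); none of these are stated in the post.

```powershell
# Added example (not the post's code). Assumptions: OLDDC = 10.0.0.10, site Default-First-Site-Name,
# NIC alias 'Ethernet', separate _msdcs.chader.fr zone.

# --- On OLDDC: preflight, then demote (reboots) ---
$localPwd = Read-Host -Prompt 'New local Administrator password for OLDDC' -AsSecureString
Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localPwd -Force   # review before going on
Uninstall-ADDSDomainController -LocalAdministratorPassword $localPwd -Force
# After the reboot OLDDC is a member server. Point its DNS client at NEWDC, then remove the roles:
#   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.50'
#   Uninstall-WindowsFeature AD-Domain-Services, DNS -IncludeManagementTools -Restart

# --- On NEWDC: cleanup ---
Import-Module ActiveDirectory
$OldDc  = 'OLDDC'
$OldIp  = '10.0.0.10'
$Domain = 'chader.fr'
$Site   = 'Default-First-Site-Name'

# 1. Sites and Services: a graceful demote deletes NTDS Settings but can leave the server object behind.
$serversDn = "CN=Servers,CN=$Site,CN=Sites," + (Get-ADRootDSE).configurationNamingContext
$serverObj = Get-ADObject -LDAPFilter "(cn=$OldDc)" -SearchBase $serversDn -SearchScope OneLevel
if ($serverObj) {
    "Removing $($serverObj.DistinguishedName)"
    Remove-ADObject -Identity $serverObj -Recursive -Confirm:$false
}

# 2. Dead DC only (never demoted): metadata cleanup with ntdsutil, as the post suggests.
#    ntdsutil "metadata cleanup" "remove selected server CN=$OldDc,$serversDn" quit quit

# 3. Stale DNS: A records with OLDDC's IP, SRV records targeting OLDDC, NS records naming it, in both zones.
foreach ($zone in $Domain, "_msdcs.$Domain") {
    $stale = Get-DnsServerResourceRecord -ZoneName $zone -ErrorAction SilentlyContinue | Where-Object {
        ($_.RecordType -eq 'A'   -and $_.RecordData.IPv4Address.ToString() -eq $OldIp) -or
        ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$OldDc.$Domain*") -or
        ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$OldDc.$Domain*")
    }
    foreach ($r in $stale) {
        '{0,-22} {1,-4} {2}' -f $zone, $r.RecordType, $r.HostName
        Remove-DnsServerResourceRecord -ZoneName $zone -InputObject $r -Force
    }
}

# 4. Verify: OLDDC is no longer listed as a DC and replication is clean without it.
Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
repadmin /replsummary
```

Run step 1 and step 3 only after the demotion has replicated (the demote itself removes most SRV records); step 2 replaces step 1 when OLDDC never came back to demote itself.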

Final Validation & Common Pitfalls

Common pitfalls

  • Forgetting NTP (Kerberos fails with >5 min skew).

  • Blocking RPC dynamic ports (49152–65535/TCP) between DCs.

  • Removing the last Global Catalog in a site.

  • DNS SRV records not replicated before demotion.

  • DFSR migration not fully converged (see Attention above).

Required Network Flows

From / To           Service        Ports                  Purpose
DC ↔ DC             LDAP           389 TCP/UDP            Replication & binds
                    LDAPS          636 TCP                Encrypted LDAP
                    GC             3268 / 3269 TCP        Global Catalog
                    Kerberos       88 TCP/UDP             Authentication
                    DNS            53 TCP/UDP             Name resolution & SRV
                    RPC EM         135 TCP                Endpoint Mapper
                    RPC Dyn        49152–65535 TCP        AD replication
                    SMB            445 TCP                SYSVOL / NETLOGON
                    DFSR           5722 TCP               SYSVOL replication (DFSR)
Clients → NEWDC     DNS/KRB/LDAP   53/88/389/3268/445     Auth, queries, GPOs, scripts
NEWDC ↔ Internet    NTP            123 UDP                Time sync (from reliable external source)
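A reachability check for the flows in the table, run from NEWDC towards an existing DC, as an added example that is not the post's own script. Test-NetConnection only probes TCP, so the UDP flows (53, 123) are exercised with a real DNS query and a real NTP exchange, and the RPC dynamic range is exercised by `repadmin /bind`, which maps an endpoint through 135 and then connects to a port in 49152–65535. It assumes the peer DC is 10.0.0.10 (the preferred DNS address from the post).

```powershell
# Added example (not the post's code). Assumption: peer DC 10.0.0.10; run from NEWDC.
$Peer = '10.0.0.10'
$TcpPorts = @(
    @{ Port = 53;   Service = 'DNS' }
    @{ Port = 88;   Service = 'Kerberos' }
    @{ Port = 135;  Service = 'RPC Endpoint Mapper' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB (SYSVOL/NETLOGON)' }
    @{ Port = 636;  Service = 'LDAPS' }
    @{ Port = 3268; Service = 'Global Catalog' }
    @{ Port = 3269; Service = 'Global Catalog SSL' }
    @{ Port = 5722; Service = 'DFSR (answers only once DFSR is replicating SYSVOL)' }
)

function Test-DcTcpPorts {
    # One TCP connect per port; -InformationLevel Quiet makes Test-NetConnection return a plain boolean.
    param([string]$ComputerName, [array]$Ports = $TcpPorts)
    foreach ($p in $Ports) {
        $open = Test-NetConnection -ComputerName $ComputerName -Port $p.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $ComputerName; Port = $p.Port; Service = $p.Service; Open = $open }
    }
}

$results = Test-DcTcpPorts -ComputerName $Peer
$results | Format-Table -AutoSize
$closed = $results | Where-Object { -not $_.Open }
if ($closed) { Write-Warning ("Blocked TCP ports towards ${Peer}: " + ($closed.Port -join ', ')) }

# UDP 53: a real SRV lookup against the peer's DNS service.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.chader.fr' -Type SRV -Server $Peer | Select-Object Name, NameTarget, Port
# UDP 123: a real NTP exchange with the external pool (the outbound flow in the last table row).
w32tm /stripchart /computer:pool.ntp.org /samples:1 /dataonly
# TCP 135 plus the dynamic range: an RPC bind to the peer's directory service.
repadmin /bind $Peer
```

A bind failure with every fixed port open is the classic signature of the dynamic range being filtered, the second pitfall listed above.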
