Migrating Domain Controllers: Taking Over a Domain with a New Controller

Server Infrastructure

When replacing an old domain controller with a new one, you need to transfer all FSMO (Flexible Single Master Operations) roles to the new server and properly clean up the old domain controller from Active Directory. This process is critical for maintaining domain health and ensuring proper AD replication.

This guide walks through the complete process of taking over a domain with a new controller, including transferring FSMO roles, cleaning up the old server, upgrading functional levels, and performing DFSR migration.

TL;DR

  • CRITICAL: Always have backups! Create full AD backups before starting - you need a restore point
  • Transfer FSMO roles: Run Move-ADDirectoryServerOperationMasterRole -Identity NEWSERVERHOSTNAME -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Force
  • ALWAYS decommission properly: Use dcpromo /demote or Server Manager to properly decommission the old DC
  • Clean up old server: After proper decommission, remove from AD Sites and Services (NTDS Settings, then server)
  • Upgrade functional levels: Upgrade domain and forest functional levels if needed
  • Perform DFSR migration (if needed): Only required if migrating from Server 2008 or earlier, or introducing Server 2016+ DCs into an FRS domain
  • Never force-delete: Always decommission properly - force deletion can break your domain

What Are FSMO Roles?

FSMO roles are special roles in Active Directory that can only be held by one domain controller at a time. There are five FSMO roles:

  • Schema Master: Controls schema modifications
  • Domain Naming Master: Manages domain additions and removals
  • PDC Emulator: Provides backward compatibility, time synchronization, password changes
  • RID Master: Allocates RIDs (Relative Identifiers) to domain controllers
  • Infrastructure Master: Updates cross-domain object references

All five roles must be transferred to the new domain controller before decommissioning the old one.

Prerequisites

Before starting, ensure you have:

  • New domain controller already promoted and operational
  • Administrative access to both old and new domain controllers
  • CRITICAL: Full Active Directory backups that can be restored - This is non-negotiable. You need a known good restore point before making any changes.
  • Network connectivity between domain controllers
  • Replication is healthy between all domain controllers
  • A maintenance window for the migration

⚠️ Critical Warning: Always Decommission Properly

NEVER force-delete a domain controller. Always properly decommission the old domain controller using dcpromo /demote or Server Manager before doing any manual cleanup. Force deletion or improper removal can corrupt your Active Directory and break your domain.

If the old domain controller is no longer accessible, you may need to perform metadata cleanup, but this should only be done as a last resort and requires careful execution. The proper decommission process cleans up all AD references automatically.

Step 1: Verify Current FSMO Role Holders

First, verify which domain controller currently holds the FSMO roles. Run this PowerShell command:

Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

This shows you the current role holders. Make a note of which server currently holds each role.

Step 2: Transfer FSMO Roles to New Domain Controller

Transfer all five FSMO roles to your new domain controller using PowerShell. Replace NEWSERVERHOSTNAME with the actual hostname of your new domain controller:

Move-ADDirectoryServerOperationMasterRole -Identity NEWSERVERHOSTNAME -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster -Force

This single command transfers all five FSMO roles at once. The -Force parameter suppresses confirmation prompts.

What This Command Does

The Move-ADDirectoryServerOperationMasterRole cmdlet:

  • Transfers the specified FSMO roles from the current holder to the target server
  • Ensures proper replication before completing the transfer
  • Updates Active Directory with the new role holders

Verifying the Transfer

After running the command, verify the roles were transferred successfully:

Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

All roles should now show your new domain controller as the holder.
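The following PowerShell script is an added example, not code from the original article. It wraps Step 1, Step 2 and the verification into one run: it reads the current role holders, refuses to move anything while the target DC has inbound replication failures, transfers the five roles, then re-reads AD and fails loudly if any role is not on the new DC. NEWSERVERHOSTNAME is a placeholder, and the ActiveDirectory RSAT module is assumed. One caveat a practitioner should know: on this cmdlet -Force permits a seizure when a clean transfer is not possible, so the script uses -Confirm:$false to suppress the prompt and leaves seizure as a separate, deliberate decision.

```powershell
# Added example, not part of the original article: transfer the five FSMO roles with a
# replication pre-check and an explicit post-transfer verification.
# Assumes the ActiveDirectory RSAT module; NEWSERVERHOSTNAME is a placeholder.
Import-Module ActiveDirectory

$NewDc = 'NEWSERVERHOSTNAME'   # replace with the new DC's hostname before running
$Roles = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolders {
    # Role name -> FQDN of the current holder, read from the forest and domain objects
    $forest = Get-ADForest
    $domain = Get-ADDomain
    return @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# The target must already be a promoted DC that AD knows about
$target = Get-ADDomainController -Identity $NewDc -ErrorAction Stop
Write-Host "Target DC: $($target.HostName) in site $($target.Site)"

# Do not move roles onto a DC whose inbound replication is failing; it may be missing
# changes that the current role holders have already committed
$failures = @(Get-ADReplicationFailure -Target $target.HostName)
if ($failures.Count -gt 0) {
    $failures | Format-Table Server, Partner, FailureType, LastError -AutoSize
    throw "Inbound replication to $($target.HostName) is failing; repair it before moving roles."
}

Write-Host 'Role holders before the transfer:'
Get-FsmoHolders | Format-Table -AutoSize

# -Confirm:$false suppresses the prompt. -Force is deliberately NOT used here because it
# allows a seizure when a clean transfer fails; seizure should be a separate, conscious step.
Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Roles -Confirm:$false

# Re-read AD and insist that every role now points at the new DC
$after = Get-FsmoHolders
$stragglers = @($after.GetEnumerator() | Where-Object { $_.Value -ne $target.HostName })
if ($stragglers.Count -gt 0) {
    $stragglers | ForEach-Object { Write-Warning "$($_.Key) is still held by $($_.Value)" }
    throw "Not every FSMO role was transferred to $($target.HostName)"
}
Write-Host "All five FSMO roles are now held by $($target.HostName)"
```

Run it from an elevated PowerShell session as a member of Enterprise Admins and Schema Admins (the Schema Master and Domain Naming Master transfers need those memberships). The comparison uses the FQDN that Get-ADForest and Get-ADDomain return, so a short-name mismatch cannot produce a false pass.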

Step 3: Properly Decommission the Old Domain Controller

CRITICAL: Before doing any manual cleanup, you MUST properly decommission the old domain controller. This is the correct way to remove a domain controller and ensures all Active Directory references are cleaned up properly.

Method 1: Using Server Manager (Windows Server 2012 R2 and later)

  1. Log into the old domain controller
  2. Open Server Manager
  3. Click on Manage → Remove Roles and Features
  4. Navigate through the wizard
  5. When prompted, select Remove Active Directory Domain Services
  6. Follow the wizard - it will automatically demote the server
  7. When prompted, choose whether to remove DNS role (usually yes)
  8. Provide administrator credentials when prompted
  9. Restart the server when prompted

Method 2: Using dcpromo /demote (Command Line)

On the old domain controller, open an elevated Command Prompt and run:

dcpromo /demote

Follow the prompts to demote the domain controller. This will remove Active Directory Domain Services and properly clean up AD references.
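As an added example (not code from the original article), the script below is the scripted equivalent of the wizard demotion for Windows Server 2012 and later, using the ADDSDeployment module that Server Manager itself calls. It is meant to run on the old DC and refuses to demote while that server still holds a FSMO role, is the only DC in the domain, or has replication failures; it then runs the module's own prerequisite test and, only if that passes, performs a clean demotion without -ForceRemoval. Reading the prerequisite result through its Status property is this example's assumption about that cmdlet's output object.

```powershell
# Added example, not part of the original article: pre-demotion checks followed by a
# clean (non-forced) demotion with the ADDSDeployment module, which is what the Server
# Manager wizard uses on Windows Server 2012 and later. Run this ON the old DC.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$me    = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction Stop
$OldDc = $me.HostName

# 1. This server must not hold any FSMO role; demoting a role holder is exactly the
#    situation the FSMO-transfer step exists to prevent
$forest = Get-ADForest
$domain = Get-ADDomain
$held = @(
    $forest.SchemaMaster, $forest.DomainNamingMaster,
    $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster
) | Where-Object { $_ -eq $OldDc }
$held = @($held)
if ($held.Count -gt 0) { throw "$OldDc still holds $($held.Count) FSMO role(s); transfer them first." }

# 2. At least one other DC must exist, otherwise demotion would remove the domain itself
$others = @(Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $OldDc })
if ($others.Count -eq 0) { throw "$OldDc is the only DC in $($domain.DNSRoot); stopping." }

# 3. Replication involving this DC must be clean so its last changes already exist elsewhere
$failures = @(Get-ADReplicationFailure -Target $OldDc)
if ($failures.Count -gt 0) {
    $failures | Format-Table Server, Partner, LastError -AutoSize
    throw "Replication involving $OldDc is failing; do not demote until it is healthy."
}

# 4. Prerequisite test, then the real demotion. No -ForceRemoval and no
#    -DemoteOperationMasterRole: the cmdlet should refuse rather than leave stale
#    metadata behind or carry a role away with the server.
$localAdminPw = Read-Host -AsSecureString 'New local Administrator password for the demoted server'
$check = Test-ADDSDomainControllerUninstallation -LocalAdministratorPassword $localAdminPw
$check | Format-List
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; see the messages above.' }   # Status property: assumption

Uninstall-ADDSDomainController -LocalAdministratorPassword $localAdminPw -Confirm:$false
```

The server reboots when the demotion completes. Because the script never passes -ForceRemoval, a failure at any point leaves the DC intact and the directory metadata consistent, which is the property the warning at the top of this article is protecting.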

After Decommissioning

After the old domain controller has been properly decommissioned:

  • The server is no longer a domain controller
  • Active Directory references are automatically cleaned up
  • DNS records should be cleaned up automatically
  • The server can be removed from the domain or repurposed

Note: If the old domain controller is no longer accessible or was force-removed, you'll need to perform metadata cleanup (see Step 4). However, this should only be done if proper decommissioning is impossible.

Step 4: Manual Cleanup (Only if Proper Decommissioning Wasn't Possible)

Warning: Only perform these steps if the old domain controller was not properly decommissioned (e.g., hardware failure, inaccessible server). If you properly decommissioned the server in Step 3, most of these steps should already be done automatically. You may still need to verify cleanup is complete.

Remove Old Server from AD Sites and Services

If the old domain controller wasn't properly decommissioned, you'll need to manually remove it from Active Directory Sites and Services:

  1. Open Active Directory Sites and Services (dssite.msc or from Server Manager)
  2. Navigate to: Sites → Default-First-Site-Name (or your site name) → Servers
  3. Expand the old server name
  4. Right-click on NTDS Settings and select Delete
  5. Confirm the deletion
  6. Right-click on the old server name and select Delete
  7. Confirm the deletion

This removes the old domain controller from Active Directory Sites and Services. The NTDS Settings must be deleted before you can delete the server object.

Why This Step Is Important

Removing the old server from AD Sites and Services:

  • Prevents replication attempts to a non-existent server
  • Cleans up Active Directory metadata
  • Removes stale references that can cause issues
  • Maintains clean AD topology

Step 5: Upgrade Forest and Domain Functional Levels

After transferring roles and cleaning up the old server, upgrade your forest and domain functional levels if needed. Higher functional levels provide additional features and better security.

Check Current Functional Levels

First, check your current functional levels:

Get-ADForest | Select-Object ForestMode
Get-ADDomain | Select-Object DomainMode

Upgrade Domain Functional Level

Upgrade the domain functional level using PowerShell:

Set-ADDomainMode -Identity yourdomain.com -DomainMode Windows2016Domain

Replace yourdomain.com with your domain name and Windows2016Domain with your target functional level (Windows2012R2Domain, Windows2016Domain, etc.). The -DomainMode value must be one of the ADDomainMode names, which carry the Domain suffix.

Upgrade Forest Functional Level

Upgrade the forest functional level:

Set-ADForestMode -Identity yourdomain.com -ForestMode Windows2016Forest

Again, replace with your forest root domain and target functional level; the -ForestMode value takes the matching ADForestMode name (Windows2012R2Forest, Windows2016Forest, etc.). Note that you must upgrade the domain functional level first before upgrading the forest level.

Functional Level Requirements

Important considerations for functional levels:

  • All domain controllers must be running a Windows Server version that supports the target functional level
  • You cannot downgrade functional levels (one-way operation)
  • Higher functional levels provide additional features but require newer Windows Server versions
  • Check Microsoft documentation for supported functional levels and their requirements
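The first bullet above is the one that actually fails in practice, so here is an added example (not the article's own code) that checks it before touching anything: it maps each ADDomainMode name to the minimum domain controller operating system, parses the OperatingSystem attribute of every DC, and only raises the domain level, then the forest level, when no DC is too old. The mapping table, the year-plus-0.5 encoding of R2 releases, and a single-domain forest are this example's assumptions; the ActiveDirectory RSAT module is required.

```powershell
# Added example, not part of the original article: refuse to raise the functional level
# unless every DC runs an OS that supports the target. Assumes the ActiveDirectory module
# and a single-domain forest (the forest level is derived from the domain level).
Import-Module ActiveDirectory

# Minimum DC operating system for each ADDomainMode name (assumed mapping for this example).
# R2 releases are encoded as year + 0.5 so that "2012 R2" sorts above "2012".
$MinOsForLevel = @{
    Windows2008Domain   = 2008
    Windows2008R2Domain = 2008.5
    Windows2012Domain   = 2012
    Windows2012R2Domain = 2012.5
    Windows2016Domain   = 2016
    Windows2025Domain   = 2025
}

function Get-OsRank([string]$OperatingSystem) {
    # Turns "Windows Server 2012 R2 Standard" into 2012.5; $null when the string is unparseable
    if ($OperatingSystem -match 'Windows Server (\d{4})( R2)?') {
        $year = [int]($Matches[1])
        if ($Matches[2]) { return $year + 0.5 }
        return $year
    }
    return $null
}

function Test-FunctionalLevelReadiness([string]$TargetLevel) {
    # Returns the DCs that block the upgrade; an empty result means every DC is new enough
    $need = $MinOsForLevel[$TargetLevel]
    if (-not $need) { throw "Unknown level '$TargetLevel'; use a name such as Windows2016Domain" }
    $blocking = foreach ($dc in Get-ADDomainController -Filter *) {
        $rank = Get-OsRank $dc.OperatingSystem
        if ($null -eq $rank -or $rank -lt $need) {
            [pscustomobject]@{ DC = $dc.HostName; OS = $dc.OperatingSystem }
        }
    }
    return @($blocking)
}

$Target = 'Windows2016Domain'   # replace with your target level
$blocking = Test-FunctionalLevelReadiness $Target
if ($blocking.Count -gt 0) {
    $blocking | Format-Table -AutoSize
    throw "These domain controllers do not support $Target; upgrade or retire them first."
}

Write-Host "Current levels: $((Get-ADDomain).DomainMode) / $((Get-ADForest).ForestMode)"

# Domain level first, then forest level, in the order the article gives. Both are one-way.
Set-ADDomainMode -Identity (Get-ADDomain).DNSRoot -DomainMode $Target -Confirm:$false
$forestTarget = $Target -replace 'Domain$', 'Forest'
Set-ADForestMode -Identity (Get-ADForest).RootDomain -ForestMode $forestTarget -Confirm:$false
```

An unparseable OperatingSystem value is treated as blocking rather than ignored: a DC whose OS you cannot identify is not one you want to assume is new enough for a one-way change.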

Step 6: Perform DFSR Migration (If Required)

Important: This step is only required if you're migrating from Windows Server 2008 or earlier, or if your domain is still using FRS (File Replication Service) for SYSVOL replication.

When DFSR Migration Is Required

You must perform DFSR migration if:

  • Your domain was created on Windows Server 2008 or earlier: These versions used FRS for SYSVOL replication. FRS is deprecated and not supported on Windows Server 2016 and later.
  • You're introducing Windows Server 2016+ domain controllers: If your domain still uses FRS, you cannot promote a Windows Server 2016+ domain controller until you migrate to DFSR. The promotion will fail with an error indicating FRS is deprecated.
  • You're upgrading to Windows Server 2016+: Before upgrading domain controllers, you must complete the FRS to DFSR migration.

When DFSR Migration Is NOT Required

You can skip this step if:

  • Your domain was created on Windows Server 2012 R2 or later: These versions default to DFSR, so no migration is needed.
  • You're already on Windows Server 2016+: These versions only support DFSR, not FRS. If you're already on these versions, you're likely already using DFSR.
  • You've already completed the migration: If you previously migrated from FRS to DFSR, you don't need to do it again.

How to Check If Migration Is Needed

To check if your domain is using FRS or DFSR, run this command on a domain controller:

dfsrmig /getglobalstate

If the output shows you're using FRS or indicates migration is needed, proceed with the DFSR migration. If it shows you're already using DFSR or the command indicates DFSR is active, you can skip this step.

Performing the Migration

If migration is required, follow the complete process in the DFSR Migration Guide. The basic process involves:

  1. Checking current migration state: dfsrmig /getglobalstate
  2. Progressing through migration states (1, 2, 3) using dfsrmig /setglobalstate
  3. Verifying each state with dfsrmig /getmigrationstate
  4. Completing the migration process

Critical: Complete the DFSR migration before promoting Windows Server 2016+ domain controllers. Failure to do so will prevent the new domain controller from being promoted successfully.

Additional Cleanup Tasks

Remove Old DC from DNS

Remove any remaining DNS entries for the old domain controller:

  • Check _msdcs.yourdomain.com zone for old server references
  • Remove old DC's A records
  • Remove old DC's SRV records
  • Verify DNS replication

Remove Old DC Computer Account

If the old domain controller computer account still exists in Active Directory Users and Computers, remove it:

  1. Open Active Directory Users and Computers
  2. Navigate to Domain Controllers OU
  3. Delete the old domain controller computer account (if present)

Check for Remaining References

Search for any remaining references to the old domain controller:

  • Check Active Directory Sites and Services (already done above)
  • Check DNS zones
  • Check Group Policy Management Console for any DC-specific policies
  • Review event logs for errors related to the old server

Verification Steps

After completing the migration, verify everything is working correctly:

1. Verify FSMO Roles

Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

All roles should show your new domain controller.

2. Verify Replication

repadmin /showrepl
repadmin /replsummary

Check that replication is healthy and there are no errors.

3. Verify DNS

dcdiag /test:dns

Run DNS diagnostics to ensure DNS is functioning correctly.

4. Verify Domain Controller Health

dcdiag /v

Run comprehensive domain controller diagnostics to check for any issues.

5. Test Client Authentication

Test that clients can:

  • Authenticate to the domain
  • Access domain resources
  • Receive Group Policy updates
  • Resolve DNS queries
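The checks under "Check for Remaining References" and verification steps 1 and 2 can be run as a single pass. The script below is an added example, not code from the original article: it confirms every FSMO role is on the new DC, pulls replication failures for the whole forest, and then looks for anything the old DC left behind (its server and NTDS Settings objects under Sites, its computer account, and its A and SRV records as seen by the DNS service on the new DC). OLDDCNAME and NEWDCNAME are placeholder short hostnames; the ActiveDirectory and DnsServer RSAT modules are assumed.

```powershell
# Added example, not part of the original article: one post-migration verification pass.
# OLDDCNAME / NEWDCNAME are placeholders for the short hostnames of the retired and new DC.
# Assumes the ActiveDirectory and DnsServer RSAT modules.
Import-Module ActiveDirectory
Import-Module DnsServer

$OldDc  = 'OLDDCNAME'
$NewDc  = 'NEWDCNAME'
$domain = Get-ADDomain
$forest = Get-ADForest
$cfgNC  = (Get-ADRootDSE).configurationNamingContext
$findings = New-Object System.Collections.Generic.List[string]

# 1. All five FSMO roles must resolve to the new DC
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
foreach ($h in $holders) {
    if ($h -notlike "$NewDc.*") { $findings.Add("FSMO role held by $h rather than $NewDc") }
}

# 2. No replication failures reported anywhere in the forest
foreach ($f in Get-ADReplicationFailure -Scope Forest) {
    $findings.Add("Replication failure on $($f.Server) from $($f.Partner): $($f.LastError)")
}

# 3. No leftover server / NTDS Settings objects for the old DC in the Sites container
$server = Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter "(&(objectClass=server)(cn=$OldDc))"
if ($server) {
    $findings.Add("Server object still present: $($server.DistinguishedName)")
    $ntds = Get-ADObject -SearchBase $server.DistinguishedName -LDAPFilter '(objectClass=nTDSDSA)'
    if ($ntds) { $findings.Add("NTDS Settings still present under $($server.DistinguishedName)") }
}

# 4. No leftover computer account
$acct = Get-ADComputer -LDAPFilter "(cn=$OldDc)"
if ($acct) { $findings.Add("Computer account still present: $($acct.DistinguishedName)") }

# 5. No A or SRV records for the old DC, read from the DNS service on the new DC
$zone = $domain.DNSRoot
$aRecs = Get-DnsServerResourceRecord -ComputerName $NewDc -ZoneName $zone -RRType A -ErrorAction SilentlyContinue |
         Where-Object { $_.HostName -eq $OldDc }
foreach ($r in $aRecs) { $findings.Add("Stale A record: $OldDc -> $($r.RecordData.IPv4Address)") }
$srvRecs = Get-DnsServerResourceRecord -ComputerName $NewDc -ZoneName "_msdcs.$zone" -RRType Srv -ErrorAction SilentlyContinue |
           Where-Object { $_.RecordData.DomainName -like "$OldDc.*" }
foreach ($r in $srvRecs) { $findings.Add("Stale SRV record: $($r.HostName) -> $($r.RecordData.DomainName)") }

if ($findings.Count -eq 0) {
    Write-Host "Verification passed: roles on $NewDc, replication clean, no trace of $OldDc"
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    throw "$($findings.Count) verification finding(s); review before wiping the old server."
}
```

Because the old DC's server object is the parent of its NTDS Settings object, the script only looks for NTDS Settings once the server object has been found; that ordering mirrors the manual rule in Step 4 that NTDS Settings has to go before the server object can. The DNS queries are directed at the new DC so that you are checking the zone copy clients will actually be served from, not a cached view on the machine you happen to be sitting at.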

Common Issues and Solutions

FSMO Role Transfer Fails

If FSMO role transfer fails:

  • Verify network connectivity between domain controllers
  • Check that replication is working: repadmin /showrepl
  • Ensure the new DC is fully synchronized
  • Check event logs for specific errors
  • Verify you have proper permissions (Domain Admins, Enterprise Admins for Schema/Domain Naming)

Cannot Delete NTDS Settings

If you cannot delete NTDS Settings:

  • Ensure the old domain controller is completely offline
  • Wait for replication to complete after FSMO transfer
  • Try using ntdsutil for metadata cleanup if needed
  • Check that the server is not holding any FSMO roles

Replication Errors After Migration

If you see replication errors:

  • Verify the old server is completely removed from AD
  • Check DNS for stale SRV records
  • Run repadmin /syncall to force replication
  • Review event logs on remaining domain controllers

Functional Level Upgrade Fails

If functional level upgrade fails:

  • Verify all domain controllers support the target functional level
  • Check for domain controllers that haven't been updated
  • Ensure you're running the command from a DC that supports the target level
  • Review prerequisites for the target functional level

Best Practices

  • CRITICAL: Always have backups you can restore: Create full Active Directory backups before starting. Test that you can restore from these backups. This is your safety net if something goes wrong.
  • ALWAYS decommission properly: Use dcpromo /demote or Server Manager to properly decommission the old DC. Never force-delete or skip the decommission process.
  • Test in non-production first: If possible, practice in a lab environment
  • Document everything: Keep records of what was done and when
  • Maintain maintenance windows: Schedule migrations during low-usage periods
  • Monitor after migration: Watch event logs and replication for issues
  • Verify before cleanup: Don't decommission the old server until everything is verified and roles are transferred
  • Keep old server available initially: Don't wipe the old server immediately - keep it available for rollback if needed
  • Follow proper sequence: Transfer roles, verify, decommission properly, then perform additional cleanup if needed

Complete Process Summary

Here's the complete process in order:

  1. CRITICAL: Create full AD backups that you can restore from
  2. Verify new domain controller is operational and replicating
  3. Transfer all FSMO roles to new domain controller
  4. Verify FSMO roles were transferred successfully
  5. Wait for replication to complete
  6. Properly decommission the old domain controller using dcpromo /demote or Server Manager
  7. After decommission, verify cleanup and remove any remaining references from AD Sites and Services if needed
  8. Upgrade domain functional level
  9. Upgrade forest functional level
  10. Perform DFSR migration (if required - only needed when migrating from Server 2008 or earlier, or introducing Server 2016+ DCs)
  11. Clean up DNS entries for old server (if not done automatically during decommission)
  12. Remove old DC computer account if present (usually done automatically during decommission)
  13. Run verification checks (FSMO, replication, DNS, dcdiag)
  14. Test client connectivity and authentication
  15. Monitor for issues and address any problems

When to Use This Process

Use this process when:

  • Replacing an old domain controller with a new one
  • Upgrading to newer Windows Server versions
  • Consolidating domain controllers
  • Decommissioning old hardware
  • Moving to new server infrastructure

Conclusion

Taking over a domain with a new controller requires careful execution of several steps. Transferring FSMO roles, cleaning up the old server, upgrading functional levels, and performing DFSR migration ensures a smooth transition and maintains Active Directory health.

Follow the steps in order, verify each step completes successfully, and monitor the environment after migration. With proper planning and execution, you can successfully migrate to a new domain controller with minimal disruption.

Need Help with This Process?

If you need help with domain controller migration, or if this is out of your scope to complete, we're here to help. Contact us through our contact page at nhmohio.com and we'll be happy to assist with any project, including domain controller migrations, FSMO role transfers, and other Active Directory infrastructure projects.

Related Articles:

← DFSR Migration Guide: Using dfsrmig Commands