What Command Do You Issue To Convert A Server To A Domain Controller?
In this post, I will demonstrate how to modify the IP address on a domain controller.
Before you change the IP address it is very important to run through a checklist. Any changes to a domain controller can disrupt services and impact business operations. See my checklist below.
For this demonstration, I have the following settings.
- DC1, IP Address 192.168.100.10
- DC2, IP Address 192.168.100.11
- DC3, IP Address 192.168.100.12
I'm going to change the IP on DC2 to 192.168.100.15. If you are changing to a different subnet there are additional things to consider that I go over in the checklist.
Pre-Change Checklist
I recommend reviewing each item on this checklist before making changes. I've migrated many domain controllers from small to large networks and these steps have been a lifesaver. If you do this often you will probably come up with your own checklist.
Do You Have Multiple Domain Controllers?
It is best practice to have multiple domain controllers and to back up Active Directory for disaster recovery reasons. I do not recommend making major changes to domain controllers if you have a single domain controller. If you have multiple DCs and the change breaks the server you can still operate from a secondary DC.
You can list all domain controllers in the domain with this command:
Get-ADDomainController -filter * | select hostname, domain, forest
Check FSMO Roles
Does the DC hold any FSMO roles? Easily cheque with this command:
netdom query fsmo
Below you can see all my FSMO roles are on DC1.
To help avoid disruption to authentication services you could move the FSMO roles to another domain controller that is on the same site. Keep in mind you would need to move any services that are manually configured to the server.
I'm making changes to DC2 which has no FSMO roles running on it.
Check Installed Roles and Features
I recommend checking what services are running on the server; you don't want to change the IP and then have something break because you didn't know it was a DHCP server or a web server.
- Check the control panel for installed software
- Check the installed roles and features
You can quickly check the installed roles and features with this command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}
Below you can see my DC2 server has some critical services running on it including DHCP and DNS. I'll need to consider this when changing IP addresses.
Find Devices Pointing to the Domain Controller with Wireshark
Wireshark can help you identify what systems are pointing to your domain controller for various services like DNS, DHCP, and so on. This might be the most important pre-change step.
Useful Wireshark filters:
- dns
- dhcp
- ldap
- dcerpc
Here is an example:
The packet capture shows that system 192.168.100.22 is using DC2 for DNS. I've done a large migration of domain controllers before and used Wireshark to help identify systems that are still pointing to old domain controllers. From experience, you will probably be surprised at how many systems are hardcoded to your DCs.
Check Domain Controller Health
You need to check that your domain controller is healthy before making the change. Any issues could result in replication issues, DNS problems, and so on. I've got a complete guide on how to use dcdiag; it's really very easy to use. Just open the command prompt on your server and run the command.
dcdiag
Check the Health of DNS
By default, dcdiag does not test DNS. Use this command to run a complete test on DNS.
dcdiag /test:dns /v
Make sure the server passes all tests and the name resolution SRV record is registered.
Run Best Practice Analyzer
The Best Practice Analyzer can find configuration problems according to Microsoft best practices. The BPA tool is not always accurate so you need to double check its findings. Also, any errors or warnings do not mean your migration will fail. It can just help you find any major misconfigurations according to Microsoft best practices.
Here is a scan from my DC2.
I've got a warning that the loopback address is not included on the ethernet adapter settings. The best practice is to point the preferred DNS server to another DNS server (not itself).
Here is an example of how it should be configured:
My DC2 IP address is 192.168.100.11. You can see I set up the preferred DNS to another domain controller (DC1) and the alternate is set to the loopback address. This is Microsoft's best practice.
Again, any warnings or errors the Best Practice Analyzer finds don't mean your migration will fail. But to help avoid any potential migration issues I recommend running this tool and reviewing the scan results. It might even fix some issues you weren't aware of.
Are You Changing Subnets?
If you will be changing to a new subnet then consider the following:
- If the server also runs DHCP you will need to update the helper address on your switch or firewall.
- Add the new subnet to Active Directory sites and services.
Check Firewall Rules
Are there any firewall rules that will need to be updated? This could be your network firewall and Windows-based firewalls. I typically have rules on the network firewall that limit network access for critical servers like domain controllers. I would need to update the firewall rules to allow traffic to the new DC IP.
Plan & Schedule the IP Change
I recommend making this type of change during your maintenance window. No matter how much you prepare for changes there is always a potential for something going wrong. You need to have a maintenance window to allow time to resolve any issues. Don't forget to communicate these changes with your team ahead of time.
How to Change the IP Address of a Domain Controller:
Here are the steps to changing the IP Address on a domain controller.
- Log on locally to the server (console access, don't RDP or use remote access).
- Change NIC TCP/IP settings
  - Change IP Address
  - Change subnet mask (if required)
  - Change Default gateway (if required)
  - Preferred DNS server (should point to another DC in the same site)
  - Alternate DNS server (should be the loopback address 127.0.0.1)
- After changing the IP run ipconfig /flushdns to remove local cache
- Run ipconfig /registerdns to ensure the new IP is registered by the DNS server
- Run dcdiag /fix to ensure service records are registered.
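
The same steps can be carried out from an elevated PowerShell prompt on the server console. This is an added example, not part of the original post; it uses the demo addresses from this article, assumes the adapter is named "Ethernet", and covers only a change within the same subnet (gateway and mask stay as they are).

```powershell
# Added example. Addresses are the article's demo values; the adapter alias
# is an assumption. Run elevated from the server console, not over RDP.
$Alias = 'Ethernet'                      # assumption: NIC name on DC2
$OldIP = '192.168.100.11'
$NewIP = '192.168.100.15'
$Dns   = '192.168.100.10', '127.0.0.1'   # preferred = DC1, alternate = loopback

# Fail early if the old address is not bound where we expect it.
$old = Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 `
                        -IPAddress $OldIP -ErrorAction Stop

# Keep a copy of the current settings for rollback.
Get-NetIPConfiguration -InterfaceAlias $Alias -Detailed |
    Out-File "$env:TEMP\ipconfig-before-change.txt"

# Bind the new address with the existing prefix length, then drop the old
# address and set the DNS client order described in the steps above.
New-NetIPAddress -InterfaceAlias $Alias -IPAddress $NewIP `
                 -PrefixLength $old.PrefixLength -ErrorAction Stop | Out-Null
Remove-NetIPAddress -InterfaceAlias $Alias -IPAddress $OldIP -Confirm:$false
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $Dns

# Clear the local cache, register the new IP in DNS, and make sure the
# service records are registered (the last three steps in the list).
ipconfig /flushdns
ipconfig /registerdns
dcdiag /fix

# Show what is bound now; only $NewIP should be listed.
Get-NetIPAddress -InterfaceAlias $Alias -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength
```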
Done. Nice work!
Post Alter Checklist:
- Update DHCP settings if DC server is also DNS server
- If the subnet address changed then make sure AD Sites and Services is updated
- Update clients that use static IP addresses
- Update other DCs' NIC settings (if needed)
- Run commands dcdiag and dcdiag /test:dns /v to check for issues.
- Verify DNS is working; you can do this with nslookup.
- Test authenticating to the DC. You can do this by manually setting a client's DNS settings to the IP of the DC or by using PowerShell and specifying the authentication server.
- Continue to monitor the old IP with Wireshark. This can be done by a span port or by assigning the DC's old IP to a computer with Wireshark installed. This is useful to help find systems that are still using the old IP of the DC.
- Update firewall rules if needed.
- If a client system is having issues try to flush the local DNS cache with the ipconfig /flushdns command
- Changing the IP address on the DC should not affect any shares on the server as long as DNS is updated.
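
The DNS and authentication checks from this list can be scripted so that a stale record on any one DNS server is visible. This is an added example, not part of the original post; it uses the article's demo name and addresses and assumes every domain controller also runs DNS and that the ActiveDirectory module is installed.

```powershell
# Added example; DC2 and the two addresses are the article's demo values.
Import-Module ActiveDirectory
$DcName = 'DC2'
$OldIP  = '192.168.100.11'
$NewIP  = '192.168.100.15'

$domain = (Get-ADDomain).DNSRoot
$fqdn   = "$DcName.$domain"

# Ask each DC's DNS service directly (assumption: all DCs run DNS), so the
# local resolver cache cannot hide a record that has not replicated yet.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $a   = Resolve-DnsName -Name $fqdn -Type A -Server $dc.IPv4Address `
                           -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' }
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV `
                           -Server $dc.IPv4Address -DnsOnly `
                           -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -eq $fqdn }
    [pscustomobject]@{
        DnsServer = $dc.HostName
        ARecords  = $a.IPAddress -join ', '
        HasNewIP  = $a.IPAddress -contains $NewIP
        HasOldIP  = $a.IPAddress -contains $OldIP   # True = stale record
        SrvRecord = [bool]$srv                      # DC locator record present
    }
}
$report | Format-Table -AutoSize

# Bind to the changed DC by name to confirm it answers authenticated queries.
try {
    Get-ADDomainController -Identity $fqdn -Server $fqdn -ErrorAction Stop |
        Select-Object HostName, IPv4Address, Site
} catch {
    Write-Warning "Could not query $fqdn directly: $($_.Exception.Message)"
}
```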
Summary
In this post, I showed you how to change the IP address on a domain controller. I also showed you a checklist I go through before changing the IP address. Authentication, DNS, and DHCP services are critical so it's very important to plan and review as much as you can before making changes to these critical services. Also, all organizations and networks are different so over time you may have a different checklist than mine.
Source: https://activedirectorypro.com/change-ip-address-on-domain-controller/
Posted by: carusoagied2001.blogspot.com