Moving FSMO roles, DNS and DHCP from one Domain Controller to another Domain Controller machine.

Sometimes you may need to move your DNS, DHCP and AD to another machine. You can follow the steps outlined below to make this happen:

Scenario: You want to move everything to DC3.

If your DNS zone is AD-Integrated:

1. On DC3, install DNS > make the zone AD-integrated > wait for Active Directory replication, or force replication from the Active Directory Sites and Services snap-in, so that all DNS records and SRV records are replicated to this DNS server (DC3).

2. Next, transfer the FSMO roles.

The reason the FSMO roles are transferred only in the second step: all AD tools, clients and built-in Windows services that rely on FQDNs query the authoritative DNS server for the zone to find the FSMO role holders and domain controllers, so DC3 must already be serving the replicated zone before the roles move there.

3. Finally, install DHCP on DC3 and follow the article linked below to transfer the DHCP database. DHCP has no such ordering dependency on DNS and AD DS.

Make sure you follow the basic guidelines for the DNS setup on DC3:

1. On DC3, make sure the preferred DNS server in the server's TCP/IP properties is the server's own IP address, so that it can register its SRV and A records.

2. Client machines must use this IP address as their primary DNS server to locate domain controllers and receive Group Policy settings.

3. Configure forwarders on the DNS server to forward queries it cannot answer to other DNS servers, such as the ISP's DNS server or another DNS server in your domain or forest. Do not put the ISP's DNS server in the TCP/IP properties. The root zone (".") must be deleted before forwarders can be configured.

4. Make sure dynamic updates (or secure dynamic updates) are enabled on the authoritative zone.

5. Make sure the SOA record of the DNS zone points to the correct DNS server.

6. Run ipconfig /registerdns from a command prompt to register the server's A records in the zone.

7. If the server has two LAN cards, make sure the internal NIC is listed first in the binding order.
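As an added example (not code from the original article), the following PowerShell script carries out steps 1 and 2 in the order the article requires: it checks that the AD-integrated zone, dynamic updates and the DC locator SRV record have reached DC3 (guidelines 1, 4 and 6 above) before moving the five FSMO roles there, then verifies the new role holders. It assumes the new DC is named DC3, that the ActiveDirectory and DnsServer RSAT modules are installed, and that it runs with Enterprise Admin rights.

```powershell
# Added example, not from the original article. Assumes the new DC is DC3 and
# the ActiveDirectory and DnsServer modules are available on this machine.
Import-Module ActiveDirectory, DnsServer

$NewDc  = 'DC3'
$Domain = (Get-ADDomain).DNSRoot
$Roles  = 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

# Article step 1 / guideline 4: the zone on DC3 must be AD-integrated and accept dynamic updates,
# otherwise DCs cannot register the SRV records that clients use to find the role holders.
$zone = Get-DnsServerZone -ComputerName $NewDc -Name $Domain -ErrorAction Stop
if (-not $zone.IsDsIntegrated) { throw "Zone $Domain on $NewDc is not AD-integrated." }
if ($zone.DynamicUpdate -eq 'None') { throw "Dynamic updates are disabled on zone $Domain." }

# Guideline 1: DC3's own TCP/IP DNS setting must point at DC3 so it can register itself.
$ownIps    = (Resolve-DnsName -Name "$NewDc.$Domain" -Type A -Server $NewDc -ErrorAction Stop).IPAddress
$clientDns = (Get-DnsClientServerAddress -CimSession $NewDc -AddressFamily IPv4).ServerAddresses
if (-not ($clientDns | Where-Object { $ownIps -contains $_ })) {
    throw "$NewDc does not list its own IP as a DNS server; fix TCP/IP properties first."
}

# Guideline 6 / step 1: DC3 must answer the DC locator query with its own SRV record,
# which proves that replication (or ipconfig /registerdns) has already done its work.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $NewDc -ErrorAction Stop
if (-not ($srv | Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$NewDc.*" })) {
    throw "$NewDc has not registered its DC locator SRV record yet; wait for replication."
}

# Article step 2: only now transfer (not seize) all five FSMO roles to DC3.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -OperationMasterRole $Roles -Confirm:$false

# Verify each role holder as reported by the domain and forest objects.
$d = Get-ADDomain
$f = Get-ADForest
$holders = @{
    PDCEmulator          = $d.PDCEmulator
    RIDMaster            = $d.RIDMaster
    InfrastructureMaster = $d.InfrastructureMaster
    SchemaMaster         = $f.SchemaMaster
    DomainNamingMaster   = $f.DomainNamingMaster
}
foreach ($role in $Roles) {
    $status = if ($holders[$role] -like "$NewDc.*") { 'OK' } else { 'NOT MOVED' }
    '{0,-22} {1,-35} {2}' -f $role, $holders[$role], $status
}
```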

Moving DHCP Database:

How to move the DHCP database from one server to another: Microsoft Knowledge Base article 130642

6 thoughts on “Moving FSMO roles, DNS and DHCP from one Domain Controller to another Domain Controller machine.”

  1. Do NOT use forwarders in most cases! Your information is wrong. By using forwarders, you are not building a DNS cache on your server, and you’re just redirecting your clients to an external DNS server, instead of using your AD server.

    The only time to use forwarders is if you have a secure DNS server internally, and you own another DNS server in your DMZ. Then you forward your internal DNS to the DMZ DNS server.

    Please correct this erroneous information.

  2. The comment above is completely wrong.. the forwarders are for the ISP's DNS resolution (everything that is not the AD DNS).

    Please be sure and informed before commenting..

  3. Both answers are correct… kinda.

    If you want your DNS server to resolve all external domains directly from the root DNS servers (Recommended), do not setup forwarding.

    If you want to rely on your ISP to resolve all external domains for you, turn on forwarding. If your ISP has issues or changes its server IPs, you may/will have issues resolving external domains.
