Monday, February 27, 2006

How to replace single domain controller in domain with a single domain controller?

Question
How to replace single domain controller in domain with a single domain controller?

Answer
The following article describes guidelines for replacing an existing Windows 2003 Domain Controller with a new server.

The article assumes the following prerequisites:

  1. There is no Exchange, SQL Server, etc. on the current Domain Controller.
  2. There is only one domain, and only one Domain Controller, which also functions as DHCP, WINS, DNS, File and Print Server.
  3. The source server is running regular (non-SBS) Windows 2003 Standard or higher.

The following steps need to be taken to replace the existing Domain Controller.

  1. Install Windows 2003 Standard or higher on a new server.
    Tip: You will need to set the current Domain Controller as the new server's DNS server.
  2. Promote the new server to become a Domain Controller (in the same domain).
    Step-by-Step Guide to Setting Up Additional Domain Controllers
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/addomcon.mspx
  3. Promote the new Domain Controller to "Global Catalog" and reboot the server.
    Enable or disable a global catalog
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7b1c3e1c-ef32-4b8e-b4c4-e73910575f61.mspx
  4. Install the DNS server on the new Domain Controller.
    How To Integrate Windows Server 2003 DNS with an Existing DNS Infrastructure in Windows Server 2003
    http://support.microsoft.com/kb/323417
    How To Install and Configure DNS Server in Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;en-us;814591
  5. Set the local IP of the new Domain Controller as its DNS server.
  6. Optional: Install the WINS service on the new Domain Controller and change the Domain Controller's IP settings to point to the local IP as the WINS server.
    Tip: You can migrate the current WINS database to the new server.
    How to migrate a WINS Database from Windows 2000-based WINS server to a Windows 2003-based WINS server
    http://support.microsoft.com/default.aspx?scid=kb;en-us;875419
  7. Move the FSMO roles to the new Domain Controller.
    How to view and transfer FSMO roles in the graphical user interface
    http://support.microsoft.com/default.aspx?scid=kb;en-us;255690
  8. Remove the "Global Catalog" function from the original Domain Controller and reboot the server.
    Enable or disable a global catalog
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/7b1c3e1c-ef32-4b8e-b4c4-e73910575f61.mspx
  9. Demote the original Domain Controller so that it is no longer a Domain Controller.
  10. Migrate printer settings from the old server to the new one by using the "Windows Print Migrator 3.1" tool.
    Microsoft Windows Server 2003 Print Migrator 3.1
    http://www.microsoft.com/WindowsServer2003/techinfo/overview/printmigrator3.1.mspx
  11. Migrate File Server settings from the old server to the new one by using the "Microsoft File Server Migration Toolkit".
    Microsoft File Server Migration Toolkit
    http://www.microsoft.com/windowsserver2003/upgrading/nt4/tooldocs/msfsc.mspx
  12. Install the DHCP server on the new Domain Controller and migrate the DHCP settings from the old server.
    How to move a DHCP database from a computer that is running Windows NT Server 4.0, Windows 2000, or Windows Server 2003 to a computer that is running Windows Server 2003
    http://support.microsoft.com/default.aspx?scid=kb;en-us;325473
    Tip: Don't forget to set the new Domain Controller as the DNS (and optionally WINS) server for the DHCP scope(s).
  13. Edit user profiles and/or user logon scripts to point to the new Domain Controller as File Server and Print Server.
  14. Uninstall unnecessary services from the old Domain Controller.
  15. Install third-party tools on the new Domain Controller (backup software, antivirus, etc.).
  16. Re-register users' computers with the new DHCP server by using ipconfig /release and ipconfig /renew.
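A check to run on the new Domain Controller after steps 2 to 7 and before the old one is demoted in steps 8 and 9, as an added example that is not part of the original article. It uses the .NET System.DirectoryServices.ActiveDirectory classes plus nslookup and WMI; the only assumption is that it runs on the new DC under a domain account.

```powershell
# Added example (not code from the original post): run on the NEW domain
# controller after steps 2-7, before demoting the old one in steps 8-9.
# It confirms that the five FSMO roles and the Global Catalog are on this
# server, that the DC locator SRV record resolves to it, and that its own
# TCP/IP settings use the local IP for DNS (and WINS). Only assumption:
# the script runs on the new DC with domain credentials.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$newDc  = "$($env:COMPUTERNAME).$($domain.Name)".ToLower()
$failed = 0

# Step 7: three domain-wide and two forest-wide FSMO role holders.
$roles = @{
    'PDC Emulator'   = $domain.PdcRoleOwner.Name
    'RID Master'     = $domain.RidRoleOwner.Name
    'Infrastructure' = $domain.InfrastructureRoleOwner.Name
    'Schema Master'  = $forest.SchemaRoleOwner.Name
    'Domain Naming'  = $forest.NamingRoleOwner.Name
}
foreach ($role in $roles.Keys) {
    $holder = $roles[$role].ToLower()
    if ($holder -eq $newDc) { "OK   $role is on $holder" }
    else { "FAIL $role is still on $holder"; $failed++ }
}

# Step 3: this server must be a Global Catalog before the old GC is removed.
$gcs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name.ToLower() })
if ($gcs -contains $newDc) { "OK   $newDc is a Global Catalog" }
else { "FAIL $newDc is not a Global Catalog (GCs: $gcs)"; $failed++ }

# Steps 4-5: clients locate DCs through this SRV record; it must list the new DC.
$srv = @(nslookup -q=srv "_ldap._tcp.dc._msdcs.$($domain.Name)" 2>&1 |
        Select-String 'svr hostname' |
        ForEach-Object { $_.Line.Split('=')[1].Trim().ToLower() })
if ($srv -contains $newDc) { "OK   DC locator SRV record lists $newDc" }
else { "FAIL SRV record does not list $newDc (found: $srv)"; $failed++ }

# Steps 5-6: the DC's own NIC should use its local IP as DNS (and WINS) server.
$nic = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=true')[0]
$localIp = $nic.IPAddress[0]
if ($nic.DNSServerSearchOrder -contains $localIp) { "OK   DNS client uses $localIp" }
else { "FAIL DNS client uses $($nic.DNSServerSearchOrder)"; $failed++ }
if ($nic.WINSPrimaryServer -eq $localIp) { "OK   WINS client uses $localIp" }
else { "WARN WINS primary is '$($nic.WINSPrimaryServer)' (optional step 6)" }

"$failed check(s) failed"
exit $failed
```

A non-zero exit code means the old server still holds something clients depend on, so do not run step 9 yet.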

Replacing Root Hints with the Cache.dns File. Q249868
http://support.microsoft.com/default.aspx?scid=kb;EN-US;249868

Taken from http://mss.net/TechNotes/TechNotes.htm

dcpromo /forceremoval

If you have removed a DC from the domain, dcpromo w/out the /forceremoval switch will fail since it cannot contact the domain to notify of its demotion.
Don't forget after you do a /forceremoval you have to clean up your Active Directory.
Also if that DC held any roles you will have to seize them to another DC.

332199 Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active
http://support.microsoft.com/?id=332199

251307 HOW TO: Remove Orphaned Domains from Active Directory Without Demoting
http://support.microsoft.com/?id=251307

216498 How To Remove Data in Active Directory After an Unsuccessful Domain
http://support.microsoft.com/?id=216498

Also see http://www.petri.co.il/delete_failed_dcs_from_ad.htm

255504 Using Ntdsutil.exe to seize or transfer FSMO roles to a domain controller
http://support.microsoft.com/?id=255504
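The clean-up the note above refers to, as an added example that is not part of the quoted TechNote: run on a surviving Domain Controller after a forced demotion, it finds the dead DC's leftover server object, lists the FSMO roles that still point at it (those are the ones to seize with ntdsutil, KB 255504) and any stale DC locator SRV record, and prints the ntdsutil metadata-cleanup command from KB 216498 instead of executing it. The NetBIOS name in $deadDc is an assumed placeholder.

```powershell
# Added example (not part of the quoted note): after "dcpromo /forceremoval" on a
# DC that could not reach the domain, run this on a SURVIVING domain controller
# to see what the dead DC still owns before the clean-up in KB 216498 / 255504.
# Assumption: $deadDc is the NetBIOS name of the forcibly removed controller.
$deadDc = 'OLDDC'

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext
$schemaNc = [string]$rootDse.schemaNamingContext

# 1. Is its server object (parent of "NTDS Settings") still in the Configuration NC?
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://CN=Sites,$configNc", "(&(objectClass=server)(cn=$deadDc))")
$server = $searcher.FindOne()
if ($server -eq $null) { "No server object for $deadDc left; metadata is clean."; exit 0 }
$serverDn = [string]$server.Properties['distinguishedname'][0]
$ntdsDn   = "CN=NTDS Settings,$serverDn"
"Stale server object: $serverDn"

# 2. fSMORoleOwner on each role-holding object names an NTDS Settings DN.
#    Any role still pointing at the dead DC has to be seized (ntdsutil "roles").
$roleObjects = @{
    'PDC'                   = 'LDAP://' + $domainNc
    'RID master'            = 'LDAP://CN=RID Manager$,CN=System,' + $domainNc
    'infrastructure master' = 'LDAP://CN=Infrastructure,' + $domainNc
    'schema master'         = 'LDAP://' + $schemaNc
    'naming master'         = 'LDAP://CN=Partitions,' + $configNc
}
foreach ($role in $roleObjects.Keys) {
    $owner = [string]([ADSI]$roleObjects[$role]).fSMORoleOwner
    if ($owner -eq $ntdsDn) { "Role '$role' is still on $deadDc -> ntdsutil: seize $role" }
}

# 3. Stale DNS records the old DC registered (KB 216498 lists them for removal).
$domainName = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
nslookup -q=srv "_ldap._tcp.dc._msdcs.$domainName" 2>&1 |
    Select-String 'svr hostname' |
    Where-Object { $_.Line -match "= $deadDc\." } |
    ForEach-Object { "Stale SRV record: $($_.Line.Trim())" }

# 4. The server-object removal itself (Windows 2003 SP1+ ntdsutil syntax). Printed,
#    not executed, so the DN can be checked before running it.
"ntdsutil `"metadata cleanup`" `"remove selected server $serverDn`" quit quit"
```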


Sunday, February 26, 2006

Dcpromo.exe - "Failed to modify the necessary properties for the machine account. Access is denied."

When you run Dcpromo.exe to create a replica domain controller, you receive the "Failed to modify the necessary properties for the machine account. Access is denied." error message.

SYMPTOMS
When you run Dcpromo.exe to create a replica domain controller, you may receive the following error message in Dcpromo.exe: Failed to modify the necessary properties for the machine account. Access is denied.

Examination of the Dcpromoui.log file indicates that the initial part of the promotion was successful (this is also verified because the computer becomes a member server in the domain), but that the promotion to domain controller did not succeed because Dcpromo.exe could not modify the machine account.

CAUSE
This problem can occur if the account that is used for the promotion operation has not been assigned the "Delegation Privilege" right. Or, if this right has been assigned, the policy has not propagated yet, possibly because of replication latency. By default, only members in the Administrators group have the "Delegation Privilege" right.

RESOLUTION

To resolve this problem, use an account in the Administrators group, or add the appropriate account to the Administrators group. To grant this right to another user or group, set the delegation privilege on the Group Policy object:

  1. In the Active Directory Users and Computers snap-in, edit the Default Domain Controllers Policy on the Domain Controllers Organizational Unit.
  2. Double-click Computer Configuration, click Windows Settings, click Security Settings, click Local Policies, and then click User Rights Assignment.
  3. Under Enable Computer and User Accounts to be trusted for Delegation, add the appropriate account or group.
  4. Apply the policy using one of the following methods:
  • At a command prompt, type gpupdate /force (on Windows 2000 Server: secedit /refreshpolicy machine_policy /enforce).
  • In the Sites and Services snap-in (Dssite.msc), use the Replicate Now feature to force replication from the domain controller on which the policy was changed to the other domain controllers in the domain.
To apply the updated policy, restart the domain controller.
http://support.microsoft.com/?kbid=232070 or http://support.microsoft.com/?kbid=250874
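A way to verify the cause above before retrying the promotion, as an added example that is not part of the KB text: run it on the Domain Controller as the account you intend to use for Dcpromo.exe. It exports the DC's effective security policy with secedit, reads the SIDs assigned SeEnableDelegationPrivilege (the "Enable computer and user accounts to be trusted for delegation" right) and compares them with the current logon token, so both direct assignment and membership of Administrators are covered; a right that has not yet replicated to this DC shows up as missing. The temporary file name is the only assumption.

```powershell
# Added example (not part of the KB text): run this on the domain controller, as
# the account you intend to use for Dcpromo.exe, to confirm that the account's
# token actually carries SeEnableDelegationPrivilege ("Enable computer and user
# accounts to be trusted for delegation") in the DC's effective local policy.
# If the policy change has not replicated yet, the right will still be missing here.
$inf = Join-Path $env:TEMP 'effective-policy.inf'   # assumed scratch file name

# Export the effective security settings; [Privilege Rights] holds SIDs per right.
secedit /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
$line = Get-Content $inf | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
if (-not $line) { "SeEnableDelegationPrivilege is assigned to nobody on this DC"; exit 1 }

# Each entry is '*S-1-5-...'; keep the SID and try to resolve it to a name.
$holderSids = ($line -replace '^SeEnableDelegationPrivilege\s*=\s*', '').Split(',') |
    ForEach-Object { $_.Trim().TrimStart('*') }
foreach ($s in $holderSids) {
    $sid  = New-Object System.Security.Principal.SecurityIdentifier($s)
    $name = $s
    try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
    "Right held by: $name ($s)"
}

# The logon token already contains nested group SIDs, so membership of
# BUILTIN\Administrators (the default holder) is covered without extra lookups.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids  = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$matched = @($holderSids | Where-Object { $mySids -contains $_ })
if ($matched.Count -gt 0) {
    "OK   $($me.Name) holds the right via SID(s): $matched"
    exit 0
}
"FAIL $($me.Name) does not hold SeEnableDelegationPrivilege on this DC;"
"     use an Administrators member, or add the account under User Rights"
"     Assignment, run gpupdate /force and restart the domain controller"
exit 1
```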