You've installed a new domain controller -- now what?

Sometimes you won't be able to or won't want to repair a failed domain controller, and will instead elect to install a new one. You can install a new domain controller either by promoting an existing member server so that it is a domain controller, or by installing a new computer and then promoting it. Either way, the domain controller will get its directory information from another domain controller.

Installing a new domain controller is the easy part. Once you've done that, you need to clean up references to the old domain controller so that other computers in the domain don't try to connect to it anymore. You need to remove references to the server in DNS, and you need to examine any roles that the failed server played.

If the failed server was a global catalog server, you should designate another domain controller as a global catalog server. If the failed server held an operations master role, you will need to seize the role and give it to another domain controller.

Let's start with DNS and roles. To clean up DNS, you need to remove all records for the server in DNS. This includes the SRV records that designate the computer as a domain controller and any additional records that designate the computer as a global catalog server or PDC emulator, if applicable.
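The DNS cleanup above is easy to leave half-done because the records are spread across the domain zone and the _msdcs zone. The following PowerShell script is an added example, not code from the original article or its author; it audits both zones for any record that still names the failed domain controller and removes them only when you pass -Remove. It assumes the DnsServer module (RSAT for Windows Server 2012 or later) and a domain administrator account, and the names DC1, DC2 and corp.example.com are placeholders.

```powershell
# Added example (not from the original article). Assumes the DnsServer module
# and a domain-admin account. Hypothetical names: failed DC 'DC1', domain
# 'corp.example.com', surviving DNS server 'DC2'. Report-only without -Remove.
param(
    [string]$FailedDc   = 'DC1',
    [string]$DomainName = 'corp.example.com',
    [string]$DnsServer  = 'DC2',
    [switch]$Remove
)
Import-Module DnsServer

$fqdn = "$FailedDc.$DomainName".ToLower()

# The module reports absolute names with a trailing dot; normalise before comparing.
function Test-FailedDcName([string]$name) { $name.TrimEnd('.').ToLower() -eq $fqdn }

# The domain zone holds the A record and the _sites/_tcp/_udp SRV records; the
# _msdcs zone (a separate zone in most forests) holds the DC, GC and PDC SRV
# records plus the CNAME alias used for replication. If _msdcs is not a separate
# zone its records live in the domain zone and the missing zone is skipped.
$zones = @($DomainName, "_msdcs.$DomainName")

$stale = foreach ($zone in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone -ErrorAction SilentlyContinue |
        Where-Object {
            switch ($_.RecordType) {
                'SRV'   { Test-FailedDcName $_.RecordData.DomainName }     # _ldap/_kerberos/_gc targets
                'CNAME' { Test-FailedDcName $_.RecordData.HostNameAlias }  # <DSA-GUID>._msdcs alias
                'NS'    { Test-FailedDcName $_.RecordData.NameServer }     # zone delegations
                'A'     { $_.HostName.ToLower() -eq $FailedDc.ToLower() }   # the host record itself
                default { $false }
            }
        } |
        ForEach-Object {
            [pscustomobject]@{ Zone = $zone; Name = $_.HostName; Type = $_.RecordType; Record = $_ }
        }
}

if (-not $stale) { "No records for $fqdn remain."; return }

# Show what is still pointing at the failed DC before touching anything.
$stale | Format-Table Zone, Name, Type -AutoSize

if ($Remove) {
    foreach ($s in $stale) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $s.Zone -InputObject $s.Record -Force
    }
    "Removed $($stale.Count) record(s). Confirm that _ldap._tcp.$DomainName now resolves only to surviving DCs."
}
```

Run it once without -Remove, review the table, then run it with -Remove. If the DC was registered in more than one AD site, the _sites SRV records for each site show up in the same listing, which is the usual place stale entries hide.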

To clean up references to the failed domain controller in Active Directory, you'll need to use Ntdsutil. You must use an account with Administrator privileges in the domain. However, you can run Ntdsutil from any computer running Windows 2000 or later. The cleanup process is as follows:
  • Click Start, click Run, type cmd in the Open field, and then click OK.
  • At the command prompt, type ntdsutil. This starts the Directory Services Management Tool.
  • At the Ntdsutil prompt, type metadata cleanup. You should now be at the Metadata Cleanup prompt.
  • Access the Server Connections prompt so that you can connect to a domain controller. To do this, type connections and then type connect to server DCName, where DCName is the name of a working domain controller in the same domain as the failed domain controller.
  • Exit the Server Connections prompt by typing quit. You should now be back at the Metadata Cleanup prompt.
  • Access the Select Operation Target prompt so that you can work your way through Active Directory from a target domain to a target site to the actual domain controller you want to remove. Type select operation target.
  • List all the sites in the forest by typing list sites and then type select site Number, where Number is the number of the site containing the failed domain controller.
  • List all the domains in the site by typing list domains in site and then type select domain Number, where Number is the number of the domain containing the failed domain controller.
  • List all the domain controllers in the selected domain and site by typing list servers in site and then type select server Number, where Number is the number of the server that failed.
  • Exit the Select Operation Target prompt by typing quit. You should now be back at the Metadata Cleanup prompt.
  • Remove the selected server from the directory by typing remove selected server. When prompted, confirm that you want to remove the selected server.
  • Type quit twice to exit Ntdsutil. Next, remove the related computer object from the Domain Controllers OU in Active Directory Users And Computers. Finally, remove the computer object from the Servers container for the site in which the domain controller was located, using Active Directory Sites And Services.
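The interactive Ntdsutil walk-through above, together with the role and global catalog checks described earlier, can be driven and verified from one PowerShell script. What follows is an added example, not code from the original article or its author. It assumes the ActiveDirectory module (RSAT), a domain administrator account, and an Ntdsutil from Windows Server 2003 SP1 or later that accepts "remove selected server <DN>" in place of the select site/domain/server steps; DC1 and DC2 are placeholder names. Without -Fix it only reports what still references the failed domain controller.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and a domain-admin account. Hypothetical names: failed DC 'DC1',
# surviving DC 'DC2'. Report-only unless -Fix is given.
param(
    [string]$FailedDc   = 'DC1',
    [string]$SurvivorDc = 'DC2',
    [switch]$Fix
)
Import-Module ActiveDirectory

$domain     = Get-ADDomain -Server $SurvivorDc
$forest     = Get-ADForest -Server $SurvivorDc
$config     = (Get-ADRootDSE -Server $SurvivorDc).configurationNamingContext
$failedFqdn = "$FailedDc.$($domain.DNSRoot)".ToLower()

# 1. Operations master roles: anything still recorded on the failed DC must be
#    seized. -Force makes Move-ADDirectoryServerOperationMasterRole seize instead
#    of transfer, which is what you want when the old holder is gone for good.
$roles = [ordered]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
if ($forest.RootDomain -eq $domain.DNSRoot) {      # forest-wide roles live in the root domain
    $roles['SchemaMaster']       = $forest.SchemaMaster
    $roles['DomainNamingMaster'] = $forest.DomainNamingMaster
}
$toSeize = @($roles.Keys | Where-Object { $roles[$_].ToLower() -eq $failedFqdn })
foreach ($r in $toSeize) { Write-Warning "Role $r is still held by $failedFqdn" }
if ($toSeize -and $Fix) {
    Move-ADDirectoryServerOperationMasterRole -Identity $SurvivorDc -OperationMasterRole $toSeize -Force -Confirm:$false
}

# 2. Global catalog: at least one surviving DC must advertise the GC. The GC flag
#    is bit 0 of the 'options' attribute on the DC's NTDS Settings object, so OR
#    it in rather than overwriting the attribute.
$survivingGcs = @($forest.GlobalCatalogs | Where-Object { $_.ToLower() -ne $failedFqdn })
if (-not $survivingGcs) {
    Write-Warning "No surviving global catalog server"
    if ($Fix) {
        $ntds    = (Get-ADDomainController -Identity $SurvivorDc).NTDSSettingsObjectDN
        $options = [int](Get-ADObject -Identity $ntds -Properties options).options
        Set-ADObject -Identity $ntds -Replace @{ options = ($options -bor 1) }
    }
}

# 3. Metadata cleanup. Each argument is one command typed at the Ntdsutil prompt,
#    so this is the article's session with the DN form of 'remove selected server'.
$serverObj = Get-ADObject -Server $SurvivorDc -SearchBase "CN=Sites,$config" `
    -Filter "objectClass -eq 'server' -and name -eq '$FailedDc'"
if ($serverObj) {
    Write-Warning "Server object still present in Sites: $($serverObj.DistinguishedName)"
    if ($Fix) {
        & ntdsutil.exe 'metadata cleanup' 'connections' "connect to server $SurvivorDc" 'quit' `
            "remove selected server $($serverObj.DistinguishedName)" 'quit' 'quit'
        # The server object itself stays behind after metadata cleanup; this is
        # the Sites And Services deletion from the article's last step.
        Remove-ADObject -Server $SurvivorDc -Identity $serverObj.DistinguishedName -Recursive -Confirm:$false
    }
}

# 4. The computer object in the Domain Controllers OU (the Users And Computers step).
$computer = Get-ADComputer -Server $SurvivorDc -SearchBase $domain.DomainControllersContainer `
    -Filter "name -eq '$FailedDc'"
if ($computer) {
    Write-Warning "Computer object still present: $($computer.DistinguishedName)"
    if ($Fix) {
        Remove-ADObject -Server $SurvivorDc -Identity $computer.DistinguishedName -Recursive -Confirm:$false
    }
}

# Final picture: which DCs the directory now believes exist.
Get-ADDomainController -Server $SurvivorDc -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles | Format-Table -AutoSize
```

Run it without -Fix first; the warnings are exactly the items the article tells you to check, and the closing table should no longer list the failed server. Seizing a role with -Force must never be followed by bringing the old holder back online, so only use -Fix once you have decided the failed server will not return.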

About the author: Rahul Shah currently works at a software firm in India, where he is a systems administrator maintaining Windows servers. He has also worked for various software firms in testing and analytics, and has experience deploying client/server applications in different Windows configurations.

This was first published in June 2006
