The domain controller (DC) is an integral part of your IT infrastructure. Due to its role within the domain, it’s crucial that any change to its IP is done correctly.
The DC’s address is statically assigned to the server. However, you might be required to change the DC’s IP address at times—when there’s a change of the IP addressing scheme on the local subnet, for instance. Any change to the DC can disrupt services and affect your operations, so there are a few things you need to ensure before changing the IP address. Here’s a checklist to make it easier.
Pre-change checklist
Have multiple domain controllers
It is recommended to have multiple domain controllers and a backup of Active Directory. This is so that if something happens to the primary DC, you can still operate from the secondary DC. Major changes are not recommended if you have a single DC. You can check for other DCs in your domain with this command:
Get-ADDomainController -filter * | select hostname, domain, forest
Check FSMO roles
Another thing to check is whether the primary DC holds any Flexible Single-Master Operation (FSMO) roles. To check this, run the following command:
netdom query fsmo
If the primary DC is running FSMO roles, you will have to move the FSMO roles to another DC that is on the same site to avoid any disruptions to authentication services. Any other services that are manually configured on the server will also have to be moved to the secondary DC.
Check the installed roles and features
It is recommended to check what services are running on your DC before changing its IP address. If the DC is also running services such as DHCP or a web server, changing the IP address can break them. To avoid this, run the following command to list the installed roles and features:
Get-WindowsFeature | Where-Object { $_.InstallState -eq "Installed" }
Ensure the health of the DC and DNS
It is best to ensure that your DC is healthy before making any IP changes to avoid encountering any replication issues or DNS issues. You can check the health of your DC using the following command:
dcdiag
By default, the dcdiag command doesn’t test the DNS, so you can run the following command to check on DNS health:
dcdiag /test:dns /v
Run Windows Best Practices Analyzer
To avoid the risk of any potential issues during migration, you can use the Best Practices Analyzer tool to find any misconfigurations according to Microsoft’s best practices. The tool may not always be accurate, so make sure to double-check the findings when reviewing the scan results.
Change subnets
If the server also runs DHCP, and you’re going to be changing the subnet, you will need to update the helper address on your switch or firewall. You will also have to add the new subnet to Active Directory Sites and Services.
Update the firewall rules
Before you change the IP address of a domain controller, you may need to update the rules of your network firewalls and Windows-based firewalls to permit traffic to the DC’s new IP address.
Schedule the IP change
This is a good practice to follow when you change the domain controller’s IP address. There is always the potential for something to go wrong when changing the IP, no matter how much you prepare. Scheduling the IP change gives you a maintenance window to resolve any issues that may occur.
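The checks above can be run as one pass from an elevated PowerShell session on the DC. The script below is an added example, not part of the original article; it assumes the ActiveDirectory, ServerManager and BestPractices modules are available (they are on a DC with RSAT installed), and the target subnet 192.0.2.0/24 is a constructed placeholder. It collects each finding into a list of blockers so the outcome of the checklist is visible at a glance rather than spread across several command outputs.

```powershell
# Added example (not from the original article): pre-change assessment of a domain controller.
# Run in an elevated PowerShell session on the DC itself.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory, ServerManager, BestPractices -ErrorAction Stop

$thisDc   = $env:COMPUTERNAME
$blockers = New-Object System.Collections.Generic.List[string]

# 1. Other domain controllers: a single-DC domain should not undergo a major change.
$dcs = Get-ADDomainController -Filter * | Select-Object HostName, Domain, Forest, Site, IPv4Address
$dcs | Format-Table -AutoSize
if (@($dcs).Count -lt 2) {
    $blockers.Add('Only one domain controller found; add a second DC and back up AD first.')
}

# 2. FSMO roles: any role held by this DC should move to another DC in the same site first.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$heldHere = $roles.GetEnumerator() | Where-Object { $_.Value -like "$thisDc.*" } | ForEach-Object Name
if ($heldHere) {
    $blockers.Add("This DC holds FSMO role(s): $($heldHere -join ', '). Move them with " +
        "Move-ADDirectoryServerOperationMasterRole -Identity <other DC> -OperationMasterRole $($heldHere -join ',')")
}

# 3. Installed roles that are bound to the address and will need reconfiguration.
$installed    = Get-WindowsFeature | Where-Object { $_.InstallState -eq 'Installed' }
$addressBound = $installed | Where-Object { $_.Name -in 'DHCP', 'Web-Server', 'DNS', 'NPAS', 'ADCS-Cert-Authority' }
foreach ($f in $addressBound) {
    $blockers.Add("Address-sensitive role installed: $($f.DisplayName); plan its reconfiguration.")
}

# 4. Health of the DC and of DNS. dcdiag is a native tool; capture its output and look for failures.
$dcdiagOut = & dcdiag /q 2>&1
$dnsOut    = & dcdiag /test:dns /v 2>&1
if ($dcdiagOut -match 'failed test') { $blockers.Add("dcdiag reports failed tests; review its output before changing the IP.") }
if ($dnsOut    -match 'failed test') { $blockers.Add("dcdiag /test:dns reports failures; review them before changing the IP.") }

# 5. Best Practices Analyzer for the Directory Services model (findings need manual review).
Invoke-BpaModel -ModelId Microsoft/Windows/DirectoryServices | Out-Null
Get-BpaResult -ModelId Microsoft/Windows/DirectoryServices |
    Where-Object { $_.Severity -ne 'Information' } |
    Select-Object Severity, Title | Format-Table -AutoSize

# 6. AD Sites and Services: the new subnet must exist before the DC moves to it.
$newSubnet = '192.0.2.0/24'   # constructed placeholder; replace with the real target subnet
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$newSubnet'")) {
    $blockers.Add("Subnet $newSubnet is not defined in AD Sites and Services; add it with New-ADReplicationSubnet.")
}

"`nPre-change blockers ({0}):" -f $blockers.Count
$blockers | ForEach-Object { " - $_" }
```

The firewall and scheduling items remain manual: the script only reports what it can read from the DC itself, so an empty blocker list means the automated checks passed, not that the change is fully prepared.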
How to change the IP address of a domain controller
Once you’re done with the pre-change checklist, you can go ahead and change the domain controller’s IP address. Here’s how:
- Log on locally to the server using console access. Don’t use RDP or remote access.
- Right-click the network icon in the bottom-right corner of the taskbar.
- Select Open Network and Sharing Center > Change adapter settings. Alternatively, you can press the Windows key + R, type ncpa.cpl into the box, and hit Enter.
- On the Network Connections screen, right-click the network adapter for which you want to change the IP address and select Properties from the menu.
- In the Ethernet Properties dialog box, scroll down the list and double-click Internet Protocol Version 4 (TCP/IPv4).
- In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, change the IP address.
- If required, change the subnet mask and default gateway.
- Update the DNS server entries to reflect the DC’s new IP address, especially if the DC is the only DNS server in the domain. Where another DNS server exists, the Preferred DNS server should point to that DNS server on the same site, while the Alternate DNS server should be the loopback address (127.0.0.1).
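The same change can be made from an elevated PowerShell session at the local console instead of the adapter properties dialog. This is an added example, not part of the original article; it assumes the adapter is named Ethernet and uses the built-in NetTCPIP and DnsClient cmdlets. Every address in it is a constructed placeholder. It refuses to run in an RDP session, since the change drops the connection it is made over, and it sets the DNS client order the checklist describes.

```powershell
# Added example (not from the original article): re-address the DC's adapter from the local console.
#Requires -RunAsAdministrator
$alias      = 'Ethernet'
$oldIp      = '192.0.2.10'       # constructed: current address of this DC
$newIp      = '198.51.100.10'    # constructed: new address of this DC
$prefixLen  = 24                 # 255.255.255.0
$newGateway = '198.51.100.1'     # constructed: new default gateway
$otherDns   = '198.51.100.11'    # constructed: another DNS server on the same site; $null if this DC is the only one

# The change must be made locally: an RDP session would be cut off mid-way.
if ($env:SESSIONNAME -like 'RDP-*') { throw 'Run this from the local console, not over RDP.' }

# Confirm the adapter exists and show the current configuration before touching it.
Get-NetAdapter -Name $alias -ErrorAction Stop | Out-Null
Get-NetIPAddress -InterfaceAlias $alias -AddressFamily IPv4 | Format-Table IPAddress, PrefixLength

# Remove the old address and default route, then assign the new address, mask and gateway.
Remove-NetIPAddress -InterfaceAlias $alias -IPAddress $oldIp -Confirm:$false
Remove-NetRoute -InterfaceAlias $alias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $alias -IPAddress $newIp -PrefixLength $prefixLen -DefaultGateway $newGateway | Out-Null

# DNS client order: another DNS server on the site first and loopback second;
# if this DC is the only DNS server, point it at its own new address.
$dnsServers = if ($otherDns) { @($otherDns, '127.0.0.1') } else { @($newIp) }
Set-DnsClientServerAddress -InterfaceAlias $alias -ServerAddresses $dnsServers

# Show the result for verification before moving on to registration.
Get-NetIPConfiguration -InterfaceAlias $alias
```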
How to register the domain controller’s new IP address
Once you’ve changed the IP address of the domain controller, you will need to register the new IP address. To do so, run the following commands in elevated Command Prompt or PowerShell one after the other:
- ipconfig /flushdns
  This will clear any cached DNS entries.
- ipconfig /registerdns
  This ensures that the new IP address is registered by the DNS server.
- dcdiag /fix
  This ensures that the Service Principal Name (SPN) records are registered and that all tests are passed successfully.
Post-change checklist
After you’ve successfully changed the IP address of your domain controller, here are a few things you need to ensure:
- Update services, servers, and client machines, such as:
  - DHCP settings if the DC is also a DNS server.
  - Active Directory Sites and Services if the subnet address was changed.
  - Clients that use a static IP address.
  - The DC’s network interface controller settings, if required.
  - Firewall rules.
- Check for any issues: Run the dcdiag and dcdiag /test:dns /v commands. If a client system seems to be having issues, you may need to run ipconfig /flushdns on that client.
- Verify that the DNS is working: Use nslookup or other DNS lookup tools.
- Test authenticating to the DC: Manually set a client’s IP DNS setting to the IP of the DC or specify the authentication server using PowerShell.
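The registration commands and the post-change checks can be chained in one elevated PowerShell session on the DC. The script below is an added example, not part of the original article; it assumes the ActiveDirectory module is present, that the session is logged on with a domain account (so $env:USERDNSDOMAIN is set), and the new address is a constructed placeholder. Beyond the three registration commands it resolves the DC’s A record and the _ldap._tcp.dc._msdcs SRV record that clients use to locate a DC, re-runs the health checks, and verifies authentication against this specific DC.

```powershell
# Added example (not from the original article): register the new address, then verify DNS,
# health and authentication against this DC.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory -ErrorAction Stop
$domain = $env:USERDNSDOMAIN.ToLower()
$dcFqdn = "$env:COMPUTERNAME.$domain".ToLower()
$newIp  = '198.51.100.10'   # constructed placeholder: the address assigned in the previous step

# 1. Registration, in the order given above.
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null
& dcdiag /fix | Select-String -Pattern 'failed test', 'passed test'

# 2. DNS: the A record and the DC locator SRV record must point at the new address.
$a = Resolve-DnsName -Name $dcFqdn -Type A -ErrorAction Stop
if ($a.IPAddress -notcontains $newIp) {
    Write-Warning "A record for $dcFqdn does not resolve to $newIp yet; wait for registration or re-run ipconfig /registerdns."
}
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.NameTarget -eq $dcFqdn } | Format-Table NameTarget, Port, Priority, Weight

# 3. Health re-check, as on the pre-change list (dcdiag /q prints only problems).
& dcdiag /q
& dcdiag /test:dns /v | Select-String -Pattern 'Summary of DNS test results' -Context 0, 12

# 4. Authentication: query this DC explicitly and verify the secure channel against it.
Get-ADDomainController -Identity $dcFqdn -Server $dcFqdn |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog
Test-ComputerSecureChannel -Server $dcFqdn -Verbose
nltest /dsgetdc:$domain /force | Select-String -Pattern 'DC:', 'Address:'
```

On a client that still misbehaves, run the same Resolve-DnsName and Test-ComputerSecureChannel -Server calls there after ipconfig /flushdns; a stale cached A record on the client is the usual reason authentication against the re-addressed DC fails while the DC itself reports healthy.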
Final thoughts
If you’re looking to change domain controller IPs, there are a few things to ensure before you do so. Since the DC is an integral part of your IT infrastructure, it’s essential that this process is done correctly to avoid any breaks or other issues. Scheduling the IP change is also highly recommended because it will give you a maintenance window to sort out any other issues that could potentially arise.