As an IT administrator, you may need to change the IP address of a domain controller on your network. Because a domain controller (DC) is mission-critical infrastructure, this post gives a step-by-step overview of what to do before, during and after the change.
How to change the IP address of a domain controller
Although domain controllers can be configured to obtain an IP address from DHCP, we recommend that you configure a static IP address so that it can be reliably discovered on the network. You may need to change the IP address of a domain controller for one reason or another, such as when the IP addressing scheme has changed on the local subnet. Be aware that any changes to the domain controller can disrupt services and affect business operations.
However, assuming the domain controller is not hosting any other server roles, changing the IP address is a fairly simple and straightforward process, as is assigning a static IP address to a Windows 11/10 client computer. We will discuss this topic in the following subheadings:
- Checklist before change
- Change the IP address of a domain controller
- Register a new domain controller IP address
- Checklist after change
Let’s look at a description of the four-step process required to successfully complete this task.
1] Checklist before change
It’s important to plan and schedule an IP address change during a maintenance window, as there’s always the possibility that something could go wrong. Also, make sure any proposed changes are communicated well in advance. Before you proceed to properly change the IP address of a domain controller, you may need to complete this pre-change checklist and make sure you check all boxes. Depending on your scenario or setup, you may have other tasks to add as this is not an exhaustive list. The following are basic and general guidelines for most settings.
- Check for multiple domain controllers. For disaster recovery purposes, it is recommended to have multiple domain controllers, because a major change to a single domain controller can break the server. With more than one, you can still work from the secondary DC if that happens. Also, don't forget to back up your Active Directory. To get a list of all domain controllers in your domain, run the following command:
Get-ADDomainController -filter * | select hostname, domain, forest
- Check FSMO roles. You need to check if the intended domain controller is hosting any Flexible Single Master Operations (FSMO) roles. To do this, run the command below:
netdom query fsmo
If the output shows that the DC holds FSMO roles, you will have to move those roles to another domain controller in the same site. This helps avoid failures in the authentication services. You will also need to move any manually configured services to the server.
- Check installed roles and features. You can check if services such as DHCP server or web server are running on the domain controller. You can check the control panel for installed software and also check installed roles and features on the server by running the following command:
Get-WindowsFeature | Where-Object {$_.InstallState -eq "Installed"}
If the output shows that some important services, such as DHCP and DNS, are running on the domain controller, this must be taken into account when changing the IP address. You can use Wireshark to determine which systems are pointing to your DC for various services like DNS, DHCP, etc.
- Check the health of the domain controller and DNS: Before changing the IP address, you need to make sure that the domain controller is healthy. Otherwise, you may run into DNS or replication issues. To check the health of a domain controller, run the following command:
dcdiag
With dcdiag, you can run about 30 different health checks on a domain controller and test DNS settings, replication health, errors, and more. By default, dcdiag does not check DNS. To run a full DNS test, run the command below and verify that the server has passed all tests and that the name resolution SRV record is registered.
dcdiag /test:dns /v
- Run the Best Practices Analyzer: To avoid possible migration issues, you can run the Best Practices Analyzer (BPA), which can help find configuration issues according to Microsoft's recommendations. After running the BPA tool, review the scan results, but be aware that the tool is not always accurate, so you need to double-check its results. Also, errors or warnings do not mean that the migration will fail. This tool is available for download at Microsoft.com.
- Change subnet and firewall rules. If you are going to move to a new subnet and the DC server is also running DHCP, you will need to update the helper address on the switch or firewall and add the new subnet to Active Directory Sites and Services. You may need to update your network firewall and Windows firewall rules. For example, you might have network firewall rules that restrict network access to critical servers such as domain controllers. In this case, you may need to update your firewall rules to allow traffic to the new IP address of the domain controller.
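The checklist above can be gathered into one read-only report. This is an added example, not a script from the original article; it assumes an elevated PowerShell session on the domain controller being changed, the ActiveDirectory module, and English dcdiag output.

```powershell
# Added example: read-only pre-change report for the local domain controller.
# Assumes an elevated session on the DC with the ActiveDirectory module available.
Import-Module ActiveDirectory

$target   = $env:COMPUTERNAME     # assumption: the script runs on the DC being changed
$findings = @()

# 1. A second DC must exist to carry authentication during the change.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) {
    $findings += 'Only one domain controller found; there is no fallback.'
}

# 2. FSMO roles held by the target should be moved first.
$me = $dcs | Where-Object { $_.Name -eq $target }
if ($me -and $me.OperationMasterRoles.Count -gt 0) {
    $findings += "Target holds FSMO roles: $($me.OperationMasterRoles -join ', ')"
}

# 3. Roles that clients or network devices reach by IP address.
$roles = Get-WindowsFeature -Name DHCP, DNS, Web-Server | Where-Object { $_.Installed }
foreach ($role in $roles) {
    $findings += "Role installed on target: $($role.Name)"
}

# 4. Health: collect every test that dcdiag reports as failed (English output assumed).
$output = @(dcdiag) + @(dcdiag /test:dns /v)
foreach ($hit in ($output | Select-String -Pattern 'failed test')) {
    $findings += "dcdiag: $($hit.Line.Trim())"
}

if ($findings.Count -eq 0) {
    "No blockers found for $target."
} else {
    $findings | ForEach-Object { "REVIEW: $_" }
}
```

Each REVIEW line maps to one checklist item; firewall rules, helper addresses and the Active Directory backup still need a manual check.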
2] Change Domain Controller IP Address
Now that you’ve completed the pre-change checklist, you can proceed to change the IP address on the domain controller by doing the following:
- Log in locally to the server to access the console (do not use RDP or remote access).
- Right-click the network icon in the lower right corner of the taskbar.
- Choose Open Network and Sharing Center from the menu.
- In the Network and Sharing Center, click Change adapter settings.
- Alternatively, press Windows key + R, type ncpa.cpl in the box, and press Enter.
- In the Network Connections section, right-click on the network adapter for which you want to change the IP address.
- Choose Properties from the menu.
- In the Ethernet Properties dialog box, scroll down the list and double-click Internet Protocol Version 4 (TCP/IPv4).
- In the TCP/IPv4 dialog box, change the IP address.
- Change the subnet mask and default gateway if necessary.
Note. Change the primary DNS server entry to the new static IP address of the domain controller if the domain controller is also the only DNS server in the domain. According to Microsoft best practice, the first entry for the DNS server, i.e. the IP address of the preferred DNS server, should point to another DNS server in the same site, while the IP address of the alternate DNS server should point to a loopback or localhost address.
- Click OK to continue.
- Click OK in the Ethernet Properties dialog box.
- Close the Network and Sharing Center.
3] Register a new domain controller IP address
After the domain controller’s IP address has changed, the next step is to flush the local DNS cache and register the new domain controller’s IP address in DNS. Do the following:
- From an elevated command prompt or PowerShell, run the following commands one after the other:
This command will remove all cached DNS entries created by the local DNS resolver.
This command ensures that the new IP address will be registered by the DNS server.
This command will update the Service Principal Name (SPN) records and verify that all tests pass.
- Exit the Windows Terminal when you’re done.
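The three descriptions above match the standard Windows commands used in the sketch below, which also confirms that DNS reflects the change. This is an added example, not from the original article; `$NewIP` and `$OldIP` are constructed placeholder addresses, and it assumes an elevated PowerShell session on the domain controller.

```powershell
# Added example: register the new address, then confirm DNS reflects it.
$NewIP = '192.0.2.10'       # constructed placeholder: new DC address
$OldIP = '198.51.100.10'    # constructed placeholder: previous DC address

ipconfig /flushdns          # remove entries cached by the local DNS resolver
ipconfig /registerdns       # ask DNS to register this host's records again
dcdiag /fix                 # fix SPN registration and run the default tests

$domain = (Get-CimInstance Win32_ComputerSystem).Domain
$fqdn   = "$($env:COMPUTERNAME).$domain"

# Registration is asynchronous, so poll for up to five minutes.
$ok = $false
foreach ($try in 1..10) {
    $a = @(Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    if ($a -contains $NewIP -and $a -notcontains $OldIP) { $ok = $true; break }
    Clear-DnsClientCache
    Start-Sleep -Seconds 30
}

# The DC locator SRV record must still name this host.
$srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -eq $fqdn })

if (-not $ok)         { "REVIEW: $fqdn resolves to: $($a -join ', ')" }
if ($srv.Count -eq 0) { "REVIEW: no _ldap SRV record points to $fqdn" }
if ($ok -and $srv.Count -gt 0) { "DNS shows $fqdn at $NewIP with its SRV record present." }
```

A stale A record for the old address is the result to watch for: clients that resolve it will keep sending authentication traffic to an address the domain controller no longer owns.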
4] Checklist after change
Since you have successfully changed the domain controller’s IP address, you can complete the following tasks.
- Update services, servers, and client machines: DHCP settings will need to be changed if the domain controller is also a DNS server to ensure that domain members receive the new DNS server IP address. If the subnet address changes, make sure the AD sites and services are up to date. Update clients using a static IP address. Update other domain controllers’ NIC settings and firewall rules (if necessary). Changing the IP address on the domain controller should not affect any shares on the server while the DNS is being updated.
- Check for problems and clear the local DNS cache: You can run the dcdiag and dcdiag /test:dns /v commands to check for problems. You may need to run the ipconfig /flushdns command to flush the local DNS cache on all domain-joined member servers and clients or reboot them so that they resolve the new IP address to discover the domain controller. You may need to resolve DNS issues on Windows 11/10 client computers.
- Test the authentication on the domain controller and make sure DNS is working. You can test authentication on a domain controller by manually setting the DNS client IP address parameter to the IP address of the domain controller, or by specifying the authentication server using PowerShell. To check if DNS is working, you can use any free DNS lookup tools and online services.
- Monitoring the old IP address with Wireshark: You can continue monitoring to find systems that are still using the old DC IP address so you can take the necessary action. You can do this with port mirroring (SPAN switch port sniffer) or assign an old domain controller IP address to a computer with Wireshark installed.
How to change domain IP address on Windows 10?
To change the domain IP address in Windows 11/10, simply change the IP address on the DC and run the following commands for the changes to take effect: type ipconfig /flushdns and press Enter, then type Net Stop DNS and press Enter, and finally type Net Start DNS and press Enter.
Does a domain controller need a static IP?
Domain controllers can be configured to obtain an IP address from DHCP, but it is recommended to configure a static IP address. You can configure the machine to use a DNS server. If you are creating a new domain or forest, you may not need this step if the system becomes a DNS server as well as a domain controller.
Should DHCP be on a domain controller?
Domain controllers do not require the DHCP Server service to function, and to improve server security and protection, we recommend that you do not install the DHCP Server role on domain controllers, but instead install the DHCP Server role on member servers.