How to change the IP Address of Domain Controller
Although domain controllers can be configured to obtain an IP address from DHCP, it’s best practice to configure a static IP address so that it can be reliably discovered across the network. You may need to change the IP address of a DC for one reason or another – for example, when there’s a change of IP addressing scheme on the local subnet. Keep in mind that any changes to a domain controller can potentially disrupt services and impact business operations. That said, assuming the DC is not hosting any other server roles, changing the IP address is fairly a straightforward and unchallenging process just like assigning a static IP to a Windows 11/10 client machine. We will discuss this topic under the following subheadings: Let’s see the description of the 4-step process involved in successfully carrying out this task.
1] Pre-change Checklist
It’s important to plan & schedule the IP change during your maintenance window, as there is always a potential that things might go awry. Also, make sure any intended changes are communicated ahead of time. Before you proceed with the domain controller IP address change proper, you may need to run through this pre-change checklist and make sure you tick all the boxes. Depending on your case scenario or setup, you may have other tasks to add as this is not an exhaustive list. The following outlines the basic and general guidelines for most setups.
Check for multiple Domain Controllers: For disaster recovery reasons, it is best practice to have multiple domain controllers as making major changes to domain controllers if you have a single domain controller can break the server. In this case, you can still operate from a secondary DC. Also, make sure to back up the Active Directory. To get a list of all domain controllers in your domain, run the command below:
Check FSMO Roles: You need to check if the intended DC hosts any Flexible Single Master Operations (FSMO) roles. To do this, run the command below:
If from the output, the DC is running FSMO roles, you will have to move the FSMO roles to another domain controller that is on the same site. This action will help avoid disruption to authentication services. You would also need to move any services that are manually configured to the server.
Check Installed Roles and Features: You can check if the DC is running services like a DHCP server or a web server. You can check the Control Panel for installed software, and you can check the established roles and features on the server by running the command below:
If the output shows the DC is running some critical services like DHCP and DNS, you will need to consider this when changing the IP address. You can use Wireshark to identify what systems are pointing to your domain controller for various services like DNS, DHCP, and so on. Read: How to remove Roles and Features in Windows Server
Check the health of the Domain Controller and DNS: You need to make sure that your domain controller is healthy before making the IP change. Otherwise, you may encounter DNS or replication issues. To check the health of the DC, run the command below:
With the DCDiag, you can run about 30 different health checks on a domain controller and test DNS settings, replication health, errors, and more. By default, dcdiag does not test DNS. So, to run a complete test on DNS, execute the command below and make sure the server passes all tests and the name resolution SRV record is registered. Read: An error occurred while trying to configure this machine as a DC
Run Best Practices Analyzer: To avoid any potential migration issues. you can run the Best practices Analyzer (BPA) which can help find configuration issues according to Microsoft best practices. After you run the BPA tool, review the scan results, but keep in mind that the tool is not always accurate, so you need to double-check its findings. Also, any errors or warnings do not mean your migration will fail. This tool is available for download at Microsoft.com.Changing Subnets and Firewall rules: If you will be changing to a new subnet and the DC server also runs DHCP, you will need to update the helper address on your switch or firewall. And add the new subnet to Active Directory Sites and Services. You may need to update the rules for your network firewall and Windows-based firewalls. For example, you may have rules on the network firewall that limit network access for critical servers like domain controllers. In this case, you might need to update the firewall rules to permit traffic to the new DC IP.
Read: What is Next-Generation Firewall (NGFW)?
2] Change the IP Address of a Domain Controller
Now that you have completed the pre-change checklist, you can proceed to change the IP Address on the domain controller by following these steps:
Log on locally to the server for console access (don’t RDP or use remote access).Right-click the network icon in the bottom right of the taskbar.Select Open Network and Sharing Center from the menu.In the Network and Sharing Center, click Change adapter settings.Alternatively, you can press the Windows key + R, and type ncpa.cpl into the box and hit Enter.On the Network Connections screen, right-click the network adapter for which you want to change the IP address.Select Properties from the menu.In the Ethernet Properties dialog box, scroll down the list and double-click Internet Protocol Version 4 (TCP/IPv4).In the TCP/IPv4 dialog box, change the IP address.Change the Subnet mask and Default gateway if required.
Note: Change the primary DNS server entry to the DC’s new static IP address if the DC is also the only DNS server in the domain. And as per Microsoft best practice, the first entry for the DNS server, that is the Preferred DNS server IP address should point to another DNS server on the same site, whereas the Alternate DNS server IP should specify the loopback or LocalHost address.
Click OK to continue.Click OK in the Ethernet Properties dialog box.Close the Network and Sharing Center.
Read: Cannot change Static IP address & DNS server on Windows 11/10
3] Register the Domain Controller’s new IP Address
Once done with the DC IP address change, your next step is to empty the local DNS cache and register the DC’s new IP address in DNS. Do the following:
In elevated Command Prompt or PowerShell, run the following commands one after the other:
This command will remove any cached DNS entries created by the local DNS resolver. This command will ensure the new IP address is registered by the DNS server. This command will update Service Principal Name (SPN) records and check that all the tests are passed successfully.
Exit Windows Terminal when done.
Read: RSAT install failed on Windows 11/10
4] Post-change Checklist
As you have successfully changed the IP address of your domain controller, you can complete the following tasks.
Update services, servers, and client machines: DHCP settings will need to be changed if the DC is also a DNS server to make sure domain members pick up the DNS server’s new IP address. If the subnet address changes then make sure AD Sites and Services are updated. Update clients that use the static IP address. Update other DC’s NIC settings and firewall rules (if needed). Changing the IP address on the DC should not affect any shares on the server as long as DNS is updated.Check for issues and flush the local DNS cache: You can run the commands dcdiag and dcdiag /test:dns /v to check for issues. You may need to run the command ipconfig /flushdns to clear the local DNS cache on all member servers and clients joined to the domain or reboot them so that they resolve the new IP address to locate the DC. You may have to resolve DNS issues on the Windows 11/10 client machines.Test authenticating to the DC and verify DNS is working: You can test authenticating to the DC by manually setting a client IP DNS setting to the IP of the DC or specify the authentication server using PowerShell. To verify if DNS is working, you can use any of the free DNS Lookup Tools & Online services.
Read: Fix Nslookup works but Ping fails in Windows 11/10
Monitor old IP with Wireshark: You can continue to monitor to find systems that are still using the old IP of the DC so that you can take necessary actions. You can do this by Port Mirroring (SPAN Switch Port Analyzer) or assign the DCs old IP to a computer with Wireshark installed.
That’s it! These posts might interest you:
Active Directory Domain Controller for the domain could not be contactedThe specified domain either does not exist or could not be contacted
How do I change my domain IP address to Windows 10?
To change the domain IP address on your Windows 11/10, simply change the IP address on DC and run the following command to make the changes take effect: Type ipconfig /flushdns and hit Enter. Type Net Stop DNS and click Enter. Finally, type Net Start DNS and click Enter.
Does Domain Controller need static IP?
Domain controllers can be configured to obtain an IP address from DHCP, but it’s best practice to configure a static IP address. You can configure the machine to use a DNS server. If you’re creating a new domain or forest, you may not need this step if the system will become a DNS server as well as a domain controller.
Should DHCP be on Domain Controller?
Domain controllers do not require the DHCP Server service to operate and for higher security and server hardening, it is recommended not to install the DHCP Server role on domain controllers, but to install the DHCP Server role on member servers instead. Read: Fix Unable to contact your DHCP Server error on Windows.