Windows OS Hub

March 15, 2024

Add an Additional Domain Controller to an Existing AD Domain

To build a fault-tolerant Active Directory infrastructure and to load balance client requests you need at least two domain controllers. Creating additional domain controllers at remote sites is also recommended. In this article, we’ll look at how to add an additional (secondary, third, and so on) domain controller to an existing AD domain.

Contents:
  • Preparing Windows Server for Domain Controller Deployment
  • Install the Active Directory Domain Services (ADDS) Role on Windows Server
  • Add a New Domain Controller to an Existing Active Directory Domain
  • How to Check the New Domain Controller Health

Preparing Windows Server for Domain Controller Deployment

Deploy a new host (physical or virtual) running Windows Server. It is recommended that the same versions of Windows Server be used on all DCs in Active Directory. This is Windows Server 2019 in my example.

Start with the initial configuration of the new Windows Server host.

Use Server Manager or a PowerShell command to set the name of the domain controller that corresponds to your infrastructure (for example, mun-dc02):

Rename-Computer -NewName mun-dc02

Set a static IP address for the server and provide the DNS settings. As a preferred DNS server, type in 127.0.0.1 (for your DNS queries to run faster). Then enter the IP address of the nearest domain controller in the same AD site as the alternate DNS. You can use PowerShell to set IP and DNS settings in Windows:

Get-NetAdapter
New-NetIPAddress -IPAddress 192.168.13.14 -DefaultGateway 192.168.13.1 -PrefixLength 24 -InterfaceIndex 6
Set-DNSClientServerAddress -InterfaceIndex 6 -ServerAddresses ("127.0.0.1","192.168.10.14")

PowerShell: configure network and DNS settings on Windows Server

Set the time zone and make sure that the correct time has been set on the server.

Install the latest security updates (from a local WSUS server or from Windows Update). You can also install Windows updates with the PSWindowsUpdate PowerShell module.

Then enable Remote Desktop (RDP) access, join your Windows Server computer to an Active Directory domain, and restart Windows:

Add-Computer -DomainName woshub.loc
Restart-Computer -force
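The preparation steps above (network, DNS, time, RDP, domain join) can be run as one script. The following is an added example, not the article's own code; it reuses the article's values (mun-dc02, interface index 6, 192.168.13.14/24, the nearest DC 192.168.10.14, the woshub.loc domain) and assumes a Munich time zone, which you should replace with your own. It also adds two checks the article does not spell out: that the domain's DC locator SRV records resolve through the configured DNS servers before the join, and that the clock is close to the existing DC (Kerberos rejects tickets when the skew exceeds 5 minutes). Run it in an elevated PowerShell session on the new host.

```powershell
# Added example (not from the article): scripted preparation of a future domain controller.
# Assumptions: NIC InterfaceIndex 6, nearest DC in the same site is 192.168.10.14,
# domain woshub.loc, time zone is an assumption for the MUN site.
$NewName    = 'mun-dc02'
$IfIndex    = 6
$IPAddress  = '192.168.13.14'
$Gateway    = '192.168.13.1'
$NearestDC  = '192.168.10.14'
$DomainName = 'woshub.loc'
$TimeZoneId = 'W. Europe Standard Time'   # assumption

# 1. Static IP and DNS. The article puts the loopback address first and the
#    nearest DC of the same AD site second.
New-NetIPAddress -InterfaceIndex $IfIndex -IPAddress $IPAddress -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceIndex $IfIndex -ServerAddresses ('127.0.0.1', $NearestDC)

# 2. Time zone, then compare the local clock against the existing DC.
#    The last column of each stripchart sample is the offset in seconds.
Set-TimeZone -Id $TimeZoneId
w32tm /stripchart /computer:$NearestDC /samples:3 /dataonly

# 3. The join only works if the domain's DC locator records resolve through the
#    DNS servers configured above. Only the SRV answers are kept (the additional
#    section may also carry A records).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $NearestDC -ErrorAction Stop |
       Where-Object Type -eq 'SRV'
"Found {0} DC SRV record(s): {1}" -f $srv.Count, ($srv.NameTarget -join ', ')

# 4. Enable Remote Desktop: the Terminal Server setting plus the firewall rule group.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 5. Rename and join the domain in one step; -Restart reboots the host afterwards.
$cred = Get-Credential -Message "Account allowed to join computers to $DomainName"
Add-Computer -DomainName $DomainName -NewName $NewName -Credential $cred -Restart -Force
```

Add-Computer accepts -NewName, so the separate Rename-Computer call and its extra reboot are not needed when the name is set at join time. If step 3 returns no SRV records, fix DNS before going any further: the promotion wizard will fail on the same lookup.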

If you are deploying a DC for a new remote site, open the Active Directory Sites & Services console (dssite.msc), create a new site, and bind to it the IP client subnets to be served by your DC.

Add IP subnet to AD site

Install the Active Directory Domain Services (ADDS) Role on Windows Server

Once the server has been prepared, you can install the Active Directory Domain Services (ADDS) role. Open Server Manager, go to Manage -> Add Roles and Features -> Server Roles, and check Active Directory Domain Services.

Install ADDS role on Windows Server

You can also install the ADDS role with PowerShell:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools -Verbose

Make sure that the AD Domain Services role has been installed:

Get-WindowsFeature -Name *AD-Domain*

Add a New Domain Controller to an Existing Active Directory Domain

After installing the ADDS role, you can promote your Windows Server host from a member server to a domain controller.

In the Server Manager console, click Promote this server to a domain controller.

Promote Windows Server to a domain controller

Then select Add a domain controller to an existing domain.

Add a new domain controller to an existing domain

Check the options to install a DNS server on this server and to enable the Global Catalog (GC) role.

Then set the password for Directory Services Restore Mode (DSRM).

In DSRM mode, you can restore an AD domain controller from a backup copy.

Enable the Read only domain controller (RODC) option only if you plan to deploy a read-only DC. We leave it unchecked here because we are deploying a normal (read/write, RW) DC.

Select the AD site where you would like to place the new DC (in our example, we have selected the MUN site that we have just created).

DC: install DNS, global catalog

You can skip the DNS server delegation step.

You can then select the closest domain controller to use for replicating the AD database to your new DC. In case you have all the DCs nearby and connected by fast links, select Any domain controller. Note that the initial replication of the directory and SYSVOL to the new DC may cause excessive load on the WAN links.

When deploying a new DC at a remote site with a poor or unstable connection, you can use Install from Media (IFM) mode. This requires you to take a snapshot of the domain partition and SYSVOL on an existing DC, copy it to physical media, and pass it over to the branch where the new DC is to be deployed.

New AD domain controller - initial replication

Then provide paths to the ADDS database (ntds.dit) and sysvol directories. The default paths will work fine in most cases:

  • C:\Windows\NTDS
  • C:\Windows\SYSVOL

The prerequisite check then runs. The following message appears if all prerequisites are met:

All prerequisite checks passed successfully.

All that’s left to do now is click Install and promote your server to a DC.

Promote Windows Server to a new domain controller

You can also use PowerShell to deploy a new domain controller. Thus, all the settings described above can be configured with a single command:

Import-Module ADDSDeployment
# You are prompted for the DSRM password if -SafeModeAdministratorPassword is not supplied
Install-ADDSDomainController -DomainName "woshub.loc" -SiteName "MUN" `
    -InstallDns:$true -CreateDnsDelegation:$false -NoGlobalCatalog:$false `
    -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" -NoRebootOnCompletion:$false -Force:$true

When the installation is complete, the server will automatically restart.

How to Check the New Domain Controller Health

After the installation of a new DC, you will need to check its status and the correctness of the replication in the Active Directory.

First, check that the new domain controller is listed under the Domain Controllers container in the ADUC console.

Check for existing domain controllers in AD

You can also use an AD PowerShell module to get information about your new DC:

Get-ADDomainController -Identity MUN-DC02

Here’s how you can check the status of replication between the domain controllers:

repadmin /showrepl *
repadmin /replsummary

And get details on replication partners for a particular DC:

repadmin /replsummary mun-dc02

repadmin - unknown replication status

In my case, the largest delta value was unknown. This is usually because replication has not yet been completed. You can force the replication using the Active Directory Sites and Services console. To do this, expand your site, select your DC, expand NTDS Settings, then click on the link and select Replicate All.

Also, you can initiate a full replication with the command:

repadmin /syncall

Replicate AD now

Check that there are no replication errors.

repadmin replsummary health

You can use the script at the link to check the health of domain controllers and AD replication.
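The checks in this section can be collected into a single post-promotion script. The following is an added example, not the article's linked script; it needs the RSAT Active Directory PowerShell module and uses the article's DC name, domain and site. Beyond what the article shows, it verifies that the new DC is advertised in the site-specific DC locator SRV records (a DC that replicates fine but is missing from DNS will never be picked by clients), that the SYSVOL and NETLOGON shares are published, and it runs the dcdiag tests most relevant to a freshly promoted DC.

```powershell
# Added example (not the article's script): health check for a newly promoted DC.
# Assumptions: RSAT AD module present, DC mun-dc02 in site MUN of domain woshub.loc.
$DC     = 'mun-dc02'
$Domain = 'woshub.loc'
$Site   = 'MUN'

Import-Module ActiveDirectory

# 1. The DC object exists and has the expected roles and site.
$dcObj = Get-ADDomainController -Identity $DC
"{0}: site={1} GC={2} RODC={3} OS={4}" -f $dcObj.HostName, $dcObj.Site,
    $dcObj.IsGlobalCatalog, $dcObj.IsReadOnly, $dcObj.OperatingSystem

# 2. DC locator records for the site must list the new DC, otherwise clients in
#    the MUN subnets keep authenticating against remote DCs.
$srv = Resolve-DnsName "_ldap._tcp.$Site._sites.dc._msdcs.$Domain" -Type SRV |
       Where-Object Type -eq 'SRV'
if ($srv.NameTarget -notcontains "$DC.$Domain") {
    Write-Warning "$DC is not registered in the $Site site SRV records (check Netlogon / DNS)"
}

# 3. Replication: last successful inbound sync per partner and partition, plus any
#    recorded failures. These cmdlets read the same data as repadmin /showrepl.
Get-ADReplicationPartnerMetadata -Target $DC |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, ConsecutiveReplicationFailures |
    Format-Table -AutoSize
$failures = Get-ADReplicationFailure -Target $DC
if ($failures) {
    Write-Warning "Replication failures reported on $DC"
    $failures | Format-Table Partner, FailureType, FailureCount, FirstFailureTime -AutoSize
}

# 4. SYSVOL and NETLOGON are shared only once SYSVOL replication has completed and
#    the DC is advertising; their absence explains "unknown" repadmin deltas.
Get-SmbShare -CimSession $DC -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue |
    Format-Table Name, Path -AutoSize

# 5. dcdiag: /q prints only the errors, so empty output means the tests passed.
dcdiag /s:$DC /test:Advertising /test:Replications /test:NetLogons /test:SysVolCheck /q
```

Run it from an administrative workstation with the AD module rather than on the new DC itself, so that step 2 and step 4 are seen from a client's point of view.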

Your new DC is now ready to serve clients and act as a logon server for computers in the IP subnets/sites bound to it.

Finally, I leave you with a few more links to articles that AD administrators will find useful:

  • How to move/seize FSMO roles
  • How to demote (remove) a domain controller
  • Managing GPOs in Active Directory
  • Rename Active Directory domain
  • Reset the AD domain administrator’s password
1 comment

dk September 21, 2023 - 11:44 am

The two prerequisites to introducing the first 2019 or 2022 domain controller are that domain functional level needs to be 2008 or higher and older sysvol
Use dcdiag / repadmin tools to verify health, correcting all errors found before starting any operations.
