Having one Domain Controller is not recommended because it creates a single point of failure. If the only Domain Controller goes down in the organization, big outages will occur resulting in a loss of operations. To avoid this single point of failure you need to have a secondary Domain Controller. A second DC will load balance the services and minimize the risk of critical services going down. In this article, I will walk through the steps to add a second Domain Controller to an existing domain.
Steps to Add a Secondary Domain Controller
If you are using Windows Server 2012, 2016, or 2019, the steps to add a secondary domain controller are the same.
Step 1. Configure Basic Server Settings
Before promoting the server to a secondary domain controller you need to make sure you have these settings configured.
- Computer name – Set the computer name before promoting the server to a domain controller; renaming a DC afterwards is far more disruptive.
- IP settings – Set a static IP address on the server and make sure its DNS setting points to an existing domain controller or DNS server. You will not be able to join the server to the domain if this is not set.
- Date and Time – Make sure the time zone is correct. Your domain can have strange issues (Kerberos authentication and replication failures) if the date and time are off.
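The same preparation from PowerShell, as an added example that is not part of the original article. It assumes an interface alias of Ethernet, the address 10.0.0.11/24 with gateway 10.0.0.1, an existing DC at 10.0.0.10, the time zone Eastern Standard Time, and the domain ad.winadpro.com and computer name DC3 used later in the article; the SRV lookup and clock-offset check at the end are the verification a practitioner wants before promoting.

```powershell
# Added example: prepare a member server before promotion (Step 1).
# All addresses, the interface alias, and the time zone below are assumed values.
$Prep = @{
    ComputerName = 'DC3'                      # name used in the article's verification step
    Interface    = 'Ethernet'
    IPAddress    = '10.0.0.11'
    PrefixLength = 24
    Gateway      = '10.0.0.1'
    ExistingDC   = '10.0.0.10'                # must be a DC or the DNS server that hosts the zone
    DomainDns    = 'ad.winadpro.com'
    TimeZone     = 'Eastern Standard Time'
}

# Static IP: turn off DHCP on the interface and clear any leased address/route first.
Set-NetIPInterface -InterfaceAlias $Prep.Interface -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Prep.Interface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Prep.Interface -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Prep.Interface -IPAddress $Prep.IPAddress `
    -PrefixLength $Prep.PrefixLength -DefaultGateway $Prep.Gateway | Out-Null

# DNS must point at an existing DC; the domain join and promotion fail otherwise.
Set-DnsClientServerAddress -InterfaceAlias $Prep.Interface -ServerAddresses $Prep.ExistingDC

# Time zone. Kerberos tolerates only a few minutes of clock skew, so check the offset now.
Set-TimeZone -Id $Prep.TimeZone
w32tm /stripchart /computer:$($Prep.ExistingDC) /samples:1 /dataonly

# Check: can this server locate a DC for the domain through the LDAP SRV record?
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Prep.DomainDns)" -Type SRV -ErrorAction Stop
if (-not $srv) { throw 'No DC SRV records found; check the DNS server setting.' }
$srv | Select-Object NameTarget, Port, Priority

# Rename last; the restart must happen before the AD DS role is promoted.
Rename-Computer -NewName $Prep.ComputerName -Restart
```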
Step 2. Open Server Manager & Install AD DS Role
1. Click on Add roles and features
2. Click “Next” on the Before you begin page.
3. Select “Role-based or feature-based installation” and click Next.
4. Select a server from the server pool. Select your server and click next.
5. Select Active Directory Domain Services. You will get a popup to add the features that are required for Active Directory Domain Services; click Add Features, then click Next.
6. Click next on the features page. Nothing additional needs to be selected on this page.
7. Click next on the AD DS page. This page is just informational.
8. Click Install on the confirmation page.
When the installation is complete it will say “Configuration required. Installation succeeded on”. When you see this move to step 3.
Step 3. Promote this server to a domain controller
1. In the server manager click the yellow icon at the top and click “Promote this server to a domain controller”.
2. Select “Add a domain controller to an existing domain”. Next, enter or select the existing domain you want to add the secondary domain controller to. You will need to click the change button to enter in administrator credentials. Click Next.
3. On the Domain Controller Options page, Domain Name System (DNS) server and Global Catalog (GC) should be checked. The Default First Site name should be selected for the site name unless you have created a new one. I would recommend leaving it as the default. Enter a password for the Directory Services Restore mode and click “Next”.
NOTE: Directory Services Restore Mode (DSRM) allows an administrator to repair or recover an Active Directory database. The DSRM password is a local account on this DC, so store it as carefully as the domain administrator credentials.
4. DNS Options
You will most likely receive the error below that says “A delegation for this DNS server cannot be created….” This is common. The wizard is trying to contact the nameservers for the domain I entered winadpro.com and is unable to create a delegation for the sub-domain ad.winadpro.com. This message can be ignored if you don’t need computers from outside of the network to be able to resolve names within your domain. More info on this error https://technet.microsoft.com/en-us/library/cc754463(WS.10).aspx
5. On the Additional Options page, select where you want this server to replicate from. In my environment, I want it to be able to replicate from any domain controller. The right choice depends on how you installed the first DC and where it is located. If the DCs are all in the same site, then “replicate from any” will work. If you have multiple sites, you would use a different replication strategy. For my organization, we have 4 domain controllers all in the same site, so I have set them up to replicate from any.
6. For the paths I always leave them the defaults.
7. Click next on the Review options page.
8. On the Prerequisites Check page you may see two warnings (cryptography algorithm and the DNS delegation); this is typical. If the prerequisites check passed, click Install.
The server will automatically reboot when it is finished.
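Steps 2 and 3 can also be done from PowerShell with the ADDSDeployment module, which is useful on Server Core and for repeatable builds. This is an added example, not the article's own code; it assumes the domain ad.winadpro.com from the article, the Default-First-Site-Name site, and the default database, log and SYSVOL paths. The prerequisites check is run as its own step so the warnings the article mentions can be read before anything is changed.

```powershell
# Added example: install the AD DS role and promote to an additional DC (Steps 2 and 3).
Import-Module ServerManager

# Step 2: the AD DS role plus its management tools (the Add Roles wizard equivalent).
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) { throw "AD DS role installation failed (exit code $($role.ExitCode))" }

Import-Module ADDSDeployment

$Domain = 'ad.winadpro.com'                       # domain from the article (assumed here)
# Credentials and the DSRM password are prompted for so they never sit in the script.
$Cred = Get-Credential -Message "Domain Admins account, e.g. administrator@$Domain"
$Dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$Promote = @{
    DomainName                    = $Domain
    Credential                    = $Cred
    InstallDns                    = $true          # "Domain Name System (DNS) server" checkbox
    NoGlobalCatalog               = $false         # "Global Catalog (GC)" checkbox
    SiteName                      = 'Default-First-Site-Name'
    SafeModeAdministratorPassword = $Dsrm
    CreateDnsDelegation           = $false         # skips the "delegation cannot be created" error
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Force                         = $true          # suppress the interactive confirmation
}
# Leaving out -ReplicationSourceDC is the "replicate from any domain controller" option.

# The Prerequisites Check page, run before any change is made.
$Check = Test-ADDSDomainControllerInstallation @Promote
Write-Host $Check.Message
if ($Check.Status -eq 'Error') {
    throw 'Prerequisites check reported errors; fix them before promoting.'
}

# Promote. The server reboots automatically when the promotion finishes.
Install-ADDSDomainController @Promote
```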
Step 4. Verify Secondary Domain Controller
At this point, you have completed the steps for adding a secondary domain controller to an existing domain. Now log into the DC and let’s verify a few things.
1. Open Active Directory Users and Computers (ADUC) and spot check some user and computer accounts. Make sure ADUC is connected to your new DC. During the installation everything should have replicated to your secondary DC.
2. It’s also a good idea to check AD replication to make sure there are no replication errors. From another domain controller open the command prompt and enter repadmin /replsummary computername, where computername is the new DC. In this example, I’m using DC3. You can see there are no fails or errors.
3. You can also run an Active Directory health check on your domain controller using the dcdiag command. From the command prompt run the command dcdiag /v. This will display a lot of details but is one of the best ways to check the health of a domain controller.
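The same three checks scripted from another domain controller, as an added example that is not part of the original article. It assumes the new DC is named DC3 as in the article, and adds a fourth check the wizard does not show: that the new DC is actually advertised in DNS, since a DC that replicates but has no SRV records will never be used by clients.

```powershell
# Added example: verify the new DC from another DC (Step 4). Name DC3 is assumed.
Import-Module ActiveDirectory
$NewDC = 'DC3'

# 1. Registered as a DC, and holding the DNS/GC roles chosen in Step 3?
Get-ADDomainController -Identity $NewDC |
    Select-Object HostName, Site, IsGlobalCatalog, IPv4Address, OperatingSystem

# 2. Replication status per partner and partition (the PowerShell view of repadmin /replsummary).
Get-ADReplicationPartnerMetadata -Target $NewDC -PartnerType Both |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult,
                  ConsecutiveReplicationFailures |
    Format-Table -AutoSize

$Failures = Get-ADReplicationFailure -Target $NewDC
if ($Failures) {
    Write-Warning "Replication failures reported for ${NewDC}:"
    $Failures | Format-Table Partner, FailureCount, FirstFailureTime, LastError -AutoSize
} else {
    Write-Host "No replication failures reported for $NewDC."
}

# 3. dcdiag has no cmdlet equivalent; run it against the new DC and keep only the result lines.
$DcDiag = dcdiag /s:$NewDC /v
$DcDiag | Select-String -Pattern 'passed test|failed test' | ForEach-Object { $_.Line.Trim() }
$Failed = @($DcDiag | Select-String -Pattern 'failed test')
if ($Failed.Count -gt 0) { Write-Warning "$($Failed.Count) dcdiag test(s) failed on $NewDC" }

# 4. Is the new DC advertised? Clients find DCs through these SRV records, not through replication.
$Zone = (Get-ADDomain).DNSRoot
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV |
    Where-Object { $_.NameTarget -like "$NewDC.*" }
if ($Srv) { $Srv | Select-Object NameTarget, Port }
else { Write-Warning "$NewDC has no LDAP SRV record in $Zone; check netlogon registration." }
```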
Summary
In this article, we walked through how to add an additional domain controller to an existing domain. It is highly recommended to have multiple DCs in your organization. The benefit to this is it will load balance the services and minimize the risk of a complete network outage. Feel free to leave your comments or questions in the comment section.
I need to join a Windows 2012 server as an ADC on a 2008 domain, however the physical server where 2008 is installed has problems and will be deactivated. Will using 2012 as the main server continue to work normally?
Is there a rollback plan if something goes wrong when adding the Active Directory, especially for Windows 2019?
I have added a secondary domain controller many times, but it has always succeeded and I have never done a rollback. Just wondering, do you have a best practice or an article from Microsoft for a rollback plan if something goes wrong?
I configured a secondary DC using the same steps that you’ve provided here. Replication is successful, but when I check the things you mentioned in step 4, it’s connected to the main DC instead of its own. All the users and computers are available, but it’s connected to the main AD. How can I change it?
Right click the very top (Active Directory Users and Computers) and select “Change Domain Controller”.
Hi,
Once I’ve completed these steps, will the 2nd controller automatically inherit the roles of the primary?
i.e. print, dns, dhcp, etc?
Thanks,
Dan
No, you would need to install the additional roles on the 2nd DC.
Print? Always disable the print spooler and definitely do not install the print server module on a Domain Controller.
Hi bro,
I have 1 DC and 1 ADC (additional domain) running server 2008R2. Now I want to upgrade to server 2022.
Can I build 1 Server 2022 (DC2022) and join it to DC2008 as an additional DC, and afterwards transfer the 5 roles from DC2008 to DC2022?!
Thanks bro!
Yes. Here is an in depth guide on migrating from 2008 R2 to Server 2022.
https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-guide-active-directory-migration-from-windows/ba-p/2888117
It works! Thank you very much.
Great howto. Works very fine!
Thanks
This worked out great for me thank you!
About credentials for enrolling into existing domain.
Username must be in the following format (at least for S2022): DOMAINADMINUSERNAME@AD.DOMAIN.COM
I tried all the other standard ways and it doesn’t work as standard, e.g. ad\
Thanks for posting this! It was well done, easy to follow, and worked.
You’re welcome.
Do the above steps apply if my Secondary Domain Controller is Windows 2022? Could you share a KB for Windows 2022? Many thanks!
If the system version of the Primary Domain Controller is later than that of the Secondary Domain Controller, is it compatible?
Hi,
Yes, the steps are the same for Windows 2022.
A correction needs to be made.
4. Select Active Directory Certificate Services, you will get a popup to add features that are required for Active Directory Domain Services, click Add features. Click Next.
You put Active Directory Certificate Services where it should be Active Directory Domain Services.
Maybe it’s petty, and if you got this far you should know, but I just thought I would bring it up.
Thanks for pointing this out. I have updated it.