Adding additional Domain Controller (Windows Server 2012)

 

Why do we need to add an additional Domain Controller? The answer is very simple: “for service redundancy” or “to improve domain authentication in a remote Site”.

In case of a server failure, we still have another one which can provide the necessary services in our network, which avoids business disruption.

First of all, we need to install a new box or virtual machine with a server operating system that is supported in the domain environment. To check which Windows Server versions can be installed and promoted as a Domain Controller, we need to check the Domain Functional Level.

To determine the Domain Functional Level, please follow another article on this blog, titled: Determine DFL and FFL using PowerShell

You may find one of these Domain Functional Levels, which are supported by Windows Server 2012 Domain Controllers:

  • Windows Server 2003 – supports Windows Server 2003 and above
  • Windows Server 2008 – supports Windows Server 2008 and above
  • Windows Server 2008 R2 – supports Windows Server 2008 R2 and above
  • Windows Server 2012 – only Windows Server 2012 is supported

When you already know your Domain Functional Level, you can start adding the additional Domain Controller.

First of all, you need to install a new machine based on Windows Server 2012. When the server is installed, you have to configure its network card properties to be able to start the promotion process. As it is a Domain Controller, the server requires a static IP address from the same subnet, or from a subnet which is routable within the network. As directory services rely on DNS, you need to point the server at a DNS server that hosts the domain zone. In this example the additional server uses 192.168.1.1 as its DNS server IP address (a forest root domain DC).

IPv4 settings

After IP address verification and the server name change, you can simply start the Active Directory Domain Services role installation. As you already know, Windows Server 2012 does not support server promotion with dcpromo; you need to do that in the post-installation steps.

Open Server Manager and click on “Add roles and features” on the Dashboard screen.

Active Directory: Directory Services role installation

Using the default settings in the wizard, go through to the “Server Roles” step (those steps are not described in this article; you may expect their description in another article) and select the Active Directory Domain Services role. Also accept the default features which are required during installation. Verify that the check box is in the proper place and go to the next step.

Active Directory: Directory Services role installation

On the “Features” screen, also go to the next step, as nothing more needs to be installed at this stage. All required features will be installed, as you accepted them a little bit earlier.

Active Directory: Directory Services role installation

Read the information about the role you are installing and go to the confirmation screen to install it.

Active Directory: Directory Services role installation

Wait until the selected role is installed before you will be able to promote the server to a Domain Controller.

Active Directory: Directory Services role installation

Active Directory: Directory Services role installation

Now, when the role is installed, you can see an exclamation mark in the notification area. It tells you that post-installation steps might be required.

Notification area

Click on it to see what can be done. You will now see that you can promote your server to a Domain Controller, and the information that the features were installed successfully.

Notification area

OK, let’s start the server promotion to a Domain Controller! Click on “Promote this server to a domain controller” and you will see a wizard.

As we are adding a Domain Controller to an existing domain, we need to select the proper option. It is selected by default; however, please ensure that “Add a domain controller to an existing domain” is selected.

Domain Controller promotion

When you have verified that, enter in the field marked with a red star the DNS domain name of the domain to which you are promoting the DC. Provide Enterprise Administrator credentials and go to the next step.

Domain Controller promotion

Domain Controller promotion

Domain Controller promotion

Define whether the server should be a DNS server and a Global Catalog. I would strongly recommend installing both roles on each Domain Controller in your environment. Select the Site to which this DC should belong and define the Directory Services Restore Mode (DSRM) password for this DC.

Domain Controller promotion

Do not worry about DNS delegation, as this server is not a DNS server yet. Go to the next step.

In “Additional options” you can define whether you want to install this Domain Controller from Install From Media (IFM), if you have it, and point to the DC from which replication should be done. When you do not specify one, the server will choose the best source for AD database replication. If you have no special requirements, just leave “Any domain controller”.

Domain Controller promotion

Specify the location for the AD database and SYSVOL (if you need a different one than suggested) and go to the next step.

Domain Controller promotion

You will see a summary screen where you can check all selected options for the server promotion. As in Windows Server 2012 everything done in Server Manager is translated into PowerShell code and executed in the background, you can check the code by clicking on the “View script” button. You will see exactly what will be run. This is a transparent process, and you will not see a PowerShell window in front of you.

Domain Controller promotion

PowerShell code for adding Domain Controller

 #
 # Windows PowerShell script for AD DS Deployment
 # (generated by the promotion wizard; backslashes in the paths below were lost
 # when the script was pasted and have been restored; the DSRM password is not
 # embedded in the script, Install-ADDSDomainController prompts for it when run)
 #
 Import-Module ADDSDeployment
 Install-ADDSDomainController `
 -NoGlobalCatalog:$false `
 -CreateDnsDelegation:$false `
 -Credential (Get-Credential) `
 -CriticalReplicationOnly:$false `
 -DatabasePath "C:\Windows\NTDS" `
 -DomainName "testenv.local" `
 -InstallDns:$true `
 -LogPath "C:\Windows\NTDS" `
 -NoRebootOnCompletion:$false `
 -SiteName "Default-First-Site-Name" `
 -SysvolPath "C:\Windows\SYSVOL" `
 -Force:$true
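A pre-flight check that covers the network and DNS requirements described earlier (static IP, DNS client pointing at the existing DC) and the Domain Functional Level list, then asks the ADDSDeployment module to run the wizard’s own prerequisite checks without promoting anything. This is an added example, not code from the article or from the wizard; the domain name testenv.local, the existing DC 192.168.1.1 and the site name are the article’s example values and are assumptions here.

```powershell
# Added pre-flight check (not from the original article). Run on the Windows Server 2012
# member server after the AD DS role (with management tools) is installed but BEFORE
# promotion. Assumed values, taken from the article: domain testenv.local, existing
# DC/DNS server 192.168.1.1, site Default-First-Site-Name.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$DomainName = 'testenv.local'
$ExistingDc = '192.168.1.1'
$SiteName   = 'Default-First-Site-Name'
$Cred       = Get-Credential -Message "Enterprise Admin credentials for $DomainName"
$DsrmPwd    = Read-Host -AsSecureString -Prompt 'DSRM password for this DC'
$problems   = @()

# 1. A Domain Controller needs a static IPv4 address, not a DHCP lease.
$dhcpIf = Get-NetIPInterface -AddressFamily IPv4 |
          Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' }
if ($dhcpIf) {
    $problems += "Connected interface(s) still use DHCP: $($dhcpIf.InterfaceAlias -join ', ')"
}

# 2. The DNS client must point at a DNS server that hosts the domain zone (the existing DC).
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses
if ($dnsServers -notcontains $ExistingDc) {
    $problems += "DNS client does not list $ExistingDc (found: $($dnsServers -join ', '))"
}

# 3. The DC locator SRV record is what the wizard uses to find a DC for the domain;
#    if it does not resolve, promotion stops with "a domain controller could not be found".
try {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
                           -Server $ExistingDc -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { $problems += "No SRV records for _ldap._tcp.dc._msdcs.$DomainName" }
} catch {
    $problems += "SRV lookup failed: $($_.Exception.Message)"
}

# 4. Domain Functional Level: a Windows Server 2012 DC can join a DFL from
#    Windows Server 2003 up to Windows Server 2012 (the list earlier in the article).
$domain    = Get-ADDomain -Identity $DomainName -Server $ExistingDc -Credential $Cred
$supported = 'Windows2003Domain', 'Windows2008Domain', 'Windows2008R2Domain', 'Windows2012Domain'
if ($supported -notcontains "$($domain.DomainMode)") {
    $problems += "DFL '$($domain.DomainMode)' cannot host a Windows Server 2012 DC"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    return
}

# 5. Let the deployment module run the same prerequisite checks as the wizard,
#    without changing anything on the server (no promotion, no reboot).
$test = Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $Cred `
            -SafeModeAdministratorPassword $DsrmPwd -InstallDns:$true -NoGlobalCatalog:$false `
            -SiteName $SiteName -CreateDnsDelegation:$false
$test | Format-List Status, Message
```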

If all prerequisite checks pass and you are sure that all settings are set up properly, you can start the installation.

Domain Controller promotion

After you click on the “Install” button, wait until the wizard does its job, and after the server restart you will have an additional Windows Server 2012 Domain Controller.

Additional Domain Controller logon screen

Give the DC some time to replicate Directory Services data, and you can enjoy your new DC.
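To see when the new DC has actually finished replicating and advertising, rather than just waiting, the following added check (not from the article) can be run on the new DC after its reboot. It assumes the article’s domain name testenv.local and partner DC 192.168.1.1, and uses only ActiveDirectory, DnsClient and SmbShare module cmdlets that ship with Windows Server 2012.

```powershell
# Added post-promotion check (not from the original article). Run on the new DC after
# its reboot. Assumed values, from the article: domain testenv.local and partner DC
# 192.168.1.1. Requires the ActiveDirectory module (installed with the AD DS tools).
Import-Module ActiveDirectory

$DomainName = 'testenv.local'
$PartnerDc  = '192.168.1.1'
$NewDc      = $env:COMPUTERNAME
$issues     = @()

# 1. The server must see itself as a DC and advertise as Global Catalog.
$dc = Get-ADDomainController -Identity $NewDc -Server $NewDc
if (-not $dc.IsGlobalCatalog) { $issues += 'Not yet advertising as Global Catalog' }

# 2. The partner must already know about the new DC (its DC object replicated out).
$known = Get-ADDomainController -Filter * -Server $PartnerDc | Where-Object { $_.Name -eq $NewDc }
if (-not $known) { $issues += "Partner $PartnerDc does not list $NewDc as a DC yet" }

# 3. The new DC's own locator SRV record must have been registered in DNS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' -and $_.NameTarget -like "$NewDc.*" }
if (-not $srv) { $issues += "No SRV record points at $NewDc in _msdcs.$DomainName" }

# 4. Inbound replication from every partner must have completed without error.
$repl = Get-ADReplicationPartnerMetadata -Target $NewDc -PartnerType Inbound
if (-not $repl) { $issues += 'No inbound replication partners' }
foreach ($p in $repl) {
    if ($p.LastReplicationResult -ne 0 -or $p.ConsecutiveReplicationFailures -gt 0) {
        $issues += "Replication from $($p.Partner) failing (result $($p.LastReplicationResult), " +
                   "last success $($p.LastReplicationSuccess))"
    }
}

# 5. SYSVOL and NETLOGON must be shared before clients can apply Group Policy from this DC.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        $issues += "$share share is not published yet (SYSVOL replication still pending?)"
    }
}

if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else         { Write-Host "$NewDc is replicating and advertising normally." }
```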

Author: Krzysztof Pytko


53 responses to “Adding additional Domain Controller (Windows Server 2012)”

  1. Patrick says :

    Great Post, used it to setup our 2nd dc.

     
  2. Joe says :

    Great post!
    I have set up a primary DC (DC1) followed by another DC (DC2), just like the example. Now I would like to have the latest addition (DC2) be the primary controller and DC1 the secondary controller. How is this accomplished? How can I verify which DC is being used first?

    Thanks in advance.
    Joe

     
    • iSiek says :

      Hi Joe,

      you cannot decide which DC users/computers will authenticate to. If you have DCs in the same Site, all of them are used for authentication. In case you wish to separate authentication traffic, you need to create a separate Site and subnet for it, then configure your network with the new subnet, and traffic will be split between DCs.

      Regards,
      Krzysztof

       
      • Johnatan says :

        Can you show us an example of how to create, for example, two sites and let users authenticate depending on the subnet? Our DCs have the default site created, but now we would like to split them: users on site A authenticate at 192.168.1.1 and users on site B at 192.168.2.1. It’s not a new Windows installation, the DC already exists. Thanks in advance.

         
        • iSiek says :

          Hello Johnatan,

          yes of course, this is a really good topic for a post. Thank you very much for that. I will try to prepare this article in the next few days and publish it. I hope you will still need this guide.

          Thank you in advance for your patience.

          Regards,
          Krzysztof

           
          • marco says :

            Where is this article? I would like to see the answer 🙂

             
          • kpytko says :

            Could you tell me more about the problem? I cannot find an exact reference to it. What article title are you asking for? 🙂

            Thank you in advance.

            Regards,
            Krzysztof

             
    • Nikola says :

      You have to configure the priority of the SRV records for your domain controllers on your primary DNS server

       
  3. Muditha Gayan says :

    hi iSiek,
    Your blog is great. I followed every step and at the last step (when installing) I got an error. I could not understand the reason.

    ==================================
    The operation failed because:

    The attempt to join this computer to the “windowslab.local” domain failed.

    “The request is not supported.”
    ====================================
    please give some advice,
    thanks ,
    Muditha

     
  4. Derek says :

    Pretty element of content. I just stumbled upon your blog
    and in accession capital to claim that I get actually loved account your weblog posts.
    Any way I’ll be subscribing on your augment and even I success you get entry to persistently quickly.

     
  5. Senthil says :

    After adding the additional domains, do I need to set up the DNS service (forward/reverse) separately for every domain?

     
  6. Andrew says :

    I don’t have an option to ignore DNS delegation and it fails on verification. How do you avoid this?

     
  7. Purpleturtle99 says :

    When you say: “Provide Enterprise Administrator credentials and go to the next step” and you used administrator@blah.local, is the “blah” part the existing domain controller’s name? Or could I just use administrator for the credentials?

     
  8. Tai says :

    Thanks for your great video. Please, I just want to ask if it is possible to add Server 2012 as a secondary domain to my SBS 2011 primary domain. Thanks

     
  9. Dan Goldsmith says :

    Hi Krzysztof,

    I followed your excellent Configuring a forest root domain on a fresh install of Server2012r2 and it went perfectly. I’m now following this guide to add a 2nd DC to the existing forest, but I can get past this error ‘An Active Directory domain controller for “test.local” could not be found’
    I’ve configured the DNS as exactly as instructed on both servers but no matter what i try I always get stuck at the same point.

    I’m using 2x Server 2012R2 standard VMs on ESXi5.0. each O/S has been freshly installed and updated from an MSDN ISO (5 attempts for each now!)

    The weird thing is, if I put the IP of the first DC into the Domain field when trying to add it to the existing forest and hit select, it displays test.local, so the DNS looks like it’s working.

    Any ideas, I might try 2012 rather than 2012r2 next ?
    thanks
    Dan

     
    • iSiek says :

      Hi Dan,

      thank you for reading my blog and following the article. Your case is really curious 🙂

      I’m really surprised that you were able to set up Windows Server 2012 R2 on ESXi 5.0! VMware recommends for 2012 at least ESXi 5.0 Update 3 (earlier versions have a serious bug) and for 2012 R2 at least ESXi 5.1

      Please check below requirements and tell me if all of them are applied:
      – both VMs are using the same vNIC
      – both VMs are within the same VLAN
      – ports required for AD replication are opened (see this MS article about that at http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx)
      – Windows Advanced Firewall allows communication on the same ports as above
      – VMWare guest tools are installed on both servers
      – Under VMWare guest tools, time synchronization with host is disabled on both Windows servers
      – system time is the same on both servers (difference lower than 5 mins!)

      To verify ports, you may use the portqry 2.0 tool available at http://www.microsoft.com/en-us/download/details.aspx?id=17148 or use the graphical version, portqry UI, at http://www.microsoft.com/en-us/download/details.aspx?id=24009

      I would suppose this issue may be related to the environment (ESXi) rather than a broken ISO image.

      Please let me know if this is still an issue for you. Then we’ll try to find another way to discover what’s wrong.

      Regards,
      Krzysztof

       
  10. ghuffar malik says :

    thank you very much, it is a very simple way to make an ADC ……………..ghuffar malik

     
  11. Jan says :

    Thank You! Very well explained

     
  12. Guest says :

    Thank you! very good manual, made it easy.

     
  13. Ross says :

    Thanks for the great article.
    I am still a little confused when it comes to adding a 2012 DC to an existing domain with legacy trusts and members. I have two 2003 R2 DCs in a 2003 FFL and DFL domain. This domain has 2000 and NT 4 members and a trust to an NT4 domain. If I introduce a 2012 R2 DC and keep the FFL, DFL and FSMO roles as they are, will the trust and members function as normal? Is it possible to have the legacy members still authenticate on the 2003 DCs and maintain the external trust, without any of the “Allow cryptography algorithms compatible with Windows NT 4.0” stuff?
    Thanks

     
    • iSiek says :

      Yes, trusts would work without changes. However, I’m not sure if you would be able to authenticate using NT4 domains when you remove Windows Server 2003 Domain Controllers

       
  14. CJJ says :

    I just inherited a Windows 2000 PDC; there is no secondary controller at the moment. Could I install a Windows 2008 R2 as secondary controller, then power off the old 2000 box and turn the 2008 into the primary? Not sure if anyone has done that or if there are steps on how to get this done, but I have a few weeks to figure out a way to make this work.

    Thanks for the help and support
    CJ

     
  15. Rakesh S says :

    I’ve three sites configured for AD replication, but unfortunately it is not working..

    ntfrs error 13508
    how should i keep dns settings in all ADC and main root DC ?

    root dns : 192.168.0.1
    192.168.0.2
    192.168.0.3

    2 site : 192.168.197.5
    192.168.197.6
    192.168.197.7

    3 site :
    192.168.29.31
    192.168.29.32
    192.168.29.33

     
    • kpytko says :

      Hi,

      this is quite a good configuration. There’s nothing wrong. However, you are pointing to the DNS infrastructure, but the NtFRS error is for a SYSVOL replication issue only. Looks like your AD database is replicating fine, with the only problem being SYSVOL based on FRS.

      Please try to follow this article on my blog for non-authoritative SYSVOL restore on FRS at http://kpytko.pl/active-directory-domain-services/non-authoritative-sysvol-restore-frs/

      In the meantime, please check your AD condition using

      dcdiag /e /c /v /f:c:\dcdiag.log
      and
      repadmin /showrepl /intersite /all /verbose >c:\repadmin.log

      If you need further help, do not hesitate to ask or please open a new thread on my forum at http://kpytko.pl/forum under the Active Directory -> Domain Services category

      Regards,
      Krzysztof

       
  16. Rahul says :

    Hi, my question is,
    can we promote 1 DC to another DC when both are on a different OS?
    Meaning one on Windows Server 2012 and the other one on Windows Server 2003.
    Is it possible or not?
    If possible, then how?
    Thanks in advance.

     
    • kpytko says :

      Do you mean in-place upgrade? Where you have Domain Controller based on Windows Server 2003 and you wish to upgrade it to 2012/2012R2?
      If so, no, you cannot do in-place upgrade between these OSes.

      If you mean to have 1 DC based on 2003 and the second on 2012/2012R2, then you can. But since Windows Server 2012 was released, you cannot deploy a new forest/domain and use it with a mix of Windows Server 2003 DCs. The lowest possible FFL is Windows Server 2008.

      But… when you have deployed forest/domain on Windows Server 2003 and your FFL is at this level, you will be able to promote additional DC based on Windows Server 2012/2012R2 operating system. That means, you need to have at least one running Windows Server 2003 DC in a domain where you wish to promote new 2012/2012R2 DC.

      Regards,
      Krzysztof

       
  17. Abbas Sharifi says :

    very nice
    and
    thank you

     
  18. Jhanson says :

    Great article! I used it to add the roles and features I will need for a backup DC. Then I started reading the replies and came across the reply regarding promoting a DC from a 2003 server to a 2012R2 server. So, the issue is obvious: 2003 is not going to have support, so we are planning to migrate the primary DC to a new server. We already have the backup DC on Windows 2008 R2 Server, but we have a new 2012 R2 server as well. Can we promote the 2008R2 as the primary DC and make the 2012R2 the backup, since the 2012 can’t be the primary?
    Thank you

     
    • kpytko says :

      Thank you!

      yes of course, this scenario would work without any issues.
      You may consider transferring FSMO roles to 2012R2 and using some of the new features introduced with that Windows version, like:

      • the possibility to clone Windows Server 2012/2012R2 Domain Controllers
      • or the extended RID pool

      But if you won’t do that, nothing wrong would happen. 2008R2 and 2012R2 DCs will work together.

      Regards,
      Krzysztof

       
  • Abhishek Bula says :

    Hi,

    I have 6 DCs in different locations, all replicated to each other.
    DNS is also replicated: if I create any A record, it is replicated to the other DCs.

    I just want to separate some DNS entries, because all of them are replicated via IPsec. If I change a DNS entry on one DNS server, it is automatically replicated to all the other DCs.
    Suppose I want to resolve the mail server DNS entry mail.abc.com to the internal IP 192.168.1.2 at my DC1,
    but I want DC-2 to resolve the external IP of my mail server.

    Please suggest whether it is possible or not, and if yes, then how we can achieve this task.

    Thanks
    Abhishek

     
  • Om Shivhare says :

    Hello,

    You can watch a video here

    https://www.youtube.com/watch?v=Jmx3upCNuFo

     
  • akhil says :

    Thanks for providing us ADC information….

    I have a DC on Server 2012 and also an Exchange server. I want to add an additional domain controller. Can I follow the above-mentioned steps, or do I need any precautions before installing the ADC?

     
  • John ful says :

    good stuff, thank you

    I have a 2003 DC and I have upgraded to 2012 Standard. I have gone through all the steps but have stopped, as I am unclear about the removal of 2003.

    My wish is to shut down 2003 and use its IP address on the 2012 system (both have static) so as not to change settings on local users.

    Also, does Option 006 do this for me?

     
  • David says :

    Thank you for this informational post. I found it very helpful in setting up a 2012R2 BDC in my home.

    I did get a warning message that prompted me to do another Google search, and perhaps other users might receive the same warning message during the configuration process (especially those in a closed-lab or home environment):

    “A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server.”

    If you receive this message, not to worry – it can safely be ignored if you don’t need computers from outside of the domain to be able to resolve names within your domain. I ignored the message and finished the installation, and after a reboot I now have a backup domain controller.

    Thanks again!

    David from Nebraska

     
  • Lindsey Doyle says :

    My effort to add a 2nd domain controller failed repeatedly when run on the machine being promoted. However, when I went to the first DC and looked at the Server Manager list, it showed that the new server running Active Directory needed to be promoted. The same sequence (shown in this article) worked perfectly to promote the remote server but would not succeed when logged on locally to that server.

     
  • Dan says :

    My Primary Domain Controller is 2003 and I have a 2012 HyperV server with DHCP, AD, DNS roles installed. Can I transfer the FSMO roles from the 2003 to the 2012 server?

    Or could I keep the 2003 running and activate the 2012 DHCP scope?

     
  • balis says :

    Nice post!
    Worked for me…

    Thank you

     
  • Joe says :

    After looking at post after post this is the only one that was clear and concise! Thank you so much!

     
  • Kristian says :

    Hi. Novice SysAdmin trying to promote a secondary Windows Server to a secondary DC. I would like to be able to have DNS working if the PDC goes down. The article skipped some things with regard to DNS. If the PDC goes down, will the SDC be able to fulfill DNS requests? Is there another article you have that would be able to help me?

     
  • Brenden Ward says :

    Hi, I have a domain controller on Server 2008 R2 and I am looking to first add a new DC on Server 2012 R2; once it is added and replicated, make the Server 2012 R2 one the master and then make the Server 2008 one the slave. Is this possible? Ideally, once the Server 2012 R2 version is running, I want to eventually stop the Server 2008 R2 server, leaving just the new one running.
    Is this possible? Are there any risks or problems I might have?

    Thanks

     
  • COCL says :

    Hi,

    What is the best practice for the Preferred DNS server and Alternate DNS server IP addresses on DC01 and DC02?

     
    • iSiek says :

      Hi,

      everything depends on your infrastructure and company requirements.
      If there are no restrictions and you are using Windows Server DNS servers, it is good to point the primary DNS server to DC1’s own IP, then the alternative to the remote DNS (DC2), and as a third the loopback interface IP address (127.0.0.1)

      This order should allow your Domain Controllers to be able to resolve DNS names properly.

      Krzysztof

       