Adding additional Domain Controller


Why do we need to add an additional Domain Controller? The answer is very simple: “for service redundancy” or “to improve domain authentication in a remote Site”.

In case of a server failure, we still have another one that can provide the necessary services in our network, which avoids business discontinuity.

First of all, we need to install a new box or virtual machine with a server operating system that is supported in the domain environment. To check which Windows Server versions can be installed and promoted as a Domain Controller, we need to check the Domain Functional Level.

To do that, open Active Directory Users and Computers on an existing DC from Administrative Tools and then select the domain name. Right-click it and choose “Raise domain functional level”.

Domain Functional Level

Important! Be careful there and do not change anything in the configuration. We only need to check which Domain Functional Level is set up. Changes cannot be reverted!

When you choose this option, you will see a window with information about the current Domain Functional Level. If the highest possible DFL is already selected, you cannot change anything. If the DFL is lower than the highest possible, you will see a dropdown box where you can select higher DFL modes. Do not do that! You may disrupt your domain environment.

Check Domain Functional Level

Domain Functional Level

This information tells us that only Windows Server 2008 R2 can be promoted as a Domain Controller.

You may find one of these Domain Functional Levels:

  • Windows 2000 mixed – this mode supports NT4, Windows 2000 Server and Windows Server 2003
  • Windows 2000 native – it doesn’t support NT4 but additionally supports Windows Server 2008 and Windows Server 2008 R2
  • Windows Server 2003 – supports Windows Server 2003 and above
  • Windows Server 2008 – supports Windows Server 2008 and above
  • Windows Server 2008 R2 – only Windows Server 2008 R2 is supported

In this scenario we see that only Windows Server 2008 R2 can be promoted, so we need to use this OS version.
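The same check done from PowerShell on an existing DC, as an added example that is not part of the original article. It assumes the ActiveDirectory module is available (it is on a 2008 R2 DC; 2003/2008 DCs need the AD Management Gateway Service) and also lists the existing DCs and FSMO holders, which you will want to know before picking a replication source:

```powershell
# Added example, not from the original article: scripted equivalent of the
# "Raise domain functional level" check, run on an existing DC. Read-only.
Import-Module ActiveDirectory   # PowerShell 2.0 does not auto-load modules

$domain = Get-ADDomain
$forest = Get-ADForest

# DomainMode reports "Windows2000Domain" for both 2000 mixed and 2000 native;
# the ntMixedDomain attribute on the domain object tells them apart (1 = mixed).
$mixed = (Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain).ntMixedDomain -eq 1

# Operating systems that can be promoted at each level, per the list above
# (a 2008 R2 level also accepts later releases, which did not exist when the
# article was written).
$promotable = switch ($domain.DomainMode.ToString()) {
    'Windows2000Domain' {
        if ($mixed) { 'NT4, Windows 2000 Server, Windows Server 2003' }
        else        { 'Windows 2000 Server, Windows Server 2003, 2008, 2008 R2' }
    }
    'Windows2003Domain'   { 'Windows Server 2003 and above' }
    'Windows2008Domain'   { 'Windows Server 2008 and above' }
    'Windows2008R2Domain' { 'Windows Server 2008 R2 and above' }
    default               { "unknown level '$_' - check the documentation" }
}

'Domain {0}: DFL = {1}, FFL = {2}' -f $domain.DNSRoot, $domain.DomainMode, $forest.ForestMode
"Versions that can be promoted as a DC here: $promotable"
'FSMO holders: PDC={0}  RID={1}  Infrastructure={2}' -f `
    $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster

# Existing DCs: the new replica will pull its data from one of these, so their
# OS, site and GC status are worth knowing before you choose a replication source.
Get-ADDomainController -Filter * |
    Sort-Object Site, Name |
    Format-Table Name, IPv4Address, Site, OperatingSystem, IsGlobalCatalog -AutoSize
```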

When the server is installed, you have to configure its network card properties before you can start the promotion process. As it is a Domain Controller, the server requires a static IP address from the same subnet or from a subnet that is routable within the network. As directory services rely on DNS, you need to point the server at the DNS server where the service is running. In this example this server is (a forest root domain DC).

Network card configuration

Accept the NIC changes and start dcpromo from the Run box

Running dcpromo

and follow the Active Directory Installation Wizard (use advanced mode)

Active Directory Installation wizard

Skip the screen with information about the NT4 and 2008 R2 security incompatibility

NT4 security incompatibility warning

We are adding a new Domain Controller into an existing forest and existing domain, so in this case we need to choose the first option

Adding DC into existing forest

Provide the DNS domain name to which you want to add the new Domain Controller and specify domain administrator credentials that are allowed to do that.

Choosing domain

Select domain and click “Next”

Choosing domain

Point to the Site in which this DC should be placed (if you are not sure, leave the default; you can change it later)

Selecting a Site for DC

Choose the additional roles that should be installed on this DC (leave the defaults). If you don’t want to use any of them, you can add them later (but I suggest installing them now). The last unchecked option is only for a Read-Only Domain Controller, which is not covered by this article, so do not check it.

Additional roles on a DC

This DNS server is part of testenv.local (an existing DNS zone), so no action is required. Choose “Yes” and continue

DNS delegation warning

Choose the default option to replicate data from another existing DC in the network.

Active Directory data replication

You can select from which Domain Controller the data will be replicated, but leave the defaults if you don’t need a specific one.

At this stage, you have to point to where the Active Directory database, logs and other AD-related data will be stored. You can choose separate drive(s) for that, but it’s not necessary.

Active Directory database location

Set up the Directory Services Restore Mode password. It doesn’t have to be the same as the Domain Administrator account password or the DSRM password on other Domain Controller(s). This password is used when you need to boot the server in Directory Services Restore Mode to do a non-authoritative/authoritative restore or Active Directory database maintenance.

DSRM password

and start the server promotion by clicking the “Next” button

Summary screen

Select the “Reboot on completion” checkbox to reboot the server after the AD installation and wait until it is up and running.

Congratulations! Your additional Domain Controller is ready.

Additional Domain Controller

It’s done.
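The whole wizard sequence above can also be run unattended. The following is an added example, not code from the original article: it applies the NIC settings, checks that the chosen DNS server actually knows the domain, then feeds dcpromo an answer file mirroring each wizard choice. The IP addresses, gateway, NIC name and the DSRM password placeholder are constructed assumptions; testenv.local is the domain from the article.

```powershell
# Added example, not part of the original article: the wizard steps as an
# unattended promotion, run in an elevated PowerShell on the new 2008 R2 server.
# Assumed (constructed) values: existing DC 192.0.2.10, new DC 192.0.2.11/24,
# gateway 192.0.2.1, NIC name "Local Area Connection".
$existingDcIp = '192.0.2.10'
$domainName   = 'testenv.local'

# Step 1: static IP, and DNS pointing at the existing DC (netsh, because the
# NetTCPIP cmdlets do not exist on 2008 R2).
netsh interface ipv4 set address name="Local Area Connection" static 192.0.2.11 255.255.255.0 192.0.2.1
netsh interface ipv4 set dnsservers name="Local Area Connection" static $existingDcIp

# Fail fast if that DNS server cannot return the domain's DC locator record;
# dcpromo would otherwise fail much later with a less obvious error.
$srv = nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domainName" $existingDcIp 2>$null
if (-not ($srv | Select-String 'svr hostname')) {
    throw "No DC SRV record for $domainName via $existingDcIp - fix DNS before promoting"
}

# Step 2: answer file mirroring the wizard choices (replica in existing domain,
# DNS + GC roles, no delegation, default paths, reboot when done).
# '*' makes dcpromo prompt for the admin password instead of storing it here;
# replace the DSRM placeholder before running. dcpromo strips the passwords
# from the file when it finishes.
$answerFile = 'C:\dcpromo-replica.txt'
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$domainName
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=$domainName
UserName=administrator
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=<DSRM-PASSWORD-PLACEHOLDER>
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

dcpromo /unattend:$answerFile

# Step 3 (run after the reboot): confirm the new DC replicates and advertises
# itself before relying on it for redundancy.
#   repadmin /replsummary
#   dcdiag /test:Replications /test:Advertising /test:DNS
```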

Author: Krzysztof Pytko


11 responses to “Adding additional Domain Controller”

  1. kflabs says :

    Did you try to solve errors (if some) or warnings (I think, there are some) shown by “Best Practices Analyzer” after scanning “AD: DS” and “DNS Server” roles?

    It may be good topic for your next posts if you want to write something to beginners.

    • iSiek says :

      No, I don’t, because it’s reserved for another article about BPA 🙂
      So, please be patient and you will see a post about BPA
      Thank you for your interest in that topic.

  2. kflabs says :

    And one mistake:

    “In case of server failure, we still have another one which can provide necessary services in our network, which avoids business continuity.”

    I think you thought about “business discontinuity” in this sentence, didn’t you? 🙂

  3. Jay says :

    In my environment PDC and BDC are in place, but when I shut down the PDC, users are not able to log in to their machines using domain credentials.
    Please let us know the cause of the issue.

    • iSiek says :

      Please check if your clients have an alternate DNS server configured in the NIC’s properties. If they are DHCP clients, then go to the DHCP management console (dhcpmgmt.msc) and under server/scope options (depending on your configuration) check option no. 006. This option is responsible for issuing the DNS servers list to clients. Probably only one DNS IP address is set up, or the second one is inappropriate. Make sure that those IP addresses are only the internal ones. Public DNS servers should be added in the DNS server under the Forwarders tab. After that change, make sure your clients got the new configuration and check again if the problem exists.

  4. Frank says :

    Very clear description !
    I will use this to upgrade an old SBS 2003 (functional level Windows Server 2003 native) to a new physical machine Windows Server 2008 R2.
    I have a question. After finishing this procedure, can I then safely remove the old machine from the network and add another machine w2008 server R2 following this same method? In this way I would have a running backup domain controller on the network.

  5. Frank says :

    Perfect ! So to be sure, decommissioning of the old DC is just removing the machine from the network and no other procedure to follow ?
    The link you added is the same as the one I followed in the first place. But maybe this is what you meant it to be? 🙂
    Tnx for sharing your knowledge ! I appreciate.
    Best regards,

    • kpytko says :

      No, decommissioning means other action but to be sure that new DC was implemented properly and there are no issues after that, it is strongly recommended to shut down the old DC for a week or two. If everything is working fine, you can turn it on and then decommission.

      About the link I provided 🙂 it is for adding an additional Domain Controller but in case your environment was prepared for that earlier. If you want to add a Windows Server 2008/2008R2/2012/2012R2 Domain Controller within your SBS 2003 environment, then you need to follow other steps first 🙂

      Please check these articles on my blog explaining that much more detailed:

      For adding Windows Server 2008/2008R2

      For adding Windows Server 2012/2012R2

      but before you transfer FSMO roles from your SBS to any other Domain Controller, you need to know that after 7 days, your SBS will be rebooting automatically as it is not allowed to use SBS with other DC when FSMO roles are transferred 🙂 Please do not be surprised when you see that 🙂 You have one week to prepare DC migration before SBS reboots regularly. When you remove DC from SBS you would be able to use it as a domain member server.

      I’m glad I can share my knowledge to others who need that 🙂

      If you have any other question, do not hesitate to write!


  6. kpmayannur says :

    nice and descriptive

