Adding an additional Domain Controller
Why do we need to add an additional Domain Controller? The answer is simple: “for service redundancy” or “to improve domain authentication in a remote site”.
In case of server failure, we still have another one which can provide the necessary services in our network, which avoids business disruption.
First of all, we need to install a new box or virtual machine with a server operating system that is supported in the domain environment. To check which Windows Server versions can be installed and promoted as a Domain Controller, we need to check the Domain Functional Level.
To do that, open Active Directory Users and Computers from Administrative Tools on an existing DC and select the domain name. Right-click it and choose “Raise domain functional level”.
Important! Be careful there and do not change anything in the configuration. We only need to check what Domain Functional Level is set. Changes cannot be reverted!
When you choose this option, you will see a window with information about the current Domain Functional Level. If the highest possible DFL is already selected, you cannot change anything. If the DFL is lower than the highest possible, you will see a dropdown box where you can select higher DFL modes. Do not do that! You may disrupt your domain environment.
Check Domain Functional Level
This information tells us that only Windows Server 2008 R2 can be promoted as Domain Controller.
You may find one of these Domain Functional Levels:
- Windows 2000 mixed – this mode supports NT4, Windows 2000 Server, Windows Server 2003
- Windows 2000 native – it doesn’t support NT4 but additionally supports Windows Server 2008 and Windows Server 2008 R2
- Windows Server 2003 – supports Windows Server 2003 and above
- Windows Server 2008 – supports Windows Server 2008 and above
- Windows Server 2008 R2 – only Windows Server 2008 R2 is supported
In this scenario we see that only Windows Server 2008 R2 can be promoted, so we need to use this OS version.
When the server is installed, you have to configure its network card properties before starting the promotion process. As it will be a Domain Controller, the server requires a static IP address from the same subnet, or from a subnet that is routable within the network. As directory services rely on DNS, you need to point the server at the DNS server where the service is running. In this example that server is 192.168.1.1 (a forest root domain DC).
Accept the NIC changes and start dcpromo from the Run box
and follow the Active Directory Installation wizard (use advanced mode)
Skip the screen with information about the NT4 and 2008 R2 security incompatibility
We are adding a new Domain Controller to an existing forest and existing domain, so in this case we need to choose the first option
Provide the DNS domain name to which you want to add the new Domain Controller and specify domain administrator credentials to be able to do that.
Select the domain and click “Next”
Point to the Site in which this DC should be placed (if you are not sure, leave the default; you can change it later)
Choose the additional roles which should be installed on this DC (leave the defaults). If you don’t want to use any of them, you can add them later (but I suggest installing them now). The last, unchecked option is only for a Read-Only Domain Controller, which is outside the scope of this article, so do not check it.
This DNS server is a part of testenv.local (an existing DNS zone), so no action is required. Choose “Yes” and continue
Choose the default option to replicate data from another existing DC in the network.
You can select which Domain Controller the data will be replicated from, but leave the default if you don’t need a specific one.
At this stage, you have to point to where the Active Directory database, logs and other AD related data will be stored. You can choose separate drive(s) for that, but it’s not necessary.
Set up the Directory Services Restore Mode password. It doesn’t have to be the same as the Domain Administrator password or the DSRM password on other Domain Controller(s). This password is used when you need to boot the server in Directory Services Restore Mode to do a non-authoritative/authoritative restore or Active Directory database maintenance.
and start the server promotion by clicking the “Next” button
select the “Reboot on completion” checkbox to reboot the server after the AD installation and wait until it is up and running.
Congratulations! Your additional Domain Controller is ready.
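The same wizard choices (replica in an existing domain, Site, DNS and Global Catalog roles, replication source, database/log/SYSVOL paths, DSRM password, reboot) can be driven unattended, which is handy when the same build is repeated for several sites. The following is an added example and not part of the original article: a PowerShell script for Windows Server 2008 R2 that writes a dcpromo answer file and runs `dcpromo /unattend`. The domain testenv.local and the DNS server 192.168.1.1 come from the article; the Site name, admin account name, source DC name and paths are assumed placeholders.

```powershell
# Added example: unattended promotion of an additional DC with the 2008 R2 dcpromo.
# Values marked ASSUMED are placeholders; change them for your environment.
$DomainName = 'testenv.local'            # existing domain from the article
$SiteName   = 'Default-First-Site-Name'  # ASSUMED: Site the new DC belongs to
$SourceDC   = 'dc01.testenv.local'       # ASSUMED: FQDN of the DC to replicate from
$AdminUser  = 'Administrator'            # ASSUMED: domain admin account

# The NIC must already have a static IP and its DNS client pointed at an
# existing DC (192.168.1.1 in the article); dcpromo locates the domain via DNS.

# DSRM password is prompted, never hard-coded in the script.
$dsrm = Read-Host -Prompt 'DSRM (Directory Services Restore Mode) password'

# [DCINSTALL] keys mirror the wizard pages. Password=* makes dcpromo prompt
# for the domain admin credential instead of storing it in the file.
$answer = @"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainName
SiteName=$SiteName
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
ReplicationSourceDC=$SourceDC
UserDomain=$DomainName
UserName=$AdminUser
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

$path = Join-Path $env:TEMP 'dcpromo-replica.txt'
Set-Content -Path $path -Value $answer -Encoding ASCII

# Run the promotion and wait for it to finish; progress and errors are
# written to C:\Windows\debug\dcpromo.log.
Start-Process -FilePath 'dcpromo.exe' -ArgumentList "/unattend:`"$path`"" -Wait

# The answer file holds the DSRM password: remove it before rebooting.
# RebootOnCompletion=No above is what lets this cleanup run first.
Remove-Item -Path $path -Force
Restart-Computer -Force
```

Run it in an elevated PowerShell session on the new server; review C:\Windows\debug\dcpromo.log before relying on the new DC.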
Author: Krzysztof Pytko