Windows Active Directory – Adding Second Controller to an Existing Domain

Purpose

There are two main reasons for adding a second Domain Controller to an existing Active Directory Domain. The first, and most common, is high availability: a second DC replicates the directory so that authentication, Group Policy and DNS keep working when one DC is offline or being patched. The second is to decommission an older Domain Controller after the newer one has been added and has had a chance to replicate fully.

Prerequisites

  • An existing Domain Controller
  • New hardware or Virtual Machine with a freshly installed version of the Windows Server OS
  • The Windows Server installer media, typically in the form of an ISO

Solution

The most important question to answer first is whether the new Domain Controller will run a newer version of Windows Server than the existing one.
If the answer is NO, go straight to Adding New Domain Controller.
If the answer is YES, you must start by updating the Active Directory Schema. (Since Windows Server 2012 the promotion wizard runs adprep for you when the promoting account has the required rights, but running adprep yourself lets you schedule the schema change and confirm it has replicated before the new DC is promoted.)

Updating the Active Directory Schema

Schema Chart

 Server Version           objectVersion
 Windows Server 2012 R2   69
 Windows Server 2016      87
 Windows Server 2019      88
 Windows Server 2022      88

If the schema version is the same, as when adding a Windows Server 2022 Domain Controller to a domain whose existing controllers run Windows Server 2019 (both objectVersion 88), you can skip to Adding New Domain Controller.

Verify Proper Administrator Rights

Open Active Directory Users and Computers
Locate and open the properties of the administrative user you are signed in as

Click on the Member Of tab and verify that Domain Admins, Enterprise Admins and Schema Admins are listed (if not, add them, then sign out and back in so your logon token includes the new groups). Schema Admins should normally have no members; remove your account from it again once the schema update is done.

Locate Server with FSMO Role

Check which Domain Controllers hold the Flexible Single Master Operation (FSMO) roles and that they are online: adprep /forestprep must be able to reach the Schema Master, and adprep /domainprep the Infrastructure Master.
Open an elevated PowerShell session and run the following commands:
Get-ADDomain | FL InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | FL DomainNamingMaster, SchemaMaster

Verify Current AD Schema Version

In an elevated PowerShell session, run the following command:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

Note the version number for comparison after the update.
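The checks above can be scripted. This added example is not from the original article; it runs in an elevated PowerShell session on the existing Domain Controller, lists the FSMO role holders, confirms each answers on LDAP (TCP 389), reports the schema objectVersion with the release name from the chart above, and checks the signed-in account's direct membership in the three groups the adprep steps need. The group names and port are the well-known defaults; the release mapping covers only the versions in the chart.

```powershell
# Added example (not part of the original article). Run elevated on the existing DC.
Import-Module ActiveDirectory

# objectVersion -> release, from the schema chart above (2019 and 2022 both report 88)
$SchemaReleases = @{
    69 = 'Windows Server 2012 R2'
    87 = 'Windows Server 2016'
    88 = 'Windows Server 2019 / 2022'
}

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # adprep /forestprep must reach this DC
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster  # adprep /domainprep must reach this DC
    }
}

function Test-FsmoHoldersOnline {
    # Each role holder must answer on LDAP (TCP 389) or adprep cannot proceed
    $holders = Get-FsmoRoleHolders
    foreach ($role in $holders.PSObject.Properties) {
        $ok = Test-NetConnection -ComputerName $role.Value -Port 389 `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $role.Name; Holder = $role.Value; LdapReachable = $ok }
    }
}

function Get-SchemaVersion {
    # Same query as the article, wrapped so the number can be compared later
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $version  = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
    [pscustomobject]@{
        objectVersion = $version
        Release       = if ($SchemaReleases.ContainsKey($version)) { $SchemaReleases[$version] } else { 'not in chart' }
    }
}

function Test-AdprepRights {
    # Direct memberships only; nested membership is not resolved here. After adding
    # yourself to a group, sign out and back in so your logon token carries it.
    $user   = Get-ADUser -Identity $env:USERNAME
    $groups = (Get-ADPrincipalGroupMembership -Identity $user).Name
    foreach ($required in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
        [pscustomobject]@{ Group = $required; Member = ($groups -contains $required) }
    }
}

Get-FsmoRoleHolders    | Format-List
Test-FsmoHoldersOnline | Format-Table -AutoSize
Get-SchemaVersion
Test-AdprepRights      | Format-Table -AutoSize
```

Any FSMO holder that shows LdapReachable False, or a missing group membership, must be fixed before adprep is run; a stale token (membership added but no re-logon) is the most common reason forestprep is denied.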

Update Schema on Preexisting Domain Controller

On the existing Domain Controller, mount the installation media of the Windows Server version the new DC will run (typically an ISO; the steps below assume it mounted as drive D:).
In an elevated PowerShell session, change to the adprep directory on the media and run forestprep. Run it on, or from a DC that can reach, the Schema Master identified above:
cd D:\support\adprep
.\adprep /forestprep

You will be asked to type “C” and then press the Enter key to continue with the schema extension. When it completes, wait for the change to replicate to every Domain Controller (repadmin /replsummary should show no failures) before going on.

From the same directory run domainprep, which must be able to reach the Infrastructure Master:
cd D:\support\adprep
.\adprep /domainprep

You will be asked to type “C” and then press the Enter key to continue. If either step fails, its log is written under %windir%\debug\adprep\logs.

Verify AD Schema Version Update

In an elevated PowerShell session, run the following command:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

The new version listed should be higher than the initial version you noted
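As an added example, not the article's own commands, the whole schema update can be driven from one elevated PowerShell session on the existing Domain Controller. It mounts the ISO so the drive letter is discovered rather than assumed to be D:, records objectVersion before and after, runs the two adprep steps (you still type C at each prompt), forces replication between them and confirms every DC reports the new schema version before domainprep runs. The ISO path is a placeholder.

```powershell
# Added example (not part of the original article). Run elevated on the existing DC
# that holds, or can reach, the Schema Master. Stop on the first error.
$ErrorActionPreference = 'Stop'
Import-Module ActiveDirectory

$IsoPath = 'C:\ISO\WindowsServer2022.iso'   # assumption: installer media for the NEW DC's OS

function Get-SchemaObjectVersion {
    param([string]$Server = $env:COMPUTERNAME)
    # Same query as the article, optionally against a specific DC
    $schemaNC = (Get-ADRootDSE -Server $Server).schemaNamingContext
    (Get-ADObject -Identity $schemaNC -Properties objectVersion -Server $Server).objectVersion
}

function Invoke-Adprep {
    param([string]$AdprepExe, [string]$Switch)
    # adprep is interactive: it asks you to type C and press Enter. It exits non-zero
    # on failure and logs under %windir%\debug\adprep\logs.
    & $AdprepExe $Switch
    if ($LASTEXITCODE -ne 0) {
        throw "adprep $Switch failed with exit code $LASTEXITCODE; see $env:windir\debug\adprep\logs"
    }
}

function Confirm-SchemaReplicated {
    # Push the change to all DCs now, then refuse to continue if any replication
    # failures are recorded, and show the schema version each DC actually holds.
    repadmin /syncall /AdeP | Out-Null
    $failures = Get-ADReplicationFailure -Scope Forest -Target (Get-ADForest).Name
    if ($failures) {
        $failures | Format-Table Server, Partner, FailureCount, LastError -AutoSize
        throw 'Replication failures present; resolve them before running /domainprep.'
    }
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        [pscustomobject]@{ DC = $dc; objectVersion = Get-SchemaObjectVersion -Server $dc }
    }
}

$before = Get-SchemaObjectVersion
"Schema objectVersion before: $before"

$image  = Mount-DiskImage -ImagePath $IsoPath -PassThru
$drive  = (Get-Volume -DiskImage $image).DriveLetter
$adprep = "${drive}:\support\adprep\adprep.exe"
if (-not (Test-Path $adprep)) { throw "adprep.exe not found at $adprep" }

try {
    Invoke-Adprep -AdprepExe $adprep -Switch '/forestprep'
    Confirm-SchemaReplicated | Format-Table -AutoSize   # every DC must show the new version
    Invoke-Adprep -AdprepExe $adprep -Switch '/domainprep'
}
finally {
    Dismount-DiskImage -ImagePath $IsoPath | Out-Null
}

$after = Get-SchemaObjectVersion
"Schema objectVersion after:  $after"
if ($after -le $before) { throw 'objectVersion did not increase; check the adprep logs.' }
```

If you are moving from 2019 to 2022 the script will stop at the final check because objectVersion stays at 88; that is the case the chart above says needs no schema update at all.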

Adding New Domain Controller

Configure a Static IP

Choose a free IP address on your local area network for the new controller (an address adjacent to your existing AD controller is convenient)
Login to your DHCP server or router and create a static IP reservation for your new server so the address is never handed out to another host
Login to your DNS server and create an A record with its associated PTR record
Login to your new server with your admin credentials
Navigate to Control Panel > Network and Internet > Network and Sharing Center and on the left side click on Change Adapter Settings
Double-click on the Network Interface Controller (NIC) that you wish to use to view its status
Click on the Properties button to view the connection items
Select Internet Protocol Version 4 (TCP/IPv4) and click on the Properties button
Click on the radio-button next to Use the following IP address
Enter the static IP address for your new server, the associated Subnet mask and the Default gateway for your LAN
Click on the radio-button next to Use the following DNS server addresses
For the Preferred DNS server enter the IP of your existing Domain Controller (the server hosting the AD-integrated DNS zone)
Leave the Alternate DNS server blank, or enter another AD-integrated DNS server if one exists, and click on the OK button. Do not enter your router or ISP resolver here: a domain member that falls back to a resolver without the AD zone cannot locate Domain Controllers. After promotion this server's alternate will be its own loopback address (127.0.0.1)
Click on the Advanced button and select the DNS tab
Click on the radio-button next to Append these DNS suffixes (in order)
Click on the Add button, in the Domain suffix field type <yourdomain.com>, click the Add button and click on the OK button
Close the underlying windows by clicking on the OK button, then the OK button and finally the Close button
Click on the Windows button and select settings
Click on Network & Internet, on the left-hand pane click on Ethernet
On the right-hand pane click on the network name i.e. <Network 2>
Under Network profile click on the radio-box next to Private then close the window

Windows Activation

Click on the Windows button and select Settings
Click on System and in the left-hand column select About
In the right-hand pane click on the Change product key or upgrade your Windows edition link
In the right-hand window pane click on the Change product key link
At the Enter your product key pop-up dialog box enter your Windows product key and click Next
At the Activate Windows pop-up dialog box click on the Activate button
Once your Windows server OS has been activated click on the close button

Rename the Server and add to Active Directory

Open Server Manager and click on the existing name link across from Computer name
In the Computer description field type a descriptive name, e.g. Dell PE R250 Win 2022 Svr Std DC, and click on the Apply button
Click on the Change button and in the Computer name field type something like <company initials>-win2022-dc
Under Member of click on the radio-button next to Domain
In the Domain field type <yourdomain.com>
At the prompt enter your Domain Admin credentials and click the OK button
At the Welcome pop-up dialog box click the OK button
At the Restart pop-up dialog box click the OK button
At the System Properties window click on the Close button
In the popup dialog box click on the Restart Now button

Verify DNS

Log back into your new Domain Controller with your admin credentials
Open an elevated PowerShell session and run the following commands:
nslookup <yourdomain.com>
nslookup <dc2.yourdomain.com>

The first lookup should return the IP address of your existing Domain Controller (every DC registers an A record for the bare domain name, so after promotion this server's address will appear there as well). The second lookup, substituting the name you gave the new server, should return the new server's static IP address.

Configure Remote Access

Open Server Manager and in the left-hand pane click on Local Server
Click on the Disabled link to the right of Remote Desktop
Click on the radio-button next to Allow remote connections to this computer, leave Allow connections only from computers running Remote Desktop with Network Level Authentication checked, click the Apply button then click the OK button. This also enables the Remote Desktop firewall rule group; since this server is about to become a Domain Controller, consider scoping that rule to your management subnet
Log out of the new Domain Controller
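The GUI steps in Configure a Static IP, Rename the Server and add to Active Directory and Configure Remote Access can be done from one elevated PowerShell session at the console of the new server. This added example is not from the original article; the adapter name, addresses (from the 192.0.2.0/24 documentation range), domain name, computer name and description are placeholders to replace with your own. It hands the client only AD-integrated DNS, keeps Network Level Authentication required for Remote Desktop, and performs the rename and domain join as one operation followed by the reboot.

```powershell
# Added example (not part of the original article). Run elevated at the console of the NEW server.
$ErrorActionPreference = 'Stop'

# --- assumptions: replace with your own values ---
$Nic          = 'Ethernet'               # see Get-NetAdapter
$IPAddress    = '192.0.2.11'             # address reserved for the new DC
$PrefixLength = 24                       # 255.255.255.0
$Gateway      = '192.0.2.1'
$ExistingDc   = '192.0.2.10'             # existing DC, which is also the AD DNS server
$DomainName   = 'corp.example.com'       # stands in for <yourdomain.com>
$NewName      = 'EX-win2022-dc'          # stands in for <company initials>-win2022-dc
$Description  = 'Dell PE R250 Win 2022 Svr Std DC'

$adapter = Get-NetAdapter -Name $Nic

# 1. Static IPv4: release the DHCP lease, then assign the reserved address and gateway
Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress   -InterfaceIndex $adapter.ifIndex -IPAddress $IPAddress `
                   -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null

# 2. DNS: only AD-integrated resolvers. A router or ISP resolver as alternate makes
#    DC location fail whenever the client falls over to it.
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $ExistingDc
Set-DnsClientGlobalSetting -SuffixSearchList @($DomainName)   # "Append these DNS suffixes (in order)"
Set-NetConnectionProfile   -InterfaceIndex $adapter.ifIndex -NetworkCategory Private

# Fail early if the existing DC does not answer for the domain's DC locator records
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -Server $ExistingDc
"Domain controllers advertised in DNS: $($dcRecords.NameTarget -join ', ')"

# 3. Remote Desktop: enable it, keep NLA required, open only the built-in RDP rule group
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1   # NLA on
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 4. Computer description, then rename + domain join + reboot in one operation
Get-CimInstance -ClassName Win32_OperatingSystem |
    Set-CimInstance -Property @{ Description = $Description }
$cred = Get-Credential -Message "Domain Admin account for $DomainName"
Add-Computer -DomainName $DomainName -NewName $NewName -Credential $cred -Force -Restart
```

After the reboot, sign in with the domain account and run the nslookup checks from Verify DNS. To limit who can reach RDP on the future Domain Controller, scope the rule group with Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress <management subnet>.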

Update the Operating System

Using Remote Desktop log back in to the new Domain Controller using your admin credentials
Click on the Windows button and select Settings
Click on Update & Security and click on the Install Now button to run current updates
Click on the Restart now button once all of the updates have been completed or are awaiting restart
Remote back in to your new Domain Controller and repeat the update process until no more updates are available

Add Active Directory Server Role

Log back into your new Domain Controller with your Administrator credentials
Open Server Manager, in the top right-hand menu click on Manage and select Add Roles and Features
Click on the Next button
With the radio-button selected next to Role-based or feature-based installation click on the Next button
With the server automatically selected click on the Next button
Click on the check-box next to Active Directory Domain Services and click on the Next button
At the Add Features popup window click on the Add Features button
Click on the Next button
At the Select Features window click on the Next button
At the Active Directory Domain Services window click on the Next button
At the Confirm installation selections window click on the Install button
Inside the Installation progress window click on the Promote this server to a domain controller link
At the Deployment Configuration window select the radio-button next to Add a domain controller to an existing domain
Click on the Change button next to Supply the credentials to perform this operation
At the Security popup dialog box enter your Domain Admin credentials and click the OK button
Click on the Next > button
At the Domain Controller Options window leave the check-boxes checked for Domain Name System (DNS) server and Global Catalog (GC)
In the Directory Services Restore Mode (DSRM) password fields type the desired password and record it somewhere safe (it is the only way to sign in to this DC when AD DS is offline for recovery), then click on the Next button
At the DNS Options window the alert “A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found” is expected when you do not host the parent zone; click the Next button
At the Additional Options window Replicate from: Any domain controller is selected by default; you may instead pick the existing DC so the initial replication comes from a known source, then click the Next button
At the Paths window continue with the default paths and click the Next > button
At the Review Options window click on the Next > button (the View script button shows the equivalent Install-ADDSDomainController PowerShell command)
At the Prerequisites Check window read the warnings rather than dismissing them: the usual ones are the DNS delegation warning above and the notice about the default security setting for cryptography algorithms compatible with Windows NT 4.0, both harmless here, while any error must be fixed before the Install button is enabled. Click on the Install button
(Once the installation is completed the server will automatically reboot)
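Role installation and promotion have a scripted equivalent to the wizard above. This added example is not the article's own; it runs in an elevated PowerShell session on the new server after it has joined the domain, installs AD DS with the management tools, runs the same prerequisite check the wizard performs (stopping on errors and printing warnings for you to read), then promotes the server as a DNS server and Global Catalog replicating from a named source DC. The domain name, site name and replication source are placeholders; the paths are the wizard's defaults.

```powershell
# Added example (not part of the original article). Run elevated on the new,
# domain-joined server. The server reboots itself when promotion completes.
$ErrorActionPreference = 'Stop'

$DomainName        = 'corp.example.com'        # assumption, stands in for <yourdomain.com>
$ReplicationSource = 'dc1.corp.example.com'    # assumption: existing DC to replicate from
$SiteName          = 'Default-First-Site-Name' # the site the article checks at the end

# 1. Role plus RSAT tools (equivalent of Add Roles and Features)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# 2. Credentials: a Domain Admin for the promotion, and the DSRM password. Store the
#    DSRM password somewhere recoverable; it is the only way into an offline DC.
$cred = Get-Credential -Message "Domain Admin account for $DomainName"
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode (DSRM) password'

$promo = @{
    DomainName                    = $DomainName
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true               # wizard: Domain Name System checked
    # Global Catalog is on by default; -NoGlobalCatalog would turn it off
    SiteName                      = $SiteName
    ReplicationSourceDC           = $ReplicationSource  # a known source instead of "any domain controller"
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# 3. Prerequisite check: the same tests as the wizard's Prerequisites Check page.
#    Typical warnings are the missing DNS delegation (harmless when the parent zone
#    is not hosted) and the cryptography-algorithms compatibility notice.
$check = Test-ADDSDomainControllerInstallation @promo
$check.Message
if ($check.Status -eq 'Error') {
    throw 'Prerequisite check failed; fix the reported errors before promoting.'
}

# 4. Promote. -Force suppresses the confirmation prompt; the server reboots on completion.
Install-ADDSDomainController @promo -Force
```

Leaving out ReplicationSourceDC reproduces the wizard's default of replicating from any Domain Controller; naming one matters mostly in multi-site forests, where you want the initial replication to come over the fastest link.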

Domain Verification

Log back into your new Domain Controller with your domain admin credentials (from now on, always sign in to it with a domain account)
Wait till Server Manager opens automatically, in the upper-right menu click on Tools and select Active Directory Sites and Services
In the left column expand Sites > Default-First-Site-Name and click on the Servers folder
In the right-hand pane both Domain Controllers should be visible and the DC Type should show GC
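Sites and Services shows both servers, but a practitioner will also want to confirm replication, the SYSVOL and NETLOGON shares, DNS registration and the new DC's own resolver order. This added example is not from the article; it runs in an elevated PowerShell session on the new Domain Controller after its post-promotion reboot and also covers the lookups from Verify DNS, which should now return both controllers. The existing DC's address is a placeholder.

```powershell
# Added example (not part of the original article). Run elevated on the NEW DC after it reboots.
Import-Module ActiveDirectory

$ExistingDc = '192.0.2.10'                 # assumption: the first DC's address
$Domain     = (Get-ADDomain).DNSRoot
$Nic        = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1

# 1. Resolver: this server now hosts AD DNS, so point it at the other DC first and at
#    itself (loopback) second, the recommended order for a DC. Make the mirror-image
#    change on the existing DC (new DC first, loopback second) so each can fail over.
Set-DnsClientServerAddress -InterfaceIndex $Nic.ifIndex -ServerAddresses $ExistingDc, '127.0.0.1'
ipconfig /registerdns | Out-Null

# 2. Both controllers present, both Global Catalogs (the "GC" seen in Sites and Services)
Get-ADDomainController -Filter * |
    Select-Object HostName, IPv4Address, Site, IsGlobalCatalog, OperationMasterRoles |
    Format-Table -AutoSize

# 3. DNS: the bare domain name resolves to every DC, and the DC locator SRV records list both
Resolve-DnsName -Name $Domain -Type A | Select-Object Name, IPAddress
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV | Select-Object Name, NameTarget, Port
Resolve-DnsName -Name $env:COMPUTERNAME -Type A          # this server's own A record

# 4. SYSVOL and NETLOGON are shared only once initial SYSVOL replication has completed;
#    until they appear the DC is not advertising itself for Group Policy and logon scripts
Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue |
    Format-Table Name, Path -AutoSize

# 5. Replication and overall health
repadmin /replsummary                      # per-DC failure counts, all should be 0
repadmin /showrepl                         # per-partition last success from each partner
dcdiag /test:Replications /test:Advertising /test:SysVolCheck /test:DNS /q   # /q prints only errors
```

If the SYSVOL and NETLOGON shares are missing, give initial replication time to finish and check dcdiag /test:SysVolCheck before decommissioning anything; a DC that is not advertising will not be used by clients even though it appears in Sites and Services.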