How to Add a New Domain Controller to an Existing Domain


As an IT Pro, it is highly likely that you’ve needed to add additional domain controllers (DCs) to your Active Directory environment. In this guide, we’ll demonstrate how to add a domain controller to an existing domain. We’ll also detail how to add a new domain controller to create a child domain in your existing forest, and how to add a new domain controller as a new forest.

You may not know that there are several high-level scenarios when promoting a server to a DC. The most common one is adding an additional DC to an existing domain.

How to add a new domain controller to an existing domain

There are several reasons you may want to add a new domain controller to an existing domain: adding redundancy, migrating a DC from old hardware to a fresh new server, and so on. I’ll take you through those steps first.

Initial configuration

We’ll start in my Windows Server 2022 – Hyper-V Lab environment. I have 3 existing Domain Controllers (DCs) running as Hyper-V VMs on my Windows 11 host computer. I’ve built a new Windows Server 2022 Datacenter server (WS22-DC4) and added it to my domain – reinders.local.

Here, the only prerequisites are that you need to have an existing domain with domain controllers. I know… but I wanted it stated for completeness. 😉

Our new, soon-to-be domain controller…

Installation

The first step we’ll do is click the Start button, then click on Server Manager, then click the ‘(2) Add roles and features’ link.

Using Server Manager to add the Active Directory Domain Services role

You can click Next three times to move through the introductory screens and choose the option to make changes to the local server.

After placing a checkmark in ‘Active Directory Domain Services’, you can include all the required services

On the screen that follows, put a checkmark in the 2nd option above – Active Directory Domain Services (AD DS). When the second pop-up opens, you can click ‘Add Features’ and then click Next.

On the ‘Select features’ screen, click Next.

Learning more about the AD DS role…

Click Next again and you’ll reach the ‘Confirm installation selections’ screen. Go ahead and click the Install button!

Here is our summary screen before Install

We can watch the lovely Installation progress and click Close when it’s over.

Progress of our AD DS role installation

Configuration

Next, you should notice the yellow warning symbol in the upper-right corner. Click that, and you’ll see we have a ‘Post-deployment Configuration’ process to go through. Click the ‘Promote this server to a domain controller’ link.

Starting the domain controller promotion wizard

The AD DS Configuration Wizard will then open.

Choosing our Deployment Configuration

When the Active Directory Domain Services Configuration Wizard was launched, it ran a few quick queries against our environment. The wizard discovered that this server is a member server in the ‘reinders.local’ domain, so it assumes we want to promote it as another domain controller for that domain. Because this is the scenario we are describing, we can proceed and click Next.

Domain Controller Options screen – Choosing a Site and entering our DSRM password

I chose the location of this new DC to be in my ‘Reinders-HQ’ site from the dropdown and entered my Directory Services Restore Mode (DSRM) password. I then clicked Next.

DNS Options screen – this warning is common

On the DNS Options screen, we’ll see a warning that a delegation for this DNS server cannot be created. This is very common with the default settings and can be ignored. Click Next.

Additional Options screen

On the Additional Options screen, we should be able to keep the defaults and click Next.

The Paths screen – you can change the location of critical Active Directory files and log files

Here on the Paths screen, in a more robust environment, you would want to place the Database folder, the Log files folder, and the SYSVOL folder on separate physical volumes/disks so that one full or failed disk does not take all three down together. For our demo purposes, I’ll keep the defaults and click Next.

On the Review Options screen, we can click Next after verifying all the appropriate information

We’re almost there – don’t worry. On the Review Options screen, you can examine the selections, use the scroll bar to view all the info, and even view the PowerShell script the wizard will run in the background.

The PowerShell script to add our new domain controller to our domain

This opens a lot of potential for more automated and repeatable scripting if you happen to be on a team of engineers responsible for adding dozens or even hundreds of domain controllers in your enterprise environment. The possibilities are truly endless…

Back in our wizard, click Next, and we’re at the Prerequisites Check screen. Everything passed, so click Install!

On the Prerequisites Check screen, we’re green – ready to rock!

Here is a progress screen…

Our DC is being built in front of our eyes!

And, we’re done, and a forced reboot is imminent…

A forced reboot is part of the process – and away we go!

After the reboot, the login screen is different. By default, it is ready for me to log in as the Domain Administrator for my reinders.local domain (REINDERS).

The Login Screen is new – logging into the domain!

I logged in, opened Active Directory Users and Computers from the Administrative Tools menu, and clicked on the ‘Domain Controllers’ folder in AD. There we go!

There’s our fourth DC!

WS22-DC4 is now officially a domain controller! See? Easy as cake… ‘PIE’… easy as pie… right.
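The same promotion done from PowerShell, as an added example rather than the wizard’s own generated script. It uses the article’s values (domain reinders.local, site Reinders-HQ, new DC WS22-DC4) as assumptions, runs the wizard’s prerequisite check first, and ends with the post-reboot checks I would run before trusting the new DC in production.

```powershell
# Added example, not the wizard's generated script. Assumed values from the article:
# domain reinders.local, site Reinders-HQ, new server WS22-DC4.
# Run in an elevated PowerShell session on the server being promoted.

# 1. Install the AD DS role binaries plus the RSAT tools ('Add roles and features').
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Gather secrets interactively so neither password ends up in the script or in history.
$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString
$domainAdmin  = Get-Credential -Message 'Account with Domain Admins rights in reinders.local'

# 3. Promotion parameters, mirroring the wizard defaults: DNS and Global Catalog on,
#    no DNS delegation (the warning the article mentions), default paths.
#    Splatting keeps every choice visible for review before anything runs.
$promote = @{
    DomainName                    = 'reinders.local'
    SiteName                      = 'Reinders-HQ'
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    CreateDnsDelegation           = $false
    CriticalReplicationOnly       = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Credential                    = $domainAdmin
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true   # skips the confirmation prompt; the reboot still happens
}

# 4. Same prerequisite check the wizard runs; refuse to continue on anything but Success.
$check = Test-ADDSDomainControllerInstallation @promote
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Prerequisite check failed; server was not promoted.'
}

# 5. Promote. The server reboots on completion, exactly as in the wizard.
Install-ADDSDomainController @promote

# 6. After the reboot, from any DC, confirm the new DC is registered, is a GC, and replicates:
#    Get-ADDomainController -Identity 'WS22-DC4' |
#        Select-Object Name, Site, IsGlobalCatalog, OperatingSystem
#    repadmin /replsummary
#    dcdiag /s:WS22-DC4 /q
```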

How to add a domain controller as a new child domain in your forest

The second scenario we’ll cover in this guide is adding a new (child) domain to an existing forest. If you have, for example, contoso.com as your single forest domain, you may want to add some logical separation. You can add a child domain, corp.contoso.com, to your forest during the DC promotion wizard.

Initial status

This scenario requires you to have an existing domain/forest already in your environment. For example, reinders.local is my forest-root domain. It was built when I created (promoted) my first DC in my lab environment (We’ll go through this, in a way, in our third and final scenario).

All we need to do is build another Windows Server 2022 Datacenter server and confirm it has LAN access to our existing domain. I’ve built another one of these servers and named it WS22-CHILD-DC01. (Phew, JUST made it at the 15-character NetBIOS limit…) 🙂

The next contestant on the domain controller train

Configuration

I already went through the process of adding the Active Directory Domain Services (AD DS) role in the previous example, so I won’t go through it in detail here. I added the role and I am starting at the wizard for promoting the server as a domain controller.

Putting in the details of our existing and new domain

I chose the second option – ‘Add a new domain to an existing forest.’ I then typed in my existing forest domain – ‘reinders.local’ – and named our new child domain ‘corp’.

Remember, the wizard only asks for the leftmost label of the new domain. If you type in ‘corp.reinders.local,’ it will give you an error. It only wants the new part; it will automatically build the full DNS name – ‘corp.reinders.local’.

On the Domain Controller Options screen, the Domain functional level can only be ‘Windows Server 2016’ in my lab. You will undoubtedly need to make a choice in your test and/or production environments. My advice – choose a level as high as you can. (Note – Windows Server 2016 is the highest possible level at this time. Another side note – there have been very few changes to the AD DS role since Windows Server 2012 R2…). I entered my DSRM password and clicked Next.

Choosing our Domain Controller Options

On the DNS Options screen, the wizard will automatically create a DNS delegation in our parent zone (reinders.local).

DNS Options – DNS delegation to be created

On the Additional Options screen, we verify that ‘CORP’ is the NetBIOS domain name. Click Next.

Verifying ‘CORP’ as our NetBIOS domain name

I clicked Next on the Paths screen and got to the Review Options section. I clicked View script to show you the script for this scenario, then clicked Next. (Did you notice the ‘DomainMode’ attribute? “Threshold” was the Microsoft codename for several of the Windows 10 versions, and Windows Server 2016 is based on Windows 10 version 1607.)

On the Review Options screen and the PowerShell script for our scenario!

We can verify everything on the Prerequisites Check screen, and after doing that we’re ready for launch! Click Install. (The server will automatically reboot as it warns you at the bottom of the window.)

Prerequisites Check is complete. We are go for launch!

During the progress, we can see the replication of objects from reinders.local to our new child domain, corp.reinders.local.

The domain controller is being configured and installed

After the server rebooted, I logged into WS16-DC1, one of my DCs in our parent domain – reinders.local. I opened Active Directory Users and Computers (ADUC), right-clicked on the reinders.local domain tree, and clicked Change Domain…

Changing the domain to view in ADUC

I clicked the ‘Browse…’ button and expanded ‘reinders.local’. There’s our new child domain, corp.reinders.local!

Accessing corp.reinders.local!

To verify a few more things, I clicked the Domain Controllers folder and there’s our new domain controller – WS22-CHILD-DC01. Very good!

Now, I won’t go through it here, but make sure you add at least one more domain controller to this new domain. It is a separate domain with its own Group Policies, password policies, groups, users, computers, printers, etc. If this single DC goes down, your domain is toast. Just a friendly reminder. 😉
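The child-domain scenario as a PowerShell script, again an added example and not the wizard’s generated one. It assumes the article’s names (parent reinders.local, child corp, NetBIOS CORP, server WS22-CHILD-DC01), uses the ‘WinThreshold’ value that the wizard’s script shows as DomainMode, and closes with checks that the delegation the wizard promised actually resolves.

```powershell
# Added example, not the wizard's generated script. Assumed values from the article:
# parent reinders.local, child label 'corp', NetBIOS CORP, server WS22-CHILD-DC01.
# Run elevated on the new server after Install-WindowsFeature AD-Domain-Services -IncludeManagementTools.

$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString
# Creating a domain in an existing forest requires Enterprise Admins rights in the forest root,
# so this account is far more sensitive than the Domain Admins account used for an extra DC.
$entAdmin = Get-Credential -Message 'REINDERS Enterprise Admins account'

$child = @{
    DomainType                    = 'ChildDomain'
    NewDomainName                 = 'corp'            # leftmost label only, exactly as the wizard expects
    ParentDomainName              = 'reinders.local'
    NewDomainNetbiosName          = 'CORP'
    DomainMode                    = 'WinThreshold'    # the "Threshold" (Windows Server 2016) level
    InstallDns                    = $true
    CreateDnsDelegation           = $true             # here the delegation IS created, in the parent zone
    Credential                    = $entAdmin
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true
}

# Prerequisite check first; a failed check must never be followed by the install.
$check = Test-ADDSDomainInstallation @child
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Prerequisite check failed; child domain was not created.'
}

# Create corp.reinders.local and promote this server as its first DC (reboots when done).
Install-ADDSDomain @child

# After the reboot, from a parent-domain DC, confirm the domain exists and the delegation works:
#    Get-ADDomain -Identity 'corp.reinders.local' |
#        Select-Object DNSRoot, NetBIOSName, DomainMode, ParentDomain
#    Resolve-DnsName -Name 'corp.reinders.local' -Type NS
# Then add a second DC to the child right away, e.g. on another server:
#    Install-ADDSDomainController -DomainName 'corp.reinders.local' -InstallDns -Credential $entAdmin `
#        -SafeModeAdministratorPassword $dsrmPassword -Force
```

A child domain with a single DC has no replication partner, so there is nothing to fail over to and nothing to restore from except a DSRM backup; the second DC is not optional.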

How to add a new domain controller into a new forest

The third scenario we’ll go through in this guide is adding a new forest to your existing environment. There may be compliance or security requirements that dictate adding a new forest.

Note that you can add forest trusts, too. If you have an existing forest, contoso.com, you can add another forest, northwindtraders.com, and optionally build a trust between them, all within your LAN environment.

Initial status

In our final scenario, we will be adding a new forest to an environment. There are several logical designs that call for this option. If you are starting out completely from scratch, this is the only option you will have – adding your first domain controller and creating your very first (forest-root) domain.

Another scenario would be if you need a more defined separation of domains. If you are merging with another corporation, you may want to add a new forest in a test setting – this allows complete separation between your forest domain structure and your testing. However, as I stated previously, you’ll be able to create forest trusts that allow users in one forest to log in (seamlessly) to computers in the other forest.

I have built another Windows Server 2022 Datacenter Hyper-V VM and named it WS22-FOREST-DC1.

Our 3rd and final server, ready for promotion – WS22-FOREST-DC1

Again, I went and added the Active Directory Domain Services role and started the wizard to promote the server to a domain controller.

Configuration

Choosing to create a whole new, independent forest – reinderscorp.local

I chose the third option – ‘Add a new forest’ – and entered ‘reinderscorp.local’ as the domain name. I clicked Next.

Choosing our functional levels and entering our DSRM password…again… 🙂

Here, you can see you have options for the forest functional level. If you have a requirement to include domain controllers running older versions of Windows Server, you need to make that adjustment now: you can’t go back after the fact and lower the level. You can only raise these levels. I will keep mine at the Windows Server 2016 level, enter my DSRM password and click Next.

On the DNS Options screen, as in previous scenarios, it will give you the common warning about not being able to create a DNS delegation. That’s because there is no parent (DNS) domain name to contact. The Additional Options screen only shows the NetBIOS domain name for us – ‘REINDERSCORP’. And on the Paths screen, I accepted the defaults and clicked Next.

The Review Options screen shows our new forest in all its glory – including the PowerShell script!

On the Review Options screen, we can see all the planned configurations of our new forest. I clicked the View script button again to see the PowerShell script that will run in the background momentarily. Then I clicked Next.

The Prerequisites Check screen says we’re good to go!

We can now click the Install button on the Prerequisites Check screen as we are approved to proceed by the trusted Microsoft engineers. 🙂

Setup completed successfully – Reboot coming right up!

After the server reboots, I log in as the Administrator and confirm all is as expected.

Our new forest is ‘fully operational and all of its circuits are functioning perfectly’ – 🙂
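The new-forest scenario scripted, as an added example that is not the wizard’s output. It assumes the article’s reinderscorp.local / REINDERSCORP names, pins both functional levels explicitly because they are the one-way decision the text warns about, and reads them back after the reboot so the choice is recorded rather than assumed.

```powershell
# Added example, not the wizard's generated script. Assumed values from the article:
# new forest reinderscorp.local, NetBIOS REINDERSCORP, server WS22-FOREST-DC1.
# Run elevated on the new server after Install-WindowsFeature AD-Domain-Services -IncludeManagementTools.
# No domain credential is needed: the local Administrator of this server becomes the forest's first admin.

$dsrmPassword = Read-Host -Prompt 'DSRM password' -AsSecureString

$forest = @{
    DomainName                    = 'reinderscorp.local'
    DomainNetbiosName             = 'REINDERSCORP'
    ForestMode                    = 'WinThreshold'  # Windows Server 2016 forest functional level
    DomainMode                    = 'WinThreshold'  # cannot be lower than ForestMode; raise-only later
    InstallDns                    = $true
    CreateDnsDelegation           = $false          # no parent zone exists, hence the wizard's warning
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    Force                         = $true
}

# The functional level is the one setting here you cannot walk back, so fail loudly
# if it was changed to something other than the level this script was reviewed with.
if ($forest.ForestMode -ne 'WinThreshold') {
    throw "ForestMode '$($forest.ForestMode)' differs from the reviewed value; aborting."
}

$check = Test-ADDSForestInstallation @forest
if ($check.Status -ne 'Success') {
    $check.Message | Write-Warning
    throw 'Prerequisite check failed; forest was not created.'
}

# Creates the forest-root domain and promotes this server as its first DC; reboots on completion.
Install-ADDSForest @forest

# After the reboot, record what was actually built (the levels shown here are now the floor):
#    Get-ADForest | Select-Object Name, ForestMode, RootDomain, SchemaMaster
#    Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator
```

Raising a level later is `Set-ADForestMode` / `Set-ADDomainMode`; there is no supported path back down, which is why the check above sits before the install rather than after it.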

Conclusion

Well, there you have it. I hope this guide to installing domain controllers in your Active Directory environment was helpful to you and your team. If you have any questions or comments, please feel free to leave a comment below.

Thank you!