As an IT Pro, it is highly likely that you’ve needed to add domain controllers (DCs) to your Active Directory environment. In this guide, we’ll demonstrate how to add a domain controller to an existing domain. We’ll also detail how to promote a new domain controller to create a child domain in your existing forest, and how to promote a new domain controller to create a new forest.
There are several high-level scenarios to choose from when promoting a server to a DC. The most common scenario is adding another DC to an existing domain.
There are several reasons you may want to add a new domain controller to an existing domain: adding redundancy, migrating a DC from old hardware to a fresh new server, etc. I’ll take you through those steps first.
We’ll start in my Windows Server 2022 – Hyper-V Lab environment. I have 3 existing Domain Controllers (DCs) running as Hyper-V VMs on my Windows 11 host computer. I’ve built a new Windows Server 2022 Datacenter server (WS22-DC4) and added it to my domain – reinders.local.
Here, the only prerequisites are that you need to have an existing domain with domain controllers. I know… but I wanted it stated for completeness. 😉
The first step we’ll do is click the Start button, then click on Server Manager, then click the ‘(2) Add roles and features‘ link.
You can click Next three times to move through the introductory screens and choose the option to make changes to the local server.
On the screen that follows, put a checkmark next to Active Directory Domain Services (AD DS). When the pop-up opens asking to add the required features, click ‘Add Features’ and then click Next.
On the ‘Select features‘ screen, click Next.
Click Next again and you’ll reach the ‘Confirm installation selections‘ screen. Go ahead and click the Install button!
We can watch the lovely Installation progress and click Close when it’s over.
Next, you should notice the yellow warning symbol in the upper-right corner. Click that, and you’ll see we have a ‘Post-deployment Configuration‘ process to go through. Click the ‘Promote this server to a domain controller‘ link.
The AD DS Configuration Wizard will then open.
When the Active Directory Domain Services Configuration Wizard was launched, it performed a few quick queries to our environment. The wizard discovered that this server is a member server in the ‘reinders.local’ domain. It assumes we want to promote this server as another domain controller. Because this is the scenario we are describing, we can proceed and click Next.
I chose the location of this new DC to be in my ‘Reinders-HQ’ site from the dropdown and entered my Directory Services Restore Mode (DSRM) password. I then clicked Next.
On the DNS Options screen, we’ll see a warning that a delegation for this DNS server cannot be created. By default, this is very common and can be ignored. Click Next.
On the Additional Options screen, we should be able to keep the defaults and click Next.
Here on the Paths screen, in a more robust environment, you would want to place the Database folder, the Log files folder, and the SYSVOL folder on separate physical volumes/disks. For our demo purposes, I’ll keep the defaults and click Next.
We’re almost there. On the Review Options screen, you can examine the selections, use the scroll bar to view all the information, and even view the PowerShell script the wizard will run in the background.
This opens a lot of potential for more automated and robust scripting if you happen to be on a team of engineers responsible for adding dozens or even hundreds of domain controllers in your enterprise environment. The possibilities are truly endless…
Back in our wizard, click Next, and we’re at the Prerequisites Check screen. Everything passed so click Install!
Here is a progress screen…
And, we’re done, and a forced reboot is imminent…
After the reboot, the login screen is different. By default, it is ready for me to log in as the Domain Administrator for my reinders.local domain (REINDERS).
I logged in, opened Active Directory Users and Computers from the Administrative Tools menu, and clicked on the ‘Domain Controllers‘ folder in AD. There we go!
WS22-DC4 is now officially a domain controller! See? Easy as cake… ‘PIE’… easy as pie… right.
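The same promotion done from PowerShell, as an added example that is not the wizard's generated script or the author's own code. It mirrors the choices made in the wizard above (reinders.local, the Reinders-HQ site, default paths) and uses the ADDSDeployment cmdlets the wizard itself calls; the domain-admin credential and DSRM password are prompted for rather than stored in the script.

```powershell
# Run elevated on the member server (WS22-DC4) that you want to promote.
# Step 1: the 'Add roles and features' part, including the RSAT tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# Step 2: the wizard's answers, expressed as cmdlet parameters.
$params = @{
    DomainName                    = 'reinders.local'
    SiteName                      = 'Reinders-HQ'
    Credential                    = (Get-Credential -Message 'REINDERS domain admin')
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'DSRM password')
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # the delegation warning on the DNS Options screen
    NoGlobalCatalog               = $false   # keep the Additional Options defaults (GC = yes)
    CriticalReplicationOnly       = $false
    DatabasePath                  = 'C:\Windows\NTDS'    # separate volumes in production
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    NoRebootOnCompletion          = $false   # reboot automatically, as the wizard does
    Force                         = $true    # suppress the confirmation prompts
}

# Step 3: the Prerequisites Check screen. Stop if anything is not a clean pass.
$prereq = Test-ADDSDomainControllerInstallation @params
$prereq.Message
if ($prereq.Status -ne 'Success') {
    throw 'Prerequisites check did not succeed; not promoting this server.'
}

# Step 4: the promotion itself. The server reboots when it completes.
Install-ADDSDomainController @params

# After the reboot, log in as REINDERS\Administrator and confirm the new DC is
# registered, in the right site, and a global catalog, instead of (or as well as)
# looking in the Domain Controllers folder in ADUC.
Get-ADDomainController -Filter * -Server 'reinders.local' |
    Select-Object Name, Site, IsGlobalCatalog, OperatingSystem |
    Format-Table -AutoSize
```

The last command is what to run again if replication looks slow: a DC that is missing from the list, or shows IsGlobalCatalog as False when you expected True, is the first thing to chase.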
The second scenario we’ll cover in this guide is adding a new (child) domain to an existing forest. If you have, for example, contoso.com as your single forest domain, you may want to add some logical separation. You can add a child domain, corp.contoso.com, to your forest during the DC promotion wizard.
This scenario requires you to have an existing domain/forest already in your environment. For example, reinders.local is my forest-root domain. It was built when I created (promoted) my first DC in my lab environment (We’ll go through this, in a way, in our third and final scenario).
All we need to do is build another Windows Server 2022 Datacenter server and confirm it has LAN access to our existing domain. I’ve built another one of these servers and named it WS22-CHILD-DC01. (Phew, JUST made it at the 15-character NetBIOS limit…) 🙂
I already went through the process of adding the Active Directory Domain Services (AD DS) role in the previous example, so I won’t go through it in detail here. I added the role and I am starting at the wizard for promoting the server as a domain controller.
I chose the second option – ‘Add a new domain to an existing forest.’ I then typed in my existing forest domain – ‘reinders.local‘ and named our new child domain – ‘corp‘.
Remember, the wizard is only asking for the leftmost label of the new domain name. If you type in ‘corp.reinders.local,’ it will give you an error. It only wants the first part and will build the DNS name – ‘corp.reinders.local’ – automatically.
On the Domain Controller Options screen, the Domain functional level can only be ‘Windows Server 2016‘ in my lab. You will undoubtedly need to make a choice in your test and/or production environments. My advice – choose a level as high as you can. (Note – Windows Server 2016 is the highest possible level at this time. Another side note – there have been very few changes to the AD DS role since Windows Server 2012 R2…). I entered my DSRM password and clicked Next.
On the DNS Options screen, the wizard will automatically create a DNS delegation in our parent zone (reinders.local).
On the Additional Options screen, we verify that ‘CORP’ is the NetBIOS domain name. Click Next.
I clicked Next on the Paths screen and got to the Review Options section. I clicked View script to show you the script for this scenario. I then clicked Next. (Did you notice the ‘DomainMode’ attribute? “Threshold” was the Microsoft codename for several of the Windows 10 versions. Windows Server 2016 is based on Windows 10 version 1607).
We can verify everything on the Prerequisites Check screen, and after doing that we’re ready for launch! Click Install. (The server will automatically reboot as it warns you at the bottom of the window.)
During the progress, we can see the replication of objects from reinders.local to our new child domain, corp.reinders.local.
After the server rebooted, I logged into WS16-DC1, one of my DCs in our parent domain – reinders.local. I opened Active Directory Users and Computers (ADUC), right-clicked on the reinders.local domain tree, and clicked Change Domain…
I clicked the ‘Browse…‘ button and expanded ‘reinders.local’. There’s our new child domain, corp.reinders.local!
To verify a few more things, I clicked the Domain Controllers folder and there’s our new domain controller – WS22-CHILD-DC01. Very good!
Now, I won’t go through it here, but make sure you add at least one more domain controller to this new domain. Remember that this is a separate domain with its own Group Policies, password policies, groups, users, computers, printers, etc. If this DC goes down, your domain is toast. Just a friendly reminder. 😉
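The child-domain scenario scripted, as an added example (not the wizard's generated script). It creates corp.reinders.local on WS22-CHILD-DC01 with the same answers given in the wizard above, and after the reboot it checks the reminder just made: that the new domain has more than one domain controller. The credential must be a member of Enterprise Admins in the parent forest, which is an assumption about your environment.

```powershell
# Run elevated on WS22-CHILD-DC01 after the AD DS role has been added.
Import-Module ADDSDeployment

$params = @{
    NewDomainName                 = 'corp'            # leftmost label only; the wizard rejects the FQDN
    ParentDomainName              = 'reinders.local'
    DomainType                    = 'ChildDomain'
    NewDomainNetbiosName          = 'CORP'
    DomainMode                    = 'WinThreshold'    # "Threshold" = the Windows Server 2016 level
    Credential                    = (Get-Credential -Message 'Enterprise Admins member in reinders.local')
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'DSRM password')
    InstallDns                    = $true
    CreateDnsDelegation           = $true             # delegation is created in the parent zone
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Force                         = $true
}

# Creates the domain and promotes this server as its first DC; reboots when done.
Install-ADDSDomain @params

# --- After the reboot, from any DC in the forest ---
# The child should now appear in the forest's domain list.
(Get-ADForest -Identity 'reinders.local').Domains

# Count the DCs in the new domain and warn if there is no redundancy yet.
$dcs = @(Get-ADDomainController -Filter * -Server 'corp.reinders.local')
$dcs | Select-Object Name, IPv4Address, Site, IsGlobalCatalog | Format-Table -AutoSize
if ($dcs.Count -lt 2) {
    Write-Warning "corp.reinders.local has only $($dcs.Count) domain controller(s). Add another before relying on it."
}
```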
The third scenario we’ll go through in this guide is adding a new forest to your existing environment. There may be compliance or security requirements dictating you to add a new forest.
Note that you can also create forest trusts. If you have an existing forest, contoso.com, you can add another forest, northwindtraders.com, and optionally build a trust between them, all within your LAN environment.
Our final scenario is adding a new forest to an environment. Several logical designs call for this option. If you are starting out completely from scratch, this is the only option you will have – adding your first domain controller and creating your very first (forest-root) domain.
Another scenario would be if you need a more defined separation of domains. If you are merging with another corporation, you may want to add a new forest in a test setting – this will allow complete separation between your forest domain structure and your testing. However, as I stated previously, you’ll be able to create forest trusts that will allow users in one forest to log in (seamlessly) to computers in the other forest.
I have built another Windows Server 2022 Datacenter Hyper-V VM and named it WS22-FOREST-DC1.
Again, I went and added the Active Directory Domain Services role and started the wizard to promote the server to a domain controller.
I chose the third option – ‘Add a new forest‘ and entered ‘reinderscorp.local’ as the domain name. I clicked Next.
Here, you can see you have options with the forest functional level. If you have a requirement to include domain controllers running older versions of Windows Server, you need to make that adjustment now, because you can’t go back after the fact and lower the level. You can only raise these levels. I will keep mine at the Windows Server 2016 level, enter my DSRM password and click Next.
On the DNS Options screen, as in previous scenarios, it will give you the common warning about not being able to create a DNS delegation. That’s because there is no parent (DNS) domain name to contact. The Additional Options screen only shows the NetBIOS domain name for us – ‘REINDERSCORP’. And on the Paths screen, I accepted the defaults and clicked Next.
On the Review Options screen, we can see all the planned configurations of our new forest. I clicked the View script button again to see the PowerShell script that will run in the background momentarily. Then I clicked Next.
We can now click the Install button on the Prerequisites Check screen as we are approved to proceed by the trusted Microsoft engineers. 🙂
After the server reboots, I log in as the Administrator and confirm all is as expected.
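The new-forest scenario scripted, as an added example (not the wizard's generated script). It creates the reinderscorp.local forest on WS22-FOREST-DC1 with the answers given above, and after the reboot reads back the forest and domain functional levels, since those are the one decision here that cannot be undone.

```powershell
# Run elevated on WS22-FOREST-DC1 after the AD DS role has been added.
Import-Module ADDSDeployment

# Functional levels can be raised later but never lowered. Pick the lowest level
# that still admits every DC version you must support; WinThreshold is Server 2016.
$params = @{
    DomainName                    = 'reinderscorp.local'
    DomainNetbiosName             = 'REINDERSCORP'
    ForestMode                    = 'WinThreshold'
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # no parent DNS zone exists to delegate from
    SafeModeAdministratorPassword = (Read-Host -AsSecureString -Prompt 'DSRM password')
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    Force                         = $true
}

# No -Credential is needed: the local Administrator becomes the forest's first admin.
Install-ADDSForest @params

# --- After the reboot, logged in as REINDERSCORP\Administrator ---
# Confirm the levels you chose and that this DC holds the FSMO roles a new forest starts with.
Get-ADForest | Select-Object Name, ForestMode, RootDomain, SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator, RIDMaster, InfrastructureMaster
```

If you later decide the level was too low, Set-ADForestMode and Set-ADDomainMode raise it; there is no cmdlet (or wizard option) for going the other way.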
Well, there you have it. I hope this Ultimate Guide to installing domain controllers in your Active Directory environment was helpful to you and your team. If you have any questions or comments, please feel free to leave a comment below.