How to Install a Replica DC in an Existing AD Domain on Windows Server 2003
How do I install a second Domain Controller in my Active Directory domain on my Windows 2003 Server?
First make sure you read and understand Active Directory Installation Requirements. If you don’t comply with all the requirements of that article you will not be able to set up your AD (for example: you don’t have a NIC or you’re using a computer that’s not connected to a LAN).
Note: This article is only good for understanding how to install the SECOND DC in an EXISTING DOMAIN in and EXISTING AD FOREST.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Note: For the installation of the FIRST DC in the AD Domain read How to Install Active Directory on Windows 2003.
Here is a quick list of what you must have:
- An NTFS partition with enough free space
- The Domain Admin’s username and password
- The correct operating system version
- A NIC
- Properly configured TCP/IP (IP address, subnet mask and – optional – default gateway)
- A network connection (to a hub or to another computer via a crossover cable)
- A persistent and un-interrupted connection with the domain’s existing DC
- An operational DNS server which holds the relevant SRV Record information for the AD domain and forest
- The Domain name for the domain that you want to join
- The Windows 2003 CD media (or at least the i386 folder)
- Brains (recommended, not required…)
This article assumes that all of the above requirements are fulfilled.
For a Windows 2000 version of this article please read How to Install a Replica DC in an Existing AD Domain on Windows 2000.
Step 1: Configuring the computer’s TCP/IP settings
You must configure the would-be Domain Controller to use the IP address of the DNS server, so it will point to it when registering SRV records and when querying the DNS database.
- Click Start, point to Settings and then click Control Panel.
- Double-click Network and Dial-up Connections.
- Right-click Local Area Connection, and then click Properties.
- Click Internet Protocol (TCP/IP), and then click Properties.
- Assign this server a static IP address, subnet mask, and gateway address (optional). Enter the DNS server’s IP address in the Preferred DNS server box.
Note: You MUST have an operational DNS server that already serves as the DNS server of the domain/forest.
- Click Advanced.
- Click the DNS Tab.
- Select “Append primary and connection specific DNS suffixes”
- Check “Append parent suffixes of the primary DNS suffix”
- Check “Register this connection’s addresses in DNS”. If this Windows 2000-based DNS server is on an intranet, it should only point to its own IP address for DNS; do not enter IP addresses for other DNS servers here. If this server needs to resolve names on the Internet, it should have a forwarder configured.
- Click OK to close the Advanced TCP/IP Settings properties.
- Click OK to accept the changes to your TCP/IP configuration.
- Click OK to close the Local Area Connections properties.
Step 2: Running DCPROMO
After completing all the previous steps and after double checking your requirements you should now run Dcpromo.exe from the Run command.
Note: In Windows Server 2003, unlike Windows 2000, you can choose to install the Replica DC from a backed-up media thus saving considerable amounts of time and bandwidth. Read Install DC from Media in Windows Server 2003 for more info.
- Click Start, point to Run and type “dcpromo”.
- The wizard windows will appear. Click Next.
- In the Operating System Compatibility window click Next.
- Choose Additional Domain Controller for an existing domain and click Next.
- In the Network Credentials window enter the username and password for a Domain Admin in the domain you’re trying to join. also enter the full DNS domain name. Click Next.
This step might take some time because the computer is searching for the DNS server.
Note: Although the wizard will let you get to the last window and begin to attempt to join the domain, if you enter the wrong username or password, because of the wrong credentials you’ll get an error message:
If you enter the domain name in a wrong way you’ll get this error message:
The wizard will not be able to continue past the domain name window.
If you have wrong DNS settings, i.e. the computer “thinks” that it should be “talking” to one DNS server, while in fact it should be using another DNS server, you’ll get an error message like this one:
- In the Additional Domain Controller window type or browse to select the domain to which you want to add the replica DC.
- Accept the Database and Log file location dialog box (unless you want to change them of course). The location of the files is by default %systemroot%\NTDS, and you should not change it unless you have performance issues in mind. Click Next.
- Accept the Sysvol folder location dialog box (unless you want to change it of course). The location of the files is by default %systemroot%\SYSVOL, and you should not change it unless you have performance issues in mind. This folder must be on an NTFS v5.0 partition. This folder will hold all the GPO and scripts you’ll create, and will be replicated to all other Domain Controllers. Click Next.
- Enter the Restore Mode administrator’s password. Whatever you do – remember it! Without it you’ll have a hard time restoring the AD if you ever need to do so. Click Next.
- Review your settings and if you like what you see – Click Next.
- See the wizard going through the various stages of installing AD. Whatever you do – NEVER click Cancel!!! You’ll wreck your computer if you do. If you see you made a mistake and want to undo it, you’d better let the wizard finish and then run it again to undo the AD.
- If all went well you’ll see the final confirmation window. Click Finish.
- You must reboot in order for the AD to function properly. Click Restart now.
Step 3: Checking the AD installation
You should now check to see if the AD installation went well.
- First, see that the Administrative Tools folder has all the AD management tools installed.
- Run Active Directory Users and Computers (or type “dsa.msc” from the Run command). See that all OUs and Containers are there. See that your DC is listed in the Domain Controllers Container.
- Run Active Directory Sites and Services. See that you have a site named Default-First-Site-Name, and that in it your server is listed along with the other DC in the domain/forest.
- One reason for the lack of registration of SRV records is the fact the net NETLOGON service has somehow failed to register the SRV Records in the DNS zone.
You should try to restart the NETLOGON service to force the SRV registration.
From the command prompt type “net stop netlogon”, and after it finishes, type “net start netlogon”.
Open the DNS console. See that your new DC has registered itself in the 4 SRV Record folders.
Let it finish, go back to the DNS console, click your zone and refresh it (F5). If all is ok you’ll now see the 4 SRV record folders.
- Check the NTDS folder for the presence of the required files.
- Check the SYSVOL folder for the presence of the required subfolders.
- Check to see if you have the SYSVOL and NETLOGON shares, and their location.
If all of the above is ok, I think it’s safe to say that your AD is properly installed.
If not, read Troubleshooting Dcpromo Errors.