hagjohn (Posted July 22, 2014):
I have a question (probably stupid, but it's not mentioned anywhere). We have just purchased a new server. When adding a 2nd controller to my existing tree (using dcpromo), does the new server have to be part of the domain first, or can I just add it as a domain controller and it would know to add it to the domain?
majortom1981 (Posted July 22, 2014):
You have to add the machine to the domain first.
ToneKnee (Posted July 22, 2014):
If I can remember, you need to add it to a domain, then promote it to domain controller.
sc302 (Posted July 22, 2014):
You don't need to add it to the domain first. If you add the DNS server first and have it be a secondary DNS server, you can then add it as a second domain controller. It will save a reboot doing it this way.
Roger H. (Posted July 22, 2014):
Cool, didn't know that tip, sc302. (y) I usually just add it to the domain first, then add the role, then promo, but yeah, saving reboots is always a good thing :)
hagjohn (Posted July 22, 2014):
Thanks. I've never added a 2nd controller to a Windows domain. I assume I add a user to the domain, to get it fully on the domain, and then promote it, correct?
majortom1981 (Posted July 22, 2014):
> You don't need to add it to the domain first. If you add the DNS server first and have it be a secondary DNS server, you can then add it as a second domain controller. It will save a reboot doing it this way.
Isn't that very insecure? Doesn't the PC need to be a member of the domain first? If not, couldn't anybody just add a rogue DNS server to the domain? I thought you have to make the PC a member of the domain first before adding any roles to it. Usually it throws up an error message stating so.
sc302 (Posted July 22, 2014):
No. You would have to give permission to that server to be a DNS server. It isn't like you can just simply add a DNS server nilly willy to the domain. Here are the steps:
1. Give the new server a static IP address, with the current DNS servers as the DNS servers in the IPv4 properties.
2. Go to a DNS server and open up the zone that you want to add a secondary DNS server to; go to the properties of the domain and the _msdcs zone and allow zone transfers to the IP of the new server.
3. Go to the new server and set up the AD zones in DNS (you will need to install the DNS server role on the server).
4. Change the DNS on the NIC of the new server to be itself.
5. Run dcpromo and add the server as a secondary domain controller.
Once completed, you can take the zone transfers out. This saves on a reboot; it takes me less time to do this than it does to do a reboot. All about saving time when you don't have a lot of time to do this.
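The five steps above, as an added PowerShell walkthrough that is not part of the thread (the poster describes the GUI route and dcpromo). Assumed names: existing DC DC01 at 10.0.0.10, new server NEWDC at 10.0.0.11, gateway 10.0.0.1, domain corp.example, NIC alias "Ethernet"; on Server 2012 and later, Install-ADDSDomainController replaces dcpromo. Zone transfers are scoped to the one new address and revoked afterwards, which is the part that answers the "rogue DNS server" concern.

```powershell
# Added example, not the poster's own commands. Assumed: DC01 = 10.0.0.10 (existing DC),
# NEWDC = 10.0.0.11 (new server), gateway 10.0.0.1, domain corp.example, NIC "Ethernet".
# Run each section on the host named in its comment, in an elevated PowerShell.

$Zones = 'corp.example', '_msdcs.corp.example'   # AD zones the new server needs

# --- Step 1, on NEWDC: static IP, DNS client pointing at the existing DC ---
New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.11' -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.10'

# --- Step 2, on DC01: allow zone transfers ONLY to the new server's address ---
# TransferToSecureServers plus an explicit list is the least-privilege setting;
# TransferAnyServer would let any host pull the zone.
foreach ($zone in $Zones) {
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers -SecondaryServers '10.0.0.11'
}

# --- Step 3, on NEWDC: install the DNS role and pull both zones as secondaries ---
Install-WindowsFeature DNS -IncludeManagementTools
foreach ($zone in $Zones) {
    Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers '10.0.0.10'
}

# --- Step 4, on NEWDC: point the NIC at itself, keeping the existing DC as fallback ---
Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.11', '10.0.0.10'

# --- Step 5, on NEWDC: promote to an additional DC in the existing domain ---
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName 'corp.example' -InstallDns -Credential (Get-Credential 'CORP\Administrator')

# --- Afterwards, on DC01: close the zone-transfer window, as the post says ---
foreach ($zone in $Zones) {
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries NoTransfer
}
```

The file-backed secondary zones only bootstrap name resolution for the promotion; once the new DC replicates the directory it serves the AD-integrated copies of the same zones, which is the replication binaryzero refers to later in the thread.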
Roger H. (Posted July 22, 2014):
> Thanks. I've never added a 2nd controller to a Windows domain. I assume I add a user to the domain, to get it fully on the domain, and then promote it, correct?
You can do it the way sc302 mentioned, or just do it via System, change the workgroup business and add the domain. Once you click OK it will ask you for a username for an authorized account (admin account) to add the server to the domain, the same way you add a non-server to a domain. Once that's all done you just have to promo it and follow the wizard, which will mention the other DC and that you are a 2nd controller in the main forest.
Mando (Posted December 10, 2014):
I have always done it the traditional way: when adding a new server, patch it up with service packs/fixes, join to domain, then add roles to the server (inc. DC role) after being joined. A reboot save isn't valid if it's not yet a part of the domain/DC cluster.
Depicus (Posted December 10, 2014):
> No. You would have to give permission to that server to be a DNS server. Once completed, you can take the zone transfers out. This saves on a reboot; it takes me less time to do this than it does to do a reboot. All about saving time when you don't have a lot of time to do this.
Sounds like a recipe for disaster, and I cannot believe it to be much faster than a join, reboot, then promote. Kudos if that's what works for you, but to me it seems a bit overly complicated.
sc302 (Posted December 10, 2014):
Depends, have you ever waited 5-10 minutes for a server reboot to scan through RAID/SCSI cards or that Dell Lifecycle Controller? Not a recipe for disaster; there is nothing that would cause an issue. Tell me what is going to screw up so bad by doing it the way I describe? DNS? No, you are copying information, not overwriting. The process of adding a server? Maybe, if you don't add the DNS entries in the TCP/IP properties properly after you have copied the DNS info over.
> I have always done it the traditional way: when adding a new server, patch it up with service packs/fixes, join to domain, then add roles to the server (inc. DC role) after being joined. A reboot save isn't valid if it's not yet a part of the domain/DC cluster.
BTW, with my method the system does not need to be a domain member prior to dcpromo.
Depicus (Posted December 10, 2014):
> Depends, have you ever waited 5-10 minutes for a server reboot to scan through RAID/SCSI cards or that Dell Lifecycle Controller?
Yes, I call that time "coffee" time or "me" time :) Again, kudos to you, and if it works for you, go for it.
binaryzero (Posted January 13, 2015):
Always join the server to the domain first, then promote to DC. There shouldn't be any reason to create a secondary DNS zone; just replicate the primary DNS zone.