adding a 2nd domain controller to existing domain

I have a question (probably stupid but it's not mentioned anywhere). We have just purchased a new server. When adding a 2nd controller to my existing tree (using dcpromo), does the new server have to be part of the domain first or can I just add it as a domain controller and it would know to add it the domain?

you don't need to add it to the domain first, if you add dns server first and have it be a secondary dns server you can then add it as a second domain controller. It will save a reboot doing it this way.

  On 22/07/2014 at 15:53, sc302 said:

you don't need to add it to the domain first, if you add dns server first and have it be a secondary dns server you can then add it as a second domain controller. It will save a reboot doing it this way.

Isn't that very insecure? Doesn't the PC need to be a member of the domain first? If not, couldn't anybody just add a rogue DNS server to the domain? I thought you have to make the PC a member of the domain first before adding any roles to it. Usually it throws up an error message stating so.

No.. You would have to give permission to that server to be a DNS server.. It isn't like you can just simply add a DNS server willy-nilly to the domain.

Here are the steps:

1st, give the new server a static ip address with the dns servers the current dns servers in the ipv4 properties

2nd go to a dns server and open up the zone that you want to add a secondary dns server to, go to the properties of the domain and the _msdcs and allow zone transfers to the ip of the new server

3rd go to the new server and setup the ad zones in the dns (you will need to install the dns server role on the server)

4th change the dns on the nic of the new server to be itself

5th run dcpromo and add server as a secondary domain controller. 

Once completed you can take the zone transfers out. 

This saves on a reboot, takes me less time to do this than it does to do a reboot.  All about saving time when you don't have a lot of time to do this. 
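The five steps sc302 lists above, scripted as an added PowerShell example (this is not code from the thread). It is meant to be run as Administrator on the new server; every IP address, zone name, interface alias and credential prompt is a placeholder you would replace with your own values. It also adds two things the thread only implies: the zone transfer is opened to the one new IP rather than to any server, and an audit function lists zones that still allow transfers so the temporary opening gets closed again.

```powershell
# Added example (not from the thread): sc302's "DNS first, then dcpromo" procedure,
# run from the NEW server. All names and addresses below are assumed placeholders.
$ExistingDc  = '10.0.0.10'                     # current DC / DNS server
$NewServerIp = '10.0.0.20'                     # static IP for the new server
$Gateway     = '10.0.0.1'
$Nic         = 'Ethernet'                      # interface alias on the new server
$Domain      = 'corp.example.com'
$Zones       = @($Domain, "_msdcs.$Domain")    # the domain zone and _msdcs, as in step 2
$ZoneFiles   = @{ $Domain = "$Domain.dns"; "_msdcs.$Domain" = "_msdcs.$Domain.dns" }
$Creds       = Get-Credential -Message 'Account permitted to add a domain controller'

# Step 1: static IP, with DNS pointing at the existing DNS server
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $NewServerIp -PrefixLength 24 -DefaultGateway $Gateway
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $ExistingDc

# Step 2: on the existing DNS server, allow zone transfers ONLY to the new server's IP.
# This is why a "rogue DNS server" cannot simply pull the zone: transfers are closed
# unless someone with rights on the DC opens them to an explicit list of addresses.
foreach ($z in $Zones) {
    Set-DnsServerPrimaryZone -ComputerName $ExistingDc -Name $z `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $NewServerIp
}

# Step 3: install the DNS role here and pull both zones as secondaries
Install-WindowsFeature DNS -IncludeManagementTools
foreach ($z in $Zones) {
    Add-DnsServerSecondaryZone -Name $z -ZoneFile $ZoneFiles[$z] -MasterServers $ExistingDc
}

# Step 4: the new server now resolves through itself
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $NewServerIp

# Step 5: promote (the dcpromo equivalent). Domain membership is not required beforehand;
# what is required is a credential allowed to add a DC, which the wizard also asks for.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -DomainName $Domain -Credential $Creds -InstallDns `
    -SafeModeAdministratorPassword (Read-Host 'DSRM password' -AsSecureString) `
    -NoRebootOnCompletion -Force

# "Once completed you can take the zone transfers out": lock the zones back down.
function Disable-ZoneTransfers {
    param([string]$Dc, [string[]]$ZoneNames)
    foreach ($z in $ZoneNames) {
        Set-DnsServerPrimaryZone -ComputerName $Dc -Name $z -SecureSecondaries NoTransfer
    }
}

# Check: list every primary zone on a DNS server that still allows transfers,
# so a temporary opening like step 2 does not get forgotten.
function Get-OpenZoneTransfers {
    param([string]$Dc)
    Get-DnsServerZone -ComputerName $Dc |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.SecureSecondaries -ne 'NoTransfer' } |
        Select-Object ZoneName, SecureSecondaries,
            @{ n = 'SecondaryServers'; e = { $_.SecondaryServers -join ',' } }
}

Disable-ZoneTransfers -Dc $ExistingDc -ZoneNames $Zones
Get-OpenZoneTransfers -Dc $ExistingDc    # the two zones above should no longer appear
Restart-Computer                         # the one reboot the promotion still needs
```

The promotion is run with `-NoRebootOnCompletion` so the script can close the zone transfers and run the audit before the single reboot; without that switch the server restarts as soon as promotion finishes and the last three lines have to be run afterwards by hand.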

  On 22/07/2014 at 18:49, hagjohn said:

Thanks. I've never added a 2nd controller to a windows domain. I assume I add a user to the domain, to get it fully on the domain and then promote it, correct?

You can do it the way sc302 mentioned or just do it via System - change the workgroup business and add the domain. Once you click ok it will ask you for a username for an authorized account (admin account) to add the server the domain, same way how you add a non-server to a domain.

Once that's all done you just have to promo it and follow the wizard which will mention the other DC and that you are a 2nd controller in the main forest.

I have always done it the traditional way, when adding a new server, patch it up with service packs/fixes, join to domain, then add roles to the server (inc DC role) after being joined.

A reboot save isn't valid if it's not yet a part of the domain/DC cluster.

  On 22/07/2014 at 19:18, sc302 said:

No.. You would have to give permission to that server to be a DNS server..

Once completed you can take the zone transfers out. 

This saves on a reboot, takes me less time to do this than it does to do a reboot.  All about saving time when you don't have a lot of time to do this. 

Sounds like a recipe for disaster and I cannot believe it to be much faster than a join, reboot then promote. Kudos if that's what works for you but to me it seems a bit overly complicated.

Depends, have you ever waited 5-10 minutes for a server reboot to scan through raid/scsi cards or that dell lifecycle controller? 

Not a recipe for disaster, there is nothing that would cause an issue. Tell me what is going to screw up so bad by doing it the way I describe? DNS? No, you are copying information, not overwriting. The process of adding a server? Maybe, if you don't add the DNS entries in the TCP/IP properties properly after you have copied the DNS info over.

  On 10/12/2014 at 12:52, Mando said:

I have always done it the traditional way, when adding a new server, patch it up with service packs/fixes, join to domain, then add roles to the server (inc DC role) after being joined.

A reboot save isn't valid if it's not yet a part of the domain/DC cluster.

btw, with my method the system does not need to be a domain member prior to dcpromo. 

  On 10/12/2014 at 14:05, sc302 said:

Depends, have you ever waited 5-10 minutes for a server reboot to scan through raid/scsi cards or that dell lifecycle controller? 

Yes, I call that time "coffee" time or "me" time :)

Again kudos to you, and if it works for you go for it.
