adding a 2nd domain controller to existing domain


Recommended Posts

I have a question (probably stupid but it's not mentioned anywhere). We have just purchased a new server. When adding a 2nd controller to my existing tree (using dcpromo), does the new server have to be part of the domain first or can I just add it as a domain controller and it would know to add it the domain?

 

 

 

you don't need to add it to the domain first, if you add dns server first and have it be a secondary dns server you can then add it as a second domain controller. It will save a reboot doing it this way.

  • Like 2
  On 22/07/2014 at 15:53, sc302 said:

you don't need to add it to the domain first, if you add dns server first and have it be a secondary dns server you can then add it as a second domain controller. It will save a reboot doing it this way.

Isnt that very insecure? Doesnt the pc need to be a member of the domain first? If not couldnt anybody just add a rougue dns server to the domain? I thought you have to make the pc a member of the domain first before adding any roles to it. Usually it throws up an error message stating so.

No.. You would have to give permission to that server to be a dns server..It isn't like you can just simply add a dns server nilly willy to the domain

 

Here are the steps:

1st, give the new server a static ip address with the dns servers the current dns servers in the ipv4 properties

2nd go to a dns server and open up the zone that you want to add a secondary dns server to, go to the properties of the domain and the _msdcs and allow zone transfers to the ip of the new server

3rd go to the new server and setup the ad zones in the dns (you will need to install the dns server role on the server)

4th change the dns on the nic of the new server to be itself

5th run dcpromo and add server as a secondary domain controller. 

 

Once completed you can take the zone transfers out. 

 

 

This saves on a reboot, takes me less time to do this than it does to do a reboot.  All about saving time when you don't have a lot of time to do this. 

  On 22/07/2014 at 18:49, hagjohn said:

Thanks. I've never added a 2nd controller to a windows domain. I assume I add a user to the domain, to get it fully on the domain and then promote it, correct?

 

You can do it the way sc302 mentioned or just do it via System - change the workgroup business and add the domain. Once you click ok it will ask you for a username for an authorized account (admin account) to add the server the domain, same way how you add a non-server to a domain.

 

Once that's all done you just have to promo it and follow the wizard which will mention the other DC and that you are a 2nd controller in the main forest.

  • 4 months later...

I have always done it the traditional way, when adding a new server, patch it up with service packs/fixes, join to domain, then add roles to the server (inc DC role) after being joined.

 

a reboot save isn't valid if its not yet a part of the domain/DC cluster.

  On 22/07/2014 at 19:18, sc302 said:

No.. You would have to give permission to that server to be a dns server..

 

Once completed you can take the zone transfers out. 

 

This saves on a reboot, takes me less time to do this than it does to do a reboot.  All about saving time when you don't have a lot of time to do this. 

 

Sounds like a recipe for disaster and I cannot believe it to be much faster than a join, reboot then promote. Kudos if that's what works for you but to me it seems a bit overly complicated.

Depends, have you ever waited 5-10 minutes for a server reboot to scan through raid/scsi cards or that dell lifecycle controller? 

 

Not a recipe for disaster, there is nothing that would cause an issue.  Tell me what is going to screw up so bad by doing it the way I describe?  DNS?  no you are copying information not over writing.  The process of adding a server?  maybe, if you don't add the dns entries in the tcp/ip properties properly after you have copied the dns info over.

 

 

  On 10/12/2014 at 12:52, Mando said:

I have always done it the traditional way, when adding a new server, patch it up with service packs/fixes, join to domain, then add roles to the server (inc DC role) after being joined.

 

a reboot save isn't valid if its not yet a part of the domain/DC cluster.

btw, with my method the system does not need to be a domain member prior to dcpromo. 

  On 10/12/2014 at 14:05, sc302 said:

Depends, have you ever waited 5-10 minutes for a server reboot to scan through raid/scsi cards or that dell lifecycle controller? 

 

Yes, I call that time "coffee" time or "me" time :)

 

Again kudos to you, and if it works for you go for it.

  • 1 month later...
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Posts

    • Microsoft reportedly planning to lay off thousands of employees, mostly in sales by Usama Jawad Back in May 2025, Microsoft decided to lay off 3% of its workforce, which amounted to roughly 6,000 employees. It claimed that this decision allowed it to implement better organizational changes in a "dynamic marketplace". Now, a new report claims that the Redmond tech firm is planning to lay off thousands more next month. Citing unnamed sources, Bloomberg reports that as the company continues investing heavily in its AI ventures, it is about to announce layoffs of thousands of workers as early as next month. This reduction in workforce will primarily affect sales teams, but they won't be the only ones affected. That said, the sources did mention that the timing for this announcement may change. This move, if true, won't be entirely surprising. In April 2025, Microsoft announced that it will be relying more on third-party firms to sell its software to small- and medium-sized customers. It's currently unclear how many employees will be impacted by this change, but even if the layoff percentage is in the single digits, it would still be significant as it would be impacting the professional careers of thousands. The May 2025 layoffs primarily impacted engineering and product teams. The other major round of layoffs prior to this was the decision to eliminate 10,000 jobs back in January 2023. Those represented 5% of the total workforce at that time, with numerous teams, including the one leading Mixed Reality (MR) efforts, being heavily impacted. It is interesting to note that if the timing of the announcement for layoffs is accurate, it would be soon after Microsoft closes its fiscal year at the end of June 2025. Although we'll get financial reports for the latest quarter soon after too, one has to wonder what the human cost of profit is, as Microsoft continues to report billions of dollars in revenue every quarter. Source: Bloomberg (paywall)
    • Ah .. lockout for suspicious activity. I bet they uploaded the SanDisk utility detected as malware
    • Microsoft 365 will soon disable outdated authentication protocols for file access by Usama Jawad On a fairly regular basis, Microsoft disables outdated protocols that are used to access its services. In the past few years, the company has deprecated Basic Auth in Exchange Online and cut access to Outlook for third-party apps relying on this protocol. Now, it has decided to get rid of old authentication protocols for file access across Microsoft 365 services. As reported by Bleeping Computer, Microsoft has posted a message on its Microsoft 365 Admin Center. Starting from mid-July 2025, the company will begin disabling legacy authentication protocols used to access files across Microsoft 365 and Office apps, SharePoint, and OneDrive. Essentially, applications or services which use the Relying Party Suite (RPS) or FrontPage Remote Procedure Call (FPRPC) will to perform browser-based authentication to perform open operations on Office files will no longer be able to do so. As expected, this is primarily being done to improve the cybersecurity posture of various services. Microsoft states that RPS can be brute-forced and phished with relative ease as it is fairly outdated. Similarly, FPRPC is typically used for remote web page authoring and it is susceptible to exploitation through various vulnerabilities too. As such, both of these protocols will be disabled by default starting from mid-July 2025, with the rollout of this change targeting completion by August 2025. The Redmond tech giant will update the protocol baseline by default without mandating any licensing changes for customers. In addition, once these modifications are rolled out, Microsoft 365 will require admin consent to get third-party access to files and sites. IT admins can view the guidance available here to configure admin consent workflows. Microsoft says that these changes align with the principles of its Secure Future Initiative (SFI). Earlier today, it announced the rollout of improved security defaults for Windows 365 citing the same reasons too.
    • This is how you kill your own business.
  • Recent Achievements

    • First Post
      Fuzz_c earned a badge
      First Post
    • First Post
      TIGOSS earned a badge
      First Post
    • Week One Done
      slackerzz earned a badge
      Week One Done
    • Week One Done
      vivetool earned a badge
      Week One Done
    • Reacting Well
      pnajbar earned a badge
      Reacting Well
  • Popular Contributors

    1. 1
      +primortal
      704
    2. 2
      ATLien_0
      283
    3. 3
      Michael Scrip
      216
    4. 4
      +FloatingFatMan
      195
    5. 5
      Steven P.
      131
  • Tell a friend

    Love Neowin? Tell a friend!