adding a 2nd domain controller to existing domain

[hagjohn]

I have a question (probably stupid but it's not mentioned anywhere). We have just purchased a new server. When adding a 2nd controller to my existing tree (using dcpromo), does the new server have to be part of the domain first or can I just add it as a domain controller and it would know to add it the domain?

 

 

 

[majortom1981]

You have to add the machine to the domain first

[ToneKnee]

If I can remember, you need to add it to a domain then promote it to domain controller.

[sc302 Veteran]

you don't need to add it to the domain first, if you add dns server first and have it be a secondary dns server you can then add it as a second domain controller. It will save a reboot doing it this way.

[Roger H. Veteran]

Cool, didn't know that tip sc302. (y)

 

I usually just add it to the domain first then add the role then promo but yeah, saving reboots is always a good thing :)

[hagjohn]

Thanks. I've never added a 2nd controller to a windows domain. I assume I add a user to the domain, to get it fully on the domain and then promote it, correct?

[majortom1981]

  On 22/07/2014 at 15:53, sc302 said:

you don't need to add it to the domain first, if you add dns server first and have it be a secondary dns server you can then add it as a second domain controller. It will save a reboot doing it this way.

Isnt that very insecure? Doesnt the pc need to be a member of the domain first? If not couldnt anybody just add a rougue dns server to the domain? I thought you have to make the pc a member of the domain first before adding any roles to it. Usually it throws up an error message stating so.

[sc302 Veteran]

No.. You would have to give permission to that server to be a dns server..It isn't like you can just simply add a dns server nilly willy to the domain

 

Here are the steps:

1st, give the new server a static ip address with the dns servers the current dns servers in the ipv4 properties

2nd go to a dns server and open up the zone that you want to add a secondary dns server to, go to the properties of the domain and the _msdcs and allow zone transfers to the ip of the new server

3rd go to the new server and setup the ad zones in the dns (you will need to install the dns server role on the server)

4th change the dns on the nic of the new server to be itself

5th run dcpromo and add server as a secondary domain controller. 

 

Once completed you can take the zone transfers out. 

 

 

This saves on a reboot, takes me less time to do this than it does to do a reboot.  All about saving time when you don't have a lot of time to do this. 

[Roger H. Veteran]

  On 22/07/2014 at 18:49, hagjohn said:

Thanks. I've never added a 2nd controller to a windows domain. I assume I add a user to the domain, to get it fully on the domain and then promote it, correct?

 

You can do it the way sc302 mentioned or just do it via System - change the workgroup business and add the domain. Once you click ok it will ask you for a username for an authorized account (admin account) to add the server the domain, same way how you add a non-server to a domain.

 

Once that's all done you just have to promo it and follow the wizard which will mention the other DC and that you are a 2nd controller in the main forest.

[Mando]

I have always done it the traditional way, when adding a new server, patch it up with service packs/fixes, join to domain, then add roles to the server (inc DC role) after being joined.

 

a reboot save isn't valid if its not yet a part of the domain/DC cluster.

[Depicus]

  On 22/07/2014 at 19:18, sc302 said:

No.. You would have to give permission to that server to be a dns server..

 

Once completed you can take the zone transfers out. 

 

This saves on a reboot, takes me less time to do this than it does to do a reboot.  All about saving time when you don't have a lot of time to do this. 

 

Sounds like a recipe for disaster and I cannot believe it to be much faster than a join, reboot then promote. Kudos if that's what works for you but to me it seems a bit overly complicated.

[sc302 Veteran]

Depends, have you ever waited 5-10 minutes for a server reboot to scan through raid/scsi cards or that dell lifecycle controller? 

 

Not a recipe for disaster, there is nothing that would cause an issue.  Tell me what is going to screw up so bad by doing it the way I describe?  DNS?  no you are copying information not over writing.  The process of adding a server?  maybe, if you don't add the dns entries in the tcp/ip properties properly after you have copied the dns info over.

 

 

  On 10/12/2014 at 12:52, Mando said:

I have always done it the traditional way, when adding a new server, patch it up with service packs/fixes, join to domain, then add roles to the server (inc DC role) after being joined.

 

a reboot save isn't valid if its not yet a part of the domain/DC cluster.

btw, with my method the system does not need to be a domain member prior to dcpromo. 

[Depicus]

  On 10/12/2014 at 14:05, sc302 said:

Depends, have you ever waited 5-10 minutes for a server reboot to scan through raid/scsi cards or that dell lifecycle controller? 

 

Yes, I call that time "coffee" time or "me" time :)

 

Again kudos to you, and if it works for you go for it.

[binaryzero]

Always join the server to the domain first, then promote to DC. 

 

There shouldn't be any reason to create a secondary DNS zone, just replicate the primary DNS zone.