This guide will show you how to add a new domain controller to an existing Windows Active Directory Domain on a Server Core 2022 system.
My last post covered creating a new forest and domain, and converting a Windows Server Core machine to a domain controller. In this post, we're going to build on that, and run through how to add another domain controller into the mix.
Like last time, these instructions are based on a Windows Server Core 2022 system, but the PowerShell commands are equally applicable to servers running the Desktop Experience, and to Server 2019 and Server 2016 systems.
As before, we first need to make sure a few basics are set. This can be done from the server config window (sconfig), which opens by default on Server 2022 Core. For older versions (2019, 2016), run
- Hostname - important. This will be the name of your domain controller. As this is a second DC, it's best to increment the number in the first one's name (dc01 becomes dc02).
- Date and time. Make sure the date/time is right and set your timezone.
- IP and DNS. Make sure you have a static IP set. We're also installing the domain DNS service, and we can't have a DNS server running with a dynamic IP. The DNS should be pointing to an existing domain controller (so it knows where to find the domain we want to join).
- Enable remote desktop. Optional.
Exit from sconfig to the command prompt. Server 2022 defaults to PowerShell. If you end up somewhere else, enter a PowerShell prompt with
Enter the command:
As before, we're running this on Server Core, so we don't need the management tools. You might include this on a full Desktop Experience system.
Add Domain Controller
Some of the information we specified before isn't needed when adding a new DC to an existing domain (the forest and domain level are inferred from the domain).
The command we need to run is surprisingly short:
Install-ADDSDomainController -DomainName 'ad.dictive.tech' -Credential (Get-Credential "AD\your-domain-admin") -InstallDns:$true
Because the domain now exists, we need to authenticate against it, so we need to enter a user account that has domain join permissions.
Get-Credential prompts for the password, so we don't have to visibly type it into PowerShell.
After hitting enter, we'll get the prompt to create a safemode password, like before.
The process will take as long as last time, and should look quite familiar by now. Once it has finished, we'll need to make one last change.
Log in and run sconfig if required. We want to change the DNS address for the new domain controller, and also go back and change the DNS for the first DC.
For the new one, set the primary DNS address as dc01's IP. Set the secondary to 127.0.0.1 (the loopback address of this new DC/DNS server). On DC01, do the same thing, except set the primary DNS address to be dc02's IP, with the secondary being
Microsoft's advice on the DNS address ordering for DC/DNS servers has changed over the years, so there are conflicting opinions. Setting the primary to another DC, and the secondary to its own loopback address, seems to be as close to a consensus as we're likely to get.
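The whole procedure above, scripted end to end, as an added example (not code from the original post). The interface alias "Ethernet", the addresses 10.0.0.11 (dc01), 10.0.0.12 (dc02) and 10.0.0.1 (gateway) are constructed assumptions; the domain name and admin account are the ones used in the post. It adds a DNS SRV lookup and a Test-ADDSDomainControllerInstallation dry run before promoting, so a misconfigured DNS or missing permission is caught before anything is changed.

```powershell
# Added example, not the post's own commands. Constructed assumptions:
#   dc01 = 10.0.0.11 (existing DC), this server dc02 = 10.0.0.12/24, gateway 10.0.0.1
#   NIC alias 'Ethernet' (check with Get-NetAdapter)
$ifAlias = 'Ethernet'
$dc01Ip  = '10.0.0.11'
$thisIp  = '10.0.0.12'
$domain  = 'ad.dictive.tech'

# 1. Prerequisites: static IP, and DNS pointing at the existing DC so the domain can be located.
#    These are the scripted equivalents of the sconfig network steps.
Set-NetIPInterface -InterfaceAlias $ifAlias -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $ifAlias -IPAddress $thisIp -PrefixLength 24 -DefaultGateway '10.0.0.1'
Set-DnsClientServerAddress -InterfaceAlias $ifAlias -ServerAddresses $dc01Ip

# Confirm the domain's LDAP SRV record resolves via dc01 before trying to join; fails fast if DNS is wrong.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dc01Ip -ErrorAction Stop

# 2. Install the AD DS role. No management tools on Server Core.
Install-WindowsFeature -Name AD-Domain-Services

# 3. Prompt for the domain credential and the safe mode (DSRM) password rather than embedding either.
$cred     = Get-Credential 'AD\your-domain-admin'
$safeMode = Read-Host -Prompt 'Safe mode (DSRM) password' -AsSecureString

# Dry run: reports blocking problems (permissions, DNS, replication partner) without changing the server.
$check = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
             -InstallDns:$true -SafeModeAdministratorPassword $safeMode
if ($check.Status -ne 'Success') { $check.Message; throw 'Prerequisite check failed; fix the above first.' }

# 4. Promote. The server reboots when this completes.
Install-ADDSDomainController -DomainName $domain -Credential $cred `
    -InstallDns:$true -SafeModeAdministratorPassword $safeMode

# ---- After the reboot ----
# 5. DNS ordering the post settles on: primary = the other DC, secondary = own loopback.
#    On dc02:
Set-DnsClientServerAddress -InterfaceAlias $ifAlias -ServerAddresses $dc01Ip, '127.0.0.1'
#    On dc01 (swap in dc02's address):
#    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.12', '127.0.0.1'

# 6. Verify both DCs are advertised and replication is healthy (built-in tools, no extra modules).
nltest /dclist:$domain
repadmin /replsummary
```

Steps 1 to 4 run before the reboot and steps 5 and 6 after it, so run the script in two halves or copy the post-reboot lines separately.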
That's it! If you've followed this guide, and the previous post, you've now got at least 2 domain controllers, meaning your setup is far more resilient than before! If you have any questions or comments, please let me know below, or you can find me at @techbitsio.