Adding secondary Domain Controller

Posted on 2008-10-29
Medium Priority
Last Modified: 2010-04-18
I understand there is no PDC / BDC since NT4.
I want to add a secondary DC for backup and redundancy. The current DC is a live web server; AD users are used for all MS FTP accounts and it is integrated with our CMS system. Within the subnet of the server we have 2 other Win03 SP2 servers, one web server and another database server. I would like to use one of these as the secondary DC. I understand the DCPROMO process for adding a secondary DC when setting up a new server. Both the servers I have mentioned are already in use with local user accounts. Will these be removed if I run DCPROMO?
Can you advise the best process for promoting an already in use server to a secondary DC?
Question by: eonic
LVL 70

Expert Comment

ID: 22830094

Join the new machine to the existing domain as a member server (you may have already done this)

If the new Windows 2003 server is the R2 version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2. You need to run:

adprep /forestprep
adprep /domainprep

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select "Additional Domain Controller in an existing Domain".

Once Active Directory is installed then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

LVL 58

Expert Comment

ID: 22830098

If you promote a server with local user accounts as an Additional Domain Controller, those user accounts will be lost - there is no concept of local user accounts on Domain Controllers.

Your only option in this case would be to (somehow) export and re-import the accounts into the domain. That is the best place for them anyway, for SSO purposes, security and to prevent inconvenience during times like this.
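As an added example (not from the thread), a PowerShell script that inventories the local user accounts on a member server, with their local group memberships, before dcpromo removes them, so the same accounts and rights can be recreated in the domain. It assumes PowerShell 2.0 on the server and an output path under C:\Temp; passwords cannot be read out this way, so every recreated domain account needs a new password set.

```powershell
# Inventory local user accounts (and their local group memberships) on a
# member server before running dcpromo. Added example, not from the thread.
# Assumes PowerShell 2.0 on the server; the ADSI WinNT provider it uses ships
# with Windows. The output path is an assumption.
$Computer = $env:COMPUTERNAME
$OutFile  = "C:\Temp\local-users-$Computer.csv"

$ADS_UF_ACCOUNTDISABLE     = 0x0002    # userFlags bit: account disabled
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userFlags bit: password never expires

$machine = [ADSI]"WinNT://$Computer,computer"
$rows = foreach ($obj in $machine.psbase.Children) {
    if ($obj.psbase.SchemaClassName -ne 'user') { continue }
    $flags = [int]$obj.UserFlags.Value

    # Local groups the account belongs to; needed to reproduce its rights
    # (for example FTP or IIS access) with domain groups after the move.
    $groups = @($obj.psbase.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })

    New-Object PSObject -Property @{
        Computer             = $Computer
        Name                 = [string]$obj.psbase.Name
        FullName             = [string]$obj.FullName.Value
        Description          = [string]$obj.Description.Value
        Disabled             = (($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0)
        PasswordNeverExpires = (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
        LocalGroups          = ($groups -join ';')
    }
}

$null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $OutFile)
$rows |
    Select-Object Computer, Name, FullName, Description, Disabled,
                  PasswordNeverExpires, LocalGroups |
    Sort-Object Name |
    Export-Csv -Path $OutFile -NoTypeInformation

"{0} local user account(s) written to {1}" -f @($rows).Count, $OutFile
```

The CSV is the checklist for the migration: each row becomes a domain account, each local group name maps to a domain group that is then added to the server's local groups, and the Disabled and PasswordNeverExpires columns tell you which accounts were service-style accounts that applications such as the FTP service depend on.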


Author Comment

ID: 22830255
If the local user accounts would be removed in place of the AD accounts, this will not work for me. We also use Helm and other apps which use these local user accounts. Removing these accounts would be catastrophic.
We also have a win03 SP1 server in a totally different datacentre.
Can I use a server not within the same LAN as a secondary DC?
Can I use a SP1 server as a secondary DC, and what is the promotion process? DCPROMO will not work!
LVL 58

Accepted Solution

tigermatt earned 375 total points
ID: 22830285

Yes, you can use a server on another LAN as an additional domain controller; the only point to remember is the two DCs must be able to communicate with each other.

KCTS has posted the procedure for promoting it, and I've posted one below too. Dcpromo should work; it should be a case of simply going to Start, Run, typing dcpromo and pressing OK. If it does not open up, I would check to see the version of the server you are running isn't Windows Server 2003 Web Edition (that server OS cannot be promoted as a Domain Controller).



Install Windows Server 2003 onto the new server which is intended to be promoted as a Domain Controller. Ensure the new server is assigned a routable static IP address on your IP subnet. Ensure the IP address is not included in any of your existing DHCP scopes. The only DNS server entry at this stage should be the IP address of the existing domain controller on your network.

After installation, join the new machine to the existing domain as a member server. This procedure is exactly the same as joining a workstation to the domain.

Promote the new server as a Domain Controller for the domain. Enter dcpromo at a command prompt and follow the wizard. When prompted, select the option for an additional domain controller in an existing domain. After the wizard completes, the new server will be acting as a Domain Controller for your domain. It is necessary at this point to restart the server for these changes to be applied.

In a single-domain Active Directory forest, all servers should also be Global Catalog servers. The Global Catalog is a required component of Active Directory which is used during logins to establish universal group membership for a user account. To promote the new server as a Global Catalog, open Active Directory Sites and Services from the Administrative Tools container within Control Panel or on the Start Menu. Double-click Sites, then Servers, followed by the name of the new server. Next, right-click "NTDS Settings" and select Properties. On the General tab, check the Global Catalog checkbox. Restart the new Domain Controller for changes to take effect.

DNS is a critical component of your Active Directory network. The easiest way to install the DNS role onto the new server is to follow the instructions outlined at http://support.microsoft.com/kb/814591. You should be already using Active Directory-integrated DNS zones, which is the easiest method of allowing DNS replication to occur - DNS information is stored in Active Directory and replicates with Domain Controller replication traffic. To check if your DNS zones are AD-integrated (and convert them if not), please follow http://support.microsoft.com/kb/227844.

You probably want to enable DNS forwarding in the DNS console on the server, too. This forwards lookups for external domains to a DNS server at your ISP, which allows the server to effectively resolve DNS for external domains. More information on forwarders can be found at http://technet2.microsoft.com/WindowsServer/en/Library/ee992253-235e-4fd4-b4da-7e57e70ad3821033.mspx.
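As an added example covering both procedures posted above (KCTS's and tigermatt's), and not code from either of them: a PowerShell check to run once the second server has been promoted. It lists every domain controller with its site, IP and Global Catalog status, shows whether each inbound replication link last succeeded, and lists the DNS zones that are stored in Active Directory. It uses the .NET System.DirectoryServices API only, so it runs from PowerShell 2.0 on Windows Server 2003; it assumes you run it on a domain member as a domain administrator.

```powershell
# Post-promotion check: DCs with GC status, inbound replication health, and
# which DNS zones are AD-integrated. Added example, not from the thread.
# Uses System.DirectoryServices (.NET 2.0); run as a domain admin on a member.
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
"Domain {0} (forest {1}), {2} domain controller(s)" -f $dom.Name, $dom.Forest.Name, $dom.DomainControllers.Count

foreach ($dc in $dom.DomainControllers) {
    "{0,-28} site={1,-18} ip={2,-15} GC={3}" -f $dc.Name, $dc.SiteName, $dc.IPAddress, $dc.IsGlobalCatalog()
    try {
        # One line per inbound replication link; LastSyncResult 0 = last pull succeeded
        foreach ($n in $dc.GetReplicationNeighbors()) {
            $state = if ($n.LastSyncResult -eq 0) { 'OK' } else { "FAILED (error $($n.LastSyncResult))" }
            "    from {0,-28} {1,-40} last success {2:yyyy-MM-dd HH:mm} {3}" -f `
                $n.SourceServer, $n.PartitionName, $n.LastSuccessfulSync, $state
        }
    } catch {
        "    could not read replication status: $($_.Exception.Message)"
    }
}

# AD-integrated zones exist as dnsZone objects under CN=MicrosoftDNS, either in
# the domain partition (pre-2003 style) or in the DomainDnsZones / ForestDnsZones
# application partitions. A zone found in none of them is a file-backed zone
# that will not replicate with Active Directory.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDN = $rootDse.psbase.Properties['defaultNamingContext'][0]
$forestDN = $rootDse.psbase.Properties['rootDomainNamingContext'][0]
$zoneContainers = @(
    "CN=MicrosoftDNS,CN=System,$domainDN",
    "CN=MicrosoftDNS,DC=DomainDnsZones,$domainDN",
    "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDN"
)
foreach ($base in $zoneContainers) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$base"
    $searcher.Filter      = '(objectClass=dnsZone)'
    $searcher.SearchScope = 'OneLevel'
    try {
        $zones = @($searcher.FindAll() | ForEach-Object { $_.Properties['name'][0] })
        "AD-integrated zones under {0}: {1}" -f $base, ($zones -join ', ')
    } catch {
        "No container {0} ({1})" -f $base, $_.Exception.Message
    }
}
```

A healthy result shows both servers with GC=True, every replication line reading OK with a recent last success time, and the domain's forward zone plus _msdcs listed under one of the three containers. A FAILED line pointing at the remote datacentre server is the first thing to check on a DC placed on another LAN, since the two DCs must be able to reach each other for replication to run.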

