Add Windows Server 2016 Domain Controller to Existing Domain

Given that Active Directory is the heart of your network, you should always have at least two Domain Controllers. This will help prevent rebuilding your entire domain should you have a disaster and lose a Domain Controller’s data.

Most environment use AD for the authentication back end for all sorts of solutions from 365 to Cisco ISE to MFA to Wirelesss Access. Lose your authentication servers and you’re not just rebuilding your domain but also all permissions and software that rely on that domain to function.

Fortunately, standing up a backup domain controller or two isn’t a complex task. Let’s go over the methods for adding a secondary domain controller.

Promote 2016 Server Core to Domain Controller using PowerShell

I highly recommend running server core for your domain controllers. This is the gui-less version of Windows Server 2016 (and 2012 R2) that you choose to use at OS install time.

By stripping out all the unnecessary bits of Windows the attack surface is reduced and the number of required patches and reboots are reduced as well. These are all good things for a Domain Controller.

Assuming you’ve got a Server 2016 Core server up and running with an appropriate name, lets begin:

  1. Log into the server and type the following command in the cmd window to open a new PowerShell window:
start powershell
  1. Figure out what your ethernet adapter is named by running:
Get-NetAdapter
  1. Use the name of the ethernet adapter (in this example it’s Ethernet) in the following command, along with the appropriate ip addresses:
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 10.6.0.4 -DefaultGateway 10.6.0.1 -AddressFamily IPv4 -PrefixLength 24
  1. Make sure the DNS is set correctly. If your first DC is your DNS server then use its’ IP like so:
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 10.6.0.2

If you have multiple DNS server address use this command:

Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses (“10.6.0.2”,”10.6.0.3”)
  1. Make sure your timezone is set correctly as well. We’ll use EST in this example:
Set-TimeZone -Id “Eastern Standard Time”
  1. Enter the following PowerShell command to install Active Directory Domain Services (AD DS):
Install-WindowsFeature ad-domain-services -IncludeManagementTools
  1. Run the following command, using your domain, to promote the server to a DC. You’ll be prompted to enter credentials with permission to update active directory:
Install-ADDSDomainController  -DomainName "ad.yourdomain.com" -InstallDNS:$True -credential (get-credential)
  1. After entering your credentials the you’ll be prompted to set a SafeModeAdministratorPassword to help with Directory Services Restore Mode during a DR (disasater recovery) scenario. After entering the information you’ll be prompted to restart.
  1. Once your server restarts you can verify everything is good by running:
dcdiag.exe
  1. You should also verify your domain shares were created by running the following command and looking for the sysvol and netlogon shares:
Get-smbshare

If that all checks out, you are good to go and to start playing with your new DC.

Promote 2016 Server to Domain Controller using Server Manager

If you’re running the full blown Windows Server 2016 or 2012 R2 and need to promote it to a DC, the steps are just as easy. You have two options. You can use the above commands to promote it through PowerShell or you can use the Server Manager. Let’s take a look at what the server manager steps look like.

I’m going to assume you’ve already named the server and set the IP, Gateway, and DNS addresses since those are trival with a desktop gui to work with.

Starting from there, let’s open the Server Manager and get to work.

  1. Type Server Manager in the start menu and launch it.
  2. Navigate to Manage -> Add Roles and Features
  3. Select Installation Type -> Role-based or feature-based installation -> Next.
  4. Select Server Selection -> Select a Server from the server pool -> Your server -> Next
  5. At the Server Roles screen choose Active Directory Domain Services -> Next
  6. You will now be asked to add several other features (the RSAT tools). Click on Add Features to confirm and then click Next.
  7. Click Next to leave the Features screen.
  8. Click Next to leave the AD DS Screen.
  9. On the Confirmation screen choose whether or not to reboot the server when the Roles and Features are installed and click Next to proceed with the install.
  10. Once the installation is complete and you restart the server, launch Server Manager again so that we can finish promoting the machine to a DC.
  11. You will see a warning icon in front of Manage, click the icon and then click “Promote this server to a domain controller”
  12. At the Deployment Configuration screen select “Add a domain controller to an existing domain,” select the domain, set the credentials to use, and then click Next.
  13. Choose the appropriate options, for this example we are going to select Domain Name System (DNS) server and Global Catalog (GC) so that our DC acts as a proper secondary DC and DNS server for our domain. Click Next.
  14. If you receive the warning “A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found…” you can safely ignore the message and proceed. This error may pop up if you’re not using a parent zone and is a non-issue if you don’t need name resolution from outside the domain.
  15. On the additional options screen choose which domain controllers you want to replicate from. Since I’m not decommissioning any servers soon I chose Any Domain Controller. Click Next
  16. At the Paths screen leave the defaults (unless you have a really good reason not to) and click Next.
  17. At the Review Options screen verify everything looks good, optionally view the PowerShell script, and click Next.
  18. The prerequisite check will run. Once it’s complete click Install.
  19. Once the install completes your machine should warn you that it’s about to restart. Let it restart and you’ll be ready to start playing with your new DC.

As you can see, this method is a bit lengthier. It doesn’t walk you through some of the more advanced options, which you can also set using the PowerShell method if necessary. I opted to leave the options out of the PowerShell example since most people wont need to mess with them.

I don’t know about you, but the PowerShell method of promoting a secondary domain controller seems much more appealing once you’ve got the hang of it. PowerShell can be a real time saver.

Recommended for You: Solarwinds Server & Application Monitor (SAM)

Know which applications are having issues in your environment before users complain? Know which systems are causing those problems? How about which servers are about to have problems like running out of space or memory?

Automate collection of data and alerting on your applications and servers with Solarwinds Server & Application Monitor so you have these answers.

Get insight into Active Directory, DNS, DHCP, and your Virtual environment without needing to mess with complex templates or knowing a single line of code.

Leave a Reply

Your email address will not be published. Required fields are marked *