How to add a new Domain Controller to an Existing Domain

A domain controller (DC) provides critical services like authentication and authorization for an Active Directory domain. More precisely, a DC is a server running the Windows Server operating system with the Active Directory Domain Services (AD DS) role installed. We will see all of this very shortly. In this guide, we will learn how to add a new Domain Controller to an existing domain. Please see how to Setup a Domain Controller, and how to Raise or Downgrade AD Domain and Forest Functional Level.
Note: Adding a new domain to an existing forest and adding a new domain controller to an existing domain are two different Active Directory (AD) management approaches. Each approach comes with its own use cases and drawbacks. In the next guide, we will be discussing how to create a new child or tree domain. Here we will be adding a new domain controller to an existing domain.
Also see how to Setup a Domain Controller as Recommended by Microsoft, How To Configure a Domain Password Policy, and “how to fix this computer is a domain controller: The snap-in cannot be used on a domain controller“.
Create a Virtual Machine
Hyper-V is Microsoft’s own hardware virtualisation solution. Hyper-V enables you to create and run a software version of a computer otherwise referred to as a virtual machine. Each virtual machine acts like a complete computer, running its own operating system and programs.
Please see How to Create a Windows Server VM on HyperV, 3 Ways to Convert VMware VMs to Hyper-V, How to run Windows 11 on HyperV, and How to install free Hyper-V Server on a VMware Workstation.
I have referenced some articles on how to create a VM on Hyper-V. We have tons of articles on this, and you can search the blog for similar posts.
Launch Hyper-V Manager; from the Action pane, click New, and then click Virtual Machine. Follow the prompts and, on the page asking where you want to install the operating system, click Next to install the operating system as shown below.

As you can see, we are installing Microsoft Server Operating System into this VM on Hyper-V.

Customise settings by entering your password and confirming the password entry again.

Now, you can access your VM with the local user account you have just created. See how to Prevent Local Administrators from managing BitLocker with the manage-bde command, How to configure Windows LAPS, how to configure LAPS with Intune (Entra ID), and how to Grant Local Admin Permissions to a Group [Part 1].

To learn about the various generations of VMs, here are some guides: Why does the legacy PXE not work on a Generation 2 VM, how to set up a VM via PXE boot on a Generation 1 VM, and Generation 2 VM: Set up a Hyper-V VM through PXE boot.
Why you should Configure a Static TCP/IP Address
Ensure the IP address is hard-coded on the VM that will act as a DC. There are many reasons for this. Domain controllers provide critical services such as DNS, LDAP, and Kerberos authentication. These services depend on a stable network identity, which a static IP ensures. If the IP address of a DC changes frequently, these services become unreachable or unreliable. Here are some other reasons.
- Domain controllers register their IP addresses in DNS to enable clients and other domain controllers to find and communicate with them. If a DC’s IP address changes due to dynamic assignment, DNS records will become outdated, leading to connectivity issues. Active Directory relies on DNS Service (SRV) records for service location. These records need a consistent IP address to point to the correct domain controller.
- AD replication between domain controllers requires stable network addresses to ensure data is synchronized correctly. Changing IP addresses can disrupt replication schedules and cause data inconsistencies. Also, trust relationships between domains and forests depend on stable IP addresses. Dynamic IP changes can break these trusts and cause authentication issues.
- Static IP addresses allow for more precise firewall rules. Administrators can configure firewalls to allow specific traffic to and from the domain controller thereby enhancing network security.
Lastly, assigning static IP addresses to critical infrastructure components like domain controllers is a best practice widely adopted in IT environments to ensure stability and reliability. This makes it easier to document network configurations and comply with IT governance and regulatory requirements.
Configure TCP/IP Address
To set a static IP address on a Windows Server that will act as a domain controller, you can open the adapter settings directly from Server Manager, or via Control Panel > Network and Sharing Center > Change adapter settings. Right-click the network adapter and select Properties. Here you can set the IP address.
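The same static address assignment, done from an elevated PowerShell session instead of the adapter Properties dialog. This is an added example and not code from the original post; the adapter alias, the address 192.168.10.20/24, the gateway 192.168.10.1 and the existing DC's DNS address 192.168.10.10 are constructed placeholders you must replace with your own values.

```powershell
# Added example (not from the original post): assign a static IPv4 address to the
# adapter the future domain controller will use, and verify it is no longer DHCP.
# Assumed values (replace with your own): adapter alias, address, prefix, gateway,
# and the address of the existing DC used as DNS resolver until this server is a DC.
$AdapterName = 'Ethernet'
$StaticIP    = '192.168.10.20'
$PrefixLen   = 24
$Gateway     = '192.168.10.1'
$ExistingDC  = '192.168.10.10'

$adapter = Get-NetAdapter -Name $AdapterName -ErrorAction Stop

# Disable DHCP on the interface so a lease can never overwrite the static address.
Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -Dhcp Disabled

# Remove any IPv4 address and default route left behind by DHCP before assigning ours.
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $StaticIP `
    -PrefixLength $PrefixLen -DefaultGateway $Gateway | Out-Null

# Point DNS at the existing domain controller so the domain join in the next
# section can locate the domain's SRV records.
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $ExistingDC

# Verify: PrefixOrigin must read Manual (static), not Dhcp.
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength, PrefixOrigin
Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4
```

Removing the DHCP-assigned address and route first matters: New-NetIPAddress will happily add a second address alongside the leased one, and the server would then register both in DNS.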

Please see Configure SQL Server Instance to listen on a specific TCP Port, Setup is unable to access the SQL UDP Port 1434 on the specified SQL Server, and how to Configure TCP/IP Parameters: Post OS Installation and configuration of Windows Server 2019 Properties.
Join the New Server to the Existing Domain
In this section, we will join the newly created VM to the domain. Ensure you have the desired computer name set and the right network configuration in place; otherwise, the domain join operation will fail.
To do this, open Server Manager, navigate to Local Server, and click on Workgroup. Click Change, select Domain, enter the name of the existing domain as shown below, and provide domain admin credentials when prompted.

This must be done before installing the ADDS Role.
As you can see below, we have successfully joined our new VM to the domain.

Now, you can access the VM with your Domain credentials.
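The rename-and-join step from PowerShell, with a DNS check up front because a server that cannot resolve the domain's SRV records is the usual reason the join fails. This is an added example, not code from the original post; the domain name corp.example.local and the host name DC02 are constructed placeholders.

```powershell
# Added example (not from the original post): give the server its final computer
# name and join it to the existing domain in one step, then reboot.
# Assumed values (replace with your own): domain name and new computer name.
$DomainName  = 'corp.example.local'
$NewHostName = 'DC02'

# Confirm this server can find a domain controller via DNS before attempting the join.
# If this lookup fails, the static DNS address from the previous section is wrong.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcTargets = ($srv | Where-Object Type -eq 'SRV').NameTarget
"Domain controllers advertised in DNS: " + ($dcTargets -join ', ')

# Prompt for a domain account allowed to join computers; never hard-code it in the script.
$cred = Get-Credential -Message "Account allowed to join computers to $DomainName"

# -NewName renames and joins in a single operation; -Restart applies both at once.
Add-Computer -DomainName $DomainName -NewName $NewHostName -Credential $cred -Restart -Force

# After the reboot, from any domain-joined admin workstation, confirm the account exists:
#   Get-ADComputer -Identity DC02 | Select-Object Name, DNSHostName, Enabled
```

The join is still done before the AD DS role is installed, exactly as the article requires; the promotion wizard later uses this membership to find the domain.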

Please see Domain Name System Protocol: Client Registration Issue, and how to keep Apps up to date on Windows.
Install Active Directory Domain Services (AD DS)
Active Directory Domain Services (AD DS) stores information about domain members, including devices and users. It verifies their credentials and defines their access rights (It authenticates and authorizes all users and computers in a Windows domain-type network, assigns and enforces security policies for all computers, and installs or updates software). A server running this service is a domain controller.
Open Server Manager and click on Add roles and features

Skip the before you begin page

Select Role-based or feature-based installation and click next

We have got only one server in the server pool. Click Next to proceed

Select the “Active Directory Domain Services role”

On the prompt to add the features required by the Active Directory Domain Services role, click Add Features.

As you can see, the “Active Directory Domain Services role” has been selected. Click next to proceed.

Skip this window and click next

On the Active Directory Domain Services role overview, click next as it is just informational.

Click Install to install the Active Directory Domain Services role onto your server.

You can close the window here, or wait for the installation to complete and promote the server from within this window, or follow the next steps below.

Post ADDS Deployment Configuration
After installing the AD DS role, click on the notification flag in Server Manager and select Promote this server to a domain controller.

Since we already have a domain and we want another domain controller for high availability and fault tolerance, we will select the option “Add a domain controller to an existing domain”.
Please supply your domain credentials by clicking the Change button.

Enter the credential and click ok.

Click on next to proceed.

Domain Controller Options
Note: You do not need to select the Domain Name System (DNS) server option; we have shown this in “How to add a second Domain Controller“. I am only selecting the DNS server because in this lab I do not have a dedicated DNS server; the only DNS server I have is on the root Domain Controller. What if that VM crashes? Therefore, it makes sense to install DNS on this second Domain Controller as well.
You can also choose to make this a Read-Only Domain Controller if you wish, but that is not the topic we are covering today.
So I am fine selecting the options such as DNS and Global Catalog. Please also set the DSRM password. Here is a guide where you will find this credential useful in the future when your AD is having issues. Please see AD Recovery: Fix device ran into an issue with error 0xc00002e2.

Since a DNS server is being configured, you will be warned that a delegation for this DNS server cannot be created. This warning can be ignored; click Next to proceed.

On the Additional Options window, choose where you want your DC to replicate from. Active Directory can replicate from any domain controller or from a specific one, as you wish. I am fine with the Any option.

Specify the Location for AD DS Database, Logs, and SYSVOL. You can accept the default locations or specify different ones if you wish.

Please review your selections and click next.

As you can see below, the prerequisite check has passed. Click Install.

The server will automatically reboot after the installation.

Our server is restarting.
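The whole role installation and promotion sequence from the two sections above (Add Roles and Features, then Post-deployment Configuration), scripted for an elevated PowerShell session on the already domain-joined server. This is an added example, not code from the original post; the domain name corp.example.local, the replication source DC01.corp.example.local and the default database paths are assumed values, and the option choices (DNS on, Global Catalog on, no DNS delegation) mirror the lab choices described above.

```powershell
# Added example (not from the original post): install the AD DS role, run the
# prerequisite check, and promote this server as an additional DC in an existing domain.
# Assumed values (replace with your own): domain name, replication source DC, site name.
$DomainName = 'corp.example.local'
$SourceDC   = 'DC01.corp.example.local'   # existing DC to replicate from; remove the key for "any"
$SiteName   = 'Default-First-Site-Name'

# 1. Install the role binaries plus the management tools (ADUC, AD PowerShell module).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. Collect credentials interactively. The DSRM password is what you will need for
#    offline recovery later, so record it in your password vault.
$cred    = Get-Credential -Message "Domain Admin account in $DomainName"
$dsrmPwd = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

# Parameters shared by the prerequisite check and the promotion itself.
$promote = @{
    DomainName                    = $DomainName
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrmPwd
    InstallDns                    = $true     # DNS on this DC too, as in the lab above
    CreateDnsDelegation           = $false    # the delegation warning is expected; skip it
    NoGlobalCatalog               = $false    # keep Global Catalog enabled
    SiteName                      = $SiteName
    ReplicationSourceDC           = $SourceDC
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# 3. Prerequisite check first; stop on anything other than Success.
$check = Test-ADDSDomainControllerInstallation @promote
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Prerequisite check did not pass; fix the reported items before promoting.'
}

# 4. Promote. -Force suppresses the confirmation prompt; the server reboots on completion.
Install-ADDSDomainController @promote -Force
```

Splatting the same hashtable into both cmdlets guarantees the prerequisite check evaluates exactly the configuration that will be applied, which is the point of running it separately.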

Welcome! We have successfully completed the steps on how to add a new Domain Controller to an Existing Domain.

Launch Active Directory Users and Computers to see the new DC in the list of Domain Controllers.

Verify Active Directory Domain Services Replication
You can also verify the health of the new domain controller by running the commands below and ensuring there are no replication errors.
dcdiag /v
dcdiag /test:replications
We can also use Active Directory Sites and Services for this. Expand Sites and “Default-First-Site-Name” (renaming the site will be covered in another article). Right-click the NTDS Settings and select Check Replication Topology.

Please refresh and select Replicate Now. You will see the prompt shown below confirming that AD DS has replicated the connection.

Use repadmin to ensure there are no replication errors. Run PowerShell as administrator and run the commands below to get the current replication status for all Domain Controllers.
repadmin /showrepl
repadmin /showrepl * (to get the status of all DCs)

Run the command below to get a summary of the current replication state.
repadmin /replsummary
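Reading repadmin and dcdiag output by eye works for two DCs but not for twenty, so here is a scripted version of the checks in this section that evaluates every DC and flags only what is failing or stale. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory PowerShell module (installed with the role above) and relies on the /csv switch of repadmin /showrepl, which it cross-checks with the Get-ADReplicationFailure and Get-ADReplicationPartnerMetadata cmdlets. The 24-hour staleness threshold is an assumed value.

```powershell
# Added example (not from the original post): evaluate AD replication health for
# every domain controller and report failures and stale partnerships.
# Assumes the ActiveDirectory module; the 24 h threshold is an assumed value.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# repadmin /showrepl supports CSV output, which is far easier to evaluate than the text form.
$links = repadmin /showrepl * /csv | ConvertFrom-Csv

$failing = $links | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failing) {
    "Replication links with failures:"
    $failing | Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
                            'Number of Failures', 'Last Failure Status', 'Last Success Time' -AutoSize
} else {
    "All $($links.Count) replication links report zero failures."
}

# Cross-check with the AD module: recorded failures, and the age of the last successful sync.
$staleAfterHours = 24
foreach ($dc in $dcs) {
    $fail = Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue
    if ($fail) {
        "$dc : " + (($fail | ForEach-Object { "$($_.Partner) -> $($_.FailureType)" }) -join '; ')
    }

    Get-ADReplicationPartnerMetadata -Target $dc -Partition * -ErrorAction SilentlyContinue |
        ForEach-Object {
            $age = (Get-Date) - $_.LastReplicationSuccess
            if ($age.TotalHours -gt $staleAfterHours) {
                "$dc <- $($_.Partner) [$($_.Partition)] last success $([int]$age.TotalHours) h ago"
            }
        }
}

# Finally the summary and the dcdiag replication test shown in the article.
repadmin /replsummary
dcdiag /test:replications
```

A link that shows zero failures but a last success days old is the case that is easy to miss in the text output; the staleness loop is there to surface it.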

Configure Preferred DNS Server Address for Domain Controllers
We need to configure the DNS servers correctly on the two domain controllers. On each DC, set the preferred DNS server to point to the other domain controller, and set the alternate DNS server to its own IP address (or the loopback address 127.0.0.1).
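The preferred/alternate layout above applied to every DC in the domain with one script, rather than editing each adapter by hand. This is an added example, not code from the original post; it assumes all DCs run the DNS role and that PowerShell remoting is enabled on them, and it goes one step beyond the text by re-registering each DC's DNS records once the resolver order has changed.

```powershell
# Added example (not from the original post): on each DC set the preferred DNS
# server to a partner DC and the alternate to the loopback address, then re-register
# the DC's own records. Assumes the DNS role on every DC and WinRM enabled.
Import-Module ActiveDirectory

$dcs = @(Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address)
if ($dcs.Count -lt 2) { throw 'This layout needs at least two domain controllers.' }

foreach ($dc in $dcs) {
    # Preferred = the first DC that is not this one; alternate = itself via loopback.
    $partner = ($dcs | Where-Object HostName -ne $dc.HostName | Select-Object -First 1).IPv4Address
    $servers = @($partner, '127.0.0.1')

    Invoke-Command -ComputerName $dc.HostName -ArgumentList (,$servers) -ScriptBlock {
        param([string[]]$Servers)

        # Only touch interfaces carrying a statically assigned IPv4 address, i.e. the real NIC(s).
        Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Manual |
            ForEach-Object {
                Set-DnsClientServerAddress -InterfaceIndex $_.InterfaceIndex -ServerAddresses $Servers
            }

        # Re-register this DC's A and SRV records using the new resolver order.
        ipconfig /registerdns | Out-Null
        Restart-Service Netlogon

        # Report what was applied on this host.
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object ServerAddresses |
            Select-Object @{n='Host';e={$env:COMPUTERNAME}}, InterfaceAlias, ServerAddresses
    }
}
```

Filtering on PrefixOrigin Manual keeps the change away from loopback and tunnel adapters, which otherwise also appear in Get-DnsClientServerAddress output.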

Do not forget to back up your Domain Controllers. Here are some articles: How to integrate ObjectFirst OOTBI Appliance with VBR, how to Setup DS923+ Synology NAS as a Backup Repository for VBR, and how to Install Veeam Backup and Replication with the default PostgreSQL.
I hope you found this article on How to add a new Domain Controller to an Existing Domain very useful. Please feel free to leave a comment below.