In this post, we’ll show you how to install an additional domain controller to a Windows Server 2016-based Active Directory forest. An extra domain controller can help with domain resiliency, load balancing between AD sites, and reducing the stress on WAN lines between the headquarters and branch offices. It is recommended to deploy an additional DC in each remote branch and configure replication between them for standard Active Directory functionality.
Let’s say you already have one AD domain controller in the central office and want to add another in your Toronto branch office. For example, suppose DC1 is the domain controller at HQ, and you want to add DC2 in Toronto.
To begin, create the IP subnets and an Active Directory site for the branch office. This is required so that the branch’s computers and users authenticate against their local DC instead of sending requests to DC1 at the central office.
Open the Active Directory Sites and Services snap-in. Expand the Sites > Subnets and create 2 IP subnets (New > Subnet):
- 192.168.1.0/24 – head office network;
- 192.168.10.0/24 – branch office IP network.
Now create a new Toronto site (Sites > New Site).
Note. The Default-First-Site-Name site is created automatically when you deploy the first DC in the AD forest. In our example, this is the site of the central office.
Now open the properties of the 192.168.10.0/24 subnet and change the site to Toronto.
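The same site and subnet configuration, done with the ActiveDirectory PowerShell module instead of the snap-in (this is an added example, not part of the original post; the subnet and site names are the post's, the site link name DEFAULTIPSITELINK is the default one created with the forest):

```powershell
# Added example: create the Toronto site and the two subnets from PowerShell.
Import-Module ActiveDirectory

# The Toronto site; Default-First-Site-Name already exists and holds HQ.
New-ADReplicationSite -Name "Toronto" -Description "Toronto branch office"

# Map each subnet to its site so clients locate a DC in their own site.
New-ADReplicationSubnet -Name "192.168.1.0/24"  -Site "Default-First-Site-Name" -Location "HQ"
New-ADReplicationSubnet -Name "192.168.10.0/24" -Site "Toronto"                 -Location "Toronto"

# Unlike the New Site wizard, New-ADReplicationSite does not attach the site to a
# site link; add it to the default link so inter-site replication is scheduled.
Set-ADReplicationSiteLink -Identity "DEFAULTIPSITELINK" -SitesIncluded @{Add = "Toronto"}

# Verify: every subnet must map to a site. A subnet left unassigned is a common
# reason branch clients keep authenticating against the HQ DC.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```

Run this on DC1 (or any machine with RSAT) as a member of Enterprise Admins, since sites and subnets live in the Configuration partition.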
In the branch office, you can now install a new instance of Windows Server 2016. A physical or virtual server can be used.
On your new domain controller, make the following changes:
- Change the name of the server to DC2;
- Install all of Windows’ current security updates;
- Set the clock to the correct time and zone;
- Make sure to assign a new server a static IP address (in our case, 192.168.10.11);
- Set the primary DNS server to 127.0.0.1, and the alternative DNS server to the IP address of DC1 (for example, 192.168.1.11);
- Install the Active Directory Domain Services role using the Server Manager console.
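The preparation steps above, run from an elevated PowerShell session on the new server (an added example, not from the original post; the interface alias "Ethernet", the gateway 192.168.10.1 and the use of DC1 as the time source are assumptions, the name, addresses and DNS order are the post's):

```powershell
# Added example: prepare the future DC2 before promotion.
$nic = "Ethernet"   # assumption: adapter alias on this server

# Static address for the new DC (gateway is an assumption).
New-NetIPAddress -InterfaceAlias $nic -IPAddress 192.168.10.11 -PrefixLength 24 -DefaultGateway 192.168.10.1

# DNS exactly as the post specifies: loopback first, DC1 as the alternate.
Set-DnsClientServerAddress -InterfaceAlias $nic -ServerAddresses 127.0.0.1, 192.168.1.11

# Time zone for Toronto, then sync the clock from DC1 so the server is inside
# the Kerberos skew tolerance before it joins the domain.
Set-TimeZone -Id "Eastern Standard Time"
w32tm /config /manualpeerlist:192.168.1.11 /syncfromflags:manual /update
w32tm /resync

# AD DS role plus the management tools (ADDSDeployment, ActiveDirectory modules).
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Rename last; the restart is required before the promotion wizard is run.
Rename-Computer -NewName "DC2" -Restart
```

Apply Windows updates (Windows Update or sconfig) before the rename and restart; the promotion's prerequisite check will otherwise flag a pending reboot.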
Run Server Manager after installing the ADDS role and go to Post-deployment Configuration > Promote this server to a domain controller.
Select Add a domain controller to an existing domain in the Active Directory Domain Services Configuration Wizard and provide your domain’s name (in my case, test.com):
The following parameters must be enabled next:
- DNS (Domain Name System) server;
- GC (Global Catalog);
- Site name > instead of Default-First-Site-Name, use Toronto.
- Enter a DSRM (Directory Services Restore Mode) password.
You can select the domain controller from which you wish to do the initial replication of Active Directory data in the Additional Options phase. As a source, we’ll use DC1.
If the WAN link between the headquarters and the branch office is too slow for a full initial replication, you can generate an Install From Media (IFM) image on DC1 and carry the physical drive containing the IFM image to the branch. In that case the local IFM copy is used for the initial replication, and only the changes made since the image was created cross the WAN.
Set the paths to the AD DS database (NTDS), log files, and the SYSVOL folder. We recommend leaving the default values.
That’s all. Check the info in the Prerequisites Check list and start the installation of an additional DC by clicking the Install button.
You can deploy an additional DC using a single PowerShell command:
    Import-Module ADDSDeployment
    Install-ADDSDomainController `
        -NoGlobalCatalog:$false `
        -CreateDnsDelegation:$false `
        -Credential (Get-Credential test\Administrator) `
        -CriticalReplicationOnly:$false `
        -DatabasePath "C:\Windows\NTDS" `
        -DomainName "test.com" `
        -InstallDns:$true `
        -LogPath "C:\Windows\NTDS" `
        -NoRebootOnCompletion:$false `
        -SiteName "Toronto" `
        -SysvolPath "C:\Windows\SYSVOL" `
        -SafeModeAdministratorPassword (ConvertTo-SecureString '!P@ssw0rd!' -AsPlainText -Force) `
        -Force:$true
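The PowerShell equivalent of the wizard's Prerequisites Check, with the domain credential and the DSRM password prompted for instead of written into the script (an added example, not from the original post; parameter values are the post's, DC1.test.com as the replication source is an assumption):

```powershell
# Added example: dry-run the prerequisite check, then promote only on success.
Import-Module ADDSDeployment

$cred = Get-Credential "test\Administrator"
$dsrm = Read-Host "DSRM password for DC2" -AsSecureString

# One parameter set shared by the check and the promotion, so what was tested
# is exactly what gets installed.
$params = @{
    DomainName                    = "test.com"
    SiteName                      = "Toronto"
    ReplicationSourceDC           = "DC1.test.com"   # assumption
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    CreateDnsDelegation           = $false
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
}

# Runs the same validations the wizard shows on its Prerequisites Check page
# without changing the server.
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List Status, Message, RebootRequired

if ($check.Status -eq "Success") {
    # -Force suppresses the confirmation prompt; the server reboots when done.
    Install-ADDSDomainController @params -Force
}
```

Keeping the DSRM password out of scripts and shell history matters because it is a local administrator credential on the DC that bypasses AD authentication when the server is booted into DSRM.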
After the installation is complete, your new server will show in the Domain Controllers area of the Active Directory Users and Computers (ADUC) panel.
The repadmin tool can be used to monitor the replication status between domain controllers:
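A verification pass for the new DC, using repadmin alongside the ActiveDirectory module (an added example, not from the original post; the names DC2 and test.com are the post's):

```powershell
# Added example: confirm DC2 is in the Toronto site, is a GC, and replicates cleanly.
Import-Module ActiveDirectory

# DC2 should show Site = Toronto and IsGlobalCatalog = True.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address, IsGlobalCatalog, OperationMasterRoles

# Per-partner replication metadata: LastReplicationResult 0 means success,
# anything else is a Win32 error code worth reading with "net helpmsg <code>".
Get-ADReplicationPartnerMetadata -Target "DC2" -Scope Server |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# repadmin view: forest-wide summary, then inbound links for DC2.
repadmin /replsummary
repadmin /showrepl DC2

# Trigger replication on all partitions now instead of waiting for the
# inter-site schedule (/A all partitions, /d names, /e enterprise, /P push).
repadmin /syncall DC2 /AdeP

# DC2 must advertise as a DC, GC and DNS server before clients use it.
dcdiag /s:DC2 /test:Advertising /test:Replications

# From a branch client: the locator should return a DC in the Toronto site.
nltest /dsgetdc:test.com /site:Toronto
```

If nltest returns DC1 instead of DC2, re-check the 192.168.10.0/24 subnet-to-site mapping first; that is the usual cause.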