In this article, we will show you how to deploy an additional domain controller in an existing Active Directory forest based on Windows Server 2016. An additional domain controller increases domain resiliency, allows load balancing between AD sites, and reduces the load on WAN links between the HQ and branch offices. For normal Active Directory operation, it is recommended to deploy an additional DC in each remote branch and configure replication between them.
Suppose you have one AD domain controller in the central office, and you want to add an additional DC in your remote branch office in Toronto. For example, the domain controller in HQ is called DC1, and you want to add DC2 in Toronto.
First of all, you need to create IP subnets and an AD site for your branch office. This is necessary so that the computers and users in your branch authenticate against their own DC instead of sending requests over the WAN link to the central office DC1.
Open the Active Directory Sites and Services snap-in. Expand Sites > Subnets and create 2 IP subnets (New > Subnet):
- 192.168.1.0/24 – head office network;
- 192.168.10.0/24 – branch office IP network.
Now create a new Toronto site (Sites > New Site).
Note. The Default-First-Site-Name site is created automatically when you deploy the first DC in the AD forest. In our example, this is the site of the central office.
Now open the properties of the 192.168.10.0/24 subnet and change the site to Toronto.
Now you can install a new instance of Windows Server 2016 in the branch office. It can be a physical or virtual server.
Set the following settings on your new domain controller:
- Change the server name to DC2;
- Install all current Windows security updates;
- Set the correct time and time zone;
- Be sure to set a static IP address for the new server (in our example, this is 192.168.10.11);
- Set the address 127.0.0.1 as the primary DNS server, and the IP address of DC1 as the alternate DNS server (for example, 192.168.1.11);
- Use the Server Manager console to install the Active Directory Domain Services role.
After installing the AD DS role, open Server Manager, select Post-deployment Configuration, and then select Promote this server to a domain controller.
In the Active Directory Domain Services Configuration Wizard, select Add a domain controller to an existing domain and specify the name of your domain (in my example, test.com).
The next step is to enable the following options:
- Domain Name System (DNS) server;
- Global Catalog (GC);
- Site name > select Toronto site instead of Default-First-Site-Name;
- Specify the Directory Services Restore Mode (DSRM) password.
In the Additional Options step, you can select the domain controller from which you want to perform the initial replication of Active Directory data. We will use DC1 as a source.
Hint. If you have a slow or unreliable link between the HQ and the branch office, you can create an Install From Media (IFM) image on DC1 and transfer the physical drive with the IFM image to the branch. In this case, you can use the local copy of the IFM image for the initial replication instead of pulling the whole directory over the WAN.
Set the Paths to the AD DS database (NTDS), log files, and the SYSVOL folder. We recommend leaving the default values.
That’s all. Check the info in the Prerequisites Check list and start the installation of an additional DC by clicking the Install button.
Hint. You can deploy an additional DC using a single PowerShell command:
Import-Module ADDSDeployment
# Promote this server as an additional DC for test.com in the Toronto site.
# The account must be a member of Domain Admins; the DSRM password is set inline here for brevity.
Install-ADDSDomainController `
    -NoGlobalCatalog:$false `
    -CreateDnsDelegation:$false `
    -Credential (Get-Credential Test\Administrator) `
    -CriticalReplicationOnly:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainName "test.com" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SiteName "Toronto" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword (ConvertTo-SecureString '!P@ssw0rd!' -AsPlainText -Force) `
    -Force:$true
After the installation is complete, your new server will appear in the Active Directory Users and Computers (ADUC) console in the Domain Controllers section.
You can check the replication status between domain controllers using the repadmin tool:
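As an added example that is not part of the original article, the following PowerShell script (run from a machine with the RSAT ActiveDirectory module) verifies that DC2 registered in the Toronto site as a global catalog, that the branch subnet is bound to that site, and that replication with DC1 is healthy. The names, site and subnet are the article's example values and the script assumes the promotion has already completed.

```powershell
# Added post-promotion checks for the new branch DC (not code from the original article).
# Assumed values, taken from the article's example: domain test.com, DC1 in HQ,
# DC2 in the Toronto site, branch subnet 192.168.10.0/24.
Import-Module ActiveDirectory

$NewDc     = 'DC2'
$SourceDc  = 'DC1'
$Site      = 'Toronto'
$BranchNet = '192.168.10.0/24'

# 1. Confirm DC2 is in the expected site and advertises as a global catalog.
$dc = Get-ADDomainController -Identity $NewDc
[pscustomobject]@{
    Name            = $dc.HostName
    Site            = $dc.Site
    SiteOk          = ($dc.Site -eq $Site)
    IsGlobalCatalog = $dc.IsGlobalCatalog
}

# 2. Confirm the branch subnet maps to the Toronto site, so branch clients
#    locate DC2 instead of crossing the WAN to DC1.
Get-ADReplicationSubnet -Identity $BranchNet | Select-Object Name, Site

# 3. Core DC services must be running on the new server.
Get-Service -ComputerName $NewDc -Name NTDS, DNS, Netlogon, Kdc |
    Select-Object Name, Status

# 4. Replication partner metadata from DC2's point of view: last successful
#    sync per partner and the count of consecutive failures.
Get-ADReplicationPartnerMetadata -Target $NewDc -Scope Server |
    Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures

# 5. Any replication failures recorded on either DC (empty output is the goal).
Get-ADReplicationFailure -Target $NewDc, $SourceDc -Scope Server

# 6. Forest-wide summary from the repadmin tool the article refers to.
repadmin /replsummary
```

Any partner with ConsecutiveReplicationFailures greater than 0, or a SiteOk value of False, means the new DC is not yet serving the branch as intended.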