Creating Primary and Secondary Domain Controllers (Windows 2003 Server)

I was creating a new Domain the other day for testing purposes and thought I would document the process as I went along to put a short tutorial up over here.

This is how to create a Primary Domain Controller (Windows Server 2003) as well as a Secondary DC to act as a backup. I will not be covering FSMO roles or changing of FSMO roles in this tutorial however. The how-to assumes that you have two freshly installed Windows 2003 Servers.

1. Create your first DC. On your first freshly installed Windows 2003 Server machine, go to Start->Run, type “dcpromo” and press Enter. Alternatively you can go to the “Manage your server” wizard and add a new Role of “Domain Controller (Active Directory)”. After running dcpromo, click Next until you get to the “Domain Controller Type” page. Here we will select “Domain controller for new domain”.

2. Next we select “Domain in a new forest”.

3. You can now enter your full DNS name for the new domain. I used “shogan.local”. Don’t use your web domain here as this is an “internal domain name”. Use something like “yourcompanyname.local”.

4. For the NetBIOS name, leave the default. It should just be a shortened version of the domain you specified in step 3. I believe this helps with compatibility when NT, 95 and 98 machines are looking at a Windows 2000 or higher domain.

5. Next you can specify the location of your database and log folders. I usually leave mine in their default location.

6. Same for the Shared System Volume folder. I leave mine as default (C:\WINDOWS\SYSVOL).

7. Next the wizard will check to see if you have DNS installed on this machine. If not, select the second option “Install and Configure the DNS server on this computer”. This is the easiest option and the installation will set DNS up for you.

8. The next screen deals with compatibility. I selected the second option here (Windows 2000 and 2003) as I won’t have any other servers below Windows 2000 or 2003 on this particular domain.

9. Enter your Directory Services restore mode password on the next screen and keep this safe.

10. Continue the wizard and the installation will begin.

11. Once the Active Directory Installation wizard is complete, click Finish, then restart the server.

12. Once it has restarted, you should get a screen stating “This Server is now a Domain Controller”. Click Finish and you are done with the first DC!

13. Next, I go to the second server with a fresh install of Windows 2003 Server.

14. Set your IP addresses up. Now that you have a DNS server on the other DC, you can point this Server’s Preferred DNS address to the IP of the Primary DC we just set up. In this case my Primary DC has an IP of 192.168.1.1 and the second DC we are about to set up gets an IP of 192.168.1.2.

15. Run dcpromo on the new server.

16. This time we are going to choose “Additional Domain Controller for an existing domain” in the Active Directory installation wizard.

17. The next screen asks you for your “network credentials”. Enter your new domain administrator username and password (set up on the first DC). This should be “Administrator” and whatever password you specified during the install. Enter the domain name you specified in step 3 above. For example, I used “shogan.local”.

18. Enter the domain name again (shogan.local in my case) on the next screen.

19. Complete the rest of the installation wizard as we did in the steps for the first DC. This just involves specifying database and log folders etc. I usually leave the rest of the options at their defaults. Once you are done, setup should ask you to restart the server.

20. Restart once complete and log in with your domain admin account. You should now have a fully functional secondary DC. Any changes you make in Active Directory on either server should now replicate across to the other DC.
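To confirm that the two DCs really are replicating and that the DNS setup from step 14 is working, here is an added check script (not part of the original post). It assumes the shogan.local domain and the 192.168.1.1 / 192.168.1.2 addresses used above, and that the Windows Server 2003 Support Tools (dcdiag, repadmin, netdom) are installed on the DC you run it from.

```batch
@echo off
REM Constructed post-promotion check for the two-DC lab above.
REM dcdiag, repadmin and netdom come from the Windows Server 2003
REM Support Tools (SUPTOOLS.MSI on the install CD); nslookup and
REM nltest ship with the OS. Run from either DC as a domain admin.
setlocal
set DOMAIN=shogan.local
set DC1=192.168.1.1
set DC2=192.168.1.2

echo === 1. Both DCs should appear in the _msdcs SRV records (step 14 DNS) ===
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %DC1%

echo === 2. Locator test: which DC does a client get for the domain? ===
nltest /dsgetdc:%DOMAIN%

echo === 3. Replication partners and last-attempt results on each DC ===
repadmin /showrepl %DC1%
repadmin /showrepl %DC2%

echo === 4. Replication health summary (look for non-zero Fails) ===
repadmin /replsummary

echo === 5. FSMO roles still sit on the first DC unless you moved them ===
netdom query fsmo

echo === 6. Replication, SYSVOL/NETLOGON shares and DC advertising ===
dcdiag /test:replications /test:netlogons /test:advertising /v
endlocal
```

If step 3 or 4 reports failures, fix DNS (the secondary must point at a DC that hosts the zone) before troubleshooting anything else, since most replication errors in a fresh two-DC domain are name resolution problems.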

[Screenshots of each step of the installation process accompanied the original post.]

Feel free to post any questions or comments in the comments section below.

10 Comments

  1. I found this article very interesting, and it helped me identify how to set up a primary and secondary AD in Windows Server 2003, which I was looking for for a long time.

    th

  2. I managed to set up the secondary DC as you described, but what about the user profiles? How do those get replicated? And if the primary goes down, how does the secondary pick up? Thanks again for the post!

  3. My DC crashed. I have an Additional Domain Controller; how do I promote the Additional Domain Controller to be the Domain Controller?

  4. Anil,

    Unlucky – but there is a way to promote a backup DC (or secondary DC) to take over the role(s) that the primary was handling. I will just need to caution you though, that using the Ntdsutil command incorrectly can result in partial or complete loss of your Active Directory! So just be careful, and do as much reading up on FSMO roles etc. to ensure you are comfortable with what you are doing before continuing. Here is an article that seems to explain the process fairly nicely – http://geekswithblogs.net/mhamilton/archive/2007/04/15/111674.aspx – otherwise google around a bit more and find some other articles that demonstrate the process. Make sure the OS you are using also matches up with the steps you are following. Also, it is important if you seize roles from the old DC that crashed, that if you get it working again, you do not connect it back up – you shouldn’t use this same DC again. Anyway, have a read around and familiarise yourself first before you continue! Again, make sure you are comfortable with what you are doing before proceeding.

  5. Adrian, for the user’s profiles, what you probably want is to set up roaming profiles – they can be stored in a network share on a file server on your domain, and you can back these up using a backup script or software if you like. Otherwise if you mean the actual Active Directory User accounts (or user objects), then these are all held in Active Directory anyway and will be replicated automatically. See my reply to Anil about how a secondary would take over again – you basically need to transfer FSMO roles or in worst cases seize FSMO roles using the command line depending on the situation. If you didn’t have a secondary DC or backups of AD when your primary DC failed, then you would be in a very bad situation, so having a secondary DC is a very good idea!

  6. Mate,

    Would just like to thank you for this info. It helped a lot; I was stuck trying to create an additional DC on my VM.

    thanks

  7. Can these also be synchronized to an MS Exchange server? Or can they also replicate all the data in an MS Exchange server?

  8. Any suggestion for my Domain Controller and MS Exchange server? I want to make a backup server that synchronizes all the data between the two servers, so that in case one server fails I have another server running. Any suggestion please on what to do? Thanks

  9. Hi Sherwin,

    It all depends on what OS you are using, as your question is quite vague! I would suggest that you read through MS documentation for best practices pertaining to the version of Windows Server OS you are running, with regard to Domain Controllers, and then do the same for the version of MS Exchange you are running too. You should also always split out the roles – so don’t have any domain controller services running on an Exchange server, for example!
