- Domain controller redundancy is essential to maintain high availability and security in Windows networks.
- It's essential to follow a structured process and consider prior settings such as static IP and DNS configuration.
- Post-promotion checks and best practices strengthen the resilience and performance of Active Directory.

If you manage a network based on Windows Server, you've probably heard about Active Directory and the vital importance of domain controllers in maintaining a secure, stable, and highly available infrastructure. In enterprise environments, ensuring redundancy and fault tolerance is key, and adding additional domain controllers is a recommended best practice.
Promoting a server to a domain controller is a very important process, not only when creating the first domain, but also when reinforcing it with new servers. Whether for growth, security, load balancing, or high availability, knowing how to perform this task correctly can save you a lot of trouble. In this article, we'll explain in detail how to perform this process on Windows Server (2016, 2019 and newer versions), integrating recommendations, steps and tricks that ensure success and minimize risks.
Why promote a server to a domain controller?
The domain controller (DC) is the organizational pillar of Active Directory. It's responsible for authenticating users, managing permissions, storing critical network information, and ensuring operational continuity. Therefore, limiting yourself to a single domain controller creates a single point of failure.
- Redundancy: Adding (or promoting) more DCs ensures that if one fails, another will take over.
- Load balancing: Login and authentication requests are distributed.
- Disaster recovery: A second DC facilitates domain reconstruction after failures.
- Geographic availability: You can have DCs in different physical locations.
For all these reasons, most experts recommend having at least two domain controllers in any production environment, regardless of the size of the organization.
Preliminary considerations and essential requirements
Before you jump into adding a new DC, there are several factors you shouldn't overlook that will ensure the entire process runs smoothly:
- Static IP: Always assign a fixed IP address to the server you're promoting. This will prevent computers from losing track of the controller if the address changes.
- DNS configuration: The server must have the IP of an existing DC in the domain as its primary or preferred DNS. If it's going to be the first DC, it must be its own.
- Server name: Use clear, descriptive nomenclature supported by your organization's policies.
- Security updates: Install the latest patches before any critical role changes.
- Administrative account: You need an account with sufficient privileges on the domain to complete the promotion.
Don't neglect the system time. Time synchronization is critical in Active Directory. Ensure all servers are properly synchronized to avoid authentication and replication issues.
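The checks above can be scripted before touching the wizard. The following is an added example, not part of the original article; the domain name and DC address are placeholders, and the time check assumes the English output format of w32tm.

```powershell
# Added example: pre-promotion checks for a server that will become an additional DC.
param(
    [string]$Domain        = 'corp.example.com',  # placeholder domain name
    [string]$ExistingDcIp  = '192.0.2.10',        # placeholder address of an existing DC
    [int]$MaxSkewSeconds   = 300                  # Kerberos tolerates 5 minutes of skew by default
)
$problems = [System.Collections.Generic.List[string]]::new()

$nics = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }
foreach ($nic in $nics) {
    # Static IP: a DHCP lease change would move the DC out from under its clients.
    if ($nic.Dhcp -eq 'Enabled') {
        $problems.Add("Interface '$($nic.InterfaceAlias)' uses DHCP; assign a static address.")
    }
    # Preferred DNS must be an existing DC so the domain's records resolve.
    $dns = @((Get-DnsClientServerAddress -InterfaceIndex $nic.InterfaceIndex `
              -AddressFamily IPv4).ServerAddresses)
    if ($dns.Count -eq 0 -or $dns[0] -ne $ExistingDcIp) {
        $problems.Add("Interface '$($nic.InterfaceAlias)': preferred DNS is '$($dns[0])', expected $ExistingDcIp.")
    }
}

# The DC locator SRV record proves the configured DNS actually serves the AD zone.
try {
    Resolve-DnsName -Type SRV -Name "_ldap._tcp.dc._msdcs.$Domain" -ErrorAction Stop | Out-Null
} catch {
    $problems.Add("Cannot resolve DC locator records for $Domain.")
}

# An additional DC must already be a member of the domain.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    $problems.Add('Server is not joined to a domain.')
}

# Clock offset against the existing DC; output looks like "12:00:00, +00.0012345s".
$sample = w32tm /stripchart /computer:$ExistingDcIp /samples:1 /dataonly | Select-Object -Last 1
if ($sample -match '([+-]\d+\.\d+)s') {
    if ([math]::Abs([double]$Matches[1]) -gt $MaxSkewSeconds) {
        $problems.Add("Clock differs from $ExistingDcIp by $($Matches[1]) seconds.")
    }
} else {
    $problems.Add("Could not read a time offset from $ExistingDcIp.")
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'All pre-promotion checks passed.' }
```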
Installing the Active Directory Domain Services (AD DS) Role

Before you can promote a server to DC, you need to add the Active Directory Domain Services role to the server in question. This installation is simple using Server Manager. Windows Server editions include this role and the additional features necessary for it to work properly.
- Access the Windows Server you want to add.
- Sign in with an account that has administrator permissions.
- Open Server Manager and look for the Add roles and features option in the role summary.
- Go past the initial information screen and select role-based or feature-based installation.
- Choose the destination server (make sure it's the correct one!).
- Select the role Active Directory Domain Services (AD DS).
- The installer will also suggest some additional features required for the proper functioning of this role (such as Group Policy Management). Accept them and move on.
- Confirm the selection and, if you consider it appropriate, enable the option to restart the server automatically after installation if necessary.
- Click on Install and wait for the process to finish.
When the installation is complete, close the window. Your server is now ready to be promoted to a domain controller. To expand your knowledge, you can also learn how to join a computer to a Windows domain to manage your resources more efficiently.
Promoting a server to a primary or additional domain controller

Now comes the crucial moment: converting your server into a DC. Depending on whether you're creating a new forest/domain or simply adding a backup DC to an existing domain, there will be slight differences in the options, but the basic process is the same.
Promote the first domain controller
If you don't have any DCs in the domain yet, the initial setup is similar to other systems, but it's important to follow each step carefully. You can find details in our article about problems with domain services if you encounter difficulties in the initial creation.
- Click on the notification that appears in Server Manager after installing the AD DS role (next to the Manage menu).
- Choose Promote the server to a domain controller.
- Choose the option Add a new forest and type the root domain name, making sure that it follows standardized naming practices (for example, company.local).
- Choose the functional level of the forest and the domain. It's recommended to keep them as up-to-date as possible to take advantage of the latest security features.
- The wizard selects the DNS and Global Catalog (GC) server options by default. If this is the first DC, both must be enabled.
- Define the Directory Services Restore Mode (DSRM) password. Memorize it or store it safely; it's key for recovery tasks.
- NetBIOS Name: Enter the short domain name. This is usually the root domain name without suffixes.
- The wizard may warn you that a DNS delegation could not be created (common in new deployments or when the DNS is on the same DC). This warning can be ignored.
- Choose the folder where the database, log files, and SYSVOL will be stored. It's best to keep the default paths.
- Review all the options. If everything is correct, allow the wizard to perform a prerequisite check, and when approved, click Install.
Once finished, the server will automatically reboot and you'll have your first DC up and running.
Add a domain controller to an existing domain
For load balancing, redundancy, or organizational growth, you can add additional servers as domain controllers to an existing domain. The process is very similar, but with nuances. If the server is not yet joined to the domain correctly, it's recommended to first read how to join a computer to a domain in Windows.
- Verify that the server is joined to the existing domain (if not, join from system properties and restart your computer).
- Log in using domain administrator credentials (you can use the user in the format DOMAIN\user or user@domain.com).
- After installing the AD DS role (as detailed above), access the Server Manager notification and select Promote the server to a domain controller.
- On the wizard page, select Add a domain controller to an existing domain and enter the target domain name.
- Confirm the user with sufficient privileges (you can change it if you are using another session).
- In Domain Controller Options, leave the DNS server and Global Catalog (GC) options enabled unless there are specific needs.
- Select the site where the DC will be located, if you have several defined in Active Directory Sites and Services.
- Enter the DSRM password (it may be the same as the administrator's, but it is recommended that it be strong and stored securely).
- The wizard may warn you that it's impossible to create a DNS delegation; in the vast majority of cases, this is unnecessary and can be ignored.
- In Additional Options, choose which existing DC you want the initial replication to occur from (if you have more than one). If you don't have enough bandwidth between sites, you can install from media (IFM), although replication typically happens over the network.
- Specify the location of the database, log files and SYSVOL; the defaults are usually fine.
- Review all options and allow Active Directory to verify prerequisites.
- Click on Install and wait for the process to finish. A progress bar will appear, and once complete, the server will automatically restart.
Once it's booted and you're back online, the new DC will be operational and, after replicating with the rest, will fully assume its authentication, replication, and network support functions.
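The same role installation and promotion can be done from PowerShell with the ADDSDeployment module. This is an added example, not part of the original article; the domain, site and source DC names are placeholders. The DSRM password is prompted for rather than written into the script.

```powershell
# Added example: scripted equivalent of the wizard steps for an additional DC.
# All names below are placeholders to replace with your own values.
$common = @{
    DomainName                    = 'corp.example.com'          # placeholder target domain
    Credential                    = Get-Credential -Message 'Account allowed to promote DCs'
    SafeModeAdministratorPassword = Read-Host -AsSecureString -Prompt 'DSRM password'
    SiteName                      = 'Default-First-Site-Name'   # site from AD Sites and Services
    ReplicationSourceDC           = 'dc01.corp.example.com'     # placeholder source DC
    InstallDns                    = $true                       # DNS server option from the wizard
    DatabasePath                  = 'C:\Windows\NTDS'           # wizard default paths
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# 1. Add the AD DS role together with its management tools.
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw 'AD DS role installation failed.' }

Import-Module ADDSDeployment

# 2. Run the same prerequisite check the wizard performs, without changing anything.
$results = Test-ADDSDomainControllerInstallation @common
$results | Format-Table Status, Message -Wrap
$errors = $results | Where-Object { "$($_.Status)" -eq 'Error' }
if ($errors) { throw 'Prerequisite check reported errors; promotion aborted.' }

# 3. Promote. The Global Catalog is enabled unless -NoGlobalCatalog is passed,
#    and the server restarts on completion unless -NoRebootOnCompletion is passed.
Install-ADDSDomainController @common -Force
```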
Post-promotion checks
While the wizard performs many automatic validations, it is important to perform some checks after the first boot:
- Replication status: Open a command prompt and run dcdiag /v to check the health of the DC.
- Check the events: The Event Viewer provides detailed information on any incident.
- DNS: Verify that DNS services are working correctly and that there are no relevant delegation errors.
- Adjust network settings: On each DC, set the other DC as the preferred DNS server and the DC itself as the alternate DNS server. This optimizes resolution and availability.
This ensures that, if any DC fails, the network continues to function without authentication or name resolution issues. In cases where DNS services may experience difficulties, resources such as NirSoft tools may be useful for checking DNS settings and status.
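The post-promotion checks above can be gathered into one script run on the new DC after its first boot. This is an added example, not part of the original article; it assumes English dcdiag output and the ActiveDirectory module installed with the AD DS management tools.

```powershell
# Added example: post-promotion health checks, run locally on the new DC.
Import-Module ActiveDirectory
$dc       = $env:COMPUTERNAME
$findings = [System.Collections.Generic.List[string]]::new()

# dcdiag prints "... failed test <name>" for every failing test.
dcdiag /v | Select-String -Pattern 'failed test' |
    ForEach-Object { $findings.Add("dcdiag: $($_.Line.Trim())") }

# Inbound replication: every partner should report result 0 (success).
Get-ADReplicationPartnerMetadata -Target $dc |
    Where-Object { $_.LastReplicationResult -ne 0 } |
    ForEach-Object {
        $findings.Add("Replication from $($_.Partner) failed with result $($_.LastReplicationResult).")
    }

# SYSVOL and NETLOGON are shared only once the DC is advertising correctly.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
        $findings.Add("Share $share is missing; initial replication may be incomplete.")
    }
}

# Critical and error events in the directory and DNS logs since the last boot.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$filter = @{ LogName = 'Directory Service', 'DNS Server'; Level = 1, 2; StartTime = $boot }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Event $($_.Id) in $($_.LogName): $($_.Message -split "`n" | Select-Object -First 1)") }

# DNS client order: the other DC first, this DC (own address or loopback) as alternate.
$own = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses -and $_.InterfaceAlias -notlike 'Loopback*' } |
    ForEach-Object {
        $servers = @($_.ServerAddresses)
        if ($own -contains $servers[0]) {
            $findings.Add("$($_.InterfaceAlias): preferred DNS is this DC; point it at the other DC.")
        }
        if (-not ($servers | Where-Object { $own -contains $_ })) {
            $findings.Add("$($_.InterfaceAlias): this DC is not listed as an alternate DNS server.")
        }
    }

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { "No problems found on $dc." }
```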
Common troubleshooting
Although the process is usually straightforward, sometimes problems can arise:
- Incorrect functional levels: If the wizard shows you previous or inconsistent versions (for example, "Windows Server Technical Preview" instead of the current version), update your system with the latest cumulative update from Windows Update before promoting the server.
- DNS delegation errors: This warning is common and, except in very specific cases of complex topologies, is usually harmless.
- Replication problems: If the changes are not replicated after installation, check the connectivity between DCs and ensure the required ports are open. To troubleshoot these issues, you can also refer to our guide on how to open ports in Active Directory.
Good practices for robust and secure environments
To get the most out of your AD infrastructure and avoid unexpected headaches, follow these recommendations:
- Always update your systems just before any promotion process or installation of critical roles.
- Avoid testing on production environments: use laboratories or virtual machines whenever possible.
- Document all changes and keep DSRM passwords in safe places.
- Monitor replication periodically, especially after the incorporation of new DCs.
- Plan the physical location of the controllers (different data centers, sites, etc.) to achieve greater resilience.
- Make backup copies periodically, including system state, to recover AD in the event of a disaster.
Mastering the process of promoting servers to domain controllers is essential for professionally managing a Windows network. By following the steps and recommendations described in this article, you'll achieve a solid, secure infrastructure that's ready for any unforeseen event. By maintaining multiple DCs, you not only increase the security and availability of your services, but you also contribute to the smooth operation and growth of your organization. Furthermore, implementing verifications and best practices complements and reinforces all the previous work, minimizing both present and future risks.