Finally the help of IT is here

Blog of computer solutions.

How to create an additional domain controller in Windows Server 2003

Written by Xaus Xavier Nadal on June 5th, 2008

As promised, here is how to create an additional domain controller for an existing domain.

First we need an existing domain. In the previous post I showed how to create the first domain controller for the domain called , and now it is time to install an additional domain controller so that, if the first one goes down, we have a manual form of high availability that keeps validating users while the problem with the main server is fixed.

The first thing to do is install Windows Server 2003 and give it a fixed IP address, subnet mask, default gateway and DNS server; the DNS server is the primary domain controller we installed in the previous post. The server name will be seconddomain.

Once the system is patched to the latest level, run the command dcpromo.


Press Next.


Press Next.


Select Additional domain controller for an existing domain and press Next.


Fill in the fields with a user with Administrator permissions primary domain, enter your password and the domain field you will have to put the domain to which you are going to link in this case will be and press Next.


Click on Browse.


Select and press OK.


Press Next.


Press Next. As I said in another post, if the domain holds a large number of users it is recommended to place the NTDS directories on separate disks to improve the performance of the domain controller.


Press Next.


Enter a password that you will remember, because you will not use it again until the domain controller breaks and you have to boot into Directory Services Restore Mode, or until you demote the domain controller.


Press Next to begin installation.


Press Finish to complete the installation.


Press Restart now. You now have a working additional domain controller. To check that it works properly, shut down only the first domain controller and log on from a client PC; if the logon succeeds, the additional domain controller is handling it. You can confirm this in Event Viewer -> Security on the additional controller, where the logon events appear.

If it does not work, you have tested too soon: wait a few minutes for the replication topology to propagate and for RPC to become available, then test again.
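As an added example (not part of the original post), the batch file below checks the new controller for the things the test above and the comments below turn on: core services (a paused NETLOGON blocks logons), the SYSVOL and NETLOGON shares, Global Catalog membership, replication, the local DNS service, and Kerberos logon events in the Security log. It assumes the Windows Server 2003 Support Tools (dcdiag, repadmin) are installed and uses example.local as a placeholder for your domain name.

```batch
@echo off
REM Post-promotion health check for an additional Windows Server 2003 domain
REM controller. Added example, not code from the original post. Assumes the
REM Windows Server 2003 Support Tools (dcdiag, repadmin) are installed and that
REM DOMAIN below is replaced with your own domain name (placeholder value).
setlocal
set DOMAIN=example.local

echo === 1. Core services: NETLOGON paused or stopped means no client logons ===
for %%S in (NetLogon DNS KDC W32Time NtFrs) do (
    echo %%S:
    sc query %%S | find "STATE" || echo     not installed on this server
)

echo.
echo === 2. SYSVOL and NETLOGON shares: missing until FRS finishes its first sync ===
net share | findstr /I "SYSVOL NETLOGON" || echo     WARNING: SYSVOL/NETLOGON not shared yet

echo.
echo === 3. Global Catalog servers in the forest (this host should be listed) ===
echo     Clients cannot log on through a non-GC DC while the only GC is down.
dsquery server -forest -isgc

echo.
echo === 4. Replication partners and last success/failure per partition ===
repadmin /showrepl

echo.
echo === 5. DNS: the local DNS service must answer for the domain's LDAP SRV record ===
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% 127.0.0.1

echo.
echo === 6. dcdiag: connectivity, services, advertising, replication, FSMO reachability ===
dcdiag /test:Connectivity /test:Services /test:Advertising /test:Replications /test:NetLogons /test:FsmoCheck

echo.
echo === 7. Recent Kerberos authentications in the Security log (event 672) ===
echo     Seeing these here after shutting down the first DC proves this DC is
echo     validating logons. eventquery.vbs ships with Windows Server 2003.
cscript //nologo %SystemRoot%\system32\eventquery.vbs /L Security /FI "ID eq 672" /R 10
endlocal
```

Run it from an elevated command prompt on the additional controller, once with the first controller up and again after shutting the first one down, and compare the two outputs.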


58 Responses to "How to create an additional domain controller in Windows Server 2003"

  1. Abel Says:

Hello, greetings. Enormous help, a thousand thanks for taking the trouble to spread your computer skills.

  2. Abel Says:

I want to register a paid .info domain; how do I set it so that it points to my website? I have a PC with Windows Server 2003.
I do not understand what I have to set on my server; could you guide me? Thank you, it is a great help.
P.S. Abel Anani

  3. xavixaus Says:

First, thank you very much for consulting the blog; it is a motivator that makes writing these posts worthwhile.

The first thing you need is a fixed IP at which to point your domain's DNS records. (If you do not have a fixed IP this redirect will not be possible, unless you keep editing the DNS record to the new IP your internet provider gives you, nearly every day, which is not viable.)
If you do have a fixed IP, you must go into the administration of your .info domain and add an A record for www pointing to the fixed IP address you have.
(To see which IP you have, you can connect to the following link: What is my IP.)

In your router settings you will have to NAT port 80 (provided that is the port your web server uses) to the local address where your server is.
If you have a standalone configuration (not recommended) you do not need to do anything else.
(For more information on how to do this you can go to adsl Help, which explains step by step how to do it.)

On the server, if you have a firewall you must also open port 80, or whichever port you have configured, as I said before.

I hope this has been helpful; tell us your link so we can refer to it. If you need more explanation do not hesitate to contact me.

  4. Abel Says:

    hi thanks for the reply
Hi, thanks for the reply. On my server PC, can I have the DNS server and the website (web server) all on one PC, or is it better to host them on separate machines? Another thing: every time I do a test of port 53 it says I have a firewall. And finally, if I change the DNS, for example at NIC Chile (I change it to others), will the new DNS be available again on the internet as it normally should? I have ports 80, 21 and 53 redirected in the router to my fixed-IP server PC; when I test, all appear open except 53, which says I have a firewall. On the Windows Server 2003 DNS server the IP I give is the public IP ...
Good day, thanks, Abel

  5. xavixaus Says:

In my opinion, if you have room and money to spare it is better to have them on separate servers; if one is compromised it does not affect the others.

If you change the DNS (NIC Chile), it depends on the provider how long it takes to publish these records to other DNS servers (possibly 24 hours), but it depends, as I said.

I do not understand how you can have a PC with one public IP and one private IP. Do you have 2 external fixed IPs available?

What is happening to you is that port 53 is DNS and you have to redirect the DNS server to the web server.

What I recommend is that you do the external DNS administration through NIC Chile and forget about an internal DNS (unless you have a DMZ with a proxy and reverse DNS, but that is another matter).

The A record (www) should point to your external IP (router) and NAT port 80 to the web server's IP. You will not need ports 53 (DNS) and 21 (FTP) if you only want to host a website.

Sometimes port 80 is blocked on the router because it is the administration port. Change it to 8080, for example, and it will work.

  6. ferran Says:

Hello everyone, do you know if it is possible to have a W2003 server as a secondary domain controller in a W2000 domain? Because I can't get it to work ....

  7. XaviXaus Says:

Yes, it is possible, but you must run adprep /domainprep and adprep /forestprep from the Windows 2003 CD. (Check first that all domain controllers have at least Service Pack 2 so that there are no side effects.)

This is to prepare the Windows 2000 schema so that it understands your Windows 2003.

Tell me how it went.

  8. Albert Says:

Hello, can you help me? I have been asked to set up an RDP server to access the computers on my network and I'm really lost. I'd appreciate any help; please leave me an email so I can send it to you, if you can help me figure it out and give me some steps to follow, because I have not been able to. I have a Windows Small Business Server 2003 as the main server and a Windows Enterprise Edition that should work as a secondary where the RDP is attached. Here is the email, thanks.

The server has to be installed without serving as a domain controller in any way; that is not allowed.

First make a normal server without a domain (using the command dcpromo.exe), then you have to give it the name RDP2003, the DNS server address for ragaro.local, IP, subnet mask, broadcast address and DNS server, and then reboot the server.

In the RAZGARO DNS server tables you have to add the IP address of RDP2003. You also have to record all the computers' names and IP addresses. So far, not done.
Question: how do I do this?

You have to create an A record for the IP address of the computer and a TXT record containing the user's name, so we can know, remotely, who is using which computer. Besides, all computers have received the same name with a serial number, but you do not notice ... Then you have to add the server RDP2003 to the "razgaro.local" domain, which already exists. It is very simple, via System in the configuration screen.

When you have finished everything you have to tell us, so from here we can run everything else.

  9. Denisse Says:

Hello, good afternoon. I am going to migrate several domain controllers that are on 2000 to 2003; my question is how to create a temporary DC while the other one finishes being built. Can you help me or pass me some links where this is explained more specifically? I much appreciate your answer.


  10. ofo Says:

Thanks, it was very helpful to me, bye.

  11. Marco Says:

Hello, I found your article very interesting because I'm trying to set up a new server and transfer all the accounts from the old server. The problem is that when I reach the additional domain controller step and press Next, it gives me the error:

    The mistake was: "This operation returned Because the timeout period expired."
(Error code 0x000005B4 ERROR_TIMEOUT), and it will not let me continue, and I do not know what else it can be. I checked the DNS server and pointed to it to try to connect. I'd appreciate it if you could help me, please, as the server we currently have is about to stop working. Of course, thank you very much.


  12. Juani Says:

Hello!
Very good blog!
I am looking to register a name and want to use it for a blog.
What I want is that when I type my name it goes directly to the blog without typing blogspot. Can that be done??
I think that later it is something I order in the DNS, I think, but I don't know how to load it! hehe
Thank you!

  13. XaviXaus Says:

Good, I have seen that you've already solved it and I would like you to explain yourself how you did it, as this will be an example to follow for future readers and your help is always appreciated.

    Thank you very much and hope to see you soon.

  14. Roller8k Says:


  15. Inoformatica Says:

    Hello everyone

I see that in this forum they answer questions, so I would like you to help me. I have two 2003 servers, one is the primary domain controller and the other is the replica (the replica I made following the steps shown at the beginning of the page). After a series of complications I was able to finish the replica. My way of checking whether it works is to create a user on one server, which should be replicated on the other, and vice versa, and here comes my question. It is assumed that if I turn off the main server (pretending it has failed) the secondary should continue to function as DNS and continue to allow registering users in AD, isn't it?

Because if so, there is my problem: I turn off my main server, and when I want to do an nslookup on the secondary it tells me it cannot find the DNS server, and it does not let me create users in AD either.

Data on my primary server
IP: /24
Domain name:

Data on my secondary server
IP: /24

Could someone tell me what I am missing? I have not replicated the roles, nor am I sure I have to, much less how; does that have to do with my problem? If someone could answer I would appreciate it, and if it is necessary to replicate the roles, could you also tell me how?

Thank you very much in advance and I await your answers.


  16. XaviXaus Says:

Good evening Inoformatica, the problem you have is that the secondary domain controller installation did not install DNS. By default the DNS service installation is not performed on the secondary domain controller, since it detects that one already exists and dcpromo does not prompt for it.

    To solve this problem you will only need to install the DNS service on the secondary domain controller.


  17. Inoformatica Says:

Thank you for responding, but I have added DNS on the secondary, and yet when I turn off the primary DC and try to do nslookup it still fails, i.e. it cannot find the 100.10 address (which I have on the primary).

On my secondary I have my DNS forward and reverse zones, each with their respective hosts and PTR records.

The only thing that was corrected after installing DNS on the secondary is that it now lets me create users even with the primary off, something it had not allowed me before.

What do you think I could be doing wrong, or what might I be missing?

  18. XaviXaus Says:

Hello Inoformatica,

Let's go step by step; you have 2 problems there. One is with DNS, which should have been solved when you added the secondary DNS server.
The other, quite different, is being able to create users when the primary server is off. This happens because the secondary server is not a global catalog, so when you go to create a user it is not able to, because it cannot check whether an account like the one you are trying to create already exists in the domain.

To make your server a global catalog you have to go to Start -> Administrative Tools -> Active Directory Sites and Services -> Sites -> Default-First-Site-Name -> Servers -> your secondary domain server -> right-click NTDS Settings -> Properties, and on the General tab check the Global Catalog option.

I hope this helps you.

  19. Dakoy Says:

My network has the following infrastructure:
2 Win 2003 servers.
Server A = primary
Server B = other
The other day, with the primary server (server A) down and the other server (which I could not call secondary) up, users still could not log in; the domain fell.

I hesitate to execute the instructions at the top of the page on my server "B", as AD is replicated and it is in production.
The other thing I remember is that I ran most of those steps to bring up server B as an additional server.
But even so users are unable to log in with the main server off.

  20. juank Says:

The same thing happened to me and the problem is that the NETLOGON service is paused; it needs to be started.

  21. Martin Castro Razuri Says:

Hi, I want to bring up a secondary domain controller so that users log on to the domain and not a workgroup. My problem is that at the company where I work there is already a primary domain controller, which in turn is an application server and DNS, and it does not have the zone configured. Now my question is how I can make the secondary DC the principal without it replicating the mistakes of the other server again. I hope you can help.

    Best regards

    Martin Castro

  22. XaviXaus Says:

Hello Martin, I do not quite understand the question; what is happening to you on the primary domain controller, what problem?
Do you mean something like moving the FSMO roles to another domain controller??

    You'll tell me.

  23. Daniel Ramirez Says:

Hi, good morning, congratulations on the forum, it is very good. I need help, I hope you can give me a hand.
I have a DNS server on Linux; at my work they bought a new server on which I put Server 2003, and I want to set up a domain controller, or Active Directory. My question is, can I have Active Directory and DNS on separate servers? I think you can; how do you make the Active Directory point to the DNS server? I hope I have made myself understood and if not please let me know. Thank you very much.

  24. XaviXaus Says:

Hello Daniel.

Indeed you can have the domain controller and the DNS server on another machine without problems. But it is advisable to have it on the same one so that queries are faster and the DNS is integrated with Active Directory.

What I have never tried is having the DNS on a Linux server.

I hope I have helped you, and you can tell me about the experience.

  25. Dragon Says:

Hi, what's up? I think I'm late to this blog, but with what I have read I hope you can help me ..

I have the following problem: I have a Windows Server 2003 in which, for some reason, my Active Directory got damaged and I cannot create users or change user passwords. My question is:

Can I create a secondary domain controller to try to repair the AD and/or create user accounts and all that? If so, could you tell me how? ..

    Thanks anyway ... Thanks for all the information.


  26. XaviXaus Says:

Hello Dragon.

What error does the event viewer of the main domain controller give you?

From what you mention, you will not be able to do anything with the secondary controller because it will gather the data from the primary; possibly it will detect the problem when promoting to domain controller and you will obtain more data.

You could use DCDIAG, which is in the support directory of the Windows Server 2003 installation CD.

Tell me what messages appear.

  27. Dragon Says:

XaviXaus, thanks for your time ..

Look, the situation is as you say; I cannot change anything about the user ... neither the name nor the password, which complicates things for me because if I need to add another user, well, I cannot ..

The error it shows me when I try to reset a password is "Windows cannnot complete the password change for -user- because: The system can not find the file specified" ..

What can I do about it, is there some way to fix it?? ..

Greetings and thanks again for your time and space ...

  28. Joseph Says:

Hello everyone, first of all congratulations for this kind of information. I have the following problem: I have two servers and I made one the additional domain controller, but in the Operations Master option, on the RID tab, I changed the operations master to my secondary server and now an error appears in that box. What does it affect and what should I do to correct it? Thank you very much.

  29. JOSEPH Says:

Hello Xavi, I would like to see if you can help me. I have two servers, one is the additional domain controller and the other the main one; I only changed the operations master from the main to the additional one and now it shows an error in the RID operations master box. What can I do to return it to the main server?

  30. XaviXaus Says:

Hello Jose.

What error appears? To return to the previous state you only have to connect to the main server and transfer the RID master role, and that's it. You can check on my blog how to do it if you want; type FSMO in the search.

Greetings, and let me know.

  31. JOSEPH Says:

Thank you for your prompt response. Actually, first I connect to the server I want to go back to; in the field that indicates the operations master on the RID tab, "ERROR" appears, and when I click Change I get the message "the operations master function transfer cannot be performed due to: Requested FSMO operation failed. Cannot connect with the owner of the FSMO." Note: the screenshots are taken from the secondary server, since from the principal I cannot connect to the additional domain controller.

  32. XaviXaus Says:

Hello Jose,

Try from a command line with Ntdsutil,
with seize ...

If you do not know how to do it let me know and I'll explain, maybe I'll write a little article ..
You'll tell me.

  33. JOSEPH Says:

I would appreciate it if you explained in more detail; the article would be perfect.

  34. William Says:

Hi friends, I have a problem. Can you add a Windows Server 2008 secondary domain controller with a Windows Server 2003 main controller? I tried, but at the last step I get the following error message: To install a domain controller in this Active Directory forest, you must first prepare the forest using "adprep /forestprep"; the adprep utility is available in the \sources\adprep folder of the Windows Server 2008 installation media. What do I do!!! Please help!! Thank you.

  35. XaviXaus Says:

Hello Guillermo,

To have a Windows Server 2008 domain controller you must extend the schema using adprep /forestprep and adprep /domainprep. After doing this you can create a secondary server with Windows Server 2008 without problems.

    Look at this article:

    If you have any further questions let me know.

  36. William Says:

I executed that file but still have the same problem.

  37. Alejandro Says:

Hello everyone, I have a problem and would like to see if it has happened to anyone. I installed Windows Server 2003 and set up a domain controller; everything worked perfectly. The only mistake I made was giving the domain the same name as the website, and that apparently affected the operation of the website: when pinging between hosts, some gave me the right address and others gave me the address of the website. I mean, if I ping from secretaria1 to the server it returns a reply from 192.168.1.x, but when I ping from secretaria1 to secretaria2 it returns the IP address of the server where the website is hosted. What I did was reformat the server and reinstall it, and change the domain name, but the problem now is that the website can be accessed in some places and not in others, as with the mail. Could it be the domain controller generating a conflict, or could it be a server problem? Greetings.

  38. XaviXaus Says:

Good morning Alejandro.

The problem you have is not with the domain controller but with DNS.

You should configure all clients' DNS to point to the server, and on the server assign forwarders to external DNS servers; that way every query is first performed on the DNS and, if it is not found, it goes to the forwarders.

The DNS server must have internet access to do the forwarding.

Remember that on the domain controller with DNS it is good practice to point the primary DNS to itself (local) and the secondary to the secondary DNS; if there isn't one, leave it blank.

I hope to have solved your problem. See you soon.

  39. Cristian Says:


Thank you very much for the info, it was very useful to me, but I have a query.
I have problems with the virtual machine where my domain controller is loaded. I need to create one, but on a different PC (either another VM or another physical PC).
In your explanation I did not understand how I make this second domain controller, hosted on a different PC, not depend on the first domain controller.

    Thank you very much

  40. XaviXaus Says:

Hello Cristian.

The article explains how to make an additional domain controller for the same domain, as long as the primary domain controller is running.
Is what is happening to you that the main controller is failing? If so, you should do a disaster recovery of Active Directory. Do you have a recent copy of the system state?
Can you explain a little more what you want to achieve and the scenario you have set up?

You'll tell me

  41. GEORGE Says:

My question is: I have a principal domain server and an additional one; must both be Global Catalog or just the main one? Thank you very much for the help.

  42. XaviXaus Says:

Hello Jorge, here is your answer:

  43. GEORGE Says:

    Thank you very much, it has been of great help

  44. Scortes Says:


My question is: I need to move the domain server we are currently working with from Windows Server 2000 to 2003. We initially performed the procedure to update the forest schema and to add the 2003 server as an additional domain controller, but when we enter the user, password and domain on the 2003 server to create it as an additional domain controller, it shows the following message.

    "The operation failed Because, The Active Directory Installation Wizard was unable to convert the computer account to a damain controller SERVERDOMINIO account. Access is denied. "

  45. XaviXaus Says:

Hello Scortes.

What is happening is that you are logging on with a local administrator account, and I assume it must be done with one that has domain administrator credentials.

    You'll tell me.

  46. LuToT Says:

Good day all, the information is very good. I have the following query: how can I add a PC with Windows XP to a Windows Server 2003 domain without losing the configuration of the XP PC's local user profile? Or can you tell me how the procedure to add the PC to the domain is performed without problems, because two types of accounts are generated on a PC, those that are local and those that are in the domain.

  47. Otto Says:

Good day, I have a Windows Server 2003 with the name DOMAINOLD.local and I'm setting up a new domain name server with Windows Server 2008; the thing is, how do I set it up so that both trust each other? I added forwarders on both, i.e. on DOMAINOLD I added the IP of DOMAINNEW and vice versa. But still when I ping it does not work. Could you help me? (Also, if I configure secondary zones it does not work; I get the error: "loaded zone for the DNS server"). Thanks in advance, I hope you can help me.

  48. xavixaus Says:

Hello Otto,

The first thing I want you to check is the firewall, to see if you have it on. When you have done this, try to ping directly from one computer to the other; if that does not solve it, you have a problem with the network card configuration or with the cable, switch, etc ...

When you have checked this, let me know please ..

  49. Otto Says:

Thank you for responding, the firewall was disabled, but now I activated it = cannot ping. I ping as follows: > ping DOMAINOLD.local (ip: ) from DOMAINNEW and > ping ( ) from DOMAINOLD, and it tells me "the request could not find host ..."; or could you tell me another way to put the two domains in trust? Thank you very much for your comments.

  50. xavixaus Says:

Hello Otto,

Check the mask and gateway, and whether you have a managed switch with VLANs; if, as I see it, it is a small network, both should have the same mask, and the gateway of the router in this case, to be able to give them Internet access in the future.

To make the trust relationship they first have to see each other; at least try to share something, a folder or whatever. It could be that the ping does not work but you really do have visibility.
Are you doing this with virtual machines? Which system are you using? VMware virtual switch?
Can you describe the scenario a little, so between all of us we can help you better.


  51. John Borgas Says:

I have a Server 2003 DC.
I installed a secondary Win 2008 (32-bit) SP2 server, everything perfect, but when I check the NETLOGON and SYSVOL shared folders I see that they are not shared.
I get this error:
The File Replication Service is having trouble enabling replication from server 2003 to server 2008 for c:\windows\sysvol\domain using the DNS name server 2003.domino.local. FRS will keep trying.
Following are some of the reasons why this warning may appear.

[1] FRS cannot correctly resolve the DNS name ceim1.ceim.local from this computer.
[2] FRS is not running on ceim1.ceim.local.
[3] The topology information in this replica
How can I solve that?

  52. xavixaus Says:

Hello Juan,

Look at this article:

    You'll tell me.

  53. Alejandro Hernandez Says:

Hello, good evening, very good information, it has been very helpful.
Let me explain my problem: I have 1 server and 1 running Windows Server 2008, to which I want to migrate Active Directory and other services. So far I have followed several guides to do this.
I have the following concerns: I have already transferred the 5 FSMO roles successfully.
Both servers are global catalogs, and my server 2 (to which I am migrating Active Directory) is the operations master. However, when I disconnect my server 2 from the network, it loses the directory data.
Obviously when testing a login from a client using only server 2, the login fails to find the domain.
What do you think could be happening ...

I appreciate your prompt response in advance ...


  54. dOGGY Says:

Hello mates,

I have configured the Windows Server (2003) primary and secondary (2003); at one time it worked and several months passed, but last week I turned off the Windows Home Server and apparently the child did not respond.

My question is, apart from the Logon, where else can I look to see what happened?

  55. xavixaus Says:

Hello doggy ...

Do you mean that the secondary did not respond ... Did you transfer all the FSMO roles so that the domain is stable?


  56. elsy Says:

You saved me, thanks for your input.

  57. elsy Says:

Can you tell me if I can have more than one virtual child domain?

  58. xavixaus Says:

Hello elsy

You can have as many secondary domain controllers as you need .. virtual or physical

