
Promoting a new domain controller into an existing domain

Adding a domain controller to an existing domain is one of the most common AD infrastructure tasks, and one that's easy to get subtly wrong. Skipping pre-flight checks leads to promotion failures mid-wizard. Missing post-promotion steps leaves a DC that's technically up but not properly integrated — replication not verified, DNS not fully registered, and the old DC still holding roles it shouldn't. This runbook covers every step in the correct order.

ⓘ This runbook assumes an additional DC, not a replacement

If you're replacing an existing DC, follow this runbook for the promotion, then follow the DC decommission runbook for the removal. Don't do both at the same time.

Pre-flight checks

Promotion failures are almost always caused by skipping pre-flight. Run these checks on the existing domain before touching the new server.

Check AD replication health

# Run on an existing DC
repadmin /replsummary
repadmin /showrepl

# A replication error on an existing DC will propagate to the new one

Verify DNS is healthy

dcdiag /test:DNS /v

# Verify _msdcs zone exists in DNS Manager:
# Forward Lookup Zones > _msdcs.domain.com

Check existing DC health

dcdiag /v
# Watch: Advertising, KccEvent, Replications, SysVolCheck
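The three checks above can be combined into one gate that refuses to continue while the existing domain shows a problem. This is an added example written for this runbook, not code from the original page; it assumes it is run on an existing DC (or a server with RSAT and the ActiveDirectory module) and that `$DomainName` defaults to the domain the machine belongs to.

```powershell
# Pre-flight gate: run on an EXISTING DC before touching the new server.
# Added example for this runbook; assumes the ActiveDirectory module plus
# repadmin.exe and dcdiag.exe are available on the machine running it.
param(
    [string]$DomainName = (Get-ADDomain).DNSRoot   # e.g. corp.contoso.com
)

$blockers = New-Object System.Collections.Generic.List[string]

# --- 1. Replication health -------------------------------------------------
# Structured view first: any partner with a non-zero failure count is a blocker,
# because a replication error on an existing DC will propagate to the new one.
Get-ADReplicationFailure -Target $DomainName -Scope Domain |
    Where-Object { $_.FailureCount -gt 0 } |
    ForEach-Object {
        $blockers.Add("Replication: $($_.Server) -> $($_.Partner) failing ($($_.FailureCount)x, error $($_.LastError))")
    }

# Keep the raw repadmin summary for the change record; fail on its error banner.
$replSummary = repadmin /replsummary 2>&1 | Out-String
if ($replSummary -match 'Experienced the following operational errors') {
    $blockers.Add("repadmin /replsummary reported operational errors")
}

# --- 2. DNS health ---------------------------------------------------------
# The _msdcs zone must exist and contain the DC locator SRV records.
$locator = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
if (-not ($locator | Where-Object Type -eq 'SRV')) {
    $blockers.Add("DNS: no DC locator SRV records under _msdcs.$DomainName")
}

# --- 3. Existing DC health via dcdiag --------------------------------------
# dcdiag accepts several /test: switches; its summary lines end in
# "passed test <Name>" or "failed test <Name>".
$dcdiag = dcdiag /test:Advertising /test:KccEvent /test:Replications /test:SysVolCheck /test:DNS 2>&1
foreach ($line in $dcdiag) {
    if ($line -match 'failed test (\S+)') {
        $blockers.Add("dcdiag: $($Matches[1]) failed")
    }
}

# --- Verdict ---------------------------------------------------------------
if ($blockers.Count -gt 0) {
    Write-Host "PRE-FLIGHT FAILED - fix these before promoting a new DC:" -ForegroundColor Red
    $blockers | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
Write-Host "Pre-flight passed for $DomainName; proceed to 'Prepare the new server'." -ForegroundColor Green
```

Run it interactively and keep its output with the change ticket; a non-zero exit code makes it usable as the first stage of a scripted promotion.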

Prepare the new server

  • Set a static IP address — never promote a DHCP-addressed server
  • Point DNS at an existing DC, not itself (yet)
  • Join the server to the domain before promoting
  • Verify connectivity to existing DCs on ports 135, 389, 445, 636, 3268, 49152–65535

⚠ DNS must point at an existing DC before promotion

Setting DNS to the new server's own IP before promotion causes the promotion to fail when it tries to locate the domain. Point at an existing DC first. After promotion completes, add the new DC's own IP as secondary DNS.
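The four preparation items and the DNS warning above can be verified on the new server before the wizard is started. This is an added example for this runbook, not code from the original page; `$ExistingDc` and `$DomainName` are placeholders for your environment, and only the fixed ports from the list are probed (the RPC dynamic range cannot be tested with a single connect).

```powershell
# New-server readiness checks: run on the NEW member server, before Install-ADDSDomainController.
# Added example for this runbook; $ExistingDc and $DomainName are placeholders.
param(
    [string]$ExistingDc = "DC01.corp.contoso.com",
    [string]$DomainName = "corp.contoso.com"
)
$problems = New-Object System.Collections.Generic.List[string]

# 1. Static IP: a DHCP-assigned address is a hard stop for promotion.
$nics = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -notlike 'Loopback*' -and $_.IPAddress -notlike '169.254.*' }
$ownIps = @($nics.IPAddress)
foreach ($nic in $nics) {
    if ($nic.PrefixOrigin -eq 'Dhcp') {
        $problems.Add("IP $($nic.IPAddress) on $($nic.InterfaceAlias) is DHCP-assigned")
    }
}

# 2. DNS client must point at an existing DC, not at this server (yet).
$dnsServers = @((Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses }).ServerAddresses)
if (-not $dnsServers) {
    $problems.Add("No IPv4 DNS servers configured")
} else {
    foreach ($srv in $dnsServers) {
        if ($srv -in $ownIps -or $srv -eq '127.0.0.1') {
            $problems.Add("DNS server $srv is this machine; point at an existing DC first")
        }
    }
    # The configured resolver must actually know the domain's DC locator records.
    $found = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV `
        -Server $dnsServers[0] -ErrorAction SilentlyContinue
    if (-not $found) {
        $problems.Add("Resolver $($dnsServers[0]) cannot resolve DC locator records for $DomainName")
    }
}

# 3. Domain membership and a healthy secure channel.
$cs = Get-CimInstance Win32_ComputerSystem
if (-not $cs.PartOfDomain -or $cs.Domain -ne $DomainName) {
    $problems.Add("Server is not joined to $DomainName (current: $($cs.Domain))")
} elseif (-not (Test-ComputerSecureChannel)) {
    $problems.Add("Secure channel to the domain is broken")
}

# 4. Fixed ports from the runbook. The RPC dynamic range (49152-65535) cannot be
#    probed with one connect; it is exercised by repadmin after promotion.
foreach ($port in 135, 389, 445, 636, 3268) {
    $open = Test-NetConnection -ComputerName $ExistingDc -Port $port `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $open) { $problems.Add("TCP $port to $ExistingDc is blocked") }
}

# --- Verdict ---------------------------------------------------------------
if ($problems.Count -gt 0) {
    Write-Host "SERVER NOT READY for promotion:" -ForegroundColor Red
    $problems | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
Write-Host "Server is ready; proceed to 'Install the AD DS role'." -ForegroundColor Green
```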

Install the AD DS role

# PowerShell on the new server
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Verify
Get-WindowsFeature AD-Domain-Services

Promote to domain controller

Import-Module ADDSDeployment

Install-ADDSDomainController `
    -DomainName "corp.contoso.com" `
    -InstallDns:$true `
    -Credential (Get-Credential) `
    -SiteName "Default-First-Site-Name" `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -NoRebootOnCompletion:$false `
    -Force:$true

Key parameters:

  • -SiteName: Use the correct AD site for this DC's subnet — place it correctly now, moving later requires extra steps.
  • -InstallDns: Install DNS on the new DC. Recommended in most cases.
  • -DatabasePath / -LogPath: On production DCs, put NTDS on a dedicated data volume (e.g., D:\NTDS), not the OS volume.

⚠ Write down the DSRM password

The Directory Services Restore Mode password is the local admin password for AD recovery mode. Store it in your password manager immediately. Losing it means you cannot recover the DC from a corrupt AD database.

Post-promotion verification

# Verify DC is advertising
nltest /dsgetdc:corp.contoso.com

# Run dcdiag on the new DC
dcdiag /v

# Confirm SYSVOL is ready (value should be 1)
reg query "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v SysvolReady

DNS and replication verification

# Force DNS registration
ipconfig /registerdns
nltest /dsregdns

# Verify SRV records
nslookup -type=srv _ldap._tcp.corp.contoso.com

# Force replication
repadmin /syncall /AdeP

# Check replication status
repadmin /replsummary
repadmin /showrepl DC02

ⓘ Allow 15 minutes for KCC to run

The KCC generates replication topology automatically after promotion. In multi-site forests, full replication across all DCs can take longer depending on site link schedules.
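The post-promotion and DNS/replication checks above can be run as a single script on the new DC, with the 15-minute KCC caveat handled as a "re-run later" result rather than a failure. This is an added example for this runbook, not code from the original page; it assumes the ActiveDirectory module (installed with the role) and repadmin, and that the new DC's FQDN is its computer name under `$DomainName`.

```powershell
# Post-promotion verification: run on the NEW DC after it has rebooted.
# Added example for this runbook; assumes the ActiveDirectory module, dcdiag and repadmin.
param(
    [string]$DomainName = (Get-ADDomain).DNSRoot
)
$issues = New-Object System.Collections.Generic.List[string]
$me = "$env:COMPUTERNAME.$DomainName".ToLower()

# 1. SYSVOL must be shared and Netlogon must consider it ready (SysvolReady = 1).
$netlogon = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
if ($netlogon.SysvolReady -ne 1) { $issues.Add("SysvolReady is $($netlogon.SysvolReady), expected 1") }
if (-not (Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)) { $issues.Add("SYSVOL share not present") }

# 2. Locator records: this DC must appear in the _msdcs SRV set, otherwise
#    clients will never be referred to it. Re-register, then re-check.
nltest /dsregdns | Out-Null
$targets = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object Type -eq 'SRV' |
    ForEach-Object { $_.NameTarget.ToLower().TrimEnd('.') }
if ($targets -notcontains $me) {
    $issues.Add("$me missing from _ldap._tcp.dc._msdcs SRV records (got: $($targets -join ', '))")
}

# 3. Advertising: the DC locator must be willing to hand this DC out.
$adv = dcdiag /test:Advertising 2>&1
if ($adv -match 'failed test Advertising') { $issues.Add("dcdiag Advertising test failed") }

# 4. Replication: pull from all partners, then inspect each connection's last result.
repadmin /syncall /AdeP | Out-Null
$partners = Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -PartnerType Both -ErrorAction SilentlyContinue
if (-not $partners) {
    $issues.Add("No replication partners yet; allow ~15 minutes for the KCC and re-run")
}
foreach ($p in $partners) {
    if ($p.LastReplicationResult -ne 0) {
        $issues.Add("Replication with $($p.Partner) [$($p.Partition)] last result $($p.LastReplicationResult)")
    } elseif ($p.LastReplicationSuccess -lt (Get-Date).AddHours(-1)) {
        $issues.Add("Replication with $($p.Partner) [$($p.Partition)] last succeeded $($p.LastReplicationSuccess)")
    }
}

# --- Verdict ---------------------------------------------------------------
if ($issues.Count -gt 0) {
    Write-Host "POST-PROMOTION CHECKS INCOMPLETE on $me :" -ForegroundColor Yellow
    $issues | ForEach-Object { Write-Host "  - $_" }
    exit 1
}
Write-Host "$me is advertising, registered in DNS, SYSVOL-ready and replicating." -ForegroundColor Green
```

The SRV comparison is done on lower-cased names with the trailing dot stripped, because `Resolve-DnsName` returns `NameTarget` values as fully qualified names and a straight string compare against the computer name would produce false alarms.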

Cleanup and documentation

  1. Update DNS on the new DC: Add its own IP as primary, an existing DC as secondary.
  2. Update client DNS via DHCP or GPO if this DC will serve a new subnet.
  3. Verify NTP: Non-PDC DCs should sync from the domain hierarchy, not external NTP.
  4. Document: Hostname, IP, site, OS version, roles held, DSRM password location.

# Verify NTP source (should be the PDC emulator, not pool.ntp.org)
w32tm /query /source

# If incorrect, reset to domain hierarchy
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time
w32tm /resync
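Steps 3 and 4 of the cleanup list can be done together: check the time source against the domain's PDC emulator, apply the `w32tm` fix above only when asked to, and emit the documentation record the runbook requires. This is an added example for this runbook, not code from the original page; it runs on the new DC, and `$DsrmPasswordLocation` is a placeholder for wherever your password manager keeps the DSRM entry.

```powershell
# Cleanup step: verify the time source and capture the documentation record.
# Added example for this runbook; run on the NEW DC. $DsrmPasswordLocation is a placeholder.
param(
    [string]$DsrmPasswordLocation = "<password-manager entry placeholder>",
    [switch]$FixTime   # apply the runbook's w32tm remediation if the source is wrong
)
$domain = Get-ADDomain
$me     = Get-ADDomainController -Identity $env:COMPUTERNAME

# w32tm prints the source as "DC01.corp.contoso.com,0x9" or e.g. "Local CMOS Clock";
# strip the flags suffix so it can be compared with a hostname.
function Get-TimeSource {
    ((w32tm /query /source | Out-String).Trim() -replace ',0x[0-9a-fA-F]+$', '')
}
$source = Get-TimeSource
$isPdc  = $me.OperationMasterRoles -contains 'PDCEmulator'
# A non-PDC DC follows the domain hierarchy, i.e. the PDC emulator; the PDC itself
# is the one DC that legitimately points outside the domain.
$timeOk = $isPdc -or ($source -ieq $domain.PDCEmulator)

if (-not $timeOk) {
    Write-Warning "Time source is '$source'; expected $($domain.PDCEmulator)"
    if ($FixTime) {
        w32tm /config /syncfromflags:domhier /update | Out-Null
        Restart-Service w32time
        w32tm /resync | Out-Null
        $source = Get-TimeSource
        Write-Host "Time source after remediation: $source"
    }
}

# Documentation record (step 4): everything the runbook asks you to capture.
$record = [pscustomobject]@{
    Hostname      = $me.HostName
    IPv4Address   = $me.IPv4Address
    Site          = $me.Site
    OSVersion     = "$($me.OperatingSystem) $($me.OperatingSystemVersion)"
    GlobalCatalog = $me.IsGlobalCatalog
    FsmoRoles     = ($me.OperationMasterRoles -join ', ')   # normally empty for an additional DC
    TimeSource    = $source
    DnsServers    = ((Get-DnsClientServerAddress -AddressFamily IPv4 |
                        Where-Object { $_.ServerAddresses }).ServerAddresses -join ', ')
    DsrmPassword  = $DsrmPasswordLocation
    RecordedOn    = (Get-Date -Format 'yyyy-MM-dd')
}
$record | Format-List
$record | ConvertTo-Json | Set-Content -Path "$env:USERPROFILE\$($me.Name)-promotion-record.json"
```

Without `-FixTime` the script only reports, which is the right default for a verification pass; the JSON file is what goes into the CMDB or change ticket.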

Summary

DC promotion fails when pre-flight is skipped — always check replication health and DNS on the existing domain first. The promotion itself is straightforward via PowerShell. The post-promotion work (SYSVOL verification, DNS record registration, replication confirmation, NTP) is what causes intermittent issues weeks later if skipped. Run every verification step before the new DC handles production traffic.