Use one of the following procedures as necessary to install an additional domain controller that runs Windows Server 2008 or Windows Server 2008 R2 to an existing domain.

If you are installing an additional Windows Server 2008 domain controller in a Windows Server 2008 forest, you do not have to prepare the forest before you begin the installation. However, if the additional domain controller that you are installing is the first Windows Server 2008 domain controller in an existing Windows Server 2003 or Windows 2000 Server domain, ensure that the following tasks are completed:

• If you are installing the first Windows Server 2008 or Windows Server 2008 R2 domain controller in the forest, run the adprep /forestprep command on the server that holds the schema master operations master (also known as flexible single master operations or FSMO) role. For more information, see Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.
  
  
• If you are installing the first Windows Server 2008 or Windows Server 2008 R2 domain controller in the domain, run the adprep /domainprep /gpprep command on the server that holds the infrastructure operations master role. For more information, see Prepare a Windows 2000 or Windows Server 2003 Domain for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2.
  
  
• If you are installing the first read-only domain controller (RODC) in the domain, run the adprep /rodcprep command on any computer in the forest. For more information, see Prepare a Forest for a Read-Only Domain Controller.
  
  

You can install an additional Windows Server 2008 or Windows Server 2008 R2 domain controller by using the following methods:

• Installing an Additional Domain Controller by Using the Windows Interface
  
  
• Installing an Additional Domain Controller by Using the Command Line
  
  
• Installing an Additional Domain Controller by Using an Answer file
  
  

Note
Regardless of which method you use, you must be a member of the Domain Admins group in the domain that is being installed.

You also have the option to use the install from media (IFM) method of installation. For this option, you must have prepared installation media, either by using the improved Ntdsutil.exe command-line tool or, if necessary, from a restored backup of a domain controller in the same domain. For information about using IFM to install a domain controller in an existing domain, see Installing AD DS from Media.

Note

By default, when a domain controller account is added to the existing Active Directory domain, it is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over this domain controller account, which is not a recommended configuration. For example, members of Account Operators group will be able to reset this domain controller’s password. Because the Account Operators group has significant power in the domain, we recommend that you add members to it with caution. For a detailed description of the Account Operators group, see Default groups (http://go.microsoft.com/fwlink/?LinkID=131422). To modify permissions for Account Operators on a computer account, you can use the Active Directory Users and Computers snap-in and complete the following steps: To open Active Directory Users and Computers, click Start, click Administrative Tools, and then click Active Directory Users and Computers. In the console tree, right-click the affected domain controller account, and then click Properties. On the Security tab, select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.