Installing an Additional Domain Controller

Applies To: Windows Server 2008, Windows Server 2008 R2

This topic explains how to install an additional Active Directory domain controller in an existing domain. The steps apply to domain controllers that run Windows Server 2008 or Windows Server 2008 R2. If the domain controller that you plan to install will be the first that runs Windows Server 2008 or Windows Server 2008 R2 in your domain or forest, you need to prepare the domain before you can install the domain controller. Otherwise, follow the links later in this topic for the different methods (using the GUI, command-line, or an answer file) to install the new domain controller.

To prepare the domain and forest, you need to run Adprep.exe (or adprep32.exe) commands. If you want to understand all the details about what Adprep.exe does, see Running Adprep.exe (https://go.microsoft.com/fwlink/?LinkID=142597). The Adprep commands that need to be completed are:

Use one of the following procedures as necessary to install an additional domain controller that runs Windows Server 2008 or Windows Server 2008 R2 in an existing domain:

Note

Regardless of which method you use, you must be a member of the Domain Admins group in the domain that is being installed.

You also have the option to use the install from media (IFM) method of installation. For this option, you must have prepared installation media, either by using the improved Ntdsutil.exe command-line tool or, if necessary, from a restored backup of a domain controller in the same domain. For information about using IFM to install a domain controller in an existing domain, see Installing AD DS from Media.

Note

By default, when a domain controller account is added to the existing Active Directory domain, it is assigned an "Account Ops-FC" access control entry (ACE) that gives members of the Account Operators group full control over this domain controller account, which is not a recommended configuration. For example, members of Account Operators group will be able to reset this domain controller’s password. Because the Account Operators group has significant power in the domain, we recommend that you add members to it with caution. For a detailed description of the Account Operators group, see Default groups (https://go.microsoft.com/fwlink/?LinkID=131422). To modify permissions for Account Operators on a computer account, you can use the Active Directory Users and Computers snap-in and complete the following steps:

  1. To open Active Directory Users and Computers, click Start, click Administrative Tools, and then click Active Directory Users and Computers.

  2. In the console tree, right-click the affected domain controller account, and then click Properties.

  3. On the Security tab, select Account Operators in the Group or user names list, and then modify permissions according to the specifications of your environment.