Overview: Promoting a Server to Domain Controller

Adding a second (or additional) domain controller to an existing Active Directory domain is one of the most critical operations an administrator performs. A single-DC environment is a single point of failure — if that DC goes down, authentication, Group Policy application, DNS resolution, and file access all stop working for domain-joined machines. Windows Server 2022 makes the promotion process straightforward through PowerShell’s ADDSDeployment module, but there are important prerequisites and post-promotion verification steps that must not be skipped.

Prerequisites: Static IP and DNS Configuration

Before running any AD DS commands, the server being promoted must have a static IP address and its primary DNS server must point to an existing domain controller running DNS — not to itself. This is because the promotion process must locate the existing domain via DNS SRV records before it can replicate the AD database.

# Assign static IP to the server being promoted
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.1.11 -PrefixLength 24 -DefaultGateway 192.168.1.1

# Point DNS at the existing domain controller (DC01 at 192.168.1.10)
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10

# Verify connectivity to existing DC
Test-NetConnection -ComputerName DC01 -Port 389

Port 389 is LDAP — if this test fails, check firewall rules on DC01 and on the network. Also verify the server name is resolvable:

Resolve-DnsName DC01.corp.example.com

Set a meaningful hostname before promotion, since renaming a DC afterward requires demoting it first:

Rename-Computer -NewName "DC02" -Restart
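The checks above can be run as one pre-flight script before touching AD DS. The following is an added example, not part of the original guide; it assumes the values used throughout this page (existing DC DC01 at 192.168.1.10, domain corp.example.com, interface alias "Ethernet") and uses only built-in NetTCPIP and DnsClient cmdlets.

```powershell
# Added pre-flight check (not from the original article). Assumed values:
# existing DC DC01 at 192.168.1.10, domain corp.example.com, interface "Ethernet".
$DomainName   = "corp.example.com"
$ExistingDcIp = "192.168.1.10"
$Interface    = "Ethernet"

function Test-DcPromotionPrereqs {
    $results = [System.Collections.Generic.List[object]]::new()

    # 1. Static IPv4 address: PrefixOrigin 'Manual' means it was not handed out by DHCP
    $ip = Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Check  = "Static IPv4 on $Interface"
        Passed = [bool]($ip -and $ip.PrefixOrigin -eq 'Manual')
        Detail = if ($ip) { "$($ip.IPAddress)/$($ip.PrefixLength) ($($ip.PrefixOrigin))" } else { "no IPv4 address" }
    })

    # 2. Primary DNS points at the existing DC, not at this machine or a public resolver
    $dns = @((Get-DnsClientServerAddress -InterfaceAlias $Interface -AddressFamily IPv4).ServerAddresses)
    $results.Add([pscustomobject]@{
        Check  = "Primary DNS is existing DC"
        Passed = ($dns.Count -gt 0 -and $dns[0] -eq $ExistingDcIp)
        Detail = ($dns -join ', ')
    })

    # 3. The DC locator SRV record resolves; promotion depends on exactly this lookup
    $srvName = "_ldap._tcp.dc._msdcs.$DomainName"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
           Where-Object Type -eq 'SRV'
    $results.Add([pscustomobject]@{
        Check  = "SRV record $srvName"
        Passed = [bool]$srv
        Detail = if ($srv) { ($srv.NameTarget -join ', ') } else { "not found" }
    })

    # 4. Ports the promotion and initial replication need on the source DC
    #    (53 DNS, 88 Kerberos, 135 RPC endpoint mapper, 389 LDAP, 445 SMB, 636 LDAPS)
    foreach ($port in 53, 88, 135, 389, 445, 636) {
        $t = Test-NetConnection -ComputerName $ExistingDcIp -Port $port -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{
            Check  = "TCP $port to $ExistingDcIp"
            Passed = $t.TcpTestSucceeded
            Detail = if ($t.TcpTestSucceeded) { "open" } else { "blocked or closed" }
        })
    }
    return $results
}

$checks = Test-DcPromotionPrereqs
$checks | Format-Table -AutoSize
if ($checks.Passed -contains $false) {
    Write-Warning "Fix the failed checks before running Install-ADDSDomainController."
}
```

The fixed-port list covers the well-known services only; AD replication also uses RPC dynamic ports (49152-65535 by default), so a firewall that passes this script can still break replication after promotion, which is why the repadmin checks later on the page are still required.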

Installing the AD DS Role

The AD Domain Services role and management tools must be installed before promotion can proceed:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools -IncludeAllSubFeature -Restart:$false

Confirm the role is installed before proceeding:

Get-WindowsFeature AD-Domain-Services | Select-Object Name, InstallState

Import the deployment module explicitly if needed:

Import-Module ADDSDeployment

Promoting the Server: Adding a DC to an Existing Domain

Use Install-ADDSDomainController to promote the server as an additional DC in an existing domain. You must provide credentials of a user who is a member of the Domain Admins or Enterprise Admins group:

$cred = Get-Credential -UserName "CORP\Administrator" -Message "Enter DA credentials"

# Prompt for the DSRM (Directory Services Restore Mode) password rather than
# embedding it in the script, where it would persist in history and transcripts
$dsrmPassword = Read-Host -AsSecureString -Prompt "Enter DSRM password"

Install-ADDSDomainController `
  -DomainName "corp.example.com" `
  -Credential $cred `
  -DatabasePath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -LogPath "C:\Windows\NTDS" `
  -InstallDns:$true `
  -ReplicationSourceDC "DC01.corp.example.com" `
  -SafeModeAdministratorPassword $dsrmPassword `
  -SiteName "Default-First-Site-Name" `
  -Force:$true

The -ReplicationSourceDC parameter tells the new DC which existing DC to replicate from during initial synchronization. If omitted, one is chosen automatically. The -SiteName parameter assigns the DC to a specific AD site — ensure the site name matches one configured in AD Sites and Services (dssite.msc). The server will reboot automatically when promotion completes.
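The ADDSDeployment module also ships a dry-run cmdlet, Test-ADDSDomainControllerInstallation, which accepts the same parameters and reports whether promotion would succeed without changing the server. The block below is an added example, not part of the original guide; it assumes the same values as the promotion command (corp.example.com, DC01 as replication source, the Default-First-Site-Name site) and that $cred already holds Domain Admin credentials.

```powershell
# Added example (not from the original article). Assumes corp.example.com,
# DC01 as the replication source, and $cred holding Domain Admin credentials.
Import-Module ADDSDeployment

# Prompt for the DSRM password instead of embedding it in the script
$dsrmPassword = Read-Host -AsSecureString -Prompt "DSRM (Safe Mode) password"

# One parameter set, reused for the dry run and for the real promotion
$params = @{
    DomainName                    = "corp.example.com"
    Credential                    = $cred
    InstallDns                    = $true
    ReplicationSourceDC           = "DC01.corp.example.com"
    SiteName                      = "Default-First-Site-Name"
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $dsrmPassword
}

# Dry run: validates credentials, domain reachability, site name, paths and DNS
# without modifying anything on this server
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List

# The result object's Status/Message properties carry the outcome
if ($check.Status -ne 'Success') {
    throw "Prerequisite check failed: $($check.Message)"
}

# Promote only once the dry run is clean. -NoRebootOnCompletion lets you read
# the result before rebooting; reboot manually afterwards.
Install-ADDSDomainController @params -NoRebootOnCompletion -Force
```

Running the dry run first catches the common failures (a wrong -SiteName, a replication source that is not reachable, DNS still pointing at the wrong server) while the machine is still an ordinary member server and easy to fix.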

Adding a Child Domain

If you need to add a new domain to the forest (a child domain), use Install-ADDSDomain instead. This creates a domain as a subordinate to an existing parent domain, inheriting the forest trust automatically:

$cred = Get-Credential -UserName "CORP\Administrator" -Message "Enter Enterprise Admin credentials"

# Prompt for the DSRM password rather than hard-coding it
$dsrmPassword = Read-Host -AsSecureString -Prompt "Enter DSRM password"

Install-ADDSDomain `
  -NewDomainName "eu" `
  -ParentDomainName "corp.example.com" `
  -NewDomainNetbiosName "EU" `
  -DomainType "ChildDomain" `
  -Credential $cred `
  -DatabasePath "C:\Windows\NTDS" `
  -SysvolPath "C:\Windows\SYSVOL" `
  -LogPath "C:\Windows\NTDS" `
  -InstallDns:$true `
  -CreateDnsDelegation:$true `
  -SafeModeAdministratorPassword $dsrmPassword `
  -Force:$true

This creates the child domain eu.corp.example.com. Enterprise Admin credentials are required because creating a new domain modifies the forest configuration. The -CreateDnsDelegation:$true parameter creates a DNS delegation record in the parent zone so that clients can locate the child domain’s DNS servers.

Verifying Replication with repadmin

After promotion and reboot, verify that replication is working correctly between domain controllers. The repadmin tool is the primary command-line utility for AD replication diagnostics:

# Summary of replication status across all DCs
repadmin /replsummary

# Show replication partners for each naming context
repadmin /showrepl

# Force replication from all partners immediately
repadmin /syncall /AdeP

# Show replication failures only
repadmin /showrepl * /errorsonly

The /replsummary output shows each DC, the number of deltas, failures, and the time of the last successful replication. A healthy environment shows 0 failures and recent replication times. The /showrepl output lists each replication link with its source DC, naming context (Domain NC, Schema NC, Configuration NC), USN (Update Sequence Number), and last replication time.

To check replication of a specific naming context from PowerShell (the -Scope Server form queries the named DC; -Partition selects the naming context, with Default meaning the domain partition):

Get-ADReplicationPartnerMetadata -Target "DC02" -Scope Server -Partition "Default"
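Beyond a one-off query, the replication metadata cmdlets can be turned into a forest-wide health report that flags stale or failing links automatically. The following is an added example, not part of the original guide; it assumes the ActiveDirectory module (the RSAT-AD-PowerShell feature, installed with the management tools above) and an account that can query every DC, and the 60-minute staleness threshold is an arbitrary value chosen for the example.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and read access to every DC. The 60-minute threshold is arbitrary.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$MaxMinutesSinceSuccess = 60)

    $report = foreach ($dc in Get-ADDomainController -Filter *) {
        # One entry per inbound replication link and partition on this DC
        $links = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server `
                     -PartnerType Inbound -ErrorAction SilentlyContinue
        foreach ($l in $links) {
            $age = if ($l.LastReplicationSuccess) { (Get-Date) - $l.LastReplicationSuccess } else { $null }
            [pscustomobject]@{
                DC                  = $dc.HostName
                Partner             = $l.Partner
                Partition           = $l.Partition
                LastSuccess         = $l.LastReplicationSuccess
                MinutesSinceSuccess = if ($age) { [int]$age.TotalMinutes } else { $null }
                ConsecutiveFailures = $l.ConsecutiveReplicationFailures
                LastResult          = $l.LastReplicationResult
                # Healthy = no consecutive failures and a recent successful sync
                Healthy             = [bool]($l.ConsecutiveReplicationFailures -eq 0 -and
                                             $age -and $age.TotalMinutes -le $MaxMinutesSinceSuccess)
            }
        }
    }
    return $report
}

$health = Get-ReplicationHealth
$health | Sort-Object Healthy, DC |
    Format-Table DC, Partner, Partition, MinutesSinceSuccess, ConsecutiveFailures, Healthy -AutoSize

# Failures AD has recorded, with their error codes, across the whole forest
Get-ADReplicationFailure -Scope Forest |
    Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError -AutoSize

if ($health.Healthy -contains $false) {
    Write-Warning "Unhealthy replication links found; run repadmin /showrepl * /errorsonly for detail."
}
```

A brand-new DC will legitimately show no LastReplicationSuccess for a few minutes after promotion; rerun the report after the first scheduled cycle (or after repadmin /syncall) before treating a null value as a failure.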

FSMO Roles: Viewing and Transferring

Active Directory defines five Flexible Single Master Operation (FSMO) roles that must be held by exactly one DC each. Forest-wide roles are Schema Master and Domain Naming Master (one per forest). Domain-wide roles are PDC Emulator, RID Master, and Infrastructure Master (one per domain).

View current FSMO role holders:

# Domain-wide roles
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Forest-wide roles
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster

Transfer a FSMO role gracefully (preferred method when the current holder is online):

# Transfer PDC Emulator to DC02
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator

# Transfer multiple roles at once
Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster

If the current role holder is down and cannot be brought back online, you can seize the role (use only as a last resort — the original holder must never be brought back online after a seizure):

Move-ADDirectoryServerOperationMasterRole -Identity "DC02" -OperationMasterRole PDCEmulator -Force
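Because a seizure is irreversible for the old holder, the decision between Move and Move -Force should rest on evidence that the current holder is actually unreachable. The following is an added example, not part of the original guide; it assumes the ActiveDirectory module and that the session is joined to the domain being managed, and it only reports, never transfers or seizes anything.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and a session joined to the domain under management. Report only.
Import-Module ActiveDirectory

function Get-FsmoHolderStatus {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # All five roles; forest-wide first, then domain-wide
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # LDAP reachability is what separates a graceful transfer from a seizure
        $ldap  = Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue
        # Cross-check what AD itself records for the holder (it may have been removed)
        $dcObj = Get-ADDomainController -Identity $holder -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role        = $role
            Holder      = $holder
            LdapReach   = $ldap.TcpTestSucceeded
            KnownToAD   = [bool]$dcObj
            IsGC        = if ($dcObj) { $dcObj.IsGlobalCatalog } else { $null }
            Recommended = if ($ldap.TcpTestSucceeded) {
                              "online: graceful Move-ADDirectoryServerOperationMasterRole"
                          } else {
                              "unreachable: investigate first; seize only if it will never return"
                          }
        }
    }
}

Get-FsmoHolderStatus | Format-Table -AutoSize

# Same information as AD records it per DC, useful after a transfer to confirm the move
Get-ADDomainController -Filter * | Select-Object HostName, OperationMasterRoles
```

The second query is the one to run after a transfer: each role should appear under exactly one HostName, and a role listed on two DCs (or on none) indicates that replication of the transfer has not completed or that a seizure left stale state behind.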

Running dcdiag for Full DC Health Check

After promotion, run dcdiag to verify all aspects of the new domain controller are healthy:

dcdiag /c /v /f:C:\dcdiag_report.txt

The /c switch runs the comprehensive test set (dcdiag has no "all" test name; /c enables the non-default tests as well), /v adds verbose detail, and /f writes the output to a file for review. Key tests to pay attention to:

Advertising — Verifies the DC is advertising itself via LDAP and Kerberos. A failure here means clients cannot find this DC for authentication.

Replications — Tests that AD replication is functioning and there are no lingering objects or replication errors.

NCSecDesc — Checks security descriptors on naming contexts. Failures can indicate permission problems.

NetLogons — Confirms that the NETLOGON and SYSVOL shares are online and accessible.

SysVolCheck — Verifies SYSVOL is shared and the DFSR replication state is healthy.

Run dcdiag targeting a specific DC from another machine:

dcdiag /s:DC02.corp.example.com /c
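dcdiag prints one "passed test" or "failed test" line per test, which makes its output easy to turn into objects so the tests named above can be checked programmatically rather than by eye. The following is an added example, not part of the original guide; it assumes dcdiag.exe is on the path (it ships with the AD DS role and RSAT) and targets DC02.corp.example.com, and the output file name is an assumption.

```powershell
# Added example (not from the original article). Assumes dcdiag.exe is on the
# path and the target DC is DC02.corp.example.com.
function Get-DcdiagResult {
    param([string]$Server = "DC02.corp.example.com")

    # /c = comprehensive. /q would hide passes, but both outcomes are wanted here.
    $output = & dcdiag.exe "/s:$Server" /c

    # Summary lines look like:
    #   "......................... DC02 passed test Advertising"
    #   "......................... DC02 failed test Replications"
    $pattern = '^\s*\.+\s+(?<target>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)'
    $results = foreach ($line in $output) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Target = $Matches.target
                Test   = $Matches.test
                Passed = ($Matches.result -eq 'passed')
            }
        }
    }

    [pscustomobject]@{
        Server  = $Server
        Results = @($results)
        Failed  = @($results | Where-Object { -not $_.Passed })
        Raw     = $output   # keep the full verbose text for when something fails
    }
}

$r = Get-DcdiagResult
$r.Results | Format-Table Target, Test, Passed -AutoSize

# The tests this guide singles out as the ones that matter most
$critical = 'Advertising', 'Replications', 'NCSecDesc', 'NetLogons', 'SysVolCheck'
foreach ($f in $r.Failed) {
    $level = if ($f.Test -in $critical) { 'ERROR' } else { 'WARNING' }
    Write-Host "[$level] $($f.Target) failed $($f.Test)"
}
if ($r.Failed.Count -gt 0) {
    # Assumed output path; adjust to the location you review reports from
    $r.Raw | Out-File -FilePath "C:\dcdiag_$($r.Server).txt"
}
```

The regex keys on the dotted summary lines only, so verbose per-test detail is ignored during parsing but still preserved in Raw for the report file; enterprise-level tests report the domain name rather than a DC name in the Target column.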

Removing a Domain Controller (Demoting)

To gracefully remove a DC from the domain, use Uninstall-ADDSDomainController. This demotes the DC, transfers any FSMO roles it holds, replicates all changes to remaining DCs, and then removes AD DS from the server:

$cred = Get-Credential -UserName "CORP\Administrator" -Message "Enter DA credentials"

Uninstall-ADDSDomainController `
  -DemoteOperationMasterRole:$true `
  -RemoveApplicationPartitions:$true `
  -Credential $cred `
  -Force:$true

The -DemoteOperationMasterRole:$true parameter automatically transfers any FSMO roles held by this DC to another DC before demoting. Without this flag, the cmdlet will fail if the DC holds any FSMO roles. After demotion the server reboots as a standalone server. Remove the stale computer account from AD:

Remove-ADComputer -Identity "DC02" -Confirm:$false

Also clean up DNS records and metadata if the demotion was not clean (forced removal of an offline DC). Use ntdsutil for metadata cleanup in those scenarios and then manually remove stale DNS records from DNS Manager or with PowerShell Remove-DnsServerResourceRecord.
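Stale records left behind by a forced removal are a common source of later authentication and replication errors, because the DC locator may still hand out the dead server. The following is an added example, not part of the original guide, that finds the leftovers before anything is deleted; it assumes the ActiveDirectory and DnsServer modules, that the removed DC was DC02 at 192.168.1.11, that the zone is corp.example.com hosted on DC01, and that the account running it can manage that DNS server. Nothing is removed unless -Remove is passed.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory and
# DnsServer modules, removed DC DC02 at 192.168.1.11, zone corp.example.com on DC01.
Import-Module ActiveDirectory, DnsServer

function Find-StaleDcArtifacts {
    param(
        [string]$OldDcName = "DC02",
        [string]$OldDcIp   = "192.168.1.11",
        [string]$Zone      = "corp.example.com",
        [string]$DnsServer = "DC01.corp.example.com",
        [switch]$Remove
    )

    # 1. Leftover server object in the Configuration partition. A clean demotion
    #    removes it; a forced removal leaves it for ntdsutil "metadata cleanup".
    $configNc  = (Get-ADRootDSE).configurationNamingContext
    $serverObj = Get-ADObject -SearchBase "CN=Sites,$configNc" `
                     -LDAPFilter "(&(objectClass=server)(cn=$OldDcName))" -ErrorAction SilentlyContinue
    if ($serverObj) {
        Write-Warning "Server object still present: $($serverObj.DistinguishedName); run ntdsutil metadata cleanup"
    }

    # 2. DNS records still pointing at the old DC: its A record, plus any SRV
    #    (_ldap, _kerberos, _gc, ...) or NS record whose target is the old host.
    $fqdn  = "$OldDcName.$Zone"
    $stale = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone | Where-Object {
        ($_.RecordType -eq 'A'   -and $_.RecordData.IPv4Address.IPAddressToString -eq $OldDcIp) -or
        ($_.RecordType -eq 'SRV' -and $_.RecordData.DomainName -like "$fqdn*") -or
        ($_.RecordType -eq 'NS'  -and $_.RecordData.NameServer -like "$fqdn*")
    }

    foreach ($rec in $stale) {
        $desc = "$($rec.RecordType) $($rec.HostName)"
        if ($Remove) {
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -InputObject $rec -Force
            Write-Host "Removed $desc"
        } else {
            Write-Host "Stale: $desc"
        }
    }
    return $stale
}

# Report only; add -Remove after reviewing the list
Find-StaleDcArtifacts | Format-Table RecordType, HostName, RecordData -AutoSize
```

Run it a second time with -Zone "_msdcs.corp.example.com", since the DC locator SRV and CNAME records live in that separate zone; the _tcp and _udp records under the domain zone are covered by the first run. Do the ntdsutil metadata cleanup before removing DNS records, because the cleanup itself removes some of them and a later replication cycle can recreate records for a server object that still exists.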