How to Promote a Server to Domain Controller on Windows Server 2025

Adding a second — or third — domain controller to your Active Directory environment is one of the most important resilience steps you can take. A single domain controller is a single point of failure: if it goes offline, user logins stall, Group Policy stops applying, and DNS resolution for the domain breaks. Windows Server 2025 makes the promotion process straightforward via PowerShell, and this tutorial covers every scenario you are likely to encounter: joining a DC to an existing domain, creating a child domain, verifying replication health, and managing FSMO roles. By the end, you will have a robust, redundant AD infrastructure ready for production workloads.

Prerequisites

  • An existing Active Directory domain with at least one functioning domain controller
  • A Windows Server 2025 server with a static IP address and DNS pointing to an existing DC
  • Domain Admin (or Enterprise Admin for cross-domain work) credentials
  • Network connectivity between the new server and the existing DC: TCP 53, 88, 135, 389, 445, 464, 636, 3268 and 3269, UDP 53, 88, 123 and 464, and the RPC dynamic range TCP 49152-65535
  • PowerShell running as Administrator on the target server
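The prerequisites above are easy to assume and easy to get wrong (DHCP-assigned address, DNS client pointing at a public resolver, a firewall that passes 389 but not the RPC range, a clock drifted past Kerberos' tolerance). The following pre-flight function is an added example written for this page, not part of the original tutorial; the domain name and DC name it takes are placeholders for your own environment, and the 60-second skew threshold is a conservative choice well inside the 5-minute Kerberos default.

```powershell
# Pre-flight check for a server that is about to be promoted.
# Added example; corp.example.com / DC01.corp.example.com are placeholders.
function Test-DcPromotionPrereqs {
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. corp.example.com
        [Parameter(Mandatory)] [string] $ExistingDc    # e.g. DC01.corp.example.com
    )
    $problems = @()

    # 1. A DC needs a static address; DHCP-assigned addresses are a classic mistake.
    $dhcp = Get-NetIPAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.PrefixOrigin -eq 'Dhcp' }
    if ($dhcp) {
        $problems += "Interface(s) $($dhcp.InterfaceAlias -join ', ') use DHCP; assign a static IPv4 address."
    }

    # 2. The DNS client must resolve the domain's DC locator SRV records, or the join will fail
    #    with "domain could not be contacted" regardless of network reachability.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) {
        $problems += "No SRV records for _ldap._tcp.dc._msdcs.$DomainName; point the DNS client at an existing DC."
    }

    # 3. TCP ports to the replication source. Test-NetConnection only tests TCP, so UDP 53/88/123
    #    still have to be verified at the firewall.
    $ports = @{ DNS = 53; Kerberos = 88; RpcEpm = 135; LDAP = 389; SMB = 445; Kpasswd = 464; LDAPS = 636; GC = 3268 }
    foreach ($name in $ports.Keys) {
        $ok = (Test-NetConnection -ComputerName $ExistingDc -Port $ports[$name] -WarningAction SilentlyContinue).TcpTestSucceeded
        if (-not $ok) { $problems += "TCP $($ports[$name]) ($name) to $ExistingDc is blocked." }
    }

    # 4. Clock skew against the existing DC. w32tm /stripchart prints "<time>, <offset>s" per sample;
    #    parse the offsets and flag anything beyond 60 s (Kerberos fails at 5 minutes).
    $chart = w32tm /stripchart /computer:$ExistingDc /samples:3 /dataonly 2>$null
    $offsets = foreach ($line in $chart) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        $problems += "Could not sample time from $ExistingDc (w32tm /stripchart); check UDP 123 and name resolution."
    } elseif ([math]::Abs(($offsets | Measure-Object -Average).Average) -gt 60) {
        $problems += "Clock skew to $ExistingDc exceeds 60 seconds; fix time sync before promoting."
    }

    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage: run as Administrator on the server you intend to promote.
Test-DcPromotionPrereqs -DomainName "corp.example.com" -ExistingDc "DC01.corp.example.com"
```

Treat a Ready value of False as a hard stop: every item in Problems maps to a failure you would otherwise only discover part-way through Install-ADDSDomainController.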

Step 1: Prepare the Server and Install AD DS

Before promotion, set the new server’s DNS to point to an existing domain controller so it can locate the domain during the join process. Then install the AD DS role exactly as you would for a new forest.

# Set DNS to an existing DC (replace with your DC's IP)
Set-DnsClientServerAddress `
    -InterfaceAlias "Ethernet" `
    -ServerAddresses "192.168.10.10", "192.168.10.11"

# Install the AD DS role and management tools
Install-WindowsFeature `
    -Name AD-Domain-Services `
    -IncludeManagementTools `
    -Verbose

# Confirm installation
Get-WindowsFeature AD-Domain-Services | Select-Object Name, InstallState

Step 2: Promote as an Additional DC in an Existing Domain

To add this server as a replica domain controller in an existing domain, use Install-ADDSDomainController. The -Credential parameter accepts a domain administrator credential object, and -ReplicationSourceDC lets you specify which existing DC to replicate the initial data from — useful in multi-site environments where you want to pull from a local DC rather than one across a WAN link.

# Store domain admin credentials
$Cred = Get-Credential -Message "Enter Domain Admin credentials (CORP\Administrator)"

# Store DSRM password
$DSRMPassword = Read-Host -Prompt "Enter DSRM Password" -AsSecureString

# Promote as additional domain controller
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -Credential $Cred `
    -SafeModeAdministratorPassword $DSRMPassword `
    -ReplicationSourceDC "DC01.corp.example.com" `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -LogPath "C:\Windows\NTDS" `
    -SiteName "HQ-London" `
    -NoRebootOnCompletion:$false `
    -Force:$true

The server will replicate Active Directory data from the specified source DC, configure DNS, initialize SYSVOL replication via DFSR, and then reboot automatically.
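Install-ADDSDomainController has a companion cmdlet, Test-ADDSDomainControllerInstallation, that validates credentials, site, replication source, DNS and paths without changing the server. The snippet below is an added example, not part of the original tutorial: it builds the parameter set once and splats it into both cmdlets, so the dry run and the real promotion cannot drift apart. The same pattern applies to Step 3, where Test-ADDSDomainInstallation pairs with Install-ADDSDomain. Names, site and paths are placeholders.

```powershell
# Dry-run the promotion before doing it for real.
# Added example; corp.example.com, DC01 and HQ-London are placeholders.
$Cred         = Get-Credential -Message "Enter Domain Admin credentials (CORP\Administrator)"
$DSRMPassword = Read-Host -Prompt "Enter DSRM Password" -AsSecureString

# One parameter set, splatted into both cmdlets. Test-ADDSDomainControllerInstallation
# accepts the same promotion parameters except -NoRebootOnCompletion, which is added below.
$promo = @{
    DomainName                    = "corp.example.com"
    Credential                    = $Cred
    SafeModeAdministratorPassword = $DSRMPassword
    ReplicationSourceDC           = "DC01.corp.example.com"
    SiteName                      = "HQ-London"
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
}

# The checker returns result objects with Status, Message and Context.
$check    = Test-ADDSDomainControllerInstallation @promo
$blocking = $check | Where-Object { $_.Status -ne "Success" }

if ($blocking) {
    $blocking | Format-List Status, Message, Context
    throw "Prerequisite check failed; fix the issues above before promoting."
}

# Real promotion. -Force suppresses the confirmation prompt only; it does not bypass the checks.
Install-ADDSDomainController @promo -NoRebootOnCompletion:$false -Force
```

Running the check first matters most in scripted or unattended builds, where a failure mid-promotion can leave a half-configured server that has to be cleaned out of AD with metadata cleanup before you try again.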

Step 3: Promote as a New Child Domain

In larger organizations, you may need a separate child domain (e.g., emea.corp.example.com) that shares the same forest but has its own administrators and policies. Use Install-ADDSDomain for this scenario. You will need Enterprise Admin credentials from the parent domain’s forest root.

# Enterprise Admin credential from the forest root domain
$EntAdminCred = Get-Credential -Message "Enter Enterprise Admin credentials"
$DSRMPassword = Read-Host -Prompt "Enter DSRM Password" -AsSecureString

# Create a new child domain
Install-ADDSDomain `
    -NewDomainName "emea" `
    -ParentDomainName "corp.example.com" `
    -DomainType "ChildDomain" `
    -Credential $EntAdminCred `
    -SafeModeAdministratorPassword $DSRMPassword `
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -CreateDnsDelegation:$true `
    -ReplicationSourceDC "DC01.corp.example.com" `
    -SiteName "HQ-London" `
    -NoRebootOnCompletion:$false `
    -Force:$true

The -CreateDnsDelegation:$true flag instructs AD to create a DNS delegation record in the parent zone so that clients querying corp.example.com DNS servers can be referred to the child domain’s DNS servers for emea.corp.example.com records.
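Delegation problems are the most common reason a freshly created child domain "works" from its own DC but cannot be found from the rest of the forest. The function below is an added example, not from the original tutorial; it reads the NS records for the child label directly from the parent zone (the delegation itself) and then checks whether a parent DNS server can follow that delegation to the child's DC locator record. ParentZone, ChildLabel and ParentDns are placeholders.

```powershell
# Verify that the parent zone delegates the child zone and that the delegation works.
# Added example; corp.example.com / emea / DC01.corp.example.com are placeholders.
function Test-ChildZoneDelegation {
    param(
        [Parameter(Mandatory)] [string] $ParentZone,   # e.g. corp.example.com
        [Parameter(Mandatory)] [string] $ChildLabel,   # e.g. emea
        [Parameter(Mandatory)] [string] $ParentDns     # a DNS server authoritative for $ParentZone
    )
    $childZone = "$ChildLabel.$ParentZone"

    # The NS records named "<child>" inside the parent zone are the delegation. This is the
    # authoritative check: it reads zone data, not a cached answer.
    $delegation = Get-DnsServerResourceRecord -ComputerName $ParentDns -ZoneName $ParentZone `
        -Name $ChildLabel -RRType NS -ErrorAction SilentlyContinue

    if (-not $delegation) {
        return [pscustomobject]@{ ChildZone = $childZone; Delegated = $false; Nameservers = @(); Resolves = $false }
    }

    # Follow the delegation: ask the parent server for the child's DC locator record. This only
    # succeeds if recursion is enabled on $ParentDns; Delegated is the property to trust.
    $srv = Resolve-DnsName -Server $ParentDns -Name "_ldap._tcp.dc._msdcs.$childZone" `
        -Type SRV -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ChildZone   = $childZone
        Delegated   = $true
        Nameservers = @($delegation.RecordData.NameServer)
        Resolves    = [bool]$srv
    }
}

Test-ChildZoneDelegation -ParentZone "corp.example.com" -ChildLabel "emea" -ParentDns "DC01.corp.example.com"
```

If Delegated is True but Nameservers lists a host that no longer exists (for example after the child DC is renamed or rebuilt), update the NS and glue records in the parent zone; the child domain's own DNS will not fix a stale delegation above it.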

Step 4: Verify Replication

After promotion and reboot, verify that Active Directory replication is functioning correctly between all domain controllers. The repadmin command-line tool is the primary instrument for this.

# Show inbound replication status for all naming contexts on this DC
repadmin /showrepl

# Show a concise replication summary across all DCs in the domain
repadmin /replsummary

# Force replication from all partners immediately
repadmin /syncall /AdeP

# Check for any replication errors. The CSV column is text, so cast it before comparing;
# a string comparison against 0 would give wrong answers for multi-digit counts.
repadmin /showrepl * /csv | ConvertFrom-Csv | Where-Object { [int]$_.'Number of Failures' -gt 0 }

All entries in /showrepl output should show 0 consecutive failures. If replication errors appear, check firewall rules, DNS resolution between DCs, and time synchronization (Kerberos requires clocks to be within 5 minutes of each other).
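repadmin is the tool to reach for interactively, but for a scheduled check the ActiveDirectory module exposes the same data as objects, which avoids parsing text. The function below is an added example, not part of the original tutorial: it queries every DC's inbound partner metadata and recorded failures, and also flags partners that have not replicated successfully within a window (a partner with zero failures can still be silently stale if replication simply is not being attempted). The 60-minute window is an assumption; adjust it to your site link schedules.

```powershell
# Replication health per DC using Get-ADReplicationPartnerMetadata / Get-ADReplicationFailure.
# Added example; assumes the RSAT ActiveDirectory module is available.
function Get-DcReplicationHealth {
    param([int] $MaxMinutesSinceSuccess = 60)   # assumed threshold; tune to your replication schedule

    $cutoff = (Get-Date).AddMinutes(-$MaxMinutesSinceSuccess)

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        # Inbound metadata: one row per (partner, partition) with last attempt/success timestamps.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server -ErrorAction SilentlyContinue

        # Failures the DC itself has recorded against its partners (FailureCount, LastError, Partner).
        $failures = Get-ADReplicationFailure -Target $dc.HostName -ErrorAction SilentlyContinue

        # Partners whose last successful inbound replication is older than the window.
        $stale = @($meta | Where-Object { $_.LastReplicationSuccess -lt $cutoff })

        [pscustomobject]@{
            DC               = $dc.HostName
            Site             = $dc.Site
            InboundLinks     = @($meta).Count
            FailureCount     = [int](($failures | Measure-Object -Property FailureCount -Sum).Sum)
            StaleLinks       = $stale.Count
            StalePartners    = ($stale | ForEach-Object { "$($_.Partner) [$($_.Partition)]" }) -join '; '
            LastErrors       = ($failures | ForEach-Object { $_.LastError } | Sort-Object -Unique) -join ','
            Healthy          = (@($failures).Count -eq 0) -and ($stale.Count -eq 0) -and (@($meta).Count -gt 0)
        }
    }
}

# Usage: anything with Healthy = False needs a look at StalePartners / LastErrors.
Get-DcReplicationHealth | Format-Table DC, InboundLinks, FailureCount, StaleLinks, Healthy -AutoSize
```

A DC with InboundLinks of 0 is itself a finding: a newly promoted DC should show at least one inbound connection per partition, and a DC that shows none after the KCC has run is usually isolated by DNS or firewall rules rather than healthy.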

Step 5: Understand and Locate FSMO Roles

Flexible Single Master Operations (FSMO) roles are specialized tasks that only one DC at a time can perform. There are five roles split across forest and domain scope:

  • Schema Master (forest-wide) — controls schema updates
  • Domain Naming Master (forest-wide) — controls adding/removing domains
  • PDC Emulator (per domain) — handles password changes, time sync, GPO edits
  • RID Master (per domain) — allocates pools of relative identifiers for object creation
  • Infrastructure Master (per domain) — maintains cross-domain object references

# Display all FSMO roles for the domain
$Domain = Get-ADDomain
$Forest = Get-ADForest

Write-Host "PDC Emulator:          $($Domain.PDCEmulator)"
Write-Host "RID Master:            $($Domain.RIDMaster)"
Write-Host "Infrastructure Master: $($Domain.InfrastructureMaster)"
Write-Host "Schema Master:         $($Forest.SchemaMaster)"
Write-Host "Domain Naming Master:  $($Forest.DomainNamingMaster)"

Step 6: Transfer FSMO Roles

After adding a new DC, you may want to distribute FSMO roles to balance the load or prepare to decommission the original DC. A transfer is the graceful method (both DCs are online and the role moves through normal replication); a seizure, the same cmdlet run with -Force, is the emergency method for a holder that is permanently unavailable. Permissions differ by role: Domain Admins can move the three domain-level roles, but the Schema Master requires membership in Schema Admins and the Domain Naming Master requires Enterprise Admins. After seizing the RID, Schema or Domain Naming role, the old holder must never be reconnected to the domain; remove it with metadata cleanup and rebuild it, or two DCs will claim the same role.

# Transfer all five FSMO roles to DC02
# 0=PDC, 1=RID, 2=Infrastructure, 3=Schema, 4=DomainNaming
Move-ADDirectoryServerOperationMasterRole `
    -Identity "DC02.corp.example.com" `
    -OperationMasterRole PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster, DomainNamingMaster `
    -Confirm:$false

# Verify the transfer
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
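The difference between a transfer and a seizure is one switch, so it is worth wrapping the decision in a function that only seizes when the current holder is demonstrably unreachable and the operator has explicitly allowed it. This is an added example, not part of the original tutorial; DC names are placeholders, and the reachability test deliberately probes LDAP (TCP 389) rather than ICMP, which is often filtered between DC subnets.

```powershell
# Transfer a FSMO role, or seize it only when the holder is down and -AllowSeizure is given.
# Added example; DC02.corp.example.com is a placeholder.
function Move-FsmoRoleSafely {
    param(
        [Parameter(Mandatory)] [string] $TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet("PDCEmulator", "RIDMaster", "InfrastructureMaster", "SchemaMaster", "DomainNamingMaster")]
        [string] $Role,
        [switch] $AllowSeizure
    )
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $target = (Get-ADDomainController -Identity $TargetDc).HostName

    # Current holder, read from the domain or forest object depending on the role's scope.
    $holder = switch ($Role) {
        "PDCEmulator"          { $domain.PDCEmulator }
        "RIDMaster"            { $domain.RIDMaster }
        "InfrastructureMaster" { $domain.InfrastructureMaster }
        "SchemaMaster"         { $forest.SchemaMaster }
        "DomainNamingMaster"   { $forest.DomainNamingMaster }
    }
    if ($holder -ieq $target) { return "$Role is already held by $target; nothing to do." }

    # A transfer needs the holder to answer LDAP. ICMP is frequently blocked, so test the port.
    $reachable = (Test-NetConnection -ComputerName $holder -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded

    if ($reachable) {
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $holder to $target."
    }
    if (-not $AllowSeizure) {
        throw "$holder (current $Role) is unreachable. Re-run with -AllowSeizure only if it is permanently gone."
    }

    # Seizure. For RID, Schema and Domain Naming the old holder must never rejoin the domain;
    # remove its metadata (ntdsutil metadata cleanup) and rebuild it from scratch.
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force -Confirm:$false
    return "SEIZED $Role from unreachable $holder to $target. Clean up $holder with metadata cleanup before it is ever powered on again."
}

# Usage: graceful move of the PDC Emulator; add -AllowSeizure only in a genuine outage.
Move-FsmoRoleSafely -TargetDc "DC02.corp.example.com" -Role PDCEmulator
```

Seizing a role that could have been transferred is not harmless: it bypasses the replication handshake that guarantees the outgoing holder has stopped acting as master, which is exactly the condition that leads to duplicate RID pools or conflicting schema changes.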

Step 7: Verify SYSVOL Replication (DFSR)

SYSVOL contains Group Policy templates and logon scripts. Windows Server 2025 uses the Distributed File System Replication (DFSR) engine — the legacy FRS mechanism was retired. Confirm DFSR is operational on all DCs.

# Confirm SYSVOL is replicated by DFSR: the FRS migration state should be 'Eliminated'
dfsrmig /getglobalstate

# Confirm this DC has finished its initial SYSVOL sync and is sharing SYSVOL (1 = ready)
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" |
    Select-Object SysvolReady

# Verify every DC is an enabled member of the SYSVOL replication group
Get-DfsrMembership -GroupName "Domain System Volume" |
    Select-Object ComputerName, ContentPath, Enabled

# Check the replicated folder state on this DC (2 = Initial Sync, 4 = Normal, 5 = In Error)
Get-CimInstance -Namespace "root\MicrosoftDFS" -ClassName DfsrReplicatedFolderInfo |
    Select-Object ReplicatedFolderName, State

# Check the DFS Replication event log for errors and warnings
Get-WinEvent -FilterHashtable @{ LogName = "DFS Replication"; Level = 2, 3 } -MaxEvents 20

SysvolReady should be 1, every member should show Enabled: True, and the SYSVOL Share folder should report State 4 (Normal); State 2 means initial sync has not finished and the DC is not yet advertising SYSVOL. If a DC reports State 5 (In Error), run dfsrdiag.exe pollad on the affected machine to force it to re-read its replication configuration from Active Directory, then re-check the event log.
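DFSR can report a healthy state while a DC still serves stale policy, because the state describes the replication engine, not the content. The definitive content check is to compare each GPO's version in Active Directory (versionNumber on the groupPolicyContainer object) with the Version= line in gpt.ini on every DC's SYSVOL share; a mismatch is a replication lag or a broken SYSVOL on that DC. The function below is an added example, not part of the original tutorial, and assumes the account running it can read every DC's SYSVOL share.

```powershell
# Compare GPO versions in AD against gpt.ini on each DC's SYSVOL.
# Added example; assumes read access to \\<dc>\SYSVOL on every DC.
function Test-GpoSysvolConsistency {
    param([string] $Domain = (Get-ADDomain).DNSRoot)

    $dcs  = Get-ADDomainController -Filter * -Server $Domain
    $gpcs = Get-ADObject -Server $Domain -LDAPFilter "(objectClass=groupPolicyContainer)" `
        -Properties displayName, versionNumber, gPCFileSysPath

    foreach ($gpc in $gpcs) {
        foreach ($dc in $dcs) {
            # gPCFileSysPath is \\<domain>\sysvol\<domain>\Policies\{GUID}; retarget the UNC at
            # one specific DC so we read that DC's copy rather than whatever DFS namespace picks.
            $path = $gpc.gPCFileSysPath -replace '^\\\\[^\\]+', "\\$($dc.HostName)"
            $ini  = Join-Path $path "gpt.ini"

            $sysvolVersion = $null
            if (Test-Path $ini) {
                $line = Get-Content $ini | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
                if ($line -match '^Version=(\d+)') { $sysvolVersion = [int]$Matches[1] }
            }

            # Both numbers pack the user and computer versions the same way, so a direct compare is valid.
            [pscustomobject]@{
                GPO           = $gpc.displayName
                DC            = $dc.HostName
                ADVersion     = [int]$gpc.versionNumber
                SysvolVersion = $sysvolVersion
                InSync        = ($sysvolVersion -eq [int]$gpc.versionNumber)
            }
        }
    }
}

# Usage: list only the (GPO, DC) pairs that are out of step.
Test-GpoSysvolConsistency | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

A SysvolVersion of null (gpt.ini missing on that DC) after initial sync has completed is the more serious finding: clients bound to that DC will fail to apply the policy entirely, which is also what an attacker tampering with SYSVOL on one DC would look like.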

Step 8: Run dcdiag for Full Health Check

The dcdiag utility runs a comprehensive suite of tests against a domain controller. Run it on both the new and existing DCs to confirm everything is functioning correctly.

# Run the key tests on the local DC (DFSREvent replaces the FRS-era FrsEvent test)
dcdiag /test:Advertising /test:DNS /test:DFSREvent /test:Replications /test:Services /v

# Run tests against a specific remote DC
dcdiag /s:DC02.corp.example.com /test:Advertising /test:Replications /v

# Save the full verbose output to a file for review
dcdiag /v /f:C:\Logs\dcdiag-dc02.txt

Conclusion

You have successfully promoted a Windows Server 2025 server as an additional domain controller, verified replication, managed FSMO roles, and confirmed SYSVOL health via DFSR. With at least two domain controllers in your environment, your Active Directory infrastructure now has the redundancy needed to survive a single server failure without disrupting user authentication or Group Policy delivery. Keep both DCs patched, monitor replication status with repadmin /replsummary on a regular schedule, and document which DC holds which FSMO roles so you can respond quickly to any future incidents.