Adding additional Domain Controller (Windows Server 2012)

Post migrated to:


27 responses to “Adding additional Domain Controller (Windows Server 2012)”

  1. Patrick says :

    Great post, used it to set up our 2nd DC.

  2. Joe says :

    Great post!
    I have set up a primary DC (DC1) followed by another DC (DC2), just like the example. Now I would like the latest addition (DC2) to be the primary controller and DC1 to be the secondary controller. How is this accomplished? How can I verify which DC is being used first?

    Thanks in advance.

    • iSiek says :

      Hi Joe,

      You cannot decide to which DC users/computers will be authenticated. If you have DCs in the same Site, all of them are used for authentication. In case you wish to separate authentication traffic, you need to create a separate Site and subnet for it, then configure your network with the new subnet, and traffic will be split between DCs.


      • Johnatan says :

        Can you show us an example of how to create, for example, two sites and let users authenticate depending on the subnet? Our DCs have the default-site created, but now we would like to split them: users on site A authenticate at and users on site B at It’s not a new Windows installation, the DC already exists. Thanks in advance.

      • iSiek says :

        Hello Johnatan,

        Yes, of course, this is a really good topic for a post. Thank you very much for that. I will try to prepare this article in the next few days and publish it. I hope you will still need this guide.

        Thank you in advance for your patience.
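
The site-and-subnet split discussed in this thread, as an added example that is not part of the original post or comments. Site names, subnets and DC names are hypothetical placeholders; the cmdlets come from the ActiveDirectory PowerShell module on Windows Server 2012 and later, and the last three commands show which DC a machine is actually using.

```powershell
# Added example: split authentication between two AD sites by client subnet.
# All names and subnets below are hypothetical placeholders.
Import-Module ActiveDirectory

$sites = @(
    @{ Name = 'SiteA'; Subnet = '10.0.1.0/24'; DC = 'DC1' },
    @{ Name = 'SiteB'; Subnet = '10.0.2.0/24'; DC = 'DC2' }
)

foreach ($s in $sites) {
    # Create the site only if it does not exist yet (safe to re-run).
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$($s.Name)'")) {
        New-ADReplicationSite -Name $s.Name
    }
    # Map the client subnet to the site; clients in this range prefer that site's DCs.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($s.Subnet)'")) {
        New-ADReplicationSubnet -Name $s.Subnet -Site $s.Name
    }
    # Move the existing DC object out of the default site into its new site.
    Move-ADDirectoryServer -Identity $s.DC -Site $s.Name
}

# New sites need a site link so the DCs keep replicating with each other.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'SiteA-SiteB'")) {
    New-ADReplicationSiteLink -Name 'SiteA-SiteB' -SitesIncluded 'SiteA','SiteB' `
        -Cost 100 -ReplicationFrequencyInMinutes 15
}

# Verification, run on a client or member server in each subnet:
nltest /dsgetsite                     # site this machine's subnet maps to
nltest /dsgetdc:$env:USERDNSDOMAIN    # DC the locator currently selects
$env:LOGONSERVER                      # DC that handled the interactive logon
```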


    • Nikola says :

      You have to configure the priority of the SRV records for your domain controllers on your primary DNS server.

  3. Muditha Gayan says :

    Hi iSiek,
    Your blog is great. I followed every step and at the last step (when installing) I got an error. I could not understand the reason.

    The operation failed because:

    The attempt to join this computer to the “windowslab.local” domain failed.

    “The request is not supported.”
    Please give some advice,
    thanks,

    • iSiek says :

      Hi Muditha,

      Is this case still valid? Do you still need help or did you solve the issue?


  4. Derek says :

    Pretty element of content. I just stumbled upon your blog
    and in accession capital to claim that I get actually loved account your weblog posts.
    Any way I’ll be subscribing on your augment and even I success you get entry to persistently quickly.

  5. Senthil says :

    After adding the additional domains, do I need to set up DNS service (forward/reverse) separately for every domain?

  6. Andrew says :

    I don’t have an option to ignore DNS delegation and it fails on verification. How do you avoid this?

  7. Purpleturtle99 says :

    When you say: Provide Enterprise Administrator credentials and go to the next step and you used: administrator@blah.local. Is the Blah part the existing domain controller’s name? Or could I just use administrator for the credentials?

  8. Tai says :

    Thanks for your great video. Please, I just want to ask if it is possible to add Server 2012 as a secondary domain to my SBS 2011 primary domain. Thanks

  9. Dan Goldsmith says :

    Hi Krzysztof,

    I followed your excellent Configuring a forest root domain on a fresh install of Server2012r2 and it went perfectly. I’m now following this guide to add a 2nd DC to the existing forest, but I can get past this error ‘An Active Directory domain controller for “test.local” could not be found’.
    I’ve configured the DNS exactly as instructed on both servers, but no matter what I try I always get stuck at the same point.

    I’m using 2x Server 2012R2 Standard VMs on ESXi5.0. Each O/S has been freshly installed and updated from an MSDN ISO (5 attempts for each now!)

    The weird thing is, if I put the IP of the first DC into the Domain field when trying to add it to the existing forest and hit select, it displays test.local, so the DNS looks like it’s working.

    Any ideas? I might try 2012 rather than 2012r2 next.

    • iSiek says :

      Hi Dan,

      Thank you for reading my blog and following the article. Your case is really curious 🙂

      I’m really surprised that you were able to set up Windows Server 2012 R2 on ESXi 5.0! VMware recommends for 2012 at least ESXi 5.0 Update 3 (earlier versions have a serious bug) and for 2012 R2 at least ESXi 5.1.

      Please check the requirements below and tell me if all of them are met:
      – both VMs are using the same vNIC
      – both VMs are within the same VLAN
      – ports required for AD replication are opened (see this MS article about that at
      – Windows Advanced Firewall allows communication on the same ports as above
      – VMware guest tools are installed on both servers
      – Under VMware guest tools, time synchronization with host is disabled on both Windows servers
      – system time is the same on both servers (difference lower than 5 mins!)

      To verify ports, you may use the portqry 2.0 tool available at or use a graphical version portqry UI at

      I would suppose this issue may be related to the environment (ESXi) rather than a broken ISO image.

      And please let me know if this is still an issue for you. Then we’ll try to find another way to discover what’s wrong.
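
The DNS, port and time checks from the list above, scripted as an added example that is not part of the original post or comments. `$Domain` and `$ExistingDc` are hypothetical placeholders, the port list is the commonly documented TCP set for domain controllers rather than one taken from this page, and `Test-NetConnection` requires Windows Server 2012 R2 or later (on plain 2012, portqry covers the same check).

```powershell
# Added example: checks to run on the server that will become the additional DC.
# $Domain and $ExistingDc are hypothetical placeholders.
$Domain     = 'test.local'
$ExistingDc = 'dc1.test.local'

# 1. DC locator SRV records. "A domain controller could not be found" typically
#    means this lookup fails against the DNS server configured on the NIC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    $srv | Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port, Priority, Weight
} else {
    Write-Warning "No DC SRV records found for $Domain; check the DNS client settings."
}

# 2. TCP reachability of the existing DC: DNS, Kerberos, RPC endpoint mapper, LDAP,
#    SMB, Kerberos password change, LDAPS, Global Catalog.
#    UDP ports and the dynamic RPC range are not covered by this test.
foreach ($port in 53, 88, 135, 389, 445, 464, 636, 3268) {
    $r = Test-NetConnection -ComputerName $ExistingDc -Port $port -WarningAction SilentlyContinue
    '{0,-5} {1}' -f $port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 3. Clock offset against the existing DC; Kerberos tolerates 5 minutes by default.
w32tm /stripchart /computer:$ExistingDc /samples:3 /dataonly

# 4. Ask the DC locator directly, bypassing any cached result.
nltest /dsgetdc:$Domain /force
```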


  10. ghuffar malik says :

    Thank you very much, it is a very simple way to make an ADC. ghuffar malik

  11. Jan says :

    Thank You! Very well explained

  12. Guest says :

    Thank you! very good manual, made it easy.

  13. Ross says :

    Thanks for the great article.
    I am still a little confused when it comes to adding a 2012 DC to an existing domain with legacy trusts and members. I have two DCs 2003R2 in a 2003 FFL and DFL domain. This domain has 2000 and NT 4 members and a trust to an NT4 domain. If I introduce a 2012R2 DC and keep the FFL, DFL and FSMO roles as they are, will the trust and members function as normal? Is it possible to have the legacy members still authenticate on the 2003 DCs and maintain the external trust? Without any of the “Allow cryptography algorithms compatible with Windows NT 4.0” stuff.

    • iSiek says :

      Yes, trusts would work without changes. However, I’m not sure if you would be able to authenticate using NT4 domains when you remove Windows Server 2003 Domain Controllers.

  14. Sunith says :


    Our current DC is Windows 2008 Enterprise R2, which is also our primary DNS server.

    We need to set up an Additional DC on Windows 2012 R2 Standard. Our objectives are:

    1. The new server will be our Additional Domain Controller (ADC)

    2. The new server will be our secondary DNS server.

    We need to add a few new virtual servers to our domain with the DNS pointing to this new ADC, and once this task is completed we will promote this server as the Primary Domain Controller and the Primary DNS server.

    Which means I will need to transfer all the FSMO roles at this point.

    Appreciate if all you techies out there can help me to understand the best way to go about this.

    Thank You in advance.

  15. Asif says :

    Very clear and detailed post. Thank you!
