Server 2016: Active Directory installation (part 2)

Foreword

In the first part of this article a new Active Directory has been installed. So far, however, there is only one domain controller. In order to keep the Active Directory available in the event of a server failure, at least two domain controllers should be installed per domain.

In this article, the second domain controller is installed and configured.

Preparation

As with the first domain controller, the preparations are completed quickly. A descriptive host name is assigned again, in this case FWDC2:

A static IP address is also required again. This time, the already installed domain controller is specified as the DNS server:

Finally, the server is added as a member of the existing Active Directory:

That was all the preparations for the second domain controller.

Install Active Directory role

As with the first domain controller, the Active Directory role must be installed first. The procedure is identical for all domain controllers and has already been described in the first part, so I will save the details here.

As soon as the role is installed, the server can be upgraded to Domain Controller:

Upgrade second domain controller

To upgrade the second domain controller, select the option "Add domain controller to an existing domain". As the server is already a member of the Active Directory, no further selection needs to be made under "Domain". It is important that a domain administrator is logged on to the server, otherwise the corresponding rights for upgrading a DC are missing.

The IP address is now used to determine the subnet and the corresponding Active Directory location (as created in part 1). Keep the password safe again:

Again, the message appears that no delegation can be created for the DNS server, as already mentioned, this is normal:

In the next dialog, you can specify the domain controller from which the initial replication should take place. If there are already several domain controllers or the first domain controller is installed in a new location, a DC that is best suited (fastest connection, lowest utilization, etc.) can be specified here:

The paths for the installation are normally left as they are:

A summary of the settings is now displayed again and there is again the option to save the settings as a script:

Click on Install to upgrade the server to Domain Controller and perform the initial replication:

The server is restarted automatically:

As soon as the restart has been carried out, the new domain controller is available, but there is still some rework to be done.

Reworking

First of all, the issue with the time again. The first domain controller, or the domain controller with the master role PDC, is synchronized with an external time source. In the first article, this is an NTP server from the Internet. All other domain controllers in this domain can now synchronize the time via the PDC.

This can be configured with the following commands (the parameter is really called "domhier", no name is entered, just accept it as it is):

w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time

Actually, the thing with the time is quite simple: Synchronize PDC with an external time source, synchronize all other DCs of the domain with PDC, clients get their time from the domain controllers. Unfortunately, synchronization with an external time source is often forgotten.

Each DNS server should have at least two forwarders, in this example the router and Google DNS are used as targets for the DNS forward. However, a different domain controller is NOT specified here.

The background is as follows: All DNS queries that this DNS server cannot answer directly will be forwarded to the addresses that are configured as forwarders, which is why public DNS servers are normally entered here. Another domain controller will also not be able to answer the query and would also have to forward it, so it normally makes no sense to specify a different DC here:

To ensure that obsolete DNS entries are also deleted after a certain period of time, "Ageing" should also be activated:

The same applies to the reverse lookup zone:

To ensure that outdated entries are deleted, the "cleanup process" must be activated on the DNS servers:

Last but not least, a setting that affects the first domain controller. The second domain controller is set as the primary DNS server, the loopback address as the secondary DNS server:

The settings should also already suit the second domain controller.

This means that the Active Directory runs on two domain controllers and is protected against the failure of a single server. A proper backup must of course still be set up.