Promoting a Windows Server to an Active Directory Domain Controller turns a standalone server into the source of truth for users, computers, group policy, and Kerberos in your network. This guide does it via PowerShell, which is the only sane way for repeatable lab + production work.
Prerequisites
- Windows Server 2022 (or 2019) — Standard or Datacenter — with a static IP.
- Hostname set; the host has been rebooted with the final name.
- Time synced to a reliable source — AD is unforgiving about clock skew.
- A planned domain name (e.g. corp.example.sa — internal, not your public DNS).
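Before running the promotion, it is worth checking the prerequisites above in a script rather than by eye, because a DHCP address or an unsynchronised clock only shows up later as failed replication or Kerberos errors. The following is an added example, not code from the original guide: it assumes an English-language Windows Server (the w32tm output is parsed as text) and the built-in NetTCPIP module; the hostname DC01 is a constructed placeholder.

```powershell
# Added example, not part of the original guide: preflight for the
# prerequisites listed above. Assumes English w32tm output and the built-in
# NetTCPIP module; the expected hostname is whatever final name you chose.
function Test-DcPrerequisites {
    param(
        [Parameter(Mandatory)] [string] $ExpectedHostName,
        [double] $MaxClockOffsetSeconds = 5.0   # Kerberos tolerates 5 minutes; aim far lower
    )
    $r = [ordered]@{}

    # 1. Hostname already carries the final name (rename + reboot done)
    $r.HostNameOk = ($env:COMPUTERNAME -ieq $ExpectedHostName)

    # 2. Supported OS (Server 2019 or 2022, as the guide requires)
    $os = Get-CimInstance Win32_OperatingSystem
    $r.OsCaption = $os.Caption
    $r.OsOk = ($os.Caption -match 'Windows Server 20(19|22)')

    # 3. A connected adapter with a manually assigned (static) IPv4 address,
    #    and no connected adapter still obtaining its address via DHCP
    $up  = Get-NetAdapter | Where-Object Status -eq 'Up'
    $ips = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.InterfaceIndex -in $up.ifIndex }
    $r.StaticIpOk   = [bool]($ips | Where-Object PrefixOrigin -eq 'Manual')
    $r.DhcpAdapters = @(Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.InterfaceIndex -in $up.ifIndex -and $_.Dhcp -eq 'Enabled' } |
        Select-Object -ExpandProperty InterfaceAlias)

    # 4. Time source is a real server (not the local CMOS clock) and the
    #    phase offset reported by w32tm is small
    $status = w32tm /query /status /verbose 2>&1 | Out-String -Stream
    $source = ($status | Select-String '^Source:' | Select-Object -First 1).Line
    $r.TimeSource   = $source
    $r.TimeSourceOk = [bool]$source -and ($source -notmatch 'Local CMOS Clock|Free-running')
    $offsetLine = ($status | Select-String '^Phase Offset:' | Select-Object -First 1).Line
    if ($offsetLine -match '([-+]?\d+(\.\d+)?)s') {
        $r.ClockOffsetSeconds = [double]$Matches[1]
        $r.ClockOffsetOk = [math]::Abs($r.ClockOffsetSeconds) -le $MaxClockOffsetSeconds
    } else {
        $r.ClockOffsetOk = $false
    }

    $r.ReadyToPromote = $r.HostNameOk -and $r.OsOk -and $r.StaticIpOk -and
        ($r.DhcpAdapters.Count -eq 0) -and $r.TimeSourceOk -and $r.ClockOffsetOk
    [pscustomobject]$r
}

# Constructed hostname; replace with the name you picked
Test-DcPrerequisites -ExpectedHostName 'DC01'
```

Run it once as a local administrator and only proceed to Step 1 when ReadyToPromote is True; the individual fields tell you which prerequisite is still missing.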
Step 1: Install AD DS + DNS roles
Install-WindowsFeature -Name AD-Domain-Services, DNS `
-IncludeManagementTools `
-IncludeAllSubFeature
This puts the bits on disk but does not promote the server yet.
Step 2: Promote the server
For a new forest (the first DC in a brand-new environment):
# DSRM (Directory Services Restore Mode) password, only used when booting the
# DC into restore mode; the literal is a placeholder, store the real one in a vault
$SafeModePw = ConvertTo-SecureString "ChangeThis-32CharRandom!" -AsPlainText -Force
Install-ADDSForest `
-DomainName "corp.example.sa" `
-DomainNetbiosName "CORP" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-InstallDns $true `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-SafeModeAdministratorPassword $SafeModePw `
-NoRebootOnCompletion:$false `
-Force:$true
The server reboots automatically.
For an additional DC in an existing forest:
# Assumes $SafeModePw was created in this session as in the new-forest case;
# Get-Credential prompts for an account that is allowed to add DCs (Domain Admins)
Install-ADDSDomainController `
-DomainName "corp.example.sa" `
-InstallDns $true `
-Credential (Get-Credential) `
-SafeModeAdministratorPassword $SafeModePw `
-Force:$true
Step 3: Validate the promotion
After the reboot:
Get-ADDomain
Get-ADForest
Get-ADDomainController
dcdiag /v
dcdiag /v runs the standard health checks. Any FAIL on Connectivity, Replications, Topology, KCC or SYSVOL needs attention before another DC joins.
Step 4: Create the operations OU structure
New-ADOrganizationalUnit -Name "Corp" -Path "DC=corp,DC=example,DC=sa"
New-ADOrganizationalUnit -Name "Users" -Path "OU=Corp,DC=corp,DC=example,DC=sa"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=Corp,DC=corp,DC=example,DC=sa"
New-ADOrganizationalUnit -Name "Servers" -Path "OU=Corp,DC=corp,DC=example,DC=sa"
New-ADOrganizationalUnit -Name "Workstations" -Path "OU=Corp,DC=corp,DC=example,DC=sa"
# Create a service account for backup software.
# The password literal is a placeholder: anything typed here lands in the
# script file and shell history, and PasswordNeverExpires means rotation is
# manual, so track this account in your password vault.
New-ADUser -Name "svc-backup" `
-SamAccountName "svc-backup" `
-Path "OU=Users,OU=Corp,DC=corp,DC=example,DC=sa" `
-AccountPassword (ConvertTo-SecureString "Strong!Password-32" -AsPlainText -Force) `
-Enabled $true `
-PasswordNeverExpires $true
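The commands above fail on a second run (the OUs already exist) and carry the service-account password as a literal. The following is an added example, not part of the original guide, that builds the same OU tree idempotently and takes the password from Get-Credential instead. It assumes the ActiveDirectory module installed with the AD DS role and the corp.example.sa naming from this guide; New-OuIfMissing and New-ServiceAccount are names chosen here.

```powershell
# Added example, not part of the original guide: re-runnable version of Step 4.
# Assumes the ActiveDirectory module (installed with AD DS / RSAT).
Import-Module ActiveDirectory

function New-OuIfMissing {
    # Creates OU=$Name under $Path unless it already exists; returns its DN
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Path
    )
    $dn = "OU=$Name,$Path"
    try {
        $null = Get-ADOrganizationalUnit -Identity $dn -ErrorAction Stop
        Write-Verbose "OU already exists: $dn"
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Protected from accidental deletion, which is also New-ADOrganizationalUnit's default
        $null = New-ADOrganizationalUnit -Name $Name -Path $Path -ProtectedFromAccidentalDeletion $true
    }
    return $dn
}

function New-ServiceAccount {
    # Creates a service user with the password taken from a PSCredential,
    # so no secret is written into the script
    param(
        [Parameter(Mandatory)] [string]       $Name,
        [Parameter(Mandatory)] [string]       $OuPath,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $Description = 'Service account'
    )
    $existing = Get-ADUser -Filter "SamAccountName -eq '$Name'"
    if ($existing) {
        Write-Verbose "User already exists: $Name"
        return $existing
    }
    New-ADUser -Name $Name -SamAccountName $Name -Path $OuPath `
        -AccountPassword $Credential.Password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -KerberosEncryptionType AES128, AES256 `
        -Description $Description -PassThru
}

# Same tree as the guide: Corp, then Users/Groups/Servers/Workstations beneath it
$base = 'DC=corp,DC=example,DC=sa'
$corp = New-OuIfMissing -Name 'Corp' -Path $base
$ous  = @{}
foreach ($n in 'Users', 'Groups', 'Servers', 'Workstations') {
    $ous[$n] = New-OuIfMissing -Name $n -Path $corp
}

# Password is prompted for, never stored in the script
$cred = Get-Credential -UserName 'svc-backup' -Message 'Password for the backup service account'
New-ServiceAccount -Name 'svc-backup' -OuPath $ous['Users'] -Credential $cred -Description 'Backup software'
```

PasswordNeverExpires is kept because the guide uses it; the extra flags restrict the account to AES Kerberos encryption types and stop it changing its own password, both of which are reasonable for a non-interactive service identity.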
Step 5: Set the DNS forwarders
Your DC is now authoritative for corp.example.sa. For everything else (the public internet), set forwarders:
Add-DnsServerForwarder -IPAddress "1.1.1.1","8.8.8.8" -PassThru
Get-DnsServerForwarder
Step 6: Back up the System State
A DC without a System State backup is a single point of failure. Set up daily backups via Windows Server Backup. Two caveats: wbadmin overwrites the previous backup each time it writes to a network share, so the share itself (or its snapshots) must provide version history, and the -password value is visible in the command line and in shell history, so enter it interactively or clear the history afterwards.
Install-WindowsFeature -Name Windows-Server-Backup
# CORP\svc-backup needs write access to the share; the password literal is
# the same placeholder used when the account was created in Step 4
wbadmin enable backup `
-addtarget:\\nas.corp.example.sa\backups\dc01 `
-systemState `
-schedule:02:00 `
-user:CORP\svc-backup `
-password:"Strong!Password-32"
Verify
Get-Service ADWS, KDC, NTDS, Netlogon, DNS
dcdiag /test:replications
dcdiag /test:dns
nltest /dsgetdc:corp.example.sa
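The checks in Step 3, Step 6 and this Verify section produce several screens of output that are easy to misread. The following is an added example, not code from the original guide: a single function that runs those same commands and reduces them to one object with a Healthy flag. It assumes English-language dcdiag and nltest output, the ActiveDirectory and WindowsServerBackup modules installed by the steps above, and the corp.example.sa name from this guide; Get-DcHealth is a name chosen here.

```powershell
# Added example, not part of the original guide: post-promotion health check
# wrapping the commands from Step 3, Step 6 and Verify. Assumes English
# dcdiag/nltest output and the ActiveDirectory + WindowsServerBackup modules.
function Get-DcHealth {
    param(
        [string]   $DomainName = 'corp.example.sa',
        [int]      $MaxBackupAgeHours = 26,   # daily backup at 02:00 plus slack
        [string[]] $CoreServices = @('ADWS', 'KDC', 'NTDS', 'Netlogon', 'DNS')
    )
    $r = [ordered]@{ Computer = $env:COMPUTERNAME }

    # Every core service must be running
    $r.StoppedServices = @(Get-Service -Name $CoreServices |
        Where-Object Status -ne 'Running' | Select-Object -ExpandProperty Name)

    # dcdiag prints one "<DC> passed|failed test <Name>" line per test; the DNS
    # test is not part of the default set, so run it separately as the guide does
    $lines = @(dcdiag /v 2>&1) + @(dcdiag /test:dns 2>&1) | Out-String -Stream
    $r.FailedTests = @(foreach ($l in $lines) {
        if ($l -match '\s(?<dc>\S+)\s+failed test (?<test>\w+)') {
            "$($Matches.dc):$($Matches.test)"
        }
    })

    # Replication partners currently reporting errors for this DC
    $r.ReplicationFailures = @(Get-ADReplicationFailure -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Partner)

    # The DC locator must find a DC for the domain (nltest exit code 0)
    $null = nltest "/dsgetdc:$DomainName" 2>&1
    $r.LocatorOk = ($LASTEXITCODE -eq 0)

    # Forwarders configured for queries outside the zone we are authoritative for
    $r.Forwarders = @((Get-DnsServerForwarder -ErrorAction SilentlyContinue).IPAddress |
        ForEach-Object { $_.IPAddressToString })

    # The last successful System State backup must be recent enough
    $r.BackupFresh = $false
    $summary = Get-WBSummary -ErrorAction SilentlyContinue
    if ($summary) {
        $r.LastBackup  = $summary.LastSuccessfulBackupTime
        $r.BackupFresh = ((Get-Date) - $summary.LastSuccessfulBackupTime).TotalHours -le $MaxBackupAgeHours
    }

    $r.Healthy = ($r.StoppedServices.Count -eq 0) -and ($r.FailedTests.Count -eq 0) -and
        ($r.ReplicationFailures.Count -eq 0) -and $r.LocatorOk -and
        ($r.Forwarders.Count -gt 0) -and $r.BackupFresh
    [pscustomobject]$r
}

Get-DcHealth | Format-List
```

Run it from an elevated prompt on the DC itself; on a freshly promoted single DC, ReplicationFailures is empty by definition, and BackupFresh stays False until the first scheduled run from Step 6 has completed.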
Conclusion
You now have a working domain controller with DNS, an OU structure, a service account, forwarders, and scheduled backups. Add a second DC before you put any users on this domain — single-DC forests are an outage waiting to happen.
Next steps
- Apply Windows Firewall rules via PowerShell to limit inbound traffic to the AD ports.
- Schedule housekeeping with Windows Task Scheduler.
- For an app workload on the same host see IIS Web Server on Windows.