A domain controller (DC) is a server computer that responds to authentication requests. It participates in the replication and contains a complete copy of all directory information for its domain. If your environment requires high availability of IT systems when one DC fails, another takes over to ensure successful login, etc. Please see this guide for how to add a second DC to the existing environment, how to set up VMs in Hyper in order to have Domain Controllers running as Virtual Machines, and “Post OS configuration of Windows Server 2019 Properties. In this article, we will discuss Active Directory: How to Setup a Domain Controller.
Here are some related articles that might interest you. What are Active Directory Forest, Trees, Domain, and Sites, and how to synchronize your on-premises AD with Azure Active Directory using the Azure AD Connect tool? Here is a YouTube video on How to demote and remove a Domain Controller on Windows Servers.
Active Directory: Setup your first Domain Controller
Note: On the VMs, ensure you have searched rigorously and applied all updates: Click on Manage on the First VM you wish to use as the First DC. Select Add Roles and Features as shown below.
Click on next as shown below. You can optionally click on the check box to skip through this window in the future.
Select Role-based or Feature-based installation and click on next
Please see how to fix “Enter connection information for your on-premise directory or forests: Azure AD connect unable to connect directory, forest not available“, Active Directory Forest – Trees and Domain and Sites, How to install and configure Active Directory Domain Services on Windows Server 2022, and how to fix “The trust relationship between this workstation and the primary domain failed.
Select Active Directory Domain Services
Select the right server you wish to install the role on. Here I have just one server, so I will click on next. Under the Server role, Select Active Directory Domain Services
Note: When you click on Active Directory Domain Services (AD DS), it will prompt with a window to add features required for AD DS role
Note: There is no need to install the DNS server role alongside AD DS. This is because; you must not necessarily use the built-in DNS server. So I will be using a 3rd party DNS Server.
Click on Next without selecting to install the DNS server. Under the features, Windows, click next and do not select anything as no feature is needed at this moment by me.
If you do, you can select any and click on next. On the Active Directory Domain Services window, Click on next
On the confirmation tab, click on Install. Usually, if a restart is needed, the system will ask and prompt for this. But I do this on the fly by checking the box, and restarting the destination server if required as shown below.
Install Active Directory Domain Services
Please click on yes and click on install
Note 1: After installing AD DS, ensure you change the Default First Site name to a useful “name”. Ensure you change the Default First-Site-Name under Active Directory Sites and Services to reflect the domain name. Or else the default name stays.
Note: 2: Ensure, you change the computer- name and enter the right IP parameters. This is very vital.
Please see Linux Error 13: Permission denied, are you root, How to setup WatchGuard XTM, How to install and configure NGINX, how to make a back of the XTM Device configuration file, and how to copy TFTP Image to Flash on Cisco ASA.
Promoting as a Domain Controller | Installing Your First Forest in Windows Server 2019
Since this is going to be our first DC; it is going to be our Primary Domain Controller (DC): Here I will be adding a new Forest and the link to promote this server as a DC can be accessed from this link below
But if you decide to close this window and access the link via the Task details
Click on promote this server as a domain controller which will open the deployment configuration window as shown below.
Enter your root domain name and click on next.
Select the Forest and Domain Functional Level and DSRM Password
On the Domain controller option, I will be leaving the Forest and Domain functional level as shown below and will enter my Password that will be needed in the future for recovery purposes. Remember to uncheck the Domain Name Server (DNS) Server in order not to install DNS Server.
On the DNS Option below, click on Next and Do Nothing (this behaviour is normal as we do not want the name to be resolvable in Public DNS) as shown below.
On the Additional Option, the NetBIOS domain name will be automatically filled, click on Next.
If you have other drives and would like to save these folders, then you can select other paths. But I will leave it as default as shown below.
Under the review option, Click on Next (Note: you can also view the PowerShell cmdlets using the view script menu below).
Now the prerequisite test will be performed and when passed you can then install.
Click on install and this will continue to run displaying various progress steps etc. The Server will automatically restart itself and that is the end of the entire process.
Having set up a new DC, you may want to see this guide: Laps in Windows: How to Reset Directory Services Restore Mode (DSRM) password.
Some facts to note on Promoting a Domain Controller
I have decided to add this at the bottom in order not to interfere with your configuration steps above 🙂 To promote a Server to a DC, in the previous version you will need to run dcpromo. But this is not the case anymore as you have seen above.
When you run the dcpromo, it checks to see if the Active Directory Domain Services binaries (role) are installed. Note: If you install the ADDS role ahead of time, you do not need to promote the server.
Note: in place FQDN of the forest root domain, using .local is preferable as it cannot be resolved from the internet. This statement is no longer true. For more information on this, please see Active Directory: Best Practices for Internal Domain and Network Names.
At the time of writing this guide, this is no longer the case. Microsoft does not recommend using non-routable domains due to directory synchronization.
Please see this guide “how to synchronize your on-premises AD with Azure Active ” for more information. Otherwise, you may run into issues when integrating your environment with Azure AD (hybrid). Some more configuration is desired in this case. In short, using .com address will enable you to resolve hosts on the internet.
After promotion, note the local user and groups are no longer available and this is because the local user and groups are not as secure as domain users and this help protect the dc.I hope you found this blog post helpful on Active Directory: How to Setup a Domain Controller. If you have any questions, please let me know in the comment session.