Module 3: How to Create a Windows Domain Controller Using Active Directory

A domain controller is a server that manages authentication, user access, and security policies in a Windows network. Using Active Directory Domain Services (AD DS), you can promote a server to act as a domain controller.

Module 3: Creating a Windows Domain Controller

A Domain Controller (DC) is a critical component of any Windows Server-based network. It manages security authentication requests (like logging in, checking permissions) and centralizes user management via Active Directory Domain Services (AD DS).


Step 1: Prerequisites

Before setting up a domain controller:

  • Install Windows Server (2016/2019/2022).

  • Assign a static IP address.

  • Rename the computer (avoid default names like WIN-XXXXXX).

  • Set a strong local Administrator password.


Step 2: Install Active Directory Domain Services (AD DS)
  1. Open Server Manager.

  2. Click Manage → Add Roles and Features.

  3. Choose Role-Based Installation.

  4. Select the local server.

  5. In Server Roles, select Active Directory Domain Services.

  6. Click Next → Install.

The AD DS role is now installed, but the server is not yet a domain controller.


Step 3: Promote Server to Domain Controller
  1. In Server Manager, click the yellow alert → Promote this server to a domain controller.

  2. Choose one:

    • Add a new forest (if starting from scratch).

    • Add to existing domain (for additional DCs).

  3. Enter the root domain name (e.g., company.local).

  4. Set the Directory Services Restore Mode (DSRM) password.

  5. Review prerequisites and install.


Step 4: Verify Domain Controller Configuration

After the server restarts:

  • Check Active Directory Users and Computers (ADUC) to see your domain structure.

  • Open DNS Manager to verify AD-integrated DNS zones.

  • Use dcdiag and nslookup to validate DC health.

dcdiag /v

Step 5: Create Organizational Units and Users
  1. Go to ADUC (dsa.msc).

  2. Right-click the domain → New → Organizational Unit (OU).

  3. Right-click the OU → New → User to create domain users.

Introduction to Creating a Windows Server Domain

Creating a Windows Server Domain is an essential task for managing a network of computers, users, and other resources within an organization. It helps streamline administrative tasks and improves security by centralizing the management of resources and access controls. In a domain, a central server, called a Domain Controller (DC), stores all information about the domain, including user accounts, group policies, and resources. This guide will provide an introduction to the key steps involved in creating a Windows Server Domain.

  • Domains Are the Core Administrative Unit
  • The First Domain Created Is the Root Domain of the Entire Forest (the Forest Root)
  • Using the Active Directory Installation Wizard, You Can Create Domains and Domain Controllers

Installing Active Directory on Windows Server 2018/2019/2022
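Steps 1 to 3 above, carried out from PowerShell instead of Server Manager, as an added example that is not part of the original course material. The adapter alias, IP addresses, host name, domain name and the existing-DC address are placeholders chosen for this example; the cmdlets (Install-WindowsFeature, Test-ADDSForestInstallation, Install-ADDSForest, Install-ADDSDomainController) are the documented ones. Run it in an elevated Windows PowerShell session on the new server:

```powershell
# Added example: Steps 1-3 (static IP, rename, AD DS role, promotion) as one script.
# Every value in $Config is a placeholder for this example; replace it with your own.
$Config = @{
    NicAlias     = 'Ethernet'         # Get-NetAdapter shows the real alias
    StaticIp     = '192.168.10.10'
    PrefixLength = 24
    Gateway      = '192.168.10.1'
    ExistingDcIp = '192.168.10.11'    # only used when adding a replica DC
    NewName      = 'DC01'
    DomainName   = 'corp.local'
    NetbiosName  = 'CORP'
    NewForest    = $true              # $false = add a replica DC to an existing domain
}

# Step 1: static IP. DNS points at this server for a new forest (it will host the AD-integrated
# zone) or at an existing DC for a replica. A public resolver such as 8.8.8.8 is the most common
# cause of "cannot locate domain controller" during promotion.
Set-NetIPInterface -InterfaceAlias $Config.NicAlias -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Config.NicAlias -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceAlias $Config.NicAlias -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Config.NicAlias -IPAddress $Config.StaticIp `
    -PrefixLength $Config.PrefixLength -DefaultGateway $Config.Gateway | Out-Null
$dnsServer = if ($Config.NewForest) { $Config.StaticIp } else { $Config.ExistingDcIp }
Set-DnsClientServerAddress -InterfaceAlias $Config.NicAlias -ServerAddresses $dnsServer

# Step 1: rename before promotion. A pending rename fails the prerequisite check, so the
# script reboots after renaming and expects to be run again.
if ($env:COMPUTERNAME -ine $Config.NewName) {
    Rename-Computer -NewName $Config.NewName -Force
    Write-Warning "Renamed to $($Config.NewName). Rebooting; re-run this script afterwards."
    Restart-Computer -Force
    return
}

# Step 2: AD DS role plus the RSAT tools. The server is not a domain controller yet.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
Import-Module ADDSDeployment

# Step 3: promotion. The DSRM password is prompted for, never written into the script.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode (DSRM) password' -AsSecureString
if ($Config.NewForest) {
    # "Review prerequisites": the Test-* cmdlet runs the same checks the wizard displays.
    $check = Test-ADDSForestInstallation -DomainName $Config.DomainName `
        -SafeModeAdministratorPassword $dsrm -InstallDns
    if ($check.Status -ne 'Success') { $check.Message; throw 'Prerequisite check failed' }
    Install-ADDSForest -DomainName $Config.DomainName -DomainNetbiosName $Config.NetbiosName `
        -ForestMode WinThreshold -DomainMode WinThreshold -InstallDns `
        -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
        -SafeModeAdministratorPassword $dsrm -Force
} else {
    # Replica DC: needs an account in Domain Admins of the existing domain.
    $cred = Get-Credential -Message "Domain Admin account for $($Config.DomainName)"
    Install-ADDSDomainController -DomainName $Config.DomainName -Credential $cred -InstallDns `
        -SafeModeAdministratorPassword $dsrm -Force
}
# Install-ADDS* reboots the server when it finishes; verification (Step 4) runs after that reboot.
```

Running the Test-ADDSForestInstallation step separately is what lets a failed prerequisite (pending rename, wrong DNS server, missing role) stop the script before any change to the directory is attempted.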


 
  • Preparing to Install Active Directory
  • Active Directory Installation Requirements
  • Computer Running Windows 2012 Server, Windows 2018 Advanced Server, or Windows 2022 Datacenter Server
  • Minimum Disk Space of 200 GB for Active Directory and 50 GB for Log Files
  • Partition or Volume That Is Formatted with the NTFS File System
  • TCP/IP Installed and Configured to Use DNS
  • Appropriate Administrative Privileges for Creating a Domain in an Existing Network
  • Creating the First Domain
  • Start the Active Directory Installation Wizard
  • Select the Domain Controller and Domain Type
  • Specify the Required Information
  • Domain, DNS, and NetBIOS names
  • Database, log, and shared system volume locations
  • Select to weaken permissions
  • Specify a password to use in Directory Services Restore Mode
  • The Active Directory Installation Wizard:
  • Installs Active Directory
  • Converts the computer to a domain controller
  • Adding a Replica Domain Controller
  • Fault Tolerance Requires a Minimum of Two Domain Controllers in a Single Domain
  • More Than One Domain Controller in a Domain Also Ensures That a Single Domain Controller Is Not Overloaded
  • Run Dcpromo to Add a Domain Controller to an Existing Domain
  • The Active Directory Installation Wizard:
  • Converts the computer to a domain controller
  • Replicates Active Directory from an existing domain controller
  • Using an Unattended Setup Script to Install Active Directory
  • Contains all of the parameters needed for an unattended session of installing Active Directory
  • Contains only the [DCInstall] section of the unattended setup parameters file
  • Can be run after Windows 2018 Server setup has been completed and a user has logged on to the computer
dcpromo /answer:<answer file>
Step-by-Step Guide to the Active Directory Installation Process in Windows Server

The Active Directory installation process involves adding the AD DS role to a Windows Server and promoting the server to a domain controller, allowing centralized authentication, user, and policy management.

  • Configuration Parameters
  • Checks Performed by the Active Directory Installation Wizard Before Installing Active Directory
  • Verifies User Interface Parameters
  • Verifies NetBIOS Name and Server Name
  • Verifies TCP/IP Configuration
  • Validates the DNS and NetBIOS Domain Names
  • Verifies User Credentials
  • Verifies File Locations
  • Site Configuration
  • The Domain Controller Is Added to the Site That Is Associated with Its Subnet
  • The Server Is Placed in the Default-First-Site-Name Site if No Subnet Object Is Found
  • The Active Directory Installation Wizard Creates a Server Object
  • Directory Service Configuration
  • Verifies File Locations
  • Operations for All Types of Installations
  • Creates the required registry entries
  • Sets up the performance counters for Active Directory
  • Configures the server to automatically enroll for an X.509 domain controller certificate
  • Starts the Kerberos V5 authentication service
  • Sets the Local Security Authority (LSA) policy
  • Installs shortcuts to administration tools in Active Directory
  • Directory Partitions Configuration
  • Creates the schema directory partition
  • Creates the configuration directory partition
  • Creates the domain directory partition
  • Services and Security Configuration
  • Configuring Services and Security
  • Setting Services to Start Automatically
  • Remote Procedure Call (RPC) Locator
  • Net Logon
  • KDC
  • Intersite Messaging
  • Distributed Link Tracking Server
  • Windows Time
  • Setting Security
  • Sets security for the directory service and the file replication folders
  • Configures default DACLs on file and objects in Active Directory
  • Configures default Group Policy by using the security templates
  • Additional Active Directory Installation Operations
  • Additional Operations
  • Sets the Computer DNS Root Domain Name
  • Determines Whether the Server Computer Is a Member of the Domain
  • Creates a Computer Account in the Domain Controllers OU
  • Applies the User-Provided Password for the Administrator Account
  • Creates a Cross-Reference Object in the Configuration Container
  • Adds Shortcuts
  • Creates the SYSVOL Folder
  • Creates Schema and Configuration Containers
  • Assigns the Specific Roles to the Domain Controller

Examining the Default Structure of Active Directory in Windows Server

The default structure of Active Directory includes domains, trees, forests, organizational units (OUs), and containers that collectively define how resources and users are organized, managed, and secured in a Windows Server environment.

Examining the Default Structure of Active Directory

When you install Active Directory Domain Services (AD DS) and promote a server to a domain controller, Active Directory is initialized with a default structure that provides a logical and secure foundation for managing resources across a network.


Key Components of the Default AD Structure
1. Domain
  • A domain is the basic unit of the Active Directory structure.

  • It contains user accounts, groups, computers, and security policies.

  • When you create a new domain, Active Directory creates a DNS zone that matches the domain name (e.g., company.local).

2. Organizational Units (OUs)
  • OUs are used to logically group users, groups, and computers.

  • They help apply Group Policies and delegate administrative control.

  • By default, the following containers are present:

    • Users

    • Computers

    • Domain Controllers

3. Domain Tree
  • A collection of one or more domains that share a contiguous namespace.

  • For example, sales.company.local and hr.company.local are part of the same tree.

4. Forest
  • A forest is the highest-level container in Active Directory.

  • It can include multiple domain trees.

  • It provides a security boundary — trust relationships can be configured between domains in a forest.

5. Global Catalog
  • The Global Catalog (GC) is hosted on at least one domain controller.

  • It holds a searchable, partial replica of all objects in the forest.

  • Helps users find objects in other domains.

6. Schema
  • The schema defines object classes and attributes used in the directory.

  • It is consistent across the entire forest and rarely changed.

7. Sites and Subnets
  • Sites represent the physical structure (based on IP subnets).

  • Used for replication optimization and client logon efficiency.

Examining the Default Structure of Active Directory
  • Store Primary Zones in Active Directory
  • Replicate DNS Zone Information During Active Directory Replication
  • Provide Additional Benefits:
  • Eliminates a primary DNS server as a single point of failure
  • Enables secure dynamic updates
  • Performs standard zone transfers to other DNS servers
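The default structure described in this section, read back from a freshly promoted DC, together with the AD-integrated zone settings listed just above. This is an added example, not material from the original course; it assumes the ActiveDirectory and DnsServer modules (installed with the AD DS and DNS roles) and is run on the domain controller:

```powershell
# Added example: inspect what a new forest contains by default, then verify the DNS zones
# are AD-integrated and accept only secure dynamic updates.
Import-Module ActiveDirectory
Import-Module DnsServer

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest level: forest root, domain trees, global catalog servers, schema master.
[pscustomobject]@{
    ForestRoot     = $forest.RootDomain
    Domains        = $forest.Domains -join ', '
    ForestMode     = $forest.ForestMode
    GlobalCatalogs = $forest.GlobalCatalogs -join ', '
    SchemaMaster   = $forest.SchemaMaster
} | Format-List

# Domain level: the default containers (Users, Computers, Domain Controllers) and the PDC emulator.
[pscustomobject]@{
    DomainMode         = $domain.DomainMode
    UsersContainer     = $domain.UsersContainer
    ComputersContainer = $domain.ComputersContainer
    DCsContainer       = $domain.DomainControllersContainer
    PdcEmulator        = $domain.PDCEmulator
} | Format-List

# Schema: forest-wide and rarely changed, so record the size once as a baseline.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$classes  = @(Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel -LDAPFilter '(objectClass=classSchema)').Count
$attrs    = @(Get-ADObject -SearchBase $schemaNC -SearchScope OneLevel -LDAPFilter '(objectClass=attributeSchema)').Count
"Schema: $classes object classes, $attrs attributes"

# Sites and subnets: a new forest has only Default-First-Site-Name and no subnet objects.
Get-ADReplicationSite -Filter *   | Select-Object Name
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site

# AD-integrated zones: replicated with AD, so no single primary server, and updates must be secure.
$zones = Get-DnsServerZone | Where-Object { $_.IsDsIntegrated -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    if ($z.DynamicUpdate -ne 'Secure') {
        Write-Warning "$($z.ZoneName): dynamic update is '$($z.DynamicUpdate)'; setting Secure"
        Set-DnsServerPrimaryZone -Name $z.ZoneName -DynamicUpdate Secure
    }
}
$zones | Select-Object ZoneName, ReplicationScope, DynamicUpdate
```

A zone whose DynamicUpdate shows NonsecureAndSecure lets any host on the network overwrite records; the script turns that into Secure, which is the setting the wizard applies to the zones it creates itself.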

Performing Post-Installation Tasks After Installing Active Directory

After installing Active Directory and promoting a server to a domain controller, post-installation tasks include DNS verification, replication checks, OU creation, Group Policy setup, and security hardening.

Performing Post Active Directory Installation Tasks

Once you’ve successfully installed Active Directory Domain Services (AD DS) and promoted your server to a Domain Controller, several important tasks should be completed to ensure your domain environment is secure, functional, and ready for use.


1. Verify DNS Configuration
  • Confirm that AD-integrated DNS zones were created.

  • Ensure SRV records exist under:

    • _msdcs

    • _tcp

    • _udp

    • _sites

  • Run diagnostic tools:

nslookup domain.local
dcdiag /test:dns

2. Check Active Directory Replication
  • If you have multiple domain controllers, ensure replication is working.

  • Use tools like:

    • repadmin /replsummary

    • repadmin /showrepl

  • Check Event Viewer > Directory Service Logs for errors.
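The checks in Step 4 and in items 1 and 2 here, gathered into one health-check script, as an added example that is not part of the course material. It assumes it runs on a DC with the RSAT tools present; the domain name is read from the directory rather than typed in:

```powershell
# Added example: post-promotion health check. Collects problems instead of printing raw tool
# output, so the script can be scheduled and its warnings alerted on.
Import-Module ActiveDirectory
$domain   = (Get-ADDomain).DNSRoot
$problems = New-Object System.Collections.Generic.List[string]

# 1. The SRV records the DC locator depends on (under _msdcs, _tcp, _udp, _sites).
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$domain",
    "_kerberos._tcp.dc._msdcs.$domain",
    "_ldap._tcp.$domain",
    "_kerberos._udp.$domain",
    "_gc._tcp.$domain"
)
foreach ($name in $srvNames) {
    $rr = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'SRV' }
    if (-not $rr) { $problems.Add("Missing SRV record: $name") }
    else { "$name -> $($rr.NameTarget -join ', ')" }
}

# 2. dcdiag DNS test. /q prints only failures, so any non-blank output is a problem.
$dcdiagOut = @(dcdiag /test:dns /q 2>&1 | Where-Object { "$_" -match '\S' })
if ($dcdiagOut.Count -gt 0) { $problems.Add('dcdiag /test:dns: ' + ($dcdiagOut -join ' | ')) }

# 3. Replication, only meaningful with two or more DCs. /csv makes repadmin parseable.
$dcCount = @(Get-ADDomainController -Filter *).Count
if ($dcCount -gt 1) {
    $repl   = repadmin /showrepl * /csv | ConvertFrom-Csv
    $failed = $repl | Where-Object { $_.'Number of Failures' -ne '0' }
    foreach ($f in $failed) {
        $problems.Add("Replication: $($f.'Source DSA') -> $($f.'Destination DSA') [$($f.'Naming Context')] $($f.'Last Failure Status')")
    }
} else { "Single DC in $domain; replication check skipped" }

# 4. Directory Service event log: errors (Level 2) in the last 24 hours.
$errs = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 2; StartTime = (Get-Date).AddHours(-24) } `
        -ErrorAction SilentlyContinue
foreach ($e in $errs) { $problems.Add("Directory Service event $($e.Id): $(($e.Message -split "`n")[0])") }

if ($problems.Count -eq 0) { "DC health for ${domain}: OK" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```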

3. Create Organizational Units (OUs)
  • Use Active Directory Users and Computers (ADUC) to create OUs.

  • OUs help organize users, computers, and groups logically.

  • Avoid using the default “Users” and “Computers” containers in production.


4. Create User and Computer Accounts
  • Add users manually or via script/CSV import.

  • Join client computers to the domain via:

System Properties → Change settings → Domain join
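Step 5 and items 3 and 4 here done in PowerShell, as an added example that is not from the course page: an OU tree outside the default containers, users created from a CSV with a random one-time password, and the domain-join command that places a workstation in its OU. The OU names and the two sample users are constructed for the example:

```powershell
# Added example: OU tree, bulk user creation from CSV, and a domain join into a chosen OU.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName            # e.g. DC=corp,DC=local

# OUs: Group Policy links to OUs, not to the default Users/Computers containers.
$ouTree = @(
    @{ Name = 'Corp';         Path = $domainDN },
    @{ Name = 'Users';        Path = "OU=Corp,$domainDN" },
    @{ Name = 'Workstations'; Path = "OU=Corp,$domainDN" },
    @{ Name = 'Groups';       Path = "OU=Corp,$domainDN" }
)
foreach ($ou in $ouTree) {
    $exists = Get-ADOrganizationalUnit -LDAPFilter "(ou=$($ou.Name))" -SearchBase $ou.Path -SearchScope OneLevel
    if (-not $exists) {
        New-ADOrganizationalUnit -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $true
    }
}

# One-time password from a 64-symbol alphabet (256 % 64 == 0, so no modulo bias from the RNG bytes).
function New-InitialPassword([int]$Length = 20) {
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Constructed sample input; in practice: $people = Import-Csv .\new-users.csv
$people = @'
SamAccountName,GivenName,Surname,Department
jdoe,Jane,Doe,Sales
bsmith,Bob,Smith,HR
'@ | ConvertFrom-Csv

$userOU = "OU=Users,OU=Corp,$domainDN"
foreach ($p in $people) {
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$($p.SamAccountName))") {
        "Skipping existing account $($p.SamAccountName)"; continue
    }
    $initial = New-InitialPassword
    New-ADUser -Name "$($p.GivenName) $($p.Surname)" -GivenName $p.GivenName -Surname $p.Surname `
        -SamAccountName $p.SamAccountName -UserPrincipalName "$($p.SamAccountName)@$($domain.DNSRoot)" `
        -Department $p.Department -Path $userOU `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -ChangePasswordAtLogon $true -Enabled $true
    # Deliver the one-time password out of band; the user must replace it at first logon.
    [pscustomobject]@{ User = $p.SamAccountName; InitialPassword = $initial }
}

# Domain join: run on the workstation (Windows PowerShell 5.1), not on the DC.
# -OUPath puts the computer object in Workstations instead of the default Computers container.
# Add-Computer -DomainName $domain.DNSRoot -OUPath "OU=Workstations,OU=Corp,$domainDN" -Credential (Get-Credential) -Restart
```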

5. Set Up Group Policy Objects (GPOs)
  • Use Group Policy Management Console (GPMC) to:

    • Set password policies

    • Configure desktop settings

    • Apply security restrictions

  • Link GPOs to OUs for granular control.


6. Configure Time Synchronization
  • Ensure all domain members sync time from the domain controller.

  • On the PDC Emulator, configure time settings (especially if virtualized).

w32tm /query /status
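Item 6 as a script, also covering the time-synchronization fixes in the troubleshooting sections further down. This is an added example, not from the course page; the NTP peers are placeholders for your organisation's approved time servers, and the Hyper-V provider step applies only to a DC running as a Hyper-V guest:

```powershell
# Added example: PDC emulator as the domain's reliable time source, other DCs on the domain
# hierarchy, then a skew measurement against the Kerberos tolerance.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator                          # FQDN of the PDC emulator
$self   = "$env:COMPUTERNAME.$($domain.DNSRoot)"

if ($self -ieq $pdc) {
    # Only the PDC emulator syncs from outside the domain. ",0x8" = client mode per peer.
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC (and all members) follows the domain hierarchy, which ends at the PDC emulator.
    w32tm /config /syncfromflags:domhier /update
}

# Hyper-V guest: stop the integration service from overriding the clock the hierarchy provides.
$cs = Get-CimInstance Win32_ComputerSystem
if ($cs.Manufacturer -eq 'Microsoft Corporation' -and $cs.Model -eq 'Virtual Machine') {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\VMICTimeProvider' `
        -Name Enabled -Value 0
}

Restart-Service w32time
w32tm /resync /rediscover | Out-Null
w32tm /query /status

# Kerberos rejects tickets when clocks differ by more than 5 minutes (default MaxClockSkew).
$sample = w32tm /stripchart /computer:$pdc /samples:3 /dataonly | Select-Object -Last 1
$offset = [double]((($sample -split ',')[1]).Trim().TrimEnd('s'))
if ([math]::Abs($offset) -gt 300) { Write-Warning "Offset from ${pdc}: ${offset}s exceeds the 300s Kerberos limit" }
else { "Offset from ${pdc}: ${offset}s, within Kerberos tolerance" }
```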

7. Secure the Domain Controller
  • Enable Windows Firewall and only allow required ports.

  • Disable unused services and admin shares.

  • Limit who has Domain Admin privileges.

  • Enable audit logging for security events.
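The four bullets of item 7 turned into a first hardening pass, as an added example that is not part of the course page. The management subnet 10.0.0.0/24 and the Print Spooler service are placeholders standing in for your own RDP source range and your own list of unneeded services; the audit subcategory names are the ones auditpol uses:

```powershell
# Added example: privileged-group review, audit policy, firewall baseline, unused services.
Import-Module ActiveDirectory

# Limit who has Domain Admin privileges: effective (nested) user members of the privileged groups.
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive | Where-Object { $_.objectClass -eq 'user' })
    '{0,-18} {1,3} user(s): {2}' -f $group, $members.Count, ($members.SamAccountName -join ', ')
}

# Enable audit logging for security events: authentication, privileged logon, and changes to
# accounts, groups and directory objects. Success and failure both matter on a DC.
$subcategories = 'Credential Validation', 'Kerberos Authentication Service', 'Logon', 'Special Logon',
                 'User Account Management', 'Security Group Management', 'Directory Service Changes'
foreach ($s in $subcategories) { auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null }
auditpol /get /category:* | Select-String -Pattern ($subcategories -join '|')
# "Directory Service Changes" (event 5136) only logs objects that also carry a SACL.

# Windows Firewall on for every profile, default inbound block. The AD DS/DNS role rules that
# Windows created stay enabled; RDP is pinned to the management subnet (placeholder).
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.0.0.0/24'

# Disable unused services: Print Spooler is the usual first candidate on a domain controller.
foreach ($svc in 'Spooler') {
    Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $svc -StartupType Disabled
}
```

The group listing is worth keeping as a baseline file: a later diff against it is the quickest way to spot an account that was added to Domain Admins without a change record.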


8. Back Up the Domain Controller
  • Perform a system state backup regularly using:

    • Windows Server Backup

    • Veeam or other third-party tools

  • Store backups securely offsite or in the cloud.


9. Document Configuration
  • Record:

    • Domain structure and naming

    • OU hierarchy

    • IP/DNS settings

    • Admin credentials (securely stored)

  • Helps in recovery, scaling, and audits.

  • Verifying the Active Directory Installation
  • Verify SRV Resource Records
  • Verify SYSVOL
  • Verify the Directory Database and Log Files
  • Verify the Installation Results by Examining the Event Logs
  • Implementing Active Directory Integrated Zones
  • Use DNS to Integrate a DNS Zone with Active Directory
  • Implement a Forward Lookup Zone
  • Implement a Reverse Lookup Zone
  • Securing Updates for Active Directory Integrated Zones
  • Use DNS to Secure Updates for Active Directory Integrated Zones
  • Secure the Active Directory Integrated Zones to Enable You to Control Access to Zones and Resource Records
  • Changing the Domain Mode
  • Active Directory Installs in Mixed Mode to Provide Support for Existing Domain Controllers
  • Group Nesting and Universal Security Groups Requires a Domain to Be in Native Mode
  • Implementing an Organizational Unit Structure
  • Enhance Administrative Control
  • Delegate administrative control over network resources
  • Group similar network resources under one OU
  • Simplify object administration, and control visibility of network resources
  • Make resource administration more efficient
  • Control Group Policy Application
Troubleshooting Common Issues During Active Directory Installation

Active Directory installation issues often stem from DNS misconfigurations, replication errors, network problems, or system prerequisites not being met. Troubleshooting involves verifying DNS, ensuring proper IP settings, and checking logs for detailed error messages.

Troubleshooting the Common Issues During Active Directory Installation

Installing Active Directory Domain Services (AD DS) can occasionally lead to errors that block domain controller promotion or prevent proper configuration. Here are the most common issues and how to fix them effectively.


1. DNS Configuration Errors

Symptoms:

  • Cannot locate domain controller.

  • SRV records not created.

  • DCDiag shows DNS failures.

Fix:

  • Ensure the server uses a static IP address.

  • Point DNS to the local server IP (not 8.8.8.8 or public DNS).

  • Verify DNS Server role is installed and zone matches domain name.

  • Run:

ipconfig /registerdns
dcdiag /test:dns

2. Domain Name or NetBIOS Conflicts

Symptoms:

  • “The specified domain already exists.”

  • Naming conflict error.

Fix:

  • Use a unique internal domain name (e.g., corp.local).

  • Check NetBIOS name isn’t conflicting with an existing domain.

  • Delete failed AD remnants using ntdsutil if needed.


3. Incorrect Forest/Domain Choices

Symptoms:

  • Cannot add a domain controller.

  • Trust relationship fails.

Fix:

  • Ensure you’re selecting the right option:

    • New forest for the first domain.

    • Add domain controller to existing domain for secondary DCs.

  • Use proper domain admin credentials when joining existing domains.


4. Network Connectivity Issues

Symptoms:

  • Server cannot reach DNS or existing DCs.

  • Errors during replication or domain join.

Fix:

  • Verify server has correct subnet, gateway, and DNS settings.

  • Test network with ping, nslookup, and tracert.

  • Check firewall rules on both ends.


5. Time Synchronization Problems

Symptoms:

  • Kerberos errors.

  • Logon or trust failures.

Fix:

  • Ensure time on all servers is within 5 minutes of each other.

  • Use:

w32tm /resync

6. Missing Prerequisites

Symptoms:

  • Role installation fails or AD wizard won’t launch.

Fix:

  • Ensure:

    • Correct Windows Server edition is used.

    • System is fully updated.

    • Minimum RAM, disk space, and CPU requirements are met.


7. Promotion Wizard Crashes or Freezes

Symptoms:

  • Stuck on “Replicating domain information” or similar.

Fix:

  • Restart the wizard or use PowerShell alternative:

Install-ADDSForest -DomainName "corp.local" -InstallDNS -SafeModeAdministratorPassword (Read-Host -AsSecureString)

  • Fixing “Access Denied” Errors When Creating or Adding Domain Controllers

“Access Denied” errors during domain controller creation usually occur due to insufficient permissions, DNS issues, replication failures, or time synchronization problems. Proper credentials and network setup are key to resolving this.

Access Denied While Creating or Adding Domain Controllers

Encountering an “Access Denied” error when trying to create or add a domain controller to your Active Directory environment is frustrating — but fixable. This issue typically stems from misconfigured permissions, replication issues, or DNS and time problems.


Common Causes of “Access Denied” Errors
1. Insufficient Permissions
  • You’re logged in with a user account that lacks the required Domain Admin or Enterprise Admin rights.

Fix:

  • Use an account that is a member of the Domain Admins group (for new DCs).

  • For new forests or the first DC, local Administrator permissions are sufficient.


2. DNS Misconfiguration
  • If DNS isn’t pointing to a valid AD DNS server, domain join and promotion will fail.

Fix:

  • Set the preferred DNS server to the IP address of the existing domain controller (or itself if it’s the first DC).

  • Avoid using external DNS (like 8.8.8.8) during installation.

  • Use:

nslookup domain.local
ipconfig /all

3. Replication or Trust Issues
  • An existing DC cannot authenticate the new server due to trust or replication problems.

Fix:

  • Use repadmin /replsummary and dcdiag to check replication health.

  • Ensure firewalls allow necessary ports (TCP/UDP 135, 389, 636, 3268, 53, etc.).


4. Time Synchronization Problems
  • Kerberos authentication fails if the clocks are out of sync.

Fix:

  • Sync the server’s time with the domain controller or an external NTP source.

  • Run:

w32tm /resync

5. Active Directory Object Already Exists
  • An attempt to add a DC fails because a computer object with that name already exists in AD and the account being used lacks permission to reuse it.

Fix:

  • Open Active Directory Users and Computers and check under:

    • Domain Controllers

    • Computers

  • Delete any existing entry with the same hostname.


6. Group Policy or Security Restrictions
  • Organizational policies may block domain join or promotion.

Fix:

  • Review GPOs applied to the server.

  • Temporarily move the server to a test OU with minimal policies.

  • DNS or NetBIOS Domain Names Are Not Unique
  • Domain Cannot Be Contacted
  • Insufficient Disk Space
How to Safely Remove Active Directory Domain Services from a Windows Server

Removing Active Directory involves demoting the domain controller and uninstalling the AD DS role. This process must be done carefully to prevent replication or authentication issues in your domain environment.

Removing Active Directory from a Windows Server

Removing Active Directory Domain Services (AD DS) from a Windows Server requires demoting the domain controller, especially if the server is no longer needed or being decommissioned. Proper removal ensures no residual metadata or replication issues in the domain.


When Should You Remove AD DS?
  • The domain controller is being retired.

  • You need to reinstall or reconfigure the server.

  • You’re removing a test environment.

  • The domain is being decommissioned.


Important Pre-Checks
  • Make sure this is not the last domain controller (unless you are removing the domain entirely).

  • Transfer FSMO roles to other DCs if applicable.

  • Back up the system or perform a system state backup.

  • Check for and resolve replication issues using:

repadmin /replsummary

Step-by-Step: Demote Domain Controller (GUI Method)
  1. Open Server Manager.

  2. Go to Manage > Remove Roles and Features.

  3. Uncheck Active Directory Domain Services.

  4. Click Demote this domain controller when prompted.

  5. Choose:

    • Force removal if replication is broken (not recommended unless necessary).

    • Provide local admin password for post-removal login.

  6. Review options and click Demote.

  7. After reboot, the server is no longer a domain controller.

Step-by-Step: Demote Using PowerShell

Uninstall-ADDSDomainController -DemoteOperationMasterRole -RemoveApplicationPartitions -Force -LocalAdministratorPassword (Read-Host -AsSecureString "Set new local admin password")

Post-Demotion Tasks
  • Confirm server has been removed from:

    • Active Directory Sites and Services

    • AD Users and Computers (Domain Controllers OU)

  • Check DNS Manager and remove stale records.

  • Run:

dcdiag
netdom query fsmo
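The pre-checks, demotion and post-demotion checks above as one script, added here as an example that is not part of the course material. It assumes the RSAT tools on the DC being retired and a remaining DC named DC02 (a placeholder) to receive any FSMO roles; roles are transferred explicitly rather than left to -DemoteOperationMasterRole, so the script can refuse to continue when replication is unhealthy:

```powershell
# Added example: guarded demotion of a domain controller.
Import-Module ActiveDirectory
$target = 'DC02'                                 # placeholder: a DC that stays in the domain
$me     = Get-ADDomainController -Identity $env:COMPUTERNAME
$domain = Get-ADDomain
$forest = Get-ADForest

# Pre-check 1: never demote the last DC unless the whole domain is being decommissioned.
$dcs = @(Get-ADDomainController -Filter *)
if ($dcs.Count -lt 2) { throw "This is the last DC in $($domain.DNSRoot); demoting it destroys the domain." }
if (-not ($dcs.HostName -icontains "$target.$($domain.DNSRoot)")) { throw "Target DC $target not found in $($domain.DNSRoot)" }

# Pre-check 2: replication into and out of this DC must be clean (same data as repadmin /replsummary).
$repl = repadmin /showrepl $env:COMPUTERNAME /csv | ConvertFrom-Csv
if ($repl | Where-Object { $_.'Number of Failures' -ne '0' }) { throw 'Replication failures present; fix them before demoting.' }

# Pre-check 3: transfer every FSMO role this DC holds to the target.
$roles = @()
if ($domain.PDCEmulator          -ieq $me.HostName) { $roles += 'PDCEmulator' }
if ($domain.RIDMaster            -ieq $me.HostName) { $roles += 'RIDMaster' }
if ($domain.InfrastructureMaster -ieq $me.HostName) { $roles += 'InfrastructureMaster' }
if ($forest.SchemaMaster         -ieq $me.HostName) { $roles += 'SchemaMaster' }
if ($forest.DomainNamingMaster   -ieq $me.HostName) { $roles += 'DomainNamingMaster' }
if ($roles.Count -gt 0) {
    "Moving FSMO roles to ${target}: $($roles -join ', ')"
    Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $roles -Confirm:$false
}

# Demotion. The new local Administrator password is prompted for; reboot is left to the operator.
$localPw = Read-Host -Prompt 'New local Administrator password' -AsSecureString
Uninstall-ADDSDomainController -LocalAdministratorPassword $localPw -Force -NoRebootOnCompletion
Write-Warning 'Demotion complete; reboot the server, then run the post-demotion checks from a remaining DC.'

# Post-demotion, on a remaining DC (the old host should no longer appear in any of these):
#   dcdiag
#   netdom query fsmo
#   Get-ADDomainController -Filter * | Select-Object HostName, Site
#   Get-DnsServerResourceRecord -ZoneName $domain.DNSRoot -RRType A |
#       Where-Object { $_.HostName -ieq $env:COMPUTERNAME }     # stale A records to remove
```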

  • Using the Active Directory Installation Wizard
  • Providing appropriate administrative credentials
  • The Active Directory Installation Wizard Performs Specific Removal Operations Depending on the Type of Domain Controller
Best Practices
  • Implement Multiple Domain Controllers in a Domain
  • Reduce Administrative Overhead by Grouping Objects in an OU
  • Start with a Single Domain
  • Establish a Functional DNS Infrastructure
  • Install the Directory Database and Log Files on Separate Drives
  • Allow Free Disk Space for Directory Database and Log Files
  • Allow Free Disk Space for SYSVOL