Hey guys! Thanks for taking a minute to be a part of our PDQ.com Boot Camp series. If you’re a new IT professional or just new to PDQ.com, this post is sure to help ease your stress levels a bit. Today we’ll break down the steps necessary for creating a new domain controller.
Set a static IP address
To start, give your domain controller a static IP address (one that isn’t in a DHCP range either) so that it cannot change automatically.
Install the Role
From the Server Manager, click Manage > Add Roles and Features; this will open up the Add Roles and Features Wizard. Once it’s open, there isn’t much to do except click next until you reach the Server Roles section. Once there, click the check box next to Active Directory Domain Services. Another window should open asking if you want to install Active Directory Administrative Center and the AD DS Snap-in and Command-Line Tools. We recommend you accept this and click the Add Features button with the Include Management tools (if applicable) box checked as well.
That will be the only role to include this time, so you can click next, and you can click next through the features section as well. Once you reach the confirmation section, it will display the list of roles and features to be installed; it should match the image below. Click install and now we wait!
And we’re done! What? You’re not done yet? Let’s get going!!!
Promoting to a Domain Controller
Now that the ADDS (Active Directory Domain Services) role is installed, we’ll need to promote the first domain controller. You can do this from the Server Manager by clicking on the flag in the top right-hand corner and pressing the “Promote this server to a domain controller” button; the Active Directory Domain Services Configuration Wizard should then open.
Since we’re starting new and fresh we’ll have to configure the forest (a forest in ADDS is a collection of domains) by clicking the New Forest radio button and entering the root domain name into the text box. It’s recommended to check any current Microsoft documentation to see if the recommendations have changed. At this time we recommend you use a real domain name (that you own) and append some sort of subdomain to it. In our example, we used ad.whiskeytime.club, and yes, it’s a real domain name!
Once the “Add a new forest” radio button is checked and the root domain name has been chosen, click next. Here we’ll set the forest and domain functional levels, domain controller capabilities, and the Directory Services Restore Mode password. When you set the restore mode password, be sure to save it, as without it you cannot access restore mode! Be sure to leave the DNS server option checked, as without it you’ll have a very tough time. Click next; you’ll be informed that a DNS delegation could not be created. This is expected for a new forest. Click next again and wait a little for the validation to complete before entering the NetBIOS name for the new domain.
By default, the NetBIOS name will be set to the highest subdomain in the domain name; in our case it will be AD for ad.whiskeytime.club, but we’ll change it to WHISKEYTIME. You should set the NetBIOS name to whatever makes the most sense in your environment. Chances are that will be the plain domain name too. Click next.
Next come the locations to save the ADDS database to. Unless you know better and have a good reason to change the directories, we recommend leaving the default values and clicking next. And finally we arrive at the review section. This part shows what options have been selected so far and, if you want it, the View Script button gives you a PowerShell script showing how to do exactly what we’ve done without the GUI wizard. Click next and wait for the final validation to complete.
Bringing it all Together
On this final page, you might get some warnings that a DNS delegation zone could not be created for a new domain; this is expected. If you set the forest and domain functional levels to 2016, you’ll also see an error that the (hopefully soon-to-be-extinct) dinosaurs (Windows NT 4.0) cannot communicate using the cryptographic algorithms that the 2016 levels require. Now click install; you’ll be signed out. Then wait for the process to complete. Once the process is completed, you’ll be able to sign in with the freshly minted domain admin account and start domain admining!
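For repeatable builds, the whole walkthrough above can be scripted. The following is an added example, not the script the wizard’s View Script button generates and not PDQ.com’s own code; it uses the domain and NetBIOS names from this post and assumes the 2016 functional level (`WinThreshold`), and it prompts for the restore mode password so the secret is never stored in the script.

```powershell
# Added example: unattended equivalent of the wizard steps in this post.
# Run in an elevated PowerShell session on the server being promoted.
$DomainName  = 'ad.whiskeytime.club'   # root domain used in this post
$NetBiosName = 'WHISKEYTIME'           # NetBIOS name chosen in this post
$Level       = 'WinThreshold'          # assumption: 2016 forest/domain level

# 1. Stop if any connected IPv4 interface still gets its address from DHCP.
$dhcp = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
    Where-Object { $_.Dhcp -eq 'Enabled' }
if ($dhcp) {
    throw "Static IP required; DHCP is enabled on: $($dhcp.InterfaceAlias -join ', ')"
}

# 2. Install the AD DS role together with its management tools.
$role = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $role.Success) { throw 'AD DS role installation failed.' }

# 3. Prompt for the DSRM password so it never lands in the script or in
#    shell history. Save it in your password vault; restore mode needs it.
$dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

# Same choices as the wizard: new forest, DNS server on, no DNS delegation.
# Database, log and SYSVOL paths are omitted so the defaults are used.
$forest = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetBiosName
    ForestMode                    = $Level
    DomainMode                    = $Level
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    SafeModeAdministratorPassword = $dsrm
}

# 4. Run the prerequisite checks first and stop on any error result.
Import-Module ADDSDeployment
$checks = Test-ADDSForestInstallation @forest
$checks | Format-List Context, Status, Message
if ($checks | Where-Object { $_.Status -eq 'Error' }) {
    throw 'Prerequisite check failed; review the messages above.'
}

# 5. Promote. The server restarts automatically when promotion finishes.
Install-ADDSForest @forest -Force
```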
Don’t forget to check out this video for even more helpful information on setting up a new domain controller.