How to Configure Active Directory and Set Up Your First Domain Controller on Windows Server

May 31, 2026 Windows Server
Summarize this article with:
Last update: May 31, 2026 7 min read

Overview

Active Directory (AD) is Microsoft’s directory service for managing users, computers, and policies across a Windows network. When you install it on a server, that server becomes a domain controller — the authority that authenticates everyone logging into your domain. If you’re running a business network, hosting internal apps on a Dedicated Server, or building out a Windows-based infrastructure, Active Directory is almost certainly part of the plan.

Most people hit this guide because they’ve spun up a fresh Windows Server instance and need to get AD running from scratch — either for a new domain or to add a second domain controller to an existing one. This article covers the first scenario: a clean installation on Windows Server 2019 or 2022, promoting the server to a new forest and domain.

The process itself takes about 20 minutes. What takes longer is cleaning up mistakes made during setup — DNS misconfiguration being the big one. I’ll flag those as we go.

Prerequisites

  • Windows Server 2019 or 2022 (Standard or Datacenter edition) — fully updated
  • Administrator-level access to the server
  • A static private IP address assigned to the server’s network adapter — DHCP addresses will cause problems after promotion
  • A planned domain name in the format yourdomain.local or an internal subdomain like corp.yourdomain.com — avoid using your public domain name directly
  • At least 4 GB RAM and 40 GB disk space (AD SYSVOL and logs grow over time)
  • RDP access or direct console access — you will need to restart the server during this process

📝 Note: If this server is hosted on bare metal, Host & Tech’s Dedicated Servers give you full control over network configuration including static IPs, which is exactly what AD needs. VPS environments work too, but confirm you can set a static private IP before starting.

Step-by-Step Instructions

Step 1: Set a Static IP Address

Before installing any roles, assign a static IP. Once this server is a domain controller, other machines will point to it for DNS. If the IP changes, authentication breaks.

  1. Open Settings > Network & Internet > Change adapter options.
  2. Right-click your primary network adapter and select Properties.
  3. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  4. Set your IP, subnet mask, and default gateway. For the Preferred DNS Server, enter 127.0.0.1 — this server will be its own DNS after promotion.

⚠ Warning: Do not skip the DNS field. If the server can’t resolve DNS for its own domain after promotion, replication and authentication will silently fail. Setting 127.0.0.1 here is the correct move.

Step 2: Set the Server Hostname

Pick a meaningful hostname now — changing it after promotion is painful and can break AD replication.

  1. Open Server Manager > Local Server.
  2. Click the current computer name and select Change.
  3. Enter your hostname (e.g., DC01) and click OK.
  4. Restart when prompted.

Step 3: Install the AD DS Role

You can do this through Server Manager or PowerShell. PowerShell is faster and easier to document for repeat deployments.

Option A — PowerShell (recommended):

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Option B — Server Manager GUI:

  1. Open Server Manager and click Add roles and features.
  2. Click through to Server Roles and check Active Directory Domain Services.
  3. Accept the additional features prompt and click Install.
  4. Wait for installation to complete — don’t restart yet.

Step 4: Promote the Server to a Domain Controller

Installing AD DS doesn’t make the server a domain controller. You need to run the promotion wizard next.

Via PowerShell (new forest, clean install):

Import-Module ADDSDeployment

Install-ADDSForest `
  -CreateDnsDelegation:$false `
  -DatabasePath "C:WindowsNTDS" `
  -DomainMode "WinThreshold" `
  -DomainName "corp.yourdomain.com" `
  -DomainNetbiosName "CORP" `
  -ForestMode "WinThreshold" `
  -InstallDns:$true `
  -LogPath "C:WindowsNTDS" `
  -NoRebootOnCompletion:$false `
  -SysvolPath "C:WindowsSYSVOL" `
  -Force:$true

You’ll be prompted to enter a Safe Mode Administrator Password (DSRM password). Store this somewhere secure — it’s the only way to recover AD if something goes wrong at the directory level.

📝 Note: WinThreshold corresponds to Windows Server 2016 functional level, which is the current maximum even on Server 2022. This is intentional — Microsoft hasn’t released a new functional level since 2016.

Via GUI:

  1. In Server Manager, click the flag icon with the warning triangle (appears after AD DS installs) and select Promote this server to a domain controller.
  2. Select Add a new forest and enter your root domain name.
  3. Set forest and domain functional levels to Windows Server 2016.
  4. Leave DNS server checked.
  5. Set your DSRM password and click through the remaining screens.
  6. Click Install. The server will restart automatically.

Step 5: Verify the Domain Controller is Healthy

After the server restarts, log in with your domain admin account: CORPAdministrator or Administrator@corp.yourdomain.com. Then run the following checks.

# Check AD DS services are running
Get-Service adws, kdc, netlogon, dns | Select-Object Name, Status

# Verify the domain controller
Get-ADDomainController

# Run the built-in diagnostic tool
dcdiag /test:dns /v

All critical tests in dcdiag should pass. If DNS tests fail, see the troubleshooting section below.

Step 6: Create Your First Organisational Unit and User

This is the minimal setup you need to start managing users through AD instead of local accounts.

# Create an Organisational Unit
New-ADOrganizationalUnit -Name "Staff" -Path "DC=corp,DC=yourdomain,DC=com"

# Create a user inside it
New-ADUser `
  -Name "Jane Smith" `
  -GivenName "Jane" `
  -Surname "Smith" `
  -SamAccountName "jsmith" `
  -UserPrincipalName "jsmith@corp.yourdomain.com" `
  -Path "OU=Staff,DC=corp,DC=yourdomain,DC=com" `
  -AccountPassword (ConvertTo-SecureString "P@ssword123!" -AsPlainText -Force) `
  -Enabled $true

⚠ Warning: That password is for illustration only. Enforce a real password policy before any users go near this system. Set it in Group Policy Management > Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Account Policies.

Common Issues & Troubleshooting

DNS resolution fails after promotion

This is the most common post-promotion problem. The server promoted fine but nslookup or dcdiag /test:dns returns errors. The usual cause: the network adapter’s DNS server is still pointing to an external IP (your router, ISP, or a public resolver like 8.8.8.8) instead of 127.0.0.1.

Go back to your adapter settings and set the preferred DNS to 127.0.0.1. Then flush DNS and re-register:

ipconfig /flushdns
ipconfig /registerdns
Restart-Service dns

“The operation failed because: The RPC server is unavailable”

Usually a firewall issue. AD requires a significant number of ports open between domain controllers and client machines. Check that Windows Firewall isn’t blocking RPC. The quickest diagnostic is temporarily enabling the built-in “Active Directory Domain Services” firewall rule group:

Enable-NetFirewallRule -DisplayGroup "Active Directory Domain Services"

If that fixes it, tighten the rules properly rather than leaving the full group open.

Users can’t log in: “The trust relationship between this workstation and the primary domain failed”

This means the computer account in AD is out of sync — common after a VM snapshot restore or cloning a machine. Fix it by rejoining the domain. On the affected workstation:

# Run as local administrator
Reset-ComputerMachinePassword -Server DC01 -Credential (Get-Credential)

Then restart the workstation. No need to remove and rejoin the domain.

dcdiag reports “failed test VerifyReferences” or “failed test SysVolCheck”

SYSVOL isn’t replicating or hasn’t finished initialising. This often happens on a freshly promoted DC if you check too quickly. Wait 5 minutes and run dcdiag again. If it still fails, check the NETLOGON and SYSVOL shares exist:

net share

If they’re missing, the DFSR service may not have completed initial sync. Check Event Viewer under Applications and Services Logs > Microsoft > Windows > DFSR for errors.

Promotion fails with “Verification of prerequisites failed”

Almost always caused by the server not being able to resolve its own hostname via DNS before promotion. Make sure the static IP and DNS settings from Step 1 are correct, then run:

Resolve-DnsName $env:COMPUTERNAME

If that fails, fix DNS first. Promotion won’t proceed until the server can resolve itself.

FAQ

Frequently Asked Questions

Do I need a dedicated server to run Active Directory, or can I use a VPS?

A VPS can run a domain controller, but for production environments handling real user authentication, a dedicated server is a better fit. AD is sensitive to network latency and consistent IP addressing — things bare metal handles more predictably. If you’re evaluating or running a small internal setup, a VPS is fine to start with.

What's the difference between a domain and a forest in Active Directory?

A forest is the top-level security boundary in AD — it’s the container that holds one or more domains. Most small-to-medium organisations run a single forest with a single domain. You’d use multiple domains within one forest if you have separate business units that need different policies but still need to trust each other.

Should I use .local for my internal Active Directory domain name?

No — and this is a mistake a lot of people made in the early 2000s that’s still causing headaches. The .local TLD conflicts with mDNS (Bonjour/Avahi) and can cause certificate issues. Microsoft’s current guidance is to use a subdomain of a domain you actually own and control, like corp.yourdomain.com or ad.yourdomain.com.

How do I add a second domain controller for redundancy?

Install AD DS on the second server, then run the promotion wizard and choose ‘Add a domain controller to an existing domain’ instead of creating a new forest. Point the second server’s DNS at the first DC during setup. Once promoted, update it to also point at itself as a secondary DNS. You want at least two DCs in any production environment — if the only domain controller goes down, nobody can log in.

What is the DSRM password and do I actually need it?

DSRM stands for Directory Services Restore Mode — it’s a special boot mode for recovering a corrupted or failed Active Directory database. The password is set during promotion and is separate from your regular administrator password. You probably won’t need it often, but if AD breaks badly enough that you can’t log in normally, it’s the only way in. Store it in a password manager or secure vault the moment you set it.

Related Articles

How to Configure SSL Certificate in IIS (Windows Server 2019 / 2022) Windows Server Backup and Recovery: A Complete Setup Guide How to Install and Configure IIS on Windows Server

SHARE THIS ARTICLE

Need help with your hosting?

Host & Tech provides 24/7 support for all VPS, dedicated, and shared hosting customers.

Contact Support View Plans
Scroll to Top