Installing Active Directory Domain Services
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Lesson: Installing Active Directory Domain Services (AD DS)
Introduction: The Foundation of Identity Management
Active Directory Domain Services (AD DS) serves as the backbone of identity and access management in the vast majority of enterprise environments running Windows Server. At its core, AD DS is a database and a set of services that connect users with the network resources they need to get their work done. It acts as the "phone book" of the network, storing information about users, computers, printers, and security groups, while simultaneously managing the authentication and authorization processes that keep your data secure.
When you deploy AD DS, you are moving away from decentralized, standalone machine management toward a centralized, policy-driven infrastructure. Without a directory service, managing user permissions, password policies, and software distribution across a fleet of computers would require manual configuration on every single device. By installing AD DS, you gain the ability to enforce consistent security configurations, deploy software updates, and manage user access from a single point of control. Understanding the installation process is not just about clicking "next" in a wizard; it is about understanding how the directory architecture supports the needs of your organization.
In this lesson, we will explore the technical requirements, the installation process, and the post-installation tasks required to build a functioning domain controller. We will examine the transition from a standalone server to a domain controller, the implications of forest and domain functional levels, and the critical importance of DNS integration. By the end of this module, you will have the knowledge required to deploy a new domain environment from the ground up, following industry best practices to ensure your directory service is stable, secure, and ready for production.
Prerequisites for AD DS Deployment
Before you begin the installation of Active Directory, you must ensure that your environment is prepared. Deploying AD DS is a significant change to your network architecture, and skipping the planning phase often leads to difficult-to-resolve issues later.
Hardware and OS Requirements
While modern Windows Server versions have relatively low base hardware requirements, AD DS performance is highly dependent on memory and disk I/O. For a production environment, you should ensure that your server has a static IP address, as dynamic addressing via DHCP will break the functionality of your domain controllers. Furthermore, ensure that the server is updated with the latest security patches before you promote it to a domain controller.
The Role of DNS
DNS is the heartbeat of Active Directory. AD DS relies on DNS to locate domain controllers, services, and resources. If your DNS configuration is incorrect, your clients will not be able to find the domain, and replication between domain controllers will fail. You should ideally configure your domain controller to use its own IP address as its primary DNS server, and point to a stable upstream DNS server for external resolution.
Planning the Namespace
You must decide on a Fully Qualified Domain Name (FQDN) for your forest. A common pitfall is using a domain name that you do not own, such as "company.local." While this was common practice years ago, industry standards now recommend using a subdomain of a registered public namespace, such as "corp.example.com." This avoids potential conflicts with public DNS records and simplifies SSL certificate management for internal services.
Step-by-Step Installation Process
The installation of AD DS is a two-part process. First, you install the binary files for the Active Directory Domain Services role. Second, you "promote" the server to a domain controller by configuring the directory database and forest structure.
Phase 1: Installing the Role Binaries
You can perform this step using the Server Manager GUI or via PowerShell. For automation and consistency, learning the PowerShell method is highly recommended.
Using PowerShell: To install the AD DS role, execute the following command in an elevated PowerShell window:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
This command installs the necessary binaries and the Active Directory module for PowerShell, which includes the tools needed for management and the promotion process.
Phase 2: Promoting the Server to a Domain Controller
Once the binaries are installed, you must configure the server to act as a domain controller. This involves creating a new forest, a new domain tree, or adding a domain controller to an existing domain.
Using the Configuration Wizard:
- Open Server Manager and click the yellow notification flag in the top right corner.
- Select "Promote this server to a domain controller."
- In the Deployment Configuration wizard, choose "Add a new forest" if this is your first server.
- Enter your chosen Root Domain Name.
- Select the Forest and Domain Functional Levels.
Callout: Understanding Functional Levels Functional levels determine the capabilities of your domain and forest. Setting the functional level to the highest version supported by all your domain controllers allows you to take advantage of the latest features, such as advanced encryption types and improved password policies. However, once raised, you cannot easily lower the functional level, so ensure all domain controllers are running the target OS version before making the change.
Phase 3: Domain Controller Options
During the promotion, you will be asked to configure several critical settings:
- DNS Server: It is almost always recommended to keep this checked. The domain controller will host the DNS zones for your domain.
- Global Catalog (GC): This is checked by default for the first domain controller. The GC is essential for searching across the forest.
- Directory Services Restore Mode (DSRM) Password: This password is used when you need to perform maintenance on the AD database in an offline state. Store this password in a secure, offline password manager.
PowerShell Automation for AD DS Deployment
In modern infrastructure, manual GUI installations are discouraged because they are prone to human error and difficult to audit. Using the Install-ADDSForest cmdlet allows you to script the creation of your domain, ensuring that every setting is applied exactly as intended.
Example Script for Forest Creation:
# Define parameters for the new domain
$domainName = "corp.contoso.com"
$netbiosName = "CONTOSO"
$safeModePassword = Read-Host -AsSecureString "Enter DSRM Password"
# Install the forest
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2016" `
-DomainName $domainName `
-ForestMode "Win2016" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true
Explanation of the Script:
-CreateDnsDelegation: Set to$falsebecause this is the root of the forest.-DatabasePathand-LogPath: It is a best practice to keep these on separate physical disks from the operating system to improve performance and prevent system crashes from corrupting the database.-DomainModeand-ForestMode: These set the functional levels. Always choose the highest version compatible with your environment.-Force: This suppresses the confirmation prompts, making the script suitable for unattended deployment.
Post-Installation Best Practices
After the server reboots and becomes a domain controller, your work is not finished. A raw installation is functional but not yet secure or optimized for an enterprise environment.
1. Verify DNS Configuration
Check the DNS manager and ensure that the SRV records for the domain exist. These records are how clients find your domain controllers. You can test this by running the following command in Command Prompt:
nslookup -type=srv _ldap._tcp.dc._msdcs.corp.contoso.com
If the command returns the IP address of your domain controller, your DNS is configured correctly.
2. Configure Time Synchronization
Active Directory relies on Kerberos for authentication, which requires time synchronization between clients and servers. If the time difference between a client and the domain controller is more than five minutes, authentication will fail. Ensure your domain controller is configured to sync with an external, reliable time source (NTP).
3. Secure the SYSVOL Share
The SYSVOL share contains Group Policy Objects (GPOs) and login scripts. Ensure that the permissions on the SYSVOL folder are restricted to authorized administrators. Regularly check that the file replication service (DFS-R) is healthy, as this ensures policies are identical across all domain controllers.
4. Implement Delegated Administration
Never use the "Domain Admin" account for daily tasks. Create separate, lower-privileged accounts for daily administrative work. Use the principle of least privilege, assigning specific permissions only when necessary.
Callout: The Danger of Domain Admin Using a Domain Admin account for routine tasks like checking printer queues or resetting user passwords is a significant security risk. If that account is compromised, the attacker gains full control over the entire forest. Always use a tiered administrative model where you use restricted accounts for standard tasks and reserve Domain Admin credentials for high-level directory changes only.
Common Pitfalls and Troubleshooting
Even with careful planning, issues can arise during or after installation. Here are some of the most common mistakes and how to avoid them.
Pitfall 1: Using the Wrong DNS Settings
Many administrators forget to update the TCP/IP settings of the server after it is promoted. If the server is still pointing to an external DNS provider (like 8.8.8.8) instead of its own loopback address (127.0.0.1), the local DNS service will fail to resolve internal records properly.
- Fix: Always ensure the primary DNS server on the NIC is set to 127.0.0.1.
Pitfall 2: Neglecting Database Placement
Installing the NTDS database on the C: drive is a common mistake. If the OS partition fills up, the Active Directory database will stop responding, causing the entire network to lose authentication services.
- Fix: Always place the NTDS database (
ntds.dit) and log files on a dedicated, high-performance volume, separate from the operating system files.
Pitfall 3: Ignoring Replication Errors
If you are adding a second domain controller, you might encounter replication errors due to firewall settings or mismatched DNS configurations.
- Fix: Run
dcdiag /vto perform a comprehensive health check of your domain controller. This tool examines everything from DNS connectivity to replication status and provides a clear report of any failures.
Comparison of Installation Methods
| Feature | Server Manager (GUI) | PowerShell (CLI) |
|---|---|---|
| Ease of Use | High (Visual steps) | Moderate (Requires syntax knowledge) |
| Consistency | Low (Manual input) | High (Repeatable scripts) |
| Automation | Not possible | Fully automated |
| Error Logging | Limited | High (Detailed console output) |
| Auditing | Difficult to track | Easy to version control (Git) |
Managing Active Directory Post-Deployment
Once the domain is up and running, you need to establish a routine for managing the environment. Active Directory is a living system that requires maintenance to ensure that user accounts are current, groups are correctly populated, and security policies are enforced.
User and Computer Management
Use the "Active Directory Users and Computers" (ADUC) snap-in to organize your environment into Organizational Units (OUs). OUs allow you to delegate administrative control and apply Group Policy Objects (GPOs) to specific subsets of users or machines. For example, you might create an OU for "Workstations" and another for "Servers," applying different security policies to each.
Group Policy Management
Group Policy is one of the most powerful features of AD DS. It allows you to manage everything from desktop wallpapers to complex registry settings across thousands of computers. When creating GPOs, always test them in a pilot OU before applying them to your entire organization. A poorly configured GPO can break access to critical services or lock users out of their workstations.
Monitoring Directory Health
You should treat your domain controllers as critical infrastructure. Use monitoring tools to track CPU usage, memory consumption, and disk latency. More importantly, monitor the health of the Active Directory database itself. The ntds.dit file should be backed up regularly using system-state backups. Never attempt to manually copy or move the database file while the service is running; always use the provided backup tools.
Security Considerations for AD DS
The security of your domain is paramount. An attacker who gains control of your domain controller effectively owns the entire network.
Physical Security
If someone has physical access to your domain controller, they can boot from an external drive, bypass the operating system, and potentially extract the ntds.dit file. Always keep domain controllers in a locked, secure server room with limited access.
Network Segmentation
Domain controllers should be placed in a restricted network zone. Use firewalls to ensure that only necessary traffic is allowed to and from the domain controllers. Specifically, ensure that management traffic is restricted to known administrative workstations.
Patch Management
Domain controllers are high-value targets. Maintain a strict patch management schedule, but always test updates in a lab environment first. A faulty update can cause replication issues or service outages that are difficult to diagnose in a production environment.
Advanced Deployment: Read-Only Domain Controllers (RODC)
In branch offices or locations where physical security cannot be guaranteed, you should consider deploying a Read-Only Domain Controller (RODC). An RODC contains a read-only copy of the Active Directory database and does not replicate changes back to the main forest. If an attacker physically steals an RODC, they cannot use it to compromise the rest of the domain, as it does not hold the full set of credentials for the entire forest.
Benefits of RODC:
- Increased Security: Even if stolen, the secrets on the device are limited.
- Reduced Bandwidth: It can be configured to filter which credentials are cached locally.
- Simplified Deployment: It is designed for environments with limited IT staff.
When to use an RODC:
- Small branch offices with no dedicated server room.
- Environments where physical access is shared with non-IT staff.
- Locations with high-latency network connections back to the main site.
The Role of Functional Levels in Detail
When you install a new forest, you select the Forest Functional Level (FFL) and the Domain Functional Level (DFL). These settings define the "feature set" available to your domain. For instance, if you are running Windows Server 2022, you should set your FFL and DFL to Windows Server 2016 or higher. This enables features like:
- Active Directory Recycle Bin: Allows you to restore accidentally deleted objects without performing an authoritative restore.
- Fine-Grained Password Policies: Allows you to apply different password complexity requirements to different sets of users.
- Advanced Cryptography: Better support for AES encryption in Kerberos tickets.
Note: The functional level does not change the version of the operating system on your servers. It only changes the features available within the Active Directory database. You can have a Windows Server 2022 server running at a Windows Server 2012 functional level, but you will not be able to use the features introduced in 2016 or 2019.
Step-by-Step: Validating Your Installation
Once you have successfully promoted your server, you must validate that the installation is healthy. Follow these steps to ensure that your domain is ready for production:
- Check the Event Viewer: Open
eventvwr.mscand navigate to the "Directory Service" log. Look for any errors or warnings related to replication or database consistency. - Verify DNS Records: Open the DNS Manager and ensure that the
_msdcs,_sites,_tcp, and_udpfolders are populated. These are created automatically by the domain controller to advertise its services. - Test User Authentication: Create a test user account in ADUC and attempt to log in to a workstation that is joined to the domain using that account.
- Check Replication (if applicable): If you have more than one domain controller, run
repadmin /replsummaryto ensure that all controllers are communicating and that changes are being replicated across the environment. - Review SYSVOL: Navigate to
C:\Windows\SYSVOL\sysvoland ensure that the domain folder is present. This verifies that the GPO and script shares have been initialized.
Scaling Your Infrastructure
As your organization grows, you will eventually need to add more domain controllers. Adding a secondary domain controller is conceptually similar to the first, but you will choose "Add a domain controller to an existing domain" during the promotion process.
Load Balancing and Redundancy
By having multiple domain controllers, you ensure that authentication services remain available even if one server fails. You should distribute your domain controllers across different physical locations or different virtual hosts to protect against hardware failure.
Global Catalog Servers
A Global Catalog (GC) server is a domain controller that stores a partial copy of all objects in the forest. Every forest must have at least one GC. In larger, multi-site environments, you should consider making every domain controller a Global Catalog server to reduce the impact of network latency when users perform searches or log in.
Best Practices for Long-Term Maintenance
Active Directory is not a "set it and forget it" system. To maintain a healthy environment, adopt the following habits:
- Regular Backups: Perform system-state backups daily. Test these backups by performing a restore in a virtual lab environment at least once every six months.
- Clean Up Stale Objects: Periodically audit your directory for inactive user accounts and computer accounts that have not logged in for over 90 days.
- Documentation: Maintain an up-to-date network map, a list of domain controllers, and a record of any custom configurations or GPOs.
- Stay Informed: Keep track of security advisories from the vendor. Active Directory is a frequent target for attackers, and staying current with security updates is the best defense.
Key Takeaways
After completing this lesson, you should be familiar with the following core concepts of AD DS deployment:
- Preparation is Critical: Always plan your namespace, DNS configuration, and hardware requirements before starting the installation to avoid architectural bottlenecks later.
- DNS is the Foundation: Active Directory cannot function without a perfectly configured DNS environment. Ensure that your domain controllers are their own DNS servers and that all necessary SRV records are present.
- Automation Over Manual Work: Use PowerShell for the installation process to ensure consistency, reduce the risk of human error, and create an auditable record of your deployment.
- Functional Levels Matter: Always select the highest functional level supported by your environment to ensure you have access to modern security features and administrative tools.
- Security is Layered: Protect your domain controllers with physical security, restricted network access, and the principle of least privilege. Use tiered administration to protect high-level credentials.
- Validation is Required: Never assume a successful installation message means the system is healthy. Always run health checks like
dcdiagandrepadminto confirm that the directory service is operating as expected. - Ongoing Maintenance: Treat your AD environment as a critical production system. Regular backups, monitoring, and cleanup of stale objects are essential for long-term stability and security.
By following these guidelines and understanding the underlying mechanics of Active Directory, you will be well-equipped to deploy and manage a directory service that supports the needs of your organization while maintaining a high standard of security and reliability. Remember that every environment is unique, and the best administrator is one who continuously learns and adapts to the changing landscape of identity management.
Continue the course
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons