How to Set Up a Windows Domain Controller: Active Directory Configuration Guide for Network Admins

A domain controller (DC) is a server that responds to security authentication requests within a Windows Server domain. It's a fundamental component of Active Directory (AD) infrastructure, handling user authentication, access control, and policy enforcement across networked systems.

Consider implementing a DC when:

  • Managing more than 10-15 computers in a network
  • Requiring centralized user authentication
  • Needing group policy management
  • Implementing security compliance standards
  • Managing resource access permissions

Before installation, ensure:

- Windows Server 2016 or later (the promotion commands below select the Windows Server 2016 functional level, "WinThreshold", which older releases do not accept)
- Static IP address configured (a DHCP lease change silently invalidates the DC's DNS records)
- Minimum 2GB RAM (4GB+ recommended)
- NTFS file system partition for the database, logs and SYSVOL
- Administrator privileges (an elevated PowerShell session)

Here's how to promote a server to domain controller using PowerShell:

# Install AD Domain Services feature (plus the RSAT tools and the ADDSDeployment module)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Import the ADDSDeployment module
Import-Module ADDSDeployment

# Promote the server to the first DC of a new forest. The cmdlet prompts for the DSRM
# (SafeModeAdministrator) password unless -SafeModeAdministratorPassword is supplied.
# A .local suffix is shown for illustration only; it collides with mDNS, so prefer a
# subdomain of a DNS name you own (e.g. corp.example.com). Backticks continue the command.
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "WinThreshold" `
    -DomainName "yourdomain.local" `
    -DomainNetbiosName "YOURDOMAIN" `
    -ForestMode "WinThreshold" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

After reboot, verify installation with these commands:

# Verify the core AD DS services are running
Get-Service adws,kdc,netlogon,dns

# Check domain controller health. (dcdiag /test:dcpromo is a pre-promotion test that needs
# /DnsDomain and a role switch; after promotion run the full suite plus the DNS test.)
dcdiag /v
dcdiag /test:dns /v

# View domain information
Get-ADDomain

Adding a Secondary DC:

# On a server already joined to the domain, with the AD-Domain-Services feature installed.
# Run as a member of Domain Admins, or pass -Credential (Get-Credential) to the cmdlet.
Install-ADDSDomainController `
    -DomainName "yourdomain.local" `
    -InstallDns:$true `
    -SiteName "Default-First-Site-Name" `
    -ReplicationSourceDC "DC1.yourdomain.local" `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -NoGlobalCatalog:$false `
    -CreateDnsDelegation:$false `
    -NoRebootOnCompletion:$false `
    -Force:$true
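The prerequisite list and the two promotion commands above leave the checks to the reader. The script below is an added example, not part of the original guide, that verifies the prerequisites (static IPv4, RAM, NTFS, elevation, the installed feature) and then asks the ADDSDeployment module to run its own prerequisite checks for either a new forest or a replica DC without changing anything. The -Role, -DomainName and -ReplicationSourceDC parameters and their defaults are assumptions for this example.

```powershell
# Added example (not from the original guide): pre-promotion checks for a new forest or a replica DC.
# Assumes AD-Domain-Services is installed and, for -Role Replica, that the server is domain-joined.
param(
    [ValidateSet('Forest', 'Replica')] [string] $Role = 'Forest',
    [string] $DomainName          = 'yourdomain.local',       # assumed value
    [string] $ReplicationSourceDC = 'DC1.yourdomain.local'    # assumed value
)

$failures = @()

# 1. Static IPv4 address: a DHCP-assigned address breaks the DC's DNS records after a lease change.
$ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notlike 'Loopback*' }
if (-not ($ipv4 | Where-Object PrefixOrigin -eq 'Manual')) {
    $failures += 'No statically assigned IPv4 address found'
}

# 2. Memory: the guide's 2 GB floor.
$ramGB = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
if ($ramGB -lt 2) { $failures += ('Only {0:N1} GB RAM installed' -f $ramGB) }

# 3. NTDS, logs and SYSVOL go on the system drive in the guide's commands, so it must be NTFS.
$sysVol = Get-Volume -DriveLetter ($env:SystemDrive.TrimEnd(':'))
if ($sysVol.FileSystemType -ne 'NTFS') {
    $failures += "System volume is $($sysVol.FileSystemType), not NTFS"
}

# 4. Elevated session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $failures += 'PowerShell session is not elevated'
}

# 5. Role feature present (installs the ADDSDeployment module as well).
if (-not (Get-WindowsFeature AD-Domain-Services).Installed) {
    $failures += 'AD-Domain-Services feature is not installed'
}

if ($failures) {
    $failures | ForEach-Object { Write-Warning $_ }
    throw 'Prerequisite checks failed; fix the items above before promoting.'
}

# 6. Let the deployment module run its own checks (DNS, credentials, schema, site) without promoting.
#    Both Test-* cmdlets prompt for the DSRM password and return an object with Status and Message.
Import-Module ADDSDeployment
$result = if ($Role -eq 'Forest') {
    Test-ADDSForestInstallation -DomainName $DomainName -InstallDns
} else {
    Test-ADDSDomainControllerInstallation -DomainName $DomainName -InstallDns `
        -ReplicationSourceDC $ReplicationSourceDC -SiteName 'Default-First-Site-Name'
}
$result
```

Run it as `.\Test-DcPrereqs.ps1 -Role Replica -DomainName corp.example.com -ReplicationSourceDC dc1.corp.example.com` before the corresponding Install-ADDS* command; a non-zero Status in the returned object points at the same problem the real promotion would stop on.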

Configuring DNS Forwarding:

# Set DNS forwarders for names outside the AD zones. Public resolvers are shown for illustration;
# in production forward to resolvers you control or that policy permits, and keep the DC's own
# DNS client pointed at itself and its partner DC, never directly at the forwarders.
Set-DnsServerForwarder -IPAddress 8.8.8.8,8.8.4.4 -PassThru

Common problems and their solutions:

# DNS resolution failing: flush the DNS Server cache, then confirm the DC's SRV records are registered
Clear-DnsServerCache -Force

# Replication issues: force a sync with every partner
# (/A all partitions, /d show DNs instead of GUIDs, /e cross-site, /P push changes outward)
repadmin /syncall /AdeP

# Time synchronization problems (Kerberos rejects tickets once clock skew exceeds 5 minutes by default)
w32tm /resync /rediscover

# FSMO role issues: confirm which DC holds each role
netdom query fsmo

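The verification commands after the reboot and the troubleshooting commands above are easier to apply as one report. The following script is an added example, not code from the original guide; it checks the four services, the SRV records clients need to find a DC and a KDC, replication failures, the time source and the FSMO holders in one pass. The $DomainName default is an assumed value.

```powershell
# Added example (not from the original guide): one-shot health report for a freshly promoted DC.
param([string] $DomainName = 'yourdomain.local')   # assumed value

$report = [ordered]@{}

# Core services: AD Web Services, KDC, Netlogon and the DNS Server.
$stopped = Get-Service adws, kdc, netlogon, dns | Where-Object Status -ne 'Running'
$report['Services'] = if ($stopped) { "STOPPED: $($stopped.Name -join ', ')" } else { 'OK' }

# SRV records used for DC location and Kerberos. A missing record shows up as "DNS resolution
# failures" or logon failures on clients even when the DC itself is healthy.
foreach ($rec in "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.$DomainName") {
    try {
        $srv = Resolve-DnsName -Name $rec -Type SRV -ErrorAction Stop |
               Where-Object QueryType -eq 'SRV'
        $report[$rec] = 'OK: ' + (($srv | ForEach-Object { $_.NameTarget }) -join ', ')
    } catch {
        $report[$rec] = "MISSING: $($_.Exception.Message)"
    }
}

# Replication: ask AD directly instead of parsing repadmin output. On a single-DC forest
# there are no partners and therefore no failures.
$replFailures = Get-ADReplicationFailure -Target $DomainName -Scope Domain -ErrorAction SilentlyContinue
$report['Replication'] = if ($replFailures) {
    "FAILURES: $(@($replFailures).Count); run repadmin /showrepl"
} else { 'OK' }

# Time: the PDC emulator must sync from an external source; a DC still on its CMOS clock
# will drift and eventually break Kerberos for the whole domain.
$timeSource = (w32tm /query /source 2>&1) -join ''
$report['TimeSource'] = if ($timeSource -match 'Local CMOS Clock|Free-running') {
    "CHECK: $timeSource"
} else { $timeSource }

# FSMO role holders via the AD module (same information as netdom query fsmo).
$domain = Get-ADDomain
$forest = Get-ADForest
$report['FSMO'] = 'PDC={0}; RID={1}; Infra={2}; Schema={3}; Naming={4}' -f `
    $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
    $forest.SchemaMaster, $forest.DomainNamingMaster

# Print the report; any STOPPED, MISSING, FAILURES or CHECK entry is an action item.
$report.GetEnumerator() | ForEach-Object { '{0,-40} {1}' -f $_.Key, $_.Value }
```

Run it on each DC after promotion and again after adding a secondary DC; on the second DC the replication line is the one that matters.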
# Raise the forest functional level. This does not by itself secure LDAP: LDAP signing and
# channel binding are enforced separately through the NTDS LDAPServerIntegrity and
# LdapEnforceChannelBinding settings, or the equivalent "Domain controller: LDAP server ..." policies.
Set-ADForestMode -Identity yourdomain.local -ForestMode Windows2016Forest

# Enable LDAPS: an Enterprise CA issues each DC a certificate through autoenrollment, after which
# the DC accepts TLS on TCP 636. Installing AD CS on a DC is shown for brevity only; in production
# put the CA on its own tier-0 server, since the role is hard to move later and widens the DC's attack surface.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force

# Audit DC access (success and failure); pair with "Directory Service Changes" to record what was modified
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
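The LDAP hardening the previous block describes in comments is done below in working form. This is an added example, not code from the original guide: it sets the two NTDS registry values that require LDAP signing and channel binding, checks that a usable server-authentication certificate exists for this DC, and performs a real TLS handshake against port 636 rather than a bare port check. The -DryRun switch, the $DcFqdn default and the Test-Ldaps function name are assumptions for this example; the registry path and value names are the documented NTDS settings.

```powershell
# Added example (not from the original guide): enforce LDAP signing/channel binding and verify LDAPS.
# Run elevated on the DC. -DryRun reports what would change without writing the registry.
param(
    [string] $DcFqdn = "$env:COMPUTERNAME.$env:USERDNSDOMAIN",   # assumed default
    [switch] $DryRun
)

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# LDAPServerIntegrity:       1 = none, 2 = require signing (unsigned simple binds on 389 are rejected).
# LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always (defeats LDAPS relay).
$settings = @{ LDAPServerIntegrity = 2; LdapEnforceChannelBinding = 2 }

foreach ($name in $settings.Keys) {
    $current = (Get-ItemProperty -Path $ntds -Name $name -ErrorAction SilentlyContinue).$name
    $shown   = if ($null -eq $current) { 'unset' } else { $current }
    if ($current -ne $settings[$name]) {
        '{0}: {1} -> {2}' -f $name, $shown, $settings[$name]
        if (-not $DryRun) {
            Set-ItemProperty -Path $ntds -Name $name -Value $settings[$name] -Type DWord
        }
    } else {
        '{0}: already {1}' -f $name, $current
    }
}

# LDAPS needs a certificate with a private key, the Server Authentication EKU and the DC's FQDN
# in its DNS names. With an Enterprise CA this arrives through autoenrollment.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$dcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($_.DnsNameList.Unicode -contains $DcFqdn)
}
if (-not $dcCerts) {
    Write-Warning "No Server Authentication certificate for $DcFqdn in LocalMachine\My; LDAPS will not answer."
}

# Full TLS handshake on 636. Chain validation uses this machine's trust store, so an untrusted
# issuer throws an AuthenticationException, which is the correct result for a client-side test.
function Test-Ldaps {
    param([string] $HostName, [int] $Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Host     = $HostName
            Protocol = $ssl.SslProtocol
            Subject  = $ssl.RemoteCertificate.Subject
            Expires  = $ssl.RemoteCertificate.GetExpirationDateString()
        }
    } finally {
        $client.Close()
    }
}

Test-Ldaps -HostName $DcFqdn
```

Roll the two registry values out with -DryRun first on every DC and review the LDAP diagnostic events (unsigned-bind warnings) beforehand: once signing is required, any appliance or application still doing simple binds over 389 stops authenticating.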

Sample PowerShell script for routine maintenance:

# DC Maintenance Script (run from an elevated session on the DC)
$Date    = Get-Date -Format "yyyyMMdd"
$LogDir  = "C:\Logs"
$LogFile = Join-Path $LogDir "DCMaintenance_$Date.log"
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

function Start-StoppedDCService {
    # Core DC services: AD DS, AD Web Services, DNS Server/Client and Netlogon.
    # -ComputerName is unnecessary for the local host and was removed from Get-Service in PowerShell 7.
    $Services = Get-Service |
                Where-Object { $_.DisplayName -like "*Active Directory*" -or
                               $_.DisplayName -like "*DNS*" -or
                               $_.Name -eq "Netlogon" }
    foreach ($Service in $Services) {
        if ($Service.Status -ne "Running") {
            "$(Get-Date -Format s) starting $($Service.Name)" | Out-File -Append -FilePath $LogFile
            Start-Service -InputObject $Service -PassThru |
                Out-File -Append -FilePath $LogFile
        }
    }
}

function Backup-SystemState {
    # Requires the Windows Server Backup feature; E: is the backup target volume.
    wbadmin start systemstatebackup -backuptarget:E: -quiet |
        Out-File -Append -FilePath $LogFile
}

Start-StoppedDCService
Backup-SystemState

A Domain Controller (DC) is a server that manages network security and authentication for Windows-based systems. It runs Active Directory Domain Services (AD DS), answers authentication requests and enforces security policies on every device joined to the domain.

Typical deployment scenarios:

  • Centralized user management for 50+ devices
  • Enterprise environments requiring Group Policy
  • Organizations needing single sign-on (SSO)
  • Environments requiring security auditing
  • Businesses with shared network resources

Here's how to configure a Windows Server as a DC using PowerShell:

# Install AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote server to domain controller (prompts for the DSRM password; backticks continue the command)
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "WinThreshold" `
    -DomainName "corp.example.com" `
    -DomainNetbiosName "CORP" `
    -ForestMode "WinThreshold" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

Deployment best practices:

  1. Always deploy at least two DCs for redundancy
  2. Place DCs in separate physical locations when possible
  3. Configure regular system state backups
  4. Implement proper DNS configuration
  5. Set up appropriate monitoring

Automating user creation via PowerShell:

# Create bulk users from CSV (columns: Name,FirstName,LastName,Username).
# Each account gets its own random initial password and must change it at first logon;
# a shared static password such as "P@ssw0rd" would leave every new account guessable.
# The target OU must already exist (the default Users container is CN=Users, not an OU).
$Rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
Import-Csv "C:\Users.csv" | ForEach-Object {
    $Bytes = New-Object byte[] 18
    $Rng.GetBytes($Bytes)
    $InitialPassword = [Convert]::ToBase64String($Bytes)   # 24 chars: mixed case, digits, symbols

    New-ADUser `
        -Name $_.Name `
        -GivenName $_.FirstName `
        -Surname $_.LastName `
        -SamAccountName $_.Username `
        -UserPrincipalName "$($_.Username)@corp.example.com" `
        -Path "OU=Users,DC=corp,DC=example,DC=com" `
        -AccountPassword (ConvertTo-SecureString $InitialPassword -AsPlainText -Force) `
        -ChangePasswordAtLogon $true `
        -Enabled $true

    # Hand the initial password to the user out of band; do not write it to a shared log.
    [pscustomobject]@{ Username = $_.Username; InitialPassword = $InitialPassword }
}

Managing Group Policy Objects programmatically:

# Create and link GPO (the target OU must already exist)
New-GPO -Name "Workstation Security Policy" |
    New-GPLink -Target "OU=Workstations,DC=corp,DC=example,DC=com"

# Set GPO settings: write a registry policy value into the GPO
Set-GPRegistryValue `
    -Name "Workstation Security Policy" `
    -Key "HKLM\Software\Policies\Microsoft\Windows\System" `
    -ValueName "DisableAutomaticRestartSignOn" `
    -Value 1 `
    -Type DWord
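The two GPO cmdlets above set one value at a time. The script below is an added example, not code from the original guide, that builds a small workstation hardening baseline from a table of registry policies, creates and links the GPO idempotently, and reads every value back to confirm what was written. The GPO name and OU match the page's example, while the chosen settings (SMB signing, LDAP client signing, NTLMv2-only, no LM hashes) are this example's assumptions; each is a documented Windows policy registry value.

```powershell
# Added example (not from the original guide): table-driven hardening GPO with link and verification.
Import-Module GroupPolicy

$GpoName = 'Workstation Security Policy'
$Target  = 'OU=Workstations,DC=corp,DC=example,DC=com'   # must exist before linking

# Registry key -> @{ ValueName = Value }; all DWORDs, applied under HKLM on each workstation.
$Baseline = @{
    # SMB client and server signing: blocks SMB relay to and from workstations.
    'HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' = @{ RequireSecuritySignature = 1 }
    'HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'      = @{ RequireSecuritySignature = 1 }
    # LDAP client signing (2 = require), matching signing enforced on the DCs.
    'HKLM\SYSTEM\CurrentControlSet\Services\LDAP'                         = @{ LDAPClientIntegrity = 2 }
    # NTLMv2 only, and never store LM hashes.
    'HKLM\SYSTEM\CurrentControlSet\Control\Lsa'                           = @{ LmCompatibilityLevel = 5; NoLMHash = 1 }
    # The page's own setting: disable automatic restart sign-on.
    'HKLM\Software\Policies\Microsoft\Windows\System'                     = @{ DisableAutomaticRestartSignOn = 1 }
}

# Create the GPO only if it is absent, so the script is safe to re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'Workstation baseline written by script' }

foreach ($key in $Baseline.Keys) {
    foreach ($valueName in $Baseline[$key].Keys) {
        Set-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName `
            -Type DWord -Value $Baseline[$key][$valueName] | Out-Null
    }
}

# Link (enabled) if not already linked; -Enforced stops GPOs lower in the OU tree from overriding it.
$linked = (Get-GPInheritance -Target $Target).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $Target -LinkEnabled Yes -Enforced Yes | Out-Null
}

# Verify: read each value back from the GPO and flag anything that differs from the baseline.
foreach ($key in $Baseline.Keys) {
    foreach ($valueName in $Baseline[$key].Keys) {
        $actual = (Get-GPRegistryValue -Name $GpoName -Key $key -ValueName $valueName).Value
        $state  = if ($actual -eq $Baseline[$key][$valueName]) { 'OK' } else { "MISMATCH ($actual)" }
        '{0,-14} {1}\{2}' -f $state, $key, $valueName
    }
}
```

Values written this way land in the GPO's registry.pol and apply under HKLM through the registry client-side extension; on a workstation, `gpupdate /force` followed by `gpresult /r` confirms the link took effect.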

Common issues:

Issue                     Solution
DNS resolution failures   Verify the SRV records (_ldap._tcp.dc._msdcs.<domain>) and re-register the DC with nltest /dsregdns
Replication problems      Run repadmin /syncall and review repadmin /showrepl for the failing partner
Authentication errors     Check time synchronization (w32tm /query /status); Kerberos tolerates 5 minutes of skew by default
FSMO role issues          Use netdom query fsmo to confirm which DC holds each role