How to Promote a Server to a Domain Controller: A Step-by-Step Guide

Promote your server to a domain controller to manage Active Directory and network services efficiently. Follow our detailed guide for a seamless setup.

Promoting a server to a domain controller is a fundamental task for any Windows network administrator. This process transforms a standard server into the central authority for managing users, computers, and resources within a network. This central management system is known as Active Directory Domain Services (AD DS).

Active Directory is the backbone of most business networks, providing a powerful, centralized way to manage security policies, user access, and resource sharing. Without it, managing a network of more than a handful of computers would be a chaotic and time-consuming process. This guide will walk you through the entire process, from preparing your server to verifying that everything is working as it should.

What You Need: Prerequisites for Promotion

Before you begin the promotion process, it is critical to ensure your server meets all the necessary prerequisites. Failing to complete these steps can lead to errors and a failed promotion.

  • Static IP Address: The server you are promoting must have a static IP address. Domain controllers serve as DNS servers, and their address cannot change dynamically.

  • Correct Server Name: The server should have a descriptive and easily identifiable name. Set the name before promotion; renaming a domain controller afterward requires additional steps.

  • Administrator Privileges: You must be logged in with a local administrator account that has the necessary permissions to install roles and features.

  • DNS Configuration: If you are adding a new domain controller to an existing domain, the server's DNS settings must point to an existing domain controller. If you are creating a new forest, the DNS can point to itself (127.0.0.1) or be unconfigured initially.

  • Backups: Pro Tip: Always take a full system backup before starting the promotion process. This provides a safety net if something goes wrong, allowing you to quickly restore the server to its previous state.
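The prerequisite checks above, as an added PowerShell example that is not part of the original guide: it is run on the candidate server before promotion and reports anything that would make the wizard fail. The interface alias, the expected host name and the expected DNS server list are assumptions; adjust them to your environment.

```powershell
# Added example (not part of the original guide): checks the prerequisites
# listed above on the candidate server. Interface alias, host name and the
# expected DNS server list are assumptions; adjust them to your environment.
param(
    [string]$InterfaceAlias   = 'Ethernet',
    [string]$ExpectedHostName = 'DC01',          # placeholder: the name you chose
    [string[]]$ExpectedDns    = @('127.0.0.1')   # new forest; when joining, use an existing DC's IP
)
$findings = @()

# Static IP: a DHCP lease shows PrefixOrigin 'Dhcp'; a static address shows 'Manual'.
$notStatic = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $InterfaceAlias |
             Where-Object { $_.PrefixOrigin -ne 'Manual' }
foreach ($a in $notStatic) {
    $findings += "Address $($a.IPAddress) on $InterfaceAlias is not static (PrefixOrigin=$($a.PrefixOrigin))"
}

# Server name: set it now; renaming a domain controller later is not a simple rename.
if ($env:COMPUTERNAME -ne $ExpectedHostName) {
    $findings += "Computer name is $env:COMPUTERNAME, expected $ExpectedHostName"
}

# DNS client: must point at an existing DC (joining a domain) or at itself (new forest).
$dns = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
foreach ($server in $ExpectedDns) {
    if ($dns -notcontains $server) { $findings += "DNS servers [$($dns -join ', ')] do not include $server" }
}

# Administrator privileges: the wizard and the ADDSDeployment cmdlets need an elevated session.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object -TypeName Security.Principal.WindowsPrincipal -ArgumentList $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $findings += 'PowerShell session is not running as administrator'
}

# Backup: require a successful Windows Server Backup within the last 24 hours.
$summary = Get-WBSummary -ErrorAction SilentlyContinue
if (-not $summary -or $summary.LastSuccessfulBackupTime -lt (Get-Date).AddDays(-1)) {
    $findings += 'No successful Windows Server Backup in the last 24 hours'
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Host "$($findings.Count) prerequisite problem(s) found; fix them before promoting."
    exit 1
}
Write-Host 'All prerequisite checks passed.'
```

Get-WBSummary requires the Windows Server Backup feature; if you use another backup product, replace that check with the equivalent query for its last successful job.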

Step 1: Installing the Active Directory Domain Services Role

The first step is to install the Active Directory Domain Services (AD DS) role on your Windows Server 2022 or Windows Server 2019 machine.

  1. Open Server Manager. You can find it on the taskbar or via the Start menu.

  2. In the top-right corner, click Manage and then select Add Roles and Features.

  3. The Add Roles and Features Wizard will open. Click Next to proceed past the "Before you begin" screen.

  4. On the Installation Type screen, select Role-based or feature-based installation and click Next.

  5. On the Server Selection screen, ensure your local server is selected and click Next.

  6. On the Server Roles screen, check the box for Active Directory Domain Services. A new pop-up will appear, asking if you want to add required features. Click Add Features to include the necessary management tools.

  7. Click Next on the Server Roles screen and the Features screen.

  8. On the AD DS screen, review the information and click Next.

  9. On the Confirmation screen, click Install to begin the installation.

  10. Once the installation is complete, you will see a link at the top of the Server Manager dashboard. It will say, "Promote this server to a domain controller." This is your next step. Do not close the wizard.

Step 2: Promoting the Server to a Domain Controller

After installing the AD DS role, the server is ready to be promoted. This process is handled by the Active Directory Installation Wizard.

  1. Click the link "Promote this server to a domain controller" in the Server Manager dashboard. This will launch the wizard.

  2. On the Deployment Configuration screen, you will be presented with three critical options. This is where you decide the role of your new domain controller.

Adding a New Forest

  • Select Add a new forest.

  • This option is used when you are building the very first domain in your entire organization or for a completely separate, new environment.

  • You will be asked to provide a Root domain name. This should be a full DNS name, like yourcompany.com or corp.yourcompany.local.

Adding a New Domain to an Existing Forest

  • Select Add a new domain to an existing forest.

  • This is for creating a child domain or a tree domain within an existing Active Directory forest. For example, if your forest root is yourcompany.com, you might create a new child domain like sales.yourcompany.com.

  • You will be prompted to provide the parent domain name and the new domain name. You will also need to provide credentials with the appropriate permissions.

Adding a Domain Controller to an Existing Domain

  • Select Add a domain controller to an existing domain.

  • This is the most common option. It is used to add a new domain controller to a domain that is already up and running. This provides redundancy and load balancing.

  • You will be asked to provide the domain name and credentials with enterprise admin rights.

  3. After making your selection, click Next.

  4. On the Domain Controller Options screen, configure the following:

    • Domain Name System (DNS) server: This box is checked by default and should remain so. The new domain controller will be a DNS server for the domain.

    • Global Catalog (GC): This is checked by default and is crucial for allowing users to search for objects across the entire forest.

    • Read-only domain controller (RODC): This is typically for branch offices where physical security may be a concern. Do not select this unless you have a specific reason to do so.

    • Directory Services Restore Mode (DSRM) password: Create a strong password for DSRM. You will need this to perform a restore of the Active Directory database. Remember this password and store it securely.

  5. Click Next to proceed. On the DNS Options screen, you may receive a warning about DNS delegation. You can typically ignore this for the initial setup.

  6. On the Additional Options screen, you can specify the location of the AD DS database, log files, and SYSVOL folder. Unless you have a specific reason to change these, the default locations are fine.

  7. Review the Prerequisites Check results. The wizard will perform a quick check to ensure the server is ready for promotion. It is crucial to address any errors that appear before proceeding. If warnings are present, you should understand what they are before continuing.

  8. After the checks pass, click Install. The Active Directory installation wizard will now begin the final promotion process. This will take some time and the server will automatically restart when complete.
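Steps 1 and 2 done from PowerShell with the ADDSDeployment cmdlets instead of the Server Manager wizard, as an added example that is not part of the original guide. The domain name and NetBIOS name are placeholders; the DSRM password is prompted for rather than stored in the script.

```powershell
# Added example (not part of the original guide): Steps 1 and 2 performed with
# the ADDSDeployment cmdlets instead of the Server Manager wizard. The domain
# name and NetBIOS name are placeholders; the DSRM password is prompted for.
$domain  = 'corp.example.com'
$netbios = 'CORP'

# Step 1: install the AD DS role plus the management tools the wizard adds.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# DSRM password (Domain Controller Options screen): never hard-code it.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

# Settings shared by the three Deployment Configuration choices.
$opts = @{
    DomainName                    = $domain
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true   # "Domain Name System (DNS) server" box
    NoRebootOnCompletion          = $true   # reboot deliberately after reviewing the output
    Force                         = $true   # suppress interactive confirmations
    # DatabasePath / LogPath / SysvolPath: add these only if you change the Additional Options defaults
}

# Prerequisites Check: the Test-ADDS* cmdlets run the same checks as the wizard
# (warnings arrive on the warning stream; errors make Status something other than Success).
# (a) Add a new forest:
$check = Test-ADDSForestInstallation @opts -DomainNetbiosName $netbios
# (b) Add a new domain to an existing forest, e.g. sales.corp.example.com:
#     Test-ADDSDomainInstallation -NewDomainName 'sales' -ParentDomainName $domain `
#         -SafeModeAdministratorPassword $dsrm -InstallDns -Credential (Get-Credential)
# (c) Add a domain controller to an existing domain:
#     Test-ADDSDomainControllerInstallation @opts -Credential (Get-Credential)

$check | Format-List Status, Message
if ($check.Status -ne 'Success') {
    throw 'Prerequisites check did not pass; resolve every error (and understand every warning) first.'
}

# Promotion for option (a). Use Install-ADDSDomain or Install-ADDSDomainController
# with the matching arguments for options (b) and (c).
Install-ADDSForest @opts -DomainNetbiosName $netbios
Restart-Computer -Confirm
```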

Step 3: Post-Promotion Configuration and Verification

Once the server has restarted, it is now a domain controller. There are several key steps to verify and complete the setup.

  1. Verify AD DS and DNS Service Status: Open Server Manager. The AD DS and DNS roles should now appear in the list. Check the services to ensure they are running without any errors.

  2. Open Active Directory Users and Computers: Navigate to Tools in Server Manager and open Active Directory Users and Computers. This is a key management console that confirms the domain is operational. You should be able to see the domain, users, and computers.

  3. Check DNS Records: Open the DNS management console from Server Manager's Tools menu. Expand the server and navigate to the Forward Lookup Zones. You should see a zone for your domain. Expand this and verify that the required service location (SRV) records for Active Directory (e.g., _ldap._tcp) have been automatically created.

  4. Create a Test User: As a final test, create a new user account in Active Directory Users and Computers. Log in to another computer on the network using the new domain account to confirm that authentication is working correctly.

  5. Configure Group Policy: A key benefit of Active Directory is Group Policy. Go to Tools > Group Policy Management to begin creating and linking Group Policy Objects (GPOs) to your domain or Organizational Units (OUs). This is how you will enforce security settings, software installations, and other configurations across your network.
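The verification steps above run from PowerShell on the new domain controller, as an added example that is not part of the original guide. The domain name and the test account name are placeholders; the test account is created with a one-day expiry so the logon check from another computer does not leave a forgotten account behind.

```powershell
# Added example (not part of the original guide): the Step 3 checks run from
# PowerShell on the new domain controller. The domain name and test account
# name are placeholders.
$domain   = 'corp.example.com'
$problems = @()

# 1. Service status: AD DS (NTDS), DNS, Kerberos KDC and Netlogon must all be running.
foreach ($name in 'NTDS', 'DNS', 'Kdc', 'Netlogon') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc -or $svc.Status -ne 'Running') { $problems += "Service $name is not running" }
}

# 2. The domain answers and this server is registered as a DC holding the Global Catalog.
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME -ErrorAction Stop
if (-not $dc.IsGlobalCatalog) { $problems += "$($dc.HostName) is not a global catalog" }

# 3. SRV records: clients locate the DC through these; _ldap._tcp is the one the guide names.
foreach ($rec in "_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain") {
    $srv = Resolve-DnsName -Name $rec -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue
    if (-not ($srv | Where-Object { $_.NameTarget -eq $dc.HostName })) {
        $problems += "SRV record $rec does not list $($dc.HostName)"
    }
}

# 4. Built-in diagnostics: /q prints only failures, so any output at all is a problem.
$diag = & dcdiag.exe /test:Advertising /test:DNS /q
if ($diag) { $problems += "dcdiag: $($diag -join ' | ')" }

# 5. Errors logged since promotion in the Directory Service and DNS Server event logs.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service', 'DNS Server'; Level = 2; StartTime = (Get-Date).AddHours(-2)
} -ErrorAction SilentlyContinue
if ($events) { $problems += "$($events.Count) error event(s) in the last 2 hours; review Event Viewer" }

# 6. Test user for the logon check (step 4): expires in one day so it cannot linger.
New-ADUser -Name 'adtest01' -SamAccountName 'adtest01' -UserPrincipalName "adtest01@$domain" `
    -AccountPassword (Read-Host -AsSecureString -Prompt 'Test user password') -Enabled $true `
    -AccountExpirationDate (Get-Date).AddDays(1) -Description 'Temporary DC verification account'

if ($problems) { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host "Domain controller $($dc.HostName) verified; log on to another computer as adtest01@$domain."
```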

Troubleshooting Common Promotion Issues

  • Prerequisites Check Fails: The most common cause is an incorrect DNS server setting. Ensure the server's DNS is pointing to an existing domain controller if you're joining a domain. If you are creating a new forest, the DNS setting should be unconfigured or set to 127.0.0.1.

  • "dcpromo is no longer an option": On Windows Server 2022 and Windows Server 2019, the old dcpromo command-line utility is no longer the primary method. It has been replaced by the streamlined Active Directory Installation Wizard that runs within Server Manager and PowerShell.

  • "A referral was returned from the server": This error can occur when DNS is misconfigured. Ensure your DNS server can correctly resolve the domain name and that the new server can communicate with existing domain controllers.

  • DNS Service Won't Start: Check the server's event logs for more details. This often indicates a conflict, such as another application using the same port (53) or an incorrect DNS configuration after the promotion.