A comprehensive guide demonstrating the installation and configuration of Active Directory Domain Services (AD DS) on Windows Server, including domain controller promotion and forest creation.
This project showcases the complete process of transforming a Windows Server into an Active Directory Domain Controller, demonstrating enterprise-level identity and access management skills essential for IT infrastructure administration.
Watch the complete Active Directory configuration process:
This video demonstrates the complete Active Directory Domain Services installation and domain controller promotion from start to finish.
Platform: Windows Server 2025
Service: Active Directory Domain Services (AD DS)
Domain: keenan.local
Forest: New forest creation
Role: First domain controller in the forest (holds all five FSMO roles, including PDC Emulator; there is no "primary" DC in a multi-master AD forest)
- Accessed Windows Server virtual machine via RDP
- Launched Server Manager application
- Server Manager typically opens automatically on login
- Dashboard provides centralized server management interface
Purpose: Server Manager is the central hub for managing Windows Server roles and features.
- Located "Manage" menu in Server Manager
- Selected "Add Roles and Features"
- Initiated the Add Roles and Features Wizard
- Prepared for Active Directory installation
What this does: Launches the wizard to install server roles and features.
- Chose "Role-based or feature-based installation"
- Selected target server from server pool
- Clicked "Next" to proceed
- Confirmed server selection
Installation Types:
- Role-based: Install roles and features on a single server
- Remote Desktop Services: Configure RDS deployment
- VHD-based: Install on virtual hard disk
- From the Server Roles list, selected "Active Directory Domain Services"
- System prompted to add required features
- Clicked "Add Features" to include management tools
- Confirmed AD DS role selection
Included Components:
- Active Directory Domain Services
- Group Policy Management
- Active Directory Administrative Center and the other RSAT AD DS tools (added by "Add Features")
- DNS Server (not part of this step; installed later by the promotion wizard when the DNS server option is selected)
- Reviewed Features page (default selections)
- Reviewed AD DS information page
- Confirmed installation selections
- Clicked "Next" through remaining pages
- Reached "Confirmation" page
- Clicked "Install" to begin installation
Installation Process:
- Copies necessary files
- Registers services
- Configures system components
- Prepares for domain controller promotion
- Monitored installation progress bar
- Waited for "Installation succeeded" message
- Verified successful installation status
- Noted post-deployment configuration notification
- Closed installation wizard
Status Check: Installation completes but server is not yet a domain controller.
- Located yellow notification flag in Server Manager
- Clicked on "Promote this server to a domain controller" link
- Launched Active Directory Domain Services Configuration Wizard
- Began domain controller promotion process
Critical Step: This transforms the server from a member server to a domain controller.
- Selected deployment operation: "Add a new forest"
- Entered root domain name: keenan.local
- Validated the domain name format
- Clicked "Next" to proceed
Domain Naming:
- Used the .local TLD for this isolated lab network (format: [name].local, e.g., keenan.local)
- Caveat: .local is reserved for multicast DNS (RFC 6762) and public CAs do not issue certificates for it, so for a production forest Microsoft recommends a subdomain of a registered domain you control (e.g., ad.example.com)
- Never use a public domain name you do not own; renaming a domain later is disruptive
- Forest functional level: Windows Server 2016 (or latest)
- Domain functional level: Windows Server 2016 (or latest)
- Domain Controller capabilities:
  - ✅ Domain Name System (DNS) server
  - ✅ Global Catalog (GC)
- Created Directory Services Restore Mode (DSRM) password
- Entered a strong, unique password (not the same as the domain Administrator password)
- Confirmed password
DSRM Password: Critical for disaster recovery (authoritative restores and offline NTDS maintenance) - store it in the password vault, not on the server!
- DNS Options: Reviewed DNS delegation warning (expected for new forest)
- Additional Options: Verified NetBIOS domain name (auto-generated: KEENAN)
- Paths: Accepted default locations for:
  - Database folder: C:\Windows\NTDS
  - Log files folder: C:\Windows\NTDS
  - SYSVOL folder: C:\Windows\SYSVOL
- Reviewed complete configuration summary
- Verified all settings:
- Forest name: keenan.local
- Domain name: keenan.local
- NetBIOS name: KEENAN
- Functional levels
- DNS configuration
- Clicked "Next" to proceed
Prerequisites Check: System automatically validates requirements.
- Reviewed prerequisites check results
- Verified all checks passed (green checkmarks)
- Clicked "Install" to begin promotion
- Monitored installation progress
- Waited for completion message
Installation Actions:
- Configures Active Directory database
- Creates SYSVOL structure
- Configures DNS zones
- Establishes domain controller role
- System automatically initiated restart
- Server rebooted to apply changes
- Waited for server to come back online
- Reconnected via RDP after restart
Post-Restart: Server is now a fully functional domain controller!
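The wizard steps above, from role installation through forest creation, as one PowerShell script. This is an added example, not code from the original project; it reproduces the settings chosen in the wizard (keenan.local, NetBIOS KEENAN, 2016 functional levels, default NTDS/SYSVOL paths). Run it in an elevated PowerShell session on the server; it reboots the server when promotion finishes.

```powershell
# Added example: Server Manager procedure done in PowerShell (not from the original project).
# Run as local Administrator on the Windows Server 2025 VM.

# 1. Install the AD DS role plus the management tools the wizard adds
#    (AD Administrative Center, AD PowerShell module, Group Policy Management).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. DSRM password: prompt for it rather than hard-coding it in a script.
$dsrm = Read-Host -AsSecureString "DSRM (Safe Mode) administrator password"

# 3. Same prerequisite check the wizard runs before "Install".
Test-ADDSForestInstallation -DomainName "keenan.local" -SafeModeAdministratorPassword $dsrm

# 4. Promote: new forest, DNS server + Global Catalog, functional level 2016.
#    "WinThreshold" is the ADDSDeployment name for the Windows Server 2016 level.
#    -CreateDnsDelegation:$false suppresses the DNS delegation warning, which is
#    expected because a new .local forest has no parent zone to delegate from.
Install-ADDSForest `
    -DomainName "keenan.local" `
    -DomainNetbiosName "KEENAN" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword $dsrm `
    -Force:$true
# The server restarts automatically; reconnect via RDP as KEENAN\Administrator.
```

Test-ADDSForestInstallation performs the same checks as the wizard's prerequisites page without making changes, so a failed check surfaces before the irreversible promotion step.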
Forest Name: keenan.local
Domain Name: keenan.local
NetBIOS Name: KEENAN
Forest Functional Level: Windows Server 2016+
Domain Functional Level: Windows Server 2016+
Domain Controller: First DC in the forest (all FSMO roles)
DNS Server: Integrated
Global Catalog: Yes
- Active Directory Domain Services - Core AD functionality
- DNS Server - Name resolution for domain
- DFS Replication (DFSR) - SYSVOL replication (FRS is deprecated and is not used by a new 2016-level forest; Windows Server 2025 DCs replicate SYSVOL with DFSR only)
- Kerberos Key Distribution Center - Authentication
- Domain Controllers
- Users
- Computers
- Builtin
- ForeignSecurityPrincipals
- Managed Service Accounts
- Program Data
- Purpose: Restore Mode administrator password
- Usage: Disaster recovery and offline maintenance
- Best Practice: Store securely, document separately
- Requirement: Strong, complex password
- UPN: Administrator@keenan.local
- Down-level (NetBIOS) logon name: KEENAN\Administrator
- Purpose: Domain administrative access (at promotion the local Administrator account becomes the domain's built-in Administrator and keeps its password)
- Security: Set a new, unique password immediately and reserve this account for break-glass use; do day-to-day administration with a separate named admin account
- Domain Admins
- Enterprise Admins
- Schema Admins
- Domain Users
- Domain Computers
- Group Policy Creator Owners
1. Verify DNS configuration
2. Create Organizational Units (OUs)
3. Create user accounts
4. Configure Group Policy Objects (GPOs)
5. Set up backup strategy
6. Configure time synchronization
7. Document DSRM password securely
```powershell
# Check DNS server status
Get-DnsServer
# Verify DNS zones
Get-DnsServerZone
# Test DNS resolution
nslookup keenan.local
```

```powershell
# Check domain controller status
Get-ADDomainController
# Verify domain information
Get-ADDomain
# Check forest information
Get-ADForest
# List domain users
Get-ADUser -Filter *
# Verify the SYSVOL and NETLOGON shares are published
# (this only proves the shares exist; replication health is checked with dfsrdiag/dcdiag in Troubleshooting)
Get-SmbShare -Name SYSVOL, NETLOGON
```
- Authentication - Kerberos and NTLM
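The verification commands above show that the DC objects exist; the checks that prove clients can actually use the DC (DC locator SRV records, FSMO ownership, SYSVOL advertising) and the time-synchronization item from the post-installation checklist are below. This is an added example, not part of the original project; the NTP peer and the EC2 address are assumptions for the lab.

```powershell
# Added example: post-promotion health checks for keenan.local (not from the original project).
Import-Module ActiveDirectory

# Clients find DCs through these SRV records; if they are missing, logons fail
# even though the DC itself is up.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.keenan.local" -Type SRV
Resolve-DnsName -Name "_kerberos._tcp.keenan.local" -Type SRV

# The first DC in a new forest holds all five FSMO roles; confirm they are all here.
Get-ADForest -Identity "keenan.local" | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain -Identity "keenan.local" | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# SYSVOL/NETLOGON must be shared and the DC must be advertising before Group
# Policy can be applied. dcdiag accepts several /test switches at once.
dcdiag /test:advertising /test:sysvolcheck /test:dns

# The PDC Emulator is the time source for the whole forest. Point it at an
# external NTP server instead of the VM host clock (time.windows.com is an
# assumed peer; on EC2, the Amazon Time Sync Service at 169.254.169.123 is the
# better choice). Kerberos rejects tickets when clock skew exceeds 5 minutes.
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync
w32tm /query /source   # should name the NTP peer, not "Local CMOS Clock" or the hypervisor
```

The 0x8 flag tells w32tm to use client-mode NTP requests for that peer; /reliable:yes marks this DC as a reliable time source so domain members and any future DCs synchronize from it.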
- Authorization - Access control and permissions
- Directory Services - Centralized object management
- Group Policy - Centralized configuration management
- Replication - Multi-master replication between DCs
- Forward Lookup Zones - Name to IP resolution
- Reverse Lookup Zones - IP to name resolution
- Dynamic Updates - Automatic DNS record updates
- Secure Dynamic Updates - only authenticated domain members can create or change their own records (prevents unauthenticated hosts from spoofing or overwriting records)
- ✅ Server Manager proficiency
- ✅ Role and feature installation
- ✅ Active Directory deployment
- ✅ Domain controller configuration
- ✅ DNS integration
- ✅ Forest and domain creation
- ✅ Domain controller promotion
- ✅ Functional level selection
- ✅ DSRM configuration
- ✅ DNS integration
- ✅ Identity and access management
- ✅ Directory services architecture
- ✅ Security best practices
- ✅ Disaster recovery planning
- ✅ Infrastructure documentation
```powershell
# Create OU structure
New-ADOrganizationalUnit -Name "Employees" -Path "DC=keenan,DC=local"
New-ADOrganizationalUnit -Name "IT" -Path "OU=Employees,DC=keenan,DC=local"
New-ADOrganizationalUnit -Name "HR" -Path "OU=Employees,DC=keenan,DC=local"
```

```powershell
# Create new user. The initial password is read from the console instead of
# being written into the script, and the user must change it at first logon.
New-ADUser -Name "John Doe" `
    -GivenName "John" `
    -Surname "Doe" `
    -SamAccountName "jdoe" `
    -UserPrincipalName "jdoe@keenan.local" `
    -Path "OU=IT,OU=Employees,DC=keenan,DC=local" `
    -AccountPassword (Read-Host -AsSecureString "Initial password for jdoe") `
    -ChangePasswordAtLogon $true `
    -Enabled $true
```

```powershell
# Create security group
New-ADGroup -Name "IT Admins" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=IT,OU=Employees,DC=keenan,DC=local"
# Add user to group
Add-ADGroupMember -Identity "IT Admins" -Members "jdoe"
```
Problem: DNS not resolving domain names
Solutions:
```powershell
# Restart DNS service
Restart-Service DNS
# Check DNS forwarders (external names resolve only if these point at a reachable resolver)
Get-DnsServerForwarder
# Verify DNS zones
Get-DnsServerZone
```
Problem: SYSVOL or AD replication failures
Solutions:
```powershell
# Check replication status
repadmin /replsummary
# Show each partner and the last replication result
repadmin /showrepl
# Force replication of all partitions with all partners, enterprise-wide, push mode
repadmin /syncall /AdeP
# Check SYSVOL (DFSR) replication state
dfsrdiag ReplicationState
```
Problem: Users cannot log in to domain
Solutions:
```powershell
# Verify domain controller health
dcdiag /v
# Confirm the client can locate a DC for the domain
nltest /dsgetdc:keenan.local
# Check time synchronization (Kerberos fails when skew exceeds 5 minutes)
w32tm /query /status
# List the cached Kerberos tickets for the current logon session
klist
```
- ✅ Implement least privilege access
- ✅ Use separate admin accounts
- ✅ Enable audit logging
- ✅ Configure account lockout policies
- ✅ Implement password complexity requirements
- ✅ Regular security updates
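The first four items of the checklist above applied to the new forest. This is an added example, not part of the original project; the OU, the admin account name and the lockout/password thresholds are assumptions for the lab, and the audit settings are applied locally here, which in production you would push through a GPO linked to the Domain Controllers OU.

```powershell
# Added example: post-promotion hardening of keenan.local (not from the original project).
Import-Module ActiveDirectory

# 1. Separate admin account: day-to-day work uses a normal user account,
#    privileged work uses a dedicated account that lives in its own OU.
New-ADOrganizationalUnit -Name "Admin Accounts" -Path "DC=keenan,DC=local" `
    -ProtectedFromAccidentalDeletion $true                    # assumed OU
New-ADUser -Name "Keenan Kelly (admin)" -SamAccountName "kkelly-adm" `
    -UserPrincipalName "kkelly-adm@keenan.local" `
    -Path "OU=Admin Accounts,DC=keenan,DC=local" `
    -AccountPassword (Read-Host -AsSecureString "Password for kkelly-adm") `
    -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members "kkelly-adm"
# Block Kerberos delegation of the privileged account and put it in Protected
# Users (no NTLM, no RC4, no delegation, 4-hour TGT lifetime).
Set-ADUser -Identity "kkelly-adm" -AccountNotDelegated $true
Add-ADGroupMember -Identity "Protected Users" -Members "kkelly-adm"

# 2. Lockout and password policy on the Default Domain Policy.
Set-ADDefaultDomainPasswordPolicy -Identity "keenan.local" `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)
Get-ADDefaultDomainPasswordPolicy -Identity "keenan.local"

# 3. Audit logging for the events that matter most on a DC.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

# 4. Privileged group review. Each group should contain only the dedicated admin
#    accounts; Schema Admins should be empty except during a schema change.
foreach ($g in "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators") {
    $members = Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty SamAccountName
    "{0,-18} {1}" -f $g, ($members -join ", ")
}
# The built-in Administrator is a member of Schema Admins by default; remove it.
Remove-ADGroupMember -Identity "Schema Admins" -Members "Administrator" -Confirm:$false
```

Re-run the group review after every change to privileged groups; an unexpected member of Domain Admins or Schema Admins is one of the clearest signs of compromise in a small forest.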
- ✅ System State backups (includes AD database)
- ✅ Regular backup schedule
- ✅ Test restore procedures
- ✅ Document DSRM password
- ✅ Offsite backup storage
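A System State backup of the DC with Windows Server Backup, plus the check that the backup was recorded in AD and a way to confirm the documented DSRM password actually works. This is an added example, not part of the original project; E: is an assumed dedicated backup volume (never back up a DC to its own OS disk).

```powershell
# Added example: DC System State backup and DSRM password check (not from the original project).

# Windows Server Backup is a feature, not installed by default.
Install-WindowsFeature -Name Windows-Server-Backup

# System State includes NTDS.dit, SYSVOL, the registry and boot files,
# which is everything needed for an AD restore. E: is an assumed backup volume.
wbadmin start systemstatebackup -backupTarget:E: -quiet

# List the backup versions on the target and the last successful backup time.
wbadmin get versions -backupTarget:E:
Get-WBSummary | Select-Object LastSuccessfulBackupTime, LastBackupResultHR

# AD records the last backup per partition; a DC that has not been backed up
# within the tombstone lifetime (default 180 days) cannot be safely restored.
repadmin /showbackup

# Verify the DSRM password you documented before you need it: ntdsutil prompts
# for a new password twice, so this doubles as the place to rotate it into
# the vault. "server null" means the local DC.
ntdsutil "set dsrm password" "reset password on server null" q q
```

Test the restore procedure on a lab copy: boot into DSRM (bcdedit /set safeboot dsrepair, then reboot), sign in with .\Administrator and the DSRM password, and run wbadmin start systemstaterecovery against the version listed above.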
- ✅ Event log monitoring
- ✅ Replication health checks
- ✅ DNS health monitoring
- ✅ Performance monitoring
- ✅ Security audit reviews
- Microsoft Exchange Server - Email services
- Microsoft SharePoint - Collaboration platform
- Microsoft SQL Server - Database authentication
- File Servers - Centralized access control
- VPN Solutions - Remote access authentication
- Cloud Services - Microsoft Entra Connect (formerly Azure AD Connect) for hybrid identity
- Centralized Management - Single point of user/computer management
- Security - Unified authentication and authorization
- Scalability - Supports thousands of users and computers
- Group Policy - Automated configuration management
- Single Sign-On - One credential for multiple resources
- Active Directory Domain Services Overview
- Install Active Directory Domain Services
- Active Directory Best Practices
- PowerShell Active Directory Module
Keenan Kelly
This project demonstrates enterprise-level Windows Server and Active Directory administration skills essential for IT infrastructure management.
- Creating a VM on AWS - EC2 Windows Server deployment
- EC2 RDP Connection - Secure remote access guide
Demonstrating enterprise identity and access management with Active Directory Domain Services