Install the AD DS role on Windows Server 2025 and create a new Active Directory domain with enhanced security features and Win2025 functional levels.
Evan MaelActive Directory Domain Services (AD DS) forms the backbone of enterprise Windows networks, providing centralized authentication, authorization, and directory services. Windows Server 2025 introduces enhanced security features, improved deployment wizards, and support for the latest Win2025 functional levels that unlock advanced capabilities for modern hybrid cloud environments.
The 2025 release brings significant improvements over previous versions. Enhanced security defaults protect against modern threats, while improved PowerShell cmdlets streamline automation tasks. The new functional levels support advanced features like enhanced authentication protocols and better integration with Azure Active Directory. For organizations building new domains or upgrading existing infrastructure, Server 2025 provides the most secure and feature-rich AD DS platform available.
While the core installation process remains familiar, Server 2025 includes refined wizards with better validation checks and clearer error messages. The prerequisites checker is more thorough, catching potential issues before they cause deployment failures. PowerShell deployment options have been expanded with new parameters for cloud-hybrid scenarios, making automated deployments more reliable and flexible than ever before.
Before installing AD DS, configure your server's network settings properly. Open the Network and Sharing Center and set a static IP address.
Navigate to Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings. Right-click your network adapter and select Properties.
Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Configure these settings:
IP address: 192.168.1.10 (example)
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1
Preferred DNS server: 127.0.0.1
Alternate DNS server: 8.8.8.8Setting the preferred DNS to 127.0.0.1 (localhost) is crucial because your server will become the DNS server for the domain.
Verification: Run ipconfig /all in Command Prompt to confirm your static IP configuration is active.
Open Server Manager from the taskbar or Start menu. Click Manage in the top-right corner and select Add Roles and Features.
The Add Roles and Features Wizard opens. Click Next on the Before You Begin page, then select Role-based or feature-based installation and click Next.
Select your target server from the server pool (it should be highlighted by default) and click Next.
In the Server Roles page, scroll down and check Active Directory Domain Services. A popup appears asking to add required features - click Add Features to include the management tools.
Click Next through the Features page (no additional features needed), then Next on the AD DS information page.
Review your selections on the Confirmation page and click Install. The installation takes 2-3 minutes.
Verification: After installation completes, you'll see a notification flag in Server Manager with a yellow warning triangle. This indicates the role is installed but not configured yet.
In Server Manager, click the notification flag (yellow triangle with exclamation mark) and select Promote this server to a domain controller.
The Active Directory Domain Services Configuration Wizard launches. On the Deployment Configuration page, select Add a new forest since you're creating a new domain.
Enter your root domain name in the Root domain name field. Use a proper FQDN format like contoso.com or company.local. Avoid single-label names or .local if you plan internet integration.
Root domain name: contoso.comClick Next to proceed to domain controller options.
Verification: The wizard validates your domain name format. Invalid names (like single words or reserved names) will show an error.
On the Domain Controller Options page, configure the functional levels and services:
Set both Forest functional level and Domain functional level to Windows Server 2025. This enables all the latest AD features and security enhancements.
Ensure Domain Name System (DNS) server is checked. This automatically installs and configures DNS, which is required for AD DS.
Leave Global Catalog (GC) checked - the first domain controller in a forest must be a GC.
Enter a strong Directory Services Restore Mode (DSRM) password. This is used for offline AD maintenance:
DSRM Password: ComplexPassword123!
Confirm Password: ComplexPassword123!Click Next to continue.
Verification: The wizard checks password complexity requirements. Weak passwords will trigger validation errors.
On the DNS Options page, you may see a warning about DNS delegation. For a new forest, this is normal and expected. The warning states that a delegation cannot be created because the authoritative parent zone cannot be found.
Leave Create DNS delegation unchecked and click Next.
On the Additional Options page, the wizard automatically generates a NetBIOS domain name based on your FQDN. For contoso.com, it suggests CONTOSO.
NetBIOS domain name: CONTOSOYou can modify this if needed, but the default is usually appropriate. The NetBIOS name must be 15 characters or less and contain only letters, numbers, and hyphens.
Click Next to proceed.
Verification: The wizard validates NetBIOS name uniqueness on your network segment.
On the Paths page, specify locations for the AD database, log files, and SYSVOL folder. The default locations are:
Database folder: C:\Windows\NTDS
Log files folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOLFor production environments, consider separating these components:
For this tutorial, accept the defaults and click Next.
Verification: The wizard checks that specified paths exist and have sufficient free space (minimum 200 MB for database, 50 MB for logs).
The Review Options page displays a summary of your configuration. Review all settings carefully:
Forest name: contoso.com
Domain name: contoso.com
NetBIOS name: CONTOSO
Functional levels: Windows Server 2025
DNS Server: Yes
Global Catalog: YesClick Next to run the prerequisites check. This critical step validates your server configuration and identifies potential issues.
The prerequisites check examines:
If the check passes, you'll see green checkmarks. Any warnings (yellow) should be reviewed but don't prevent installation. Errors (red) must be resolved before proceeding.
Verification: All prerequisite checks show green checkmarks or acceptable warnings. The Install button becomes enabled.
After the prerequisites check passes, click Install to begin the domain controller promotion process.
The installation progress shows several phases:
The process takes 10-15 minutes depending on your hardware. The server will automatically reboot 1-2 times during promotion.
After the final reboot, log in with your domain administrator credentials:
Username: CONTOSO\Administrator
Password: [Your original local admin password]Verification: The login screen shows your domain name (CONTOSO) in the username field, and Server Manager displays the AD DS role as running.
Open Active Directory Users and Computers from the Start menu or Server Manager Tools menu. You should see your domain structure with default organizational units:
Verify DNS configuration by opening DNS Manager. You should see forward and reverse lookup zones for your domain:
Forward Lookup Zones:
- contoso.com
- _msdcs.contoso.com
Reverse Lookup Zones:
- 192.168.1.x Subnet (if configured)Test domain functionality with PowerShell commands:
Get-ADDomain
Get-ADForest
Get-ADDomainControllerThese commands should return information about your newly created domain without errors.
dsquery user to list all domain users.Verification: Run dcdiag /v in Command Prompt to perform comprehensive domain controller diagnostics. All tests should pass or show acceptable warnings.
Complete your AD DS setup with essential security configurations. First, configure Windows Firewall rules for AD DS services:
Enable-NetFirewallRule -DisplayGroup "Active Directory Domain Services"
Enable-NetFirewallRule -DisplayGroup "DNS Service"Create additional organizational units for better management:
New-ADOrganizationalUnit -Name "Corporate Users" -Path "DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Servers" -Path "DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Workstations" -Path "DC=contoso,DC=com"Configure Group Policy settings by opening Group Policy Management from Server Manager Tools. Create a baseline security policy for your domain.
Set up regular AD backups using Windows Server Backup:
Install-WindowsFeature Windows-Server-Backup
wbadmin enable backup -addtarget:E: -schedule:02:00 -include:C:\Windows\NTDS,C:\Windows\SYSVOLEnable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target contoso.com to protect against accidental deletions.Verification: Run repadmin /showrepl to verify replication is working correctly, even with a single domain controller.
Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
Deepen your knowledge with related resources
Share your thoughts and insights
Sign in to join the discussion