How to Install and Configure Active Directory Domain Services (AD DS) on Windows Server 2025
Active Directory Domain Services (AD DS) is the cornerstone of Windows enterprise networking, providing centralized identity management, authentication, and authorization for users, computers, and resources across an organization. Windows Server 2025 brings incremental improvements to AD DS, including enhanced security defaults, improved Kerberos support, and tighter integration with cloud-based identity providers like Microsoft Entra ID. This tutorial walks you through every step of a fresh AD DS deployment — from preparing your server environment through verifying a fully functional domain — so you have a reliable foundation for your Windows infrastructure.
Prerequisites
- A physical or virtual machine running Windows Server 2025 (Standard or Datacenter edition)
- At minimum 2 vCPUs, 4 GB RAM, and 60 GB of disk space for the system volume
- A statically assigned IP address — DHCP-assigned addresses are unsuitable for domain controllers
- The server’s preferred DNS server should point to itself (127.0.0.1) or to a known DNS server that will be updated after promotion
- A strong password ready for the Directory Services Restore Mode (DSRM) account
- Local administrator credentials on the target server
- PowerShell 5.1 or later (included with Windows Server 2025)
Step 1: Assign a Static IP Address
Before installing any server role, your future domain controller must have a fixed IP address. Using PowerShell, identify your active network adapter and configure it appropriately. The example below uses the Get-NetAdapter and New-NetIPAddress cmdlets to set a static IPv4 address, default gateway, and DNS server pointing back to the local machine.
# Identify the active network adapter
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' }
# Set a static IP (adjust InterfaceAlias, IPAddress, and gateway to match your environment)
New-NetIPAddress `
-InterfaceAlias "Ethernet" `
-IPAddress "192.168.10.10" `
-PrefixLength 24 `
-DefaultGateway "192.168.10.1"
# Point DNS to the local machine (itself) so AD DNS updates correctly after promotion
Set-DnsClientServerAddress `
-InterfaceAlias "Ethernet" `
-ServerAddresses "127.0.0.1"
# Verify the configuration
Get-NetIPAddress -InterfaceAlias "Ethernet"
Get-DnsClientServerAddress -InterfaceAlias "Ethernet"
Confirm connectivity by pinging your gateway and an external address before continuing.
Step 2: Install the AD DS Windows Feature
The AD DS role and its management tools are installed via the Install-WindowsFeature cmdlet. The -IncludeManagementTools flag pulls in the Remote Server Administration Tools (RSAT) for AD, including Active Directory Administrative Center, Active Directory Users and Computers, and the Group Policy Management Console.
# Install the AD DS role and all associated management tools
Install-WindowsFeature `
-Name AD-Domain-Services `
-IncludeManagementTools `
-Verbose
# Verify the installation completed successfully
Get-WindowsFeature AD-Domain-Services
The output should show the feature as Installed with an X in the display. No reboot is required at this stage; the feature is staged and ready for promotion.
Step 3: Promote the Server — Create a New Forest
Promoting the server to a domain controller and establishing a new Active Directory forest is accomplished with Install-ADDSForest. Choosing the correct ForestMode and DomainMode determines which AD features are available. For a pure Windows Server 2025 environment, use WinThreshold (Windows Server 2016 functional level — the highest level currently recognized by the PowerShell enum; Windows Server 2025 DCs operate at this level and above).
# Store the DSRM password securely
$DSRMPassword = Read-Host -Prompt "Enter DSRM Password" -AsSecureString
# Promote this server to the first DC in a new forest
Install-ADDSForest `
-DomainName "corp.example.com" `
-DomainNetBIOSName "CORP" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-SafeModeAdministratorPassword $DSRMPassword `
-InstallDns:$true `
-CreateDnsDelegation:$false `
-DatabasePath "C:WindowsNTDS" `
-SysvolPath "C:WindowsSYSVOL" `
-LogPath "C:WindowsNTDS" `
-NoRebootOnCompletion:$false `
-Force:$true
The promotion process configures the local DNS server, creates the NTDS database and SYSVOL share, and then automatically reboots the server. The reboot is mandatory — the domain controller is not operational until it restarts.
Step 4: Verify the Active Directory Installation
After the server reboots, log in with the domain administrator account (CORPAdministrator). Open an elevated PowerShell session and confirm that the domain and forest are healthy.
# Verify domain information
Get-ADDomain
# Verify forest information
Get-ADForest
# Check that the domain controller is properly registered
Get-ADDomainController -Filter *
# Run dcdiag to validate DC health
dcdiag /test:dns /test:replications /test:services /v
The Get-ADDomain output should show DomainMode: Windows2016Domain (the WinThreshold level), and Get-ADForest should confirm ForestMode: Windows2016Forest. Ensure dcdiag reports no failures.
Step 5: Configure DNS Forwarders After Promotion
Once the DC is up, its DNS server handles all name resolution for the domain zone. External name resolution (e.g., internet addresses) must be forwarded to an upstream DNS server. Without forwarders, clients joined to the domain may fail to resolve public hostnames.
# Add forwarders to upstream DNS servers (e.g., your ISP or public resolvers)
Add-DnsServerForwarder -IPAddress "8.8.8.8" -PassThru
Add-DnsServerForwarder -IPAddress "8.8.4.4" -PassThru
# Verify forwarders are configured
Get-DnsServerForwarder
# Test external resolution from the DC
Resolve-DnsName "www.microsoft.com"
Step 6: Create an Active Directory Site
AD Sites represent the physical or logical network topology of your organization. Even in a single-site deployment, it is good practice to rename the default Default-First-Site-Name and associate your subnets with it so that site-aware services like DFS and SYSVOL replication work correctly.
# Rename the default site to something meaningful
Get-ADReplicationSite -Filter * | Rename-ADObject -NewName "HQ-London"
# Create a subnet and associate it with the site
New-ADReplicationSubnet `
-Name "192.168.10.0/24" `
-Site "HQ-London" `
-Location "London Headquarters"
# Verify
Get-ADReplicationSite -Filter *
Get-ADReplicationSubnet -Filter *
Step 7: Review Forest and Domain Functional Levels
Functional levels control which AD features are available and which Windows Server versions can act as domain controllers. Once all DCs in the domain or forest run Windows Server 2025, you can raise the functional level — though the practical benefit is primarily unlocking features that require all older DC versions to be retired.
# Check current functional levels
(Get-ADDomain).DomainMode
(Get-ADForest).ForestMode
# To raise the domain functional level (only after all DCs are at the target version)
Set-ADDomainMode -Identity "corp.example.com" -DomainMode Windows2016Domain
# To raise the forest functional level
Set-ADForestMode -Identity "corp.example.com" -ForestMode Windows2016Forest
Domain vs. Workgroup
A workgroup is a peer-to-peer network where each computer manages its own local user accounts and security policies — suitable only for very small environments. A domain provides centralized management: user accounts, group policies, software deployment, and security settings are all administered from domain controllers. For any organization with more than a handful of computers or users, a domain is the appropriate architecture. To join an existing Windows Server 2025 machine to your new domain, use:
# Join a member server to the domain
Add-Computer `
-DomainName "corp.example.com" `
-Credential (Get-Credential) `
-OUPath "OU=Servers,DC=corp,DC=example,DC=com" `
-Restart
Conclusion
You now have a fully operational Active Directory Domain Services environment running on Windows Server 2025. Starting from a clean static IP configuration, you installed the AD DS role, promoted the server to the first domain controller in a new forest, configured DNS forwarders for external resolution, and established proper site and subnet definitions. This foundation supports every downstream service — Group Policy, file shares, certificate authorities, and more — that your organization will build on top of Active Directory. As your environment grows, you will want to add at least one additional domain controller for redundancy, a process covered in the next tutorial in this series.
