How to Configure Windows Server 2019 Initial Settings
After installing Windows Server 2019, several initial configuration tasks must be completed before the server is ready for production use. This includes setting the hostname, assigning a static IP address, configuring the time zone, joining a domain, enabling remote management, and setting up basic security policies. Completing these steps correctly from the start prevents problems down the line and ensures the server integrates properly with your network infrastructure.
Setting the Computer Name
Every server should have a meaningful, descriptive hostname that identifies its role and location. Avoid the default random names like WIN-A1B2C3D4E5F. Use a naming convention such as LOCATION-ROLE-NUMBER (e.g., NYC-DC01, LON-FS02). To rename the server using PowerShell:
Rename-Computer -NewName "NYC-WEB01" -Restart
Or without an immediate restart:
Rename-Computer -NewName "NYC-WEB01"
Restart-Computer -Confirm
Via the GUI: Right-click on the Start button, select System, click “Rename this PC,” enter the new name, and restart when prompted. After the restart, verify the new name:
$env:COMPUTERNAME
# or
hostname
Configuring a Static IP Address
Servers should always use static IP addresses rather than DHCP-assigned addresses. A server with a changing IP address would break DNS records, client connections, and service configurations. Use PowerShell to configure a static IP:
# Get the current network adapter name
Get-NetAdapter
# Set static IP address (replace values with your network details)
New-NetIPAddress -InterfaceAlias "Ethernet" `
-IPAddress 192.168.1.10 `
-PrefixLength 24 `
-DefaultGateway 192.168.1.1
# Set DNS server addresses
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" `
-ServerAddresses 192.168.1.1, 8.8.8.8
If the adapter already has a DHCP-assigned address, remove it first:
Remove-NetIPAddress -InterfaceAlias "Ethernet" -Confirm:$false
Remove-NetRoute -InterfaceAlias "Ethernet" -Confirm:$false
Verify the configuration:
Get-NetIPAddress -InterfaceAlias "Ethernet"
Get-DnsClientServerAddress -InterfaceAlias "Ethernet"
ipconfig /all
Setting the Time Zone and NTP Configuration
Accurate time is critical for Kerberos authentication, event log correlation, and certificate validation. All servers in a domain should synchronize time from a reliable source. Set the correct time zone first:
# List all available time zones
Get-TimeZone -ListAvailable
# Set the time zone
Set-TimeZone -Id "Eastern Standard Time"
# Verify
Get-TimeZone
Configure the Windows Time service to synchronize with an external NTP server:
w32tm /config /manualpeerlist:"time.windows.com,0x8 pool.ntp.org,0x8" /syncfromflags:manual /reliable:YES /update
Restart-Service W32Time
w32tm /resync
w32tm /query /status
For domain members, time sync is handled automatically via the domain hierarchy with the PDC Emulator at the top. Only configure external NTP on the PDC Emulator or standalone servers.
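The rule above can be applied from the machine's domain role. This is an added example, not part of the original guide: it sets external NTP peers only on a standalone machine or the PDC Emulator and points every other domain member at the domain hierarchy. The function name Set-TimeSourceByRole is hypothetical; the peer list reuses the servers shown above.

```powershell
# Added example: choose the time source from the machine's domain role.
# Set-TimeSourceByRole is a hypothetical helper name, not a built-in cmdlet.
function Set-TimeSourceByRole {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$PeerList = 'time.windows.com,0x8 pool.ntp.org,0x8'
    )

    # Win32_ComputerSystem.DomainRole:
    #   0, 2 = standalone workstation/server   1, 3 = domain member
    #   4    = backup domain controller        5    = primary DC (PDC Emulator)
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole

    if ($role -in 0, 2, 5) {
        $w32tmArgs = @('/config', "/manualpeerlist:$PeerList",
                       '/syncfromflags:manual', '/reliable:YES', '/update')
        $source = 'external NTP peers'
    }
    else {
        # Domain members and non-PDC domain controllers follow the domain hierarchy
        $w32tmArgs = @('/config', '/syncfromflags:domhier', '/reliable:NO', '/update')
        $source = 'domain hierarchy'
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set time source to $source")) {
        & w32tm.exe @w32tmArgs
        Restart-Service -Name W32Time
        & w32tm.exe /resync
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DomainRole   = $role
        TimeSource   = $source
    }
}

# Preview the decision without changing anything
Set-TimeSourceByRole -WhatIf
```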
Joining an Active Directory Domain
Most servers should be domain members for centralized management, Group Policy application, and Kerberos authentication. Ensure the server’s DNS points to a domain controller before joining:
# Verify DNS resolves the domain
Resolve-DnsName yourdomain.com
# Join the domain
Add-Computer -DomainName "yourdomain.com" `
-Credential (Get-Credential) `
-OUPath "OU=Servers,DC=yourdomain,DC=com" `
-Restart
The -OUPath parameter places the computer object in a specific Organizational Unit rather than the default Computers container. After restart, verify domain membership:
(Get-WmiObject Win32_ComputerSystem).Domain
Enabling Windows Remote Management
PowerShell remoting and WS-Management enable remote administration without requiring RDP. Configure WinRM for remote management:
# Enable PowerShell remoting
Enable-PSRemoting -Force
# Verify WinRM is listening
Get-WSManInstance -ResourceURI winrm/config/listener -SelectorSet @{Address="*"; Transport="HTTP"}
# Configure WinRM for HTTPS (recommended for production)
# First, ensure a certificate exists in the local machine store
$cert = New-SelfSignedCertificate -DnsName "NYC-WEB01.yourdomain.com" -CertStoreLocation Cert:\LocalMachine\My
New-WSManInstance -ResourceUri winrm/config/Listener `
-SelectorSet @{Address="*"; Transport="HTTPS"} `
-ValueSet @{Hostname="NYC-WEB01.yourdomain.com"; CertificateThumbprint=$cert.Thumbprint}
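Enable-PSRemoting opens the firewall for the HTTP listener only, so the HTTPS listener created above also needs an inbound rule for TCP 5986. The following added example (not part of the original guide) makes the listener setup repeatable and limits that rule to one subnet; the function name Enable-WinRmHttps and the 192.168.1.0/24 management subnet are assumptions.

```powershell
# Added example: create the HTTPS listener only if missing, then open TCP 5986 to one subnet.
# Enable-WinRmHttps and the default management subnet are assumptions for illustration.
function Enable-WinRmHttps {
    param(
        [string]$Fqdn = 'NYC-WEB01.yourdomain.com',
        [string]$ManagementSubnet = '192.168.1.0/24'
    )
    $ErrorActionPreference = 'Stop'

    # Reuse an unexpired certificate for this name that has a private key; create one otherwise.
    # A self-signed certificate must still be trusted by the connecting client.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
                       $_.DnsNameList.Unicode -contains $Fqdn } |
        Sort-Object -Property NotAfter -Descending |
        Select-Object -First 1
    if (-not $cert) {
        $cert = New-SelfSignedCertificate -DnsName $Fqdn -CertStoreLocation Cert:\LocalMachine\My
    }

    # Skip listener creation when an HTTPS listener already exists
    $listener = Get-ChildItem -Path WSMan:\localhost\Listener |
        Where-Object { $_.Keys -contains 'Transport=HTTPS' }
    if (-not $listener) {
        New-WSManInstance -ResourceURI winrm/config/Listener `
            -SelectorSet @{ Address = '*'; Transport = 'HTTPS' } `
            -ValueSet @{ Hostname = $Fqdn; CertificateThumbprint = $cert.Thumbprint } | Out-Null
    }

    # Allow WinRM over HTTPS only from the management subnet
    $ruleName = 'WinRM HTTPS-In (TCP 5986)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 5986 -RemoteAddress $ManagementSubnet -Action Allow | Out-Null
    }

    [pscustomobject]@{
        Hostname      = $Fqdn
        Thumbprint    = $cert.Thumbprint
        CertExpires   = $cert.NotAfter
        AllowedSubnet = $ManagementSubnet
    }
}

Enable-WinRmHttps
```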
Configuring Remote Desktop
Enable Remote Desktop for GUI-based remote management. Note that Server Core should primarily be managed via PowerShell remoting or Windows Admin Center, but Desktop Experience servers often need RDP:
# Enable Remote Desktop
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server" `
-Name "fDenyTSConnections" -Value 0
# Enable the firewall rule for RDP
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# Optionally require Network Level Authentication (NLA) for security
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" `
-Name "UserAuthentication" -Value 1
To restrict which users can connect via RDP, add them to the “Remote Desktop Users” local group:
Add-LocalGroupMember -Group "Remote Desktop Users" -Member "DOMAIN\username"
Configuring Windows Firewall Baseline
Windows Firewall with Advanced Security should remain enabled. Configure a baseline by enabling necessary firewall rules and disabling unneeded ones:
# Verify firewall is active for all profiles
Get-NetFirewallProfile | Select-Object Name, Enabled
# Enable firewall for all profiles if disabled
Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled True
# Allow ICMPv4 echo (ping) for troubleshooting
New-NetFirewallRule -DisplayName "Allow ICMPv4-In" `
-Protocol ICMPv4 -IcmpType 8 `
-Direction Inbound -Action Allow
Disabling Unnecessary Services
Reduce the attack surface by disabling services that are not required for the server’s role:
# View all running services
Get-Service | Where-Object {$_.Status -eq "Running"} | Sort-Object DisplayName
# Disable a specific service (example: Bluetooth Support Service)
Stop-Service -Name bthserv
Set-Service -Name bthserv -StartupType Disabled
# Disable Print Spooler if not a print server
Stop-Service -Name Spooler
Set-Service -Name Spooler -StartupType Disabled
Configuring Windows Event Logging
Increase event log sizes and configure forwarding to a central log server. Larger log sizes prevent events from rolling over and losing historical audit data:
# Set Security event log to 1 GB
wevtutil sl Security /ms:1073741824
# Set Application event log to 256 MB
wevtutil sl Application /ms:268435456
# Set System event log to 256 MB
wevtutil sl System /ms:268435456
# Verify settings
wevtutil gl Security | findstr /i "maxSize"
Setting Strong Password Policy via Local Security Policy
For standalone servers not subject to domain Group Policy, configure the local password policy:
# View current password policy
net accounts
# Set password policy using net accounts
net accounts /minpwlen:12
net accounts /maxpwage:90
net accounts /minpwage:1
net accounts /uniquepw:5
net accounts /lockoutthreshold:5
net accounts /lockoutduration:30
Verifying System Information
After completing initial configuration, verify system details and ensure everything is set correctly:
# Full system information
systeminfo
# Or using PowerShell for structured output
Get-ComputerInfo | Select-Object CsName, OsName, OsVersion, CsDomain, CsWorkgroup, OsArchitecture, CsProcessors, CsTotalPhysicalMemory
# Check disk space
Get-PSDrive -PSProvider FileSystem | Select-Object Name, Used, Free
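The security-relevant settings from the earlier sections can be checked in one pass. This is an added example, not part of the original guide: a read-only function that compares the live configuration against the values used above and reports each result. The function name Test-InitialBaseline is hypothetical, and it assumes an elevated session.

```powershell
# Added example: read-only check of settings applied in this guide. Run elevated.
# Test-InitialBaseline is a hypothetical helper name, not a built-in cmdlet.
function Test-InitialBaseline {
    $ErrorActionPreference = 'Stop'   # turn cmdlet errors into catchable failures
    $rdpTcp = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

    $checks = [ordered]@{
        'Hostname is not a default WIN-* name' = { $env:COMPUTERNAME -notlike 'WIN-*' }
        'Firewall enabled on all profiles'     = {
            -not (Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
        }
        'RDP requires NLA'                     = {
            (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
        }
        'WinRM HTTPS listener present'         = {
            [bool](Get-ChildItem -Path WSMan:\localhost\Listener |
                Where-Object { $_.Keys -contains 'Transport=HTTPS' })
        }
        # Only meaningful when the server is not a print server
        'Print Spooler disabled'               = { (Get-Service -Name Spooler).StartType -eq 'Disabled' }
        'Security log is at least 1 GB'        = { (Get-WinEvent -ListLog Security).MaximumSizeInBytes -ge 1GB }
        'Application log is at least 256 MB'   = { (Get-WinEvent -ListLog Application).MaximumSizeInBytes -ge 256MB }
        'System log is at least 256 MB'        = { (Get-WinEvent -ListLog System).MaximumSizeInBytes -ge 256MB }
    }

    foreach ($name in $checks.Keys) {
        try {
            $passed = [bool](& $checks[$name])
            $detail = ''
        }
        catch {
            # A missing key, service or listener counts as a failed check
            $passed = $false
            $detail = $_.Exception.Message
        }
        [pscustomobject]@{ Check = $name; Passed = $passed; Detail = $detail }
    }
}

Test-InitialBaseline | Format-Table -AutoSize
```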
With these initial settings configured, Windows Server 2019 is ready for role-specific configuration. Consistent initial configuration across all servers in your environment simplifies management, improves security, and reduces troubleshooting time. Document all configuration choices including IP addresses, hostnames, and role assignments in your infrastructure documentation.