How to Set Up Active Directory Domain Services on Windows Server 2019
Active Directory Domain Services (AD DS) is the cornerstone of Windows enterprise identity management. It provides centralized authentication and authorization using Kerberos and LDAP, enables Group Policy for configuration management, and creates a hierarchical structure of domains, trees, and forests. This guide walks through promoting a Windows Server 2019 machine to a domain controller, covering both new forest creation and adding a domain controller to an existing domain.
Prerequisites
Before promoting the server, give it a static IP address, decide on the fully qualified domain name (FQDN) the forest will use (for example corp.example.com; see the naming advice under "Creating a New Forest"), and point the server's DNS client at itself (127.0.0.1 or its own IP address), because the promotion installs the DNS Server role on it. Plan for at least 2 GB of RAM and 32 GB of disk space for the AD database (NTDS), SYSVOL and logs. On production domain controllers, place the NTDS database and logs on a dedicated volume rather than the OS drive. Also confirm the clock is synchronised with a reliable time source: Kerberos rejects tickets from clients whose clocks differ by more than five minutes by default.
# Verify static IP is configured
Get-NetIPAddress -InterfaceAlias "Ethernet" -AddressFamily IPv4
# Set DNS to point to itself for DC promotion
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 127.0.0.1
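The checks above can be folded into one pre-flight function that refuses to proceed until every prerequisite holds. This is an added example, not code from the original guide; it assumes Windows PowerShell 5.1 on Server 2019 (the NetTCPIP and Storage modules are built in), an interface alias of "Ethernet", and a planned domain name supplied by the caller.

```powershell
# Added pre-promotion check; not part of the original guide. Assumes the NIC
# alias "Ethernet" and a planned domain name supplied by the caller.
function Test-DcPrerequisites {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$InterfaceAlias = "Ethernet",
        [int]$MinFreeGB = 32
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # Static IPv4: a DHCP lease reports PrefixOrigin 'Dhcp', a static address 'Manual'.
    # APIPA (169.254/16) addresses are ignored so a dead NIC is not mistaken for a real one.
    $ip = Get-NetIPAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '169.254.*' } | Select-Object -First 1
    if (-not $ip) {
        $findings.Add("No IPv4 address on $InterfaceAlias")
    } elseif ($ip.PrefixOrigin -ne 'Manual') {
        $findings.Add("$($ip.IPAddress) is not static (PrefixOrigin=$($ip.PrefixOrigin))")
    }

    # The DNS client must resolve through this host, which becomes the DNS server.
    $dns = (Get-DnsClientServerAddress -InterfaceAlias $InterfaceAlias -AddressFamily IPv4).ServerAddresses
    if ($ip -and -not ($dns -contains '127.0.0.1' -or $dns -contains $ip.IPAddress)) {
        $findings.Add("DNS servers [$($dns -join ', ')] do not point at this host")
    }

    # Free space on the system drive for NTDS, SYSVOL and logs.
    $vol    = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
    $freeGB = [math]::Round($vol.SizeRemaining / 1GB, 1)
    if ($freeGB -lt $MinFreeGB) { $findings.Add("Only $freeGB GB free on $env:SystemDrive") }

    # Naming: .local is reserved for mDNS, and a single-label name breaks
    # DNS-based domain controller location.
    if ($DomainName -match '\.local$') { $findings.Add("$DomainName uses the reserved .local suffix") }
    if ($DomainName -notmatch '\.')    { $findings.Add("$DomainName is a single-label domain name") }

    [pscustomobject]@{
        Ready    = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

# Usage: stop before Install-ADDSForest if anything is flagged.
$check = Test-DcPrerequisites -DomainName "corp.example.com"
if (-not $check.Ready) { $check.Findings | ForEach-Object { Write-Warning $_ } }
```

Run it as the local administrator on the server you are about to promote; every finding it reports is something the promotion wizard would otherwise discover halfway through.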
Installing the AD DS Role
Install the Active Directory Domain Services role and management tools using PowerShell. This does not yet promote the server to a domain controller — it only installs the binaries and management snap-ins:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# Verify installation
Get-WindowsFeature -Name AD-Domain-Services
The management tools installed include Active Directory Users and Computers (ADUC), Active Directory Sites and Services, Active Directory Domains and Trusts, Group Policy Management Console (GPMC), and the ADDSDeployment PowerShell module.
Creating a New Forest (First Domain Controller)
If this is the first domain controller in a new environment, you will create a new Active Directory forest. The forest root domain is the most important domain in the environment, and renaming it later is a disruptive multi-step procedure, so plan its name carefully. Use a subdomain of a DNS name you own (e.g., corp.example.com) so the name is globally unique and can never collide with a zone somebody else controls. Avoid .local: it is reserved for multicast DNS (RFC 6762), so Apple and Linux clients resolve it differently, and public certificate authorities no longer issue TLS certificates for names that are not publicly resolvable. Avoid single-label names (no dot) as well, because DNS-based domain controller location does not work with them.
Import-Module ADDSDeployment
# Prompt for the DSRM password instead of embedding it in the script or shell history
$dsrmPassword = Read-Host -AsSecureString "DSRM (Safe Mode) administrator password"
Install-ADDSForest `
-DomainName "corp.example.com" `
-DomainNetbiosName "CORP" `
-ForestMode "WinThreshold" `
-DomainMode "WinThreshold" `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-InstallDns:$true `
-NoRebootOnCompletion:$false `
-SafeModeAdministratorPassword $dsrmPassword `
-Force:$true
-ForestMode "WinThreshold" and -DomainMode "WinThreshold" select the Windows Server 2016 functional level; Windows Server 2019 introduced no new level, so 2016 is the highest available. -InstallDns installs the DNS Server role and creates the forward lookup zone for the domain, and -Force suppresses the confirmation prompts. To see what the promotion would do without changing anything, run Test-ADDSForestInstallation with the same parameters first. The Safe Mode Administrator Password is the local password for Directory Services Restore Mode (DSRM), used for offline AD recovery; it is not replicated anywhere, so record it in your password vault.
The server restarts automatically after promotion. After the reboot, log in as CORP\Administrator. If the promotion failed, the details are in C:\Windows\debug\dcpromo.log.
Adding a Domain Controller to an Existing Domain
Adding a second (or further) domain controller provides redundancy and spreads the authentication load. Every writable domain controller holds a complete read-write replica of its domain partition (read-only domain controllers, which this guide does not cover, hold a filtered read-only copy). Before promoting the new server, point its DNS client at an existing domain controller so it can locate the domain; Test-ADDSDomainControllerInstallation accepts the same parameters as the promotion cmdlet and reports problems without promoting:
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 192.168.1.10
# Install the AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
# Promote to additional domain controller
Import-Module ADDSDeployment
Install-ADDSDomainController `
-DomainName "corp.example.com" `
-InstallDns:$true `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-SiteName "Default-First-Site-Name" `
-Credential (Get-Credential "CORP\Administrator") `
-SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM (Safe Mode) administrator password") `
-NoRebootOnCompletion:$false `
-Force:$true
Verifying Active Directory After Promotion
After the server reboots and the AD DS role is fully initialized, verify the domain controller is functioning correctly:
# Check AD DS service status (ntds is the directory service itself; dfsr replicates SYSVOL)
Get-Service ntds, adws, dns, kdc, netlogon, dfsr | Select-Object Name, Status
# Verify domain information
Get-ADDomain
# Verify forest information
Get-ADForest
# Check FSMO roles (Flexible Single Master Operations)
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
# Run dcdiag for a comprehensive health check (/c runs every test except DcPromo and RegisterInDNS; add /q to print only failures)
dcdiag /c /v
# Check replication status (for multiple DCs)
repadmin /showrepl
repadmin /replsummary
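The individual commands above answer one question each. The function below, an added example rather than code from the original guide, combines them into a single pass/fail report: services, the SYSVOL and NETLOGON shares, reachability of every FSMO role holder, replication failures parsed from repadmin's CSV output, and dcdiag's quiet mode. It assumes it runs on the promoted domain controller with the ActiveDirectory module available, and it changes nothing.

```powershell
# Added health report; not from the original guide. Runs on the promoted DC
# with the ActiveDirectory module loaded. Everything here is read-only.
function Get-DcHealthReport {
    # Services a DC must be running; 'dfsr' replicates SYSVOL on a 2016-level forest.
    $services = Get-Service -Name ntds, adws, dns, kdc, netlogon, dfsr |
        Select-Object Name, Status
    $stopped  = @($services | Where-Object Status -ne 'Running')

    # SYSVOL and NETLOGON must be shared before Group Policy and logon scripts work.
    $shares        = @(Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue)
    $missingShares = @('SYSVOL', 'NETLOGON' | Where-Object { $_ -notin $shares.Name })

    # Each FSMO role holder must be reachable over LDAP (TCP 389).
    $domain  = Get-ADDomain
    $forest  = Get-ADForest
    $holders = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
                 $forest.SchemaMaster, $forest.DomainNamingMaster) | Sort-Object -Unique
    $unreachable = @($holders | Where-Object {
        -not (Test-NetConnection -ComputerName $_ -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue)
    })

    # repadmin /csv is machine-readable; a non-zero 'Number of Failures' column
    # is the replication fault to chase. A lone DC simply returns no rows.
    $repl = repadmin /showrepl * /csv 2>$null | ConvertFrom-Csv
    $replFailures = @($repl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status')

    # dcdiag /q prints only failures; empty output means every test passed.
    $dcdiagErrors = @(dcdiag /q 2>&1 | Where-Object { "$_".Trim() })

    [pscustomobject]@{
        Healthy             = ($stopped.Count -eq 0 -and $missingShares.Count -eq 0 -and
                               $unreachable.Count -eq 0 -and $replFailures.Count -eq 0 -and
                               $dcdiagErrors.Count -eq 0)
        StoppedServices     = $stopped
        MissingShares       = $missingShares
        UnreachableFsmo     = $unreachable
        ReplicationFailures = $replFailures
        DcdiagErrors        = $dcdiagErrors
    }
}

Get-DcHealthReport | Format-List
```

Schedule it after every promotion and after patch reboots; a report that is Healthy but shows replication rows with a recent Last Failure Status is still worth reading, since repadmin only counts consecutive failures.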
Creating Organizational Units
Organizational Units (OUs) are containers used to organize AD objects and apply Group Policy. Create a logical OU structure that reflects your organization:
# Create top-level OUs
New-ADOrganizationalUnit -Name "Corp" -Path "DC=corp,DC=example,DC=com" -ProtectedFromAccidentalDeletion $true
# Create sub-OUs
New-ADOrganizationalUnit -Name "Users" -Path "OU=Corp,DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Computers" -Path "OU=Corp,DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Servers" -Path "OU=Corp,DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=Corp,DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Service Accounts" -Path "OU=Corp,DC=corp,DC=example,DC=com"
# Verify OU structure
Get-ADOrganizationalUnit -Filter * | Select-Object Name, DistinguishedName | Sort-Object Name
Creating User Accounts
Create AD user accounts for your organization. Use consistent naming conventions such as first initial + last name (jdoe) or first.last (john.doe):
# Create a single user account
New-ADUser `
-Name "John Doe" `
-GivenName "John" `
-Surname "Doe" `
-SamAccountName "jdoe" `
-UserPrincipalName "[email protected]" `
-Path "OU=Users,OU=Corp,DC=corp,DC=example,DC=com" `
-AccountPassword (ConvertTo-SecureString "TempP@ss123!" -AsPlainText -Force) `
-ChangePasswordAtLogon $true `
-Enabled $true `
-Department "IT" `
-Title "Systems Administrator" `
-Company "Example Corp"
# Verify user was created
Get-ADUser -Identity jdoe -Properties *
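Creating accounts one at a time with a shared temporary password does not scale and leaves the password in scripts and shell history. The following is an added example, not code from the original guide: it provisions users from CSV data with a per-user initial password drawn from the system CSPRNG. The CSV rows are constructed sample data, and the OU path and UPN suffix are assumptions that match the earlier examples.

```powershell
# Added bulk-provisioning example; not from the original guide. The CSV below
# is constructed sample data; the OU path and UPN suffix are assumptions.
$sampleCsv = @"
GivenName,Surname,SamAccountName,Department,Title
John,Doe,jdoe,IT,Systems Administrator
Jane,Roe,jroe,Finance,Accountant
"@

function New-InitialPassword {
    param([int]$Length = 20)
    # CSPRNG-backed, rejection-sampled so no character is favoured by modulo bias,
    # and regenerated until it satisfies the default complexity rule. Look-alike
    # characters (I, O, l, o, 0, 1) are left out because users must type it once.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)
    $buf   = New-Object byte[] 1
    do {
        $chars = New-Object System.Collections.Generic.List[char]
        while ($chars.Count -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
        }
        $pw = -join $chars
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]' -and $pw -match '[^A-Za-z0-9]')
    $pw
}

function New-UsersFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvText,
        [string]$OuPath    = "OU=Users,OU=Corp,DC=corp,DC=example,DC=com",
        [string]$UpnSuffix = "corp.example.com"
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $sam = $row.SamAccountName
        # sAMAccountName is limited to 20 characters; the allow-list also keeps
        # untrusted CSV content out of the LDAP filter string below.
        if ($sam -notmatch '^[a-z0-9._-]{1,20}$') { Write-Warning "Rejected name '$sam'"; continue }
        if (Get-ADUser -Filter "SamAccountName -eq '$sam'") { Write-Warning "$sam exists, skipping"; continue }

        $pw = New-InitialPassword
        New-ADUser -Name "$($row.GivenName) $($row.Surname)" -GivenName $row.GivenName -Surname $row.Surname `
            -SamAccountName $sam -UserPrincipalName "$sam@$UpnSuffix" -Path $OuPath `
            -Department $row.Department -Title $row.Title `
            -AccountPassword (ConvertTo-SecureString $pw -AsPlainText -Force) `
            -ChangePasswordAtLogon $true -Enabled $true

        # The one-time password goes to the onboarding channel, never to a log file.
        [pscustomobject]@{ SamAccountName = $sam; InitialPassword = $pw }
    }
}

New-UsersFromCsv -CsvText $sampleCsv
```

Because -ChangePasswordAtLogon is set, the generated value is only good for one interactive logon; hand it over out of band and do not redirect the function's output to a file.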
Creating Security Groups
Security groups control access to resources. Use the AGDLP (Account, Global group, Domain Local group, Permission) model for group nesting in multi-domain forests:
# Create a global security group
New-ADGroup `
-Name "IT-Admins" `
-GroupScope Global `
-GroupCategory Security `
-Path "OU=Groups,OU=Corp,DC=corp,DC=example,DC=com" `
-Description "IT Administrator group"
# Add user to group
Add-ADGroupMember -Identity "IT-Admins" -Members "jdoe"
# Verify group membership
Get-ADGroupMember -Identity "IT-Admins"
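AGDLP only pays off if the permission is granted to the Domain Local group alone and nobody is added to privileged groups directly. The block below is an added example, not code from the original guide: it builds one AGDLP chain, resolves a user's effective (nested) membership server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule, and reports every account that ends up in a built-in administrative group. The group names and OU path are assumptions for illustration.

```powershell
# Added AGDLP example and privileged-group audit; not from the original guide.
# Group names and the OU path are assumptions for illustration.
$groupsOu = "OU=Groups,OU=Corp,DC=corp,DC=example,DC=com"

# A -> G: accounts go into a Global role group. G -> DL: the role group is nested
# in a Domain Local group, the only principal ever granted the permission (P).
New-ADGroup -Name "Role-Finance-Staff"      -GroupScope Global      -GroupCategory Security -Path $groupsOu
New-ADGroup -Name "ACL-FinanceShare-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $groupsOu
Add-ADGroupMember -Identity "ACL-FinanceShare-Modify" -Members "Role-Finance-Staff"
Add-ADGroupMember -Identity "Role-Finance-Staff"      -Members "jdoe"

# Effective (nested) membership via the LDAP_MATCHING_RULE_IN_CHAIN OID, which the
# DC expands server-side; Get-ADPrincipalGroupMembership only lists direct groups.
function Get-EffectiveGroupMembership {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    # Escape the four characters that are special inside an LDAP filter (backslash first).
    $escaped = $dn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escaped)" |
        Select-Object Name, GroupScope, GroupCategory
}

# Who really holds privilege: expand the built-in admin groups recursively and
# surface stale or never-rotated accounts, the usual lateral-movement targets.
function Get-PrivilegedMemberReport {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                                'Administrators', 'Account Operators'))
    foreach ($g in $Groups) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        try { $members = Get-ADGroupMember -Identity $g -Recursive | Where-Object objectClass -eq 'user' }
        catch { continue }
        foreach ($m in $members) {
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires
            [pscustomobject]@{
                Group                = $g
                User                 = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordNeverExpires = $u.PasswordNeverExpires
                PasswordAgeDays      = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
                LastLogonDate        = $u.LastLogonDate
            }
        }
    }
}

Get-EffectiveGroupMembership -SamAccountName jdoe
Get-PrivilegedMemberReport | Sort-Object Group, User | Format-Table -AutoSize
```

After the chain is built, the effective-membership query for jdoe returns both Role-Finance-Staff and ACL-FinanceShare-Modify even though the user was only ever added to the first; that is exactly what the NTFS or share ACL on the resource sees in the user's token.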
Configuring AD Sites and Subnets
Active Directory Sites control replication topology and help clients find the nearest domain controller. Define sites for each physical location:
# Import the ActiveDirectory module (the Sites and Services cmdlets live here)
Import-Module ActiveDirectory
# Create a new site
New-ADReplicationSite -Name "London"
# Create a subnet and associate it with the site
New-ADReplicationSubnet -Name "10.10.0.0/24" -Site "London" -Location "London Office"
# Create a site link between sites for replication scheduling
New-ADReplicationSiteLink `
-Name "NYC-London" `
-SitesIncluded @("Default-First-Site-Name","London") `
-Cost 100 `
-ReplicationFrequencyInMinutes 180
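A site is only useful once subnets map client addresses to it; a client whose address matches no subnet is handed a random domain controller, frequently across the WAN. The check below is an added example, not code from the original guide. Test-SiteCoverage is read-only against the directory; Get-UncoveredClients parses the NO_CLIENT_SITE entries that Netlogon writes to netlogon.log when a client cannot be placed, and the sample lines fed to it here are constructed to show the format.

```powershell
# Added topology check; not from the original guide.
function Test-SiteCoverage {
    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site   # Site holds the site's DN
    $dcs     = Get-ADDomainController -Filter *

    # A site with DCs but no subnets can never be matched to a client address.
    foreach ($site in $sites) {
        [pscustomobject]@{
            Site              = $site.Name
            DomainControllers = @($dcs     | Where-Object Site -eq $site.Name).Count
            Subnets           = @($subnets | Where-Object Site -eq $site.DistinguishedName).Count
        }
    }
}

# Netlogon logs "NO_CLIENT_SITE: <client> <ip>" for every unmatched client.
# Constructed sample lines; the real file is %SystemRoot%\debug\netlogon.log.
$sampleNetlogonLog = @(
    '05/12 10:22:41 [MISC] [5484] CORP: NO_CLIENT_SITE: WKS01 10.10.5.20',
    '05/12 10:23:02 [MISC] [5484] CORP: NO_CLIENT_SITE: WKS02 10.10.5.21',
    '05/12 10:23:30 [MISC] [5484] CORP: NO_CLIENT_SITE: WKS01 10.10.5.20'
)

function Get-UncoveredClients {
    param([Parameter(Mandatory)][string[]]$Lines)
    $Lines | ForEach-Object {
        if ($_ -match 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)') {
            [pscustomobject]@{ Client = $Matches[1]; IP = $Matches[2] }
        }
    } | Group-Object IP |
        Select-Object @{ n = 'IP'; e = { $_.Name } }, Count,
                      @{ n = 'Clients'; e = { ($_.Group.Client | Sort-Object -Unique) -join ',' } }
}

# Sites that hold DCs but cannot be matched to any client
Test-SiteCoverage | Where-Object { $_.DomainControllers -gt 0 -and $_.Subnets -eq 0 }

# Unplaced client addresses, most frequent first; each one is a missing subnet
Get-UncoveredClients -Lines $sampleNetlogonLog | Sort-Object Count -Descending
# On a real DC: Get-UncoveredClients -Lines (Get-Content "$env:SystemRoot\debug\netlogon.log")
```

Netlogon only writes these lines when its debug logging is on (nltest /dbflag:0x2080ffff enables it, nltest /dbflag:0x0 turns it back off), so enable it for a day on a DC in each site before trusting an empty result.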
Configuring Fine-Grained Password Policies
Since Windows Server 2008, AD DS has supported Password Settings Objects (PSOs), which apply different password and lockout settings to specific users or global security groups instead of the single domain-wide policy in the Default Domain Policy. This requires a domain functional level of Windows Server 2008 or higher. When several PSOs apply to one user, the one with the lowest Precedence value wins, and a PSO linked directly to the user beats any group-linked PSO regardless of precedence:
# Create a stricter policy for admin accounts
New-ADFineGrainedPasswordPolicy `
-Name "AdminPasswordPolicy" `
-Precedence 10 `
-MinPasswordLength 16 `
-PasswordHistoryCount 24 `
-MaxPasswordAge (New-TimeSpan -Days 60) `
-MinPasswordAge (New-TimeSpan -Days 1) `
-LockoutThreshold 3 `
-LockoutDuration (New-TimeSpan -Minutes 60) `
-LockoutObservationWindow (New-TimeSpan -Minutes 60) `
-ComplexityEnabled $true `
-ReversibleEncryptionEnabled $false
# Apply the PSO to the IT-Admins group
Add-ADFineGrainedPasswordPolicySubject -Identity "AdminPasswordPolicy" -Subjects "IT-Admins"
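Linking a PSO is not the same as having it take effect: a stricter policy with a higher Precedence number loses to a laxer one, and a user reached only through an unexpected group may get the domain default. The block below is an added example, not code from the original guide. It asks the domain controller for the policy it actually computes for each member of a group (Get-ADUserResultantPasswordPolicy) and flags PSOs that share a precedence value. The group and PSO names match the example above; the check is read-only.

```powershell
# Added resultant-policy check; not from the original guide. Read-only.
function Test-ResultantPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$ExpectedPso
    )
    $default = Get-ADDefaultDomainPasswordPolicy
    $users   = Get-ADGroupMember -Identity $GroupName -Recursive | Where-Object objectClass -eq 'user'
    foreach ($u in $users) {
        # Returns nothing when no PSO applies and the domain default governs the account.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $u.SamAccountName
        $eff = if ($pso) { $pso } else { $default }
        [pscustomobject]@{
            User             = $u.SamAccountName
            EffectivePolicy  = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
            MinLength        = $eff.MinPasswordLength
            LockoutThreshold = $eff.LockoutThreshold
            MaxAgeDays       = $eff.MaxPasswordAge.Days
            AsExpected       = [bool]($pso -and $pso.Name -eq $ExpectedPso)
        }
    }
}

# Two PSOs with the same precedence are resolved by comparing their GUIDs, which
# is not a policy decision anyone made; flag the collision so it gets fixed.
function Get-PsoPrecedenceCollisions {
    Get-ADFineGrainedPasswordPolicy -Filter * |
        Group-Object Precedence | Where-Object Count -gt 1 |
        Select-Object @{ n = 'Precedence'; e = { $_.Name } },
                      @{ n = 'Policies';   e = { $_.Group.Name -join ', ' } }
}

# Members of IT-Admins who did not end up under AdminPasswordPolicy
Test-ResultantPasswordPolicy -GroupName 'IT-Admins' -ExpectedPso 'AdminPasswordPolicy' |
    Where-Object { -not $_.AsExpected }
Get-PsoPrecedenceCollisions
```

Run the first check whenever an admin group's membership or a PSO's subjects change; an empty result means every member is governed by the policy you intended.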
Active Directory is now configured and ready to support authentication, Group Policy, and resource access across your organization. Run at least two writable domain controllers per domain, and place one in every site whose users must still authenticate when the WAN link is down. Back up the system state regularly with Windows Server Backup (wbadmin start systemstatebackup), which uses the NTDS VSS writer to take a consistent copy of the database and SYSVOL, and rehearse a DSRM restore before you need one.