How to Install Active Directory Domain Services on Windows Server 2016

Active Directory Domain Services (AD DS) is the cornerstone of identity and access management in Windows environments. Installing AD DS on Windows Server 2016 allows you to create a new forest and domain, manage user accounts, computers, and group policies from a central location. This guide covers installing the AD DS role, promoting the server to a domain controller, and performing post-installation verification.

Prerequisites

Before installing AD DS, complete the following prerequisites:

Set a static IP address on the server; a domain controller must not obtain its address from DHCP. Set the preferred DNS server to the server itself (127.0.0.1) or to an existing DNS server in your environment. Give the server a meaningful hostname before promotion, because it cannot be easily changed afterwards. Confirm the server has at least 4 GB of RAM and 40 GB of available disk space for production use.
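The following script, added here as an example and not part of the original guide, applies and checks those prerequisites in one pass. The interface alias "Ethernet", the address 10.0.0.10/24 with gateway 10.0.0.1, and the hostname DC01 are assumed values; replace them with your own.

```powershell
# Added example (not from the original guide): apply and verify the prerequisites.
# Assumed values: interface alias "Ethernet", 10.0.0.10/24 via 10.0.0.1, hostname DC01.
$Interface = "Ethernet"
$StaticIP  = "10.0.0.10"
$Gateway   = "10.0.0.1"
$NewName   = "DC01"

# Replace any DHCP-assigned address and default route with static ones
Set-NetIPInterface -InterfaceAlias $Interface -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Interface -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Interface -DestinationPrefix "0.0.0.0/0" -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Interface -IPAddress $StaticIP -PrefixLength 24 -DefaultGateway $Gateway

# Point DNS at the server itself: it will host DNS after promotion.
# The loopback address is listed second so the primary entry is the routable address.
Set-DnsClientServerAddress -InterfaceAlias $Interface -ServerAddresses $StaticIP, "127.0.0.1"

# Compare resources against the minimums stated in the guide (4 GB RAM, 40 GB free)
$cs     = Get-CimInstance Win32_ComputerSystem
$disk   = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"
$ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
if ($ramGB -lt 4)   { Write-Warning "Only $ramGB GB RAM; 4 GB minimum recommended" }
if ($freeGB -lt 40) { Write-Warning "Only $freeGB GB free on C:; 40 GB minimum recommended" }

# Rename last; the reboot it triggers must complete before promotion
if ($env:COMPUTERNAME -ne $NewName) {
    Rename-Computer -NewName $NewName -Force -Restart
}
```

Run it from an elevated PowerShell session on the server before installing the role; the rename reboots the machine, so do it as the final step.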

Step 1: Install the AD DS Role

Install the Active Directory Domain Services role using PowerShell or Server Manager. Using PowerShell is recommended for speed and repeatability:

# Install AD DS role and management tools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Verify the role was installed
Get-WindowsFeature -Name AD-Domain-Services

Alternatively, open Server Manager, click “Add Roles and Features”, proceed through the wizard, and select “Active Directory Domain Services” on the Server Roles screen.

Step 2: Promote the Server to a Domain Controller

Installing the AD DS role only prepares the server. You must then promote it to a domain controller. There are three promotion scenarios:

Scenario A: Create a New Forest (First Domain Controller)

# Create a new Active Directory forest and domain
# Directory Services Restore Mode (DSRM) password. In scripts you keep, prompt for it
# with Read-Host -AsSecureString instead of embedding it in plain text.
$SafeModePassword = ConvertTo-SecureString "P@ssword1234!" -AsPlainText -Force

Install-ADDSForest `
    -DomainName "corp.example.com" `
    -DomainNetBiosName "CORP" `
    -ForestMode "Win2016" `
    -DomainMode "Win2016" `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -LogPath "C:\Windows\NTDS" `
    -SafeModeAdministratorPassword $SafeModePassword `
    -InstallDns:$true `
    -NoRebootOnCompletion:$false `
    -Force:$true

Scenario B: Add a Domain Controller to an Existing Domain

# Add this server as an additional DC in an existing domain
# DSRM password; prompt for it with Read-Host -AsSecureString in scripts you keep
$SafeModePassword = ConvertTo-SecureString "P@ssword1234!" -AsPlainText -Force
$DomainAdminCred = Get-Credential -Message "Enter Domain Admin credentials"

Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -Credential $DomainAdminCred `
    -SafeModeAdministratorPassword $SafeModePassword `
    -InstallDns:$true `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -Force:$true

Scenario C: Create a New Child Domain

# Create a new child domain (e.g., east.corp.example.com)
# DSRM password; prompt for it with Read-Host -AsSecureString in scripts you keep
$SafeModePassword = ConvertTo-SecureString "P@ssword1234!" -AsPlainText -Force
# Credentials of an account in the parent domain with rights to create a child domain
$ParentDomainCred = Get-Credential -Message "Enter parent domain credentials"

Install-ADDSDomain `
    -NewDomainName "east" `
    -ParentDomainName "corp.example.com" `
    -Credential $ParentDomainCred `
    -SafeModeAdministratorPassword $SafeModePassword `
    -DomainMode "Win2016" `
    -InstallDns:$true `
    -NoRebootOnCompletion:$false `
    -Force:$true
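Each Install-ADDS* cmdlet in the ADDSDeployment module has a matching Test-ADDS* cmdlet that runs the same prerequisite checks without changing the server. The script below, added here as an example and not part of the original guide, dry-runs the new-forest scenario and prompts for the DSRM password rather than hard-coding it; the same pattern applies to Scenarios B and C with Test-ADDSDomainControllerInstallation and Test-ADDSDomainInstallation. The property names Status, Message and Context are those of the test cmdlets' result object as I know them.

```powershell
# Added example (not from the original guide): dry-run the forest promotion before committing.
Import-Module ADDSDeployment

# Prompt for the DSRM password instead of embedding it in the script
$SafeModePassword = Read-Host -Prompt "DSRM (Safe Mode) administrator password" -AsSecureString

$result = Test-ADDSForestInstallation `
    -DomainName "corp.example.com" `
    -DomainNetBiosName "CORP" `
    -ForestMode "Win2016" `
    -DomainMode "Win2016" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword $SafeModePassword

# Status is "Success" when every prerequisite check passed; Message carries the details
$result | Format-List Status, Message, Context

if ($result.Status -ne "Success") {
    throw "Promotion prerequisites not met; review the messages above before running Install-ADDSForest"
}

# For Scenario B use Test-ADDSDomainControllerInstallation, for Scenario C
# Test-ADDSDomainInstallation, each with the parameters of its Install-* counterpart.
```

Running the test first surfaces DNS, credential and forest-level problems while the server is still unchanged, which is far cheaper than recovering from a half-completed promotion.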

Step 3: Verify the Installation After Reboot

After the server reboots, log in as the domain Administrator and verify AD DS is working correctly:

# Verify Active Directory domain services are running
Get-Service NTDS,DNS,Netlogon,DFSR | Select-Object DisplayName, Status

# Check domain controller info
Get-ADDomainController

# Verify the domain
Get-ADDomain

# Verify the forest
Get-ADForest

# List all domain controllers
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address, OperatingSystem

Step 4: Verify SYSVOL and NETLOGON Shares

SYSVOL and NETLOGON are critical shares that must be available on a domain controller for Group Policy and login scripts to function:

# Verify SYSVOL and NETLOGON shares are present
net share

# Or via PowerShell
Get-SmbShare | Where-Object { $_.Name -in "SYSVOL","NETLOGON" }

# Check SYSVOL replication status
dcdiag /test:SysVolCheck /v

Step 5: Run DCDiag and Repadmin

Run the built-in diagnostic tools to confirm the domain controller is healthy. (NetDiag is not shipped with Windows Server 2016; use dcdiag and repadmin instead.)

# Run all domain controller diagnostics
dcdiag /v

# Run specific tests
dcdiag /test:Replications
dcdiag /test:DNS
dcdiag /test:Services
dcdiag /test:KccEvent

# Check replication status
repadmin /showrepl
repadmin /replsummary
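Steps 3 to 5 above are normally run by hand, one command at a time. The function below, added here as an example and not part of the original guide, folds the service, share, dcdiag and replication checks into a single pass/fail report that can be scheduled or run after each promotion. It relies on dcdiag's /q switch printing only failures and on repadmin's /csv output having a "Number of Failures" column; the service name Kdc is included in addition to the four the guide lists.

```powershell
# Added example (not from the original guide): one combined domain controller health check.
function Test-DomainControllerHealth {
    $issues = @()

    # Core services must be running
    foreach ($svc in Get-Service NTDS, DNS, Netlogon, DFSR, Kdc -ErrorAction SilentlyContinue) {
        if ($svc.Status -ne "Running") { $issues += "Service $($svc.Name) is $($svc.Status)" }
    }

    # SYSVOL and NETLOGON must be shared; clients cannot apply Group Policy otherwise
    $shares = (Get-SmbShare).Name
    foreach ($name in "SYSVOL", "NETLOGON") {
        if ($name -notin $shares) { $issues += "Share $name is missing" }
    }

    # dcdiag /q prints only failing tests, so each "failed test" line is a problem
    $dcdiagOutput = & dcdiag.exe /q 2>&1
    foreach ($line in $dcdiagOutput) {
        if ($line -match 'failed test (\w+)') { $issues += "dcdiag test $($Matches[1]) failed" }
    }

    # Replication partners with a non-zero failure count need attention.
    # A brand-new single DC has no partners and therefore no rows.
    $repl = & repadmin.exe /showrepl /csv 2>&1 | ConvertFrom-Csv
    foreach ($row in $repl) {
        if ([int]$row.'Number of Failures' -gt 0) {
            $issues += "Replication from $($row.'Source DSA') for $($row.'Naming Context') has failed $($row.'Number of Failures') time(s)"
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Healthy  = ($issues.Count -eq 0)
        Issues   = $issues
    }
}

# Usage: print the report and return a non-zero exit code on failure
$report = Test-DomainControllerHealth
$report | Format-List
if (-not $report.Healthy) { exit 1 }
```

Because the function returns an object rather than printing text, the same check can feed a monitoring system or a scheduled task that alerts when Healthy turns false.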

Step 6: Create Organizational Units and User Accounts

Once the domain is running, organize the directory with Organizational Units (OUs) and create initial user accounts:

# Create Organizational Units
New-ADOrganizationalUnit -Name "Servers" -Path "DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Workstations" -Path "DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Users" -Path "DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Groups" -Path "DC=corp,DC=example,DC=com"

# Create a new user account
$UserPassword = ConvertTo-SecureString "UserP@ss2016!" -AsPlainText -Force
New-ADUser `
    -Name "John Doe" `
    -GivenName "John" `
    -Surname "Doe" `
    -SamAccountName "jdoe" `
    -UserPrincipalName "jdoe@corp.example.com" `
    -Path "OU=Users,DC=corp,DC=example,DC=com" `
    -AccountPassword $UserPassword `
    -Enabled $true `
    -PasswordNeverExpires $false `
    -ChangePasswordAtLogon $true

# Create a security group
New-ADGroup -Name "IT Admins" -GroupScope Global -GroupCategory Security `
    -Path "OU=Groups,DC=corp,DC=example,DC=com"

# Add user to group
Add-ADGroupMember -Identity "IT Admins" -Members "jdoe"
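Creating accounts one at a time with a password typed into the script does not scale and leaves the password in the script history. The script below, added here as an example and not part of the original guide, creates users from CSV rows with a random initial password per account, skips accounts that already exist, and adds only IT-department users to the "IT Admins" group created above. The CSV content is constructed inline for the example; in practice read it with Import-Csv from a file with the same columns.

```powershell
# Added example (not from the original guide): bulk user creation with random initial passwords.
Import-Module ActiveDirectory

# Constructed sample input; replace with Import-Csv .\users.csv in practice
$csv = @"
GivenName,Surname,SamAccountName,Department
Alice,Smith,asmith,Finance
Bob,Jones,bjones,IT
"@
$users = $csv | ConvertFrom-Csv

$Domain = "corp.example.com"
$UserOU = "OU=Users,DC=corp,DC=example,DC=com"

function New-RandomPassword {
    param([int]$Length = 20)
    # Use the cryptographic RNG rather than Get-Random so initial passwords are unpredictable.
    # Ambiguous characters (0/O, 1/l/I) are left out of the alphabet.
    $alphabet = [char[]]"abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%^&*"
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

foreach ($u in $users) {
    if (Get-ADUser -Filter "SamAccountName -eq '$($u.SamAccountName)'") {
        Write-Warning "$($u.SamAccountName) already exists, skipping"
        continue
    }

    $initial = New-RandomPassword
    New-ADUser `
        -Name "$($u.GivenName) $($u.Surname)" `
        -GivenName $u.GivenName `
        -Surname $u.Surname `
        -SamAccountName $u.SamAccountName `
        -UserPrincipalName "$($u.SamAccountName)@$Domain" `
        -Department $u.Department `
        -Path $UserOU `
        -AccountPassword (ConvertTo-SecureString $initial -AsPlainText -Force) `
        -Enabled $true `
        -ChangePasswordAtLogon $true

    # Grant group membership by role, not to everyone
    if ($u.Department -eq "IT") {
        Add-ADGroupMember -Identity "IT Admins" -Members $u.SamAccountName
    }

    # The initial password is handed to the user out of band and must be changed at first logon;
    # it is deliberately not written to the console or a log.
    Write-Host "Created $($u.SamAccountName) in $UserOU"
}
```

Forcing a change at first logon (-ChangePasswordAtLogon $true) means the random initial value only needs to survive the handover, and the existence check keeps a re-run of the script from failing halfway through.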

Active Directory Domain Services is now installed and running on Windows Server 2016. The server is functioning as a domain controller, ready to authenticate users, apply Group Policies, and manage resources across the network. For production environments, always deploy at least two domain controllers for redundancy.