How to Set Up Active Directory Domain Services on Windows Server 2012 R2

Active Directory Domain Services (AD DS) is the cornerstone identity and access management platform in Windows Server environments. It provides centralised authentication, authorisation, Group Policy application, and a directory of all users, computers, and resources in an organisation. Windows Server 2012 R2 introduced a greatly simplified AD DS deployment model — the dcpromo.exe wizard was retired and replaced with a fully PowerShell-driven promotion process backed by a GUI in Server Manager.

This guide walks through installing a brand-new AD DS forest (the first domain controller in an organisation) as well as adding subsequent domain controllers to an existing domain, both via Server Manager and PowerShell.

Prerequisites

  • Windows Server 2012 R2 with a static IP address configured.
  • DNS must be resolvable — configure the NIC’s preferred DNS to the server’s own static IP (it will host DNS after promotion).
  • The server must NOT already be joined to the target domain (for new forest deployments).
  • Minimum 512 MB RAM; 2 GB+ recommended for production.
  • A strong DSRM (Directory Services Restore Mode) password prepared.

Step 1: Install the AD DS Role

Before promoting the server to a domain controller, you must install the AD DS role binaries.

Via Server Manager: Open Server Manager → Manage → Add Roles and Features. Select Role-based or feature-based installation, choose the local server, and tick Active Directory Domain Services. Accept the additional features (DNS Server, Group Policy Management) and complete the wizard.

Via PowerShell (faster and scriptable):

# Install AD DS role and management tools, including DNS Server
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Verify the installation
Get-WindowsFeature -Name AD-Domain-Services, DNS | 
    Select-Object Name, InstallState, DisplayName

Step 2: Promote to the First Domain Controller (New Forest)

Promoting the server creates the new Active Directory forest, the root domain, and the initial domain controller. This replaces the old dcpromo.exe process entirely in Windows Server 2012 R2.

# Import the ADDSDeployment module
Import-Module ADDSDeployment

# Install a new AD DS forest
# (the DSRM password is shown inline for illustration only; in practice prompt
#  for it with Read-Host -AsSecureString so it never lands in a script or history file)
Install-ADDSForest `
    -DomainName "corp.example.com" `
    -DomainNetbiosName "CORP" `
    -DomainMode "Win2012R2" `
    -ForestMode "Win2012R2" `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -LogPath "C:\Windows\NTDS" `
    -InstallDns:$true `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd!DSRM" -AsPlainText -Force) `
    -Force:$true
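Before committing to the promotion above, the same parameters can be dry-run with Test-ADDSForestInstallation, which performs the wizard's prerequisite checks without changing the server. This is an added example, not part of the original guide; it prompts for the DSRM password instead of embedding it and assumes the same domain, paths and modes as Step 2.

```powershell
# Added example: dry-run the forest promotion, then promote only if the checks pass.
Import-Module ADDSDeployment

# Prompt once; the SecureString never appears in the console, history, or a script file.
$dsrmPassword = Read-Host -Prompt "DSRM (safe mode) password" -AsSecureString

# Same settings as the Install-ADDSForest call in Step 2, held in a splatting table
$forestParams = @{
    DomainName                    = "corp.example.com"
    DomainNetbiosName             = "CORP"
    DomainMode                    = "Win2012R2"
    ForestMode                    = "Win2012R2"
    DatabasePath                  = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    LogPath                       = "C:\Windows\NTDS"
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrmPassword
}

# Test-ADDSForestInstallation runs the prerequisite checks (name resolution,
# NetBIOS name conflicts, path locations) and returns a result object without promoting.
$check = Test-ADDSForestInstallation @forestParams

if ($check.Status -ne 'Success') {
    Write-Warning "Prerequisite check failed: $($check.Message)"
    return
}

# Only promote once the dry run passes; -Force suppresses the confirmation prompt.
Install-ADDSForest @forestParams -Force:$true
```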

The server will automatically reboot after successful promotion. When it comes back up, the local Administrator account becomes the Domain Administrator.

Step 3: Verify the Domain Controller Installation

# Check that the domain controller is operational
Get-ADDomainController -Filter *

# Verify domain information
Get-ADDomain

# Check forest information
Get-ADForest

# Verify FSMO role holders (all five roles on the first DC)
netdom query fsmo

# Verify AD DS services are running
Get-Service -Name "NTDS","ADWS","DNS","KDC","Netlogon" | 
    Select-Object Name, Status, StartType

Step 4: Add a Second Domain Controller to an Existing Domain

High availability requires at least two domain controllers. Adding a replica DC distributes the authentication load and provides fault tolerance.

# On the second server, first install the AD DS role
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Promote the server as a replica DC in an existing domain
Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -InstallDns:$true `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -LogPath "C:\Windows\NTDS" `
    -SiteName "Default-First-Site-Name" `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "P@ssw0rd!DSRM" -AsPlainText -Force) `
    -Credential (Get-Credential "CORP\Administrator") `
    -Force:$true
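A replica that has been promoted but is not yet replicating or advertising will still be handed to clients by DNS, so it is worth checking it before relying on it. The following is an added example, not from the original guide; it assumes it is run on the new replica (the hostname "DC02" is a placeholder) and uses the ActiveDirectory, SmbShare and DnsClient modules shipped with Windows Server 2012 R2.

```powershell
# Added example: confirm a newly promoted replica DC is replicating and advertising.
Import-Module ActiveDirectory

function Test-ReplicaDomainController {
    param(
        [Parameter(Mandatory)][string]$DomainController   # e.g. "DC02" (placeholder)
    )

    $result = [ordered]@{ DomainController = $DomainController }

    # Inbound replication partners and the last successful sync per partition.
    $partners = Get-ADReplicationPartnerMetadata -Target $DomainController -PartnerType Inbound
    $result.InboundPartners = $partners | Select-Object Partition, Partner, LastReplicationSuccess

    # Any logged replication failures; a non-zero count needs attention before go-live.
    $failures = Get-ADReplicationFailure -Target $DomainController
    $result.FailureCount = @($failures).Count

    # SYSVOL and NETLOGON must be shared locally before the DC will advertise itself.
    $shares = Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL','NETLOGON' }
    $result.SharesPresent = (@($shares).Count -eq 2)

    # Each DC registers its own _ldap SRV record under _msdcs; confirm this one is listed.
    $srvName = "_ldap._tcp.dc._msdcs.$((Get-ADDomain).DNSRoot)"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue
    $result.RegisteredInDns = [bool]($srv | Where-Object { $_.NameTarget -like "$DomainController.*" })

    [pscustomobject]$result
}

# Run on the new replica after the post-promotion reboot
Test-ReplicaDomainController -DomainController "DC02" | Format-List
```

If InboundPartners is empty or RegisteredInDns is false, give replication a few minutes and re-run; persistent failures are visible in the FailureCount detail from Get-ADReplicationFailure.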

Step 5: Create Organisational Units, Users, and Groups

Once Active Directory is operational, you can begin populating the directory. Organisational Units (OUs) provide a hierarchical structure for applying Group Policy and delegating administrative control.

# Create top-level OU structure
New-ADOrganizationalUnit -Name "Corp" -Path "DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Users" -Path "OU=Corp,DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Computers" -Path "OU=Corp,DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Servers" -Path "OU=Corp,DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Groups" -Path "OU=Corp,DC=corp,DC=example,DC=com"

# Create a new user
New-ADUser `
    -Name "John Smith" `
    -GivenName "John" `
    -Surname "Smith" `
    -SamAccountName "jsmith" `
    -UserPrincipalName "[email protected]" `
    -Path "OU=Users,OU=Corp,DC=corp,DC=example,DC=com" `
    -AccountPassword (ConvertTo-SecureString "Welcome@2024!" -AsPlainText -Force) `
    -Enabled $true `
    -PasswordNeverExpires $false `
    -ChangePasswordAtLogon $true

# Create a security group
New-ADGroup `
    -Name "IT Administrators" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Groups,OU=Corp,DC=corp,DC=example,DC=com"

# Add the user to the group
Add-ADGroupMember -Identity "IT Administrators" -Members "jsmith"
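The single-user commands above become a bulk procedure in practice. As an added example (not from the original guide), the script below builds the same OU tree idempotently and creates users from a constructed CSV, assigning each a random initial password that must be changed at first logon rather than a shared value typed into the script. The OU names match Step 5; the CSV rows are constructed sample data.

```powershell
# Added example: idempotent OU creation plus bulk user import with per-user random passwords.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName   # e.g. "DC=corp,DC=example,DC=com"
$upnSuffix = (Get-ADDomain).DNSRoot             # e.g. "corp.example.com"

function New-OUIfMissing {
    param([string]$Name, [string]$ParentDn)
    $dn = "OU=$Name,$ParentDn"
    if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$dn'")) {
        # ProtectedFromAccidentalDeletion defaults to $true for new OUs
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn
    }
    $dn
}

$corpDn  = New-OUIfMissing -Name "Corp"  -ParentDn $domainDn
$usersDn = New-OUIfMissing -Name "Users" -ParentDn $corpDn
foreach ($ou in "Computers","Servers","Groups") { New-OUIfMissing -Name $ou -ParentDn $corpDn | Out-Null }

# Constructed sample input; in practice this comes from an HR or ticketing export.
$rows = @"
GivenName,Surname,SamAccountName,Department
John,Smith,jsmith,IT
Ana,Lopez,alopez,Finance
"@ | ConvertFrom-Csv

$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

foreach ($row in $rows) {
    # Skip accounts that already exist so the script can be re-run safely
    if (Get-ADUser -Filter "SamAccountName -eq '$($row.SamAccountName)'") { continue }

    # 15 random bytes -> 20-character base64 initial password, unique per user
    $bytes = New-Object byte[] 15
    $rng.GetBytes($bytes)
    $initial = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    New-ADUser -Name "$($row.GivenName) $($row.Surname)" -GivenName $row.GivenName -Surname $row.Surname `
        -SamAccountName $row.SamAccountName -UserPrincipalName "$($row.SamAccountName)@$upnSuffix" `
        -Department $row.Department -Path $usersDn -AccountPassword $initial `
        -Enabled $true -ChangePasswordAtLogon $true
}
```

The generated initial password is handed to the user out of band and is useless after the forced change at first logon.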

Step 6: Configure Active Directory Sites and Subnets

AD DS Sites and Services controls replication topology and client authentication site affinity. Proper configuration is important in multi-site environments:

# Create a new site
New-ADReplicationSite -Name "London-Site"

# Create a subnet and associate it with the site
New-ADReplicationSubnet -Name "10.10.0.0/16" -Site "London-Site"

# Create a site link between HQ and London
New-ADReplicationSiteLink `
    -Name "HQ-London-Link" `
    -SitesIncluded "Default-First-Site-Name","London-Site" `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15

# Move a domain controller to a site
Move-ADDirectoryServer -Identity "LONDC01" -Site "London-Site"

Step 7: Transfer FSMO Roles

Flexible Single Master Operation (FSMO) roles must be distributed deliberately when adding domain controllers. The five roles are: Schema Master, Domain Naming Master, RID Master, PDC Emulator, and Infrastructure Master.

# Transfer PDC Emulator role to DC02
Move-ADDirectoryServerOperationMasterRole `
    -Identity "DC02" `
    -OperationMasterRole PDCEmulator

# Transfer RID Master role
Move-ADDirectoryServerOperationMasterRole `
    -Identity "DC02" `
    -OperationMasterRole RIDMaster

# Transfer all five roles at once
Move-ADDirectoryServerOperationMasterRole `
    -Identity "DC02" `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster

# Verify current FSMO role holders
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
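Knowing who holds each role is only half the picture; a transfer only works while the current holder is reachable, and an unreachable holder is the case that calls for a seizure instead. The function below is an added example, not from the original guide: it lists all five roles with their holders and tests whether each holder answers an LDAP query, using only the ActiveDirectory module cmdlets already shown on this page.

```powershell
# Added example: report each FSMO role, its holder, and whether the holder is reachable.
Import-Module ActiveDirectory

function Get-FsmoRoleStatus {
    $domain = Get-ADDomain
    $forest = Get-ADForest

    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        # Ask the holder itself for its own DC object; an exception means it is not
        # answering over LDAP, so a normal transfer to another DC would fail.
        $online = $false
        try {
            $null = Get-ADDomainController -Identity $holder -Server $holder -ErrorAction Stop
            $online = $true
        } catch { }

        [pscustomobject]@{
            Role   = $role
            Holder = $holder
            Online = $online
        }
    }
}

# Roles whose holder is offline cannot be transferred; once the holder is confirmed
# permanently gone they are seized with Move-ADDirectoryServerOperationMasterRole -Force,
# and the old holder must never be brought back online afterwards.
Get-FsmoRoleStatus | Format-Table -AutoSize
```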

Summary

Active Directory Domain Services on Windows Server 2012 R2 is deployed and managed entirely through PowerShell and Server Manager, with the old dcpromo.exe tool no longer used. The key steps for a new forest deployment are: install the AD-Domain-Services role with Install-WindowsFeature, promote using Install-ADDSForest, and verify the result with AD PowerShell cmdlets. For production deployments always deploy a minimum of two domain controllers, configure AD Sites and Subnets to match your network topology, and plan FSMO role placement carefully. Active Directory is the identity foundation for virtually every other Windows Server role, so a well-structured deployment pays dividends across the entire infrastructure.