How to Install Active Directory Domain Services on Windows Server 2025

Install the AD DS role on Windows Server 2025 and create a new Active Directory domain with enhanced security features and Win2025 functional levels.

Emanuel DE ALMEIDA
March 17, 2026 | 10 steps | 15 min read
Difficulty: medium | Category: active-directory

Why Install Active Directory Domain Services on Windows Server 2025?

Active Directory Domain Services (AD DS) forms the backbone of enterprise Windows networks, providing centralized authentication, authorization, and directory services. Windows Server 2025 introduces enhanced security features, improved deployment wizards, and support for the latest Win2025 functional levels that unlock advanced capabilities for modern hybrid cloud environments.

What Are the Key Benefits of Windows Server 2025 AD DS?

The 2025 release brings significant improvements over previous versions. Enhanced security defaults protect against modern threats, while improved PowerShell cmdlets streamline automation tasks. The new functional levels support advanced features like enhanced authentication protocols and better integration with Azure Active Directory. For organizations building new domains or upgrading existing infrastructure, Server 2025 provides the most secure and feature-rich AD DS platform available.

How Does the Installation Process Differ in Server 2025?

While the core installation process remains familiar, Server 2025 includes refined wizards with better validation checks and clearer error messages. The prerequisites checker is more thorough, catching potential issues before they cause deployment failures. PowerShell deployment options have been expanded with new parameters for cloud-hybrid scenarios, making automated deployments more reliable and flexible than ever before.

Implementation Guide

Full Procedure

01

Configure Network Settings and Prerequisites

Before installing AD DS, configure your server's network settings properly. Open the Network and Sharing Center and set a static IP address.

Navigate to Control Panel > Network and Internet > Network and Sharing Center > Change adapter settings. Right-click your network adapter and select Properties.

Select Internet Protocol Version 4 (TCP/IPv4) and click Properties. Configure these settings:

IP address: 192.168.1.10 (example)
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.1
Preferred DNS server: 127.0.0.1
Alternate DNS server: 8.8.8.8

Setting the preferred DNS to 127.0.0.1 (localhost) is crucial because your server will become the DNS server for the domain.

Pro tip: Document your IP configuration before making changes. You'll need these settings for troubleshooting later.

Verification: Run ipconfig /all in Command Prompt to confirm your static IP configuration is active.

02

Install Active Directory Domain Services Role

Open Server Manager from the taskbar or Start menu. Click Manage in the top-right corner and select Add Roles and Features.

The Add Roles and Features Wizard opens. Click Next on the Before You Begin page, then select Role-based or feature-based installation and click Next.

Select your target server from the server pool (it should be highlighted by default) and click Next.

In the Server Roles page, scroll down and check Active Directory Domain Services. A popup appears asking to add required features - click Add Features to include the management tools.

Click Next through the Features page (no additional features needed), then Next on the AD DS information page.

Review your selections on the Confirmation page and click Install. The installation takes 2-3 minutes.

Warning: Don't close the wizard during installation. The process needs to complete fully before domain promotion.

Verification: After installation completes, you'll see a notification flag in Server Manager with a yellow warning triangle. This indicates the role is installed but not configured yet.

03

Promote Server to Domain Controller

In Server Manager, click the notification flag (yellow triangle with exclamation mark) and select Promote this server to a domain controller.

The Active Directory Domain Services Configuration Wizard launches. On the Deployment Configuration page, select Add a new forest since you're creating a new domain.

Enter your root domain name in the Root domain name field. Use a proper FQDN format like contoso.com or company.local. Avoid single-label names or .local if you plan internet integration.

Root domain name: contoso.com

Click Next to proceed to domain controller options.

Pro tip: Choose your domain name carefully. Changing it later requires a complete AD rebuild. Use your organization's registered domain or a .local suffix for internal-only domains.

Verification: The wizard validates your domain name format. Invalid names (like single words or reserved names) will show an error.

04

Configure Domain Controller Options

On the Domain Controller Options page, configure the functional levels and services:

Set both Forest functional level and Domain functional level to Windows Server 2025. This enables all the latest AD features and security enhancements.

Ensure Domain Name System (DNS) server is checked. This automatically installs and configures DNS, which is required for AD DS.

Leave Global Catalog (GC) checked - the first domain controller in a forest must be a GC.

Enter a strong Directory Services Restore Mode (DSRM) password. This is used for offline AD maintenance:

DSRM Password: ComplexPassword123!
Confirm Password: ComplexPassword123!

Warning: Store the DSRM password securely. You'll need it for disaster recovery scenarios. It cannot be reset through normal AD tools.

Click Next to continue.

Verification: The wizard checks password complexity requirements. Weak passwords will trigger validation errors.

05

Configure DNS Options and NetBIOS Name

On the DNS Options page, you may see a warning about DNS delegation. For a new forest, this is normal and expected. The warning states that a delegation cannot be created because the authoritative parent zone cannot be found.

Leave Create DNS delegation unchecked and click Next.

On the Additional Options page, the wizard automatically generates a NetBIOS domain name based on your FQDN. For contoso.com, it suggests CONTOSO.

NetBIOS domain name: CONTOSO

You can modify this if needed, but the default is usually appropriate. The NetBIOS name must be 15 characters or fewer and contain only letters, numbers, and hyphens.

Click Next to proceed.

Pro tip: Keep NetBIOS names short and meaningful. Legacy applications and some network protocols still use NetBIOS names for authentication.

Verification: The wizard validates NetBIOS name uniqueness on your network segment.

06

Configure Database and Log Paths

On the Paths page, specify locations for the AD database, log files, and SYSVOL folder. The default locations are:

Database folder: C:\Windows\NTDS
Log files folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

For production environments, consider separating these components:

  • Database: Place on a fast drive (SSD preferred)
  • Logs: Place on a separate drive from the database for performance
  • SYSVOL: Can remain on the system drive

For this tutorial, accept the defaults and click Next.

Pro tip: In production, place AD logs on a separate physical drive from the database. This improves performance and provides better fault tolerance.

Verification: The wizard checks that specified paths exist and have sufficient free space (minimum 200 MB for database, 50 MB for logs).

07

Review Configuration and Run Prerequisites Check

The Review Options page displays a summary of your configuration. Review all settings carefully:

Forest name: contoso.com
Domain name: contoso.com
NetBIOS name: CONTOSO
Functional levels: Windows Server 2025
DNS Server: Yes
Global Catalog: Yes

Click Next to run the prerequisites check. This critical step validates your server configuration and identifies potential issues.

The prerequisites check examines:

  • Network configuration and DNS settings
  • Disk space and file system requirements
  • Security permissions and policies
  • Existing domain conflicts

If the check passes, you'll see green checkmarks. Any warnings (yellow) should be reviewed but don't prevent installation. Errors (red) must be resolved before proceeding.

Warning: Don't ignore prerequisites check warnings. Common issues include incorrect DNS settings or insufficient disk space, which can cause domain promotion failures.

Verification: All prerequisite checks show green checkmarks or acceptable warnings. The Install button becomes enabled.

08

Complete Domain Controller Promotion

After the prerequisites check passes, click Install to begin the domain controller promotion process.

The installation progress shows several phases:

  • Configuring Active Directory Domain Services
  • Installing DNS Server role
  • Creating domain database and log files
  • Configuring security policies
  • Preparing for reboot

The process takes 10-15 minutes depending on your hardware. The server will automatically reboot 1-2 times during promotion.

Warning: Do not interrupt the promotion process or power off the server. Interruption can corrupt the AD database and require a complete reinstallation.

After the final reboot, log in with your domain administrator credentials:

Username: CONTOSO\Administrator
Password: [Your original local admin password]

Verification: The login screen shows your domain name (CONTOSO) in the username field, and Server Manager displays the AD DS role as running.
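The whole of steps 01 through 08 can also be driven from an elevated PowerShell session. This is an added example, not code from the original article: it assumes the network adapter is named "Ethernet" (check with Get-NetAdapter) and reuses the addresses, names and paths used in the steps above; the prerequisites check is run on its own first, as in step 07, and the server reboots when promotion completes.

```powershell
# Added example (not from the original article): steps 01-08 as one PowerShell run.
# Assumption: the server's NIC alias is "Ethernet"; addresses and names are the article's.

$Adapter     = "Ethernet"        # assumption: adapter alias on this server
$IPAddress   = "192.168.1.10"
$Gateway     = "192.168.1.1"
$DomainName  = "contoso.com"
$NetbiosName = "CONTOSO"

# Step 01: static address and gateway, with DNS pointing at this server first.
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $IPAddress -PrefixLength 24 -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses "127.0.0.1", "8.8.8.8"

# Step 02: the AD DS role plus the management tools the wizard adds for you.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 04: the DSRM password is entered interactively so it never sits in the script or in history.
$DsrmPassword = Read-Host -Prompt "DSRM (Directory Services Restore Mode) password" -AsSecureString

# Steps 03-06 as one parameter set: new forest, Windows Server 2025 functional levels,
# DNS installed without a delegation, default paths. The first DC in a forest is always
# a global catalog, so no switch is needed for it.
$ForestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = "Win2025"
    DomainMode                    = "Win2025"
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $DsrmPassword
}

# Step 07: prerequisites check only; warnings (such as the expected DNS delegation notice)
# appear in Message, and anything other than Success stops the script before promotion.
$Check = Test-ADDSForestInstallation @ForestParams
$Check.Message | Write-Host
if ($Check.Status -ne "Success") {
    throw "Prerequisites check did not pass: $($Check.Status)"
}

# Step 08: promote the server. It reboots when promotion finishes.
Install-ADDSForest @ForestParams -Force
```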

09

Verify Active Directory Installation and Configuration

Open Active Directory Users and Computers from the Start menu or Server Manager Tools menu. You should see your domain structure with default organizational units:

  • Builtin
  • Computers
  • Domain Controllers
  • ForeignSecurityPrincipals
  • Managed Service Accounts
  • Users

Verify DNS configuration by opening DNS Manager. You should see forward and reverse lookup zones for your domain:

Forward Lookup Zones:
  - contoso.com
  - _msdcs.contoso.com

Reverse Lookup Zones:
  - 192.168.1.x Subnet (if configured)

Test domain functionality with PowerShell commands:

Get-ADDomain
Get-ADForest
Get-ADDomainController

These commands should return information about your newly created domain without errors.

Pro tip: Create a test user account and try logging in from another machine to fully verify domain functionality. Use dsquery user to list all domain users.

Verification: Run dcdiag /v in Command Prompt to perform comprehensive domain controller diagnostics. All tests should pass or show acceptable warnings.
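The checks in this step can be collected into one pass/fail report. This is an added example, not code from the original article: it assumes it is run on the new domain controller by a domain administrator, with the contoso.com domain name used throughout the guide.

```powershell
# Added example (not from the original article): automated form of the step 09 checks.
# Assumption: run on the new DC as a domain admin; domain name is the article's contoso.com.

Import-Module ActiveDirectory

$DomainName = "contoso.com"
$Results = [System.Collections.Generic.List[object]]::new()

function Add-Check {
    param([string]$Name, [bool]$Passed, [string]$Detail)
    $Results.Add([pscustomobject]@{ Check = $Name; Passed = $Passed; Detail = $Detail })
}

# Functional levels: both should report the 2025 level for a forest built as in step 04.
$Domain = Get-ADDomain
$Forest = Get-ADForest
Add-Check "Domain functional level" ("$($Domain.DomainMode)" -like "*2025*") "$($Domain.DomainMode)"
Add-Check "Forest functional level" ("$($Forest.ForestMode)" -like "*2025*") "$($Forest.ForestMode)"

# In a single-DC forest this server holds the FSMO roles and must be a global catalog.
$Dc = Get-ADDomainController
Add-Check "Global catalog" $Dc.IsGlobalCatalog $Dc.HostName
Add-Check "PDC emulator" ($Domain.PDCEmulator -eq $Dc.HostName) $Domain.PDCEmulator

# Core services that domain logon depends on.
foreach ($Svc in "NTDS", "DNS", "Kdc", "Netlogon") {
    $State = (Get-Service -Name $Svc).Status
    Add-Check "Service $Svc" ($State -eq "Running") "$State"
}

# DNS: the DC locator SRV record must resolve, otherwise clients cannot find the domain.
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
Add-Check "DC locator SRV record" ($null -ne $Srv) "$($Srv.NameTarget -join ', ')"

# dcdiag /q prints only failures, so empty output means every test passed.
$DcDiag = dcdiag /q
Add-Check "dcdiag" ([string]::IsNullOrWhiteSpace(($DcDiag -join "`n"))) (($DcDiag | Select-Object -First 1) -as [string])

$Results | Format-Table -AutoSize
if ($Results | Where-Object { -not $_.Passed }) {
    Write-Warning "One or more checks failed; review the Detail column."
}
```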

10

Configure Post-Installation Security and Best Practices

Complete your AD DS setup with essential security configurations. First, configure Windows Firewall rules for AD DS services:

Enable-NetFirewallRule -DisplayGroup "Active Directory Domain Services"
Enable-NetFirewallRule -DisplayGroup "DNS Service"

Create additional organizational units for better management:

New-ADOrganizationalUnit -Name "Corporate Users" -Path "DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Servers" -Path "DC=contoso,DC=com"
New-ADOrganizationalUnit -Name "Workstations" -Path "DC=contoso,DC=com"

Configure Group Policy settings by opening Group Policy Management from Server Manager Tools. Create a baseline security policy for your domain.

Set up regular AD backups using Windows Server Backup:

Install-WindowsFeature Windows-Server-Backup
wbadmin enable backup -addtarget:E: -schedule:02:00 -include:C:\Windows\NTDS,C:\Windows\SYSVOL

Pro tip: Enable AD Recycle Bin immediately after domain creation. Run Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target contoso.com to protect against accidental deletions.

Verification: Run repadmin /showrepl to verify replication is working correctly, even with a single domain controller.
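The step 10 tasks can be combined into one script that is safe to re-run. This is an added example, not code from the original article: it assumes the contoso.com domain and the E: backup volume used above, and it schedules a system-state backup through the Windows Server Backup PowerShell module instead of the two folder paths given to wbadmin.

```powershell
# Added example (not from the original article): idempotent version of the step 10 tasks.
# Assumptions: domain contoso.com and a dedicated backup volume E:, as in the article.

Import-Module ActiveDirectory
$DomainName   = "contoso.com"
$DomainDN     = (Get-ADDomain -Identity $DomainName).DistinguishedName   # DC=contoso,DC=com
$BackupVolume = "E:"                                                      # assumption: separate backup disk

# Firewall rule groups for the directory and DNS services.
Enable-NetFirewallRule -DisplayGroup "Active Directory Domain Services"
Enable-NetFirewallRule -DisplayGroup "DNS Service"

# AD Recycle Bin: enabling is one-way, so only do it when no scope is enabled yet.
$RecycleBin = Get-ADOptionalFeature -Identity "Recycle Bin Feature"
if ($RecycleBin.EnabledScopes.Count -eq 0) {
    Enable-ADOptionalFeature -Identity "Recycle Bin Feature" -Scope ForestOrConfigurationSet -Target $DomainName -Confirm:$false
}

# OU structure, protected from accidental deletion, skipping any OU that already exists.
foreach ($Name in "Corporate Users", "Servers", "Workstations") {
    $Existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $DomainDN -SearchScope OneLevel
    if (-not $Existing) {
        New-ADOrganizationalUnit -Name $Name -Path $DomainDN -ProtectedFromAccidentalDeletion $true
    }
}

# Nightly 02:00 system-state backup (the supported way to back up a DC) to the backup volume.
Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
Import-Module WindowsServerBackup
$Policy = New-WBPolicy
Add-WBSystemState -Policy $Policy
Add-WBBackupTarget -Policy $Policy -Target (New-WBBackupTarget -VolumePath $BackupVolume)
Set-WBSchedule -Policy $Policy -Schedule ([datetime]"02:00")
Set-WBPolicy -Policy $Policy -Force

# Confirm the result: enabled Recycle Bin scope, protected OUs, and the scheduled backup time.
(Get-ADOptionalFeature -Identity "Recycle Bin Feature").EnabledScopes
Get-ADOrganizationalUnit -Filter * -SearchBase $DomainDN -SearchScope OneLevel |
    Select-Object Name, ProtectedFromAccidentalDeletion
Get-WBPolicy | Select-Object -ExpandProperty Schedule
```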

Frequently Asked Questions

What are the minimum system requirements for installing AD DS on Windows Server 2025?

Windows Server 2025 requires a minimum 1.4 GHz 64-bit processor, 512 MB RAM (2 GB recommended for AD DS), and 32 GB disk space. You need a static IP address, NTFS-formatted drives, and local Administrator privileges. The server should not be domain-joined initially, and you need network connectivity for DNS resolution during the promotion process.

Can I install Active Directory Domain Services using PowerShell instead of Server Manager?

Yes, you can use PowerShell for automated AD DS installation and domain promotion. First install the role with Install-WindowsFeature AD-Domain-Services, then use the Install-ADDSForest cmdlet with parameters for domain name, functional levels, and paths. This method is preferred for scripted deployments and offers more granular control over the configuration process.

What is the Directory Services Restore Mode password and why is it important?

The DSRM password is a local administrator password used for offline Active Directory maintenance and disaster recovery. It's set during domain controller promotion and cannot be changed through normal AD tools. This password is crucial for booting into Directory Services Restore Mode when the AD database is corrupted or needs offline maintenance. Store it securely as it's your last resort for AD recovery.

Should I use Windows Server 2025 functional levels for a new domain?

Yes, always use the highest available functional levels (Win2025) for new domains unless you have specific compatibility requirements. Higher functional levels unlock advanced security features, improved replication, and better integration with cloud services. You can only raise functional levels, never lower them, so starting with Win2025 ensures access to all current and future features.

How do I troubleshoot common AD DS installation failures on Windows Server 2025?

Common failures include DNS misconfiguration, insufficient disk space, or network connectivity issues. First, verify your static IP configuration and ensure DNS points to 127.0.0.1. Check that NTFS drives have adequate space and run the prerequisites checker carefully. Use dcdiag and repadmin tools post-installation to verify functionality. Enable detailed logging in Event Viewer's Directory Service log for specific error diagnosis.
Written by

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
