A domain controller (DC) is an AD server that hosts Active Directory Domain Services (AD DS). DCs are responsible for managing the security of AD objects, as they respond to authentication requests and verify users on the network. They also provide authorization to different domain resources.

DCs are an integral part of any AD infrastructure, and can be considered a gatekeeper that has keys to the domain resources. They are also responsible for the security of the domain.

Member server vs. domain controller

Although a DC is a server, it should not be confused with a member server inside the AD environment. A member server is a computer in a domain that can act as a file, application, web, or print server. The DC, on the other hand, is responsible for authentication and authorization. Also, only domain administrators should have permission to log on to DCs.

Why should you promote a server to a DC?

A regular server cannot perform authentication and authorization functions. Admins need to promote a server to a DC to achieve this functionality. The decision to have more than one DC depends on the organization's size and the complexity of its IT infrastructure. As a general best practice, organizations should have more than one DC in their AD environment. Here are some key reasons why:

  1. Load balancing: Administrators often find that a single DC is carrying a heavy load. An additional DC lets admins balance the load of network traffic.

  2. Reduction in downtime: Having more than one DC reduces downtime. If one of the DCs is unreachable or goes offline, the authentication services can easily connect to the next available DC.

  3. Reliability: Having more than one DC increases reliability and availability, and reduces downtime.

Now, with the basic understanding of DCs and the role they play in AD DS addressed, we can take the next step in this learning journey.

In this blog, we'll provide detailed, step-by-step instructions on how you can promote a server into a DC. A promotion ensures that the status of the server has been changed to a DC, with all its authentication and authorization capabilities.

Step 1: Install AD DS

Start by installing AD DS, if you haven't already.

  1. Log in to the AD server with admin credentials (username and password).

  2. Open the Server Manager console, then click Dashboard > Add roles and features to start the Add Roles and Features Wizard.


  3. On the Before you begin page, click Next.

  4. Next, on the Select installation type page, choose Role-based or feature-based installation, or if it's a virtual machine-based deployment, choose Remote Desktop Services installation. Click Next.


  5. Now select the destination server to which the role will be assigned. Click Select a server from the server pool, and choose the name of the server where you want to install AD DS. Then, click Next.


  6. Now, on the Select server roles page, choose the roles you want to install on the server, such as Active Directory Domain Services, Active Directory Federation Services, Active Directory Rights Management Services, and more. In our case, the basic requirement is Active Directory Domain Services.


  7. After selecting AD DS, add the features for the selected role in the Add Roles and Features Wizard, and click Next. The basic roles and features for AD DS are already selected by default. You can select more as per your requirements.


  8. Review the information and, on the Confirm installation selections page, click Install.


Step 2: Promote the server to a domain controller

  1. Once you have finished installing the AD DS role on the server, click the notification flag. Here, select "Promote this server to a domain controller".


  2. Next, you will be taken to the AD DS configuration wizard. Here, on the Deployment Configuration page, select the first option, "Add a domain controller to an existing domain". Also, provide the name of the domain to which the new DC will be added (for example, abc.testcorp.com), and click Next.


  3. Next, click Domain Controller Options in the left pane and perform these steps:

    • Select the desired Domain and Forest functional level.
    • Specify the domain controller capabilities. By default, the options to make the DC a Domain Name System (DNS) server and a Global Catalog (GC) are already selected.
    • Select the Site name for the DC.
    • Provide the Directory Services Restore Mode (DSRM) password. The DSRM password is crucial in instances where you might need to restore a backup of the server or in case of DC failure.


  4. Next, on the DNS Options page, you will receive a warning stating "DNS Delegation not being created". As we have already configured the DNS server as part of our initial efforts (step 3), this can be safely ignored. Click Next.

  5. On the Additional Options page, specify the DC from which you want to replicate the AD DS data, or choose the option Any domain controller, and then click Next.


  6. The next page is Paths, where you can specify the location of the AD DS database, log files, and SYSVOL folder, or accept the default locations. Click Next.


  7. The next page, Review Options, lets you review and confirm your selections. Optionally, you can view the PowerShell script for these settings. Then click Next.


  8. On the Prerequisites Check page, Windows will perform a prerequisites check. Confirm the check and then click Install.


  9. The system will restart automatically after replication to complete the AD DS installation process. Once finished, you will be directed to the login screen.
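The wizard steps in Step 1 and Step 2 can also be scripted. The following is an added example, not the script the wizard generates and not part of the original guide. It assumes the article's example domain abc.testcorp.com, the default site name, and the default NTDS and SYSVOL paths; change these for your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: scripted equivalent of Step 1 and Step 2.
# All values below are assumptions for illustration; adjust before use.
$DomainName = 'abc.testcorp.com'          # example domain from the article
$SiteName   = 'Default-First-Site-Name'   # assumption: default AD site
$Credential = Get-Credential -Message "Domain admin account for $DomainName"

# Prompt for the DSRM password so it never sits in the script or shell history.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM password'

# Step 1: install the AD DS role together with its management tools.
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) { throw 'AD DS role installation failed.' }

Import-Module ADDSDeployment

# Step 2: same choices as the wizard pages (DNS + GC, site, DSRM, paths).
$dcParams = @{
    DomainName                    = $DomainName
    Credential                    = $Credential
    SiteName                      = $SiteName
    InstallDns                    = $true
    NoGlobalCatalog               = $false
    CreateDnsDelegation           = $false
    SafeModeAdministratorPassword = $DsrmPassword
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# Equivalent of the Prerequisites Check page: stop on any error result.
$check  = Test-ADDSDomainControllerInstallation @dcParams
$failed = $check | Where-Object { $_.Status -eq 'Error' }
if ($failed) {
    $failed | Format-List Message
    throw 'Prerequisite check failed; server was not promoted.'
}

# Promote the server. It reboots automatically when replication completes.
Install-ADDSDomainController @dcParams -Force
```

Run it from an elevated session on the server being promoted, and record the DSRM password in your credential vault rather than in the script.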

That's how you promote a server to a DC!

As mentioned earlier, DCs are one of the most critical components of any organization's AD infrastructure.

IT administrators should continuously monitor DC events so that they can detect anomalous activity, identify any misuse of privileges, and expedite forensic analysis in case of a threat.
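One concrete check that follows from this guide is confirming that only approved servers have been promoted. The following is an added example, not part of the original post; the approved DC names are hypothetical placeholders, and it assumes the ActiveDirectory PowerShell module is available.

```powershell
# Added example: flag DC computer accounts that are not on an approved list.
Import-Module ActiveDirectory

# Assumption: hypothetical baseline; keep the real list under change control.
$ApprovedDCs = @('DC01', 'DC02')

# Promotion sets SERVER_TRUST_ACCOUNT (0x2000 = 8192) in userAccountControl
# on the computer account of a writable DC. Read-only DCs do not carry this
# flag and need a separate check.
$ldapFilter = '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
$dcAccounts = @(Get-ADComputer -LDAPFilter $ldapFilter `
                    -Properties whenCreated, whenChanged, operatingSystem)

# Accounts that look like DCs but were never approved.
$unexpected = @($dcAccounts | Where-Object { $_.Name -notin $ApprovedDCs })

# Approved DCs that no longer appear (demoted, renamed, or deleted).
$missing = @($ApprovedDCs | Where-Object { $_ -notin $dcAccounts.Name })

if ($unexpected.Count -gt 0) {
    Write-Warning "Unapproved domain controller accounts found:"
    $unexpected |
        Select-Object Name, DNSHostName, operatingSystem, whenCreated, whenChanged |
        Format-Table -AutoSize
}

if ($missing.Count -gt 0) {
    Write-Warning ("Approved DCs not found in the directory: " + ($missing -join ', '))
}

if ($unexpected.Count -eq 0 -and $missing.Count -eq 0) {
    Write-Output "DC inventory matches the approved baseline."
}
```

Scheduling this check and alerting on any warning gives an early signal of an unplanned promotion or demotion.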
