How to Install and Configure Active Directory on Windows Server 2025 (Step-by-Step Guide)
Active Directory Domain Services (AD DS) is the core identity and access management platform for Windows networks, used in environments ranging from home labs to large enterprise infrastructures.
With Windows Server 2025, Microsoft continues to refine the installation experience, security defaults, and integration points, while the core deployment process stays very consistent with Windows Server 2016–2022. Setting up your first domain controller gives you centralized user & computer management, Group Policy control, Kerberos authentication, DNS integration, and the foundation for many other Microsoft services.
In this step-by-step tutorial, we'll walk through promoting a fresh Windows Server 2025 instance to a domain controller by creating a brand-new Active Directory forest.
Prerequisites
- Windows Server 2025 installed (Datacenter or Standard)
- Internet access for updates (optional but recommended before starting)
- Administrator privileges
Note: This guide creates a new forest (root domain). For production environments, it is recommended to deploy at least two domain controllers for redundancy. Basic knowledge of computer networking is assumed.
Step 01: Prepare the Server – Basic Configuration
All of the server configuration in this guide is done through Server Manager. Type Server Manager in the search bar on the taskbar and click the result to open it.
When you open the Server Manager window you might be greeted with lots of indicators turned RED but you can ignore them for now.
Server Name Configuration
For easier monitoring and reliable client connectivity, the server must have a clear and unique name on the network. That’s why the first step is to configure a clear and meaningful computer name. A descriptive name (such as PDC-WIN2025 or DC01) lets you identify the server at a glance instead of dealing with random or default names like EC2AMAZ-XXXXXX.
Click on the Local Server in the list to the left of the window.
This opens the server properties section where you can change the computer name. Look for the section Computer name and click on the link in front of it.
This will open the Computer Name/Domain Changes window. Enter a descriptive name (eg: PDC-Win2025) for the server within the field for typing the Computer Name and click OK.
Static IP Configuration
To ensure constant, reliable availability for network authentication, DNS, and Active Directory services, it is important that the domain controller is configured with a static IP. Navigate to Local Server section in the Server Manager again and look for the setting starting with Ethernet. Click on the link in front of it.
Clicking the link opens the Network Connections window. Select the correct network adapter (eg: Ethernet 2) and double-click it to open its Status window.
Click on the Properties button on the Status Window to open the Interface Property Window, then look for item Internet Protocol Version 4 (TCP/IPv4) in the list and double click on it to configure IPv4 properties.
To configure static IP & DNS configuration, select Use the following IP address & Use the following DNS server addresses. Then configure the IP address, Subnet mask, and the Default gateway manually.
For the DNS configuration, use the domain controller's own IP as the Preferred DNS server, as this is the only domain controller in our current setup.
Note: In production environments with two or more domain controllers (they are peers; there is no primary/secondary DC in Active Directory), point each DC's Preferred DNS server at a partner DC and use its own IP as the Alternate DNS server. That way a DC can still resolve names while its own DNS service is starting.
Select Validate settings upon exit, and click OK.
Configure Time Zone
It is important that the server is always configured with the correct time. Kerberos rejects authentication when the clock difference between a client and the domain controller exceeds the default maximum skew of 5 minutes, and correct timestamps are essential for effective troubleshooting and accurate incident investigation. In the Properties window (in the Local Server section of Server Manager) look for Time zone and click the link in front of it to open the Date & Time window.
Windows Update
It is important to download and install the latest Windows updates to get security patches and new features in a production environment. If you are doing this in a lab for learning purposes, you can safely skip this for now. You can update the server by looking for the Windows Update label within the Local Server section and clicking the link in front of it.
Finally, restart the server to allow configuration changes—such as the computer name—to take effect. You may skip this step if a Windows Update restart is already pending. This completes the initial setup.
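The same Step 01 configuration can be done from an elevated PowerShell prompt instead of Server Manager, which is easier to repeat for a second DC. This is an added example, not a script from the original guide; the computer name, adapter alias, addressing and time zone are assumptions for a lab and should be changed to match your network.

```powershell
# Added example (not from the original guide): Step 01 from an elevated PowerShell
# prompt. The host name, adapter alias, addresses and time zone are assumptions.
$NewName  = 'PDC-Win2025'
$Nic      = 'Ethernet 2'            # adapter alias as listed by Get-NetAdapter
$Ip       = '192.168.10.10'
$Prefix   = 24                      # 255.255.255.0
$Gateway  = '192.168.10.1'
$TimeZone = 'UTC'                   # pick an Id from Get-TimeZone -ListAvailable

# 1. Descriptive computer name (takes effect after the restart at the end).
Rename-Computer -NewName $NewName -Force

# 2. Static IPv4: turn off DHCP and drop any leased address and default route
#    first, then assign the fixed address that clients and DNS will depend on.
Set-NetIPInterface -InterfaceAlias $Nic -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Where-Object { $_.PrefixOrigin -in 'Dhcp', 'Manual' } |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false
New-NetIPAddress -InterfaceAlias $Nic -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway

# 3. The only DC in this setup points DNS at itself. With a second DC you would
#    list the partner first and this server's own address second.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Ip

# 4. Correct time zone plus an immediate sync: Kerberos rejects tickets when
#    clocks differ by more than the 5-minute default skew.
Set-TimeZone -Id $TimeZone
w32tm /resync

# 5. Self-check before rebooting: the address must be on the adapter and the
#    gateway must answer.
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 | Format-Table IPAddress, PrefixLength
Test-NetConnection -ComputerName $Gateway -InformationLevel Quiet

Restart-Computer -Force
```

Run it once as Administrator on a fresh server. The `Where-Object` filter leaves the automatic link-local (169.254.x.x) address alone and removes only DHCP-leased or previously set manual addresses, so the script is safe to re-run on a server that was partly configured by hand.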
Step 02: Install the Active Directory Domain Services Role
For the server to function as a domain controller, the Active Directory Domain Services (AD DS) role must be installed, as it is not enabled by default. To begin, open the Server Manager dashboard and click Add roles and features.
This will open the Add Roles & Features Wizard. You will be presented with the Before You Begin page, which explains how to use the wizard and advises you to ensure that certain prerequisite tasks are completed. Read everything carefully and click Next. You may skip this page in the future by selecting Skip this page by default.
- Role-based or feature-based installation
- Selected by default, this is the standard way to add almost anything to your server. This option allows you to add individual roles and features when setting up a standard server.
- Remote Desktop Services installation
- This is a guided, wizard-driven deployment specifically for Remote Desktop Services (formerly Terminal Services). It is designed to set up a complete RDS environment more easily.
Select Role-based or feature-based installation and click Next.
In the Server Selection page, you select the server on which you want to install the role or feature. Currently only your server is listed. Make sure the defaults are selected (Select a server from the server pool, and your server in the list) and click Next to go to the Server Roles page.
In the Server Roles page, select the Active Directory Domain Services option and click Next. (Note: You can see a description of the server role selected to the right side of the window)
This will display a prompt asking for permission to automatically add the features required to run a domain controller (the AD DS management tools and Group Policy Management). Click Add Features.
Keep the default selections in the Select Features page, and click Next.
The next page, AD DS, gives you a summary of what Active Directory Domain Services is.
After reading it, click Next to go to the Confirmation page. Then select Restart the destination server automatically if required and click Install.
After clicking on the Install button, wait until the installation is finished.
Step 03: AD DS Post Deployment Configuration
After AD DS installation is complete, close the Add Roles and Features Wizard and click on the Flag Icon in the right top corner of the Server Manager window to open the notification list. Click on the link Promote this server to a domain controller under the Post-deployment Configuration notification.
This will open the AD DS Configuration Wizard. For this setup we will create a new forest. In Active Directory a Forest is a collection of domains that share a common schema, configuration, and global catalog. In the Deployment Configuration page select Add a new forest, and enter the Root Domain Name (eg: mrtechsparrow.local). Click Next.
Note: A .local name is fine for a throwaway lab, but .local is reserved for multicast DNS (RFC 6762) and public certificate authorities will not issue certificates for it. For anything you intend to keep, use a subdomain of a DNS name you own, such as ad.example.com or corp.example.com, which keeps internal names unambiguous and lets you obtain certificates later.
In the Domain Controller Options page you are asked to select the functional levels of the new forest and of the root domain. The functional level determines which features are available and which versions of Windows Server can run on domain controllers.
- Forest Functional Level
- Applies to all the domains within the forest.
- This determines the forest wide AD DS features and the minimum Windows Server version required for domain controllers across all the domains within the forest.
- Domain Functional Level
- Applies only to a single domain.
- Determines the AD DS features and the minimum Windows Server version required for domain controllers within the domain.
When creating a new forest, it is recommended to use the newest possible version to take advantage of the latest features and improvements. Therefore keep the default selection, Windows Server 2025, for both the Forest and Domain functional levels.
Keep all other settings at their default values, then create a strong Directory Services Restore Mode (DSRM) password. This password is set on the server's local Administrator account. Once the server becomes a domain controller that local account is no longer used for normal logons; it remains only so that you can boot into DSRM to repair or restore the directory database.
Note: This local account (.\Administrator) is separate from and not the same as the Domain Administrator account. You will only use this password for recovery purposes in DSRM. Treat it as a Tier 0 credential: record it in a password vault, not in a shared document, and rotate it if it is ever exposed. It can be changed later without a reboot using ntdsutil ("set dsrm password").
After configuring Domain Controller Options, click Next and in the DNS Options page keep the default values and click Next again.
In the Additional Options page, the wizard suggests a NetBIOS domain name (derived from the first label of the DNS name) and asks you to verify it. This is the older-style short name for your Active Directory domain, limited to 15 characters, and it is what users see in DOMAIN\username logons. You can keep the default value unless you think it is too long or unclear. Click Next.
The Paths page allows you to choose where the Active Directory Database, Log files, and SYSVOL folders will be stored. Unless there are specific requirements—such as managing a large domain or using separate partitions for the operating system and data—you can keep the default values and click Next.
The Review Options page allows you to review the configuration selections and view or copy the PowerShell script that can implement these settings. The copied script can be used to automate future deployments if needed. After reviewing the configuration, click Next.
On the Prerequisites Check page, you can verify that all requirements for configuring Active Directory Domain Services (AD DS) have been met. A warning about DNS delegation is expected here: you are creating a new forest root, so there is no parent DNS zone in which a delegation could be created. Click Install and wait for the installation to complete and the server to reboot.
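Steps 02 and 03 together can be scripted, which is what the Review Options page hands you. The following is an added example rather than the wizard's generated script or the guide's own code; the domain name, NetBIOS name and database paths are assumptions, and the DSRM password is prompted for so that it never ends up in a file or in PowerShell history.

```powershell
# Added example (not from the original guide): Steps 02 and 03 from an elevated
# PowerShell prompt. Domain name, NetBIOS name and paths are assumptions.
$DomainName  = 'corp.example.com'   # a sub-zone of a public name you control
$NetbiosName = 'CORP'               # 15 characters or fewer

# Step 02: install the AD DS role plus the management tools (ADUC, DNS Manager,
# the ActiveDirectory PowerShell module, Group Policy Management).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed) {
    throw 'The AD DS role did not install; fix that before promoting.'
}

# Step 03: the DSRM password is read interactively, never embedded in the script.
$Dsrm = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

Import-Module ADDSDeployment

# The same prerequisite checks the wizard runs. For a new forest root the only
# expected warning is the missing DNS delegation (there is no parent zone yet).
Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns:$true -CreateDnsDelegation:$false `
    -SafeModeAdministratorPassword $Dsrm | Format-List

# Promote. Forest and domain functional levels are left at the cmdlet default,
# which is the highest level this OS supports (Windows Server 2025 here).
# DNS is installed on the DC, no delegation is attempted, and the server
# reboots when the promotion finishes.
Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
    -InstallDns:$true -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $Dsrm -Force:$true
```

Review the Test-ADDSForestInstallation output before the Install-ADDSForest line runs; anything other than the delegation warning should be resolved first, because the promotion will otherwise fail part-way and leave the server in a state that is easier to rebuild than to repair.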
After the promotion, Windows may automatically change the Preferred DNS server to 127.0.0.1. In most environments it is recommended to use the server's static IP address instead, as this avoids certain name resolution edge cases. Open the IPv4 Properties window again by repeating the steps from the static IP configuration in Step 01, and change the Preferred DNS server from 127.0.0.1 back to the server's static IP address.
Now we are going to configure a Reverse Lookup Zone and the PTR record. While this step is not strictly required, it is highly recommended: reverse lookups are used by logging, mail and many security tools to turn addresses back into host names. Open the Tools menu in Server Manager and click DNS to open the DNS Manager.
In the DNS Manager window, expand your server's hostname and select Reverse Lookup Zones. Then click on New Zone on the Action menu.
This will open the New Zone Wizard. Click Next.
Make sure Primary zone option is selected as the Zone Type and click Next.
Select To all DNS servers running on domain controllers in this domain: yourdomain.name option as the Active Directory Zone Replication Scope and click Next.
Select IPv4 Reverse Lookup Zone, as the Reverse Lookup Zone Name. Then click Next.
In the next page enter the Network ID (for a /24 network such as 192.168.10.0/24, the first three octets of the IP: 192.168.10) and click Next.
In the Dynamic Update page, select Allow only secure dynamic updates and click Next. Secure updates require the client to authenticate with Kerberos, so only the computer that owns a record can change it; nonsecure updates would let any host on the network overwrite another machine's name-to-address mapping.
Click Finish to complete the configuration.
Now select the Forward Lookup Zones, and double click your domain name under it.
Double click on the A record for your server's hostname (computer name).
Select Update associated pointer (PTR) record, and click OK.
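The post-promotion work in Step 03 (resetting the DNS client, creating the reverse zone and the DC's PTR record) and a set of health checks, done from an elevated PowerShell prompt on the new DC. This is an added example, not part of the original guide; the adapter alias, addresses, network prefix and domain name are assumptions that match the earlier examples, and the reverse zone name calculation assumes a /24 network.

```powershell
# Added example (not from the original guide): post-promotion DNS configuration
# and health checks. Adapter alias, addresses, prefix and names are assumptions.
$Nic        = 'Ethernet 2'
$Ip         = '192.168.10.10'
$NetworkId  = '192.168.10.0/24'     # the reverse zone is derived from this prefix
$DomainName = 'corp.example.com'
$DcFqdn     = "$env:COMPUTERNAME.$DomainName".ToLower()

# 1. Promotion left the DNS client on 127.0.0.1; point it back at the static IP.
Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $Ip

# 2. Reverse zone name for a /24: reversed first three octets + in-addr.arpa,
#    e.g. 192.168.10.0/24 -> 10.168.192.in-addr.arpa
$Octets   = (($NetworkId -split '/')[0] -split '\.')
$ZoneName = ($Octets[2..0] -join '.') + '.in-addr.arpa'

# AD-integrated zone replicated to every DC in the domain, accepting only
# secure (Kerberos-authenticated) dynamic updates so an unauthenticated host
# cannot overwrite another machine's record.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope Domain -DynamicUpdate Secure
}

# 3. PTR record for the DC itself (the GUI's "Update associated pointer record").
$HostOctet = ($Ip -split '\.')[-1]
if (-not (Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostOctet -RRType Ptr -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordPtr -ZoneName $ZoneName -Name $HostOctet -PtrDomainName $DcFqdn
}

# 4. The first DC holds the PDC emulator role and is the time reference for the
#    whole forest; sync it to an external source so every Kerberos clock in the
#    domain follows a trustworthy one.
w32tm /config /manualpeerlist:"time.windows.com,0x8" /syncfromflags:manual /reliable:yes /update
w32tm /resync

# 5. Health checks: both lookup directions, the DC-locator SRV record clients
#    use to find a DC, the functional level, and dcdiag's DNS test.
Resolve-DnsName -Name $DcFqdn -Type A
Resolve-DnsName -Name $Ip -Type PTR
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
Get-ADForest | Format-List Name, ForestMode
Get-ADDomainController | Format-List HostName, IsGlobalCatalog, OperationMasterRoles
dcdiag /test:DNS /v
```

If the SRV lookup returns nothing, the DC has not registered its locator records and domain joins will fail; restart the Netlogon service (Restart-Service Netlogon) and check the DNS event log before going further.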
You have now successfully promoted your Windows Server to a Domain Controller. The next step is to create Organizational Units (OUs) and configure and apply Group Policy Objects (GPOs).
If you found this guide helpful, please consider leaving a comment and sharing it with others.