# Promoting the server to a domain controller

Goal: turn the freshly installed Windows Server into the first DC of a new Active Directory forest. We also install the DNS role, which AD requires.

## What we create

An Active Directory forest is a logical structure containing one or more domains. Here we create:

- a new forest with the configured domain at its root (`corp.lab` by default)
- a first domain controller (`DC01`) hosting the AD database and DNS

A DC is critical: it handles authentication, GPOs and internal DNS. Production setups use at least two for redundancy. One is enough for this lab.

## Preparation

Rename the machine first. Once promoted, a DC cannot be renamed without being demoted.

### GUI

1. `Settings > System > About > Rename this PC` (or `Win + Pause` > "Change settings")
2. New name: `DC01`
3. Restart

### PowerShell

```
Rename-Computer -NewName "DC01" -Restart
```

If `Rename-Computer` refuses authentication on a fresh install, use the GUI or the registry approach (see `troubleshooting.md`).

## Install the roles

After the reboot, open a session as Administrator.

### GUI

1. Open `Server Manager`
2. `Manage > Add Roles and Features`
3. Select:
   - `AD DS`
   - `DNS Server`
4. Leave the defaults and install
5. When done, click the warning flag > `Promote this server to a domain controller`

### PowerShell

```
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
```

## Promote to domain controller

### GUI

In the AD DS configuration wizard:

1. `Add a new forest` > Root name: `corp.lab`
2. Functional levels: keep the suggested value
3. Check `DNS Server` and `Global Catalog`
4. Set a DSRM password (Directory Services Restore Mode)
5. Ignore the DNS warnings (normal on a brand new DC)
6. Validate and let the machine reboot

### PowerShell

```
# Prompt for the DSRM password as a SecureString so it never appears in the shell history
$dsrmPwd = Read-Host -AsSecureString "DSRM password"
Install-ADDSForest `
    -DomainName "corp.lab" `
    -DomainNetbiosName "CORP" `
    -InstallDns `
    -SafeModeAdministratorPassword $dsrmPwd `
    -Force   # skips the confirmation prompt; the server reboots when promotion completes
```

Key cmdlets:

- `Install-ADDSForest` creates a new forest
- `Install-ADDSDomainController` adds a DC to an existing forest

## Validation

After the reboot, log back in (the account is now `CORP\Administrator`):

```
Get-ADDomain
Get-ADForest
dcdiag
```

The first two return domain/forest information. `dcdiag` runs integrity tests. Minor DNS warnings are normal on a standalone DC.

## Notes

- The DSRM password is independent of the Administrator password. It is used in AD recovery mode. Keep it in your password manager.
- Once promoted, a DC cannot be renamed without being demoted first (`Uninstall-ADDSDomainController`).
- Fresh dockur installs come with an auto-generated hostname (`WIN-xxxx`). Renaming **before** promotion is crucial.

## Next

AD is live but empty. Create OUs, users and groups in `03-ou-users-groups.md`.
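The rename, install, promote and validate steps above are one procedure interrupted by reboots. As an added example that is not part of this guide or of the dockur project, the script below runs that procedure as a single re-runnable PowerShell script: it checks the machine's state at each step (hostname, installed features, `Win32_ComputerSystem.DomainRole`) and only performs the step that is still missing, so you launch it again after every reboot until it reports the DC as validated. The names `DC01`, `corp.lab` and `CORP` come from the guide; the choice of checks (the `Test-ADDSForestInstallation` dry run, the `_ldap._tcp.dc._msdcs` SRV lookup, the `dcdiag /q` exit code) is my own and assumes the standard AD DS management tools are available on the server.

```powershell
# Added example, not from the original guide: idempotent rename -> roles -> promote -> validate.
# Run as Administrator after each reboot until it prints "validated".
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$HostName    = "DC01",      # names taken from the guide
    [string]$DomainName  = "corp.lab",
    [string]$NetbiosName = "CORP"
)
$ErrorActionPreference = "Stop"

# 1. Rename. A promoted DC cannot be renamed, so refuse to go further until the name matches.
if ($env:COMPUTERNAME -ne $HostName) {
    Write-Host "Hostname is '$env:COMPUTERNAME'; renaming to '$HostName' and rebooting."
    Rename-Computer -NewName $HostName -Force -Restart
    return
}

# 2. Roles. Install only what is missing; .Installed is a boolean on each feature object.
$missing = Get-WindowsFeature -Name AD-Domain-Services, DNS | Where-Object { -not $_.Installed }
if ($missing) {
    Write-Host "Installing roles: $($missing.Name -join ', ')"
    $result = Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
    if (-not $result.Success) { throw "Role installation failed, exit code: $($result.ExitCode)" }
    if ($result.RestartNeeded -eq "Yes") { Restart-Computer -Force; return }
}

# 3. Promote. DomainRole 4 (backup DC) or 5 (primary DC) means this machine is already a DC.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.DomainRole -lt 4) {
    $dsrmPwd = Read-Host -AsSecureString "DSRM password (store it in your password manager)"
    Import-Module ADDSDeployment

    # Dry run with the same parameters as the real promotion: nothing is changed, but a DSRM
    # password that fails complexity or a bad NetBIOS name is reported before the reboot.
    $check = Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -InstallDns -SafeModeAdministratorPassword $dsrmPwd -Force
    if ($check.Status -ne "Success") { throw "Pre-check failed: $($check.Message)" }

    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -InstallDns -SafeModeAdministratorPassword $dsrmPwd -Force
    return   # the server reboots when promotion completes
}

# 4. Validate. Reached when the script is relaunched as CORP\Administrator after the promotion reboot.
Import-Module ActiveDirectory
$domain = Get-ADDomain
$forest = Get-ADForest
$dc     = Get-ADDomainController -Identity $HostName

if ($domain.DNSRoot -ne $DomainName)      { throw "Unexpected domain: $($domain.DNSRoot)" }
if ($domain.NetBIOSName -ne $NetbiosName) { throw "Unexpected NetBIOS name: $($domain.NetBIOSName)" }
if ($forest.RootDomain -ne $DomainName)   { throw "This DC is not in a forest rooted at $DomainName" }
if (-not $dc.IsGlobalCatalog)             { Write-Warning "$HostName is not a Global Catalog; re-check the wizard option" }

# Domain members locate a DC through this SRV record; if DNS did not register it, domain joins fail.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV
$target = $srv | Where-Object Type -eq 'SRV' | Select-Object -First 1 -ExpandProperty NameTarget
Write-Host "DC SRV record points at: $target"

# dcdiag /q prints only failing tests. Minor DNS warnings are expected on a single lab DC,
# so a non-zero exit code is reported rather than treated as fatal.
dcdiag /q
if ($LASTEXITCODE -ne 0) { Write-Warning "dcdiag reported at least one failing test; read the lines above" }
Write-Host "$HostName validated as first DC of $DomainName"
```

Keeping every check in one script means a half-finished run (for example a reboot after the role install) leaves nothing to remember: the next launch re-evaluates the state and continues from the right step. The DSRM password is only ever held as a SecureString in the current session and is never written to disk by the script.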