Yes, you can create a new domain in Windows Server 2019 by installing AD DS and running the AD DS Configuration Wizard to create a new forest and domain. In this guide, you’ll get a practical, step-by-step plan to design, deploy, and verify a brand-new domain in Windows Server 2019. We’ll cover prerequisites, installation, promotion, DNS integration, OU design, Group Policy basics, and post-setup checks. Here’s a concise roadmap you’ll follow:
– Plan your namespace and forest/domain structure
– Prepare DNS and network requirements
– Install the AD DS role on a Windows Server 2019 machine
– Promote the server to a domain controller for a new forest and domain
– Verify health and replication, and configure DNS as needed
– Create an OU structure and basic Group Policy
– Secure, back up, and plan for additional domain controllers
Useful resources:
Microsoft Docs – Install Active Directory Domain Services on Windows Server 2019 – https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services-ADDS
Microsoft Docs – What is Active Directory – https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/what-is-active-directory
Microsoft Docs – Deploy a DNS server for Active Directory – https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-a-dns-server-for-active-directory
Tech Community – Active Directory Best Practices – https://techcommunity.microsoft.com/t5/identity-access-management
Introduction
In this guide we’ll walk you through planning, preparing, and executing the domain deployment, with practical steps, commands, and checks you can copy-paste or adapt. You’ll learn about prerequisites, how to install the AD DS role, how to promote the server to a domain controller for a new forest, how to configure DNS, and how to structure your OUs and policies for a clean, scalable environment. We’ll also cover common pitfalls and best practices for securing and backing up your new domain.
What you’ll get in this post
– Step-by-step installation and promotion steps
– PowerShell commands for automation
– DNS integration tips and common DNS pitfalls
– OU design, user/computer provisioning tips, and basic Group Policy guidance
– Health checks and troubleshooting tips
– A FAQ with practical answers to common questions
Prerequisites and planning: what you should know before you start
Before you install AD DS, take a moment to plan. A well-planned domain reduces future headaches as your environment grows.
– Domain naming: Decide on your domain name (e.g., corp.local or contoso.com). If you need internet-facing services, use a publicly resolvable domain name; for an on-premises AD DS domain you can use a non-routable name like corp.local. A domain cannot easily be renamed later, so pick carefully.
– Forest and domain functional levels: For Windows Server 2019, you’ll typically set both the forest and domain functional levels to Windows2019, unless you need compatibility with older domain controllers.
– DNS readiness: AD DS relies on DNS. Plan to install and configure DNS on your AD DS domain controller or on dedicated DNS servers connected to the AD DS forest. Ensure forwarders to external DNS are in place if you need external name resolution.
– Network and security: The server should have a static IP, proper time synchronization (domain member clocks must stay in sync with the domain), and firewall rules that allow AD DS and DNS traffic.
– Hardware and capacity: A single domain controller can run on modest hardware, but plan for future growth. Windows Server 2019 standard guidance is at least 2 cores and 4 GB RAM for light workloads, but production needs typically require more. For a new forest, ensure you have enough CPU, memory, and disk I/O for AD DS, DNS, and SYSVOL operations.
– Administrative account: You’ll promote the server using an account that is a member of the local Administrators group, and you’ll set a Directory Services Restore Mode (DSRM) administrator password.
What you’ll need to run through the steps
– A Windows Server 2019 machine (physical or virtual) with a static IP.
– Administrative privileges on the server.
– A secure Directory Services Restore Mode (DSRM) password, used during promotion.
– A planned domain name and a plan for the initial OU structure and basic GPOs.
Step-by-step: install AD DS role
1 Open Server Manager and add the AD DS role
– In Server Manager, choose Manage > Add Roles and Features.
– On the Before You Begin page, click Next.
– Choose Role-based or feature-based installation and select the server you’re configuring.
– On the Select server roles page, check Active Directory Domain Services.
– When prompted, add required features for AD DS and click Next, then Install.
– Wait for installation to complete. Do not reboot yet unless prompted.
If you prefer PowerShell, you can install the role with:
```powershell
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
```
Step-by-step: promote the server to a domain controller for a new forest and domain
2 Promote to a domain controller new forest and domain
– In Server Manager, after AD DS is installed, there will be a notification flag that says “Promote this server to a domain controller.” Click it to begin the AD DS configuration wizard.
– Choose “Add a new forest” and enter your root domain name (for example, corp.local or contoso.com).
– Set the Forest functional level and Domain functional level to Windows2019 or your desired level.
– If your domain will manage DNS (recommended), select “Create DNS server” and allow DNS to be installed alongside AD DS.
– Provide the Safe Mode Administrator Password (DSRM) and confirm. This password is used only for maintenance in Directory Services Restore Mode.
– Review the options and click Next, then Install. The server will reboot automatically once the promotion completes.
If you’re using PowerShell for automation, you can run:
```powershell
Import-Module ADDSDeployment
# "WinThreshold" (Windows Server 2016) is the highest functional level the cmdlet accepts;
# "Win2019" is not a valid value and the cmdlet would reject it.
Install-ADDSForest -DomainName "corp.local" -ForestMode "WinThreshold" -DomainMode "WinThreshold" -CreateDnsDelegation:$false -DatabasePath "C:\Windows\NTDS" -LogPath "C:\Windows\NTDS" -SysvolPath "C:\Windows\SYSVOL" -Force
```
Note: When you run Install-ADDSForest, you’ll be prompted for the Safe Mode Administrator password if you didn’t supply it inline.
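The following script is an added example (not code from the page or from Microsoft) that wraps the promotion in the checks a practitioner would want: it refuses a DHCP-assigned address, reads the DSRM password interactively so it never lands in a script file, and runs the cmdlet’s own prerequisite test before touching the server. It assumes the forest root name corp.local and NetBIOS name CORP; both are placeholders.

```powershell
# Added example: pre-flight checks, then an unattended new-forest promotion.
# Assumptions: forest root "corp.local", NetBIOS name "CORP"; adjust both.
$DomainName  = "corp.local"
$NetBiosName = "CORP"

# 1. A DC must have a static IP: stop if any connected IPv4 interface still uses DHCP.
$dhcpIfaces = Get-NetIPInterface -AddressFamily IPv4 -Dhcp Enabled |
    Where-Object { $_.ConnectionState -eq "Connected" }
if ($dhcpIfaces) {
    throw "IPv4 DHCP is enabled on: $($dhcpIfaces.InterfaceAlias -join ', '). Set a static IP first."
}

# 2. Install the role (no-op if already present) and load the deployment module.
if ((Get-WindowsFeature -Name AD-Domain-Services).InstallState -ne "Installed") {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
}
Import-Module ADDSDeployment

# 3. Read the DSRM password interactively so it is never stored in a script or shell history.
$dsrm = Read-Host -Prompt "DSRM (Safe Mode) administrator password" -AsSecureString

$common = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetBiosName
    ForestMode                    = "WinThreshold"   # highest level the cmdlet accepts (Windows Server 2016)
    DomainMode                    = "WinThreshold"
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    SafeModeAdministratorPassword = $dsrm
}

# 4. Run only the prerequisite checks first; abort on failure rather than leave a half-promoted server.
$check = Test-ADDSForestInstallation @common
if ("$($check.Status)" -ne "Success") {
    $check.Message | Write-Warning
    throw "Prerequisite check failed; fix the warnings above before promoting."
}

# 5. Promote. -NoRebootOnCompletion lets you read the wizard log before the restart.
Install-ADDSForest @common -NoRebootOnCompletion -Force
```

After reviewing the output, restart the server manually to finish the promotion.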
Step-by-step: verify the installation and health
3 Post-promotion verification
– After the server reboots, log in with a domain administrator account (e.g., CORP\Administrator) or a delegated admin.
– Open Command Prompt or PowerShell and run:
```powershell
Get-ADDomain
Get-ADForest
Get-ADDomainController -Filter *
```
– Confirm that the domain and forest are created and that at least one domain controller is listed.
– Check DNS: ensure the DNS service is running and that the DC is the primary DNS server for the domain. Verify that the DNS records (the SRV records under _msdcs, etc.) exist.
– Confirm time synchronization: the DC should be authoritative for time in its domain. Domain members will sync with this DC.
PowerShell commands you’ll use for health checks
– Check domain health:
```powershell
# (Get-ADDomain).DNSRoot and (Get-ADForest).Name read the properties; the dotted
# cmdlet-name form Get-ADDomain.Hostname is not valid PowerShell.
(Get-ADDomain).DNSRoot
(Get-ADForest).Name
```
– Verify DC replication and status (if you have multiple DCs):
```powershell
Get-ADReplicationPartnerMetadata -Target "YourDCName"
```
– Force a quick health check:
```powershell
Dcdiag /v /c /q
```
– Validate the secure channel to the domain:
```powershell
Test-ComputerSecureChannel -Server "YourDCName"
```
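The checks above are scattered across several tools; the script below is an added example (not from the page or from Microsoft) that gathers them into one pass/fail report covering the failure modes this guide warns about: missing services, an unresolvable DC locator record, a PDC emulator still syncing from its local clock, missing SYSVOL/NETLOGON shares, unassigned FSMO roles, and dcdiag errors. It assumes it runs on the new DC and that the domain is corp.local (a placeholder).

```powershell
# Added example: compact post-promotion health report; run on the new DC.
# Assumption: the domain is "corp.local" (adjust $Zone).
Import-Module ActiveDirectory
$Zone = "corp.local"
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Passed = $Ok; Detail = $Detail })
}

# 1. Core DC services must be running.
foreach ($svc in "NTDS", "DNS", "Netlogon", "Kdc", "W32Time") {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Check "Service $svc" ($s.Status -eq "Running") "$($s.Status)"
}

# 2. The DC locator SRV record must resolve, or clients cannot find the domain at all.
$srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -ErrorAction SilentlyContinue
Add-Check "SRV _ldap._tcp.dc._msdcs" ([bool]$srv) (($srv.NameTarget | Sort-Object -Unique) -join ", ")

# 3. The PDC emulator is the domain's time authority; "Local CMOS Clock" means it was never configured.
$src = (w32tm /query /source) -join ""
Add-Check "Time source" ($src -notmatch "Local CMOS Clock") $src

# 4. SYSVOL and NETLOGON shares are where clients read Group Policy and logon scripts.
$shares = (Get-SmbShare).Name
Add-Check "SYSVOL/NETLOGON shared" (("SYSVOL" -in $shares) -and ("NETLOGON" -in $shares)) ($shares -join ", ")

# 5. All five FSMO roles should be held somewhere; on the first DC they all live here.
$roles = (Get-ADDomainController -Filter *).OperationMasterRoles | Sort-Object -Unique
Add-Check "FSMO roles assigned" ($roles.Count -eq 5) ($roles -join ", ")

# 6. dcdiag /q prints only errors, so empty output means every test passed.
$dcd = (dcdiag /q) -join "`n"
Add-Check "dcdiag /q" ([string]::IsNullOrWhiteSpace($dcd)) ($dcd.Trim())

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { Write-Warning "One or more checks failed; review the Detail column." }
```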
Configure DNS properly for AD DS
4 DNS considerations you shouldn’t skip
– AD DS relies on DNS. If you’re using DNS on the same server that hosts AD DS, ensure the DNS service is installed and configured to host the Active Directory domain zone (e.g., corp.local) automatically.
– Consider setting up forwarders to your ISP’s or public DNS resolvers for external name resolution.
– Enable dynamic updates in DNS to allow clients to register their hostnames automatically, or set up static DNS records for critical servers if you need tighter control.
– Create a reverse lookup zone for IP-to-name resolution, which helps with troubleshooting.
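The four DNS items above, as an added example script (not from the page or from Microsoft) using the DnsServer module on the DC. The security-relevant point is in step 2: dynamic updates should be "Secure" only, because "NonsecureAndSecure" lets any host on the network overwrite the record for any name. The zone name corp.local, the forwarder addresses (TEST-NET-3 documentation range) and the 10.0.1.0/24 subnet are placeholders.

```powershell
# Added example: post-promotion DNS configuration for the AD-integrated zone.
# Placeholders: zone name, forwarder addresses (203.0.113.x is a documentation range), subnet.
Import-Module DnsServer
$Zone       = "corp.local"
$Forwarders = @("203.0.113.53", "203.0.113.54")
$Subnet     = "10.0.1.0/24"

# 1. Forwarders for external names; do not fall back to root hints if they are unreachable.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# 2. The domain zone must be AD-integrated and accept SECURE dynamic updates only.
$fwd = Get-DnsServerZone -Name $Zone
if (-not $fwd.IsDsIntegrated) { throw "$Zone is not AD-integrated; fix that before continuing." }
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate Secure -ReplicationScope Forest

# 3. Reverse lookup zone for the client subnet, also AD-integrated and secure-update only.
#    Add-DnsServerPrimaryZone derives the zone name (1.0.10.in-addr.arpa) from -NetworkId.
$ptrZone = "1.0.10.in-addr.arpa"
if (-not (Get-DnsServerZone -Name $ptrZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $Subnet -ReplicationScope Forest -DynamicUpdate Secure
}

# 4. Confirm the effective settings on both zones.
Get-DnsServerZone -Name $Zone, $ptrZone |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope | Format-Table -AutoSize

# 5. Ask Netlogon to re-register the DC's own records (SRV, A, CNAME) in case any are missing.
nltest /dsregdns
```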
OU design and initial provisioning
5 Plan your OU structure and user/computer provisioning
– Start with a simple but scalable layout:
  – OU=CompanyName
    – OU=Users
      – OU=Employees
      – OU=Contractors
    – OU=Computers
      – OU=Desktops
      – OU=Laptops
      – OU=Servers
        – OU=Domain Controllers
        – OU=ApplicationServers
– Use the “Users” OU for human users and “Computers” for domain-joined devices. Keep Domain Controllers in their own OU for easier management.
– Think about delegating administration. For example, delegate control to helpdesk groups at the OU level to ease user management without giving broad admin rights.
Group Policy: a quick-start primer
6 Basics to get started with Group Policy
– Create a GPO in the domain for security settings, password policies, and workstation configurations.
– Link GPOs to the appropriate OUs (e.g., the Users OU for user policies, the Computers OU for device policies).
– Common policies to start with:
  – Password policy: minimum length, complexity, lockout settings
  – Account lockout policy and logon attempt controls
  – Desktop and Start menu configurations
  – Software deployment policies, if you’re rolling out apps via GPO
– Use Group Policy Results (gpresult) and Group Policy Modeling (in GPMC) to verify applied policies and troubleshoot issues.
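The OU layout from the previous section and the GPO quick-start above, as one added example script (not from the page or from Microsoft). It creates the OU tree idempotently with accidental-deletion protection, creates and links a user and a device baseline GPO, and sets the domain password and lockout policy. It assumes the domain corp.local and the company OU name Contoso; the built-in Domain Controllers OU already exists at the domain root, so the script does not create one.

```powershell
# Added example: idempotent OU provisioning plus starter GPOs. Placeholders: domain, company name.
Import-Module ActiveDirectory, GroupPolicy
$DomainDN = (Get-ADDomain).DistinguishedName
$Company  = "Contoso"

# Parent DN -> child OU names. Child DNs are always longer than their parent's, so sorting by
# length processes parents first.
$Layout = @{
    "OU=$Company,$DomainDN"                          = @("Users", "Computers")
    "OU=Users,OU=$Company,$DomainDN"                 = @("Employees", "Contractors")
    "OU=Computers,OU=$Company,$DomainDN"             = @("Desktops", "Laptops", "Servers")
    "OU=Servers,OU=Computers,OU=$Company,$DomainDN"  = @("ApplicationServers")
}

function New-OuIfMissing([string]$Name, [string]$ParentDN) {
    $existing = Get-ADOrganizationalUnit -SearchBase $ParentDN -SearchScope OneLevel -Filter "Name -eq '$Name'"
    if (-not $existing) {
        # Deletion protection stops a mis-click from removing a whole subtree of accounts.
        New-ADOrganizationalUnit -Name $Name -Path $ParentDN -ProtectedFromAccidentalDeletion $true
    }
}

New-OuIfMissing -Name $Company -ParentDN $DomainDN
foreach ($parent in ($Layout.Keys | Sort-Object Length)) {
    foreach ($child in $Layout[$parent]) { New-OuIfMissing -Name $child -ParentDN $parent }
}

# One baseline GPO per target OU; disabling the unused half of each GPO speeds up processing.
$gpos = @(
    @{ Name = "$Company - User Baseline";   Link = "OU=Users,OU=$Company,$DomainDN";     Status = "ComputerSettingsDisabled" }
    @{ Name = "$Company - Device Baseline"; Link = "OU=Computers,OU=$Company,$DomainDN"; Status = "UserSettingsDisabled" }
)
foreach ($g in $gpos) {
    $gpo = Get-GPO -Name $g.Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $g.Name -Comment "Created by provisioning script" }
    $gpo.GpoStatus = $g.Status
    $linked = (Get-GPInheritance -Target $g.Link).GpoLinks | Where-Object { $_.DisplayName -eq $g.Name }
    if (-not $linked) { New-GPLink -Name $g.Name -Target $g.Link -LinkEnabled Yes | Out-Null }
}

# Password and lockout policy are domain-wide (Default Domain Policy); set them through AD itself.
Set-ADDefaultDomainPasswordPolicy -Identity $DomainDN -MinPasswordLength 14 -ComplexityEnabled $true `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)
```

Run it from an account with rights to create OUs and GPOs; rerunning it is safe because every step checks before it creates.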
Security, backup, and disaster recovery
7 Security and backups you’ll want
– Regular backups: Your AD DS data, SYSVOL, and DNS data should be included in regular backups. Consider a backup solution that includes AD DS-aware backups and allows you to perform authoritative restores if needed.
– FSMO roles: In a single-DC environment, you’ll have all FSMO roles on that DC. If you add additional DCs, plan how you’ll transfer FSMO roles later using ntdsutil or the Active Directory module for Windows PowerShell.
– Hardening: Implement least privilege, monitor administrator accounts, and enable auditing for critical objects. Consider enabling AD DS and DNS auditing if you need to track changes.
– Time sync: Ensure reliable time synchronization across domain controllers and domain-joined machines to avoid Kerberos issues.
– Patch management: Keep the Domain Controller up to date with Windows updates and security patches.
High availability and future expansion
8 Expanding beyond a single DC
– Plan for at least two domain controllers for high availability. With AD DS, you can deploy a second DC on another server, join it to the new domain, and promote it as a DC in the same domain. Replication will keep both DCs in sync.
– DNS redundancy: If you have multiple DCs, make sure DNS is replicated and that clients can query more than one DNS server for name resolution.
– Global Catalog: On at least one DC and preferably on both in larger environments, enable the Global Catalog as it helps with user logon and directory lookups.
Backup and recovery planning
9 Backup and disaster recovery basics
– Regular system state backups of every DC are recommended.
– Document recovery procedures and consider a test DR drill every 6–12 months.
– Keep offline documentation of FSMO role holders and administrator accounts.
– Test restoring a DC in a lab environment before you need it in production.
Common pitfalls and troubleshooting tips
10 Watch out for these common issues
– DNS misconfiguration: If DNS isn’t installed or properly configured, domain services promotion will fail. Double-check DNS server IP settings and forwarders.
– Time mismatch: Kerberos relies on time synchronization. A skew beyond 5 minutes can cause authentication failures.
– Network name uniqueness: Ensure domain naming doesn’t conflict with existing DNS zones or other external domains.
– Inadequate permissions: Be sure you’re using an account with the right privileges to promote a DC and create domain components.
Table: Forest and Domain functional levels
| Item | Default setting for Windows Server 2019 | Description |
|---|---|---|
| Forest functional level | Windows2019 | Enables features available in Windows Server 2019 AD |
| Domain functional level | Windows2019 | Enables domain-wide features for Windows Server 2019 |
| Downlevel functional level | Windows2019 | Used when you have older domain controllers |
PowerTips and quick checks
– If you’re templating deployments, consider script-based domain creation in a lab and then adapt for production.
– For large environments, think about automated OU provisioning and GPO assignment through PowerShell DSC or other deployment tools.
– Document every change. A small note in your ops wiki about the domain structure, DCs, and policies saves hours later.
Frequently Asked Questions
# What is Active Directory Domain Services AD DS?
AD DS is the directory service that stores information about objects in a network, such as users, groups, computers, and policies. It handles authentication, authorization, and directory lookups, enabling centralized management.
# What’s the difference between a forest and a domain?
A domain represents a security boundary for a set of objects and a namespace. A forest is a collection of one or more domain trees that share a common schema and global catalog, enabling trust and resource sharing across domains.
# Can I create a domain controller using Server Core?
Yes. You can install AD DS on Server Core and promote it to a domain controller using PowerShell. This reduces the footprint and attack surface while still providing the same directory services.
# What is the minimum hardware to install AD DS?
There’s no one-size-fits-all answer. For a test environment, a modern VM with 2 vCPUs and 4 GB RAM can work, but production typically requires more for DNS, SYSVOL, and additional services. Aim for enough CPU and RAM to handle AD DS, DNS, and growth.
# How do I promote a server to a domain controller using Server Manager vs PowerShell?
Server Manager provides a guided, UI-based experience, great for beginners. PowerShell is ideal for automation and repeatable deployments. The UI steps mirror the PowerShell commands shown earlier.
# How do I set up DNS integration with AD DS?
Install the DNS role alongside AD DS and choose to install DNS during promotion. Ensure forwarders are configured for external name resolution, and that the DNS zone for your domain is created and dynamic updates are enabled.
# How do I verify AD DS health after promotion?
Run commands like Get-ADDomain, Get-ADForest, Get-ADDomainController -Filter *, and use Dcdiag to run a health check. Check SYSVOL replication and DNS records with nslookup and DNS Manager.
# How do I back up Active Directory?
Back up the system state of your DCs. Use Windows Server Backup or a third-party solution that supports AD DS state backups. Regularly test restores in a lab environment.
# What’s the difference between a root domain and a child domain?
The root domain is the first domain in a forest and forms the top of the namespace. Child domains are subdomains within the forest. Trust relationships exist between root and child domains, and they share the global catalog.
# How do I transfer FSMO roles if I add more domain controllers?
Use the Active Directory Module for Windows PowerShell or the ntdsutil tool to seize or transfer FSMO roles from one DC to another. Plan this during maintenance windows and document the changes.
# Can I migrate users and groups from another domain or forest?
Yes. You can use tools like ADMT (Active Directory Migration Tool) to migrate users, groups, and computers between domains or forests. Plan user principal names (UPNs) ahead of time to avoid sign-in issues.
# How long does it take to promote a domain controller in Windows Server 2019?
Promotion time depends on hardware, DNS provisioning, replication needs, and domain size. A small forest can promote in under 30 minutes, but larger forests can take longer due to DNS and SYSVOL replication.
# What are best practices for domain design in a growing organization?
Start with a clear OU structure, plan for multiple domain controllers, implement a policy framework early, standardize naming conventions, and automate provisioning where possible. Regularly review security groups and GPOs for drift.