How to Install Active Directory on Windows Server 2025 (Step-by-Step)

How to install Active Directory on Windows Server 2025 comes down to three steps: install the AD DS role, promote the server to a domain controller, and verify the result. The entire process takes about 20 minutes when the server is prepared correctly. Most of that time is the reboot.

This guide covers how to install Active Directory using both the GUI path (Server Manager) and PowerShell, the pre-installation requirements that break deployments when skipped, and the verification steps that confirm a healthy domain controller — not just a server that rebooted without errors.

If you’re new to Active Directory and need background on what you’re about to deploy, start with What Is Active Directory first. For the component model — forests, domains, and OUs — see Active Directory Components Explained.

Figure: How to install Active Directory on Windows Server 2025 — deployment flow from role installation to domain controller promotion

TL;DR — How to Install Active Directory: Pre-Install Checklist
  • Static IP configured on the server before installation — DHCP is not acceptable on a domain controller
  • Hostname set to its final value — renaming a DC after promotion is a separate, painful operation
  • No .local suffix in the planned domain name — use corp.example.com format
  • NTFS volumes confirmed for AD database, logs, and SYSVOL — ReFS is unsupported
  • DNS role NOT pre-installed — let the AD DS promotion wizard handle it
  • DSRM password storage location prepared before you start
  • Administrator credentials confirmed

Before You Install Active Directory on Windows Server 2025

Most guides on how to install Active Directory jump straight to Server Manager. The steps that follow work only when the server configuration is clean first. The installation itself rarely fails. What fails is the environment the installation runs into.

Method | Best For | Notes
Server Manager (GUI) | First deployment, learning the options | Visual confirmation at each step; easier to review settings before committing
PowerShell | Automation, scripted builds, repeatability | Same result as GUI; supports unattended deployment with -Force
PowerShell on Server Core | Production DCs, reduced attack surface | Microsoft’s recommended DC deployment model; no GUI available

Static IP. Domain controllers need a stable IP address. A DHCP lease that changes forces DNS pointer record updates, which creates gaps in AD-integrated DNS resolution. Kerberos authentication depends on DNS; broken DNS means broken authentication. Set the static IP before the role is installed — not after, not during.

Hostname. The server’s hostname becomes part of the domain controller’s identity objects in Active Directory. Renaming a DC after promotion requires transferring FSMO roles, updating DNS records, and running netdom computername with specific syntax. It works, but it’s an avoidable operation. Set the final hostname first.

Domain name. Use a routable DNS namespace: corp.example.com, ad.company.com, anything with a proper TLD suffix. The .local suffix causes conflicts with mDNS (Multicast DNS) and Bonjour on networks that include macOS, Linux, or Synology NAS devices. Those systems use .local for their own service discovery and attempt to resolve it via multicast rather than via your DC’s DNS. The result is intermittent resolution failures that are hard to diagnose.

Avoid using your externally registered domain name directly as the internal AD namespace — split-brain DNS adds ongoing operational overhead. A subdomain like corp.company.com is cleaner.

Storage. Active Directory requires NTFS for the database (%SystemRoot%\NTDS\ by default), logs, and SYSVOL. ReFS is not supported. The default NTFS system volume is fine for most deployments; don’t redirect AD files to a ReFS-formatted data disk.

DNS. Do not install the DNS Server role before running the AD DS promotion. One of the most common mistakes when you install Active Directory on Windows Server 2025 is pre-installing DNS manually. When you create a new forest, the AD DS wizard installs DNS automatically and creates AD-integrated DNS zones. If DNS is already installed, the wizard may partially configure it rather than replace it — leaving SRV records missing or DNS zones in a non-AD-integrated state. Let the wizard own the DNS installation.
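The checklist above can be run as a script before touching Server Manager. The following PowerShell pre-flight check is an added example, not a script from the original article: it tests each item (static IPv4 address, final hostname, a multi-label domain name without a .local suffix, NTFS on the system volume, and no pre-installed DNS Server role) and prints a pass/fail table. The planned domain name and hostname at the top are assumed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own code): pre-install checks for the
# checklist above. Run on the candidate server before installing AD DS.

$PlannedDomain   = 'corp.example.com'   # assumption: your planned forest root
$PlannedHostname = 'DC01'               # assumption: the final DC hostname

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. Static IPv4: any DHCP-assigned address on a non-loopback adapter fails.
$dhcp = @(Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -eq 'Dhcp' -and $_.InterfaceAlias -notmatch 'Loopback' })
Add-Check 'Static IPv4 address' ($dhcp.Count -eq 0) ('DHCP-assigned: ' + ($dhcp.IPAddress -join ', '))

# 2. Hostname already at its final value (renaming after promotion is a separate job).
Add-Check 'Final hostname' ($env:COMPUTERNAME -ieq $PlannedHostname) "Current: $env:COMPUTERNAME"

# 3. Domain name: at least two labels, and the TLD must not be .local (mDNS conflict).
$labels = $PlannedDomain.Split('.')
$nameOk = ($labels.Count -ge 2) -and ($labels[-1] -ne 'local')
Add-Check 'Routable domain name' $nameOk $PlannedDomain

# 4. NTFS on the volume that will hold NTDS, logs and SYSVOL (system drive by default).
$vol = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
Add-Check 'NTFS system volume' ($vol.FileSystemType -eq 'NTFS') "$($env:SystemDrive) is $($vol.FileSystemType)"

# 5. DNS Server role must NOT be installed yet; the promotion wizard installs it.
$dns = Get-WindowsFeature -Name DNS
Add-Check 'DNS role not pre-installed' (-not $dns.Installed) "Installed: $($dns.Installed)"

$results | Format-Table -AutoSize
if (@($results | Where-Object { -not $_.Pass }).Count -gt 0) {
    Write-Warning 'Fix the failed checks before installing the AD DS role.'
} else {
    Write-Host 'All pre-install checks passed.' -ForegroundColor Green
}
```

The DNS check uses the feature name DNS as reported by Get-WindowsFeature; the role is expected to be absent here and present (installed by the wizard) after promotion.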

Failure scenario

If you close the AD DS Configuration Wizard partway through the promotion process, the server is left in an intermediate state: the AD DS role is installed, but the server was never promoted to a domain controller. The domain doesn’t exist and the server’s role installation is incomplete. To recover, reopen Server Manager — the notification flag still shows “Promote this server to a domain controller.” Run the promotion wizard again from the beginning. No reinstall of Windows required.

How to Install Active Directory Using Server Manager

Server Manager is the standard way to install Active Directory on Windows Server 2025 for first-time deployments. It walks through every configuration decision with validation at each step.

Step 1 — Open Add Roles and Features

Open Server Manager. From the dashboard, select Manage → Add Roles and Features. The wizard opens with a before-you-begin page. Click Next.

On the installation type screen, select Role-based or feature-based installation and click Next.

Step 2 — Select the Destination Server

Confirm the current server is selected in the server pool. Click Next.

Step 3 — Select Active Directory Domain Services

In the server roles list, check Active Directory Domain Services. A dialog appears asking to add required features — click Add Features. This includes the AD DS management tools: Active Directory Users and Computers, Active Directory Sites and Services, AD Administrative Center, and the AD PowerShell module.

Click Next through the features screen without changes. Click Next on the AD DS description screen. Click Install.

The role installs in a few minutes. Do not close Server Manager.

Step 4 — Promote the Server to a Domain Controller

When installation completes, Server Manager displays a yellow notification flag at the top. Click it and select Promote this server to a domain controller.

The AD DS Configuration Wizard opens with three deployment operation choices:

  • Add a domain controller to an existing domain — for adding a replica DC to an existing forest
  • Add a new domain to an existing forest — for child domains or tree roots
  • Add a new forest — for a first deployment; creates the forest root domain

For a new Active Directory deployment, select Add a new forest and enter the root domain name.

Step 5 — Configure the Domain Name

Enter the forest root domain name in multi-label DNS format:

corp.example.com

This becomes the internal DNS namespace for the entire forest. Every computer joined to this domain uses this namespace for AD-integrated DNS resolution. Choose carefully — renaming an AD forest is a documented but complex procedure that touches every domain controller.

Step 6 — Set Forest and Domain Functional Levels

The functional level controls which Windows Server versions can serve as domain controllers and which AD features are available. When you install Active Directory on a fresh forest with no legacy DCs, choose the highest supported level.

For most new deployments, Windows Server 2022 is the pragmatic choice — it supports both 2022 and 2025 DCs, giving flexibility if you add servers later. Choose Windows Server 2025 only if you’re certain all current and future DCs will run 2025. Functional levels can be raised later; they cannot be lowered.

DNS Server is checked automatically on this screen. Leave it checked — this is correct behavior.

Step 7 — Configure the DSRM Password

When you install Active Directory and create a new domain, the wizard requires a DSRM password before it completes promotion. The Directory Services Restore Mode (DSRM) password is not an Active Directory account. It’s a local administrator password used to boot the DC into recovery mode when AD DS services cannot start — for AD database repair, authoritative restore operations, and forest recovery.

This password is independent of every other credential in the environment. It does not expire, it is not synchronized with anything, and it cannot be recovered through standard Active Directory tools. Set a strong password and store it in a password manager before clicking Next.

If you ever need DSRM access and don’t have the password, the recovery path involves booting from Windows Server installation media and running ntdsutil to reset it — which requires physical or out-of-band server access. The five minutes it takes to store this credential now is not optional.

Step 8 — DNS Options

On the DNS Options screen, you’ll see: “A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found.”

This is expected for a new forest. Click Next. The warning means there’s no parent DNS zone to delegate to, which is correct when creating a new internal namespace. It is not an error.

Step 9 — Set Paths for AD Database, Logs, and SYSVOL

The defaults are acceptable for most deployments:

Database folder: C:\Windows\NTDS
Log files folder: C:\Windows\NTDS
SYSVOL folder: C:\Windows\SYSVOL

If you’re redirecting the AD database and logs to a dedicated NTFS volume for capacity reasons, specify the paths here. The SYSVOL path stores Group Policy templates and logon scripts — it must be on NTFS and on reliable storage.

Step 10 — Review and Install

The Review Options screen summarizes the configuration. The View Script button generates a PowerShell equivalent of the wizard settings — worth saving if you plan to document the deployment or replicate it.

Click Next. The prerequisites check runs automatically. Informational warnings are expected. If prerequisites pass, Install becomes available. Click Install. The promotion runs and the server reboots automatically when complete.

Phase | Typical Duration
AD DS role installation | 3–5 minutes
DC promotion (prerequisites + configuration) | 5–10 minutes
Reboot | 3–5 minutes
Post-reboot verification | 5 minutes

How to Install Active Directory Using PowerShell

The PowerShell method to install Active Directory on Windows Server 2025 produces the same result as Server Manager. It’s faster, scriptable, and the only option on Server Core installations.

Step 1 — Install the AD DS role and management tools:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

-IncludeManagementTools installs RSAT for AD — Active Directory Users and Computers, the AD PowerShell module, and related tools. Without it, you get the service role but no management interface. Output shows Success : True with RestartNeeded : No — the reboot happens after promotion, not after role install.

Step 2 — Create the new forest and promote the server:

# WinThreshold is the Windows Server 2016 functional level, the highest level below
# Windows Server 2025 (Win2025). Win2022 is not an accepted value for these parameters.
Install-ADDSForest `
    -DomainName "corp.example.com" `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold

Parameters: -DomainName sets the forest root domain name; -ForestMode and -DomainMode set the functional levels. After running the command, PowerShell prompts for the DSRM password and a reboot confirmation. The server reboots automatically after promotion completes.

For Server Core or fully scripted deployment, suppress the interactive prompts:

# A literal DSRM password in a script is a credential exposure: prefer
# Read-Host -AsSecureString or a secret retrieved from a vault at run time.
$DSRMPassword = ConvertTo-SecureString "YourDSRMPassword" -AsPlainText -Force
Install-ADDSForest `
    -DomainName "corp.example.com" `
    -ForestMode WinThreshold `
    -DomainMode WinThreshold `
    -SafeModeAdministratorPassword $DSRMPassword `
    -Force

-Force suppresses the reboot confirmation. The server reboots automatically when promotion completes. The full Install-ADDSForest cmdlet reference on Microsoft Learn covers all available parameters.
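The same unattended build can be written so that the DSRM password never appears in a script file and the wizard's prerequisite checks run before anything changes. The script below is an added example, not the article's or Microsoft's own code. It assumes the domain name, NetBIOS name and default paths shown, uses Test-ADDSForestInstallation (the dry-run counterpart of Install-ADDSForest in the ADDSDeployment module) before promoting, and assumes that cmdlet's result object exposes Status and Message properties.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own script). Assumed values: the domain and
# NetBIOS names and the default paths; adjust them before running.
Import-Module ADDSDeployment

$DomainName  = 'corp.example.com'   # assumption: planned forest root
$NetbiosName = 'CORP'               # assumption: NetBIOS name (wizard default is the first label)

# Prompt for the DSRM password as a SecureString instead of embedding it:
# nothing lands in the script file, the shell history or a transcript.
$dsrm = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

$params = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 level; 'Win2025' only if every DC will run 2025
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true            # the promotion owns DNS; do not pre-install the role
    CreateDnsDelegation           = $false           # new forest: no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true            # suppress the reboot confirmation prompt
}

# Dry run: Test-ADDSForestInstallation runs the wizard's prerequisite checks with
# the same parameters and changes nothing. Assumption: the returned object has
# Status and Message properties, as documented for the ADDSDeployment module.
$check = Test-ADDSForestInstallation @params
$check.Message
if ($check.Status -eq 'Error') {
    throw 'Prerequisite check failed; fix the reported items before promoting.'
}

# Promotion. With -Force and without -NoRebootOnCompletion the server reboots on
# its own once promotion completes, so nothing after this line runs.
Install-ADDSForest @params
```

Informational warnings from the dry run (the DNS delegation message, for example) do not set an Error status, so the script continues past them exactly as the wizard does; only a genuine prerequisite failure stops it.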

Verify the Active Directory Installation

After you install Active Directory on Windows Server 2025 and the server reboots, the next step is confirming the DC is actually healthy — not just that promotion completed without an error dialog. Run these verification steps before treating the domain controller as production-ready.

Check SYSVOL and NETLOGON Shares

net share

A healthy DC shows both SYSVOL and NETLOGON in the share list. These shares are created when you install Active Directory on Windows Server 2025 — SYSVOL stores Group Policy templates and scripts; NETLOGON is the logon script share clients use during authentication.

If either share is missing, SYSVOL replication hasn’t finished initializing. On a brand-new single DC, wait two to three minutes and run net share again. If shares are still absent after five minutes, check the DFSR service: Get-Service DFSR.

Confirm FSMO Role Assignment

netdom query fsmo

On a new forest with a single domain controller, all five FSMO roles are assigned to that DC. Expected output:

Schema master           DC01.corp.example.com
Domain naming master    DC01.corp.example.com
PDC                     DC01.corp.example.com
RID pool manager        DC01.corp.example.com
Infrastructure master   DC01.corp.example.com

FSMO Role | Scope | Function
Schema Master | Forest | Controls schema changes; one per forest
Domain Naming Master | Forest | Controls domain additions and removals; one per forest
PDC Emulator | Domain | Time synchronization, password changes, GPO edits; one per domain
RID Pool Manager | Domain | Issues RID blocks for object creation; one per domain
Infrastructure Master | Domain | Maintains cross-domain object references; one per domain

All five on the first DC is correct and expected. Operators unfamiliar with FSMO sometimes treat this as a misconfiguration — it isn’t. For details on FSMO role functions and when to transfer them, see FSMO Roles in Active Directory.

Run DCDIAG

dcdiag /q

/q (quiet mode) suppresses passing tests and shows only warnings and failures. A clean installation returns no output at all.

One warning is expected on a fresh single-DC deployment: DcGetDcName(GC_SERVER_REQUIRED) call failed. This means the Global Catalog hasn’t fully advertised itself yet — it resolves within a few minutes. It is not a failure.

If dcdiag shows actual failures, check Event Viewer under Applications and Services Logs → Directory Service for Event IDs in the 1000–1300 range. From PowerShell:

Get-WinEvent -LogName "Directory Service" -MaxEvents 20 | Where-Object { $_.LevelDisplayName -eq "Error" }

Verify DNS Is Serving AD Records

Confirming the server is up is not the same as confirming DNS is working. SRV records are what clients use to locate the domain controller. Run this from cmd:

nslookup
> set type=srv
> _ldap._tcp.dc._msdcs.corp.example.com

Replace corp.example.com with your actual domain. Expected output is one or more SRV records pointing to your DC’s hostname and IP. If nslookup returns nothing or “Non-existent domain,” AD-integrated DNS did not create SRV records correctly — the most common cause is the DNS pre-install trap described below.

Verify Time Synchronization

w32tm /query /status

Kerberos authentication fails if the DC’s clock is more than five minutes off from client clocks. On a new deployment, the PDC Emulator synchronizes to an external NTP source by default. Confirm the source shows a valid time server and the last sync time is recent. If the source shows “Local CMOS Clock,” configure an external NTP source before adding clients to the domain.

Check Replication Health

repadmin /replsummary

On a single domain controller with no replication partners, this returns empty output. That is normal. Running this now establishes a baseline — you’ll use the same command when you add a second DC to confirm replication is healthy between them.
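The verification steps above (and the five-check summary in the FAQ) can be run as one script on the new DC after the first login. The following PowerShell is an added example, not the article's own code: it reads the domain name from the DC itself, performs each check with the PowerShell equivalent where one exists (Get-SmbShare for net share, Get-ADForest/Get-ADDomain for netdom query fsmo, Resolve-DnsName for the nslookup SRV query) and shells out to dcdiag, w32tm and repadmin where it does not, then prints a pass/fail table.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own script): post-promotion health checks.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# 1. SYSVOL and NETLOGON shares (the net share check, via the SMB module).
$shares = @((Get-SmbShare).Name)
Add-Check 'SYSVOL/NETLOGON shares' (('SYSVOL' -in $shares) -and ('NETLOGON' -in $shares)) ($shares -join ', ')

# 2. FSMO roles: in a new single-DC forest all five should be held by this DC.
$forest  = Get-ADForest
$dom     = Get-ADDomain
$holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
             $dom.PDCEmulator, $dom.RIDMaster, $dom.InfrastructureMaster)
$elsewhere = @($holders | Where-Object { $_ -ine $dcFqdn })
Add-Check 'All five FSMO roles on this DC' ($elsewhere.Count -eq 0) ($holders -join '; ')

# 3. dcdiag /q: no output means no failures. The GC_SERVER_REQUIRED warning
#    described above is expected on a fresh DC and clears within minutes.
$dcdiagOut = (& dcdiag.exe /q 2>&1 | Out-String).Trim()
$dcdiagDetail = if ($dcdiagOut) { $dcdiagOut.Substring(0, [Math]::Min(200, $dcdiagOut.Length)) } else { 'no output (clean)' }
Add-Check 'dcdiag /q' ([string]::IsNullOrWhiteSpace($dcdiagOut)) $dcdiagDetail

# 4. SRV records: clients locate the DC through _ldap._tcp.dc._msdcs.<domain>.
$srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'SRV' })
Add-Check 'LDAP SRV record in AD DNS' ($srv.Count -ge 1) (($srv | ForEach-Object { $_.NameTarget }) -join ', ')

# 5. Time source: 'Local CMOS Clock' means no external NTP source is configured.
$timeSource = (& w32tm.exe /query /source | Out-String).Trim()
Add-Check 'External time source' ($timeSource -notmatch 'Local CMOS Clock') $timeSource

# 6. Replication baseline: informational on a single DC; reused when a second DC is added.
$repl = (& repadmin.exe /replsummary | Out-String).Trim()
Add-Check 'repadmin /replsummary baseline' $true ($(if ($repl) { 'output captured' } else { 'empty (single DC)' }))

# 7. Recent Directory Service errors; Event IDs 1000-1300 are the ones to read first.
$dsErrors = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 2 } `
              -MaxEvents 20 -ErrorAction SilentlyContinue)
Add-Check 'No Directory Service errors' ($dsErrors.Count -eq 0) (($dsErrors | ForEach-Object { $_.Id }) -join ', ')

$checks | Format-Table -AutoSize
```

A failed SRV check points at the DNS pre-install trap covered under Common Mistakes; a failed share check points at DFSR initialization. Re-run the script after the waiting periods the article gives before treating either as a real fault.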

Common Mistakes When You Install Active Directory

DNS pre-installed before AD DS

  1. Symptom: domain controller appears healthy but clients cannot locate it; SRV records missing; nslookup _ldap._tcp.dc._msdcs returns nothing
  2. Cause: manually installed DNS creates a standalone forward lookup zone; the AD DS wizard finds it and partially configures it rather than replacing it with an AD-integrated zone
  3. Confirm: open DNS Manager, check whether the zone shows “Active Directory-Integrated” or “Primary” — primary means standalone and wrong
  4. Fix: remove the DNS Server role, re-run the AD DS promotion wizard from scratch
  5. Verify: nslookup SRV query returns DC hostname and IP

SYSVOL shares missing after reboot

  1. Symptom: net share does not show SYSVOL or NETLOGON; Group Policy cannot apply
  2. Check DFSR service status: Get-Service DFSR — should be Running
  3. Check DFSR initialization state: dfsrmig /getglobalstate — state progresses from 0 to 3 on a healthy new deployment
  4. Check Event Viewer → DFS Replication log for Event ID 4602 or errors in the 5000–5014 range
  5. If DFSR is running and no errors appear, wait five minutes and recheck. If shares remain absent after 10 minutes: Restart-Service DFSR
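Both diagnoses above can be scripted rather than clicked through. The PowerShell below is an added example, not the article's own code: for the DNS trap it reads the forward zone and the _msdcs zone with Get-DnsServerZone (DnsServer module, installed with the DNS Server tools) and reports whether each is AD-integrated; for the missing shares it reads the DFSR service state, the dfsrmig global state, and the DFS Replication log for Event ID 4602 and the 5000 to 5014 range. The domain name is read from the DC.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's own script): checks for the two failure modes above.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# --- DNS pre-install trap: zones must be AD-integrated, not standalone primaries.
# Both an AD-integrated zone and a standalone one report ZoneType Primary; the
# distinguishing property is IsDsIntegrated.
$zones = @(Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue) +
         @(Get-DnsServerZone -Name "_msdcs.$domain" -ErrorAction SilentlyContinue)
foreach ($z in $zones) {
    $state = if ($z.IsDsIntegrated) { 'Active Directory-Integrated (correct)' } else { 'standalone Primary (wrong)' }
    '{0,-32} {1,-10} {2}' -f $z.ZoneName, $z.ZoneType, $state
}
$standalone = @($zones | Where-Object { -not $_.IsDsIntegrated })
if ($zones.Count -eq 0) {
    Write-Warning "No DNS zone found for $domain on this server."
} elseif ($standalone.Count -gt 0) {
    Write-Warning 'Standalone zone detected: remove the DNS Server role and re-run the promotion, as described above.'
}

# --- SYSVOL/NETLOGON missing: DFSR service, migration state and event log.
$svc = Get-Service -Name DFSR
"DFSR service: $($svc.Status)"
$globalState = (& dfsrmig.exe /getglobalstate | Out-String).Trim()
"dfsrmig: $globalState"   # progresses to state 3 (Eliminated) on a healthy new deployment

$dfsrEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = @(4602) + (5000..5014) } `
                -MaxEvents 20 -ErrorAction SilentlyContinue)
if ($dfsrEvents.Count -gt 0) {
    $dfsrEvents | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
} else {
    'No DFSR initialization (4602) or error (5000-5014) events found.'
}

$shares = @((Get-SmbShare).Name)
$dfsrErrors = @($dfsrEvents | Where-Object { $_.Id -ne 4602 })
if (('SYSVOL' -notin $shares) -and $svc.Status -eq 'Running' -and $dfsrErrors.Count -eq 0) {
    'DFSR is running with no errors: wait and recheck; after 10 minutes, Restart-Service DFSR.'
} elseif ('SYSVOL' -in $shares -and 'NETLOGON' -in $shares) {
    'SYSVOL and NETLOGON shares are present.'
}
```

Event ID 4602 is the DFSR "initialized SYSVOL" event, so its presence is good news; only the 5000 to 5014 range indicates a replication error worth acting on before the restart step.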

Static IP set after promotion. The DC’s DNS records are written during promotion using whatever IP the server has at that moment. If DHCP later assigns a different IP, DNS records become stale and clients can’t locate the DC. Configure the static IP before you install Active Directory — this is step zero.

The .local domain suffix. On any network with macOS clients, Synology NAS, or Linux systems, .local is reserved for mDNS/Bonjour service discovery. Those systems resolve .local via multicast, not via your DC’s DNS. The result is inconsistent name resolution that varies by client OS and network conditions. Use a routable namespace.

ReFS for AD files. Redirecting the AD database, logs, or SYSVOL to a ReFS-formatted volume during promotion is an unsupported configuration. The wizard may complete without error, but AD stability issues follow. Use NTFS.

Undocumented DSRM password. The DSRM password cannot be recovered through standard AD tools. Recovery requires physical server access and ntdsutil from installation media. Store it in a password manager during installation. The AD forest recovery documentation on Microsoft Learn shows exactly where DSRM access is required.

After You Install Active Directory: What Happens Next

The domain is live. The first DC holds all five FSMO roles. DNS is running and serving AD-integrated zones. SYSVOL and NETLOGON shares are active. Time synchronization is confirmed.

You now know how to install Active Directory on Windows Server 2025 — but what you have at this point is a functional but unconfigured deployment. The next phase — OU structure, delegation, Group Policy baseline, DNS health checks, backup configuration — is covered in the Active Directory Post-Install Checklist.

FAQ

Do I need to install DNS before installing Active Directory?

No — and you shouldn’t. When you install Active Directory and create a new forest, the AD DS promotion wizard installs the DNS Server role automatically and creates AD-integrated DNS zones. Pre-installing DNS creates a standalone configuration that conflicts with what the wizard expects to build. Let the wizard handle DNS from the start.

What functional level should I choose when I install Active Directory on Windows Server 2025?

For most new deployments, Windows Server 2022 is the pragmatic choice — it supports both 2022 and 2025 DCs and gives flexibility if you add servers with different OS versions later. Choose Windows Server 2025 only if you’re certain all current and future DCs will run 2025. Functional levels can be raised later; they cannot be lowered.

Can I install Active Directory on Windows Server 2025 Core?

Yes. When you install Active Directory on Server Core, use the PowerShell path — there’s no GUI available. Server Core is Microsoft’s recommended deployment model for production DCs: smaller attack surface, lower resource consumption. Use -Force and -SafeModeAdministratorPassword parameters for unattended promotion.

What is DSRM and why does it matter when I install Active Directory?

DSRM (Directory Services Restore Mode) is a special boot mode used when AD DS services cannot start normally — for database repair, authoritative restores, and forest recovery. The DSRM password is a local administrator credential, independent of any AD account, non-expiring, and not recoverable through standard AD tools. If you need it and don’t have it, recovery requires physical server access and ntdsutil from installation media. Store it in a password manager immediately after promotion.

How do I verify Active Directory installed correctly after I install Active Directory?

Run five checks after the first post-promotion login: net share to confirm SYSVOL and NETLOGON shares are present; netdom query fsmo to confirm all five FSMO roles are assigned; dcdiag /q where no output means no failures; an nslookup SRV query to confirm DNS is serving AD records; and w32tm /query /status to confirm time synchronization is working.

Why should I avoid using a .local domain name when installing Active Directory?

The .local suffix is used by mDNS and Bonjour for service discovery on macOS, Linux, and network appliances. Those systems resolve .local via multicast — they don’t query your AD DNS server. In a mixed-OS environment, Windows clients find the DC and macOS or Linux clients don’t, with failures that vary by network conditions. Use a routable DNS namespace when you install Active Directory.

Does the first domain controller automatically hold all FSMO roles?

Yes. When you install Active Directory and create a new forest, the first DC is assigned all five FSMO roles: Schema Master, Domain Naming Master, PDC Emulator, RID Pool Manager, and Infrastructure Master. This is correct and expected — not a misconfiguration. See FSMO Roles in Active Directory for details on when and how to transfer them.

The official Install Active Directory Domain Services guide on Microsoft Learn covers additional deployment scenarios including read-only DCs and staged installations.