Build a Windows Server 2008 R2 Domain Controller

I posted a tutorial on creating a domain controller using Windows Server 2003, and decided to post an update that included step-by-step instructions for Windows Server 2008 R2.  This should be the same for Windows Server 2008.

This is great for developers, testers, and anyone looking to learn Active Directory or deploy to a small network.  If this is for a production deployment, you might want to bring in a professional to help you.  There are many other things to consider, like ‘hardening’ your server and setting up Group Policy.  Having an insecure or unprotected domain controller is inviting havoc on your network.

So without any further ado and in the immortal words of ‘Marv’, “Let’s get to it!”

In the Server Manager click on Add Roles.

Click Next on the ‘Before You Begin’ screen if it shows.  On the next screen, ‘Select Server Roles’, check the box for Active Directory Domain Services.  After checking the box, you may receive a window that says you need to add required features; if so, click the button marked Add Required Features.

Then back at the ‘Select Server Roles’ window, click Next.  Here you can do some reading if you’re unfamiliar with Active Directory.  There are links for an overview, installation instructions, and common configurations.  There are also some notes that say it is advisable to have at least 2 domain controllers, that you’ll need a DNS server, and that you’ll have to run DCPROMO.exe; they also inform you that you’re installing DFS (Distributed File System) and some replication services tied to DFS.

Click Next and you’ll see the ‘Confirm Installation Selections’ window.  Click the button marked Install.

The ‘Installation Progress’ window will appear letting you know what the system is doing.  After a few minutes the ‘Installation Results’ window will appear.  Click the link marked Close this wizard and launch the Active Directory Domain Services Installation Wizard (dcpromo.exe).

Another wizard will open, ‘Active Directory Domain Services Installation Wizard’.  Click Next.

Read the note on the next screen titled ‘Operating System Compatibility’.  The link to the KB article 942564 underneath is (http://go.microsoft.com/fwlink/?LinkId=104751).  Click Next. On the ‘Choose a Deployment Configuration’ screen, we’ll choose Create a new domain in a new forest for the purposes of this tutorial.  If you’re attempting to add a domain controller to an existing domain / forest, you would choose the ‘Existing Forest’ checkbox.  Click Next.

Here’s where you input what you want your FQDN (Fully Qualified Domain Name) to be.  Then click Next.

The system will confirm that the FQDN is not already in use on your network, then allow you to choose your Domain NetBIOS name.  After doing so, click Next.  The system will then confirm that the NetBIOS name is not in use.

On the next screen, you select what you want your forest functional level to be.  You can choose: Windows Server 2003, 2008, or 2008 R2.  In this tutorial we’ll be setting the forest functional level to Windows Server 2008 R2.  If you’ll be connecting other DCs that are running Windows Server 2008 or 2003, then you may need to choose a compatible level.  Click Next.

Now we’ll install the DNS server.  Make sure that the DNS server checkbox is checked, then click Next.  Domain controllers (DCs) require DNS (Domain Name System).

Click Yes at the next window, which is warning you that delegation cannot be configured for the parent zone.  Don’t worry, there is no parent zone.  Accept the default locations for your Database, Log Files, and SYSVOL folders, or change them if you really like.  Click Next.

Input a password, twice, in the ‘Directory Services Restore Mode Administrator Password’ window.  Then click Next.  Review your selections and click Next.

The wizard will then install and configure Active Directory Domain Services and Directory Services on the DC.  Click Finish, and select to Restart.

Congratulations, you’ve just done the basic setup for an Active Directory Domain Controller, and DNS support services on Windows Server 2008 R2.  After the reboot, you can log into your server using the administrator account and password that was previously assigned to the local administrator account.  NOTE: the password that you were using is now assigned to your domain admin.  It is advisable to make sure that password is STRONG.  If you have questions about that, you can check out my other post on passwords and security: “Protecting yourself and your passwords…”
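The wizard choices made in this tutorial can also be expressed as a dcpromo unattended answer file driven from PowerShell. This is an added example, not part of the original tutorial; the domain name `corp.example.test`, the NetBIOS name `CORP`, the answer-file path and the `Read-Secret` helper are assumptions made for illustration.

```powershell
# Unattended equivalent of the wizard steps; run from an elevated PowerShell prompt.
# Domain names and the answer-file path are constructed placeholders.
$DomainDnsName = 'corp.example.test'   # FQDN entered in the wizard
$NetbiosName   = 'CORP'                # Domain NetBIOS name
$AnswerFile    = Join-Path $env:TEMP 'dcpromo-answer.txt'

# Add the Active Directory Domain Services role (the 'Add Roles' step).
Import-Module ServerManager
Add-WindowsFeature AD-Domain-Services | Out-Null

# Read-Secret is a hypothetical helper: prompt without echo, return plain text.
function Read-Secret([string]$Prompt) {
    $secure = Read-Host -Prompt $Prompt -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}
$dsrm = Read-Secret 'Directory Services Restore Mode password'
if ($dsrm -cne (Read-Secret 'Confirm password')) { throw 'Passwords do not match.' }

# Keys mirror the wizard pages: new domain in a new forest, functional level 4
# (Windows Server 2008 R2), DNS installed, default database/log/SYSVOL paths.
$answers = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=$DomainDnsName
DomainNetbiosName=$NetbiosName
ForestLevel=4
DomainLevel=4
InstallDNS=Yes
DatabasePath=$env:SystemRoot\NTDS
LogPath=$env:SystemRoot\NTDS
SYSVOLPath=$env:SystemRoot\SYSVOL
SafeModeAdminPassword=$dsrm
RebootOnCompletion=No
"@

try {
    Set-Content -Path $AnswerFile -Value $answers -Encoding ASCII
    $p = Start-Process dcpromo.exe -ArgumentList "/unattend:$AnswerFile" -NoNewWindow -Wait -PassThru
    Write-Host "dcpromo exit code: $($p.ExitCode)"
}
finally {
    # The answer file held the DSRM password in clear text; do not leave it on disk.
    Remove-Item -Path $AnswerFile -Force -ErrorAction SilentlyContinue
    $dsrm = $null
}
# RebootOnCompletion=No lets the cleanup above run; restart manually afterwards.
```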

My next post will be on installation of an Enterprise CA (Certificate Authority).  I’ll demo this on the same Windows Server 2008 R2 domain controller, as this is a very likely place to put a CA.  If this is for production, you may want to create an Enterprise CA, and a subordinate CA, taking your Enterprise CA offline, which is more secure from what I’ve come to understand.  For development and small networks, combining the CA with the domain controller is convenient and will provide certificate services to your network.

Good luck and happy administering. ;)

About the author

My name is Clement DeLarge and I'm a Practice Team Lead for Application Development with EMC. When I'm not working, I'm raising my son, riding my motorcycle, playing with technology, or just about anything else that's fun that I come across.

6 Responses to “Build a Windows Server 2008 R2 Domain Controller”

  1. vMbanusi says:

    Good post. Interested to see where you are with SQL 2008 on Server 2008 R2. I ran into some issues with compatibility that were a pain to fix.

  2. vMbanusi says:

    How do you like that new administrative center on R2?? ;)

  3. Love it. Like everything being in one place. All I need now is a compatible vmware graphics driver and it’ll be good to go. ;)

  4. nollkoll says:

    very helpful post. the static ip config done for 2003 R2 DC – any need to do that for IPv6 as well as the IPV4 on the 2008 R2 DC ? the IPv6 settings are quite different. thinking of having the VM as a DC on a host-only VMWare dev network …

  5. nollkoll says:

    or should maybe just de-select the use of IPv6 protocol. no need for VM private network .. ?

  6. Nollkoll, I would deselect IPv6 or leave it enabled as it is by default. Unless you’re building out a future network and have switches and routers that support IPv6, you’ll never put it to use. The main thing that I can think of off-hand that would require IPv6 is the Direct Access feature which allows remote connections without VPN. A very cool feature, but I haven’t had the chance to play with it yet.

    Good luck. :)
