Installing a Windows Server 2012 Domain Controller

Published on
17,574 Points
7 Endorsements
Last Modified:
This tutorial will go through the steps required to promote a Windows 2012 server to a domain controller in an existing Active Directory Forest / Domain. It is important to note that dcpromo (the tool used to promote / demote domain controllers in previous Windows versions) has been deprecated and has been replaced by the Active Directory Domain Services Configuration wizard.

The following assumptions have also been made:

You have an existing forest in place
The Forest Functional Level is at least Windows 2003 or higher in order to introduce a Windows 2012 domain controller
You have installed and configured DNS
You are either a member of Domain Admins / Enterprise Admins / Schema Admins (as appropriate) or have been delegated the relevant rights
Microsoft best practice will be followed in order to split the database and logs onto different spindles

1. Check Forest & Domain Functional Levels

To check the existing Forest / Domain Functionality Level you can use Powershell. You can install the Active Directory module by using any of the following methods.

On a Windows Server 2008 R2 or Windows 2012 Server when you install the AD DS or AD LDS server roles
When you make a Windows 2008R2 or a Windows 2012 server a domain controller by running dcpromo.exe / AD DS Configuration Wizard
As part of the Remote Server Administration Tools (RSAT) on a Windows Server 2008R2 or a Windows 2012 server
As part of the RSAT feature on a Windows 7 or Windows 8 computer (If you want to use the Active Directory module in Windows 7 / 8 to remotely manage an Active Directory domain, an AD LDS instance or configuration set or an Active Directory Database Mounting Tool instance, you must have 1 Windows Server 2008R2 domain controller in your domain or at least one instance in an AD LDS configuration set that is running on a Windows Server 2008R2 server Source)

Important! Do not proceed any further if you do not know or understand what the domain and forest functional levels are. As we are informed by the Technet documentation:
After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with the following exception: after you raise the forest functional level to Windows Server 2012, you can lower it to Windows Server 2008 R2. If Active Directory Recycle Bin has not been enabled, you can also lower the forest functional level from Windows Server 2012 to either Windows Server 2008 R2 or Windows Server 2008, or from Windows Server 2008 R2 back to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003; the same is also true for the Domain Functional Level.

Open an elevated Powershell windows ("Run as Administrator")
Import the Active Directory Module by typing: Import-Module ActiveDirectory
Press Enter
Type: Get-ADForest | Select DomainMode | FL
Press Enter
Ensure the Forest Functional Level is set to Windows Server 2003 or higher
Type: Get-ADDomain | Select DomainMode | FL
Press Enter
Ensure the Domain Functional Level is set to Windows Server 2003 or higher

Domain & Forest Functional Level
Alternatively you can use the Active Directory Domains and Trusts management console (MMC) snap-in by doing the following:

Launch > Active Directory Domains and Trusts from the Start screen or Administrative Tools
Right Click > Active Directory Domains and Trusts [YOURDC.FQDN.COM]
Select > Raise Forest Functional Level
Active Directory Domains and Trusts Check Forest Functional Level
Active Directory Domains and Trusts Check Domain Functional Level

2. Permissions

If this is the first Windows Server 2012 domain controller in your forest and you did not extend the schema via adprep you must be a member of the Schema Admins, Enterprise Admins, and Domain Admins groups of the domain which hosts the schema master, which is by default the forest root domain.

If you are promoting a Windows Server 2012 domain controller in an existing forest / domain that already has Windows Server 2012 domain controllers, you need to be a member of Domain Admins in the domain in which you wish to promote the server, or have the appropriate rights delegated to your user account.

3. Promoting a Domain Controller using the Active Directory Domain Services Configuration Wizard

Logon to your Windows Server 2012 machine and launch Server Manager

Server Manager
Select > Manage
Select > Add Roles and Features

Add Roles and Features
Read the before you begin step and click > Next

Before you begin
Select > Role based or feature-based installation
Select > Next

Role-based or feature-based installation
Select > Select a server from the server pool
Select > <Your server>
Select > Next

Select a server
Select > Active Directory Domain Services

Active Directory Domain Services
Select > Include management tools (if applicable, by default this should be selected)
Select > Add Features

Add AD Features & Tools
Select > Next

Select > Next

Next again
Read through the AD DS notes and Select > Next

AD DS Notes
Select > Restart the destination server automatically if required (which it may)

Select > Install

RSAT Installation
Launch Server Manager and Click on Notifications

Select > Promote this server to a domain controller

Promote this server to a domain controller
Select > Add a domain controller to an existing domain

In the domain field type the FQDN of the domain or Select from the list

Select > Change and enter credentials with the relevant permissions as per the assumptions and Select > OK

Deployment Operation
Review and Select > Next

Review & Select Next
Untick > DNS Server (if appropriate)
Select > A Site Name
Enter > A DSRM Password (The DSRM password is needed in order to logon to a domain controller where AD DS is not running, the password must adhere to the local password policy on the server which by default does not require a strong password. Though always choose a strong, complex password for more information about how to syncronize the DSRM password with the password of a domain user account go to DSRM Sync Password)
Select > Next

Domain Controller Options
Optionally, select a preferred domain controller to replicate from (we will not be discussing Install from Media (IFM) in this tutorial)

Select > Next

Additional Options
Change the location of the database, logs and SYSVOL paths as appropriate
Select > Next

The first time your introduce a Windows Server 2012 domain controller, Active Directory must be prepared for both the Forest and Domain. For larger organizations, you can still use adprep and perform this process in stages if you are familiar with this process. Please also note that if you are logged in with an account that does not have the right permissions, you will be told so and will have an option to provide alternative credentials at the preparation options (more information can be located at ADPrep)
Select > Next

Preparation Options
At this stage, if required, you can view the PowerShell syntax for all your configuration options by clicking on View Script
Review all options and select > Next

Review Options
Confirm prerequisites check passes successfully and select > Install

Prerequisite Check
Ensure installation completes successfully and reboot your server. That's it! You now have a Windows Server 2012 domain controller!

4. Promoting a Domain Controller using Powershell

The following table contains the names and a brief description of each ADDSDeployment cmdlet:

AD DS Deployment CmdletsSource

For the purpose of this tutorial I will only be demonstrating the use of the Install-ADDSDomainController cmdlet.

Open an elevated Windows Powershell window
Type > Import-Module ServerManager
Press Enter
Type > Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Press Enter

Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Now, lets promote the Windows Server 2012 to a domain controller:

There are a few ways we can do this and I am going to show you the following method, which will install a domain controller into an existing domain and prompt for the Directory Services Restore Mode (DSRM) password.

In the same Powershell window, type > Install-ADDSDomainController -DomainName "<FQDN>" (where <FQDN> is a placeholder for you to input the fully qualified domain name of your domain e.g. exchange.local)
You will be prompted for the DSRM password

Install-ADDSDomainController -DomainName "<FQDN>"
Type a complex password (recommended)
Press Enter
You will be asked to confirm the DSRM password, enter the password again

DSRM Password
Press Enter

You will be prompted to confirm you would like to continue promoting the server to a domain controller and that the domain controller will be restarted to complete the promotion if you go ahead, type > Y
Press Enter to begin

Confirm ActionsThis process can take an extended period of time to complete, the server will reboot upon completion, that's it you have now completed the process of installing a Windows Server 2012 domain controller using Powershell!

To get a full list of cmdlets and descriptions for Install-ADDSDomainController, including its ability to perform an unattended promotion of a Domain Controller, go to Install-ADDSDomainController Cmdlets on the TechNet website.

Please also note you can get examples by typing > Help Install-ADDSDomainController -Examples. In the event, you do not get any examples returned you must update your help files by typing > Update-Help

I hope you found this article helpful. If so, please vote Yes below!
LVL 58

Expert Comment

A good read, and a very important document for fellow readers to refer to as they learn new skills on their Windows Server 2012 journey.

Thanks for taking the time to contribute it!

LVL 16

Author Comment

Thanks Matt :)!
LVL 10

Expert Comment

You say the promotion of the first 2012 server can take an extended time...  How long is "extended"??  I'm just installing in a lab, so it's a relatively small domain, and it's been going for 3 hours now...  All DCs (2008 and the new 2012) are VMs, but this seems excessive based on experience with previous versions..
LVL 16

Author Comment

It certainly should not take 3 hours, have you check the debug logs?

They are located at:




Expert Comment

Will this procedure work for migrating AD from SBS 2003 to Win server 2012 R2 in VM mode ?

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Join & Write a Comment

Overview of OneDrive and collaboration.
Please check the video also in regards to recovery of deleted emails from office 365 admin center and through the MFCMAPI tool. I have mentioned each and every step with the proper steps that need to be taken care of.

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month