This tutorial will go through the steps required to promote a Windows 2012 server to a domain controller in an existing Active Directory Forest / Domain. It is important to note that dcpromo (the tool used to promote / demote domain controllers in previous Windows versions) has been deprecated and has been replaced by the Active Directory Domain Services Configuration wizard.
The following assumptions have also been made:
You have an existing forest in place
The Forest Functional Level is Windows 2003 or higher, which is required in order to introduce a Windows 2012 domain controller
You have installed and configured DNS
You are either a member of Domain Admins / Enterprise Admins / Schema Admins (as appropriate) or have been delegated the relevant rights
Microsoft best practice will be followed in order to split the database and logs onto different spindles
1. Check Forest & Domain Functional Levels
To check the existing Forest / Domain Functional Level you can use PowerShell with the Active Directory module. The module is installed by any of the following methods:
On a Windows Server 2008 R2 or Windows 2012 Server when you install the AD DS or AD LDS server roles
When you make a Windows 2008R2 or a Windows 2012 server a domain controller by running dcpromo.exe / AD DS Configuration Wizard
As part of the Remote Server Administration Tools (RSAT) on a Windows Server 2008R2 or a Windows 2012 server
As part of the RSAT feature on a Windows 7 or Windows 8 computer (if you want to use the Active Directory module in Windows 7 / 8 to remotely manage an Active Directory domain, an AD LDS instance or configuration set, or an Active Directory Database Mounting Tool instance, you must have at least one Windows Server 2008R2 domain controller in your domain or at least one instance in an AD LDS configuration set that is running on a Windows Server 2008R2 server. Source)
Important! Do not proceed any further if you do not know or understand what the domain and forest functional levels are. As we are informed by the TechNet documentation:
After you set the forest functional level to a certain value, you cannot roll back or lower the forest functional level, with the following exception: after you raise the forest functional level to Windows Server 2012, you can lower it to Windows Server 2008 R2. If Active Directory Recycle Bin has not been enabled, you can also lower the forest functional level from Windows Server 2012 to either Windows Server 2008 R2 or Windows Server 2008, or from Windows Server 2008 R2 back to Windows Server 2008. If the forest functional level is set to Windows Server 2008 R2, it cannot be rolled back, for example, to Windows Server 2003; the same is also true for the Domain Functional Level.
Open an elevated PowerShell window ("Run as Administrator")
Import the Active Directory Module by typing: Import-Module ActiveDirectory
Press Enter
Type: Get-ADForest | Select ForestMode | FL
Press Enter
Ensure the Forest Functional Level is set to Windows Server 2003 or higher
Type: Get-ADDomain | Select DomainMode | FL
Press Enter
Ensure the Domain Functional Level is set to Windows Server 2003 or higher
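The same check as a single script, as an added example that is not part of the original article: it goes slightly beyond the steps above by reporting the mode of every domain in the forest rather than only the current one. It assumes the account running it can reach a domain controller in each domain.

```powershell
# Added example (not from the original article).
# Reports the forest functional level and the functional level of every
# domain in the forest, and flags anything below Windows Server 2003.
Import-Module ActiveDirectory

$forest = Get-ADForest
$report = @()

# The mode enums sort from oldest to newest, so -ge against the name of the
# minimum level works: PowerShell converts the string on the right to the
# enum type of the value on the left before comparing.
$report += [pscustomobject]@{
    Scope        = 'Forest'
    Name         = $forest.Name
    Mode         = $forest.ForestMode
    MeetsMinimum = ($forest.ForestMode -ge 'Windows2003Forest')
}

foreach ($dnsName in $forest.Domains) {
    try {
        # -Server with a domain DNS name targets a domain controller in that domain.
        $domain = Get-ADDomain -Server $dnsName -ErrorAction Stop
        $report += [pscustomobject]@{
            Scope        = 'Domain'
            Name         = $domain.DNSRoot
            Mode         = $domain.DomainMode
            MeetsMinimum = ($domain.DomainMode -ge 'Windows2003Domain')
        }
    }
    catch {
        # A domain that cannot be queried is treated as not verified.
        $report += [pscustomobject]@{
            Scope        = 'Domain'
            Name         = $dnsName
            Mode         = 'Unreachable'
            MeetsMinimum = $false
        }
    }
}

$report | Format-Table -AutoSize

if ($report.MeetsMinimum -contains $false) {
    Write-Warning 'At least one forest/domain level is below Windows Server 2003 or could not be verified. Do not promote yet.'
}
```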
Alternatively you can use the Active Directory Domains and Trusts management console (MMC) snap-in by doing the following:
Launch > Active Directory Domains and Trusts from the Start screen or Administrative Tools
Right Click > Active Directory Domains and Trusts [YOURDC.FQDN.COM]
Select > Raise Forest Functional Level
2. Permissions
If this is the first Windows Server 2012 domain controller in your forest and you did not extend the schema via adprep you must be a member of the Schema Admins, Enterprise Admins, and Domain Admins groups of the domain which hosts the schema master, which is by default the forest root domain.
If you are promoting a Windows Server 2012 domain controller in an existing forest / domain that already has Windows Server 2012 domain controllers, you need to be a member of Domain Admins in the domain in which you wish to promote the server, or have the appropriate rights delegated to your user account.
3. Promoting a Domain Controller using the Active Directory Domain Services Configuration Wizard
Log on to your Windows Server 2012 machine and launch Server Manager
Select > Manage
Select > Add Roles and Features
Read the before you begin step and click > Next
Select > Role-based or feature-based installation
Select > Next
Select > Select a server from the server pool
Select > <Your server>
Select > Next
Select > Active Directory Domain Services
Select > Include management tools (if applicable, by default this should be selected)
Select > Add Features
Select > Next
Select > Next
Read through the AD DS notes and Select > Next
Select > Restart the destination server automatically if required (which it may)
Select > Install
Launch Server Manager and Click on Notifications
Select > Promote this server to a domain controller
Select > Add a domain controller to an existing domain
In the domain field type the FQDN of the domain or Select from the list
Select > Change and enter credentials with the relevant permissions as per the assumptions and Select > OK
Review and Select > Next
Untick > DNS Server (if appropriate)
Select > A Site Name
Enter > A DSRM Password (The DSRM password is needed in order to log on to a domain controller where AD DS is not running. The password must adhere to the local password policy on the server, which by default does not require a strong password, but always choose a strong, complex password. For more information about how to synchronize the DSRM password with the password of a domain user account, go to DSRM Sync Password)
Select > Next
Optionally, select a preferred domain controller to replicate from (we will not be discussing Install from Media (IFM) in this tutorial)
Select > Next
Change the location of the database, logs and SYSVOL paths as appropriate
Select > Next
The first time you introduce a Windows Server 2012 domain controller, Active Directory must be prepared for both the Forest and Domain. For larger organizations, you can still use adprep and perform this process in stages if you are familiar with this process. Please also note that if you are logged in with an account that does not have the right permissions, you will be told so and will have an option to provide alternative credentials at the preparation options (more information can be located at ADPrep)
Select > Next
At this stage, if required, you can view the PowerShell syntax for all your configuration options by clicking on View Script
Review all options and select > Next
Confirm prerequisites check passes successfully and select > Install
Ensure installation completes successfully and reboot your server. That's it! You now have a Windows Server 2012 domain controller!
4. Promoting a Domain Controller using PowerShell
The following table contains the names and a brief description of each ADDSDeployment cmdlet:
Source
For the purpose of this tutorial I will only be demonstrating the use of the Install-ADDSDomainController cmdlet.
Open an elevated Windows PowerShell window
Type > Import-Module ServerManager
Press Enter
Type > Add-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Press Enter
Now, let's promote the Windows Server 2012 to a domain controller:
There are a few ways we can do this and I am going to show you the following method, which will install a domain controller into an existing domain and prompt for the Directory Services Restore Mode (DSRM) password.
In the same Powershell window, type > Install-ADDSDomainController -DomainName "<FQDN>" (where <FQDN> is a placeholder for you to input the fully qualified domain name of your domain e.g. exchange.local)
You will be prompted for the DSRM password
Type a complex password (recommended)
Press Enter
You will be asked to confirm the DSRM password, enter the password again
Press Enter
You will be prompted to confirm you would like to continue promoting the server to a domain controller and that the domain controller will be restarted to complete the promotion if you go ahead, type > Y
Press Enter to begin
This process can take an extended period of time to complete, and the server will reboot upon completion. That's it, you have now completed the process of installing a Windows Server 2012 domain controller using PowerShell!
To get a full list of cmdlets and descriptions for Install-ADDSDomainController, including its ability to perform an unattended promotion of a Domain Controller, go to Install-ADDSDomainController Cmdlets on the TechNet website.
Please also note you can get examples by typing > Help Install-ADDSDomainController -Examples. In the event you do not get any examples returned, you must update your help files by typing > Update-Help
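An unattended promotion that mirrors the wizard choices from section 3 (site, DNS, separate database and log volumes, DSRM password, prerequisite check), as an added example that is not part of the original article. The domain name, site name and drive paths are placeholders to replace with your own values.

```powershell
# Added example (not from the original article). All values are placeholders.
Import-Module ADDSDeployment

$promotion = @{
    DomainName   = 'corp.example.com'         # placeholder: FQDN of the existing domain
    SiteName     = 'Default-First-Site-Name'  # placeholder: AD site for this DC
    InstallDns   = $true                      # $false is the "Untick > DNS Server" choice
    DatabasePath = 'D:\NTDS'                  # placeholder: database volume
    LogPath      = 'E:\NTDSLogs'              # placeholder: logs on a different spindle
    SysvolPath   = 'D:\SYSVOL'                # placeholder: SYSVOL location

    # Account with the rights described in section 2.
    Credential   = Get-Credential -Message 'Account permitted to promote a domain controller'

    # Read the DSRM password interactively as a SecureString so it is never
    # stored in the script, the transcript or the command history.
    SafeModeAdministratorPassword = Read-Host -AsSecureString -Prompt 'DSRM password'
}

# Run the same prerequisite check the wizard performs before "Install".
$check  = Test-ADDSDomainControllerInstallation @promotion
$failed = @($check | Where-Object { $_.Status -eq 'Error' })

if ($failed.Count -gt 0) {
    $failed | Format-List Message, Context, Status
    throw 'Prerequisite check failed; the server was not promoted.'
}

# Show warnings and successes for the record before continuing.
$check | Format-List Message, Context, Status

# -Force answers the "continue and restart?" confirmation described above,
# so the promotion runs to completion and the server reboots on its own.
Install-ADDSDomainController @promotion -Force
```

Because the DSRM password is read once and not confirmed, a typing mistake is only discovered when the password is next needed; record it in your password vault immediately after entry.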
Comments (5)
Commented:
Thanks for taking the time to contribute it!
-Matt
Author
Commented:Commented:
-Steve
Author
Commented:They are located at:
%systemroot%\debug\dcpromo