Create a new Active Directory Domain on Windows Server Core

Create a new Active Directory Domain on Windows Server Core
Photo by Taylor Vick / Unsplash

Whether you're trying to configure a new active directory Forest and Domain on Windows Server Core, or you just want to use Powershell instead of the 'Install Roles' GUI, you're in the right place. This short guide will show you how to create a new Forest & Domain faster than if you were trying to use the GUI.

The screenshots below are from a Windows Server Standard Core 2022 installation, but the commands should work fine on Server 2016 and 2019. Equally, the commands will work on a server with Desktop Experience (GUI) in Powershell.

Windows Server Core is a slimmed-down version of Windows Server, and as such, it requires fewer resources to run, as well as presenting a much smaller attack surface (in regards to security).

Server Configuration

First, we need to make sure we have some basic things set. We'll do this from the server config window (sconfig) which opens by default now on Server 2022. For older versions, run sconfig.

  • Hostname - exceptionally important. This will be the name of your domain controller. dc01 is a boring, but fine choice.
  • Date and time. Make sure the date/time is correct and set your timezone.
  • IP and DNS. Make sure you have a static IP set. We're also installing the domain DNS service, and we can't have a DNS server running with a dynamic IP. Only set one DNS server, and set it to itself.
  • Enable remote desktop. Optional. Useful for management.

Install the Feature

Exit from sconfig to the command prompt. Server 2022 defaults to powershell. If you end up somewhere else, enter into a powershell prompt with powershell.

Enter the command below:

Install-WindowsFeature AD-Domain-Services

Optional things here: –IncludeManagementTools, -Verbose

The management tools might be a valid option if you're installing via Powershell on a Server with GUI, but we don't need this on our Server Core installation. We'll install management tools on a client machine in future.

It's a fairly short installation, so -Verbose is probably not necessary.

Install the Forest

Now we install the new Forest, and therefore, our domain, using the Install-ADDSForest cmdlet. We specify the -DomainName, in this case, I'm using a subdomain of ad, which is fairly common. Equally common would be using a subdomain of 'corp'. Because we're installing a new forest, we've set the -ForestMode and -DomainMode to the same level of 7, which is the current latest domain and forest functional level: Server2016.

The domain mode and forest mode determine the level of features of the domain services. If this is a new domain, there's no reason to go for anything other than the latest (2016). For older modes, you could specify 'Win2012R2', 'Win2008', etc., but for 2016, Microsoft seems to have limited it to the equivalent integer (which for 2016 is 7).

The -DomainNetbiosName is the first part of the domain. If you chose just '', the netbios name would be 'EXAMPLE'. In our case, it's the sub-domain part: 'AD'. Finally, -InstallDns:$true says that we want to install the DNS service. The complete command looks like:

Install-ADDSForest -DomainName -ForestMode 7 -DomainMode 7 -DomainNetbiosName AD -InstallDns:$true
If you want logs and database locations to be anything but the default, you can add the flags: -DatabasePath "path", -SysvolPath "path", -LogPath "path"

Once you run this, you'll be prompted for a SafeModeAdministratorPassword. This can be the same as the administrator password but it's worth knowing what the safe mode password is for: If you ever need to use directory services restore mode, or start the DC in safe mode, you will need this password.

As you have probably gathered, 'directory services restore mode' is what you'd use if you were having severe issues, so you certainly won't want to make it more severe by not remembering the password.

Enter the SMAP, and you'll be presented with the final opportunity to cancel the process: "The target server will be configured as a domain controller and restarted when this operation is complete. Do you want to continue with this operation?"

I test across numerous hosts and domains, so when I ran this command initially, I got the error 'The netbios domain name AD is already being used". This is because I had another domain using the ad subdomain. Here's how to fix that error.

Say yes to this, and watch the progress. It will throw some warnings, but as this is a new domain/forest, we can safely ignore them.

Once it has finished, it will automatically restart the server and can take some time to continue configuring/applying some group policy stuff after boot. After a little patience, you'll be able to login to your brand new domain controller!

That's it! You've created a new Windows Forest & Domain, and can now start adding users, hosts and DNS records.

Great! Next, complete checkout for full access to
Welcome back! You've successfully signed in
You've successfully subscribed to
Success! Your account is fully activated, you now have access to all content
Success! Your billing info has been updated
Your billing was not updated