Summary: How to install a Windows Server 2008 server as a domain controller.
Date: Around 2009
Refactor: 20 February 2025: Checked links and formatting.

This is an installation report of a basic installation of Microsoft's Active Directory through the tool dcpromo. The settings are based on a small AD domain design and should be set to your own settings when installing in a production environment.

This page is created for a 2008 R2 AD, if you need an explanation for 2003, look here.

To start the installation go to start → run and type dcpromo. After pressing <enter> the installation wizard first checks whether the required binaries are installed:

After a while (shouldn't take more than a few minutes tops) you'll get the welcome screen of the installation wizard, where you'll just keep the default (do not select the advanced mode):

Read the warning (it will just take a few seconds) and click next:

Now select to create a new domain in a new forest:

Enter the full FQDN name for your domain. I've found it a good practice to set this the same as your internal DNS domain suffix. Click Next:

Select the functional level you require:

Also select to install the DNS server, as this is a recommendation and AD is very DNS dependent:

Because you're installing a new DNS server, and there is none yet available, you'll get a warning, which can be ignored in most cases:

Keep the defaults, both the database and the log folder won't grow out of proportion, so just click Next:

Enter a password which you'll need if you'll ever need to start AD in restore mode. Document this password properly:

Check the installation summary and if everything is correct, click next:

And the installation will start:

When done click finish and REBOOT THE MACHINE. No seriously, please do:

After the installation and after the reboot of the server it's not so wise to rush into any other installation (like Exchange). Unfortunately, Microsoft does not have the best reputation on software installations and that's not without a reason. We're going to verify if our installation went well.

• Start → Run → dsa.msc (starts AD Users and Computers)
• Check to see if the DC is listed under the 'Domain Controllers' OU.

• Start → Run → dssite.msc (starts AD Sites and Services)
• Check to see if you have a 'NTDS Settings' under your DC.

• Start → Run → dnsmgmt.msc (starts the DNS Management MMC snap-in)
• Check the DNS configuration and zones.

By default, dcpromo creates a forward lookup zone, but no reverse lookup zone. I recommend to create one right away, this will make some tools behave nice, and prevents you from creating all kind of records manually when you have to add one later on. Right click the reverse lookup zones and select 'Add new zone'. This will give you this wizard so you can select your options:

Select primary zone and keep the zone stored in AD and click Next:

Set the replication to all DNS servers in the domain:

Select a IPv4 reverse lookup zone:

Fill in the network ID:

Allow only secure updates:

Click finish to complete the wizard and start using your reverse lookup zone:

Check these folders to see if the content is correct:

• C:\WINDOWS\NTDS
  • The AD database should be created (NTDS.DIT, keeps information stored about user accounts, groups, etc.)
  • The edb.chk file is a checkpoint file that points to the last committed checkpoint in the log file. The edb.log file is the name of the current log file and is for the ntds.dit transactions.
  • edbres00001.jrs and edbres00002.jrs are reserve log files in case the drive runs out of disk space. These files are always 10 MB in size.
• C:\WINDOWS\SYSVOL
  • In the SYSVOL\domain\Policies should be two directories containing the 'Default Domain Policy' and the 'Default Domain Controllers Policy'. You won't recognize them as such since they have unique names, for example '6AC1786C-016F-11D2-945F-00C04fB984F9'.