
Set Up Active Directory Domain Services on Windows Server VPS

By Admin · Mar 15, 2026 · Updated Apr 24, 2026 · 327 views · 4 min read

Active Directory Domain Services (AD DS) is the cornerstone of Windows enterprise infrastructure, providing centralized authentication, authorization, and directory services. Running AD DS on a Windows Server VPS enables you to manage users, computers, and group policies across your organization. This guide covers deploying a fully functional AD DS environment on your Kazepute Windows Breeze.

Prerequisites

  • Windows Server 2022 or 2025 with Desktop Experience
  • Static IP address: Domain controllers must have a static IP
  • Minimum 4GB RAM, 8GB recommended for production
  • DNS: AD DS requires DNS — it will be installed alongside

Install AD DS via PowerShell

# Install the AD DS role and management tools
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Verify installation
Get-WindowsFeature AD-Domain-Services

# Check prerequisites
Test-ADDSForestInstallation `
    -DomainName "corp.example.com" `
    -DomainNetBiosName "CORP" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold"

Promote to Domain Controller

# Create a new forest (first domain controller)
# Use single quotes: in a double-quoted string PowerShell would expand "$RM0de" as a
# (non-existent) variable and silently set a different DSRM password than intended.
# Replace the value with your own strong, unique DSRM password.
$SafeModePassword = ConvertTo-SecureString 'SecureD$RM0de!' -AsPlainText -Force

Install-ADDSForest `
    -DomainName "corp.example.com" `
    -DomainNetBiosName "CORP" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -LogPath "C:\Windows\NTDS" `
    -SafeModeAdministratorPassword $SafeModePassword `
    -NoRebootOnCompletion:$false `
    -Force:$true

# Server will reboot automatically

Post-Installation Configuration

# After reboot, verify AD DS is running
Get-Service NTDS, DNS, KDC, Netlogon

# Check domain controller health
dcdiag /v
repadmin /showrepl

# Verify DNS
Resolve-DnsName corp.example.com
Resolve-DnsName _ldap._tcp.dc._msdcs.corp.example.com -Type SRV
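The checks above are quick to type once, but a domain controller should be re-verified after every reboot and patch cycle. The following function is an added example, not part of the original guide: it folds the service, DNS and replication checks into a single report, adds the SYSVOL share and the DC's own DNS-client settings (a DC that resolves only through a public resolver cannot find itself), and returns objects so the result can be fed to monitoring. The domain name default is an assumption; change it to your forest.

```powershell
# Added example, not part of the original guide: one rerunnable health check that
# covers the services, SRV records, DNS-client settings, SYSVOL share and
# replication state a domain controller needs. The domain name is an assumed default.
function Test-DomainControllerHealth {
    param([string]$DomainName = 'corp.example.com')

    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Core services that must be running on every DC (W32Time matters for Kerberos clock skew)
    foreach ($svc in 'NTDS', 'DNS', 'KDC', 'Netlogon', 'W32Time') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $detail = if ($s) { "$($s.Status)" } else { 'not installed' }
        Add-Result "Service $svc" ($s -and $s.Status -eq 'Running') $detail
    }

    # Clients locate DCs through these SRV records; if they are missing, joins and logons fail
    foreach ($srv in "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName") {
        $r = Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
             Where-Object Type -eq 'SRV'
        Add-Result "SRV $srv" ([bool]$r) (($r | ForEach-Object NameTarget) -join ', ')
    }

    # The DC's own resolver must point at itself or another DC, not only at a public resolver
    $localIps   = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    $dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                   Where-Object ServerAddresses).ServerAddresses
    $usesDc = [bool]($dnsServers | Where-Object { $_ -eq '127.0.0.1' -or $_ -in $localIps })
    Add-Result 'DNS client points to a DC' $usesDc ($dnsServers -join ', ')

    # SYSVOL must be shared before Group Policy can be applied to any member
    $sysvol = Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue
    Add-Result 'SYSVOL share published' ([bool]$sysvol) "$($sysvol.Path)"

    # Replication failures appear here once a second DC exists; none is the expected state
    $failures = Get-ADReplicationFailure -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue
    Add-Result 'No replication failures' (-not $failures) (($failures | ForEach-Object Partner) -join ', ')

    return $results
}

$report = Test-DomainControllerHealth
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'At least one health check failed; see the table above'
}
```

Run it from an elevated PowerShell session on the DC itself. Because each row is an object with a `Pass` property, the same function can be scheduled and its failed rows forwarded to whatever alerting you already use.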

Create Organizational Units

# Create OU structure
$OUs = @(
    "OU=Company,DC=corp,DC=example,DC=com",
    "OU=Users,OU=Company,DC=corp,DC=example,DC=com",
    "OU=Groups,OU=Company,DC=corp,DC=example,DC=com",
    "OU=Computers,OU=Company,DC=corp,DC=example,DC=com",
    "OU=Servers,OU=Company,DC=corp,DC=example,DC=com",
    "OU=Service Accounts,OU=Company,DC=corp,DC=example,DC=com"
)

foreach ($OU in $OUs) {
    # Parent path = the DN with its leading "OU=...," removed; name = that leading RDN's value
    $Parent = $OU -replace "^OU=[^,]+,", ""
    $Name   = $OU -replace "^OU=([^,]+),.*", '$1'
    try {
        # -ErrorAction Stop makes the cmdlet's error terminating so the catch block actually runs
        New-ADOrganizationalUnit -Name $Name -Path $Parent `
            -ProtectedFromAccidentalDeletion $true -ErrorAction Stop
        Write-Host "Created: $OU"
    } catch {
        Write-Host "Exists or error: $OU ($($_.Exception.Message))"
    }
}

Create Users and Groups

# Create a user
$Password = ConvertTo-SecureString "TempP@ss123!" -AsPlainText -Force
New-ADUser -Name "John Smith" `
    -GivenName "John" `
    -Surname "Smith" `
    -SamAccountName "jsmith" `
    -UserPrincipalName "jsmith@corp.example.com" `
    -Path "OU=Users,OU=Company,DC=corp,DC=example,DC=com" `
    -AccountPassword $Password `
    -Enabled $true `
    -ChangePasswordAtLogon $true

# Create security groups
New-ADGroup -Name "IT Administrators" `
    -GroupScope Global `
    -GroupCategory Security `
    -Path "OU=Groups,OU=Company,DC=corp,DC=example,DC=com" `
    -Description "IT department administrators"

# Add user to group
Add-ADGroupMember -Identity "IT Administrators" -Members "jsmith"

# Bulk user creation from CSV
# Expected columns: FirstName,LastName,Username,Password,Department,Title
# The file holds plaintext passwords: restrict its ACL and delete it once the import is done
Import-Csv "C:\users.csv" | ForEach-Object {
    $Password = ConvertTo-SecureString $_.Password -AsPlainText -Force
    New-ADUser -Name "$($_.FirstName) $($_.LastName)" `
        -GivenName $_.FirstName `
        -Surname $_.LastName `
        -SamAccountName $_.Username `
        -UserPrincipalName "$($_.Username)@corp.example.com" `
        -Path "OU=Users,OU=Company,DC=corp,DC=example,DC=com" `
        -AccountPassword $Password `
        -Enabled $true `
        -Department $_.Department `
        -Title $_.Title
}
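A CSV with a Password column is the weak point of the import above: it sits on disk in plaintext, is easy to copy, and every account starts with a password someone else chose. The following is an added example, not part of the original guide, that takes the same CSV layout minus the Password column, generates a random initial password per account from the OS cryptographic RNG, forces a change at first logon, and reports the result as objects so the initial secrets can be handed over through your normal onboarding channel instead of a file. The CSV path, column names and OU are assumptions matching the layout used above.

```powershell
# Added example, not from the original guide: bulk-create users from a CSV that
# contains no passwords. Path, columns and OU are assumptions matching this guide.
function New-RandomPassword {
    param([int]$Length = 20)
    # Exactly 64 symbols (ambiguous characters such as I/l/O/0 left out), so that
    # "byte % 64" is unbiased: 256 is a multiple of 64.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-'
    $bytes = [byte[]]::new($Length)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

$Domain = 'corp.example.com'
$UserOu = 'OU=Users,OU=Company,DC=corp,DC=example,DC=com'

# Constructed CSV layout: FirstName,LastName,Username,Department,Title (no Password column)
$Created = Import-Csv 'C:\users.csv' | ForEach-Object {
    $row     = $_            # keep the row; inside catch, $_ becomes the error record
    $initial = New-RandomPassword
    $params = @{
        Name                  = "$($row.FirstName) $($row.LastName)"
        GivenName             = $row.FirstName
        Surname               = $row.LastName
        SamAccountName        = $row.Username
        UserPrincipalName     = "$($row.Username)@$Domain"
        Path                  = $UserOu
        AccountPassword       = (ConvertTo-SecureString $initial -AsPlainText -Force)
        Enabled               = $true
        ChangePasswordAtLogon = $true   # the generated value is only ever a one-time secret
        Department            = $row.Department
        Title                 = $row.Title
        ErrorAction           = 'Stop'  # so a duplicate SamAccountName lands in the catch block
    }
    try {
        New-ADUser @params
        [pscustomobject]@{ Username = $row.Username; InitialPassword = $initial; Status = 'Created' }
    } catch {
        [pscustomobject]@{ Username = $row.Username; InitialPassword = $null
                           Status = "Failed: $($_.Exception.Message)" }
    }
}

# Show the result to the operator only; do not Export-Csv this object to disk,
# or you have recreated the plaintext password file the example is avoiding.
$Created | Format-Table -AutoSize
```

Splatting (`@params`) keeps the call readable and makes `ErrorAction = 'Stop'` part of the same parameter set, which is what lets the `try`/`catch` report a per-row failure instead of aborting the whole import or silently continuing.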

DNS Configuration

# Configure DNS forwarders
Set-DnsServerForwarder -IPAddress "1.1.1.1", "8.8.8.8"

# Add conditional forwarder
Add-DnsServerConditionalForwarderZone `
    -Name "partner.com" `
    -MasterServers "10.0.0.1"

# Create DNS records
Add-DnsServerResourceRecordA -ZoneName "corp.example.com" `
    -Name "intranet" -IPv4Address "10.0.0.50"

Add-DnsServerResourceRecordCName -ZoneName "corp.example.com" `
    -Name "mail" -HostNameAlias "mail.example.com"

Add a Second Domain Controller

# On the second server, install AD DS
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Join as additional DC
$Credential = Get-Credential  # Domain admin credentials
$SafePassword = ConvertTo-SecureString "SafeM0de!" -AsPlainText -Force

Install-ADDSDomainController `
    -DomainName "corp.example.com" `
    -Credential $Credential `
    -InstallDns:$true `
    -DatabasePath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -LogPath "C:\Windows\NTDS" `
    -SafeModeAdministratorPassword $SafePassword `
    -NoRebootOnCompletion:$false `
    -Force:$true

Security Best Practices

  • Use a strong DSRM password — you need it for Active Directory recovery
  • Deploy at least two domain controllers for redundancy
  • Enable audit logging for security-sensitive operations
  • Protect admin accounts: Use dedicated admin accounts, not daily-use accounts
  • Keep DCs updated with the latest security patches
  • Use fine-grained password policies for different security levels
  • Regular AD backups: Use wbadmin to back up System State
  • Monitor replication with repadmin /replsummary
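Several of the practices above map directly onto commands. The block below is an added example, not part of the original guide, showing one pass through them: enabling the audit subcategories that matter most on a DC, attaching a fine-grained password policy to the IT Administrators group created earlier, marking an admin account as not delegable, taking a System State backup with wbadmin, and summarising replication as objects. The policy name, thresholds, the backup volume E: and the account name are assumptions.

```powershell
# Added example, not part of the original guide: apply several of the listed
# practices in one pass. Policy name, thresholds, backup target and account
# names below are assumptions; adjust them for your environment.

# 1. Audit logging: enable success and failure auditing for the subcategories that
#    cover authentication, account/group changes and directory changes on a DC.
#    Settings made with auditpol are overridden by Group Policy; to keep them,
#    set the same subcategories in the Default Domain Controllers Policy as well.
#    "Directory Service Changes" (event 5136) also needs a SACL on the objects of interest.
$subcategories = 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
                 'Credential Validation', 'User Account Management',
                 'Security Group Management', 'Directory Service Changes', 'Audit Policy Change'
foreach ($sub in $subcategories) {
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}
auditpol /get /category:"Account Logon","Account Management","DS Access"

# 2. Fine-grained password policy: stricter rules for admins than the domain default.
#    Lower Precedence wins when several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name 'PSO-IT-Admins' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -MaxPasswordAge '90.00:00:00' -MinPasswordAge '1.00:00:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-IT-Admins' -Subjects 'IT Administrators'
# Confirm which policy actually wins for a given admin account
Get-ADUserResultantPasswordPolicy -Identity 'jsmith'

# 3. Protect admin accounts: mark them as sensitive so their credentials cannot be
#    delegated by services they log on to, and list admins still missing the flag.
Set-ADUser -Identity 'jsmith' -AccountNotDelegated $true
Get-ADGroupMember -Identity 'IT Administrators' -Recursive |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated } |
    Select-Object SamAccountName

# 4. System State backup (NTDS database, SYSVOL, registry, boot files) with wbadmin.
#    Requires the Windows Server Backup feature and a target volume that is not the
#    system volume; E: is an assumed separately attached disk.
Install-WindowsFeature -Name Windows-Server-Backup | Out-Null
wbadmin start systemstatebackup -backupTarget:E: -quiet
wbadmin get versions

# 5. Replication health as objects, alongside the text summary from repadmin.
repadmin /replsummary
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server |
    Select-Object Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```

Run the block on a DC in an elevated session after the second domain controller exists; step 5 returns nothing useful on a single-DC forest. The `Get-ADUserResultantPasswordPolicy` call is the check that the PSO is really applied, since a user who is not a member of the subject group silently keeps the default domain policy.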
