Setting Up Active Directory on Windows Server

By Admin · Mar 2, 2026 · Updated Apr 24, 2026

Active Directory Domain Services (AD DS) is the cornerstone of Windows enterprise networking, providing centralized authentication, authorization, and directory services. This guide walks you through deploying a new Active Directory domain controller on your Kazepute Breeze running Windows Server.

Prerequisites

  • A Kazepute Breeze running Windows Server 2019 or 2022
  • A static IP address configured on the server
  • Administrator access
  • A planned domain name (e.g., corp.example.com)

Step 1: Set a Static IP Address

Active Directory requires a static IP. Configure one via PowerShell:

# View current network configuration
Get-NetIPConfiguration

# Set static IP (adjust values for your Breeze)
New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.0.0.5 -PrefixLength 24 -DefaultGateway 10.0.0.1

# Set DNS to point to itself (required for AD)
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 10.0.0.5, 8.8.8.8

Step 2: Install the AD DS Role

# Install Active Directory Domain Services
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Verify installation
Get-WindowsFeature AD-Domain-Services

Step 3: Promote to Domain Controller

After installing the role, promote the server to a domain controller:

# Create a new forest and domain
# The DSRM password is read from a prompt so it is not saved in command history or scripts
$dsrmPassword = Read-Host -AsSecureString -Prompt "DSRM password"
Install-ADDSForest `
    -DomainName "corp.example.com" `
    -DomainNetbiosName "CORP" `
    -ForestMode "WinThreshold" `
    -DomainMode "WinThreshold" `
    -InstallDns:$true `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword $dsrmPassword `
    -Force:$true

The server will automatically reboot after promotion. Wait a few minutes before reconnecting.

Step 4: Verify Active Directory

After the reboot, log in with the domain administrator account and verify:

# Check AD services
Get-Service -Name NTDS, DNS, Kdc, Netlogon

# Verify the domain
Get-ADDomain

# Check the forest
Get-ADForest

# Test DNS resolution
Resolve-DnsName corp.example.com

Step 5: Create Organizational Units and Users

Organize your directory with OUs and add users:

# Create organizational units
New-ADOrganizationalUnit -Name "Staff" -Path "DC=corp,DC=example,DC=com"
New-ADOrganizationalUnit -Name "Servers" -Path "DC=corp,DC=example,DC=com"

# Create a new user
New-ADUser -Name "John Smith" `
    -GivenName "John" `
    -Surname "Smith" `
    -SamAccountName "jsmith" `
    -UserPrincipalName "jsmith@corp.example.com" `
    -Path "OU=Staff,DC=corp,DC=example,DC=com" `
    -AccountPassword (ConvertTo-SecureString "TempPass123!" -AsPlainText -Force) `
    -Enabled $true `
    -ChangePasswordAtLogon $true

# List all domain users
Get-ADUser -Filter * | Format-Table Name, SamAccountName, Enabled

Step 6: Configure Group Policy

Group Policy Objects (GPOs) let you enforce settings across your domain:

# List existing GPOs
Get-GPO -All

# Create a new, empty GPO (it enforces nothing until settings are added to it)
New-GPO -Name "Password Policy" -Comment "Enforce strong passwords"

# Link a GPO to an OU
New-GPLink -Name "Password Policy" -Target "OU=Staff,DC=corp,DC=example,DC=com"
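
The "Password Policy" GPO created above contains no settings, and password settings in a GPO linked to an OU do not govern domain accounts; those come from the domain-level policy or from a fine-grained password policy (PSO) applied to users or global security groups. The following is an added example, not part of the original guide, that sets both for this guide's domain; the group name, the PSO name and all thresholds are assumptions to adjust.

```powershell
# Added example. Assumed names: Staff-PasswordPolicy (group), Staff-PSO (PSO); thresholds are sample values.
Import-Module ActiveDirectory

$domain  = 'corp.example.com'                        # domain from this guide
$staffOu = 'OU=Staff,DC=corp,DC=example,DC=com'      # OU from Step 5
$group   = 'Staff-PasswordPolicy'                    # hypothetical group name
$pso     = 'Staff-PSO'                               # hypothetical PSO name

# 1. Domain-wide baseline: applies to every domain account that has no PSO.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# 2. A PSO cannot target an OU, so mirror the OU's users into a global security group.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $staffOu
}
$current = @(Get-ADGroupMember -Identity $group | ForEach-Object DistinguishedName)
$missing = @(Get-ADUser -Filter * -SearchBase $staffOu |
    Where-Object { $_.DistinguishedName -notin $current })
if ($missing.Count -gt 0) { Add-ADGroupMember -Identity $group -Members $missing }

# 3. Stricter policy for that group; a lower Precedence value wins when several PSOs apply.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$pso'")) {
    New-ADFineGrainedPasswordPolicy -Name $pso -Precedence 10 `
        -MinPasswordLength 16 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
}

# 4. Verify what is actually in force, including for the user created in Step 5.
Get-ADDefaultDomainPasswordPolicy | Format-List MinPasswordLength, ComplexityEnabled, LockoutThreshold
Get-ADFineGrainedPasswordPolicySubject -Identity $pso | Format-Table Name, ObjectClass
Get-ADUserResultantPasswordPolicy -Identity jsmith | Format-List Name, MinPasswordLength, LockoutThreshold
```

Users added to the Staff OU later are not picked up automatically; rerun step 2 or add them to the group when the account is created.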

Best Practices

  • Always use a strong Directory Services Restore Mode (DSRM) password and store it securely.
  • Deploy at least two domain controllers for redundancy.
  • Keep the AD database and SYSVOL on fast storage.
  • Regularly back up Active Directory using Windows Server Backup.
  • Enable auditing for logon events, account changes, and group policy modifications.
  • Use separate admin accounts for day-to-day work versus domain administration.
