Email This List Email This List Print This List Print This List

Cre­at­ing A Win­dows 2012R2 Domain Con­trol­ler

With Win­dows 2003 near­ing end-of-life, it is becom­ing more imper­at­ive to upgrade to a new­er oper­at­ing sys­tem. For many IT admins, this is a great oppor­tun­ity to start upgrad­ing infra­struc­tures to Win­dows 2012 or Win­dows 2012R2. Since DCPromo was depre­ci­ated in Win­dows Serv­er 2012, the fol­low­ing art­icle serves as a step-by-step guide to cre­at­ing a Win­dows 2012R2 domain con­trol­ler and adding it to an exist­ing envir­on­ment.

Adding the Win­dows 2012R2 Serv­er Domain Ser­vices Role

There are a num­ber of ways to get to the role man­age­ment screen. The easi­est will be to do it from the Serv­er Man­ager win­dow. If this win­dow has already been closed, right click on My Com­puter, and select Man­age.

Server Manager- Dashboard


Once the Serv­er Man­ager has been opened, click on Man­age and select Add Roles and Fea­tures.


Add Roles and Features


Once the Add Roles and Fea­tures Wiz­ard has star­ted up, select Next.


Add Roles and Features Wizard

On the next page, the default set­tings can be used.

Add Roles and Features Wizard - Default Settings


Under serv­er selec­tion, the default set­tings should be select­ing the domain con­trol.


Server Selection

On the Serv­er Roles page, select Act­ive Dir­ect­ory Domain Ser­vices.


Server Roles Page

Win­dows will prompt for any addi­tion­al fea­tures that will be needed.


Add Roles and Features Wizard - Additional Features


The next win­dow will prompt with a few addi­tion­al notes regard­ing best prac­tices. Note that the Act­ive Dir­ect­ory Domain Ser­vices Role will install the fol­low­ing in a new envir­on­ment:

  • DNS Ser­vices
  • DFS Namespaces Ser­vices
  • DFS Rep­lic­a­tion Ser­vices- Rep­lic­a­tion Ser­vices
  • Group Policy Man­age­ment


Active Directory Domain Services

The con­firm­a­tion page will dis­play all com­pon­ents that will be rein­stalled. Note that on a new serv­er, a reboot is not required to install the Act­ive Dir­ect­ory Domain Ser­vices role.


Confirm Installation Selections


Once the install­a­tion has com­pleted, this machine can be pro­moted to a domain con­trol­ler.


Once a Win­dows 2012 or Win­dows 2012R2 has had the Act­ive Dir­ect­ory Domain Ser­vices role installed, the domain con­trol­ler must be pro­moted to a domain con­trol­ler. This art­icle out­lines the steps needed to add a domain con­trol­ler to an exist­ing envir­on­ment.

How to Pro­mote a Win­dows 2012R2 Domain Con­trol­ler

Post install­a­tion of the role, the option to pro­mote a domain con­trol­ler will be avail­able. If Serv­er Man­ager has been closed, it will need to be opened back up. To do this, right click on My Com­puter and select man­age.

In the top right corner, a warn­ing label will now appear next to the task details icon. Click on this icon and select Pro­mote this serv­er to a domain con­trol­ler.

Promote this server to a domain controller


The Act­ive Dir­ect­ory Domain Ser­vices Con­fig­ur­a­tion Wiz­ard will begin. In the example shown below, I am adding a new domain con­trol­ler to an exist­ing domain. In most cases, I use the Admin­is­trat­or account. How­ever, in the example below, I am using an account that has the fol­low­ing three roles:

  • Domain Admin­is­trat­or
  • Enter­prise Admin
  • Schema Admin

Note that depend­ing on the scen­ario, you may be required to have only some or pos­sibly all three of these roles to be able to com­plete the install­a­tion.


Deployment Configuration


Since the new serv­er being deployed is going to replace one of the primary domain con­trol­lers, both DNS and Glob­al Cata­log were selec­ted. Addi­tion­ally, I used a Dir­ect­ory Ser­vices Restore Mode (DSRM) pass­word that did not match the domain admin­is­trat­or. Although this pass­word can match the domain admin­is­trat­or, I chose not to use the same pass­word for secur­ity pur­poses. Make sure this pass­word is doc­u­mented as this pass­word can help gain access to an envir­on­ment in the event that all domain admin­is­trat­or accounts lose access.


Domain Controller Options


Since I was not using a par­ent zone, I got the fol­low­ing warn­ing. In my case, I can ignore the warn­ing as this will not affect wheth­er the DNS fea­ture gets installed.


DNS Options


On the next screen, Act­ive Dir­ect­ory can rep­lic­ate from any domain con­trol­ler or a domain con­trol­ler can be spe­cified. In the screen­shot shown below there have three domain con­trol­ler lis­ted. Since two of these will be decom­mis­sioned in the near future, the new­est domain con­trol­ler was selec­ted.


Additional Options


All the AD DS data­base, log files and SYSVOL data was left at their default loc­a­tions.




The next win­dow will be a sum­mary of all selec­ted options. If any­thing needs to be adjus­ted, now would be the best time to do it.


Review Options


Win­dows will per­form a pre­requis­ites check. If the user account used to pro­mote the serv­er does not have suf­fi­cient priv­ileges (Schema Admin or Enter­prise admin), then the install­a­tion will not be able to be com­pleted. Either log onto anoth­er account that has the cor­rect per­mis­sions or grant those per­mis­sions to the desired user and start over from the begin­ning of the pro­mo­tion wiz­ard.


Prerequisites Check


For smal­ler, new­er envir­on­ments, the rep­lic­a­tion pro­cess will com­plete fairly quickly. In older and lar­ger envir­on­ments, it may take a bit of time to rep­lic­ate AD DS.




Once the install­a­tion has been com­pleted and the wiz­ard has been closed out, the AD DS will reboot.


Sign out


Once the serv­er has rebooted, FSMO roles can trans­ferred to the newly added domain con­trol­ler. See the Trans­fer­ring FSMO Roles to Anoth­er Act­ive Dir­ect­ory Con­trol­ler art­icle for addi­tion­al detials.

Related Post

admin has written 133 articles