Creating a New Windows Domain and Forest

AlphaCMD IT Posts, Windows

Creating a new Windows domain

The first step here, as with anything in IT, is planning. There is information you will need to have ready before you start the configuration.

For this walkthrough I will be using the domain and will explain each setting that we change. Some settings may be covered in future posts but are not covered here.


  • A network that is reachable from the other computers or virtual machines
  • Fresh installation of Server 2016 (virtual machine or bare-metal installation are both OK)
  • At least one network adapter (attached to the Server 2016 installation) configured with a static IP address.
  • The host name is set.
  • Domain name, in the format of
    • Ex.
  • Requirement 2


  • A strong administrator password, or one randomly generated by a password management application.
  • All available updates from Microsoft installed.

Step 2: Begin Configuration

The first thing that opens when you log into the server should be Server Manager. This is what we will use to add the server roles needed to build the domain.

Select “2 Add roles and features”. This should open a new window.

As a general rule when building a domain, I consider it a requirement that every domain controller has a static IP address and a proper hostname. If you need assistance with setting a hostname and static IP address, please see this post regarding standard Windows configurations and settings. The window that comes up is the wizard for installing roles and features provided by Microsoft. This wizard recommends a strong admin password, a static IP and the newest updates. As a security engineer, I would highly advise that all three of these items be in place before beginning the domain configuration.

This screen selects the type of installation. There are two options: Role-based or feature-based installation, and Remote Desktop Services installation. Since we are building our first domain controller, select the first option to install the appropriate roles and features.

Given that this is our first server in the domain, there is no option to select a server other than the Domain Controller (DC) that we are building. However, this gives us an excellent opportunity to verify the information that we believe is already configured. The hostname, IP and OS are all listed in this wizard (this applies to Server 2008 through 2016). If any information listed contradicts what you have configured, cancel this installation and reconfigure the items that are missing or incorrect.

There are 3 services that we are going to install based on the configuration listed for this course: AD DS (Active Directory Domain Services), DNS Server and DHCP Server. Simply ticking the boxes for each of these services will queue up both the roles and the required features for each service. File and Storage Services (1 of 12) will automatically be included. Leave this at the default, as these services are required for certain domain services such as domain Group Policies.

The next 3 screens are going to show you what each service is and the recommended configurations. Hit Next to get through the “AD DS”, “DHCP Server” and “DNS Server” windows.

This will bring you to the Confirmation window. This will show you all of the roles and features that are going to be installed on the server. Hit the Install button to begin.

This will bring you to the installation status screen. This screen will periodically update as features and roles are installed. When this is complete, you will see a status of Installation Complete. When the installation has completed, click Close.

When complete, your Server Manager will refresh and you will now have AD DS, DHCP, DNS and File and Storage Services. Up in the top right corner you will see a flag with a yellow triangle. When you click on this, it will tell you that post-deployment configuration is required for each service.
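The pre-flight checks the post insists on (static IP, deliberate hostname, updates applied, a sensible domain name that is not ‘.local’) and the role installation from the wizard can both be done from an elevated PowerShell prompt on the same Server 2016 box. The script below is an added example, not code from the original post; the domain name in it is a placeholder, and the pending-reboot registry key is only one indicator that Windows Update still needs a restart.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# server that is about to become the first domain controller.
$DomainName = 'corp.example.com'   # placeholder: the post's own domain name is not shown

function Test-DcPrerequisites {
    param([Parameter(Mandatory)][string]$DomainName)
    $problems = @()

    # 1. Domain name: at least two DNS labels, and not .local (reserved for multicast DNS).
    if ($DomainName -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') {
        $problems += "Domain name '$DomainName' is not a multi-label DNS name (e.g. name.tld)."
    }
    if ($DomainName -match '\.local$') {
        $problems += "Domain name ends in .local, which is reserved for multicast DNS (mDNS)."
    }

    # 2. Static IPv4 address: at least one connected, non-loopback interface with DHCP disabled.
    $staticIfs = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected |
        Where-Object { $_.Dhcp -eq 'Disabled' -and $_.InterfaceAlias -notmatch 'Loopback' }
    if (-not $staticIfs) {
        $problems += 'No connected IPv4 interface has a static address (DHCP is still enabled).'
    }

    # 3. Hostname: Windows setup generates names like WIN-XXXXXXXXXXX; a DC needs a deliberate name.
    if ($env:COMPUTERNAME -match '^WIN-[A-Z0-9]{8,}$') {
        $problems += "Hostname '$env:COMPUTERNAME' looks auto-generated; set a proper hostname first."
    }

    # 4. Not already domain-joined: this box is meant to be the first DC of a brand-new forest.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        $problems += "Server is already a member of domain '$($cs.Domain)'."
    }

    # 5. Pending reboot from Windows Update (one common indicator; not exhaustive).
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if (Test-Path $rebootKey) {
        $problems += 'A reboot is pending from Windows Update; reboot before continuing.'
    }

    return $problems
}

$issues = Test-DcPrerequisites -DomainName $DomainName
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Fix the items above before installing the roles.'
}

# The same three roles the post ticks in the wizard. -IncludeManagementTools pulls in
# the RSAT consoles (AD Users and Computers, DNS, DHCP) that Server Manager adds too.
$result = Install-WindowsFeature -Name AD-Domain-Services, DNS, DHCP -IncludeManagementTools
if (-not $result.Success) { throw "Role installation failed (exit code $($result.ExitCode))." }

# Confirm the install state; File and Storage Services is present on every Server 2016 install.
Get-WindowsFeature -Name AD-Domain-Services, DNS, DHCP, FileAndStorage-Services |
    Format-Table Name, InstallState -AutoSize
```

The checks are deliberately the ones the post says to verify on the wizard's server-selection page, so a mismatch is caught before anything is installed rather than after the promotion has started.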

To begin, click on “promote this server to a domain controller”. This will bring up the configuration window for the AD DS service.

There are 3 options in this first window:

  1. Add a domain controller to an existing domain
    1. This is used when adding domain controllers to an existing domain and forest. The purposes of this can range from redundancy to having local controllers at a branch office.
  2. Add a new domain to an existing forest
    1. This is used when multiple organizations are part of the same forest. This is most commonly used in a parent/child domain configuration. When adding a domain to a forest, this could be configured as
  3. Add a new forest
    1. This is to create an entirely new forest and domain. This is used when an organization is creating the first domain in its infrastructure.

In this example, we will be creating the first domain and forest. I have used the “” domain. For the first domain in a new forest, the name should be in the format of a (EX:,,). This is generally used in combination with a domain purchased from a domain registrar, but it is not restricted to that. The only top-level domain I recommend against is ‘.local’: the ‘.local’ domain is generally reserved for the multicast domain name service (mDNS).

When this information has been filled in, click next.

The next window will request the forest and domain functional level. This should match the lowest OS version of any server you have, or will have, in the domain. In this example, we are installing the domain on Server 2016 and will not have a server older than Server 2016 in the domain. If you have, or plan to have, a server older than this, you will want to lower the forest and domain levels to match that server’s OS for best compatibility. Lowering the functional level of a domain or forest reduces its capabilities and available features.

The next part is setting the DSRM (Directory Services Restore Mode) password. This is used if you ever need to recover and restore the AD database on a server in the event of corruption or other issues. I recommend creating a randomly generated password that is securely stored in a password manager or management software.

Hit Next when the password has been entered.

The next window will ask whether you want to specify DNS delegation. In this case, this is the first domain controller and this server will be creating the authoritative parent DNS zone, so these options cannot be changed.

The next window will set the NetBIOS name. This is another reference to the domain: when logging into a computer, the username will be in the format “NETBIOS\Username”. You can leave this as the generated default or set it to anything you wish. In my case I changed this to “ACMD”.

The next options will be “Paths”. This allows you to set where the database, log files and SYSVOL folder are stored. I highly recommend leaving these at the defaults. I have yet to encounter a situation where it was necessary to change them.

This screen gives you an overview of the configuration specified in the last several screens. If all information is correct, click Next.

This will run a check to make sure that all configurations are correct or in place to allow the configuration specified. There will be 2 items on this list with a warning symbol: a message regarding allowed cryptography algorithms and one about DNS delegation. Both of these warnings can be ignored for now. If you have a message at the top saying “All prerequisite checks passed successfully” and you do not have any critical errors or failures, click Install to begin the configuration and installation.

Once you hit “Install”, the next window will run the configuration check again and begin installing all services needed to complete the domain creation. This will take several minutes.

When the installation is complete you will see two messages; then the server will automatically reboot and complete the configuration.

  1. The server was successfully configured as a domain controller
  2. You’re about to be signed out.
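The whole promotion wizard (new forest, functional levels, DSRM password, no DNS delegation, NetBIOS name, default paths, prerequisite check, install, reboot) maps onto two cmdlets from the ADDSDeployment module that the AD DS role installs. The script below is an added example and not the post's own code; it mirrors the choices the post makes, with the domain name as a placeholder, the NetBIOS name “ACMD” from the post, and the DSRM password prompted as a SecureString so it is never written into the script.

```powershell
# Added example (not from the original post). Run elevated on the server after the
# AD DS, DNS and DHCP roles are installed.
Import-Module ADDSDeployment

$DomainName      = 'corp.example.com'   # placeholder: the post's domain name is not shown
$NetbiosName     = 'ACMD'               # the NetBIOS name the post chose
$FunctionalLevel = 'WinThreshold'       # ADDSDeployment's name for the Server 2016 level

# DSRM password: prompt rather than hard-code it, and keep a copy in your password
# manager, because this is what you log in with if the AD database ever needs restoring.
$DsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (Directory Services Restore Mode) password'

$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    ForestMode                    = $FunctionalLevel   # lower both if an older DC will join
    DomainMode                    = $FunctionalLevel
    InstallDns                    = $true     # this DC hosts the authoritative zone
    CreateDnsDelegation           = $false    # first DC: there is no parent zone to delegate from
    DatabasePath                  = 'C:\Windows\NTDS'    # the wizard's defaults
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $DsrmPassword
    NoRebootOnCompletion          = $true     # reboot explicitly once the output has been read
    Force                         = $true     # suppress the interactive confirmations
}

# Equivalent of the wizard's prerequisite-check page. The two warnings the post mentions
# (NT4-compatible cryptography algorithms, DNS delegation) show up here as well.
$check = Test-ADDSForestInstallation @forestParams
$check.Message | ForEach-Object { Write-Host $_ }
if ($check.Status -ne 'Success') {
    throw "Prerequisite check returned status '$($check.Status)'; fix the errors before promoting."
}

# The actual promotion: creates the forest, the domain, the DNS zone and SYSVOL.
$install = Install-ADDSForest @forestParams
if ($install.Status -ne 'Success') {
    throw "Promotion failed: $($install.Message)"
}

Write-Host 'Server was successfully configured as a domain controller; rebooting to finish.'
Restart-Computer -Force

# After the reboot, log in as <NETBIOS>\Administrator and confirm the levels took effect:
#   Get-ADForest | Select-Object Name, ForestMode
#   Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode
```

Running the test cmdlet first with the same parameter table means the promotion never starts from a configuration that the check has not already accepted, which is the same ordering the wizard enforces with its greyed-out Install button.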

When the server has completed its reboot, log in and Server Manager will start automatically. The last service that needs to be configured is DHCP. Click on the flag with the yellow warning sign and select the only remaining task, “Complete DHCP configuration”.

The following window shows a description of what this configuration will do.

Click “Next”.

This window requests the credentials to use for authorizing the DHCP server in Active Directory and creating the necessary security groups. In this case, we are going to select “Use the following user’s credentials”. Simply hit Commit from here.

This should simply show that the authorization completed.
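The “Complete DHCP configuration” task does three things behind the Commit button: it creates the DHCP Administrators and DHCP Users security groups, authorizes the server in Active Directory, and clears the Server Manager post-deployment flag. The script below is an added example, not the post's own code, and assumes you are logged in after the reboot as a domain administrator on the new DC; the ConfigurationState registry value is the one Server Manager reads for the DHCP role.

```powershell
# Added example (not from the original post). Run elevated, as a Domain Admin,
# on the freshly promoted domain controller that also hosts the DHCP role.
Import-Module DhcpServer

# 1. Create the local DHCP Administrators / DHCP Users groups the wizard creates.
Add-DhcpServerSecurityGroup

# 2. Authorize this server in Active Directory. A Windows DHCP server on a domain-joined
#    host will not hand out leases until it is authorized, which is the control that
#    keeps an unsanctioned DHCP server from answering clients on the domain.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ip   = (Get-NetIPAddress -AddressFamily IPv4 -PrefixOrigin Manual |
            Select-Object -First 1).IPAddress      # the statically assigned address
Add-DhcpServerInDC -DnsName $fqdn -IPAddress $ip

# 3. Restart the service so it picks up the new groups and the authorization.
Restart-Service -Name DhcpServer

# 4. Verify: this server should now be in the forest's authorized DHCP server list.
Get-DhcpServerInDC | Format-Table DnsName, IPAddress -AutoSize

# 5. Clear the yellow-flag "post-deployment configuration" task in Server Manager.
#    Roles\12 is the DHCP role entry; a ConfigurationState of 2 means "completed".
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' `
                 -Name ConfigurationState -Value 2
```

Step 4 is the check worth keeping around: if Get-DhcpServerInDC ever lists a name you do not recognize, a DHCP server has been authorized in your forest that you did not set up.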

Configuration Complete!