Configuring a forest root domain on Windows Server 2012


This scenario is mostly useful for test environments, because a production forest root domain is rarely created from scratch (it usually already exists). Still, you may be building a domain environment for a new company that has none yet, or preparing a new forest for a migration. In that case this article is also for you.

This article describes only the single forest, single domain scenario.

If you wish, you may also watch a video on my YouTube channel. It has no voice-over yet, but I will try to fix that in the near future 🙂

We need a few details before we start the configuration.

  • Company name – helpful in choosing the forest/domain name
  • Network configuration – the IP address range valid for the company and the router’s IP address (used as the default gateway)
  • ISP DNS servers or any public DNS servers, so that Internet resources can be reached from the company network
  • Services we need to run – which additional services are required to fulfil the company’s requirements

Let’s prepare them all.

  • Company name – Test Environment
  • Network configuration – IP address range; the last available IP address belongs to the router (default gateway)
  • Public DNS servers – and (Google public DNS servers)
  • Services – Active Directory Domain Services (AD DS), DNS server(s), DHCP server(s)

Now we can install our first Windows Server 2012 and configure it. After that we will be able to promote this box to a Domain Controller.

Once the server is installed, log on with the local Administrator account and start its preparation. Set a strong password on this account now: when the first DC of a new forest is created, the local Administrator account becomes the domain Administrator account and keeps its password.

Open Server Manager (or wait a moment, because it starts by itself by default), set a static IP address for the server (in this case it’s with network mask), configure the time zone and change the server name according to your company’s naming convention. You can also set other options there, such as NIC teaming, remote management and remote access.

This is a very important part of the network configuration before promoting the server to a Domain Controller. As the preferred DNS server, type (the loopback interface) or the server’s own IP address, so that the server uses itself for DNS resolution.

To configure network parameters, click on “Local Server” node on the left side of Server Manager

Local server basic configuration

and then click on “Ethernet” to configure these settings

Network card configuration

You will see “Network connections”, where your network card is listed

Network card

edit its properties and set the required IP information in the IPv4 section

IPv4 settings edition

Note! Do not disable IPv6 even if you do not use it (Microsoft does not recommend unbinding it, and some Windows components depend on it). Instead, open its properties and disable dynamic DNS registration for IPv6 only. This is done under “Advanced” settings, on the “DNS” tab of the IPv6 section.

Going back to the IPv4 settings, in its properties enter a valid IP address, network mask, default gateway and DNS server IP address

IPv4 settings

Now let’s configure the server name and reboot, so that we can start the promotion to Domain Controller. To change the server name, click on the “Computer name” field and provide the appropriate name

Server name change


Apply the changes and reboot the server. When it is up and running again, you can start the promotion process.
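The same pre-promotion preparation can be done from an elevated PowerShell prompt on the server, which is easier to repeat in a lab and leaves no room for a mistyped address. This is an added example and not code from the original article; the adapter alias, the addresses 192.168.10.10/24 and 192.168.10.254, and the name DC01 are assumptions for a lab and should be replaced with your own values. Run it from the console (or Hyper-V/iLO), because replacing the IPv4 address drops an RDP session that uses the old one.

```powershell
# Added example (not from the original article): pre-promotion network and
# name configuration on Windows Server 2012. All values below are assumptions.
$AdapterName = 'Ethernet'          # adapter alias as shown in Server Manager
$ServerIP    = '192.168.10.10'     # assumed static address for the future DC
$PrefixLen   = 24                  # 255.255.255.0
$Gateway     = '192.168.10.254'    # "the last available IP address is the router"
$NewName     = 'DC01'              # assumed name from the naming convention

$nic = Get-NetAdapter -Name $AdapterName

# Turn off DHCP and remove any leftover address/default route, so the
# static address is the only one on the adapter.
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $ServerIP `
    -PrefixLength $PrefixLen -DefaultGateway $Gateway | Out-Null

# The future DC must resolve names through itself: point the DNS client at
# the server's own address (the loopback address would work as well).
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $ServerIP

# Leave IPv6 bound to the adapter; just confirm it is still enabled instead
# of switching it off.
Get-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled

# Sanity check before renaming: the adapter carries exactly the intended config.
Get-NetIPConfiguration -InterfaceIndex $nic.ifIndex |
    Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

# Rename and reboot; the promotion starts after the reboot.
Rename-Computer -NewName $NewName -Force -Restart
```

Disabling IPv6 dynamic DNS registration on its own is a per-protocol setting in the adapter GUI; the Set-DnsClient cmdlet switches registration for the whole interface, so that one step is best left in the “Advanced” dialog described above.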

Now, a small change in Domain Controller promotion 🙂 The dcpromo command is deprecated and no longer used for interactive promotion. Microsoft moved the process into Server Manager (backed by the ADDSDeployment PowerShell module) to simplify it as much as possible.


This time you need to install the Active Directory Domain Services (AD DS) role and then follow the post-installation steps, which promote the server to a Domain Controller. To do that, open Server Manager and go to “Add roles and features” on the Dashboard screen

Adding roles

A wizard will guide you through the role installation. Go through the screens with the default options up to the role selection screen and choose the “Active Directory Domain Services” role. Confirm all dependent roles/features to be installed together with AD DS

Active Directory Domain Services role installation

confirm also the features that will be installed with the selected role

AD DS role installation

Go “Next” to screen with installation summary and click “Install”

Roles and features installation

and wait until the Active Directory Domain Services role is installed

Role installation

When the role is installed, you will see a yellow exclamation mark in the notification area

Post-installation steps

That means there are additional steps to do after the role installation. Click on that field and you will see what to do next

Post-installation steps

Click on “Promote this server to a domain controller” and promotion wizard will be displayed.

It is similar to the DCPROMO wizard on older OS versions, but the promotion process is simpler and requires fewer steps.

In our case we are configuring a new forest root domain, so choose the “Add a new forest” option and specify the DNS domain name for the new forest. In this example we will use testenv.local as the DNS domain name. (The .local suffix is fine for a lab, but it is also used by multicast DNS; for a new production forest, prefer a subdomain of a DNS name your company owns, such as corp.example.com, so that internal names never collide with names on the Internet.)

Domain Controller promotion

On the next screen you need to specify the Domain and Forest Functional Levels. For more details, please check other articles on my blog:

Important! Treat the Domain/Forest Functional Level as a one-way choice: lowering it afterwards is possible only in limited cases (from PowerShell, and not once features such as the Active Directory Recycle Bin are enabled), so be careful when you choose it. If you are not sure which functional level is adequate for you, choose the lower one. You can always raise it later without any business continuity disruption.

On the same screen, define whether this server will also run the DNS role and be a Global Catalog. As this is the first Domain Controller in the forest, Global Catalog is mandatory (the option cannot be cleared) and DNS is selected by default; keep it unless you already run DNS elsewhere. In this example both stay on this server.

Specify the Directory Services Restore Mode (DSRM) password. This password is used only to log on locally when the DC is booted into DSRM (for example to restore the AD database); it is not the domain Administrator password. The local Administrator account of this server becomes the domain Administrator account and keeps its current password, so make sure that one is strong before you continue. Store the DSRM password securely, because it gives full offline access to the AD database.

Domain Controller promotion

As this is the first Domain Controller of a forest root domain, there is no parent DNS zone to delegate from, so ignore the DNS delegation warning and go to the next step

Domain Controller promotion

After the DNS domain name, you also need to type the NetBIOS domain name. By default the wizard suggests the first label of the DNS domain name (up to 15 characters). Unless you have a reason to use a different NetBIOS name, I would suggest leaving the default: after such a change I have seen the Active Directory Administrative Center fail to recognise the domain, because it expects the first label of the DNS domain name.

Domain Controller promotion

Specify the location of the AD database, log files and SYSVOL. You may leave the defaults or move them to another drive (it must be an NTFS volume)

Domain Controller promotion

You will see a summary screen with all details before the installation. In Windows Server 2012 everything you do in Server Manager is translated into PowerShell (here the ADDSDeployment module) and executed in the background, so you may click on “View script” to see exactly what will be run to install and configure the Domain Controller

PowerShell script for Domain Controller promotion

When you are ready, click Next to go to the final screen, where the prerequisite checks run and the script is executed in the background

Domain Controller promotion

If all prerequisite checks pass, you can start the installation

Domain Controller promotion

Wait a while; the server will be rebooted. After the reboot, your server is a Domain Controller.

Congratulations! Your Domain Controller for the forest root domain is ready. You can log on to it as the domain Administrator with the password the local Administrator account had before promotion (not the DSRM password, which is only for Directory Services Restore Mode)
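The whole role installation and promotion above can be reproduced with the ADDSDeployment module, which is what “View script” shows. The block below is an added example, not the article’s own script and not the exact text the wizard generates; it mirrors the wizard choices made above and assumes the domain name testenv.local, the NetBIOS name TESTENV and the default database/SYSVOL paths. It runs the same prerequisite checks the wizard runs and refuses to promote if any of them fail, which is the advice given to the commenter below about failed checks.

```powershell
# Added example (not from the original article): install the AD DS role and
# promote the server to the first DC of a new forest with ADDSDeployment.
# Assumed values: testenv.local / TESTENV, default paths, Win2012 levels.
Import-Module ServerManager

# 1. Install the AD DS role plus its management tools (RSAT), the same thing
#    the "Add roles and features" wizard does.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

Import-Module ADDSDeployment

# Prompt for the DSRM password instead of hard-coding it: it is the offline
# key to the whole AD database and does not belong in a script file.
$dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

$params = @{
    DomainName                    = 'testenv.local'
    DomainNetbiosName             = 'TESTENV'            # first DNS label, as the wizard suggests
    ForestMode                    = 'Win2012'            # one-way choice; pick lower if older DCs must join
    DomainMode                    = 'Win2012'
    InstallDns                    = $true                # first DC: DNS and Global Catalog on this box
    CreateDnsDelegation           = $false               # no parent zone to delegate from
    DatabasePath                  = "$env:SystemRoot\NTDS"
    LogPath                       = "$env:SystemRoot\NTDS"
    SysvolPath                    = "$env:SystemRoot\SYSVOL"
    SafeModeAdministratorPassword = $dsrm
    Force                         = $true                # suppress the confirmation prompts
}

# 2. Run the wizard's prerequisite checks first and stop on any failure;
#    do not continue until the reported problems are fixed.
$check = Test-ADDSForestInstallation @params
$check | Format-List Message, Context, Status
if ($check.Status -ne 'Success') {
    throw 'Prerequisite checks failed; fix them before promoting.'
}

# 3. Promote. The server reboots automatically when it finishes (the default,
#    like the wizard). Afterwards log on as TESTENV\Administrator with the
#    password the local Administrator account had before promotion.
Install-ADDSForest @params
```

Keep the DSRM password out of version control and chat logs; if you must automate it, pass a SecureString built from a secret store at run time rather than a literal in the script.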

Domain Controller logon screen

Log on to your new Domain Controller using the domain administrator credentials.

We have to configure the DNS server to forward unresolved DNS queries to the ISP DNS server(s) or other public DNS server(s). This is necessary for clients on our internal network to reach Internet resources. (Without forwarders the server falls back to the root hints, which only works if it can reach the Internet root servers directly.)

Open DNS management console from Tools in Server Manager and select server name.

DNS forwarders configuration

In the right pane, at the bottom of that window, double-click on Forwarders

DNS forwarders configuration

When the Forwarders window appears, click the “Edit” button to add the public DNS servers used for Internet access

DNS forwarders configuration

You will see a window where you can enter ISP or public DNS servers. Add them to the list. In this case we use the Google public DNS servers ( and ). Wait until they are validated and close the console

DNS forwarders configuration
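The forwarder configuration, the validation the console performs, and the checks a practitioner would run on a freshly promoted DC can also be done with the DnsServer module. This is an added example and not the article’s own code; the forwarder addresses are the Google Public DNS anycast addresses used here as assumed example values (substitute your ISP’s resolvers if company policy requires), the zone name testenv.local follows the example above, and www.example.com is just a public name used to prove external resolution works.

```powershell
# Added example (not from the original article): configure and verify DNS
# forwarders on the new DC, then run the basic post-promotion checks.
# Assumed values: forwarders 8.8.8.8/8.8.4.4, zone testenv.local.
Import-Module DnsServer

$Forwarders = @('8.8.8.8', '8.8.4.4')

# Replace (not append to) the forwarder list, keep the default 3-second
# forwarder timeout, and keep root hints as a fallback if all forwarders fail.
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $true -Timeout 3

# Show what is configured now.
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# Validate through the DC itself: an external name must resolve via the
# forwarders, and the DC's own SRV records must be published, otherwise
# domain members cannot locate it.
$external = Resolve-DnsName -Name 'www.example.com' -Server '127.0.0.1' -Type A -ErrorAction Stop
$srv      = Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.testenv.local' -Server '127.0.0.1' -Type SRV -ErrorAction Stop
'External lookup returned {0} record(s); {1} DC SRV record(s) published.' -f @($external).Count, @($srv).Count

# Security hygiene for the AD-integrated zone: allow only secure (Kerberos
# authenticated) dynamic updates, so rogue hosts cannot register or overwrite
# names. Promotion creates the zone this way; setting it enforces it explicitly.
Set-DnsServerPrimaryZone -Name 'testenv.local' -DynamicUpdate Secure

# Classic DC health check; with /q only failures are printed, so empty
# output means every test passed.
dcdiag.exe /q
```

Run the Resolve-DnsName checks again after adding the second DC described in the comments below: the SRV query should then return one record per Domain Controller.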

Afterwards, consider Domain Controller and DNS server redundancy by adding a second server with these roles. Another very important task is a regular System State backup of the Domain Controllers; that backup is what a Directory Services Restore Mode restore works from.

If hardware resources are scarce, you can also host the DHCP server on this Domain Controller. However, installing additional roles on DCs is not recommended for security reasons: every extra service widens the attack surface of the most sensitive server in the forest, and anyone who can administer that service can in practice reach the directory. DHCP on a DC additionally registers DNS records under the DC’s own computer account unless you configure dedicated DHCP credentials for dynamic updates.

Author: Krzysztof Pytko


18 responses to “Configuring a forest root domain on Windows Server 2012”

  1. Tom Noehle says :

    Exactly what I was looking for! Thank you very much & greetings from germany 🙂

  2. Burkhardt & Larson Attorneys At Law says :

    I got this site from my friend who shared with me on the topic of this web page and
    at the moment this time I am browsing this web site and reading very informative articles
    or reviews at this time.

  3. Burkhardt & Larson Attorneys At Law says :

    Thanks on your marvelous posting! I genuinely enjoyed reading it, you
    are a great author. I will always bookmark your blog and will eventually come back at some point.
    I want to encourage you to ultimately continue your great work, have a nice weekend!

  4. Eusebia says :

    Howdy! This blog post could not be written any better!
    Going through this article reminds me of my previous roommate!
    He constantly kept preaching about this. I most certainly will forward this
    information to him. Pretty sure he’ll have a very good read. I appreciate you for sharing!

  5. Patrick says :

    Thank you so much. You’re the first one that explains how to configure DNS on the first DC. I’ve spent hours looking for such a simple explanation. Thank you again. Do you have a post on how to configure a second DC? Should its DNS entry (preferred DNS server) in the IP configuration point to itself or should it point to the first DC? Then should the Alternate DNS server entry be configured, with which address? And finally, is there any modification that needs to be done on one or both DNS Servers so they can replicate objects in AD?

    Thank you again,


    • iSiek says :

      Hello Patrick,

      I’m glad that my article helped you to solve the issue. Yes, of course I have an article about adding an additional Domain Controller in an existing environment. Please take a look at this one:

      I would strongly suggest to set up DNS IP address in this order:

      Primary DNS: another DNS in the same location
      Alternative DNS: IP address of that DNS itself
      3rd DNS: (loopback interface)

      But before you change the DNS order, leave only one DNS IP address pointing to the remote DNS in the same location for one day, to be sure that the whole AD database and its configuration have replicated


  6. Forhad says :

    Awesome article. I have learnt a lot from this simple explanation.

  7. Gabriel says :

    Thanks you, Greeting from Dominican Republic.

  8. Sumit Kumar says :

    Thank you so much for this fantastic article. I followed all the steps and installed AD on my QA server. However now I am not able to remote into the server. Any idea, why its happening?

  9. Kate says :

    what a great article!! thank you. very handy for building my test environment. it is rare that you ever have to build a forest from scratch.

  10. windsor says :

    what if few of the prerequisites checks failed during deployment configuration?

    • iSiek says :

      Everything depends on the state in which they occurred. I would not suggest following the other steps before the issues are addressed and fixed.


