With the schema now extended for Windows Server 2025, it’s time to move forward with installing Active Directory Domain Services (AD DS) on our new Server 2025 machines and promoting them to domain controllers. This is where our new infrastructure begins to take form. We’ll introduce our Windows Server 2025 Domain Controllers into an existing domain—running alongside our 2016 ones—and ensure a seamless, zero-downtime transition.


Installing the Active Directory Domain Services Role

Install the AD DS role on your new Windows Server 2025 machine. This loads all the necessary binaries and management tools; the server is not yet a domain controller at this point, because promotion is a separate step that follows.

Step 1: Install AD DS Role via PowerShell

On the new 2025 server (e.g., DC2025-1), log in as an administrator and open a PowerShell prompt:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

This installs both the AD DS role and the AD management tools. Once complete, you can verify with:

Get-WindowsFeature AD-Domain-Services

It should report as Installed.

Promoting the Server to a Domain Controller

Now that the role is installed, the next step is to promote the server to a domain controller. We’ll use PowerShell to streamline the process and make it easily repeatable.

Step 2: Promote via PowerShell

Install-ADDSDomainController `
    -DomainName "CONTOSO.COM" `
    -InstallDns `
    -SiteName "Default-First-Site-Name" `
    -Credential (Get-Credential "CONTOSO\Administrator") `
    -DatabasePath "C:\Windows\NTDS" `
    -LogPath "C:\Windows\NTDS" `
    -SysvolPath "C:\Windows\SYSVOL" `
    -SafeModeAdministratorPassword (ConvertTo-SecureString "YourDSRMpassword" -AsPlainText -Force) `
    -Verbose

Parameter Breakdown:

  • DomainName: The domain to which the server will be added.
  • InstallDns: Installs the DNS Server role.
  • SiteName: Name of the AD site (default is usually “Default-First-Site-Name”).
  • Credential: Supply an account with Domain Admin/Enterprise Admin rights.
  • DatabasePath, LogPath, SysvolPath: Leave as default or customize.
  • SafeModeAdministratorPassword: Set the DSRM password.
  • Verbose: Get detailed output during promotion.

After successful execution, the server will reboot and begin the process of becoming a domain controller.
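Before running the promotion above, it is worth dry-running the same parameters with Test-ADDSDomainControllerInstallation, which checks the prerequisites without changing anything. The script below is an added example, not part of the original post; it uses the domain and site from the command above and prompts for the DSRM password instead of writing it into the script, so the password does not land in the PowerShell history or a transcript file.

```powershell
# Added example: pre-flight check for the promotion command above.
# Domain and site name are taken from the post; everything else is prompted.
Import-Module ADDSDeployment

$domain = 'CONTOSO.COM'
$cred   = Get-Credential 'CONTOSO\Administrator'

# Prompt for the DSRM password as a SecureString rather than embedding a
# plaintext literal that would be stored in history/transcript files.
$dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString

# Same parameters as Install-ADDSDomainController, but nothing is installed.
$result = Test-ADDSDomainControllerInstallation `
    -DomainName $domain `
    -InstallDns `
    -SiteName 'Default-First-Site-Name' `
    -Credential $cred `
    -SafeModeAdministratorPassword $dsrm

# The test returns the same status object the install would produce.
$result | Format-List Status, Message

if ($result.Status -ne 'Success') {
    throw "Prerequisite check failed: $($result.Message)"
}

# At this point the promotion can be run with the same $cred and $dsrm
# values, so the password still never appears in clear text in the script.
```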

GUI Alternative

For those who prefer a graphical method, Server Manager will show a post-installation task. Click “Promote this server to a domain controller” and follow the wizard. Select “Add a domain controller to an existing domain” and provide the necessary details, including credentials and the DSRM password. Then reboot when prompted.

Post-Promotion Validation

Once the server has rebooted and promotion completes:

  • Log in using a domain account (local accounts are now disabled).
  • Run dcdiag to verify the health of the new DC.
  • Check Active Directory Users and Computers: Ensure the new DC appears in the Domain Controllers OU.
  • Use Active Directory Sites and Services: Verify the NTDS Settings object exists under the correct site.

Confirm Global Catalog

Most new DCs are also Global Catalog servers by default. To confirm:

Get-ADDomainController -Identity "DC2025-1" | Select-Object Name, IsGlobalCatalog

It should return IsGlobalCatalog: True.

Verify Replication

Use the following command to check replication:

repadmin /replsummary
repadmin /showrepl DC2025-1

Look for successful replication on all partitions.

Check DNS

Open DNS Manager and connect to the new DC. Confirm the zones (e.g., contoso.com and _msdcs.contoso.com) are present. Under the SRV records path, verify that the new DC has registered itself:

nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com

Your new DC should appear alongside the existing ones.
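The Global Catalog, replication and SRV checks above can be rolled into one script that is easy to re-run after each promotion. This is an added example, not code from the original post; the DC name and domain are the ones used throughout this part, and the replication check parses the CSV form of repadmin /showrepl rather than the plain text shown above.

```powershell
# Added example: one-shot post-promotion validation for a new DC.
Import-Module ActiveDirectory

$dc       = 'DC2025-1'      # new DC from the post
$domain   = 'contoso.com'   # domain from the post
$problems = @()

# 1. Global Catalog: IsGlobalCatalog is a default property of the DC object.
$dcObj = Get-ADDomainController -Identity $dc
if (-not $dcObj.IsGlobalCatalog) {
    $problems += "$dc is not a Global Catalog server"
}

# 2. Replication: /csv emits one row per inbound partner and partition,
#    with a 'Number of Failures' column we can test directly.
$links = repadmin /showrepl $dc /csv | ConvertFrom-Csv
foreach ($l in $links) {
    if ($l.'Number of Failures' -ne '0') {
        $problems += ("Replication of {0} from {1}: {2} failure(s), last status {3}" -f
            $l.'Naming Context', $l.'Source DSA',
            $l.'Number of Failures', $l.'Last Failure Status')
    }
}

# 3. SRV registration: the new DC must be one of the targets of the
#    _ldap._tcp.dc._msdcs record, the same record queried with nslookup above.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
if (-not ($srv | Where-Object { $_.NameTarget -like "$dc.*" })) {
    $problems += "$dc has not registered its _ldap._tcp.dc._msdcs SRV record"
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "$dc passed the GC, replication and SRV checks"
}
```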

Adding Additional Domain Controllers

For resilience and redundancy, repeat the process above on another Server 2025 machine (e.g., DC2025-2). Having two new DCs allows you to eventually decommission the legacy ones without creating a single point of failure.

Advanced Note: In large environments or remote locations with poor connectivity, use Install From Media (IFM) to stage the new DC and reduce replication overhead.

Ensuring Zero Downtime

Adding new DCs is a non-disruptive process. While the new DC is promoted, existing DCs continue serving clients. There’s no need to stop services or take the domain offline. The only interruption is rebooting the new server—users are unaffected.

Post-Promotion Cleanup

Update DNS Settings

Set the new DCs to point to each other or themselves for DNS resolution:

  • DC2025-1: Primary DNS = itself; Secondary = DC2025-2
  • DC2025-2: Primary DNS = itself; Secondary = DC2025-1

Avoid pointing to old 2016 DCs to reduce dependency.
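The DNS client order above (itself first, then the other new DC, never a 2016 DC) can be applied remotely to every new DC in one loop. This is an added example, not from the original post; the IP addresses are constructed sample values, and the loop generalizes the two-DC layout above to any number of new DCs.

```powershell
# Added example: point each new DC at itself first, then its 2025 peers.
# Addresses are constructed placeholders; substitute the real ones.
$newDcs = [ordered]@{
    'DC2025-1' = '10.0.0.11'
    'DC2025-2' = '10.0.0.12'
}

foreach ($dc in $newDcs.Keys) {
    # Own address first, then every other new DC. Legacy 2016 DCs are
    # deliberately absent so no dependency on them remains.
    $order = @($newDcs[$dc]) + @(
        $newDcs.Keys | Where-Object { $_ -ne $dc } | ForEach-Object { $newDcs[$_] }
    )

    # (,$order) passes the array as a single argument to the remote script block.
    Invoke-Command -ComputerName $dc -ArgumentList (,$order) -ScriptBlock {
        param($servers)
        # Configure the first connected adapter; adjust if the DC is multi-homed.
        $adapter = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
        Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $servers

        # Echo the resulting order back so the change can be verified per DC.
        Get-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 |
            Select-Object @{n='DC'; e={ $env:COMPUTERNAME }}, ServerAddresses
    }
}
```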

Time Synchronization

New DCs will sync time from the current PDC Emulator. Just verify that their clocks are accurate. We’ll handle time master changes in a later part.

Monitor Event Logs and Performance

Watch for:

  • Replication errors: Event ID 1311 or 1566
  • Directory Service logs
  • CPU/memory spikes
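The three items above can be checked from one console without logging on to each DC. This is an added example, not from the original post; it pulls events 1311 and 1566 from the Directory Service log of each new DC for the last 24 hours and samples CPU and available memory. The DC names are the ones used in this part.

```powershell
# Added example: replication events and a resource snapshot from the new DCs.
$dcs   = 'DC2025-1', 'DC2025-2'
$since = (Get-Date).AddHours(-24)

foreach ($dc in $dcs) {
    # Replication errors named above. SilentlyContinue suppresses the
    # "no events found" error so a clean DC does not abort the loop.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1311, 1566
        StartTime = $since
    }

    if ($events) {
        $events |
            Select-Object @{n='DC'; e={ $dc }}, TimeCreated, Id, LevelDisplayName,
                          @{n='Message'; e={ ($_.Message -split "`n")[0] }} |
            Format-Table -AutoSize
    } else {
        Write-Host "$dc : no 1311/1566 events since $since"
    }

    # Quick resource snapshot to spot the CPU/memory spikes mentioned above.
    $cpu = (Get-Counter -ComputerName $dc -Counter '\Processor(_Total)\% Processor Time').CounterSamples[0].CookedValue
    $mem = (Get-Counter -ComputerName $dc -Counter '\Memory\Available MBytes').CounterSamples[0].CookedValue
    Write-Host ("{0} : CPU {1:N1}%  free memory {2:N0} MB" -f $dc, $cpu, $mem)
}
```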

Test Authentication

Verify that clients can authenticate against the new DCs, for example by checking which logon server a client used or by temporarily shutting down the old DCs.

Wrapping Up Part 3

Your domain is running in mixed mode with 2016 and 2025 domain controllers. Promotion has occurred with zero downtime, and replication is flowing. In the next part, we’ll begin adjusting SRV records and draining traffic from the old DCs to transition fully to the new environment. Onward!

Thanks,

Cristal Kawula – Checkyourlogs.net