In this guide, we will walk through the process of setting up a local domain environment using Windows Server 2025. We will cover server preparation, installing the Active Directory Domain Services (AD DS) role, promoting the server to a Domain Controller (DC), creating users, and joining a Windows 11 client to the new domain.
Before installing any roles, we must prepare the server with a proper name and static IP address to ensure stability and discoverability on the network.
By default, Windows Server has a generic, random hostname. Navigate to Settings > System > About and click "Rename this PC". A standard naming convention is recommended, such as LAB-DC01 (where DC stands for Domain Controller). You must restart the server for this change to take effect.
Domain Controllers should never use dynamic (DHCP) IP addresses. Go to Network & Internet settings > Ethernet and edit the IP assignment. Set it to Manual IPv4 and assign a static IP address (e.g., 10.0.0.7) within your subnet range. Point the DNS server to your gateway or leave it blank for now—we will update this after installing the DNS role.
Once the server is prepared, we use Server Manager to install the necessary roles.
Open Server Manager and select "Add roles and features". Proceed through the wizard, ensuring your server (LAB-DC01) is selected.
Check the box for Active Directory Domain Services. Accept the prompt to add required features (management tools). Continue through the wizard and click Install. The installation will take a few minutes.
After installation, the server is not yet a Domain Controller. You must promote it.
Click the notification flag in Server Manager and select "Promote this server to a domain controller".
Since this is the first server, select Add a new forest. Enter your Root domain name, such as ad.lab or internal.company.com.
Set the Forest and Domain functional levels to Windows Server 2025 (or the latest available version compatible with your environment). Ensure the DNS Server capability is checked.
Crucial: Set a strong DSRM (Directory Services Restore Mode) password. This is required for disaster recovery scenarios.
Ignore the DNS delegation warning (this is normal for the first DC). The NetBIOS name (e.g., AD) will be generated automatically. Review your settings and click Install. The server will automatically reboot to complete the promotion.
After the reboot, log in using your domain admin credentials (e.g., AD\Administrator).
Now that the server is a DNS server, update its network interface settings. Set the Preferred DNS server to its own static IP (e.g., 10.0.0.7) or the loopback address (127.0.0.1). This ensures the DC looks to itself for domain resolution.
Open DNS Manager. Right-click your server name and select Properties. In the Forwarders tab, add external DNS servers (like Google's 8.8.8.8 or Cloudflare's 1.1.1.1). This allows your local network to resolve internet domain names.
Avoid using the default Administrator account for daily tasks. Create dedicated user accounts instead.
Open Active Directory Users and Computers. Right-click the domain and create a new Organizational Unit (e.g., "HR" or "IT"). OUs help organize users and apply specific policies.
Inside the new OU, right-click and select New > User. Create a user (e.g., "Tim Smith") and set a secure password.
Finally, we will connect a Windows 11 machine to our new domain.
On the Windows 11 client, go to network settings. Change the Preferred DNS server to the IP address of your Domain Controller (10.0.0.7). Without this, the client cannot find the domain.
Go to System > About and select "Domain or workgroup". Click Change, select Domain, and type your domain name (ad.lab).
You will be prompted for credentials. Enter the Administrator username and password for the domain. Upon success, restart the client machine.
After rebooting, log in using the new domain user account (e.g., AD\Tim.Smith). You can verify the connection by opening a command prompt and running whoami (which should show the domain prefix) or running nslookup against an internal hostname such as the Domain Controller.
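The whole procedure above as an added PowerShell example, not part of the original guide: the first three functions run in an elevated session on the server (across the two reboots noted in the comments) and the last on the Windows 11 client. The values are the guide's own examples (LAB-DC01, 10.0.0.7, ad.lab, AD, an IT OU, Tim Smith); the adapter alias "Ethernet", the gateway 10.0.0.1 and the /24 prefix are assumptions.

```powershell
function Initialize-LabDcNetwork {
    # Step 1: static addressing first, then the rename (which reboots).
    # Disabling DHCP on the adapter stops a lease from reappearing later.
    Set-NetIPInterface -InterfaceAlias 'Ethernet' -Dhcp Disabled
    New-NetIPAddress -InterfaceAlias 'Ethernet' -IPAddress '10.0.0.7' `
        -PrefixLength 24 -DefaultGateway '10.0.0.1'   # gateway is an assumption
    # DNS points at the gateway for now; switched to loopback after promotion.
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.1'
    Rename-Computer -NewName 'LAB-DC01' -Restart
}

function Install-LabForest {
    # Step 2 (after the rename reboot): install the role, then promote.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    # The DSRM password is prompted for as a SecureString, never hard-coded:
    # it is the offline recovery credential for this DC, a break-glass secret.
    $dsrm = Read-Host -Prompt 'DSRM password' -AsSecureString
    # ForestMode/DomainMode are left at the installer default, i.e. the highest
    # level the installing OS supports (Windows Server 2025 here).
    Install-ADDSForest -DomainName 'ad.lab' -DomainNetbiosName 'AD' `
        -InstallDns -SafeModeAdministratorPassword $dsrm -Force
    # The server reboots by itself when promotion completes.
}

function Complete-LabDcConfig {
    # Step 3 (after the promotion reboot, logged in as AD\Administrator):
    # the DC resolves against itself, forwards everything else to public
    # resolvers, and gets its first OU and a non-admin user for daily work.
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '127.0.0.1'
    Add-DnsServerForwarder -IPAddress '1.1.1.1', '8.8.8.8'
    New-ADOrganizationalUnit -Name 'IT' -Path 'DC=ad,DC=lab'
    New-ADUser -Name 'Tim Smith' -GivenName 'Tim' -Surname 'Smith' `
        -SamAccountName 'tim.smith' -UserPrincipalName 'tim.smith@ad.lab' `
        -Path 'OU=IT,DC=ad,DC=lab' -Enabled $true `
        -AccountPassword (Read-Host -Prompt 'Password for tim.smith' -AsSecureString)
    # Check: clients locate the domain through this SRV record. If it does not
    # resolve, the DC is not registered in its own DNS and joins will fail.
    Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.ad.lab' -Type SRV
}

function Join-LabClient {
    # Step 4, on the Windows 11 client: DNS must point at the DC before the
    # join, otherwise the domain cannot be found. Reboots on success.
    Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses '10.0.0.7'
    Add-Computer -DomainName 'ad.lab' -Credential (Get-Credential 'AD\Administrator') -Restart
}
# After the client reboot, Test-ComputerSecureChannel returns $true when the
# machine account's trust with the DC is healthy.
```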