How to Set Up Active Directory Using PowerShell

Overview

This article explains how to use PowerShell on Windows Server to build an Active Directory (AD) environment and add a second Domain Controller (DC).

Variable Conventions

The following variables represent environment-dependent values. Replace them with those appropriate for your setup.

Variable	Example	Description
`<<DOMAIN_NAME>>`	`example.local`	Active Directory domain name
`<<NETBIOS_NAME>>`	`EXAMPLE`	NetBIOS name (recommended in uppercase)
`<<ADMIN_PASSWORD>>`	`P@ssw0rd!`	DSRM (Directory Services Restore Mode) password
`<<DOMAIN_ADMIN>>`	`Administrator`	Domain administrator account
`<<DOMAIN_ADMIN_PASSWORD>>`	`P@ssw0rd!`	Domain administrator password (for automation)
`<<INTERFACE_ALIAS>>`	`Ethernet`	Network adapter name (e.g., Ethernet, Ethernet0)
`<<PRIMARY_DC_IP>>`	`192.168.1.10`	IP address of the primary domain controller

Step 1: Install the AD DS Role on the First Server

Install the Active Directory Domain Services (AD DS) role on the first server.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Step 2: Create a New Forest and Promote to Domain Controller

Use PowerShell to create a new forest and promote the first server as the Primary Domain Controller.

Forest/Domain Functional Levels

Functional Level	Enum Name
Windows Server 2008	Window2008
Windows Server 2008 R2	Window2008R2
Windows Server 2012	Window2012
Windows Server 2012 R2	Window2012R2
Windows Server 2016	WinThreshold
Windows Server 2025	Win2025

💡 In this example, both forest and domain functional levels are set to Windows Server 2016 (WinThreshold).

Install-ADDSForest `
 -DomainName "<<DOMAIN_NAME>>" `
 -DomainNetbiosName "<<NETBIOS_NAME>>" `
 -SafeModeAdministratorPassword (ConvertTo-SecureString "<<ADMIN_PASSWORD>>" -AsPlainText -Force) `
 -InstallDNS:$true `
 -ForestMode WinThreshold `
 -DomainMode WinThreshold `
 -Force

⚠️ If prompted to reboot, run the following command:

Restart-Computer

Step 3: Verify the First Domain Controller

After promotion, confirm that the domain structure was successfully created.

Get-ADDomain
Get-ADDomainController
Get-Service DNS

Step 4: Install the AD DS Role on the Second Server

Install the AD DS feature on the second server.

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

Step 5: Verify and Configure DNS Settings

Before promoting the second server, ensure DNS settings are correct.
The secondary DC must reference the primary DC’s DNS server for domain join and replication.

# Check current DNS settings
Get-DnsClientServerAddress

# Set DNS to primary DC
Set-DnsClientServerAddress -InterfaceAlias "<<INTERFACE_ALIAS>>" -ServerAddresses "<<PRIMARY_DC_IP>>"

⚠️ If the second DC points to itself as the DNS server, promotion will fail.
Always configure the primary DC as the first DNS server before promotion.

Step 6: Promote the Second Server as an Additional Domain Controller

# Credentials
$User = "<<NETBIOS_NAME>>\<<DOMAIN_ADMIN>>"
$Pass = ConvertTo-SecureString "<<DOMAIN_ADMIN_PASSWORD>>" -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential($User, $Pass)

Install-ADDSDomainController `
 -DomainName "<<DOMAIN_NAME>>" `
 -Credential $Cred `
 -SafeModeAdministratorPassword (ConvertTo-SecureString "<<ADMIN_PASSWORD>>" -AsPlainText -Force) `
 -InstallDNS:$true `
 -Force

⚠️ Reboot if prompted:

Restart-Computer

Step 7: Verify Domain Controller Configuration

Ensure both domain controllers are listed and properly replicating.

Get-ADDomainController -Filter *

To check replication status in detail:

repadmin /replsummary
repadmin /showrepl

Step 8: Check DNS and Time Synchronization (Optional)

Verify DNS service and time synchronization on both DCs.

Get-Service DNS
w32tm /query /status

Conclusion

By following these steps, you can use PowerShell to build a complete Active Directory environment and quickly deploy redundant domain controllers. Automating these steps ensures consistent, repeatable deployments across multiple sites or recovery environments.