We’re building a workgroup-based Windows Server from scratch and preparing it for manual Active Directory promotion, without any domain migration tools, managing everything manually and precisely. Here’s a consolidated checklist of everything we’ve done pre-promotion, what’s confirmed ready, and what’s left to do both before and after promotion.
✅ Phase 1: Completed So Far — Pre-AD Manual Setup
| Task | Status | Notes |
|---|---|---|
| Fresh install of Windows Server (2025) | ✅ | Clean slate |
| Hostname set | ✅ | Presumably |
| Windows Updates applied | ✅ | Snapshot PRE-UPDATES reflects pre-patch state |
| Tailscale installed and authenticated | ✅ | Working, tested (tailscale ip -4) |
| Verified network access from Mac and/or remote systems | ✅ | RDP / Proxmox / ping over Tailscale all functional |
| Snapshots taken at key stages | ✅ | Structured: PRE-UPDATES, Pre-AD-Promotion |
| Domain controller role not yet installed | ✅ | We’re at pre-AD state now |
🔍 Final Pre-Promotion Checklist
Before promoting to a Domain Controller, consider these optional but recommended checks:
| Task | Do It Now? | Notes |
|---|---|---|
| Set static IP address | ✅ | DHCP-reserved; stability is important for AD |
| Set a strong DSRM password (we will be prompted) | ✅ | Needed during promotion; store it securely |
| Confirm time zone and time sync are correct | ✅ | Clock skew will break Kerberos; not to mention much else. |
| Disable IPv6 (if not using it) | Optional | Cleans up complexity in single-server domains |
| Disable unused NICs | Optional | If using only 1 network interface – but we want No. 2 for a backup link. |
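
A preflight script for the checks in the table above, added here as an example and not part of the original checklist. It assumes an elevated PowerShell session on the server and the domain names from the Phase 2 command; `Add-Check` and the `WIN-` default-name heuristic are this example's own, and the `w32tm` source match assumes English output.

```powershell
# Added example (not from the original checklist): pre-promotion preflight.
# Assumes an elevated session; names below are taken from the Phase 2 command.
$DomainName  = 'server.local'
$NetbiosName = 'SERVER'
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check($Name, $Value, $Ok) {   # hypothetical helper for this example
    $results.Add([pscustomobject]@{ Check = $Name; Value = $Value; Ok = $Ok })
}

# Hostname: a setup-generated WIN-xxxx name means it was never set (heuristic).
Add-Check 'Hostname' $env:COMPUTERNAME ($env:COMPUTERNAME -notmatch '^WIN-')

# Addressing: report each routed IPv4 interface and whether it relies on DHCP.
Get-NetIPConfiguration | Where-Object IPv4DefaultGateway | ForEach-Object {
    $dhcp = (Get-NetIPInterface -InterfaceIndex $_.InterfaceIndex -AddressFamily IPv4).Dhcp
    $ip   = $_.IPv4Address.IPAddress -join ','
    # An APIPA address means no lease or static address is actually in effect.
    Add-Check "IPv4 $($_.InterfaceAlias)" "$ip (DHCP: $dhcp)" ($ip -notlike '169.254.*')
}

# Time: clock skew breaks Kerberos, so the clock needs a real sync source.
$w32    = w32tm /query /status 2>&1
$w32Ok  = $LASTEXITCODE -eq 0
$source = ($w32 | Select-String '^Source:' | Select-Object -First 1).Line
Add-Check 'Time source' $source ($w32Ok -and $source -notmatch 'Local CMOS Clock|Free-running')
Add-Check 'Time zone' (Get-TimeZone).Id $true   # informational: confirm by eye

# AD DS prerequisites: dry run of the promotion, available once the role is installed.
if ((Get-WindowsFeature AD-Domain-Services).Installed) {
    # Prompted as a SecureString so the DSRM password never lands in history or a script.
    $dsrm = Read-Host -AsSecureString 'DSRM password'
    Test-ADDSForestInstallation -DomainName $DomainName -DomainNetbiosName $NetbiosName `
        -InstallDns -SafeModeAdministratorPassword $dsrm |
        ForEach-Object { Add-Check 'ADDS prerequisite test' $_.Message ($_.Status -eq 'Success') }
} else {
    Add-Check 'ADDS prerequisite test' 'Skipped: AD-Domain-Services not installed yet' $false
}

$results | Format-Table -AutoSize -Wrap
```

Any row with `Ok = False` is worth resolving before taking the Pre-AD-Promotion snapshot and promoting.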
🏁 Phase 2: Active Directory Promotion
We’re ready to run:
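```powershell
# -IncludeManagementTools adds the AD module that Get-ADDomain/Get-ADForest need
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
# Prompt for the DSRM password instead of leaving it in plain text in the command history
Install-ADDSForest -DomainName "server.local" -DomainNetbiosName "SERVER" -InstallDNS `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString "DSRM password")
```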
After reboot, validate with:
```powershell
Get-ADDomain
Get-ADForest
dcdiag
Get-DnsServerZone
```
Then take snapshot: Post-AD-Promotion.
🛠 Phase 3: After Promotion — To-Do List
Here’s what I have outlined for post-promotion tasks and suggested actions:
| Task | Category | Suggestions |
|---|---|---|
| Create all users | AD | Use New-ADUser, or do it manually via ADUC |
| Shared documents folders | File Server | Create shares and apply NTFS + Share permissions |
| System printer | Print Server | Install via Print Management → share via Group Policy |
| Activate Remote Desktop Licences | Licensing | Install RD Licensing role; activate CALs (manual) |
| Create OUs | AD | Logical structure (e.g., Users, Workstations, Groups) |
| Group Policies | AD | GPOs for login scripts, printer deploy, folder redirection etc. |
| Schedule backups | Maintenance | Proxmox snapshot + Windows Server Backup or PBS |
| Enable time sync | NTP | If stand-alone, configure to sync with reliable external NTP |
| Document config | Admin | Export Get-ADUser, Get-GPO, etc. for future auditing |
💡 Useful Commands notes
Create a user

```powershell
New-ADUser -Name "John Smith" -SamAccountName "jsmith" -AccountPassword (Read-Host -AsSecureString "Password") -Enabled $true -Path "OU=Users,DC=yourdomain,DC=local"
```

Share a folder

```powershell
New-SmbShare -Name "Documents" -Path "D:\Documents" -FullAccess "Domain Users"
```

Add network printer (after setup)

```cmd
rundll32 printui.dll,PrintUIEntry /ga /n "\\ourserver\ourPrinter"
```
—
✅ Summary: We’re Ready!
We are completely ready to promote this clean server to domain controller.
After AD promotion:
- Set up users, shares, printers, GPOs, and licensing as outlined above.
- We’re now working from a clean, validated baseline with great snapshot coverage.