---
title: "Active Directory on Windows Nodes"
---

# Troubleshooting Active Directory on Windows Nodes

This guide walks through promoting a Windows Server node to a Domain Controller, joining client nodes to the domain, and resolving the most common issues encountered during setup.

## Common Active Directory Issues

| Issue                                                       | What to do                                                                                                                                                                     |
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Yellow warning triangle does not appear after AD DS install | AD DS may not be installed. Add the role from Server Manager → Add Roles and Features → **Active Directory Domain Services**.                                                  |
| Promotion wizard refuses with "static IP required"          | Set a static IPv4 address on the server before promoting. Domain Controllers cannot use DHCP-assigned addresses.                                                               |
| "Cannot create DNS delegation" warning                      | Expected on the first DC of a new forest. Click **Next**.                                                                                                                      |
| Prerequisites check fails with a NetBIOS name conflict      | Choose a different NetBIOS domain name that is not in use on the network.                                                                                                      |
| Forgot DSRM password                                        | Reset it with `ntdsutil` from an elevated Command Prompt on the domain controller, or boot into DSRM if normal domain logon is not available. Store the new password securely. |
| Client cannot find the domain                               | Confirm the client's primary DNS server is set to the Domain Controller's IP. The client must use the DC for DNS, not a public resolver.                                       |
| Domain join fails with "incorrect credentials"              | Use a domain account with rights to join machines — usually the Domain Administrator.                                                                                          |
| Server Manager → Tools shows no AD tools after promotion    | Sign out and back in, or reboot. RSAT tools register on first login after promotion.                                                                                           |
| Client joined but Group Policy not applying                 | Confirm DNS is pointing at the DC, then run `gpupdate /force` on the client.                                                                                                   |
| Time skew error during domain join                          | Domain Controllers and clients must agree on time. Sync the client's clock (the default w32time configuration with the DC as time source is usually enough).                   |

## Promoting Your Server to a Domain Controller

After installing the Active Directory Domain Services role on your Windows Server, you must promote it before it can act as a Domain Controller.

### 1. Open Server Manager

If Server Manager has been closed, reopen it. Look for a **yellow triangle warning sign** in the menu bar — this indicates that AD DS was installed and post-deployment configuration is pending.

### 2. Open Post-Deployment Configuration

Click the warning sign. The dropdown shows the required post-deployment actions.

### 3. Choose "Promote this Server to a Domain Controller"

This launches the promotion wizard.

### 4. Add a New Forest

On the **Deployment Configuration** screen:

- Select **Add a new forest**.
- Enter your desired **Root Domain Name**.
- Click **Next**.

### 5. Set Domain Controller Options

Leave the defaults in place. Enter and confirm a **Directory Services Restore Mode (DSRM) password**.

:::tip Note
Record the DSRM password securely. Changing it later requires extra steps, and although DSRM is only used in recovery scenarios, the password must be available when it is needed.
:::

### 6. Configure DNS Options

The wizard will warn:

> A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found.

This message is **expected** when promoting the first DC of a new forest. Click **Next** to continue.

### 7. Configure Additional Options

Confirm or enter the **NetBIOS domain name**. Click **Next**.

### 8. Review Pre-Selected Paths

Three or more directory paths will be shown (Database, Log files, SYSVOL). Leave them at the defaults. Click **Next**.

### 9. Review Your Selections

Review the summary. Use **Previous** to change anything; otherwise click **Next**.

### 10. Run Prerequisites Check

The wizard runs a final set of prerequisite checks. Any errors are listed — fix them at the indicated checkpoint and re-run. When all checks pass with green ticks, click **Install**.

### 11. Wait for Installation and Reboot

The server restarts automatically once promotion is complete. AD DS is now running.
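
The same promotion can be scripted with the `ADDSDeployment` cmdlets, which is useful for repeatable builds and makes the static-IP and prerequisite checks explicit. This is an added example, not part of the original guide; the domain name `lab.example.com` and NetBIOS name `LAB` are assumed placeholder values.

```powershell
# Added example (not from the original guide): wizard steps 4-11 as a script.
# Run in an elevated PowerShell session on the server being promoted.
$DomainName  = 'lab.example.com'  # assumption: Root Domain Name (step 4)
$NetbiosName = 'LAB'              # assumption: NetBIOS domain name (step 7)

# Promotion is refused on DHCP-assigned addresses, so fail early if one exists.
$dhcp = Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -eq 'Dhcp'
if ($dhcp) {
    throw "DHCP address on: $($dhcp.InterfaceAlias -join ', '). Set a static IPv4 address first."
}

# Install the AD DS role if it is missing (the "no yellow triangle" case).
if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed) {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null
}
Import-Module ADDSDeployment

# Step 5: prompt for the DSRM password so it never appears in the script,
# the console history, or a transcript.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM password'

# Steps 4-8: new forest, defaults for Database, Log files and SYSVOL paths.
$forest = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    CreateDnsDelegation           = $false  # first DC of a new forest: no parent zone
}

# Step 10: run the prerequisite checks without changing anything.
$check = Test-ADDSForestInstallation @forest
$check | Format-List Status, Message
if ($check | Where-Object Status -ne 'Success') {
    throw 'Prerequisite check failed. Fix the reported items and run again.'
}

# Step 11: promote. The cmdlet asks for confirmation, then reboots the server.
Install-ADDSForest @forest
```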

## Connecting a Client to the Domain Controller

On the client Windows node:

1. Open **Server Manager → Local Server**, click **WORKGROUP**.

2. Click **Change**.

3. Enter the **Domain Name** of the promoted Domain Controller. Click **OK**.

4. Click **OK** in the **Computer Name / Domain Changes** dialog and **restart** the client machine.

### Verify the Domain Join

On the Domain Controller:

- Open **Server Manager → Tools → Active Directory Users and Computers → Domain Controllers**.

On the client:

- Open **Network & Internet settings** and confirm the domain membership.
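
The client-side causes listed in the issues table (DNS not pointing at the DC, the domain not being found, time skew, Group Policy not applying) can be checked from PowerShell on the client. This is an added example, not part of the original guide; `lab.example.com` and `10.0.0.10` are assumed placeholders for the domain name and the Domain Controller's static IPv4 address.

```powershell
# Added example (not from the original guide). Run elevated on the client.
$Domain = 'lab.example.com'  # assumption: domain name entered during the join
$DcIp   = '10.0.0.10'        # assumption: Domain Controller's static IPv4 address

# 1. DNS: the client must use the DC as its resolver, not a public one.
$dns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses |
    Select-Object -Unique
if ($DcIp -notin $dns) {
    Write-Warning "DNS servers are [$($dns -join ', ')]; the DC $DcIp is not among them."
}

# 2. Domain discovery: clients locate a DC through this SRV record.
try {
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $DcIp -ErrorAction Stop |
        Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Port
} catch {
    Write-Warning "No DC locator record found for ${Domain}: $($_.Exception.Message)"
}

# 3. Time skew: print the clock offset between this client and the DC.
#    Kerberos rejects authentication beyond a 5-minute difference by default.
w32tm /stripchart /computer:$DcIp /samples:1 /dataonly

# 4. After the join and reboot: confirm membership and the secure channel,
#    then refresh Group Policy.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if ($cs.PartOfDomain) {
    "Joined to domain: $($cs.Domain)"
    if (Test-ComputerSecureChannel) {
        gpupdate /force
    } else {
        Write-Warning 'Secure channel to the domain is broken; Group Policy will not apply.'
    }
} else {
    Write-Warning "Not domain-joined (workgroup: $($cs.Workgroup))."
}
```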

## Related Resources

- [Active Directory on Windows Nodes](/docs/myaccount/node/troubleshoot/active-directory)
- [Connect to a Windows Node](/docs/myaccount/node/connect-to-node/windows-node)
- [Network Troubleshooting](./network.md)
- [Security Troubleshooting](./security.md)

---
