Troubleshooting Active Directory on Windows Nodes
This guide walks through promoting a Windows Server node to a Domain Controller, joining client nodes to the domain, and resolving the most common issues encountered during setup.
Common Active Directory Issues
| Issue | What to do |
|---|---|
| Yellow warning triangle does not appear after AD DS install | AD DS may not be installed. Add the role from Server Manager → Add Roles and Features → Active Directory Domain Services. |
| Promotion wizard refuses with "static IP required" | Set a static IPv4 address on the server before promoting. Domain Controllers cannot use DHCP-assigned addresses. |
| "Cannot create DNS delegation" warning | Expected on the first DC of a new forest. Click Next. |
| Prerequisites check fails with a NetBIOS name conflict | Choose a different NetBIOS domain name that is not in use on the network. |
| Forgot DSRM password | Reset it with ntdsutil from an elevated Command Prompt on the domain controller, or boot into DSRM if normal domain logon is not available. Store the new password securely. |
| Client cannot find the domain | Confirm the client's primary DNS server is set to the Domain Controller's IP. The client must use the DC for DNS, not a public resolver. |
| Domain join fails with "incorrect credentials" | Use a domain account with rights to join machines — usually the Domain Administrator. |
| Server Manager → Tools shows no AD tools after promotion | Sign out and back in, or reboot. RSAT tools register on first login after promotion. |
| Client joined but Group Policy not applying | Confirm DNS is pointing at the DC, then run gpupdate /force on the client. |
| Time skew error during domain join | Domain Controllers and clients must agree on time. Sync the client's clock (the default w32time configuration with the DC as time source is usually enough). |
Promoting Your Server to a Domain Controller
After installing the Active Directory Domain Services role on your Windows Server, you must promote it before it can act as a Domain Controller.
1. Open Server Manager
If Server Manager has been closed, reopen it. Look for a yellow triangle warning sign in the menu bar — this indicates that AD DS was installed and post-deployment configuration is pending.
2. Open Post-Deployment Configuration
Click the warning sign. The dropdown shows the required post-deployment actions.
3. Choose "Promote this Server to a Domain Controller"
This launches the promotion wizard.
4. Add a New Forest
On the Deployment Configuration screen:
- Select Add a new forest.
- Enter your desired Root Domain Name.
- Click Next.
5. Set Domain Controller Options
Leave the defaults in place. Enter and confirm a Directory Services Restore Mode (DSRM) password.
Record the DSRM password securely. Changing it later requires extra steps and DSRM is only used during recovery scenarios — but it must be available when needed.
6. Configure DNS Options
The wizard will warn:
A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found.
This message is expected when promoting the first DC of a new forest. Click Next to continue.
7. Configure Additional Options
Confirm or enter the NetBIOS domain name. Click Next.
8. Review Pre-Selected Paths
Three or more directory paths will be shown (Database, Log files, SYSVOL). Leave them at the defaults. Click Next.
9. Review Your Selections
Review the summary. Use Previous to change anything; otherwise click Next.
10. Run Prerequisites Check
The wizard runs a final set of prerequisite checks. Any errors are listed — fix them at the indicated checkpoint and re-run. When all checks pass with green ticks, click Install.
11. Wait for Installation and Reboot
The server restarts automatically once promotion is complete. AD DS is now running.
Connecting a Client to the Domain Controller
On the client Windows node:
-
Open Server Manager → Local Server, click WORKGROUP.
-
Click Change.
-
Enter the Domain Name of the promoted Domain Controller. Click OK.
-
Click OK in the Computer Name / Domain Changes dialog and restart the client machine.
Verify the Domain Join
On the Domain Controller:
- Open Server Manager → Tools → Active Directory Users and Computers → Domain Controllers.
On the client:
- Open Network & Internet settings and confirm the domain membership.
Related Resources
- Active Directory on Windows Nodes
- Connect to a Windows Node
- Network Troubleshooting
- Security Troubleshooting