How to Deploy a Secure Windows Server Core Domain Controller (AD DS + DNS) with Redundancy

In this lab, you will deploy a Windows Server Core domain controller, configure Active Directory Domain Services and DNS, join a Windows 10 workstation to the domain, and add a second domain controller for redundancy.

Scenario

Your organisation is modernising its on‑premises infrastructure and wants to improve the security posture of its Active Directory environment. The current domain controllers run the Desktop Experience installation of Windows Server, which carries more installed components than Server Core, and therefore more to patch and a larger attack surface.

You have been tasked with deploying a new domain on Windows Server Core, configuring remote management, and providing redundancy by adding a second domain controller. This lab walks through the full process in the order you would follow in production; only the placeholder names and addresses are lab-specific.

Lab Objectives

By the end of this lab, you will be able to:

  • Install and configure Windows Server Core as a domain controller.
  • Deploy a new Active Directory forest and DNS server.
  • Join a Windows 10 workstation to the domain and manage the DC remotely using RSAT.
  • Add a second Server Core domain controller for redundancy.
  • Validate AD replication and failover between domain controllers.

Prerequisites

  • Windows Server 2019 (Server Core installation media)
  • A Windows 10 workstation
  • Local administrator access on both servers and the workstation
  • Ability to configure static IP addressing
  • Internet access for Windows Updates and RSAT installation

Install Windows Server Core

Prepare the base operating system for domain controller deployment.

  1. Boot from the Windows Server 2019 installation media.
  2. Select Windows Server 2019 Standard/Datacenter – Server Core.
  3. Complete the installation and set the local Administrator password.

Verification
You should be presented with a command prompt (cmd.exe) at logon rather than a desktop; this confirms Server Core is installed.

Configure Server Core Using sconfig

Set the hostname, networking, updates, and remote management.

  1. Run sconfig from the command prompt.
  2. Configure:
    • Computer Name (for example DC01)
    • Administrator account password
    • Windows Updates (Download and Install All)
    • Static IP address and DNS. Until the DNS role exists, point the DNS client at an existing resolver so updates can download; Install-ADDSForest switches the DNS client to this server when it installs the DNS role.
    • Enable Remote Management (WinRM), which Server Manager and PowerShell remoting rely on later
  3. Restart the server when prompted.

Verification
Run ipconfig /all and confirm the hostname, IP address, default gateway, and DNS servers are the values you set.
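The same configuration, scripted in PowerShell instead of the sconfig menu. This is an added example and not part of the original lab; the hostname DC01, the address 192.168.10.10/24, the gateway 192.168.10.1 and the upstream resolver are assumed values. Windows Update has no built-in cmdlet on Server 2019, so that step stays in sconfig.

```powershell
# Added example (not from the original lab): PowerShell equivalent of the sconfig steps,
# run in an elevated PowerShell session on the freshly installed Server Core box.
# Assumed values: hostname DC01, address 192.168.10.10/24, gateway 192.168.10.1,
# upstream resolver 192.168.10.1 (used only until this server runs DNS itself).
$NewName   = 'DC01'
$IPAddress = '192.168.10.10'
$Prefix    = 24
$Gateway   = '192.168.10.1'
$Resolver  = '192.168.10.1'

# Pick the first connected physical NIC rather than hard-coding the alias "Ethernet".
$nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
if (-not $nic) { throw 'No connected physical network adapter found.' }

# Turn off DHCP on the interface and drop any address and default route it handed out.
Set-NetIPInterface -InterfaceIndex $nic.ifIndex -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress $IPAddress `
    -PrefixLength $Prefix -DefaultGateway $Gateway | Out-Null

# Point at an existing resolver for now so Windows Update can resolve names;
# Install-ADDSForest moves the DNS client to this server once the DNS role is installed.
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $Resolver

# Remote management: WinRM listener plus its firewall rules (what sconfig's
# "Configure Remote Management" option does; already on by default on Server 2019).
Enable-PSRemoting -Force
# Server Manager's event log and service views use RPC, which these firewall groups allow.
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
Enable-NetFirewallRule -DisplayGroup 'Remote Service Management'

# Rename last; the new name takes effect after the reboot.
Rename-Computer -NewName $NewName -Force
Restart-Computer -Force
```

After the reboot, Get-NetIPConfiguration shows the same information as ipconfig /all in object form and is the quicker check in a script.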

Install Active Directory Domain Services

Add the AD DS role and prepare the server for domain creation.

  1. Enter PowerShell:
    powershell
  2. Install AD DS:
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
  3. Verify installation:
    Get-WindowsFeature AD-Domain-Services

Verification
The AD DS role should show as Installed.

Create a New Forest and Domain

Promote the server to a domain controller.

  1. Run (the cmdlet installs the DNS Server role and creates the AD-integrated zone by default):
    Install-ADDSForest -DomainName "yourdomain.local"
    Replace yourdomain.local with a subdomain of a DNS name your organisation controls, such as corp.example.com. The .local suffix is reserved for multicast DNS and cannot appear in publicly issued certificates, which matters once you add services such as LDAPS.
  2. Set the Directory Services Restore Mode (DSRM) password when prompted and confirm the operation. Store the DSRM password securely; it is the only way to log on to the DC if the directory fails to start.
  3. Allow the server to reboot automatically.

Verification
After reboot, run:

  • Get-ADDomain
  • Get-ADDomainController
  • Get-Service DNS

All should return valid results confirming AD DS and DNS are operational.
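The promotion with every setting spelled out, followed by the post-reboot checks. This is an added example, not code from the original lab; the DNS name corp.example.com and the NetBIOS name CORP are assumed values.

```powershell
# Added example (not from the original lab): non-interactive forest creation with the
# settings made explicit, then the checks to run after the reboot.
# Assumed values: DNS name corp.example.com, NetBIOS name CORP.
Import-Module ADDSDeployment

# Prompt for the DSRM password rather than embedding it in the script.
$dsrm = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString

$forest = @{
    DomainName                    = 'corp.example.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'WinThreshold'   # Windows Server 2016 level, the highest for 2019
    DomainMode                    = 'WinThreshold'
    InstallDns                    = $true            # DNS Server role plus the AD-integrated zone
    CreateDnsDelegation           = $false           # no parent zone to delegate from in the lab
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrm
}

# Prerequisite checks only; nothing is changed yet.
Test-ADDSForestInstallation @forest

# -Force skips the confirmation prompt; the server reboots when the promotion finishes.
Install-ADDSForest @forest -Force

# ----- After the reboot, logged on as CORP\Administrator -----
Get-ADDomain | Select-Object DNSRoot, NetBIOSName, DomainMode, PDCEmulator
Get-ADDomainController | Select-Object HostName, IPv4Address, IsGlobalCatalog, Site
Get-Service NTDS, DNS, Kdc, Netlogon | Select-Object Name, Status

# Clients locate a DC through these SRV records, so they must resolve from the DC itself.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.com' -Type SRV
Resolve-DnsName -Name '_kerberos._tcp.corp.example.com' -Type SRV

# dcdiag /q prints only failures; no output means every test passed.
dcdiag /q
```

The SRV lookups are the check the three cmdlets in the verification list do not cover: a DC whose services are running but whose locator records are missing will still fail every domain join.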

Join a Windows 10 Workstation to the Domain

Prepare the management workstation and join it to the new domain.

  1. Set the workstation’s DNS server to the IP address of the domain controller; the workstation finds a DC through the domain’s SRV records, so it must query the DC’s DNS.
  2. Open PowerShell as Administrator and run the following, supplying the domain administrator password when prompted:
    Add-Computer -DomainName "yourdomain.local" -Credential "yourdomain\Administrator"
  3. Restart the workstation.

Verification
Log in using a domain account. A successful logon confirms DNS resolution, DC location, and Kerberos authentication against the new domain.

Install RSAT on Windows 10

Enable remote management of the domain controller.

  1. Go to Settings → Apps → Optional Features (RSAT ships as Features on Demand in Windows 10 1809 and later).
  2. Install:
    • RSAT: Active Directory Domain Services and Lightweight Directory Services Tools
    • RSAT: DNS Server Tools
    • RSAT: Server Manager
  3. Open Server Manager, add the Server Core domain controller by name, and confirm it shows as Online. This relies on the WinRM remote management enabled in sconfig.

Verification
You should now be able to open Active Directory Users and Computers, DNS Manager, and manage the DC remotely.
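The same RSAT installation from an elevated PowerShell session on the workstation, with a check that the workstation can really manage the DC. This is an added example, not part of the original lab; the DC name DC01.corp.example.com is assumed.

```powershell
# Added example (not from the original lab): install the RSAT components as Features on
# Demand (Windows 10 1809 or later) and confirm remote management of the Server Core DC.
# Assumed DC name: DC01.corp.example.com.
$DC = 'DC01.corp.example.com'

$caps = @(
    'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0',   # ADUC, ADAC, ActiveDirectory module
    'Rsat.Dns.Tools~~~~0.0.1.0',                      # DNS Manager, DnsServer module
    'Rsat.ServerManager.Tools~~~~0.0.1.0'             # Server Manager
)
foreach ($c in $caps) {
    if ((Get-WindowsCapability -Online -Name $c).State -ne 'Installed') {
        Add-WindowsCapability -Online -Name $c | Out-Null
    }
}
Get-WindowsCapability -Online -Name 'Rsat.*' | Where-Object State -eq 'Installed' | Select-Object Name

# Server Manager and the remote consoles depend on WinRM; Test-WSMan fails immediately
# if the remote-management step in sconfig was skipped or TCP 5985 is blocked.
Test-WSMan -ComputerName $DC -Authentication Default

# Targeting the DC explicitly from the AD and DNS modules is the quickest end-to-end check.
Get-ADDomainController -Server $DC | Select-Object HostName, OperatingSystem, IsGlobalCatalog
Get-DnsServerZone -ComputerName $DC | Select-Object ZoneName, ZoneType, IsDsIntegrated
```

If Test-WSMan succeeds but the consoles fail, the usual cause is the workstation resolving the DC by a name that does not match its Kerberos SPN; use the fully qualified name throughout.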

Deploy a Second Server Core Domain Controller

Add redundancy to the domain.

  1. Install Windows Server Core on a second server (DC02) and configure its hostname and static IP as you did for DC01.
  2. Point DC02’s DNS client at DC01 only; DC02 has no DNS service yet. After promotion, set each DC to query the other DC first and itself second, so that neither depends solely on its own DNS service being up.
  3. Join the server to the domain and restart, then log on with a domain administrator account:
    Add-Computer -DomainName "yourdomain.local" -Credential "yourdomain\Administrator"
  4. Install AD DS and promote the server (the DNS Server role is installed by default because the domain already hosts DNS):
    Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
    Install-ADDSDomainController -DomainName "yourdomain.local"
  5. Set the DSRM password when prompted and allow the server to reboot.

Verification
Run on either DC:
Get-ADDomainController -Filter *
Both DC01 and DC02 should appear.
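The promotion of DC02 scripted end to end, including the DNS client ordering on both DCs that the interactive steps leave to the reader. This is an added example and not part of the original lab; the addresses 192.168.10.10 (DC01) and 192.168.10.11 (DC02) and the domain corp.example.com are assumed values.

```powershell
# Added example (not from the original lab): promote DC02 from an elevated PowerShell
# session on DC02, then set the DNS client order on both DCs the way AD expects.
# Assumed values: DC01 = 192.168.10.10, DC02 = 192.168.10.11, domain corp.example.com.
$DC01   = '192.168.10.10'
$DC02   = '192.168.10.11'
$Domain = 'corp.example.com'

# DC02 needs the role binaries before it can be promoted.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools | Out-Null

# With an explicit domain admin credential the promotion joins the domain itself,
# so a prior Add-Computer is optional.
$cred = Get-Credential -UserName 'CORP\Administrator' -Message 'Domain admin credential'
$dsrm = Read-Host -Prompt 'DSRM password for DC02' -AsSecureString

$dc = @{
    DomainName                    = $Domain
    Credential                    = $cred
    InstallDns                    = $true
    ReplicationSourceDC           = "DC01.$Domain"            # take the initial copy from DC01
    SiteName                      = 'Default-First-Site-Name'  # the site a new forest creates
    SafeModeAdministratorPassword = $dsrm
}
Test-ADDSDomainControllerInstallation @dc
# Hold the reboot so the DNS client change below can be made first.
Install-ADDSDomainController @dc -NoRebootOnCompletion:$true -Force

# DNS client order on a DC: partner first, itself second. A DC that lists only itself
# can fail to locate a replication partner at boot, before its own DNS service has
# loaded the AD-integrated zones.
$nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $DC01, $DC02

# The mirror-image change on DC01, made over WinRM with the same credential.
Invoke-Command -ComputerName "DC01.$Domain" -Credential $cred -ScriptBlock {
    $n = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
    Set-DnsClientServerAddress -InterfaceIndex $n.ifIndex -ServerAddresses $using:DC02, $using:DC01
}
Restart-Computer -Force
```

Once DC02 is back, Get-ADDomainController -Filter * run against either DC should list both servers with IsGlobalCatalog set to True.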

Validate AD Replication

Ensure both domain controllers are synchronising correctly.

  1. On DC01, create a new AD user.
  2. Wait about 15 seconds. Within a site, a DC notifies its partners of a change after a short delay rather than on a schedule, so the object should arrive almost immediately.
  3. On DC02, open Active Directory Users and Computers remotely (connect the console to DC02 explicitly, not to whichever DC it finds first) and check for the new user.

Verification
The user should appear on both domain controllers, confirming replication is working.
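The same replication check as a script, so that it can be repeated after any change to the topology. This is an added example and not part of the original lab; it assumes the DC names DC01.corp.example.com and DC02.corp.example.com and runs from the RSAT workstation, where the ActiveDirectory module and repadmin are installed with the AD DS tools.

```powershell
# Added example (not from the original lab): create a test user on DC01, prove it
# reached DC02, then read the replication status the DCs report about each other.
# Assumed names: DC01.corp.example.com and DC02.corp.example.com.
$Source = 'DC01.corp.example.com'
$Target = 'DC02.corp.example.com'
$Sam    = 'repltest-{0:HHmmss}' -f (Get-Date)   # unique and under the 20-character sAMAccountName limit

New-ADUser -Server $Source -Name $Sam -SamAccountName $Sam -Enabled $false `
    -Description 'replication test object; safe to delete'

# Intra-site replication runs on change notification (about 15 s), so poll instead of guessing.
$deadline = (Get-Date).AddMinutes(2)
do {
    $found = Get-ADUser -Server $Target -Filter "SamAccountName -eq '$Sam'" -ErrorAction SilentlyContinue
    if (-not $found) { Start-Sleep -Seconds 5 }
} until ($found -or (Get-Date) -gt $deadline)

if ($found) { "Replicated $Sam to $Target" } else { throw "$Sam did not reach $Target within 2 minutes" }

# Partner metadata: LastReplicationSuccess should be recent and ConsecutiveReplicationFailures 0.
Get-ADReplicationPartnerMetadata -Target $Target -Partition Domain |
    Select-Object Server, Partner, LastReplicationSuccess, ConsecutiveReplicationFailures

# repadmin is the authoritative view; /replsummary lists failures across every DC.
repadmin /replsummary

# Remove the test object; the deletion is one more change that has to replicate.
Remove-ADUser -Server $Source -Identity $Sam -Confirm:$false
```

Running the check in the other direction (create on DC02, look on DC01) takes only a swap of $Source and $Target and catches one-way replication failures, which a single-direction test misses.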

Test Domain Controller Failover

Confirm that authentication continues even if one DC goes offline.

  1. Make sure the workstation lists DC02 as an alternate DNS server; otherwise it cannot locate a DC once DC01 is down.
  2. Shut down DC01.
  3. Log off the Windows 10 workstation and log in again using a domain account.
  4. Check DNS and AD services on DC02.

Verification
Login should succeed, and the LOGONSERVER environment variable in the new session should name DC02. A successful login alone is not proof: Windows 10 caches the last ten domain logons by default and will accept a cached credential with no DC reachable, so check the logon server or query DC02’s DNS directly. Authentication and Group Policy continue with DC01 down, but operations tied to the FSMO roles it holds (for example the PDC emulator acting as the domain’s time source) are unavailable until it returns.
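The failover checks as commands on the workstation, each of which distinguishes a real answer from DC02 from a cached logon. This is an added example, not part of the original lab; the domain corp.example.com and DC02 at 192.168.10.11 are assumed values.

```powershell
# Added example (not from the original lab): run on the Windows 10 workstation after
# DC01 is shut down, to show that DC02 is doing the work rather than cached credentials.
# Assumed values: domain corp.example.com, DC02 at 192.168.10.11.
$Domain = 'corp.example.com'
$DC02   = '192.168.10.11'

# 1. The workstation must list DC02 as a DNS server, or it cannot find any DC without DC01.
$nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
(Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses

# 2. DNS: ask DC02 itself for the SRV record clients use to locate a DC.
Resolve-DnsName -Server $DC02 -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
    Select-Object Name, NameTarget, Port

# 3. Locator: force a fresh DC discovery instead of trusting the cached result.
nltest "/dsgetdc:$Domain" /force

# 4. Authentication: LOGONSERVER is set at logon, so log off and on again before reading it.
$env:LOGONSERVER                 # expected \\DC02

# A new TGT request shows which KDC answered ("KDC called:" in the output).
klist purge | Out-Null
klist get "krbtgt/$Domain"

# 5. Services on DC02 itself, over WinRM.
Invoke-Command -ComputerName "DC02.$Domain" -ScriptBlock {
    Get-Service -Name NTDS, DNS, Kdc, Netlogon | Select-Object Name, Status
}
```

Step 4 is the one that matters: klist get cannot be satisfied from the credential cache, so a fresh ticket with DC02 as the KDC is direct evidence that DC02 authenticated the session.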

Conclusion

In this lab, you deployed a Windows Server Core domain controller, configured Active Directory Domain Services and DNS, enabled remote management using RSAT, and added a second domain controller for redundancy. You validated replication and confirmed that authentication continues when one domain controller is offline.

Server Core removes the desktop shell and its dependencies from the domain controllers, which reduces what must be patched and what an attacker can target, and the second domain controller removes the single point of failure in your organisation’s identity infrastructure.
