AD Domain Controller Build Best Practices

DOMAIN NAMING:

  • Do not use Domain.local, since “.local” is not routable
  • Use an Internet routable domain name, such Domain.com or Domain.net
  • Best practice is to use the same name as your public domain name
  • Do not use dashes (-) or underscores (_) in the DC server names
  • Allows to get a public SSL/TLS certificate
  • Allows to setup Entra ID Connect Sync to sync on-prem domain object to the cloud

DOMAIN CONTROLLER (DC) NAMING:

  • DC names should follow a standard naming convention, such as “DC01”, “DC02”, etc
  • Name should be 15 or less characters long to comply with NetBIOS
  • Do not use dashes (-) or underscores (_) in the DC server names

DC BUSINESS CONTINUITY:

  • DCs should not be shut down to operate efficiently; shutting down DCs breaks replication and authentication from workstations and other services
  • For testing purposes, a single DC is sufficient holding all FSMO roles
  • DC should be backed up regularly and backups tested
  • DCs should be on recent, supported versions (Server 2019, 2022, or 2025)

DNS SERVER BEST PRACTICES:

  • With a single DC in a domain, the DC should point their primary DNS to themselves
  • With two DCs in a domain, DC01 should point to DC02 as primary, and itself as secondary
  • With multiple DCs, follow the same strategy as above, pointing the DC to itself last
  • Do not use loopback IP addresses in DNS settings (i.e 127.0.0.1)
  • Do not use public DNS servers in DCs Network Interface Card (NIC) settings (i.e. 8.8.8.8)

DOMAIN ADMINISTRATORS:

  • Domain Administrators should not be standard users with elevated rights
  • If you John Smith has a user account “John.Smith” they should have a “John.Smith-Admin” account that has elevated Domain Admin role and is not used by the user regularly
  • Domain Admin accounts should be monitored for suspicious activity (MDR, SIEM, IDS, etc)
  • Domain Admin accounts should have complex passwords, different from other passwords; passwords should not be shared with others
  • Domain Admin accounts should have MFA where possible
  • Domain Admin accounts should be unique to each admin for proper auditing; no re-sharing accounts between multiple users for auditing and non-repudiation purposes

SETTING EXTERNAL TIME SOURCES:

There are three common scenarios:

  • Single DC: Set an external time source if it’s the single DC (by default it’s the PDC Emulator role holder).
  • Multiple DCs at one site: If there are multiple DCs at one site, set an external time source on the PDC Emulator ONLY (other DCs and computers will get time from it).
  • *Multiple DCs at several sites: If there are multiple DCs across sites, set an external time source on one DC per site.  

You can use commands to set external sources (in Administrative mode):

  • Set external time sources: w32tm /config /syncfromflags:manual /manualpeerlist:”0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org”
  • Restart time service: net stop w32time && net start w32time
  • Update time config: w32tm /config /update
  • Resync: w32tm /resync

Verify configuration: w32tm /query /configuration

CONFIGURE GROUP POLICIES:

Create group policies for everything possible, to automate user onboarding, workstation setups, etc.

  • Network Printers Deployment
  • Network Shares/Drives Deployment
  • Domain Password Policy
  • Windows Firewall
  • Loopback Policy
  • Enable Remote Desktop
  • Create Desktop/Web Shortcuts
  • Browser Restrictions (Edge, Chrome, Firefox)
    • Block password saving
    • Cloud sync account sign-in
    • Insecure settings
  • Windows 10/11

SECURE THE ENVIRONMENT:

  • No user accounts with Domain Admin access
  • Disable LLMNR and NETBIOS
  • Disable SMBv1
  • Ensure file shares and NTFS permissions are secure and appropriate

RUN DC DIAGNOSTICS:

When you build Domain Controllers, you should run diagnostic commands on each DC, and save results of the commands:

  • Directory Server Diagnosis: DCDiag > C:\DCDiag_ServerName_Date.txt
  • DNS Diagnosis: DCDiag /Test:DNS > C:\DCDiagDNS_ServerName_Date.txt
  • AD Replication Status Last Attempt: Repadmin /Showreps > C:\RepadminSho_ServerName_Date.txt
  • AD Replication Status Summary: Repadmin /Replsum > C:\RepadminReplsm_ServerName_Date.txt
  • AD Sync with all Replication Partners: Repadmin /Syncall  > C:\RepadminSync_ServerName_Date.txt
  • Who are the FSMO role holders?: Netdom query fsmo > C:\NetdomFSMO_ServerName_Date.txt
  • What are the DCs?: Netdom query dc > C:\NetdomDC_ServerName_Date.txt

This ensures you have written documentation showing that, at the time your work was completed, the following conditions were verified: the domain controllers in place, the designated FSMO role holders, successful DNS and DCDIAG test results, and healthy replication across all DCs.

Found this useful? Share with others:

Follow by Email
LinkedIn
Share
X (Twitter)
Reddit
Facebook

people found this article helpful. What about you?