Windows Server 2025: Secure Single-DC Domain Build


Windows Server 2025: Secure Single-DC Domain Build (Contoso.com)

A start-to-finish, production-grade guide for deploying a fully secured Windows Server 2025 Domain Controller holding all FSMO roles, with DNS (DNSSEC), DHCP, and Certificate Services, designed as the first and only DC in the domain.


Architecture Overview

Domain: contoso.com
Server Name: DC01
Server IP: 10.10.10.224/24
Gateway: 10.10.10.1
Roles Installed:

  • Active Directory Domain Services (AD DS)

  • DNS Server (DNSSEC enabled)

  • DHCP Server

  • Active Directory Certificate Services (AD CS)

Security Design Principles Applied:

  • Tier 0 hardening

  • Secure DNS with DNSSEC

  • Least privilege

  • Secure service bindings

  • Modern crypto defaults

  • No legacy protocols


Phase 1 – Base OS Preparation

1. Install Windows Server 2025

  • Install Windows Server 2025 (Standard or Datacenter)

  • Choose Desktop Experience

  • Use NTFS for system volume

  • Apply all Windows Updates

2. Rename the Server

Rename-Computer -NewName DC01 -Restart

3. Configure Static IP

New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 10.10.10.224 -PrefixLength 24 -DefaultGateway 10.10.10.1
Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 127.0.0.1

4. Harden Network Stack (Early)

Disable-NetAdapterBinding -Name "Ethernet" -ComponentID ms_tcpip6

(IPv6 can be re-enabled later if required; disabled initially to avoid misbinding issues.)


Why this matters (Phase 1)

A clean, hardened base OS prevents configuration drift and identity corruption later. Most AD failures trace back to rushed network setup or post-promotion renames—both avoided here.

⚠️ Operational Callout – Failure Signals

If this breaks, here’s how you’ll know:

  • DC promotion fails with DNS errors

  • Event Viewer shows NetLogon or TCP/IP binding issues

  • Clients cannot resolve _ldap._tcp records

Real-world gotchas:

  • Forgetting to set DNS to localhost causes DC promotion failures

  • Renaming after promotion breaks certificates and SPNs

  • Early patching avoids schema-impacting hotfix surprises


Phase 2 – Active Directory Domain Services

5. Install AD DS & DNS

Install-WindowsFeature AD-Domain-Services,DNS -IncludeManagementTools

6. Promote to New Forest

Install-ADDSForest `
    -DomainName "contoso.com" `
    -DomainNetbiosName "CONTOSO" `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString -Prompt "DSRM password")

  • Server will reboot automatically

  • This DC now holds all FSMO roles by default

7. Verify FSMO Roles

netdom query fsmo

Why this matters (Phase 2)

AD DS is the security authority of your environment. Getting forest creation right ensures Kerberos, LDAP, and trust boundaries are sound for years.

⚠️ Operational Callout – Failure Signals

If this breaks, here’s how you’ll know:

  • Authentication loops or long login delays

  • Kerberos errors (Event ID 4768/4771)

  • FSMO role lookup failures


Real-world gotchas:

  • Weak DSRM passwords are a recovery risk

  • Reboots during promotion are non-optional—plan downtime

  • FSMO roles are all here by design in single-DC forests


Phase 3 – DNS Hardening & DNSSEC

8. Validate DNS Configuration

Get-DnsServerZone

Ensure contoso.com is:

  • AD-integrated

  • Secure dynamic updates only

9. Enable DNSSEC Signing

# Key-signing key (KSK) and zone-signing key (ZSK); -CryptoAlgorithm selects RSA/SHA-256
Add-DnsServerSigningKey -ZoneName contoso.com -CryptoAlgorithm RsaSha256 -KeyLength 2048 -Type KeySigningKey
Add-DnsServerSigningKey -ZoneName contoso.com -CryptoAlgorithm RsaSha256 -KeyLength 1280 -Type ZoneSigningKey

# Sign with the keys added above (omit -SignWithDefault, which would generate its own keys)
Invoke-DnsServerZoneSign -ZoneName contoso.com

10. Enforce Secure DNS Settings

Set-DnsServerRecursion -Enable $true

# EnableDnsSec is a property of the server settings object, not a parameter of Set-DnsServerSetting
$setting = Get-DnsServerSetting -All
$setting.EnableDnsSec = $true
Set-DnsServerSetting -InputObject $setting

11. Disable Zone Transfers

Set-DnsServerPrimaryZone -Name contoso.com -SecureSecondaries NoTransfer

Why this matters (Phase 3)

DNS is the backbone of Active Directory. DNSSEC prevents cache poisoning and spoofing attacks that can silently compromise authentication.

⚠️ Operational Callout – Failure Signals

If this breaks, here’s how you’ll know:

  • Clients fail to resolve names intermittently

  • Resolve-DnsName -DnsSecOk returns validation failures

  • External resolvers reject your signed zone

Real-world gotchas:

  • DNSSEC signing takes time—records may appear unsigned briefly

  • Some legacy devices fail DNSSEC validation

  • Zone transfers left open are a common breach vector


Phase 4 – DHCP Server Deployment

12. Install DHCP Role

Install-WindowsFeature DHCP -IncludeManagementTools

13. Authorize DHCP in AD

Add-DhcpServerInDC -DnsName DC01.contoso.com -IPAddress 10.10.10.224

14. Create DHCP Scope

Add-DhcpServerv4Scope `
    -Name "Contoso LAN" `
    -StartRange 10.10.10.50 `
    -EndRange 10.10.10.200 `
    -SubnetMask 255.255.255.0

15. Configure Scope Options

# Without -ScopeId these are server-level options, inherited by every scope on DC01
Set-DhcpServerv4OptionValue `
    -DnsServer 10.10.10.224 `
    -DnsDomain contoso.com `
    -Router 10.10.10.1

16. Enable DHCP Auditing

Set-DhcpServerAuditLog -Enable $true

Why this matters (Phase 4)

Centralized, authorized DHCP prevents rogue devices from hijacking traffic and ensures clients always locate the correct DC.

Real-world gotchas:

  • DHCP must be AD-authorized or it silently fails

  • Scope options propagate only on lease renewal

  • Auditing is invaluable during incident response


Phase 5 – Active Directory Certificate Services

17. Install AD CS

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

18. Configure Enterprise Root CA

Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 4096 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 10

19. Enable Autoenrollment

Set-GPRegistryValue -Name "Default Domain Policy" `
    -Key "HKLM\Software\Policies\Microsoft\Cryptography\AutoEnrollment" `
    -ValueName AEPolicy `
    -Type DWord `
    -Value 7

Why this matters (Phase 5)

AD CS enables secure LDAP, smart card logons, and certificate-based trust. Without PKI, modern zero-trust designs fall apart.

⚠️ Operational Callout – Failure Signals

If this breaks, here’s how you’ll know:

  • LDAPS bind failures

  • Autoenrollment does not issue certificates

  • Event ID 10016 or 13 in the CAPI2 log

Real-world gotchas:

  • Certificate autoenrollment can take hours to propagate

  • Incorrect CA crypto settings are irreversible

  • Back up the CA immediately after deployment
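The backup the last gotcha calls for, as an added example (not code from the original guide). It assumes it runs elevated on DC01 with the ADCSAdministration module loaded; D:\CABackup is a placeholder path for a volume that is itself covered by offline or offsite backups.

```powershell
# Added example, not part of the original guide: back up the new CA right after
# installation. D:\CABackup is a placeholder; point it at a volume that is backed up.
$BackupRoot = "D:\CABackup"
$Target = Join-Path $BackupRoot (Get-Date -Format "yyyyMMdd-HHmm")
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Lock the folder down to SYSTEM and Administrators before anything sensitive lands in it.
icacls $Target /inheritance:r /grant "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" | Out-Null

# The CA private key is exported as PKCS#12; prompt for the password rather than hard-coding it.
$KeyPassword = Read-Host -AsSecureString -Prompt "Password to protect the exported CA key"

# Database, ESE logs (-KeepLog) and the private key. -Force overwrites a same-named backup.
Backup-CARoleService -Path $Target -Password $KeyPassword -KeepLog -Force

# The CA's registry configuration (CRL/AIA URLs, validity periods, audit filter) is not
# part of the database backup, so capture it alongside.
reg export "HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration" `
    (Join-Path $Target "CertSvc-Configuration.reg") /y | Out-Null

# Public root certificate, for clients that must trust the CA before Group Policy reaches them.
certutil -ca.cert (Join-Path $Target "ContosoRootCA.cer") | Out-Null

# Record SHA-256 hashes so a later restore can show the backup set was not altered.
Get-ChildItem $Target -Recurse -File -Exclude manifest.csv |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = "File"; e = { $_.Path.Substring($Target.Length + 1) } } |
    Export-Csv (Join-Path $Target "manifest.csv") -NoTypeInformation

Get-ChildItem $Target -Recurse -File | Select-Object FullName, Length
```

Store the key password separately from the backup media; without it the .p12 in the backup set cannot be restored.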


Phase 6 – Security Hardening (Tier 0)

20. Enforce Secure LDAP

# 2 = Require signing; -Force updates the value if it already exists
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" `
    -Name "LDAPServerIntegrity" -Value 2 -PropertyType DWORD -Force

21. Disable Legacy Protocols

Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

22. Harden NTLM

# 5 = Send NTLMv2 response only; refuse LM and NTLM
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LmCompatibilityLevel -Value 5

23. Restrict Admin Logons

  • Use Protected Users group

  • Enforce Smart Card / Certificate logon (optional but recommended)


Why this matters (Phase 6)

Tier 0 hardening directly reduces credential theft, pass-the-hash attacks, and lateral movement.

Real-world gotchas:

  • NTLM restrictions can break legacy apps

  • SMB1 disablement may impact old scanners or copiers

  • Members of Protected Users are limited to Kerberos-only authentication


Phase 7 – Validation & Testing

24. Health Checks

dcdiag /v
repadmin /replsummary

25. DNSSEC Validation

Resolve-DnsName contoso.com -DnsSecOk

26. Certificate Validation

certutil -config - -ping

Why this matters (Phase 7)

Validation confirms your identity platform is trustworthy before users depend on it. Skipping this step means discovering failures during an outage or breach.

Real-world gotchas:

  • DNSSEC validation may fail until caches expire

  • Certificate trust may require a reboot on clients

  • dcdiag warnings should be investigated, not ignored


Timeline: DNSSEC & Certificate Propagation Expectations

0–5 min         AD DS promotion completes
10–30 min       DNS zones replicate & initial DNSSEC signing
30–90 min       DNSSEC trust anchors cached by resolvers
1–4 hours       Certificate autoenrollment begins
Up to 24 hours  Group Policy + PKI fully consistent

Expect intermittent validation failures during this window. This is normal.


Common Failure Modes (And Why They Happen)

  • “AD is slow” → DNSSEC signing or replication delay

  • LDAPS not working → Certificate not yet issued or bound

  • Clients can’t log in → DHCP options not renewed

  • Kerberos errors → Time skew or DNS resolution issues

  • Autoenrollment missing → GPO not applied yet

Most of these resolve with time, validation, and patience—not rebuilds.


❌ Do NOT Fix It This Way (Hard-Learned Lessons)

  • Do NOT demote and re-promote the DC because “something feels wrong”

  • Do NOT delete and recreate DNS zones to fix propagation delays

  • Do NOT regenerate the CA because autoenrollment is slow

  • Do NOT disable DNSSEC to "see if it helps" in production

  • Do NOT reset machine accounts during initial GPO convergence

These actions almost always make recovery harder and damage trust chains.


🕒 First 24 Hours Checklist (Print-Friendly)

Use this checklist after initial deployment before declaring success or failure.

Immediately After Promotion (0–1 Hour)

  • Server rebooted successfully after AD DS promotion

  • dcdiag /v completed with no critical errors

  • FSMO roles verified on DC01

  • DNS zones present and AD-integrated

  • Time service synced and stable

Short Wait Period (1–4 Hours)

  • DNSSEC signing completed without errors

  • Resolve-DnsName contoso.com -DnsSecOk succeeds

  • DHCP leases being issued correctly

  • No repeated Kerberos or NetLogon errors in Event Viewer

Extended Convergence Window (4–24 Hours)

  • Certificate autoenrollment issuing certificates

  • LDAPS responding on port 636

  • Group Policy applies without errors

  • No unresolved dcdiag warnings

If all items pass by hour 24, your domain is stable.


🧭 Is It Broken — Or Just Not Finished Yet?

Symptom                        Likely Status     What To Do
DNSSEC validation fails early  Not finished yet  Wait, clear caches, re-test
No autoenrolled certs          Not finished yet  Check GPO, wait up to 24h
DHCP clients missing options   Not finished yet  Renew lease
Repeated Kerberos failures     Actually broken   Check time, DNS, SPNs
LDAPS fails after 24h          Actually broken   Verify cert binding
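The scriptable items of the First 24 Hours Checklist and the table above, as an added example (not code from the original guide): each check becomes a Pass/Fail row so the "not finished yet" and "actually broken" cases can be told apart without guessing. It assumes the names used in this guide (DC01, contoso.com) and that it runs elevated on DC01 with the ActiveDirectory, DnsServer and DhcpServer modules available.

```powershell
# Added example, not part of the original guide: post-deployment checklist for DC01.
$Domain = "contoso.com"; $DcFqdn = "DC01.$Domain"
$results = [System.Collections.Generic.List[object]]::new()
function Check([string]$Name, [scriptblock]$Test) {
    try   { $ok = [bool](& $Test); $note = "" }
    catch { $ok = $false; $note = $_.Exception.Message }   # a thrown error is a failed check
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $ok; Note = $note })
}

# 0-1 hour: FSMO roles, zones, time service
Check "All five FSMO roles held by $DcFqdn" {
    $d = Get-ADDomain $Domain; $f = Get-ADForest $Domain
    $roles = @($d.PDCEmulator, $d.RIDMaster, $d.InfrastructureMaster, $f.SchemaMaster, $f.DomainNamingMaster)
    @($roles | Where-Object { $_ -ne $DcFqdn }).Count -eq 0
}
Check "$Domain zone AD-integrated with secure updates only" {
    $z = Get-DnsServerZone -Name $Domain
    $z.IsDsIntegrated -and $z.DynamicUpdate -eq "Secure"
}
Check "w32time service running" { (Get-Service w32time).Status -eq "Running" }

# 1-4 hours: DNSSEC and DHCP
Check "$Domain zone is DNSSEC-signed" { (Get-DnsServerZone -Name $Domain).IsSigned }
Check "Local resolver returns RRSIG for $Domain (DO bit honoured)" {
    @(Resolve-DnsName $Domain -Type A -Server 127.0.0.1 -DnsSecOk | Where-Object Type -eq "RRSIG").Count -gt 0
}
Check "DHCP server authorized in AD" { @(Get-DhcpServerInDC).DnsName -contains $DcFqdn }
Check "At least one active DHCP scope" { @(Get-DhcpServerv4Scope | Where-Object State -eq "Active").Count -gt 0 }

# 4-24 hours: PKI, LDAPS binding, Group Policy
Check "Autoenrollment policy (AEPolicy=7) present on DC01" {
    (Get-ItemProperty "HKLM:\Software\Policies\Microsoft\Cryptography\AutoEnrollment").AEPolicy -eq 7
}
Check "LDAPS on 636 presents a trusted cert for $DcFqdn" {
    $tcp = [System.Net.Sockets.TcpClient]::new($DcFqdn, 636)
    try {
        # Accept any cert for the handshake, then judge the chain ourselves with Verify()
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($DcFqdn)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        ($cert.Subject -like "*$DcFqdn*") -and $cert.Verify()
    } finally { $tcp.Close() }
}
Check "No Group Policy errors in last 50 operational events" {
    @(Get-WinEvent -LogName "Microsoft-Windows-GroupPolicy/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue |
      Where-Object Level -le 2).Count -eq 0
}

$results | Format-Table -AutoSize
```

A failed LDAPS or autoenrollment row inside the first hours is the table's "not finished yet" case; the same row still failing after hour 24 is the "actually broken" case and the Note column carries the exception text to start from.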

Final State Summary

You now have a modern, security-first identity platform — not just a functioning domain controller.

This build represents a baseline identity architecture for 2025 and beyond: a hardened Tier 0 core that prioritizes integrity, cryptographic trust, and operational resilience from day one. By combining AD DS, DNSSEC, DHCP, and Enterprise PKI into a single, deliberately secured foundation, you’ve created an environment that can safely scale, be monitored, and be recovered when—not if—things go wrong.

This is not the end state; it’s the starting line. Every future capability—passwordless auth, Zero Trust access, SIEM-driven detection, disaster recovery, cloud integration—depends on this layer being done right. Build once, build correctly, and everything above it becomes easier, safer, and more predictable.

