Second VM milestone. WS2025-DC01 is up, domain controller for corp.local, fully operational.

VM setup

Created in Proxmox with these settings:

  • 4GB RAM, 2 vCPUs
  • 60GB disk on local-lvm
  • VirtIO SCSI controller
  • Network: VirtIO on vmbr0
  • QEMU Guest Agent: enabled (qm set 100 --agent enabled=1)

The VirtIO drivers are essential. Without them, the Windows installer can’t see the disk. I mounted the VirtIO ISO as a secondary CD-ROM and loaded vioscsi from w11/amd64 during the install wizard when it complained about no drives found.

AD DS

Used Install-WindowsFeature to get the role, then promoted:

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "corp.local" -DomainNetbiosName "CORP" -InstallDns

Post-reboot, set static IP 192.168.8.20, pointed DNS to itself.

OUs and GPOs

Created four OUs:

  • OU=Servers,DC=corp,DC=local
  • OU=Workstations,DC=corp,DC=local
  • OU=Users,DC=corp,DC=local
  • OU=Groups,DC=corp,DC=local

Two GPOs:

  1. Baseline — applied domain-wide (screen lock, audit policy, disable NTLM if possible)
  2. PDC NTP — scoped to the PDC Emulator FSMO holder only

The NTP scoping thing

Made the mistake of applying the NTP GPO domain-wide first. That’s wrong — only the PDC Emulator should be configured with an external time source. Domain members sync from the DC through the domain time hierarchy automatically. Pushing the w32tm NTP-client settings to every machine overrides that hierarchy and breaks it.

Fixed by security-filtering the GPO to a group containing only the DC’s computer account.

# Check who holds PDC Emulator role
Get-ADDomain | Select PDCEmulator

# Force resync (useful after snapshot restores)
w32tm /resync /force
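A check that the fix actually holds, added here as an example and not code from the post: it confirms the scoping group tracks the current PDC Emulator (the FSMO role can be moved later), that the GPO’s Apply permission is limited to that group rather than Authenticated Users, and that the time service type on the local machine matches its role. The GPO name "PDC NTP" is the post’s; the group name PDC-TimeSource is an assumption.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and
# GroupPolicy modules are available on the DC. "PDC NTP" is the GPO name from the
# post; the scoping group name "PDC-TimeSource" is an assumption.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Test-PdcNtpScoping {
    param(
        [string]$GpoName   = 'PDC NTP',
        [string]$GroupName = 'PDC-TimeSource'
    )
    $findings = @()

    # 1. Resolve the current PDC Emulator to its computer object (the role can move).
    $pdcFqdn = (Get-ADDomain).PDCEmulator
    $pdc     = Get-ADComputer -Filter "DNSHostName -eq '$pdcFqdn'"
    if (-not $pdc) { throw "Could not resolve computer object for $pdcFqdn" }

    # 2. The scoping group should contain the PDC's account and nothing else.
    $members = @(Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty DistinguishedName)
    if ($members -notcontains $pdc.DistinguishedName) {
        $findings += "$GroupName does not contain the current PDC ($pdcFqdn)"
    }
    foreach ($m in $members | Where-Object { $_ -ne $pdc.DistinguishedName }) {
        $findings += "Unexpected member in ${GroupName}: $m"
    }

    # 3. The GPO must be security-filtered to the group; if Authenticated Users still
    #    holds Apply permission, the GPO is effectively still domain-wide.
    $apply    = Get-GPPermission -Name $GpoName -All | Where-Object { $_.Permission -eq 'GpoApply' }
    $trustees = @($apply | ForEach-Object { $_.Trustee.Name })
    if ($trustees -contains 'Authenticated Users') { $findings += "$GpoName still applies to Authenticated Users" }
    if ($trustees -notcontains $GroupName)         { $findings += "$GpoName is not applied to $GroupName" }

    # 4. On the machine running this, the time service type should match its role:
    #    NTP (external source) only on the PDC, NT5DS (domain hierarchy) everywhere else.
    $isPdc    = $env:COMPUTERNAME -eq $pdcFqdn.Split('.')[0]
    $typeLine = (w32tm /query /configuration) | Select-String 'Type:\s*(\w+)' | Select-Object -First 1
    $type     = if ($typeLine) { $typeLine.Matches[0].Groups[1].Value } else { 'unknown' }
    $expected = if ($isPdc) { 'NTP' } else { 'NT5DS' }
    if ($type -ne $expected) {
        $findings += "$env:COMPUTERNAME reports time type $type, expected $expected"
    }
    Write-Host "Time source on $env:COMPUTERNAME: $(w32tm /query /source)"

    return $findings   # empty array means the scoping is as intended
}

Test-PdcNtpScoping
```

Run it on the DC after a rebuild or after moving FSMO roles; any line it returns is a scoping drift to fix before the member machines start pulling the wrong time source.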

Evaluation lifecycle

WS2025 evaluation runs 180 days. It can be rearmed up to 5 times (slmgr /rearm), giving about 3 years of runway. I’ll export users and GPOs periodically as a rebuild safety net:

# Export users
csvde -f C:\exports\users.csv -r "(objectClass=user)"

# Export GPOs
Backup-GPO -All -Path C:\exports\GPOBackups

Snapshot

Took a powered-off snapshot after confirming domain promotion. Live/RAM snapshots and AD don’t mix well — Kerberos tickets and replication metadata get confused when time jumps. Powered-off is the safe option.


Status: WS2025-DC01 — operational. corp.local domain live.