Install AD DS on the First Forest Root Domain Controller with PowerShell

If you didn’t know, the default installation for Server 2012 is Server Core. You can still install the GUI, but if possible 2012 Core should be considered. Server Core has come a long way, and is the easy choice if you want to use less of the system processor and less memory. Without the GUI, your servers are also less of a target for attacks: less code means fewer vulnerabilities. So how are you going to take care of your Core Servers? PowerShell, of course!

In this article, we will be promoting a Windows 2012 server to a Domain Controller with PowerShell. Just like in my previous posts, the first thing we will need to do is install the Active Directory Domain Service Role.

AD DS Role Installation:

Get-WindowsFeature AD-Domain-Services

Get-WindowsFeature AD-Domain-Services | Install-WindowsFeature

If you have a Deployment Configuration Template file with the features you want to install, then use the following PowerShell command:

Install-WindowsFeature -ConfigurationFilePath .\desktop\DeploymentConfigTemplate.xml

Below are the results of Get-WindowsFeature AD-Domain-Services | Install-WindowsFeature:

Just like with the GUI, we will need to do the prerequisite checks. The Prerequisites Check is a new feature in AD DS 2012 domain configuration. These checks will alert you with suggested repair options, and inform you of new security changes that will affect older operating systems. These tests also run during the installation process of a Domain Controller, so they don’t have to be run separately. However, for today’s tutorial, we will run them.

Note: The domain controller promotion process cannot continue until all prerequisite tests pass.

Test-ADDSForestInstallation

Domain Controller Promotion:

If you haven’t already imported the ADDS Deployment module, we will have to do that first:

Import-Module ADDSDeployment

If you want all the defaults and quickly add a new Domain Controller to your environment just type the following:

Install-ADDSDomainController

Now, since that won’t work for 99% of you, let’s take a closer look at this cmdlet. By default, the cmdlet “Install-ADDSDomainController” will configure your Domain Controller with the following settings:

  • Read-only Domain Controller: No
  • Global Catalog: Yes
  • DNS Server: Yes*
  • Database Folder: C:\Windows\NTDS
  • Log File Folder: C:\Windows\NTDS
  • SYSVOL Folder: C:\Windows\SYSVOL

DNS Server

  • New forest: always install DNS
  • New child or new tree domain: if the parent/tree domain hosts DNS, install DNS
  • Replica: if the current domain hosts DNS, install DNS

Unless those settings work for you, I always recommend installing your Domain Controllers by a script. This gives you consistency throughout your environment, and makes your life easier.

PowerShell Script

The script is fairly simple. Just fill in and configure your settings. You will also need to set the execution policy on the server before you can run any scripts on it. I’m going to use “RemoteSigned”.

Set-ExecutionPolicy RemoteSigned

####################################################################
# PowerShell Script to Install First Forest Root Domain Controller #
####################################################################

# Load the deployment cmdlets (Install-ADDSForest lives in this module)
Import-Module ADDSDeployment

# Create the new forest; the backtick continues the command on the next line
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012R2" `
-DomainName "testlab.local" `
-DomainNetbiosName "TESTLAB" `
-ForestMode "Win2012R2" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

As you see from the script above, I will be configuring the server with these settings.

  • CreateDnsDelegation: $false
  • DatabasePath: “C:\Windows\NTDS”
  • DomainMode: “Win2012R2”
  • DomainName: “testlab.local”
  • DomainNetbiosName: “TESTLAB”
  • ForestMode: “Win2012R2”
  • InstallDns: $true
  • LogPath: “C:\Windows\NTDS”
  • NoRebootOnCompletion: $false
  • SysvolPath: “C:\Windows\SYSVOL”
  • Site Name: “Nieuwegein”
  • Force: $true

For a full list of switches and settings, review this TechNet article.

Now that we have the script configured, save it as a “.ps1” file and run it. Since we didn’t specify the “Safe Mode Administrator Password”, you will have to enter it manually when prompted.

To fully automate this process, just add the “-SafeModeAdministratorPassword” argument followed by the password.
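The following is an added example, not the post’s own script: it ties the role installation, the prerequisite check and Install-ADDSForest together in one run, and takes the DSRM password as a SecureString rather than leaving it in plaintext in the script. The domain name and NetBIOS name match the post; the parameter hashtable and the variable names are this example’s own.

```powershell
# Added example: automated first-forest-root promotion (not the original post's script).
#Requires -RunAsAdministrator
$DomainName  = 'testlab.local'   # same value as the post; change for your environment
$NetbiosName = 'TESTLAB'

# 1. Make sure the AD DS role is present before importing the deployment module.
if (-not (Get-WindowsFeature -Name AD-Domain-Services).Installed) {
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
}
Import-Module ADDSDeployment

# 2. Take the Safe Mode (DSRM) password as a SecureString so it never sits in the
#    script file or the PowerShell history as plaintext.
$dsrmPassword = Read-Host -Prompt 'Enter the Safe Mode Administrator (DSRM) password' -AsSecureString

# 3. One parameter set shared by the prerequisite test and the real install, so both
#    evaluate exactly the same configuration (values mirror the post's script).
$forestParams = @{
    DomainName                    = $DomainName
    DomainNetbiosName             = $NetbiosName
    DomainMode                    = 'Win2012R2'
    ForestMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# 4. Run the prerequisite checks first and stop on any failure before the server is touched.
$check = Test-ADDSForestInstallation @forestParams
if ($check.Status -ne 'Success') {
    Write-Error "Prerequisite check failed: $($check.Message)"
    return
}

# 5. Promote the server; the cmdlet reboots it automatically when the promotion completes.
Install-ADDSForest @forestParams -NoRebootOnCompletion:$false -Force:$true
```

Run it from an elevated PowerShell session after Set-ExecutionPolicy RemoteSigned, as described above.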

Validating environment and user input:

All tests completed successfully and installing new forest:

Operation completed successfully, followed by the reboot:
