Installing a 2012 Domain Controller with PowerShell

If you didn’t know, the default installation for Server 2012 is Server Core.  You can still install the GUI, but if possible 2012 Core should be considered.  Server Core has come a long way, and is a no-brainer if you want to use less of the system processor and less memory.  Without the GUI, your servers are also less of a target for attacks.  Less code means fewer vulnerabilities.  So how are you going to take care of your Core Servers?  PowerShell, of course!

In today’s article, we will be promoting a Windows 2012 server to a Domain Controller with PowerShell.  Exciting, right?  Well, maybe not, but you still need to know how to do it.  Okay, let’s get started.

Just like in my previous post, the first thing we will need to do is install the Active Directory Domain Services role.

AD DS Role Installation:

PS C:\> Get-WindowsFeature AD-Domain-Services

PS C:\> Get-WindowsFeature AD-Domain-Services | Install-WindowsFeature

Just like with the GUI, we will need to do the prerequisite checks.  The Prerequisites Check is a new feature in AD DS 2012 domain configuration.  These checks will alert you with suggested repair options, and inform you of new security changes that will affect older operating systems.  These tests will also run during the installation process of a Domain Controller, so they don’t have to be run separately.  However, for today’s tutorial, we will run them.

Note: The domain controller promotion process cannot continue until all prerequisite tests pass.

PS C:\> Test-ADDSForestInstallation

You will be prompted for your Domain Name, and the Safe Mode Administrator Password.

PS C:\> Test-ADDSDomainInstallation

PS C:\> Test-ADDSDomainControllerInstallation

AD Forest …Check

AD Domain…Check

DC…Check.

Mission Control, we are a GO…

Domain Controller Promotion:

If you haven’t already imported the ADDS Deployment module, we will have to do that first.

PS C:\> Import-Module ADDSDeployment

If you want all the defaults and want to quickly add a new Domain Controller to your environment, just type the following.

PS C:\> Install-ADDSDomainController

Now, since that won’t work for 99% of you, let’s take a closer look at this cmdlet.  By default, the cmdlet “Install-ADDSDomainController” will configure your Domain Controller with the following settings:

  • Read-only Domain Controller: No
  • Global Catalog: Yes
  • DNS Server: Yes*
  • Database Folder: C:\Windows\NTDS
  • Log File Folder: C:\Windows\NTDS
  • SYSVOL Folder: C:\Windows\SYSVOL

*DNS Server

1. New forest: always install DNS
2. New child or new tree domain: if the parent/tree domain hosts DNS, install DNS
3. Replica: if the current domain hosts DNS, install DNS

Unless those settings work for you, I always recommend installing your Domain Controllers with a script.  This gives you consistency throughout your environment, and makes your life easier.

The Script

The script is fairly simple.  Just fill in and configure your settings.  You will also need to set the execution policy on the server before you can run any scripts on it.  I’m going to use “Remote Signed”.

PS C:\> Set-ExecutionPolicy RemoteSigned

########################################
# PowerShell Script to Install Domain Controllers #
########################################

Import-Module ADDSDeployment
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-InstallDns:$false `
-CreateDnsDelegation:$false `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-LogPath "C:\Windows\NTDS" `
-SysvolPath "C:\Windows\SYSVOL" `
-DomainName "contoso.local" `
-NoRebootOnCompletion:$false `
-SiteName "SiteName" `
-Force:$true

As you see from the script above, I will be configuring the server with these settings.

  • Read-only Domain Controller: No
  • Global Catalog: No
  • DNS Server: No
  • Create Dns Delegation: No
  • Database Folder: C:\Windows\NTDS
  • Log File Folder: C:\Windows\NTDS
  • SYSVOL Folder: C:\Windows\SYSVOL
  • No Reboot On Completion: No
  • Site Name: Name of site

For a full list of switches and settings, review this TechNet article.

Now that we have the script configured, save it as a “.ps1” file and run it.  Since we didn’t specify the “Safe Mode Administrator Password”, you will have to enter it manually.  To fully automate this process, just add the “-SafeModeAdministratorPassword” argument and the password.
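A variant of the script above that handles the password and the domain credentials, as an added example rather than the author’s script: -SafeModeAdministratorPassword takes a SecureString, so the password is read with Read-Host -AsSecureString instead of being typed into the .ps1 file, and -Credential supplies a domain account for the promotion. It assumes the same contoso.local and SiteName placeholders, and that the prerequisite test returns result objects whose Status reads Success when the checks pass.

```powershell
# Added example (not the author's script). contoso.local and SiteName are the
# placeholders used in the script above.
Import-Module ADDSDeployment

# Collect secrets interactively so neither ends up stored in the .ps1 file.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Safe Mode Administrator Password'
$domainCred   = Get-Credential -Message 'Domain account allowed to add a domain controller'

# Settings shared by the prerequisite test and the promotion (same values as above).
$dcSettings = @{
    DomainName                    = 'contoso.local'
    SiteName                      = 'SiteName'
    NoGlobalCatalog               = $false
    InstallDns                    = $false
    CreateDnsDelegation           = $false
    CriticalReplicationOnly       = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
    Credential                    = $domainCred
}

# Run the prerequisite check with the exact settings that will be installed.
# Assumption: each result object carries Message, Context and Status properties.
$check  = Test-ADDSDomainControllerInstallation @dcSettings
$failed = @($check | Where-Object { $_.Status -ne 'Success' })
if ($failed.Count -gt 0) {
    $failed | Format-List Message, Context, Status
    throw 'Prerequisite check did not pass; the server was not promoted.'
}

# Promote. -Force suppresses the confirmation prompt; the server reboots when done.
Install-ADDSDomainController @dcSettings -NoRebootOnCompletion:$false -Force:$true
```

If the run has to be unattended, the SecureString has to come from a protected store rather than from a plaintext string in the script.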

That’s it.  Go get a cup of coffee, or take the afternoon off.  When you get back, you should have a brand new 2012 Domain Controller.

3 Comments

Not good. Where are you prompted for your domain qualifications? The local admin won’t work.

Spell Check: Get-WindowsFeature AD-Domain-Services

Thank you very much for sharing Information. Great article.
