Page 1 of 82
My Collection
This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use this document
for your internal, reference purposes. You may modify this document for your internal, reference purposes. © 2015 Microsoft. All rights reserved. Terms of Use
(https://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)
http://pabprod.blob.core.windows.net/books/5d6eb58c-a35e-465d-97e2-32494ab14d6... 28-04-2015
Table Of Contents
Chapter 1
Install Active Directory Domain Services (Level 100)
Chapter 1
Install Active Directory Domain Services (Level 100)
Published: April 28, 2012
Updated: April 14, 2014
Applies To: Windows Server 2012, Windows Server 2012 R2
This topic explains how to install AD DS in Windows Server 2012 by using any of the following methods:
Credential requirements to run Adprep.exe and install Active Directory Domain Services
Installing AD DS by Using Windows PowerShell
Installing AD DS by using Server Manager
Performing a Staged RODC Installation using the Graphical User Interface
Credential requirements to run Adprep.exe and install Active Directory Domain Services
The following credentials are required to run Adprep.exe and install AD DS.
To install a new forest, you must be logged on as the local Administrator for the computer.
To install a new child domain or new domain tree, you must be logged on as a member of the Enterprise Admins group.
To install an additional domain controller in an existing domain, you must be a member of the Domain Admins group.
Note
If you do not run the adprep.exe command separately and you are installing the first domain controller that runs Windows Server 2012 in an existing domain or forest, you will be prompted to supply credentials to run Adprep commands. The credential requirements are as follows:
To introduce the first Windows Server 2012 domain controller in the forest, you need to supply credentials for a member of Enterprise Admins
group, the Schema Admins group, and the Domain Admins group in the domain that hosts the schema master.
To introduce the first Windows Server 2012 domain controller in a domain, you need to supply credentials for a member of the Domain Admins
group.
To introduce the first read-only domain controller (RODC) in the forest, you need to supply credentials for a member of the Enterprise Admins
group.
Note
If you have already run adprep /rodcprep in Windows Server 2008 or Windows Server 2008 R2, you do not need to run it again for Windows
Server 2012.
default when you use Windows PowerShell. You need to specify IncludeManagementTools to manage the local server or install Remote Server Administration
Tools to manage a remote server.
Get-Help Add-ADDSReadOnlyDomainControllerAccount
Optional arguments appear in square brackets.
You can also download the latest Help examples and concepts for Windows PowerShell cmdlets. For more information, see about_Updatable_Help.
You can run Windows PowerShell cmdlets against remote servers:
In Windows PowerShell, use invoke-command with the ADDSDeployment cmdlet. For example, to install AD DS on a remote server named ConDC3 in the
contoso.com domain, type:
-InstallDNS:$false
Similarly, because InstallDns defaults to $False when you install a domain controller in an environment that does not host a Windows Server DNS server, you need to specify the following argument in order to install the DNS Server service:
-InstallDNS:$true
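As an added example that is not part of the original document, the remote role installation described above, run from a management workstation that has the AD DS management tools installed. ConDC3 is the server name from the text; checking the object that Install-WindowsFeature returns, and reading the InstallDns parameter help before scripting the promotion, are additions:

```powershell
# Added example, not part of the original Microsoft document.
# Installs the AD DS role and management tools on the remote server ConDC3
# (name taken from the text) and reports whether the installation succeeded.
$targets = @("ConDC3")   # add further server names to deploy to several servers at once

$results = Invoke-Command -ComputerName $targets -ScriptBlock {
    # IncludeManagementTools is not implied in Windows PowerShell, so request it explicitly.
    Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
}

foreach ($r in $results) {
    # Success and RestartNeeded are properties of the object Install-WindowsFeature returns.
    "{0}: Success={1} RestartNeeded={2}" -f $r.PSComputerName, $r.Success, $r.RestartNeeded
}

# Stop if any server failed; promotion cannot run on a server without the role binaries.
if ($results | Where-Object { -not $_.Success }) {
    throw "AD DS role installation failed on at least one server."
}

# The -InstallDns default depends on where the DNS zone is hosted, so read the parameter
# help before scripting a promotion and pass -InstallDns:$true or -InstallDns:$false explicitly.
Get-Help Install-ADDSDomainController -Parameter InstallDns
```

Invoke-Command can take several names in -ComputerName, which is how the same role installation is pushed to more than one future domain controller from a single console.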
Argument
Description

ADPrepCredential <PSCredential>
Specifies the account with Enterprise Admins and Schema Admins group membership that can prepare the forest, according to the rules of Get-Credential and a PSCredential object.

AllowDomainControllerReinstall
Specifies whether to continue installing this writable domain controller, despite the fact that another writable domain controller account with the same name is detected.
Use $True only if you are sure that the account is not currently used by another writable domain controller.
The default is $False.
This argument is not valid for an RODC.

AllowDomainReinstall

AllowPasswordReplicationAccountName <string[]>
Specifies the names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this RODC. Use an empty string "" if you want to keep the value empty. By default, only the Allowed RODC Password Replication Group is allowed, and it is originally created empty.
Supply values as a string array.

ApplicationPartitionsToReplicate <string[]>
Specifies the application directory partitions to replicate. This argument is applied only when you specify the -InstallationMediaPath argument to install from media (IFM). By default, all application partitions will replicate based on their own scopes.
Supply values as a string array. For example:
-ApplicationPartitionsToReplicate "partition1","partition2","partition3"
Note
There is no equivalent option in the UI. If you install using the UI, or using IFM, then all application partitions will be replicated.

Confirm

CreateDnsDelegation
Indicates whether to create a DNS delegation that references the new DNS server that you are installing along with the domain controller. Valid for Active Directory-integrated DNS only. Delegation records can be created only on Microsoft DNS servers that are online and accessible. Delegation records cannot be created for domains that are immediately subordinate to top-level domains such as .com, .gov, .biz, .edu or two-letter country code domains such as .nz and .au.
Note
You cannot specify this argument when you run the Add-ADDSReadOnlyDomainController cmdlet.

Credential <PSCredential>
Specifies the domain account that can log on to the domain, according to the rules of Get-Credential and a PSCredential object.
If no value is specified, the credentials of the current user are used.

CriticalReplicationOnly
Specifies whether the AD DS installation operation performs only critical replication before reboot and then continues. The noncritical replication happens after the installation finishes and the computer reboots.
Using this argument is not recommended.
There is no equivalent for this option in the user interface (UI).
DatabasePath <string>
Specifies the fully qualified, non-Universal Naming Convention (UNC) path to a directory on a fixed disk of the local computer that contains the domain database, for example, C:\Windows\NTDS.
The default is %SYSTEMROOT%\NTDS.
Important
While you can store the AD DS database and log files on a volume formatted with Resilient File System (ReFS), there are no specific benefits for hosting AD DS on ReFS, other than the normal benefits of resiliency you get for hosting any data on ReFS.

DelegatedAdministratorAccountName <string>
Specifies the name of the user or group that can install and administer the RODC.
By default, only members of the Domain Admins group can administer an RODC.

DenyPasswordReplicationAccountName <string[]>
Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this RODC. Use an empty string "" if you do not want to deny the replication of credentials of any users or computers. By default, Administrators, Server Operators, Backup Operators, Account Operators, and the Denied RODC Password Replication Group are denied. By default, the Denied RODC Password Replication Group includes Cert Publishers, Domain Admins, Enterprise Admins, Enterprise Domain Controllers, Enterprise Read-Only Domain Controllers, Group Policy Creator Owners, the krbtgt account, and Schema Admins.
Supply values as a string array. For example:
-DenyPasswordReplicationAccountName "RegionalAdmins","AdminPCs"

DnsDelegationCredential <PSCredential>
Specifies the user name and password for creating DNS delegation, according to the rules of Get-Credential and a PSCredential object.
Note
You cannot specify this argument when you run the Add-ADDSReadOnlyDomainController cmdlet.

DomainMode <DomainMode> {2 | 3 | 4 | 5 | 6}
Specifies the domain functional level during the creation of a new domain.
The domain functional level cannot be lower than the forest functional level, but it can be higher.
The default value is automatically computed and set to the existing forest functional level or the value that is set for -ForestMode.

DomainName
Specifies the FQDN of the domain in which you want to install an additional domain controller.

DomainNetbiosName <string>
Use with Install-ADDSForest. Assigns a NetBIOS name to the new forest root domain.

DomainType
Indicates the type of domain that you want to create: a new domain tree in an existing forest, a child of an existing domain, or a new forest.
The default for DomainType is ChildDomain.

Force
When this parameter is specified, any warnings that might normally appear during the installation and addition of the domain controller will be suppressed to allow the cmdlet to complete its execution. This parameter can be useful to include when scripting installation.

ForestMode <ForestMode> {2 | 3 | 4 | 5 | 6}
Specifies the forest functional level when you create a new forest.
The default value is Win2012.

InstallationMediaPath
Indicates the location of the installation media that will be used to install a new domain controller.

InstallDns
Specifies whether the DNS Server service should be installed and configured on the domain controller.
For a new forest, the default is $True and DNS Server is installed.
For a new child domain or domain tree, if the parent domain (or forest root domain for a domain tree) already hosts and stores the DNS names for the domain, then the default for this parameter is $True.
For a domain controller installation in an existing domain, if this parameter is left unspecified and the current domain already hosts and stores the DNS names for the domain, then the default for this parameter is $True. Otherwise, if DNS domain names are hosted outside of Active Directory, the default is $False and no DNS Server is installed.

LogPath <string>
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer that contains the domain log files, for example, C:\Windows\Logs.
The default is %SYSTEMROOT%\NTDS.
Important
Do not store the Active Directory log files on a data volume formatted with Resilient File System (ReFS).

MoveInfrastructureOperationMasterRoleIfNecessary
Specifies whether to transfer the infrastructure master operations master role (also known as flexible single master operations or FSMO) to the domain controller that you are creating, in case it is currently hosted on a global catalog server and you do not plan to make the domain controller that you are creating a global catalog server. Specify this parameter to transfer the infrastructure master role to the domain controller that you are creating in case the transfer is needed; in this case, specify the NoGlobalCatalog option if you want the infrastructure master role to remain where it currently is.

NewDomainName <string>
Note
For example, if you want to create a new child domain named emea.corp.fabrikam.com, you should specify emea as the value of this argument.

NewDomainNetbiosName <string>
Use with Install-ADDSDomain. Assigns a NetBIOS name to the new domain. The default value is derived from the value of NewDomainName.
Note
Required for Install-ADDSDomain if the FQDN prefix name is longer than 15 characters.

NoDnsOnNetwork
Specifies that DNS service is not available on the network. This parameter is used only when the IP setting of the network adapter for this computer is not configured with the name of a DNS server for name resolution. It indicates that a DNS server will be installed on this computer for name resolution. Otherwise, the IP settings of the network adapter must first be configured with the address of a DNS server.
Omitting this parameter (the default) indicates that the TCP/IP client settings of the network adapter on this server computer will be used to contact a DNS server. Therefore, if you are not specifying this parameter, ensure that TCP/IP client settings are first configured with a preferred DNS server address.

NoGlobalCatalog
Specifies that you do not want the domain controller to be a global catalog server.
Domain controllers that run Windows Server 2012 are installed with the global catalog by default. In other words, this runs automatically without computation, unless you specify:
-NoGlobalCatalog

NoRebootOnCompletion
Specifies whether to restart the computer upon completion of the command, regardless of success. By default, the computer will restart. To prevent the server from restarting, specify:
-NoRebootOnCompletion:$True
There is no equivalent for this option in the user interface (UI).

ParentDomainName <string>
Specifies the FQDN of an existing parent domain. You use this argument when you install a child domain or new domain tree.
Note
For example, if you want to create a new child domain named emea.corp.fabrikam.com, you should specify corp.fabrikam.com as the value of this argument.

ReadOnlyReplica

ReplicationSourceDC <string>
Indicates the FQDN of the partner domain controller from which you replicate the domain information.
The default is automatically computed.

SafeModeAdministratorPassword <securestring>
Supplies the password for the administrator account when the computer is started in Safe Mode or a variant of Safe Mode, such as Directory Services Restore Mode.
The default is an empty password. You must supply a password. The password must be supplied in a System.Security.SecureString format, such as that provided by read-host -assecurestring or ConvertTo-SecureString.
The SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.
If specified without a value, and there are no other arguments specified to the cmdlet, the cmdlet prompts you to enter a masked password without confirmation. This is not the preferred usage when running the cmdlet interactively.
If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:
-safemodeadministratorpassword (read-host -prompt "Password:" -assecurestring)
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged:
-safemodeadministratorpassword (convertto-securestring "Password1" -asplaintext -force)

SiteName <string>
Note
Required for the Add-ADDSReadOnlyDomainControllerAccount cmdlet.
Specifies the site where the domain controller will be installed. There is no sitename argument when you run Install-ADDSForest because the first site created is Default-First-Site-Name.
The site name must already exist when provided as an argument to -SiteName. The cmdlet will not create the site.

SkipAutoConfigureDNS
Skips automatic configuration of DNS client settings, forwarders, and root hints. This argument is in effect only if the DNS Server service is already installed or automatically installed with -InstallDNS.

SystemKey <string>
Specifies the system key for the media from which you replicate the data.
The default is none.
Data must be in the format provided by read-host -assecurestring or ConvertTo-SecureString.

SysvolPath <string>
Specifies the fully qualified, non-UNC path to a directory on a fixed disk of the local computer, for example, C:\Windows\SYSVOL.
The default is %SYSTEMROOT%\SYSVOL.
Important
SYSVOL cannot be stored on a data volume formatted with Resilient File System (ReFS).

SkipPreChecks
Does not run the prerequisite checks before starting installation. It is not advisable to use this setting.

WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Warning
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged:
Warning
Providing or storing a clear text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the DSRM
password of that domain controller. With that knowledge, they can impersonate the domain controller itself and elevate their privilege to the highest level in an
Active Directory forest.
Test cmdlet
Description
Test-ADDSForestInstallation
Test-ADDSDomainInstallation
Test-ADDSDomainControllerInstallation
Test-ADDSReadOnlyDomainControllerAccountCreation
Runs the prerequisites for adding a read-only domain controller (RODC) account.
Note
The -DomainNetBIOSName argument is required if you want to change the 15-character name that is automatically generated based on the DNS domain name
prefix or if the name exceeds 15 characters.
For example, to install a new forest named corp.contoso.com and be securely prompted to provide the DSRM password, type:
Note
DNS server is installed by default when you run Install-ADDSForest.
To install a new forest named corp.contoso.com, create a DNS delegation in the contoso.com domain, set the domain functional level to Windows Server 2008 R2 and the forest functional level to Windows Server 2008, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the E:\ drive, and be prompted to provide the Directory Services Restore Mode password, type:
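Written out as an added example (this is not the document's own command listing): the forest installation just described, with the DSRM password taken through Read-Host -AsSecureString and the settings collected in one hashtable so that Test-ADDSForestInstallation validates exactly what Install-ADDSForest will run. The domain name, delegation, functional levels and drive letters are the ones in the text; the NetBIOS name CORP is an assumption (it equals the auto-generated value here):

```powershell
# Added example, not part of the original Microsoft document.
Import-Module ADDSDeployment

# Take the DSRM password as a SecureString from the console. Do not build it with
# ConvertTo-SecureString "..." -AsPlainText -Force: that leaves the DSRM password in the script.
$dsrmPassword = Read-Host -Prompt "DSRM password:" -AsSecureString

# Settings from the text: corp.contoso.com forest, delegation in contoso.com, domain level
# Windows Server 2008 R2, forest level Windows Server 2008, database and SYSVOL on D:, logs on E:.
$forestParams = @{
    DomainName                    = "corp.contoso.com"
    DomainNetbiosName             = "CORP"       # assumed; optional, same as the generated default
    InstallDns                    = $true        # already the default for a new forest
    CreateDnsDelegation           = $true
    DomainMode                    = "Win2008R2"
    ForestMode                    = "Win2008"
    DatabasePath                  = "D:\NTDS"
    SysvolPath                    = "D:\SYSVOL"
    LogPath                       = "E:\Logs"
    SafeModeAdministratorPassword = $dsrmPassword
}

# Prerequisite check only: the same validation the wizard runs, with no change to the server.
Test-ADDSForestInstallation @forestParams

# Promote. The server restarts when the command completes unless -NoRebootOnCompletion is given.
Install-ADDSForest @forestParams

# Minimal form from the text: omitting -SafeModeAdministratorPassword makes the cmdlet prompt
# for and confirm the DSRM password itself.
# Install-ADDSForest -DomainName "corp.contoso.com"
```

Keeping the parameters in a hashtable means the prerequisite test and the installation cannot drift apart, which is the usual source of a promotion failing after the test passed.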
Note
The -credential argument is only required when you are not currently logged on as a member of the Enterprise Admins group.
The -NewDomainNetBIOSName argument is required if you want to change the automatically generated 15-character name based on the DNS domain name
prefix or if the name exceeds 15 characters.
For example, to use credentials of corp\EnterpriseAdmin1 to create a new child domain named child.corp.contoso.com, install DNS server, create a DNS delegation
in the corp.contoso.com domain, set domain functional level to Windows Server 2003, make the domain controller a global catalog server in a site named
Houston, use DC1.corp.contoso.com as the replication source domain controller, install the Active Directory database and SYSVOL on the D:\ drive, install the log
files on the E:\ drive, and be prompted to provide the Directory Services Restore Mode password but not prompted to confirm the command, type:
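The child domain installation just described, as an added example rather than the document's own listing. Every value (corp\EnterpriseAdmin1, child.corp.contoso.com, DC1.corp.contoso.com, the Houston site, the drive letters) comes from the text; making the domain controller a global catalog needs no parameter because that is the default, as the NoGlobalCatalog entry above states:

```powershell
# Added example, not part of the original Microsoft document.
Import-Module ADDSDeployment

# Enterprise Admins credentials named in the text; Get-Credential prompts for the password.
$eaCred = Get-Credential -UserName "corp\EnterpriseAdmin1" -Message "Enterprise Admins credentials"

$childParams = @{
    Credential                    = $eaCred
    NewDomainName                 = "child"                  # single label; FQDN becomes child.corp.contoso.com
    ParentDomainName              = "corp.contoso.com"
    DomainType                    = "ChildDomain"
    InstallDns                    = $true
    CreateDnsDelegation           = $true                    # delegation in the corp.contoso.com zone
    DomainMode                    = "Win2003"
    SiteName                      = "Houston"                # the site must already exist
    ReplicationSourceDC           = "DC1.corp.contoso.com"
    DatabasePath                  = "D:\NTDS"
    SysvolPath                    = "D:\SYSVOL"
    LogPath                       = "E:\Logs"
    SafeModeAdministratorPassword = (Read-Host -Prompt "DSRM password:" -AsSecureString)
}
# Global catalog is on by default, so nothing is added for it; -NoGlobalCatalog would turn it off.

# Run the prerequisite checks with the same values before changing anything.
Test-ADDSDomainInstallation @childParams

# -Confirm:$false suppresses the confirmation prompt, as the text's example asks.
Install-ADDSDomain @childParams -Confirm:$false
```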
To install a domain controller and DNS server in the corp.contoso.com domain and be prompted to supply the domain Administrator credentials and the DSRM
password, type:
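The replica domain controller installation just described, as an added example (not the document's own listing). corp.contoso.com comes from the text; Get-Credential is called without a user name so that it prompts for the domain Administrator account as well as the password, and -InstallDns is passed explicitly because its default depends on where the DNS zone is hosted:

```powershell
# Added example, not part of the original Microsoft document.
Import-Module ADDSDeployment

# No -UserName: the prompt asks for the domain Administrator account and its password.
$domainCred = Get-Credential -Message "Domain Admins credentials for corp.contoso.com"

$dcParams = @{
    DomainName                    = "corp.contoso.com"
    Credential                    = $domainCred
    InstallDns                    = $true      # explicit; the default depends on where the zone lives
    SafeModeAdministratorPassword = (Read-Host -Prompt "DSRM password:" -AsSecureString)
}

# Prerequisite checks first, with exactly the values the promotion will use.
Test-ADDSDomainControllerInstallation @dcParams

# Promote the server as an additional (writable) domain controller; it restarts on completion.
Install-ADDSDomainController @dcParams
```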
The command syntax to attach a server to an RODC account is as follows. Optional arguments appear within square brackets.
Then run the following commands on the server that you want to attach to the RODC1 account. The server cannot be joined to the domain. First, install the AD DS
server role and management tools:
Press Y to confirm, or include the -Confirm:$false argument to prevent the confirmation prompt.
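The two stages of the staged RODC installation, as an added example that is not the document's own listing. RODC1, corp.contoso.com, the Houston site and the RegionalAdmins/AdminPCs deny list come from the text; the delegated group corp\BranchAdmins and the delegated user corp\BranchAdmin1 are assumed names:

```powershell
# Added example, not part of the original Microsoft document.

# Stage 1: run by a member of Domain Admins on a domain-joined machine with the AD DS tools.
# Pre-creates the RODC account and delegates its installation and administration to a group.
Import-Module ADDSDeployment

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName "RODC1" `
    -DomainName "corp.contoso.com" `
    -SiteName "Houston" `
    -DelegatedAdministratorAccountName "corp\BranchAdmins" `
    -DenyPasswordReplicationAccountName "RegionalAdmins","AdminPCs" `
    -Credential (Get-Credential -Message "Domain Admins credentials")

# Stage 2: run on the branch server that will become RODC1. The server must be in a workgroup,
# not joined to the domain. Install the role and tools first, then attach to the existing account.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

Install-ADDSDomainController `
    -DomainName "corp.contoso.com" `
    -UseExistingAccount `
    -Credential (Get-Credential -UserName "corp\BranchAdmin1" -Message "Delegated RODC administrator") `
    -SafeModeAdministratorPassword (Read-Host -Prompt "DSRM password:" -AsSecureString) `
    -Confirm:$false
```

The point of the split is that stage 2 needs only the delegated account, not Domain Admins credentials, so nothing with forest-wide privileges has to be typed at the branch office.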
Note
In order to manage a domain-joined computer using Server Manager on a workgroup server, or vice-versa, additional configuration steps are needed. For more
information, see Add and manage servers in workgroups in Add Servers to Server Manager.
Installing AD DS
Administrative credentials
The credential requirements to install AD DS vary depending on which deployment configuration you choose. For more information, see Credential requirements
to run Adprep.exe and install Active Directory Domain Services.
Use the following procedures to install AD DS using the GUI method. The steps can be performed locally or remotely. For more detailed explanation of these steps,
see the following topics:
Deploying a Forest with Server Manager
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)
Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200)
6. On the Select features page, select any additional features you want to install and click Next.
7. On the Active Directory Domain Services page, review the information and then click Next.
8. On the Confirm installation selections page, click Install.
9. On the Results page, verify that the installation succeeded, and click Promote this server to a domain controller to start the Active Directory Domain
Services Configuration Wizard.
Important
If you close Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration Wizard, you can restart it by clicking
Tasks in Server Manager.
10. On the Deployment Configuration page, choose one of the following options:
If you are installing an additional domain controller in an existing domain, click Add a domain controller to an existing domain, and type the
name of the domain (for example, emea.corp.contoso.com) or click Select to choose a domain, and credentials (for example, specify an account
that is a member of the Domain Admins group) and then click Next.
Note
The name of the domain and current user credentials are supplied by default only if the machine is domain-joined and you are performing a
local installation. If you are installing AD DS on a remote server, you need to specify the credentials, by design. If current user credentials are
not sufficient to perform the installation, click Change in order to specify different credentials.
For more information, see Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200).
If you are installing a new child domain, click Add a new domain to an existing forest, for Select domain type, select Child Domain, type or
browse to the name of the parent domain DNS name (for example, corp.contoso.com), type the relative name of the new child domain (for
example emea), type credentials to use to create the new domain, and then click Next.
For more information, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).
If you are installing a new domain tree, click Add new domain to an existing forest, for Select domain type, choose Tree Domain, type the
name of the root domain (for example, corp.contoso.com), type the DNS name of the new domain (for example, fabrikam.com), type credentials
to use to create the new domain, and then click Next.
For more information, see Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200).
If you are installing a new forest, click Add a new forest and then type the name of the root domain (for example, corp.contoso.com).
For more information, see Install a New Windows Server 2012 Active Directory Forest (Level 200).
11. On the Domain Controller Options page, choose one of the following options:
If you are creating a new forest or domain, select the domain and forest functional levels, click Domain Name System (DNS) server, specify the
DSRM password, and then click Next.
If you are adding a domain controller to an existing domain, click Domain Name System (DNS) server, Global Catalog (GC), or Read Only
Domain Controller (RODC) as needed, choose the site name, and type the DSRM password and then click Next.
For more information about which options on this page are available or not available under different conditions, see Domain Controller Options.
12. On the DNS Options page (which appears only if you install a DNS server), click Update DNS delegation as needed. If you do, provide credentials that
have permission to create DNS delegation records in the parent DNS zone.
If a DNS server that hosts the parent zone cannot be contacted, the Update DNS Delegation option is not available.
For more information about whether you need to update the DNS delegation, see Understanding Zone Delegation. If you attempt to update the DNS
delegation and encounter an error, see DNS Options.
13. On the RODC Options page (which appears only if you install an RODC), specify the name of a group or user who will manage the RODC, add accounts
to or remove accounts from the Allowed or Denied password replication groups, and then click Next.
For more information, see Password Replication Policy.
14. On the Additional Options page, choose one of the following options:
If you are creating a new domain, type a new NetBIOS name or verify the default NetBIOS name of the domain, and then click Next.
If you are adding a domain controller to an existing domain, select the domain controller that you want to replicate the AD DS installation data
from (or allow the wizard to select any domain controller). If you are installing from media, click Install from media path type and verify the path
to the installation source files, and then click Next.
You cannot use install from media (IFM) to install the first domain controller in a domain. IFM does not work across different operating system
versions. In other words, in order to install an additional domain controller that runs Windows Server 2012 by using IFM, you must create the
backup media on a Windows Server 2012 domain controller. For more information about IFM, see Installing an Additional Domain Controller by
Using IFM.
15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder (or accept default locations), and click Next.
Important
Do not store the Active Directory database, log files, or SYSVOL folder on a data volume formatted with Resilient File System (ReFS).
16. On the Preparation Options page, type credentials that are sufficient to run adprep. For more information, see Credential requirements to run
Adprep.exe and install Active Directory Domain Services.
17. On the Review Options page, confirm your selections, click View script if you want to export the settings to a Windows PowerShell script, and then click
Next.
18. On the Prerequisites Check page, confirm that prerequisite validation completed and then click Install.
19. On the Results page, verify that the server was successfully configured as a domain controller. The server will be restarted automatically to complete the
AD DS installation.
A staged RODC installation allows you to create an RODC in two stages. In the first stage, a member of the Domain Admins group creates an RODC account. In the
second stage, a server is attached to the RODC account. The second stage can be completed by a member of the Domain Admins group or a delegated domain user
or group.
After an RODC account is created, you can attach a server to account to complete the RODC installation. This second stage can be completed in the branch office
where the RODC will be located. The server where you perform this procedure must not be joined to the domain. Beginning in Windows Server 2012, you use the
Add Roles Wizard in Server Manager to attach a server to an RODC account.
Important
If you close Add Roles Wizard at this point without starting the Active Directory Domain Services Configuration Wizard, you can restart it by clicking
Tasks in Server Manager.
11. On the Deployment Configuration page, click Add a domain controller to an existing domain, type the name of the domain (for example,
emea.contoso.com) and credentials (for example, specify an account that is delegated to manage and install the RODC), and then click Next.
12. On the Domain Controller Options page, click Use existing RODC account, type and confirm the Directory Services Restore Mode password, and then
click Next.
13. On the Additional Options page, if you are installing from media, click Install from media path type and verify the path to the installation source files,
select the domain controller that you want to replicate the AD DS installation data from (or allow the wizard to select any domain controller) and then click
Next.
14. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL folder, or accept default locations, and then click Next.
15. On the Review Options page, confirm your selections, click View Script to export the settings to a Windows PowerShell script, and then click Next.
16. On the Prerequisites Check page, confirm that prerequisite validation completed and then click Install.
To complete the AD DS installation, the server will restart automatically.
See Also
Concepts
Troubleshooting Domain Controller Deployment
Install a New Windows Server 2012 Active Directory Forest (Level 200)
Install a New Windows Server 2012 Active Directory Child or Tree Domain (Level 200)
Install a Replica Windows Server 2012 Domain Controller in an Existing Domain (Level 200)
This topic explains the new Windows Server 2012 Active Directory Domain Services domain controller promotion feature at an introductory level. In Windows Server 2012, AD DS replaces the Dcpromo tool with a Server Manager and Windows PowerShell-based deployment system.
Active Directory Domain Services Simplified Administration
Technical Overview
Deploying a Forest with Server Manager
Deploying a Forest with Windows PowerShell
Technical Overview
What You Should Know Before You Begin
This topic assumes familiarity with previous releases of Active Directory Domain Services, and does not provide foundational detail around their purpose and
functionality. For more information about AD DS, see the TechNet Portal pages linked below:
Active Directory Domain Services for Windows Server 2008 R2
Active Directory Domain Services for Windows Server 2008
Windows Server Technical Reference
Functional Descriptions
AD DS Role Installation
Active Directory Domain Services installation uses Server Manager and Windows PowerShell, like all other server roles and features in Windows Server 2012. The
Dcpromo.exe program no longer provides GUI configuration options.
You use a graphical wizard in Server Manager or the ServerManager module for Windows PowerShell in both local and remote installations. By running multiple
instances of those wizards or cmdlets and targeting different servers, you can deploy AD DS to multiple domain controllers simultaneously, all from one single
console. Although these new features are not backwards compatible with Windows Server 2008 R2 or earlier operating systems, you can also still use the
Dism.exe application introduced in Windows Server 2008 R2 for local role installation from the classic command-line.
AD DS Role Configuration
Active Directory Domain Services configuration, previously known as DCPROMO, is now a discrete operation from role installation. After installing the AD
DS role, an administrator configures the server as a domain controller using a separate wizard within Server Manager or using the ADDSDeployment Windows
PowerShell module.
AD DS role configuration builds on twelve years of field experience and now configures domain controllers based on the most recent Microsoft best practices.
For example, Domain Name System and Global Catalogs install by default on every domain controller.
The Server Manager AD DS configuration wizard merges many individual dialogs into fewer prompts and no longer hides settings in an advanced mode. The
entire promotion process is in one expanding dialog box during installation. The wizard and the ADDSDeployment Windows PowerShell module show you
notable changes and security concerns, with links to further information.
Dcpromo.exe remains in Windows Server 2012 for command-line unattended installations only, and no longer runs the graphical installation wizard. It is
highly recommended that you discontinue use of Dcpromo.exe for unattended installs and replace it with the ADDSDeployment module, as the now-deprecated executable will not be included in the next version of Windows.
These new features are not backwards compatible to Windows Server 2008 R2 or older operating systems.
Important
Dcpromo.exe no longer contains a graphical wizard and no longer installs role or feature binaries. Attempting to run Dcpromo.exe from the Explorer shell
returns:
The Active Directory Domain Services Installation Wizard is relocated in Server Manager. For more information, see http://go.microsoft.com/fwlink/?
LinkId=220921.
Attempting to run Dcpromo.exe /unattend still installs the binaries, as in previous operating systems, but warns:
The dcpromo unattended operation is replaced by the ADDSDeployment module for Windows PowerShell. For more information, see
http://go.microsoft.com/fwlink/?LinkId=220924.
Windows Server 2012 deprecates dcpromo.exe and it will not be included with future versions of Windows, nor will it receive further enhancements in this
operating system. Administrators should discontinue its use and switch to the supported Windows PowerShell modules if they wish to create domain
controllers from the command-line.
Prerequisite Checking
Domain controller configuration also implements a prerequisite checking phase that evaluates the forest and domain prior to continuing with domain controller
promotion. This includes FSMO role availability, user privileges, extended schema compatibility and other requirements. This new design alleviates issues where
domain controller promotion starts and then halts midway with a fatal configuration error. This lessens the chance of orphaned domain controller metadata in
the forest or a server that incorrectly believes it is a domain controller.
This gives you three ways to add servers to the pool for use or grouping:
Active Directory search (uses LDAP, requires that the computers belong to a domain, allows operating system filtering and supports wildcards)
DNS search (uses DNS alias or IP address via ARP or NetBIOS broadcast or WINS lookup, does not allow operating system filtering or support wildcards)
Import (uses a text file list of servers separated by CR/LF)
Click Find Now to return a list of servers from the Active Directory domain that the computer is joined to, then click one or more server names from the list of
servers. Click the right arrow to add the servers to the Selected list. Use the Add Servers dialog to add selected servers to dashboard role groups. Or click
Manage, and then click Create Server Group, or click Create Server Group on the dashboard Welcome to Server Manager tile to create custom server
groups.
Note
The Add Servers procedure does not validate that a server is online or accessible. However, any unreachable servers are flagged in the Manageability view in Server
Manager at the next refresh.
You can install roles remotely on any Windows Server 2012 computers added to the pool, as shown:
You cannot fully manage servers running operating systems older than Windows Server 2012. The Add Roles and Features selection runs the ServerManager
Windows PowerShell module cmdlet Install-WindowsFeature.
You can also use the Server Manager Dashboard on an existing domain controller to select remote server AD DS installation with the role already preselected by
right-clicking the AD DS dashboard tile and selecting Add AD DS to Another Server. This invokes Install-WindowsFeature AD-Domain-Services.
The computer you are running Server Manager on pools itself automatically. To install the AD DS role here, simply click the Manage menu and click Add Roles
and Features.
Installation Type
The Installation Type dialog provides an option that does not support Active Directory Domain Services: the Remote Desktop Services scenario-based installation. That option only allows Remote Desktop Services in a multi-server distributed workload. If you select it, AD DS cannot install.
Always leave the default selection in place when installing AD DS: Role-based or Feature-based Installation.
Server Selection
The Server Selection dialog enables you to choose from one of the servers previously added to the pool, as long as it is accessible. The local server running
Server Manager is automatically available.
In addition, you can select offline Hyper-V VHD files with the Windows Server 2012 operating system and Server Manager adds the role to them directly
through component servicing. This allows you to provision virtual servers with the necessary components before further configuring them.
Select the Active Directory Domain Services role if you intend to promote a domain controller. All Active Directory administration features and required
services install automatically, even if they are ostensibly part of another role or do not appear selected in the Server Manager interface.
Server Manager also presents an informational dialog that shows which management features this role implicitly installs; this is equivalent to the
-IncludeManagementTools argument.
The Active Directory Domain Services dialog provides limited information on requirements and best practices. It mainly acts as a confirmation that you chose
the AD DS role; if this screen does not appear, you did not select AD DS.
Confirmation
The Confirmation dialog is the final checkpoint before role installation starts. It offers an option to restart the computer as needed after role installation, but
AD DS installation does not require a reboot.
By clicking Install, you confirm you are ready to begin role installation. You cannot cancel a role installation once it begins.
Results
The Results dialog shows the current installation progress and current installation status. Role installation continues regardless of whether Server Manager is
closed.
Verifying the installation results is still a best practice. If you close the Results dialog before installation completes, you can check the results using the Server
Manager notification flag. Server Manager also shows a warning message for any servers that have installed the AD DS role but not been further configured as
domain controllers.
Task Notifications
AD DS Details
Task Details
At the end of the AD DS role installation, you can continue with configuration by using the Promote this server to a domain controller link. This step is required to
make the server a domain controller, but it is not necessary to run the configuration wizard immediately. For example, you may only want to provision servers with
the AD DS binaries before sending them to another branch office for later configuration. By adding the AD DS role before shipping, you save time when it
reaches its destination. You also follow the best practice of not keeping a domain controller offline for days or weeks. Finally, this enables you to update
components before domain controller promotion, saving you at least one subsequent reboot.
Selecting this link later invokes the ADDSDeployment cmdlets: install-addsforest, install-addsdomain, or install-addsdomaincontroller.
Uninstalling/Disabling
You remove the AD DS role like any other role, regardless of whether you promoted the server to a domain controller. However, removing the AD DS role requires
a restart on completion.
Active Directory Domain Services role removal is different from installation, in that it requires domain controller demotion before it can complete. This is necessary
to prevent a domain controller from having its role binaries uninstalled without proper metadata cleanup in the forest. For more information, see Demoting
Domain Controllers and Domains (Level 200).
Warning
Removing the AD DS roles with Dism.exe or the Windows PowerShell DISM module after promotion to a Domain Controller is not supported and will prevent
the server from booting normally.
Unlike Server Manager or the AD DS Deployment module for Windows PowerShell, DISM is a native servicing system that has no inherent knowledge of AD DS
or its configuration. Do not use Dism.exe or the Windows PowerShell DISM module to uninstall the AD DS role unless the server is no longer a domain
controller.
Deployment Configuration
Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on
this page and subsequent pages, depending on which deployment operation you select.
To create a new Active Directory forest, click Add a new forest. You must provide a valid root domain name; the name cannot be single-labeled (for example,
the name must be contoso.com or similar and not just contoso) and must meet DNS domain naming requirements.
For more information on valid domain names, see KB article Naming conventions in Active Directory for computers, domains, sites, and OUs.
Warning
Do not create new Active Directory forests with the same name as an external DNS name. For example, if your Internet DNS URL is http://contoso.com, you
must choose a different name for your internal forest to avoid future compatibility issues. That name should be unique and unlikely for web traffic. For
example: corp.contoso.com.
A new forest does not need new credentials for the domain's Administrator account. The domain controller promotion process uses the credentials of the built-in Administrator account from the first domain controller used to create the forest root. There is no way (by default) to disable or lock out the built-in
Administrator account, and it may be the only entry point into a forest if the other administrative domain accounts are unusable. It is critical to know the
password before deploying a new forest.
The -DomainName argument is required and must be a valid fully qualified DNS domain name.
The Domain Controller Options page enables you to configure the forest functional level and domain functional level for the new forest root domain. By default,
these settings are Windows Server 2012 in a new forest root domain. The Windows Server 2012 forest functional level does not provide any new functionality
over the Windows Server 2008 R2 forest functional level. The Windows Server 2012 domain functional level is required only in order to implement the new
Kerberos settings "always provide claims" and "Fail unarmored authentication requests." A primary use for functional levels in Windows Server 2012 is to restrict
participation in the domain to domain controllers that meet minimum-allowed operating system requirements. In other words, if you specify the Windows Server
2012 domain functional level, only domain controllers that run Windows Server 2012 can host the domain. Windows Server 2012 implements a new domain
controller flag called DS_WIN8_REQUIRED in the DSGetDcName function of NetLogon that exclusively locates Windows Server 2012 domain controllers. This
gives you the flexibility to decide how homogeneous or heterogeneous the forest is in terms of which operating systems are permitted to run on domain controllers.
For more information about domain controller Location, review Directory Service Functions.
The only configurable domain controller capability is the DNS server option. Microsoft recommends that all domain controllers provide DNS services for high
availability in distributed environments, which is why this option is selected by default when installing a domain controller in any mode or domain. The Global
Catalog and read only domain controller options are unavailable when creating a new forest root domain; the first domain controller must be a GC, and cannot
be a read only domain controller (RODC).
The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server, which by default does not require a
strong password; only a non-blank one. Always choose a strong, complex password or preferably, a passphrase.
The DNS Options page enables you to configure DNS delegation and provide alternate DNS administrative credentials.
You cannot configure DNS options or delegation in the Active Directory Domain Services Configuration Wizard when installing a new Active Directory forest
root domain if you selected the DNS server option on the Domain Controller Options page. The Create DNS delegation option is available when creating a
new forest root DNS zone in an existing DNS server infrastructure. This option enables you to provide alternate DNS administrative credentials that have the
rights to update the DNS zone.
For more information about whether you need to create a DNS delegation, see Understanding Zone Delegation.
Additional Options
The Additional Options page shows the NetBIOS name of the domain and enables you to override it. By default, the NetBIOS domain name matches the leftmost label of the fully qualified domain name provided on the Deployment Configuration page. For example, if you provided the fully qualified domain name
of corp.contoso.com, the default NetBIOS domain name is CORP.
If the name is 15 characters or less and does not conflict with another NetBIOS name, it is unaltered. If it does conflict with another NetBIOS name, a number is
appended to the name. If the name is more than 15 characters, the wizard provides a unique, truncated suggestion. In either case, the wizard first validates the
name is not already in use via a WINS lookup and NetBIOS broadcast.
For more information on valid domain names, see KB article Naming conventions in Active Directory for computers, domains, sites, and OUs.
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default
locations are always in subdirectories of %systemroot% (i.e. C:\Windows).
The Review Options page enables you to validate your settings and ensure they meet your requirements before you start the installation. This is not the last
opportunity to stop the installation when using Server Manager. This is simply an option to confirm your settings before continuing the configuration.
The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current
ADDSDeployment configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows
PowerShell deployment studio. Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel
the wizard. This process creates a valid and syntactically correct sample for further modification or direct use. For example:
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDNSDelegation `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "corp.contoso.com" `
-DomainNetBIOSName "CORP" `
-ForestMode "Win2012" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true
Note
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of
Windows or service packs). The one exception to this is the -SafeModeAdministratorPassword argument, which is deliberately omitted from the script. To
force a confirmation prompt, omit the value when running the cmdlet interactively.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new
AD DS forest.
When installing a new forest root domain, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of modular tests. These
tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller process cannot continue until all
prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older operating systems.
For more information on the specific prerequisite checks, see Prerequisite Checking.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page
and are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
Note
You can run multiple role installation and AD DS configuration wizards from the same Server Manager console simultaneously.
Results
The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot
after 10 seconds.
ServerManager Cmdlet
Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the
AD DS Configuration Wizard.)
Install-WindowsFeature/Add-WindowsFeature
-Name
-Restart
-IncludeAllSubFeature
-IncludeManagementTools
-Source
-ComputerName
-Credential
-LogPath
-Vhd
-ConfigurationFilePath
Note
While not required, the argument -IncludeManagementTools is highly recommended when installing the AD DS role binaries.
The ServerManager module exposes the role installation, status, and removal portions of the new DISM module for Windows PowerShell. This layering simplifies
most tasks and reduces the need for direct usage of the powerful (but dangerous when misused) DISM module.
Use Get-Command to export the aliases and cmdlets in ServerManager.
To add the Active Directory Domain Services role, run Install-WindowsFeature with the AD DS role name as an argument. Like Server Manager, all
services required by the AD DS role install automatically.
To list all features and roles with their installation status, use Get-WindowsFeature without arguments. Specify -ComputerName argument for the installation
status from a remote server.
Get-WindowsFeature
Because Get-WindowsFeature does not have a filtering mechanism, you must use Where-Object with a pipeline to find specific features. The pipeline is a
channel used between multiple cmdlets to pass data and the Where-Object cmdlet acts as a filter. The built-in $_ variable acts as the current object passing
through the pipeline with any properties it may contain.
For more information about Windows PowerShell pipelines and Where-Object, see Piping and the Pipeline in Windows PowerShell.
Note also that Windows PowerShell 3.0 significantly simplified the command-line arguments needed in this pipeline operation. Windows PowerShell 2.0 would
have required:
Install-WindowsFeature | Format-List
Install-WindowsFeature | Select-Object | Format-List
Note how using the Select-Object cmdlet with the -expandproperty argument returns interesting data:
Note
The Select-Object -expandproperty argument slows down overall installation performance slightly.
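The Get-WindowsFeature and Where-Object pipeline described above, put to work as an added example (not code from the original topic): the function reports, for each pooled server, whether the AD DS binaries are installed and whether the server has actually been promoted, so machines left in the "role installed, not yet a domain controller" state that Server Manager warns about can be found from a script. It assumes the ServerManager module, remote management enabled on each target, and a constructed server list.

```powershell
# Added audit helper, not part of the original topic. Assumes the ServerManager module
# (Windows Server 2012, so -ComputerName is available) and WinRM access to each server.
Import-Module ServerManager

function Get-AdDsRoleState {
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        try {
            # Windows PowerShell 3.0 simplified Where-Object syntax; 2.0 would need
            # Where-Object { $_.Name -eq 'AD-Domain-Services' }
            $feature = Get-WindowsFeature -ComputerName $server |
                       Where-Object Name -eq 'AD-Domain-Services'
            # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC; lower values are not DCs
            $role = (Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $server).DomainRole
            $state = if ($feature.Installed -and $role -ge 4) { 'DomainController' }
                     elseif ($feature.Installed)              { 'RoleInstalledNotPromoted' }
                     else                                     { 'RoleNotInstalled' }
        }
        catch {
            # Add Servers does not check reachability either; report it instead of aborting the run
            $state = "Unreachable: $($_.Exception.Message)"
        }
        [pscustomobject]@{ ComputerName = $server; State = $state }
    }
}

# Constructed sample pool; replace with your own names or a Get-Content list (the Import option).
Get-AdDsRoleState -ComputerName 'DC01', 'BRANCH-SRV01' | Format-Table -AutoSize
```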
Install-AddsForest
The Install-AddsForest cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation phase with the minimum
required argument of -domainname.
ADDSDeployment
Cmdlet
Install-Addsforest
Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS
Configuration Wizard.)
-Confirm
-CreateDNSDelegation
-DatabasePath
-DomainMode
-DomainName
-DomainNetBIOSName
-DNSDelegationCredential
-ForestMode
-Force
-InstallDNS
-LogPath
-NoDnsOnNetwork
-NoRebootOnCompletion
-SafeModeAdministratorPassword
-SkipAutoConfigureDNS
-SkipPreChecks
-SYSVOLPath
-Whatif
Note
The -DomainNetBIOSName argument is required if you want to change the automatically generated 15-character name based on the DNS domain name
prefix or if the name exceeds 15 characters.
The equivalent Server Manager Deployment Configuration ADDSDeployment cmdlet and arguments are:
Install-ADDSForest
-DomainName <string>
The equivalent Server Manager Domain Controller Options ADDSDeployment cmdlet arguments are:
The Install-ADDSForest arguments follow the same defaults as Server Manager if not specified.
The SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet
interactively.
For example, to create a new forest named corp.contoso.com and be prompted to enter and confirm a masked password:
If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:
Warning
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
$file = "c:\pw.txt"
$pw = Read-Host -Prompt "Password:" -AsSecureString
$pw | ConvertFrom-SecureString | Set-Content $file
-SafeModeAdministratorPassword (Get-Content $file | ConvertTo-SecureString)
Warning
Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script or looking over your shoulder knows
the DSRM password of that domain controller. Anyone with access to the file could reverse that obfuscated password. With that knowledge, they can logon to a
DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an Active Directory forest. An
additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to totally avoid
password storage.
The ADDSDeployment cmdlet offers an additional option to skip automatic configuration of DNS client settings, forwarders, and root hints. You cannot skip this
configuration option when using Server Manager. This argument matters only if you installed the DNS Server role prior to configuring the domain controller:
-SkipAutoConfigureDNS
The DomainNetBIOSName operation is also special:
If the DomainNetBIOSName argument is not specified with a NetBIOS domain name and the single-label prefix domain name in the DomainName
argument is 15 characters or fewer, then promotion continues with an automatically generated name.
If the DomainNetBIOSName argument is not specified with a NetBIOS domain name and the single-label prefix domain name in the DomainName
argument is 16 characters or more, then promotion fails.
If the DomainNetBIOSName argument is specified with a NetBIOS domain name of 15 characters or fewer, then promotion continues with that specified
name.
If the DomainNetBIOSName argument is specified with a NetBIOS domain name of 16 characters or more, then promotion fails.
The equivalent Server Manager Additional Options ADDSDeployment cmdlet argument is:
-DomainNetBIOSName <string>
The equivalent Server Manager Paths ADDSDeployment cmdlet arguments are:
-DatabasePath <string>
-LogPath <string>
-SYSVOLPath <string>
Use the optional Whatif argument with the Install-ADDSForest cmdlet to review configuration information. This enables you to see the explicit and implicit
values of a cmdlet's arguments.
For example:
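As an added example (not the topic's own script or the screenshot that followed it), the following wrapper applies the naming rules described above before Install-ADDSForest runs, and previews the result with -WhatIf. It assumes the ADDSDeployment module and an interactive session, and uses contoso.com as a constructed placeholder for the organization's external DNS name.

```powershell
# Added pre-flight wrapper, not part of the original topic. Checks: the root domain name is not
# single-labeled, does not reuse the external DNS name, has valid labels, and the NetBIOS name
# derived from the leftmost label is 15 characters or fewer unless -DomainNetBIOSName overrides it.
Import-Module ADDSDeployment

function Test-ForestDomainName {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # Constructed placeholder for the public DNS name the internal forest must not duplicate
        [string]$ExternalDnsName = 'contoso.com'
    )
    if ($DomainName -notmatch '\.') {
        throw "'$DomainName' is single-labeled; use a name such as corp.$DomainName."
    }
    if ($DomainName -ieq $ExternalDnsName) {
        throw "'$DomainName' is the external DNS name; use a distinct internal name such as corp.$ExternalDnsName."
    }
    foreach ($label in $DomainName.Split('.')) {
        # Letters, digits and interior hyphens only, 1 to 63 characters per label
        if ($label -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$') {
            throw "Label '$label' in '$DomainName' is not a valid DNS label."
        }
    }
    return $true
}

function Get-DefaultNetBiosName {
    # Mirrors the cmdlet: the leftmost DNS label becomes the NetBIOS name; 16 or more characters
    # means promotion fails unless -DomainNetBIOSName is supplied. The WINS/NetBIOS conflict
    # check is left to the prerequisite check, which this script does not replace.
    param([Parameter(Mandatory)][string]$DomainName)
    $prefix = $DomainName.Split('.')[0].ToUpperInvariant()
    if ($prefix.Length -gt 15) {
        throw "'$prefix' is $($prefix.Length) characters; supply -DomainNetBIOSName with 15 or fewer."
    }
    return $prefix
}

function Start-ForestDeployment {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$DomainNetBIOSName,
        [switch]$Preview
    )
    Test-ForestDomainName -DomainName $DomainName | Out-Null
    if (-not $DomainNetBIOSName) {
        $DomainNetBIOSName = Get-DefaultNetBiosName -DomainName $DomainName
    } elseif ($DomainNetBIOSName.Length -gt 15) {
        throw "-DomainNetBIOSName '$DomainNetBIOSName' exceeds 15 characters; promotion would fail."
    }
    # Every argument is spelled out, as the View Script output does, so changing defaults cannot
    # surprise you. -SafeModeAdministratorPassword is deliberately omitted: the cmdlet then prompts
    # for and confirms a masked DSRM password instead of reading it from a variable or file.
    # -CreateDNSDelegation stays false here; set it only when creating the forest root zone in an
    # existing DNS server infrastructure.
    $params = @{
        DomainName           = $DomainName
        DomainNetBIOSName    = $DomainNetBIOSName
        DomainMode           = 'Win2012'
        ForestMode           = 'Win2012'
        InstallDns           = $true
        CreateDnsDelegation  = $false
        DatabasePath         = 'C:\Windows\NTDS'
        LogPath              = 'C:\Windows\NTDS'
        SysvolPath           = 'C:\Windows\SYSVOL'
        NoRebootOnCompletion = $false
    }
    if ($Preview) {
        Install-ADDSForest @params -WhatIf   # shows the explicit and implied values only
    } else {
        Install-ADDSForest @params           # no -Force: the reboot confirmation prompt stays
    }
}

Start-ForestDeployment -DomainName 'corp.contoso.com' -Preview
```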
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet using the
following argument:
-SkipPreChecks
Warning
Microsoft discourages skipping the prerequisite check, as it can lead to a partial domain controller promotion or a damaged AD DS forest.
Note how, just like Server Manager, Install-ADDSForest reminds you that promotion will reboot the server automatically.
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the
server from automatically rebooting at the end of promotion, use the -norebootoncompletion argument.
Warning
Overriding the reboot is discouraged. The domain controller must reboot to function correctly.
See Also
Other Resources
Active Directory Domain Services (TechNet Portal)
Active Directory Domain Services for Windows Server 2008 R2
Active Directory Domain Services for Windows Server 2008
Windows Server Technical Reference (Windows Server 2003)
Active Directory Administrative Center: Getting Started (Windows Server 2008 R2)
Active Directory Administration with Windows PowerShell (Windows Server 2008 R2)
Ask the Directory Services Team (Official Microsoft Commercial Technical Support Blog)
This topic covers the steps necessary to upgrade an existing forest or domain to Windows Server 2012, using either Server Manager or Windows PowerShell. It covers
how to add domain controllers that run Windows Server 2012 to an existing domain.
Upgrade and Replica Workflow
Upgrade and Replica Windows PowerShell
Deployment
ADDSDeployment Cmdlet
Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS
Configuration Wizard.)
Install-AddsDomainController
-SkipPreChecks
-DomainName
-SafeModeAdministratorPassword
-SiteName
-ADPrepCredential
-ApplicationPartitionsToReplicate
-AllowDomainControllerReinstall
-Confirm
-CreateDNSDelegation
-Credential
-CriticalReplicationOnly
-DatabasePath
-DNSDelegationCredential
-Force
-InstallationMediaPath
-InstallDNS
-LogPath
-MoveInfrastructureOperationMasterRoleIfNecessary
-NoDnsOnNetwork
-NoGlobalCatalog
-Norebootoncompletion
-ReplicationSourceDC
-SkipAutoConfigureDNS
-SiteName
-SystemKey
-SYSVOLPath
-UseExistingAccount
-Whatif
Note
The -credential argument is only required if you are not already logged on as a member of the Enterprise Admins and Schema Admins groups (if you are
upgrading the forest) or the Domain Admins group (if you are adding a new DC to an existing domain).
Deployment
Deployment Configuration
Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on this
page and subsequent pages, depending on which deployment operation you select.
To upgrade an existing forest or add a writable domain controller to an existing domain, click Add a domain controller to an existing domain and click Select to
specify the domain information for this domain. Server Manager prompts you for valid credentials if needed.
Upgrading the forest requires credentials that include group memberships in both the Enterprise Admins and Schema Admins groups in Windows Server 2012.
The Active Directory Domain Services Configuration Wizard prompts you later if your current credentials do not have adequate permissions or group
memberships.
The automatic Adprep process is the only operational difference between adding a domain controller to an existing Windows Server 2012 domain and a domain
where domain controllers run an earlier version of Windows Server.
The Deployment Configuration ADDSDeployment cmdlet and arguments are:
Install-AddsDomainController
-DomainName <string>
-Credential <pscredential>
Certain tests run at each page, some of which repeat later as discrete prerequisite checks. For instance, if the selected domain does not meet the minimum
functional levels, you do not have to go all the way through promotion to the prerequisite check to find out:
The Domain Controller Options page specifies the domain controller capabilities for the new domain controller. The configurable domain controller capabilities
are DNS server, Global Catalog, and Read-only domain controller. Microsoft recommends that all domain controllers provide DNS and GC services for high
availability in distributed environments. GC is always selected by default, and DNS server is selected by default if the current domain already hosts DNS on its DCs,
based on a Start of Authority query. The Domain Controller Options page also enables you to choose the appropriate Active Directory logical site name from the
forest configuration. By default, it selects the site whose subnet best matches the server's address. If there is only one site, it is selected automatically.
Note
If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is selected and the Next button is
unavailable until you choose a site from the list.
The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server. Always choose a strong, complex password
or preferably, a passphrase.
The Domain Controller Options ADDSDeployment arguments are:
Important
The site name must already exist when provided as an argument to -SiteName. The Install-ADDSDomainController cmdlet does not create sites. You can use
the New-ADReplicationSite cmdlet to create new sites.
Warning
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
Finally, you could store the obfuscated password in a file, and then reuse it later, without the clear text password ever appearing. For example:
$file = "c:\pw.txt"
$pw = Read-Host -Prompt "Password:" -AsSecureString
$pw | ConvertFrom-SecureString | Set-Content $file
-SafeModeAdministratorPassword (Get-Content $file | ConvertTo-SecureString)
Warning
Providing or storing a clear-text or obfuscated password is not recommended. Anyone who can read the script, or who is looking over your shoulder, knows
the DSRM password of that domain controller. The file form is not much better: ConvertFrom-SecureString without -Key protects the value with DPAPI for the
user who wrote it on that machine, so anyone who can run code as that user on that machine can recover the clear text. With that knowledge, they can log on to a
DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an Active Directory forest. An
additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to totally avoid
password storage.
The ADDSDeployment cmdlet offers an additional option to skip automatic configuration of DNS client settings, forwarders, and root hints. You cannot skip this
configuration option when using Server Manager. This argument matters only if you installed the DNS Server role prior to configuring the domain controller:
-SkipAutoConfigureDNS
The Domain Controller Options page warns that you cannot create read only domain controllers if your existing domain controllers run Windows Server 2003.
This is expected, and you can dismiss the warning.
The DNS Options page enables you to configure DNS delegation if you selected the DNS server option on the Domain Controller Options page and if pointing to
a zone where DNS delegations are allowed. You may need to provide alternate credentials of a user that is a member of the DNS Admins group.
The DNS Options ADDSDeployment cmdlet arguments are:
-CreateDNSDelegation
-DNSDelegationCredential <pscredential>
For more information about whether you need to create a DNS delegation, see Understanding Zone Delegation.
Additional Options
The Additional Options page provides the configuration option to name a domain controller as the replication source, or you can use any domain controller as
the replication source.
You can also choose to install the domain controller using backed up media using the Install from media (IFM) option. The Install from media checkbox provides
a browse option once selected and you must click Verify to ensure the provided path is valid media. Media used by the IFM option is created with Windows Server
Backup or Ntdsutil.exe from another existing Windows Server 2012 computer only; you cannot use a Windows Server 2008 R2 or previous operating system to
create media for a Windows Server 2012 domain controller. For more information about changes in IFM, see Simplified Administration Appendix. If using media
protected with a SYSKEY, Server Manager prompts for the image's password during verification.
The Additional Options ADDSDeployment cmdlet arguments are:
-ReplicationSourceDC <string>
-InstallationMediaPath <string>
-SystemKey <secure string>
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default
locations are always in subdirectories of %systemroot%.
The Active Directory Paths ADDSDeployment cmdlet arguments are:
-DatabasePath <string>
-LogPath <string>
-SYSVOLPath <string>
Preparation Options
The Preparation Options page alerts you that the AD DS configuration includes extending the Schema (forestprep) and updating the domain (domainprep). You
only see this page when the forest and domain have not been prepared by previous Windows Server 2012 domain controller installation or from manually running
Adprep.exe. For example, the Active Directory Domain Services Configuration Wizard suppresses this page if you add a new domain controller to an existing
Windows Server 2012 forest root domain.
Extending the Schema and updating the domain do not occur when you click Next. These events occur only during the installation phase. This page simply brings
awareness about the events that will occur later in the installation.
This page also validates that the current user credentials are members of the Schema Admins and Enterprise Admins groups, as you need membership in these
groups to extend the schema or prepare a domain. Click Change to provide adequate user credentials if the page informs you that the current credentials do
not provide sufficient permissions.
The Preparation Options ADDSDeployment cmdlet argument is:
-ADPrepCredential <pscredential>
Important
As with previous versions of Windows Server, automated domain preparation for domain controllers that run Windows Server 2012 does not run GPPREP. Run
adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
You should run GPPrep only once in the history of a domain, not with every upgrade. Adprep.exe does not run /gpprep automatically because its operation can
cause all files and folders in the SYSVOL folder to re-replicate on all domain controllers.
Automatic RODCPrep runs when you promote the first un-staged RODC in a domain. It does not occur when you promote the first writeable Windows Server
2012 domain controller. You can also still run adprep.exe /rodcprep manually if you plan to deploy read-only domain controllers.
The Review Options page enables you to validate your settings and ensure that they meet your requirements before you start the installation. This is not the last
opportunity to stop the installation using Server Manager. This page simply enables you to review and confirm your settings before continuing the configuration.
The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current ADDSDeployment
configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio.
Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a
valid and syntactically correct sample for further modification or direct use.
For example:
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
-CreateDNSDelegation `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "root.fabrikam.com" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-SiteName "Default-First-Site-Name" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true
Note
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of
Windows or service packs). The one exception to this is the -SafeModeAdministratorPassword argument. To force a confirmation prompt, omit the value when
running the cmdlet interactively.
Use the optional -WhatIf argument with the Install-ADDSDomainController cmdlet to review configuration information. This enables you to see the explicit
and implicit values of the arguments for a cmdlet.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the domain and forest are capable of supporting a new
Windows Server 2012 domain controller.
When installing a new domain controller, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests.
These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller process cannot continue until all
prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older operating systems.
For more information about the specific prerequisite checks, see Prerequisite Checking.
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet using the
following argument:
-SkipPreChecks
Warning
Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or damaged AD DS forest.
Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it
begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results. The Prerequisites Check page displays any issues it
encountered during the process and guidance for resolving each issue.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and
are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
%systemroot%\debug\adprep\logs
%systemroot%\debug\netsetup.log (if server is in a workgroup)
To install an additional domain controller in an existing domain using the ADDSDeployment module, use the following cmdlet:
Install-ADDSDomainController
See Upgrade and Replica Windows PowerShell for required and optional arguments.
The Install-AddsDomainController cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation phase with
the minimum required arguments of -domainname and -credential. Note how the Adprep operation happens automatically as part of adding the first Windows
Server 2012 domain controller to an existing Windows Server 2003 forest:
Note how, just like Server Manager, Install-ADDSDomainController reminds you that promotion will reboot the server automatically. To accept the reboot
prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from
automatically rebooting at the end of promotion, use the -norebootoncompletion argument.
Warning
Overriding the reboot is discouraged. The domain controller must reboot to function correctly.
To configure a domain controller remotely using Windows PowerShell, wrap the Install-ADDSDomainController cmdlet inside the Invoke-Command cmdlet. The
remote commands go in a script block, so this requires using the curly braces.
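The following is an added example of that pattern; it is not code from the original page. It promotes an assumed member server named DC02 into the assumed domain corp.contoso.com from an administrator workstation. The domain credential and the DSRM password are prompted for locally and copied into the remote script block with $using:, so neither one is written to a file or typed on a command line; the server, domain and site names are assumptions.

```powershell
# Added example (not from the original page): promote a remote member server to a
# replica domain controller over PowerShell remoting. Assumed names: target server
# "DC02", domain "corp.contoso.com", site "Default-First-Site-Name".
$domainCred = Get-Credential -Message "Domain Admins credential for corp.contoso.com"
$dsrm       = Read-Host -Prompt "DSRM password for DC02" -AsSecureString

# Everything inside the braces runs on DC02. $using: copies the local variables into
# the remote session; the secure string travels inside the encrypted remoting channel.
Invoke-Command -ComputerName "DC02" -Credential $domainCred -ScriptBlock {
    Import-Module ADDSDeployment
    Install-ADDSDomainController `
        -DomainName "corp.contoso.com" `
        -Credential $using:domainCred `
        -SafeModeAdministratorPassword $using:dsrm `
        -SiteName "Default-First-Site-Name" `
        -InstallDns:$true `
        -NoGlobalCatalog:$false `
        -Force:$true
}

# -Force:$true suppresses the reboot confirmation, so DC02 reboots when promotion
# finishes and the remote session ends at that point. Check the outcome afterwards
# in %systemroot%\debug\dcpromo.log on DC02.
```

The explicit -Credential inside the script block is not redundant: the credential used to open the remoting session is not forwarded to other domain controllers from DC02 (the second hop), so promotion needs its own credential to contact the replication source.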
Note
For more information on how the installation and Adprep process works, see the Troubleshooting Domain Controller Deployment.
Results
The Results page shows the success or failure of the promotion and any important administrative information. If successful, the domain controller will
automatically reboot after 10 seconds.
As with previous versions of Windows Server, automated domain preparation for domain controllers that run Windows server 2012 does not run GPPREP. Run
adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2.
You should run GPPrep only once in the history of a domain, not with every upgrade. Adprep.exe does not run /gpprep automatically because its operation can
cause all files and folders in the SYSVOL folder to re-replicate on all domain controllers.
This topic explains how to add child and tree domains to an existing Windows Server 2012 forest, using Server Manager or Windows PowerShell.
Child and Tree Domain Workflow
Child and Tree Domain Windows PowerShell
Deployment
ADDSDeployment
Cmdlet
Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS
Configuration Wizard.)
Install-AddsDomain
-SkipPreChecks
-NewDomainName
-ParentDomainName
-SafeModeAdministratorPassword
-ADPrepCredential
-AllowDomainReinstall
-Confirm
-CreateDNSDelegation
-Credential
-DatabasePath
-DNSDelegationCredential
-NoDNSOnNetwork
-DomainMode
-DomainType
-Force
-InstallDNS
-LogPath
-NewDomainNetBIOSName
-NoGlobalCatalog
-NoRebootOnCompletion
-ReplicationSourceDC
-SiteName
-SkipAutoConfigureDNS
-SYSVOLPath
-Whatif
Note
The -Credential argument is only required when you are not currently logged on as a member of the Enterprise Admins group. The -NewDomainNetBIOSName
argument is required if you want to change the automatically generated 15-character name based on the DNS domain name prefix, or if the prefix exceeds 15
characters.
Deployment
Deployment Configuration
The following screenshot shows the options for adding a child domain:
The following screenshot shows the options for adding a tree domain:
Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on this
page and subsequent pages, depending on which deployment operation you select.
This topic combines two discrete operations: child domain promotion and tree domain promotion. The only difference between the two operations is the domain
type that you choose to create. All of the other steps are identical between the two operations.
To create a new child domain, click Add a domain to an existing Forest and choose Child Domain. For Parent domain name, type or select the name of
the parent domain. Then type the name of the new domain in the New domain name box. Provide a valid, single-label child domain name; the name must
meet DNS domain naming requirements.
To create a tree domain within an existing forest, click Add a domain to an existing Forest and choose Tree Domain. Type the name of the forest root
domain, and then type the name of the new domain. Provide a valid, fully qualified root domain name; the name cannot be single-labeled and must meet
DNS domain naming requirements.
For more information about DNS names, see Naming conventions in Active Directory for computers, domains, sites, and OUs.
The Server Manager Active Directory Domain Services Configuration Wizard prompts you for domain credentials if your current credentials are not from the
domain. Click Change to provide domain credentials for the promotion operation.
The Deployment Configuration ADDSDeployment cmdlet and arguments are:
Install-ADDSDomain
-DomainType <{ChildDomain | TreeDomain}>
-ParentDomainName <string>
-NewDomainName <string>
-Credential <pscredential>
The Domain Controller Options page specifies the domain controller options for the new domain controller. The configurable domain controller options include
DNS server and Global Catalog; you cannot configure read-only domain controller as the first domain controller in a new domain.
Microsoft recommends that all domain controllers provide DNS and GC services for high availability in distributed environments. GC is always selected by default
and DNS is selected by default if the current domain hosts DNS already on its DCs, based on a Start-of-Authority query. You must also specify a Domain
functional level. The default functional level is Windows Server 2012, and you can choose any other value that is equal to or greater than the current forest
functional level.
The Domain Controller Options page also enables you to choose the appropriate Active Directory logical site name from the forest configuration. By default, the
site with the most correct subnet is selected. If there is only one site, it is selected automatically.
Important
If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is selected and the Next button is
unavailable until you choose a site from the list.
The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server. Always choose a strong, complex password
or preferably, a passphrase.
The Domain Controller Options ADDSDeployment cmdlet arguments are:
Important
The site name must already exist when provided as a value to the -SiteName argument. The Install-ADDSDomain cmdlet does not create sites. You can use
the New-ADReplicationSite cmdlet to create new sites.
The Install-ADDSDomain cmdlet arguments follow the same defaults as Server Manager if not specified.
The -SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet
interactively.
For example, to create a new child domain named NorthAmerica in the Contoso.com forest and be prompted to enter and confirm a masked password:
Warning
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
Finally, you could store the obfuscated password in a file, and then reuse it later, without the clear text password ever appearing. For example:
$file = "c:\pw.txt"
$pw = Read-Host -Prompt "Password:" -AsSecureString
$pw | ConvertFrom-SecureString | Set-Content $file
-SafeModeAdministratorPassword (Get-Content $file | ConvertTo-SecureString)
Warning
Providing or storing a clear-text or obfuscated password is not recommended. Anyone who can read the script, or who is looking over your shoulder, knows
the DSRM password of that domain controller. The file form is not much better: ConvertFrom-SecureString without -Key protects the value with DPAPI for the
user who wrote it on that machine, so anyone who can run code as that user on that machine can recover the clear text. With that knowledge, they can log on to a
DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an AD forest. An additional set of
steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to totally avoid password storage.
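The DSRM password handling described here, and in the identical passage for the replica domain controller earlier, as an added example that is not code from the original page. It shows the preferred interactive prompt next to the discouraged file form, and then demonstrates the warning in practice: a function that reads the "obfuscated" file back to clear text in the same user context that wrote it, because ConvertFrom-SecureString without -Key only wraps the value with the current user's DPAPI key. The file path and the domain name are assumptions.

```powershell
# Added example (not from the original page): DSRM password handling for
# Install-ADDSDomainController / Install-ADDSDomain. Assumed path and domain name.
$file = "C:\pw.txt"   # assumed; a real deployment should never write this file

# Preferred: interactive and masked, kept only in memory. If the argument is omitted
# entirely, the cmdlet prompts for and confirms the password itself.
$dsrm = Read-Host -Prompt "DSRM password" -AsSecureString

# Discouraged: persist the DPAPI-protected form for later reuse.
$dsrm | ConvertFrom-SecureString | Set-Content -Path $file

function Get-ClearTextFromSecureStringFile {
    # Demonstrates why the file form is not a secret: the same user on the same
    # machine (or any code running as that user) turns it back into clear text.
    param([Parameter(Mandatory)][string]$Path)
    $secure = Get-Content -Path $Path | ConvertTo-SecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        # Zero and free the unmanaged copy so the clear text does not linger.
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

$recovered = Get-ClearTextFromSecureStringFile -Path $file
Write-Host "Recovered from $($file): $recovered"

# Remove the file; it must not survive the promotion session.
Remove-Item -Path $file -Force

# Use the in-memory secure string for promotion (dry run with -WhatIf).
Import-Module ADDSDeployment
Install-ADDSDomainController `
    -DomainName "corp.contoso.com" `
    -Credential (Get-Credential -Message "Domain Admins credential") `
    -SafeModeAdministratorPassword $dsrm `
    -WhatIf
```

Running the function as a different user, or on a different machine, fails at ConvertTo-SecureString because the DPAPI key differs; that is the whole of the protection the file provides, and it is no protection at all against the account that does the deployment.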
The ADDSDeployment module offers an additional option to skip automatic configuration of DNS client settings, forwarders, and root hints. This is not
configurable when using Server Manager. This argument matters only if you already installed the DNS Server service prior to configuring the domain controller:
-SkipAutoConfigureDNS
The DNS Options page enables you to provide alternate DNS Admin credentials for delegation.
When installing a new domain in an existing forest - where you selected DNS installation on the Domain Controller Options page - you cannot configure any
options; the delegation happens automatically and irrevocably. You have the option to provide alternate DNS administrative credentials with rights to update that
structure.
The DNS Options ADDSDeployment Windows PowerShell arguments are:
-CreateDNSDelegation
-DNSDelegationCredential <pscredential>
For more information about DNS delegation, see Understanding Zone Delegation.
Additional Options
The Additional Options page shows the NetBIOS name of the domain and enables you to override it. By default, the NetBIOS domain name matches the leftmost label of the fully qualified domain name provided on the Deployment Configuration page. For example, if you provided the fully qualified domain name of
corp.contoso.com, the default NetBIOS domain name is CORP.
If the name is 15 characters or less and does not conflict with another NetBIOS name, it is unaltered. If it does conflict with another NetBIOS name, a number is
appended to the name. If the name is more than 15 characters, the wizard provides a unique, truncated suggestion. In either case, the wizard first validates the
name is not already in use via a WINS lookup and NetBIOS broadcast.
For more information about DNS names, see Naming conventions in Active Directory for computers, domains, sites, and OUs.
The Install-ADDSDomain arguments follow the same defaults as Server Manager if not specified. The -NewDomainNetBIOSName operation is special:
1. If the -NewDomainNetBIOSName argument is not specified and the single-label prefix of the name in the -NewDomainName argument is 15 characters or
fewer, then promotion continues with an automatically generated name.
2. If the -NewDomainNetBIOSName argument is not specified and the single-label prefix of the name in the -NewDomainName argument is 16 characters or
more, then promotion fails.
3. If the -NewDomainNetBIOSName argument is specified with a NetBIOS domain name of 15 characters or fewer, then promotion continues with that
specified name.
4. If the -NewDomainNetBIOSName argument is specified with a NetBIOS domain name of 16 characters or more, then promotion fails.
The Additional Options ADDSDeployment cmdlet argument is:
-NewDomainNetBIOSName <string>
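The NetBIOS name rules above, the requirement that the site already exist, and the -WhatIf dry run are combined here into an added pre-flight example; it is not code from the original page. Get-NewDomainNetBIOSName reproduces the four rules so a script fails before promotion rather than during it, Test-ADSiteExists checks the site the same way Install-ADDSDomain will expect it, and the final call asks the cmdlet to list its explicit and implicit argument values without promoting. Parent domain, child name and site name are assumptions.

```powershell
# Added example (not from the original page): pre-flight checks for a new child domain.
# Assumed names: parent "corp.contoso.com", child "research", site "Default-First-Site-Name".
Import-Module ActiveDirectory
Import-Module ADDSDeployment

function Get-NewDomainNetBIOSName {
    # Returns the NetBIOS name promotion will use, or throws where promotion would fail.
    param(
        [Parameter(Mandatory)][string]$NewDomainName,
        [string]$NewDomainNetBIOSName
    )
    if ($NewDomainNetBIOSName) {
        # Rules 3 and 4: an explicit name must be 15 characters or fewer.
        if ($NewDomainNetBIOSName.Length -gt 15) {
            throw "NewDomainNetBIOSName '$NewDomainNetBIOSName' exceeds 15 characters; promotion would fail."
        }
        return $NewDomainNetBIOSName.ToUpperInvariant()
    }
    # Rules 1 and 2: without an explicit name, the single-label prefix is used and must fit.
    $prefix = $NewDomainName.Split('.')[0]
    if ($prefix.Length -gt 15) {
        throw "Prefix '$prefix' exceeds 15 characters; supply -NewDomainNetBIOSName or promotion would fail."
    }
    return $prefix.ToUpperInvariant()
}

function Test-ADSiteExists {
    # Install-ADDSDomain does not create sites; Get-ADReplicationSite throws for an unknown site.
    param([Parameter(Mandatory)][string]$SiteName)
    try { [bool](Get-ADReplicationSite -Identity $SiteName -ErrorAction Stop) } catch { $false }
}

$site    = "Default-First-Site-Name"
$netbios = Get-NewDomainNetBIOSName -NewDomainName "research"
if (-not (Test-ADSiteExists -SiteName $site)) {
    throw "Site '$site' does not exist; create it with New-ADReplicationSite before promoting."
}

# Dry run: -WhatIf shows the explicit and implicit argument values without promoting.
Install-ADDSDomain `
    -DomainType ChildDomain `
    -ParentDomainName "corp.contoso.com" `
    -NewDomainName "research" `
    -NewDomainNetBIOSName $netbios `
    -SiteName $site `
    -Credential (Get-Credential -Message "Enterprise Admins credential") `
    -InstallDns:$true `
    -CreateDnsDelegation `
    -WhatIf
```

Drop -WhatIf (and add -Force:$true if the reboot prompt must be suppressed) once the dry run shows the expected values; the NetBIOS check does not replace the WINS lookup and NetBIOS broadcast the wizard performs for name conflicts, it only catches the length rules early.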
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default
locations are always in subdirectories of %systemroot%.
The Paths ADDSDeployment cmdlet arguments are:
-DatabasePath <string>
-LogPath <string>
-SYSVOLPath <string>
The Review Options page enables you to validate your settings and ensure they meet your requirements before you start the installation. This is not the last
opportunity to stop the installation when using Server Manager. This is simply an option to confirm your settings before continuing the configuration.
The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current ADDSDeployment
configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio.
Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a
valid and syntactically correct sample for further modification or direct use. For example:
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomain `
-NoGlobalCatalog:$false `
-CreateDNSDelegation `
-Credential (Get-Credential) `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainType "ChildDomain" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-NewDomainName "research" `
-NewDomainNetBIOSName "RESEARCH" `
-ParentDomainName "corp.contoso.com" `
-NoRebootOnCompletion:$false `
-SiteName "Default-First-Site-Name" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true
Note
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of
Windows or service packs). The one exception to this is the -SafeModeAdministratorPassword argument (which is deliberately omitted from the script). To
force a confirmation prompt, omit the value when running the cmdlet interactively.
Use the optional -WhatIf argument with the Install-ADDSDomain cmdlet to review configuration information. This enables you to see the explicit and implicit
values of the arguments for a cmdlet.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new
AD DS domain.
When installing a new child or tree domain, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests.
These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller process cannot continue until all
prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older operating systems.
For more information on the specific prerequisite checks, see Prerequisite Checking.
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet using the
following argument:
-SkipPreChecks
Warning
Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or damaged AD DS forest.
Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it
begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and
are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
To install a new Active Directory domain using the ADDSDeployment module, use the following cmdlet:
Install-ADDSDomain
See Child and Tree Domain Windows PowerShell for required and optional arguments. The Install-ADDSDomain cmdlet only has two phases (prerequisite checking
and installation). The two figures below show the installation phase with the minimum required arguments of -DomainType, -NewDomainName,
-ParentDomainName, and -Credential. Note how, just like Server Manager, Install-ADDSDomain reminds you that promotion will reboot the server
automatically.
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the
server from automatically rebooting at the end of promotion, use the -norebootoncompletion argument.
Warning
Overriding the reboot is not recommended. The domain controller must reboot to function correctly.
Results
The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot
after 10 seconds.
This topic explains how to create a staged RODC account and then attach a server to that account during RODC installation. This topic also explains how to install an
RODC without performing a staged installation.
ADDSDeployment Cmdlet
Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the
AD DS Configuration Wizard.)
Add-ADDSReadOnlyDomainControllerAccount
-SkipPreChecks
-DomainControllerAccountName
-DomainName
-SiteName
-AllowPasswordReplicationAccountName
-Credential
-DelegatedAdministratorAccountName
-DenyPasswordReplicationAccountName
-NoGlobalCatalog
-InstallDNS
-ReplicationSourceDC
Note
The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.
ADDSDeployment Cmdlet
Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS
Configuration Wizard.)
Install-ADDSDomainController
-SkipPreChecks
-DomainName
-SafeModeAdministratorPassword
-ApplicationPartitionsToReplicate
-CreateDNSDelegation
-Credential
-CriticalReplicationOnly
-DatabasePath
-DNSDelegationCredential
-InstallationMediaPath
-LogPath
-Norebootoncompletion
-ReplicationSourceDC
-SystemKey
-SYSVOLPath
-UseExistingAccount
Note
The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.
Staging
You perform the staging operation of a read-only domain controller computer account by opening the Active Directory Administrative Center (Dsac.exe). Click the
name of the domain in the navigation pane. Double-click Domain Controllers in the management list. Click Pre-create a Read-only domain controller account in
the tasks pane.
For more information about the Active Directory Administrative Center, see Advanced AD DS Management Using Active Directory Administrative Center (Level 200)
and review Active Directory Administrative Center: Getting Started.
If you have experience creating read-only domain controllers, you will discover that the installation wizard has the same graphical interface as seen when using the
older Active Directory Users and Computers snap-in from Windows Server 2008 and uses the same code, which includes exporting the configuration in the unattend
file format used by the obsolete dcpromo.
Windows Server 2012 introduces a new ADDSDeployment cmdlet to stage RODC computer accounts, but the wizard does not use the cmdlet for its operation. The
following sections display the equivalent cmdlet and arguments in order to make the information associated with each easier to understand.
The Pre-create a Read-only domain controller account link in the Active Directory Administrative Center's task pane is equivalent to the ADDSDeployment
Windows PowerShell cmdlet:
Add-ADDSReadOnlyDomainControllerAccount
Welcome
The Welcome to the Active Directory Domain Services Installation Wizard dialog has one option named Use advanced mode installation. Select this option
and click Next to show password replication policy options. Clear this option to use the default values for password replication policy options (this is discussed in
further detail later in this section).
Network Credentials
The domain name option in the Network Credentials dialog displays the domain targeted by the Active Directory Administrative Center by default. Your current
credentials are used by default. If they do not include membership in the Domain Admins group, click Alternate Credentials, and click Set to provide the wizard
with a user name and password that is a member of Domain Admins.
The equivalent ADDSDeployment Windows PowerShell argument is:
-credential <pscredential>
Keep in mind that the staging system is a direct port from Windows Server 2008 R2 and does not provide the new Adprep functionality. If you plan to deploy
staged RODC accounts, you must either first deploy an un-staged RODC in that domain so that the automatic rodcprep operation runs, or manually run
adprep.exe /rodcprep first.
Otherwise, you will receive the error "You will not be able to install a read-only domain controller in this domain because "adprep /rodcprep" was not yet run".
The Specify the Computer Name dialog requires you to enter the single-label Computer name of a domain controller that does not exist. The domain controller
you configure and attach to this account later must have the same name, or the promotion operation will not detect the staged account.
The equivalent ADDSDeployment Windows PowerShell argument is:
-domaincontrolleraccountname <string>
Select a Site
The Select a Site dialog shows a list of Active Directory sites for the current forest. The staged read-only domain controller operation requires you to select a
single site from the list. The RODC uses this information to create its NTDS Settings object in the Configuration partition and join itself to the correct site when it
starts for the first time after being deployed.
The equivalent ADDSDeployment Windows PowerShell argument is:
-sitename <string>
The Additional Domain Controller Options dialog enables you to specify whether the domain controller also runs as a DNS server and a global catalog.
Microsoft recommends that read-only domain controllers provide DNS and GC services, so both are installed by default. One intention of the RODC role is branch
office scenarios where the wide area network may not be available; without local DNS and global catalog services, computers in the branch would not be able to
use AD DS resources and functionality while the WAN is down.
The Read-only domain controller (RODC) option is pre-selected and cannot be disabled. The equivalent ADDSDeployment Windows PowerShell arguments are:
-installdns <string>
-NoGlobalCatalog <{$true | $false}>
Note
By default, the NoGlobalCatalog value is $false, which means the domain controller will be a global catalog server if the argument is not specified.
The Specify the Password Replication Policy dialog enables you to modify the default list of accounts that are allowed to cache their passwords on this read-only
domain controller. Accounts in the list configured with Deny, or that are not in the list at all (implicit deny), do not cache their password on the RODC. Accounts that
are not allowed to cache passwords on the RODC and cannot connect and authenticate to a writable domain controller cannot access resources or functionality
provided by Active Directory.
Important
The wizard shows this dialog only if you select the Use Advanced Mode Installation check box on the welcome screen. If you clear this check box, then the
wizard uses following default groups and values:
Administrators - Deny
Server Operators - Deny
Backup Operators - Deny
Account Operators - Deny
Denied RODC Password Replication Group - Deny
Allowed RODC Password Replication Group - Allow
The Delegation of RODC Installation and Administration dialog enables you to configure a user or group containing users who are allowed to attach the server
to the RODC computer account. Click Set to browse the domain for a user or group. The user or group specified in this dialog gains local administrative
permissions on the RODC. The specified user or members of the specified group can perform operations on the RODC with privileges equivalent to the computer's
Administrators group. They are not members of the Domain Admins or domain built-in Administrators groups.
Use this option to delegate branch office administration without granting the branch administrator membership to the Domain Admins group. Delegating RODC
administration is not required.
The equivalent ADDSDeployment Windows PowerShell argument is:
-delegatedadministratoraccountname <string>
Summary
The Summary dialog enables you to confirm your settings. This is the last opportunity to stop the installation before the wizard creates the staged account. Click
Next when you are ready to create the staged RODC computer account. Click Export Settings to save an answer file in the obsolete dcpromo unattend file
format.
Creation
The Active Directory Domain Services Installation Wizard creates the staged read-only domain controller in Active Directory. You cannot cancel this operation
after it starts.
Use the following cmdlet to stage a read-only domain controller computer account using the ADDSDeployment Windows PowerShell module:
Add-addsreadonlydomaincontrolleraccount
See Stage RODC Windows PowerShell for required and optional arguments.
Because Add-addsreadonlydomaincontrolleraccount only has one action with two phases (prerequisite checking and installation), the following screen shots
show the installation phase with the minimum required arguments.
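As an added example (not one of the page's screenshots and not Microsoft's own script), the staging command with the arguments the wizard pages above map to. The domain name, account name, site name and the CORP\Chicago RODC Admins group are constructed placeholders; the site must already exist.

```powershell
# Added example (not from the original page): stage an RODC computer account with the
# ADDSDeployment cmdlet. Names, site and groups are constructed placeholders.
Import-Module ADDSDeployment

$domainName  = "corp.contoso.com"
$accountName = "CHI-RODC01"                # server attached later must have exactly this name
$siteName    = "Chicago"                   # must already exist; the cmdlet does not create sites
$branchAdmin = "CORP\Chicago RODC Admins"  # gets local admin on the RODC, not Domain Admins

# Explicit Password Replication Policy: the wizard's default Deny entries, and the default
# Allow group plus the branch admins so they can log on when the WAN is down.
$denyList  = @("BUILTIN\Administrators", "BUILTIN\Server Operators",
               "BUILTIN\Backup Operators", "BUILTIN\Account Operators",
               "CORP\Denied RODC Password Replication Group")
$allowList = @("CORP\Allowed RODC Password Replication Group", $branchAdmin)

# Staging requires Domain Admins; prompt rather than embedding a password in the script.
$cred = Get-Credential -Message "Domain Admins credential for $domainName"

$stage = @{
    DomainControllerAccountName         = $accountName
    DomainName                          = $domainName
    SiteName                            = $siteName
    Credential                          = $cred
    InstallDns                          = $true     # wizard default: DNS on the RODC
    NoGlobalCatalog                     = $false    # wizard default: RODC is a GC
    DelegatedAdministratorAccountName   = $branchAdmin
    AllowPasswordReplicationAccountName = $allowList
    DenyPasswordReplicationAccountName  = $denyList
}

# Dry run first: -WhatIf lists the explicit and implicit argument values without creating anything.
Add-ADDSReadOnlyDomainControllerAccount @stage -WhatIf

# Real run. This only creates the unoccupied account in the directory; no reboot is involved.
Add-ADDSReadOnlyDomainControllerAccount @stage
```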
The stage RODC operation creates the RODC computer account in Active Directory. The Active Directory Administrative Center shows the Domain Controller
Type as an Unoccupied Domain Controller Account. This domain controller type indicates that the staged RODC account is ready for a server to attach to it as a
read-only domain controller.
Important
The Active Directory Administrative Center is no longer required to attach a server to a read-only domain controller computer account. Use Server Manager and
the Active Directory Domain Services Configuration Wizard or the ADDSDeployment Windows PowerShell module cmdlet Install-AddsDomainController to
attach a new RODC to its staged account. The steps are similar to adding a new writable domain controller to an existing domain, with the exception that the
staged RODC computer account contains configuration options decided at the time you staged the RODC computer account.
Attaching
Deployment Configuration
Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on this
page and subsequent pages, depending on which deployment operation you select.
To add a read-only domain controller to an existing domain, select Add a domain controller to an existing domain and click the Select button to Specify the
domain information for this domain. Server Manager automatically prompts you for valid credentials, or you can click Change.
Attaching an RODC requires membership in the Domain Admins group in Windows Server 2012. The Active Directory Domain Services Configuration Wizard
prompts you later if your current credentials do not have adequate permissions or group memberships.
The Deployment Configuration ADDSDeployment Windows PowerShell cmdlet and arguments are:
Install-ADDSDomainController
-domainname <string>
-credential <pscredential>
The Domain Controller Options page shows the domain controller options for the new domain controller. When this page loads, the Active Directory Domain
Services Configuration Wizard sends an LDAP query to an existing domain controller to check for unoccupied accounts. If the query finds an unoccupied domain
controller computer account that shares the same name as the current computer, then the wizard displays an informational message at the top of the page that
reads "A Pre-created RODC account that matches the name of the target server exists in the directory. Choose whether to use this existing RODC account
or reinstall this domain controller." The wizard uses the Use existing RODC account as the default configuration.
Important
You can use the Reinstall this domain controller option when a domain controller has suffered a physical problem and cannot return to functionality. This
saves time when configuring the replacement domain controller, by leaving the domain controller computer account and object metadata in Active Directory.
Install the new computer with the same name, and promote it as a domain controller in the domain. The Reinstall this domain controller option is unavailable
if you removed the domain controller object's metadata from Active Directory (metadata cleanup).
You cannot configure domain controller options when you are attaching a server to an RODC computer account. You configure domain controller options when
you create the staged RODC computer account.
The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server. Always choose a strong, complex password
or preferably, a passphrase.
The Domain Controller Options ADDSDeployment Windows PowerShell arguments are:
Important
The site name must already exist when provided as an argument to -sitename. The install-AddsDomainController cmdlet does not create site names. You can
use cmdlet new-adreplicationsite to create new sites.
The Install-ADDSDomainController arguments follow the same defaults as Server Manager if not specified.
The SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet
interactively.
For example, to create a new RODC in the corp.contoso.com and be prompted to enter and confirm a masked password:
Warning
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
$file = "c:\pw.txt"
$pw = Read-Host -Prompt "Password:" -AsSecureString
$pw | ConvertFrom-SecureString | Set-Content $file
-SafeModeAdministratorPassword (Get-Content $file | ConvertTo-SecureString)
Warning
Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script or looking over your shoulder knows
the DSRM password of that domain controller. Anyone with access to the file could reverse that obfuscated password. With that knowledge, they can log on to a
DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an AD forest. An additional set of
steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to totally avoid password storage.
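As an added example (not Microsoft's code and not one of the page's figures), the preferred form of the attach operation: the minimum arguments -DomainName, -UseExistingAccount and -Credential, with -SafeModeAdministratorPassword deliberately omitted so the cmdlet prompts for and confirms the DSRM password and nothing is written to disk. The same password handling applies to the un-staged RODC promotion later in this topic. The pre-check assumes the ActiveDirectory module is available on the server; corp.contoso.com is a constructed placeholder.

```powershell
# Added example (not from the original page): attach this server to its pre-created RODC
# account. The DSRM password is intentionally NOT passed as an argument, so the cmdlet
# prompts for it (masked and confirmed) instead of it living in a script or a file.
Import-Module ADDSDeployment
Import-Module ActiveDirectory   # assumption: RSAT AD module present for the pre-check below

$domainName = "corp.contoso.com"
$cred = Get-Credential -Message "Domain Admins credential for $domainName"

# Promotion only finds the staged account if its name matches this computer's name, so
# verify an account with that name exists in the Domain Controllers OU before starting.
$staged = Get-ADComputer -Filter "Name -eq '$env:COMPUTERNAME'" -Server $domainName -Credential $cred
if (-not $staged -or $staged.DistinguishedName -notlike "*OU=Domain Controllers,*") {
    throw "No pre-created RODC account named $env:COMPUTERNAME found in $domainName; stage it first."
}

$attach = @{
    DomainName         = $domainName
    UseExistingAccount = $true       # use the staged account; DC options were fixed at staging time
    Credential         = $cred
    # ReplicationSourceDC, DatabasePath, LogPath and SYSVOLPath are left at the same
    # defaults Server Manager would use.
}

# Dry run: shows the explicit and implicit argument values, makes no changes.
Install-ADDSDomainController @attach -WhatIf

# Real run. -Force accepts the reboot prompt; -NoRebootOnCompletion is deliberately not used,
# because the new domain controller must reboot to function correctly.
Install-ADDSDomainController @attach -Force
```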
Additional Options
The Additional Options page provides configuration options to name a domain controller as the replication source, or you can use any domain controller as the
replication source.
You can also choose to install the domain controller using backed up media using the Install from media (IFM) option. The Install from media checkbox provides
a browse option once selected and you must click Verify to ensure the provided path is valid media. Media used by the IFM option is created with Windows Server
Backup or Ntdsutil.exe from another existing Windows Server 2012 computer only; you cannot use a Windows Server 2008 R2 or previous operating system to
create media for a Windows Server 2012 domain controller. For more information about changes in IFM, see Ntdsutil.exe Install from Media Changes. If using
media protected with a SYSKEY, Server Manager prompts for the image's password during verification.
-replicationsourcedc <string>
-installationmediapath <string>
-systemkey <secure string>
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default
locations are always in subdirectories of %systemroot%. The Paths ADDSDeployment cmdlet arguments are:
-databasepath <string>
-logpath <string>
-sysvolpath <string>
The Review Options page enables you to validate your settings and ensure that they meet your requirements before you start the installation. This is not the last
opportunity to stop the installation using Server Manager. This page simply enables you to review and confirm your settings before continuing the configuration.
The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current ADDSDeployment
configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio.
Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a
valid and syntactically correct sample for further modification or direct use. For example:
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "corp.contoso.com" `
-LogPath "C:\Windows\NTDS" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-UseExistingAccount:$true `
-NoRebootOnCompletion:$false `
-Force:$true
Note
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of
Windows or service packs). The one exception to this is the -safemodeadministratorpassword argument. To force a confirmation prompt, omit the value when
running the cmdlet interactively.
Use the optional -WhatIf argument with the Install-ADDSDomainController cmdlet to review configuration information. This enables you to see the explicit and
implicit values of the arguments for a cmdlet.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new
AD DS forest.
When installing a new forest root domain, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests.
These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller installation process cannot continue
until all prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older operating systems. For more information about the
prerequisite checks, see Prerequisite Checking.
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet using the
following argument:
-skipprechecks
Warning
Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or damaged AD DS forest.
Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it
begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and
are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
To install a new Active Directory forest using the ADDSDeployment module, use the following cmdlet:
Install-ADDSDomainController
See Attach RODC Windows PowerShell for required and optional arguments.
The Install-ADDSDomainController cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation phase with the
minimum required arguments of -domainname, -useexistingaccount, and -credential. Note how, just like Server Manager, Install-ADDSDomainController
reminds you that promotion will reboot the server automatically:
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the
server from automatically rebooting at the end of promotion, use the -norebootoncompletion argument.
Warning
Overriding the reboot is discouraged. The domain controller must reboot to function correctly.
Results
The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot
after 10 seconds.
ADDSDeployment Cmdlet
Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS
Configuration Wizard.)
Install-ADDSDomainController
-SkipPreChecks
-DomainName
-SafeModeAdministratorPassword
-SiteName
-ApplicationPartitionsToReplicate
-CreateDNSDelegation
-Credential
-CriticalReplicationOnly
-DatabasePath
-DNSDelegationCredential
-DNSOnNetwork
-InstallationMediaPath
-InstallDNS
-LogPath
-MoveInfrastructureOperationMasterRoleIfNecessary
-NoGlobalCatalog
-Norebootoncompletion
-ReplicationSourceDC
-SkipAutoConfigureDNS
-SystemKey
-SYSVOLPath
-AllowPasswordReplicationAccountName
-DelegatedAdministratorAccountName
-DenyPasswordReplicationAccountName
-ReadOnlyReplica
Note
The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.
Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on this
page and subsequent pages, depending on which deployment operation you select.
To add an un-staged read-only domain controller to an existing Windows Server 2012 domain, select Add a domain controller to an existing domain and click
the Select button to Specify the domain information for this domain. Server Manager automatically prompts you for valid credentials, or you can click Change.
Attaching an RODC requires membership in the Domain Admins group in Windows Server 2012. The Active Directory Domain Services Configuration Wizard
prompts you later if your current credentials do not have adequate permissions or group memberships.
The Deployment Configuration ADDSDeployment Windows PowerShell cmdlet and arguments are:
Install-ADDSDomainController
-domainname <string>
-credential <pscredential>
The Domain Controller Options page specifies the domain controller capabilities for the new domain controller. The configurable domain controller capabilities
are DNS server, Global Catalog, and Read-only domain controller. Microsoft recommends that all domain controllers provide DNS and GC services for high
availability in distributed environments. GC is always selected by default, and DNS server is selected by default if the current domain already hosts DNS on its DCs,
as determined by a Start of Authority (SOA) query.
The Domain Controller Options page also enables you to choose the appropriate Active Directory logical site name from the forest configuration. By default, it
selects the site with the most correct subnet. If there is only one site, it selects that site automatically.
Important
If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is selected and the Next button is
unavailable until you choose a site from the list.
The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server. Always choose a strong, complex password
or preferably, a passphrase.
The Domain Controller Options ADDSDeployment Windows PowerShell arguments are:
Important
The site name must already exist when provided as an argument to -sitename. The install-AddsDomainController cmdlet does not create site names. You can
use cmdlet new-adreplicationsite to create new sites.
The Install-ADDSDomainController arguments follow the same defaults as Server Manager if not specified.
The SafeModeAdministratorPassword argument's operation is special:
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet
interactively.
For example, to create a new RODC in the corp.contoso.com and be prompted to enter and confirm a masked password:
Warning
As the previous option does not confirm the password, use extreme caution: the password is not visible.
You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.
$file = "c:\pw.txt"
$pw = Read-Host -Prompt "Password:" -AsSecureString
$pw | ConvertFrom-SecureString | Set-Content $file
-SafeModeAdministratorPassword (Get-Content $file | ConvertTo-SecureString)
Warning
Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script or looking over your shoulder knows
the DSRM password of that domain controller. Anyone with access to the file could reverse that obfuscated password. With that knowledge, they can log on to a
DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an AD forest. An additional set of
steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to totally avoid password storage.
RODC Options
-delegatedadministratoraccountname <string>
Accounts that are not allowed to cache passwords on the RODC and cannot connect and authenticate to a writable domain controller cannot access resources or
functionality provided by Active Directory.
Important
If not modified, the default groups and settings are used:
Administrators - Deny
Server Operators - Deny
Backup Operators - Deny
Account Operators - Deny
Denied RODC Password Replication Group - Deny
Allowed RODC Password Replication Group - Allow
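The default Deny and Allow lists above (and the identical defaults in the staged-RODC section earlier in this topic) are what a branch RODC should still show after promotion. As an added example (not Microsoft's code), a check that reads the effective Password Replication Policy from the directory and compares it against those defaults, then lists which accounts have actually had secrets cached on the RODC. It assumes the ActiveDirectory module; CHI-RODC01 is a constructed name.

```powershell
# Added example (not from the original page): audit an RODC's effective PRP against the
# wizard defaults and report which accounts currently have passwords cached on it.
Import-Module ActiveDirectory

function Test-RodcPasswordReplicationPolicy {
    param([Parameter(Mandatory = $true)][string]$RodcName)

    # Defaults applied when the Password Replication Policy page is left unmodified.
    $expectedDeny  = @("Administrators", "Server Operators", "Backup Operators",
                       "Account Operators", "Denied RODC Password Replication Group")
    $expectedAllow = @("Allowed RODC Password Replication Group")

    # Effective policy as stored on the RODC's computer object.
    $denied  = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied |
                 ForEach-Object { $_.Name })
    $allowed = @(Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed |
                 ForEach-Object { $_.Name })

    # A removed default Deny entry means privileged accounts could cache on a branch DC.
    $missingDeny = @($expectedDeny | Where-Object { $_ -notin $denied })
    # Extra Allow entries (e.g. a delegated branch admin group) are not wrong by themselves,
    # but each one is a principal whose secrets may sit on a DC in a less secure location.
    $extraAllow  = @($allowed | Where-Object { $_ -notin $expectedAllow })

    # Accounts whose passwords are cached on this RODC right now (Deny always wins over Allow,
    # so anything here should also appear in the allowed set).
    $cached = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $RodcName -RevealedAccounts |
                ForEach-Object { $_.SamAccountName })

    [pscustomobject]@{
        RodcName       = $RodcName
        HasDefaultDeny = ($missingDeny.Count -eq 0)
        MissingDeny    = $missingDeny
        ExtraAllow     = $extraAllow
        CachedAccounts = $cached
    }
}

# Constructed RODC name; run from any domain-joined host with the AD module.
Test-RodcPasswordReplicationPolicy -RodcName "CHI-RODC01" | Format-List
```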
Additional Options
The Additional Options page provides configuration options to name a domain controller as the replication source, or you can use any domain controller as the
replication source.
You can also choose to install the domain controller using backed up media using the Install from media (IFM) option. The Install from media checkbox provides
a browse option once selected and you must click Verify to ensure the provided path is valid media. Media used by the IFM option is created with Windows Server
Backup or Ntdsutil.exe from another existing Windows Server 2012 computer only; you cannot use a Windows Server 2008 R2 or previous operating system to
create media for a Windows Server 2012 domain controller. The Appendices provides more information on changes in IFM. If using media protected with a
SYSKEY, Server Manager prompts for the image's password during verification.
-replicationsourcedc <string>
-installationmediapath <string>
-systemkey <secure string>
Paths
The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default
locations are always in subdirectories of %systemroot%. The Paths ADDSDeployment cmdlet arguments are:
-databasepath <string>
-logpath <string>
-sysvolpath <string>
Preparation Options
The Preparation Options page alerts you that the AD DS configuration includes extending the Schema (forestprep) and updating the domain (domainprep). You
only see this page when the forest or domain has not been prepared by previous Windows Server 2012 domain controller installation or from manually running
Adprep.exe. For example, the Active Directory Domain Services Configuration Wizard suppresses this page if you add a new replica domain controller to an
existing Windows Server 2012 forest root domain.
Extending the Schema and updating the domain do not occur when you click Next. These events occur only during the installation phase. This page simply brings
awareness about the events that will occur later in the installation.
This page also validates that the current user credentials are members of the Schema Admin and Enterprise Admins groups, as you need membership in these
groups to extend the schema or prepare a domain. Click Change to provide the adequate user credentials if the page informs you that the current credentials do
not provide sufficient permissions.
The Additional Options ADDSDeployment cmdlet argument is:
-adprepcredential <pscredential>
Important
As with previous versions of Windows Server, Windows Server 2012's automated domain preparation does not run GPPREP. Run adprep.exe /gpprep manually
for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. You should run GPPrep only
once in the history of a domain, not with every upgrade. Adprep.exe does not run /gpprep automatically because its operation can cause all files and folders in
the SYSVOL folder to re-replicate on all domain controllers.
Automatic RODCPrep runs when you promote the first un-staged RODC in a domain. It does not occur when you promote the first writeable Windows Server
2012 domain controller. You can also still manually run adprep.exe /rodcprep if you plan to deploy read-only domain controllers.
The Review Options page enables you to validate your settings and ensure that they meet your requirements before you start the installation. This is not the last
opportunity to stop the installation using Server Manager. This page simply enables you to review and confirm your settings before continuing the configuration.
The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current ADDSDeployment
configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio.
Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a
valid and syntactically correct sample for further modification or direct use. For example:
#
# Windows PowerShell Script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSDomainController `
-AllowPasswordReplicationAccountName @("CORP\Allowed RODC Password Replication Group", "CORP\Chicago RODC Admins", "CORP\C
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "C:\Windows\NTDS" `
-DelegatedAdministratorAccountName "CORP\Chicago RODC Admins" `
-DenyPasswordReplicationAccountName @("BUILTIN\Administrators", "BUILTIN\Server Operators", "BUILTIN\Backup Operators", "B
-DomainName "corp.contoso.com" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-SiteName "DefaultFirstSiteName" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true
Note
Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of
Windows or service packs). The one exception to this is the -safemodeadministratorpassword argument. To force a confirmation prompt, omit the value
when running the cmdlet interactively.
Use the optional -WhatIf argument with the Install-ADDSDomainController cmdlet to review configuration information. This enables you to see the explicit and
implicit values of the arguments for a cmdlet.
Prerequisites Check
The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new
AD DS forest.
When installing a new forest root domain, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests.
These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller process cannot continue until all
prerequisite tests pass.
The Prerequisites Check also surfaces relevant information such as security changes that affect older operating systems.
You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet using the
following argument:
-skipprechecks
Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it
begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results.
Installation
When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and
are written to logs:
%systemroot%\debug\dcpromo.log
%systemroot%\debug\dcpromoui.log
To install a new Active Directory forest using the ADDSDeployment module, use the following cmdlet:
Install-ADDSDomainController
See the ADDSDeployment Cmdlet table at the beginning of this section for required and optional arguments.
The Install-ADDSDomainController cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation phase with the
minimum required arguments of -domainname, -readonlyreplica, -sitename, and -credential. Note how, just like Server Manager, Install-ADDSDomainController
reminds you that promotion will reboot the server automatically:
To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the
server from automatically rebooting at the end of promotion, use the -norebootoncompletion argument.
Warning
Overriding the reboot is not recommended. The domain controller must reboot to function correctly. If you log off the domain controller, you cannot log back
on interactively until you restart it.
Results
The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot
after 10 seconds.