Deploying Domain Controllers using PowerShell

This approach to domain controller deployment can be particularly useful in large enterprise environments, data centers, and cloud-computing scenarios.

Using Windows PowerShell to deploy Server Core domain controllers is an ideal combination for a data center.

The problem with using PowerShell remoting for the DC deployment

The difficulty, however, is that Windows PowerShell remoting is primarily intended for remotely managing domain-joined computers;
and if you are preparing to deploy the first domain controller in a new forest, there is no domain yet to join! In other words, the remote
server that will be promoted to a domain controller is initially in a workgroup.

The solution is to prepare your environment by enabling the two standalone computers to talk to each other using the WS-Management protocol.

So the remote server must first be added to the TrustedHosts list on the local server before you can manage it from there. Be aware of what that does: an entry in TrustedHosts tells the WinRM client to send your credentials (NTLM or Basic authentication) to that name without any proof of the server's identity, so keep the list as narrow as possible (never a bare *), use -UseSSL with a server certificate where you can, and remove the entry once the new forest exists and the local server is joined to it, since Kerberos can then be used instead.

You can use the Set-Item cmdlet to do this:
PS C:\> Set-Item wsman:\localhost\Client\TrustedHosts -Value SEA-SRV-1

Then you can use the Get-Item cmdlet to verify the result:

PS C:\> Get-Item wsman:\localhost\Client\TrustedHosts

Tips for Set-Item:
If you need to add another remote server to the TrustedHosts list on your local computer, include the -Concatenate parameter when you use Set-Item the second time so that you don't end up overwriting the current contents of the list.

You can also suppress the Yes/No prompt with the Set-Item cmdlet by adding the -Force parameter to it. If you do, read the list back with Get-Item afterwards to confirm it contains exactly the hosts you intended.
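The preparation steps above, as an added example that is not part of the original page: it appends SEA-SRV-1 to TrustedHosts only if it is not already there, checks that the list was not widened to *, confirms WinRM answers on the remote side, and opens a session with the remote server's local administrator account. It assumes the remote server is named SEA-SRV-1 as in the text, that WinRM is already listening on it (Windows Server 2012 enables it by default), and that it runs in an elevated prompt on the local server.

```powershell
# Added example (not from the original page): prepare the local server so it
# can manage the workgroup server SEA-SRV-1 over WS-Management.
# Assumptions: the remote server is reachable as SEA-SRV-1, WinRM is listening
# on it, and this runs in an elevated PowerShell prompt on the local server.

$RemoteServer     = 'SEA-SRV-1'
$TrustedHostsPath = 'WSMan:\localhost\Client\TrustedHosts'

# Read the current list (an empty string when nothing is trusted yet).
$current = (Get-Item -Path $TrustedHostsPath).Value
$entries = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

if ($entries -contains $RemoteServer) {
    Write-Host "$RemoteServer is already in TrustedHosts"
}
elseif ($entries.Count -eq 0) {
    # First entry: a plain Set-Item is enough. -Force suppresses the Y/N prompt.
    Set-Item -Path $TrustedHostsPath -Value $RemoteServer -Force
}
else {
    # -Concatenate appends instead of overwriting the existing entries.
    Set-Item -Path $TrustedHostsPath -Value $RemoteServer -Concatenate -Force
}

# Verify the result and refuse to continue with an over-broad list.
$after = (Get-Item -Path $TrustedHostsPath).Value
Write-Host "TrustedHosts is now: $after"
if ($after -eq '*') {
    throw "TrustedHosts is '*': credentials would be sent to any host. Narrow it first."
}

# Check that WinRM on the remote side answers before trying to authenticate.
Test-WSMan -ComputerName $RemoteServer

# Open a session as the remote server's local administrator. The server is in a
# workgroup, so authentication falls back to NTLM and there is no server identity
# check beyond the TrustedHosts entry; only do this on a network you control.
$cred = Get-Credential -Message "Local administrator on $RemoteServer" `
                       -UserName "$RemoteServer\Administrator"
$session = New-PSSession -ComputerName $RemoteServer -Credential $cred

# Confirm we reached the intended machine and that it is still in a workgroup.
Invoke-Command -Session $session -ScriptBlock {
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Domain   = (Get-WmiObject -Class Win32_ComputerSystem).Domain
        PartOfDomain = (Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
    }
}
Remove-PSSession -Session $session
```

Keep the $cred object from this block for the deployment steps that follow; every Invoke-Command against the workgroup server needs explicit credentials, because the local server cannot use single sign-on to a machine outside any domain.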

Preparing for deploying additional domain controllers in an existing forest

Deploying Windows Server 2012 domain controllers in a forest whose existing domain controllers are running an earlier version of Windows Server can also be done using Windows PowerShell as follows:

1.  Install a Windows Server 2012 server, and join the server to an existing domain.
2.  Use the Install-WindowsFeature cmdlet to install the AD DS role together with its role-management tools as follows:
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
3.  Run commands from the ADDSDeployment module on the server to remotely install AD DS on other domain-joined Windows Server 2012 servers.

Note that in Windows Server 2012 the forest and domain preparation formerly done by running adprep.exe by hand is performed automatically by the ADDSDeployment cmdlets when the first Windows Server 2012 domain controller is added to an existing forest or domain. The account used for that first promotion must therefore be a member of Schema Admins and Enterprise Admins, not only Domain Admins.

The Windows PowerShell cmdlets for installing a forest, installing domains, deploying domain controllers, and performing similar deployment tasks are found in the ADDSDeployment module. To see a list of the available cmdlets in this module, use the Get-Command cmdlet as follows:

PS C:\> Get-Command -Module ADDSDeployment

The result will be:

CommandType     Name                                               ModuleName 
-----------     ----                                               ---------- 
Cmdlet          Add-ADDSReadOnlyDomainControllerAccount            ADDSDeployment 
Cmdlet          Install-ADDSDomain                                 ADDSDeployment 
Cmdlet          Install-ADDSDomainController                       ADDSDeployment 
Cmdlet          Install-ADDSForest                                 ADDSDeployment 
Cmdlet          Test-ADDSDomainControllerInstallation              ADDSDeployment 
Cmdlet          Test-ADDSDomainControllerUninstallation            ADDSDeployment 
Cmdlet          Test-ADDSDomainInstallation                        ADDSDeployment 
Cmdlet          Test-ADDSForestInstallation                        ADDSDeployment 
Cmdlet          Test-ADDSReadOnlyDomainControllerAccountCreation   ADDSDeployment 
Cmdlet          Uninstall-ADDSDomainController                     ADDSDeployment

Cmdlets used to run the prerequisite checks: Test-ADDS*

Each Test-ADDS* cmdlet runs only the prerequisite checks of the matching Install-ADDS* cmdlet, without changing anything on the server. They accept the same parameters, so you can validate the exact command you intend to run.

For a remote Windows Server 2012 server, use Invoke-Command with -ComputerName (without -ComputerName, the script block runs on the local server):
Invoke-Command -ComputerName SEA-SRV-1 -ScriptBlock {Test-ADDSForestInstallation -DomainName FQDN.com}

Promote first DC in the forest root domain (corp.adatum.com):

1. Begin by logging on to a local server running Windows Server 2012 using your administrator credentials, and open an elevated Windows PowerShell prompt. (If you are logged on with the built-in Administrator account, any Windows PowerShell prompt you open will be elevated.)
2.  Change the script execution policy on the local server so that locally created script files can run:
Set-ExecutionPolicy RemoteSigned
3.  RemoteSigned is enough to run Windows PowerShell scripts (.ps1 files) that you write on the local server. Unrestricted also works, but it additionally runs unsigned scripts downloaded from the Internet, which is more than this task needs. The execution policy of the remote server does not come into play: Invoke-Command -FilePath reads the script on the local server and sends its contents to the remote server as a script block.
4.  Open Notepad, and type the following two commands:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools 
Install-ADDSForest -DomainName corp.adatum.com -InstallDNS

The first command installs AD DS together with the role-management tools on the targeted server.
The second command promotes the targeted server as the first domain controller in the forest root domain corp.adatum.com. Note that the name of the targeted server has not been specified in this script. Use Notepad to save the script with the file name script1.ps1 in the folder C:\scripts or some other suitable location on the local server.
5.  Run the following command on the local server to execute your script on the remote server SEA-SRV-1:
Invoke-Command -ComputerName SEA-SRV-1 -FilePath C:\scripts\script1.ps1

6. When the AD DS role has finished installing on SEA-SRV-1, you will be prompted for the Directory Services Restore Mode (DSRM) administrator password, which the cmdlet exposes as the -SafeModeAdministratorPassword parameter. Treat it as a high-value secret: it allows logon to the domain controller in DSRM, and with that offline access to the AD database. After this, you will need to press Y and Enter to confirm that you want to promote the server as a DC; include the -Force parameter to eliminate that confirmation. The server reboots on its own when promotion completes unless you also specify -NoRebootOnCompletion.
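The prerequisite-check passage and the six-step procedure above, as one added example that is not the original page's script1.ps1: a variant of that script that takes the DSRM password as a SecureString parameter instead of prompting, runs Test-ADDSForestInstallation with the same arguments first, and promotes only if the check reports success. It assumes the same names as the text (target server SEA-SRV-1, forest root domain corp.adatum.com, file saved as C:\scripts\script1.ps1 on the local server); the parameter names $DomainName and $DsrmPassword and the use of the result object's Status property are this example's own.

```powershell
# Added example (not the page's own script1.ps1): a non-interactive variant.
# Assumptions: saved as C:\scripts\script1.ps1 on the local server and run on
# SEA-SRV-1 through Invoke-Command -FilePath; parameter names are hypothetical.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,
    [Parameter(Mandatory = $true)][System.Security.SecureString]$DsrmPassword
)

# Install the role binaries and management tools; nothing is promoted yet.
$feature = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $feature.Success) {
    throw "AD-Domain-Services failed to install on $env:COMPUTERNAME"
}
Import-Module ADDSDeployment

# Run the checks Install-ADDSForest would run, with the same parameters,
# without changing anything. The result object reports Status and Message.
$test = Test-ADDSForestInstallation -DomainName $DomainName `
                                    -SafeModeAdministratorPassword $DsrmPassword `
                                    -InstallDns
Write-Output $test.Message
if ($test.Status -ne 'Success') {
    throw "Prerequisite check for $DomainName failed on $env:COMPUTERNAME; not promoting"
}

# Promote the server as the first DC of the new forest root domain.
# -Force drops the Y/N confirmation; -NoRebootOnCompletion keeps the remoting
# session alive long enough to return the result, so the reboot is issued
# explicitly from the local server afterwards.
Install-ADDSForest -DomainName $DomainName `
                   -SafeModeAdministratorPassword $DsrmPassword `
                   -InstallDns `
                   -NoRebootOnCompletion `
                   -Force
```

From the local server, collect the DSRM password once with $dsrm = Read-Host -AsSecureString -Prompt 'DSRM password', take the local-administrator credential for SEA-SRV-1 with Get-Credential into $cred, and run Invoke-Command -ComputerName SEA-SRV-1 -Credential $cred -FilePath C:\scripts\script1.ps1 -ArgumentList 'corp.adatum.com', $dsrm (the arguments bind positionally to $DomainName and $DsrmPassword; a SecureString survives the remoting serialization). When the command returns, reboot the new DC with Restart-Computer -ComputerName SEA-SRV-1 -Credential $cred -Force. The password never appears in the script file, in the command line, or in the PowerShell history as plain text.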

About the credential

If you want to run the promotion with the credentials of the account you are currently logged on with, rather than supplying a separate domain administrator account, omit the -Credential parameter as follows:
Install-ADDSDomainController -InstallDns -DomainName corp.adatum.com
Whichever account is used must be allowed to add a domain controller to the domain, which in practice means membership in Domain Admins. If you want to be prompted to supply the credentials needed to install and promote the domain controller, use the following command instead:

Install-ADDSDomainController -InstallDns -Credential `
(Get-Credential) -DomainName corp.adatum.com

The backtick ` is the escape character in Windows PowerShell; placed as the last character of a line it escapes the line break, which tells the parser that the command continues on the next line. It must be the very last character: a space after the backtick escapes that space instead, and the command ends at that line.

First domain controller in a child or tree domain

You can use the Install-ADDSDomain cmdlet to install a new child or tree domain in an  existing forest by deploying the first domain controller for the new domain. For example, to install and promote a server to become the first domain controller of a child domain hq in the parent domain corp.adatum.com, use this command:

Install-ADDSDomain -Credential (Get-Credential CORP\Administrator) `
-NewDomainName hq -ParentDomainName corp.adatum.com -DomainType ChildDomain `
-InstallDNS -CreateDNSDelegation

Read only DC

You can use the Install-ADDSDomainController cmdlet with the -ReadOnlyReplica parameter to deploy a new RODC in an existing domain. An RODC promotion also requires -SiteName, and the Test-ADDSDomainControllerInstallation cmdlet accepts the same parameters for a dry run.
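An RODC deployment as an added example that is not from the original page. It assumes a server already joined to corp.adatum.com with the AD DS role installed, an AD site named Branch-Site, and a group CORP\Branch-Admins that should administer the RODC; the site and group names are hypothetical. It goes a step beyond the sentence above by wiring in the two settings that make an RODC worth having on an untrusted site: a delegated administrator who is not a Domain Admin, and a password replication deny list for privileged accounts.

```powershell
# Added example (not from the original page): promote a domain-joined server
# as a read-only domain controller, non-interactively.
# Assumptions: domain corp.adatum.com; site 'Branch-Site' and group
# 'CORP\Branch-Admins' are hypothetical; AD DS role binaries already installed.

$domain = 'corp.adatum.com'
$site   = 'Branch-Site'
$cred   = Get-Credential -Message 'Domain Admin credentials' -UserName 'CORP\Administrator'
$dsrm   = Read-Host -AsSecureString -Prompt 'DSRM password for the RODC'

Import-Module ADDSDeployment

# Accounts whose secrets must never be cached on a server in a branch office.
# These are in addition to the built-in Denied RODC Password Replication Group.
$denyList = @(
    'CORP\Domain Admins',
    'CORP\Enterprise Admins',
    'CORP\Schema Admins',
    'CORP\Administrator'
)

# Dry run with the same parameters: catches a missing site, a domain functional
# level that does not support RODCs, an account without the required rights.
$check = Test-ADDSDomainControllerInstallation -DomainName $domain -Credential $cred `
             -SafeModeAdministratorPassword $dsrm `
             -ReadOnlyReplica -SiteName $site -InstallDns
Write-Output $check.Message
if ($check.Status -ne 'Success') {
    throw 'RODC prerequisite check failed; not promoting'
}

# -ReadOnlyReplica requires -SiteName. The delegated administrator can patch
# and reboot this box without holding any domain-wide privilege.
Install-ADDSDomainController -DomainName $domain -Credential $cred `
    -SafeModeAdministratorPassword $dsrm `
    -ReadOnlyReplica -SiteName $site -InstallDns `
    -DelegatedAdministratorAccountName 'CORP\Branch-Admins' `
    -DenyPasswordReplicationAccounts $denyList `
    -NoRebootOnCompletion -Force

# Reboot is deferred so the result object comes back; restart when ready.
Restart-Computer -Force
```

Pre-staging is the alternative when the branch server will be promoted by someone without Domain Admin rights: a Domain Admin runs Add-ADDSReadOnlyDomainControllerAccount with -DomainControllerAccountName, -SiteName and -DelegatedAdministratorAccountName first, and the delegated administrator later runs Install-ADDSDomainController with -UseExistingAccount on the server itself.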

Verify the DC Deployment

You can use PowerShell to verify the result. Use Invoke-Command on the local server SEA-HOST-2 to execute the Invoke-BpaModel cmdlet on the remote server SEA-SRV-1:

PS C:\> Invoke-Command -ComputerName SEA-SRV-1 -ScriptBlock `
{Invoke-BpaModel -ModelId Microsoft/Windows/DirectoryServices}

You can then execute the Get-BpaResult cmdlet on the remote server to display the results:

PS C:\> Invoke-Command -ComputerName SEA-SRV-1 -ScriptBlock `
{Get-BpaResult Microsoft/Windows/DirectoryServices}

The output from this command will be quite extensive, so you might try piping it into the Where-Object cmdlet to display only results whose severity level is Error:

PS C:\Users\Administrator> Invoke-Command -ComputerName SEA-SRV-1 -ScriptBlock `
{Get-BpaResult Microsoft/Windows/DirectoryServices} | Where-Object Severity -eq Error

Uninstalling AD DS
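The verification above, extended as an added example that is not from the original page: one remoting session to the new DC checks the services every DC must run, reads back the DC object as Active Directory itself sees it, and then runs the BPA model and keeps only Error and Warning results. It assumes the local server is now joined to the new forest (so Kerberos works and no TrustedHosts entry is needed) and that the caller is a Domain Admin.

```powershell
# Added example (not from the original page): post-promotion checks on SEA-SRV-1
# from a domain-joined admin server. Assumes Domain Admin rights and that the
# BestPractices and ActiveDirectory modules are present on the DC (they are,
# once the AD DS role and its management tools are installed).
$dc = 'SEA-SRV-1'
$s  = New-PSSession -ComputerName $dc

# 1. Core services: directory, Kerberos KDC, Netlogon, DNS, SYSVOL replication.
$services = Invoke-Command -Session $s -ScriptBlock {
    Get-Service -Name NTDS, Kdc, Netlogon, DNS, DFSR | Select-Object Name, Status
}
$services
$notRunning = @($services | Where-Object Status -ne 'Running')
if ($notRunning.Count -gt 0) {
    Write-Warning ('Not running on {0}: {1}' -f $dc, ($notRunning.Name -join ', '))
}

# 2. The DC object: site, GC, RODC flag and which FSMO roles it holds.
Invoke-Command -Session $s -ScriptBlock {
    Get-ADDomainController -Identity $env:COMPUTERNAME |
        Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles
}

# 3. Best Practices Analyzer: run the AD DS model, then keep only the problems.
$findings = Invoke-Command -Session $s -ScriptBlock {
    Invoke-BpaModel -ModelId Microsoft/Windows/DirectoryServices | Out-Null
    Get-BpaResult -ModelId Microsoft/Windows/DirectoryServices |
        Where-Object { $_.Severity -in 'Error', 'Warning' } |
        Select-Object Severity, Category, Title, Problem, Resolution
}
$findings | Format-List

Remove-PSSession -Session $s
```

Run the BPA step a second time after you have acted on the findings; Get-BpaResult returns the results of the last Invoke-BpaModel run, so a stale result set will keep showing errors you have already fixed.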

Finally, you can use the Uninstall-ADDSDomainController cmdlet to demote a domain controller to a member server in the domain; run Test-ADDSDomainControllerUninstallation first to check the prerequisites. Demotion leaves the AD DS role binaries on the server; remove them afterwards with Uninstall-WindowsFeature -Name AD-Domain-Services.