Installing Domain Controllers via PowerShell

The installation of a Domain Controller is now a two-step process.


  1. Install the AD DS Binaries
  2. Promote the Domain Controller and add to or create a Forest/Domain


Installing via PowerShell:


Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -InstallDns -Credential (Get-Credential icuazuretest\Administrator) -DomainName "icuazuretest.local"


Or, for a Server Core install, drop -IncludeManagementTools:

Install-WindowsFeature -Name AD-Domain-Services
Install-ADDSDomainController -InstallDns -Credential (Get-Credential icuazuretest\Administrator) -DomainName "icuazuretest.local"


For a list of commands:

Get-Command -Module ActiveDirectory


Test vs Install


Before running the command to promote a Domain Controller, the process can be tested (and should be tested before actually promoting).




First DC in Forest

Test-ADDSForestInstallation -DomainName -CreateDNSDelegation `
    -DomainMode Win2008 -ForestMode Win2008R2 -DatabasePath "D:\NTDS" -SysvolPath "D:\SYSVOL" -LogPath "E:\Logs"


Install-ADDSForest -DomainName -CreateDNSDelegation -DomainMode Win2008 `
    -ForestMode Win2008R2 -DatabasePath "D:\NTDS" -SysvolPath "D:\SYSVOL" -LogPath "E:\Logs"

Adding a DC to an existing domain

Test-ADDSDomainControllerInstallation -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName ""


Install-ADDSDomainController -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName ""

New domain, existing forest

Test-ADDSDomainInstallation -Credential (Get-Credential CORP\EnterpriseAdmin1) `
    -NewDomainName child -ParentDomainName -InstallDNS -CreateDNSDelegation `
    -DomainMode Win2003 -ReplicationSourceDC -SiteName Houston `
    -DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "E:\Logs" -NoRebootOnCompletion


Install-ADDSDomain -Credential (Get-Credential CORP\EnterpriseAdmin1) `
    -NewDomainName child -ParentDomainName -InstallDNS -CreateDNSDelegation `
    -DomainMode Win2003 -ReplicationSourceDC -SiteName Houston `
    -DatabasePath "D:\NTDS" -SYSVOLPath "D:\SYSVOL" -LogPath "E:\Logs" -NoRebootOnCompletion
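The test-then-install pattern described above, as an added example that is not part of the original notes: the same splatted parameter set is passed first to the Test-ADDS* cmdlet and the real promotion only runs if that dry run reports success. The domain name is a constructed sample, and the check on the returned object's Status property is an assumption about the ADDSDeployment result object; verify it on your build.

```powershell
# Added example (not from the original notes): gate a DC promotion on the
# matching Test-ADDS* cmdlet so a failed prerequisite never reaches Install.
Import-Module ADDSDeployment

$domainName = 'corp.example.test'          # constructed sample value
$cred       = Get-Credential "$domainName\Administrator"
# Prompt for the DSRM password once so Test and Install use the same value.
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (SafeMode) password'

$common = @{
    DomainName                    = $domainName
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    DatabasePath                  = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    LogPath                       = 'E:\Logs'
    NoRebootOnCompletion          = $true   # inspect the logs before rebooting
}

# Dry run: identical parameters, no changes made to the server.
$test = Test-ADDSDomainControllerInstallation @common
$test | Format-List Status, Message, Context

# Assumption: Status is 'Success' when every prerequisite check passed.
if ($test.Status -ne 'Success') {
    Write-Warning 'Prerequisite check did not pass; not promoting this server.'
    return
}

# Only now perform the real promotion with exactly the tested parameters.
$result = Install-ADDSDomainController @common
$result | Format-List Status, Message, RebootRequired
```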

Adding an RODC Account


This is used to pre-stage the RODC account in Active Directory.

Test-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName -SiteName NorthAmerica -DelegatedAdministratorAccountName corp.contoso.


Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName -SiteName NorthAmerica -DelegatedAdministratorAccountName corp.contoso.

Uninstall a Domain Controller


Use the Test-ADDSDomainControllerUninstallation and Uninstall-ADDSDomainController cmdlets to uninstall a domain controller. Unlike the previous cmdlets, these cmdlets can be used without any parameters. If you do so, you will be prompted to supply a local Administrator password.


Cloning Domain Controllers



  1. Source and target DC must both be virtual machines
  2. Source cannot be the PDC Emulator
  3. PDC Emulator must be Windows Server 2012 or later (can be physical or virtual)
  4. Source VM must be placed in the Cloneable Domain Controllers AD group.



First, a check must be run via PowerShell to ensure there are no applications that will conflict with cloning.




If there are apps, they should be checked with the vendor to ensure they are safe to clone.


If so, an exclusion list needs to be created by running:


Get-ADDCCloningExcludedApplicationsList -GenerateXml -Path C:\Windows\NTDS -Force
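The four prerequisites and the application check above, as an added example that is not part of the original notes: run on the source DC, it verifies each condition and lists any application that has not yet been recorded in the allow-list. Assumptions: the ActiveDirectory module is present, the PDC Emulator's OperatingSystem attribute is populated, and Hyper-V guests report "Virtual Machine" as their model.

```powershell
# Added example (not from the original notes): pre-clone checks for a source DC.
Import-Module ActiveDirectory

$me = $env:COMPUTERNAME
$ok = $true

# 1. The source must itself be a VM (assumption: Hyper-V guests report this model).
$model = (Get-CimInstance Win32_ComputerSystem).Model
if ($model -notmatch 'Virtual Machine') {
    Write-Warning "$me reports model '$model'; the source must be a VM."; $ok = $false
}

# 2. The source must not hold the PDC Emulator role.
$pdc = ((Get-ADDomain).PDCEmulator -split '\.')[0]
if ($pdc -ieq $me) {
    Write-Warning "$me is the PDC Emulator; pick another source DC."; $ok = $false
}

# 3. The PDC Emulator must run Windows Server 2012 or later
#    (assumption: the OperatingSystem attribute is populated for the PDC).
$pdcOS = (Get-ADComputer $pdc -Properties OperatingSystem).OperatingSystem
if ($pdcOS -match 'Server 200\d') {
    Write-Warning "PDC Emulator $pdc runs '$pdcOS'; 2012 or later is required."; $ok = $false
}

# 4. The source must be a member of Cloneable Domain Controllers.
$members = Get-ADGroupMember 'Cloneable Domain Controllers' -Recursive |
           Select-Object -ExpandProperty Name
if ($members -notcontains $me) {
    Write-Warning "$me is not in 'Cloneable Domain Controllers'."; $ok = $false
}

# Application check: each listed app must be cleared with its vendor and then
# recorded in the allow-list XML (the -GenerateXml command in the notes).
$apps = Get-ADDCCloningExcludedApplicationsList
if ($apps) {
    Write-Warning 'Applications not yet known to be clone-safe; clear these first:'
    $apps | Format-Table -AutoSize
    $ok = $false
}

if ($ok) { Write-Host 'Source DC passes the cloning prerequisite checks.' }
```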


Main Command


New-ADDCCloneConfigFile -Static -IPv4Address -IPv4DefaultGateway -IPv4SubnetMask -IPv4DNSResolver -CloneComputerName DCTarget -SiteName Default-First-Site-Name


Shut down the DC.


In Hyper-V, export the Virtual Machine. 


Start the source DC.


Import the Virtual Machine from the file created by the export.


Remember to select the option to create a new VM with new SIDs.

(The locations of the new VM components must be in different folders)


The same applies to the VHDX file.


PowerShell Commands for export/import of VMs


Export-VM -Name DCSource -Path C:\VMExports


Import-VM -Path 'C:\VMExports\Virtual Machines\8F148B6D-C674-413E-9FCC-4FBED185C52D.XML' -Copy -GenerateNewId

Find Password Expiry Dates for Active Directory Users

Get-ADUser -Identity username -Properties *

The property names we are interested in are PasswordLastSet and PasswordNeverExpires, so we can run the command specifying only these properties and output the results in a table.
Type: Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | ft Name, PasswordLastSet, PasswordNeverExpires

We can now see when a user last changed their password and whether it is set to never expire.
To make things easier to find in a big environment, you may want to sort the list by name.
Type: Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | Sort-Object Name | ft Name, PasswordLastSet, PasswordNeverExpires

And finally, let's export the list to CSV so we can work on it in Excel. In this example we substitute Select-Object for Format-Table (ft), because Format-Table emits formatting objects rather than the user objects Export-Csv needs.

Type: Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordNeverExpires | Export-Csv -Path c:\temp\user-password-info-20131119.csv
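The report above shows when a password was last set; this added example (not part of the original notes) goes one step further and derives the actual expiry date from the msDS-UserPasswordExpiryTimeComputed attribute, flagging never-expiring, expired and must-change accounts so the CSV can be reviewed directly. It assumes the ActiveDirectory module; the output path is a constructed sample.

```powershell
# Added example (not from the original notes): per-user password expiry report.
Import-Module ActiveDirectory

$now = Get-Date

$report = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires,
                    'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # 0 (password must change) or Int64.MaxValue (never expires) are not
        # real file times, so only convert genuine values.
        $expires = if ($_.PasswordNeverExpires -or -not $raw -or $raw -ge [long]::MaxValue) { $null }
                   else { [datetime]::FromFileTime($raw) }
        [pscustomobject]@{
            Name                 = $_.Name
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            Expires              = $expires
            DaysLeft             = if ($expires) { [int]($expires - $now).TotalDays } else { $null }
            Flag = if ($_.PasswordNeverExpires)     { 'never-expires' }
                   elseif (-not $_.PasswordLastSet) { 'must-change' }
                   elseif ($expires -lt $now)       { 'expired' }
                   else                             { '' }
        }
    }

$report | Sort-Object Name | Format-Table Name, PasswordLastSet, Expires, DaysLeft, Flag -AutoSize
# Constructed sample path; adjust for your environment.
$report | Export-Csv -Path 'C:\temp\user-password-expiry.csv' -NoTypeInformation
```

Accounts flagged never-expires are the ones worth reviewing first, since they are exempt from the domain's rotation policy.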

Modify MaxNegPhaseCorrection and MaxPosPhaseCorrection

  1. Open the Group Policy Management snap-in. To open Group Policy Management, click Start, click Administrative Tools, and then click Group Policy Management.
  2. In the console tree, select the Group Policy object (GPO) for the Windows Time service that is linked to this domain controller and then open the Group Policy Management Editor snap-in. To open the Group Policy Management Editor, right-click the selected GPO, and then click Edit.


It is not recommended to link your Windows Time Service GPO to the entire domain (in other words, linking it to all domain controllers and member servers in this domain). If you want to configure Windows Time Service for a selected domain controller through Group Policy, we recommend that you create a GPO for Windows Time Service and link it to that specific domain controller.

  1. In the console tree, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then expand Windows Time Service.
  2. In the details pane, double-click Global Configuration Settings.
  3. In Global Configuration Settings, under Options, navigate to MaxNegPhaseCorrection, set the value to 172800 (a decimal value for 48 hours), and then click OK.

If the Windows Time service Group Policy settings have not been applied to this domain controller, you can use the following procedure to update the value of MaxNegPhaseCorrection through the registry.

To update the value of the MaxNegPhaseCorrection registry key

  1. Open the Registry Editor. To open the Registry Editor, click Start, click Run, and then type regedit.
  2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection.
  3. Set the value of MaxNegPhaseCorrection to 172800 (a decimal value for 48 hours).
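The registry procedure above, as an added PowerShell example that is not part of the original notes: it records the current values, sets both MaxNegPhaseCorrection and MaxPosPhaseCorrection (the two values named in the heading) to 172800, and makes the Windows Time service reload its configuration. As the notes say, this applies only where the Windows Time GPO has not been applied; a linked GPO would overwrite the values at the next refresh.

```powershell
# Added example (not from the original notes): set both phase-correction
# limits to 48 hours via the registry and have w32time re-read them.
$key          = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$limitSeconds = 172800   # 48 hours, as in the procedure above

# Show the values before changing them so the change is auditable.
Get-ItemProperty -Path $key -Name MaxNegPhaseCorrection, MaxPosPhaseCorrection |
    Format-List MaxNegPhaseCorrection, MaxPosPhaseCorrection

foreach ($name in 'MaxNegPhaseCorrection', 'MaxPosPhaseCorrection') {
    Set-ItemProperty -Path $key -Name $name -Value $limitSeconds -Type DWord
}

# Tell the Windows Time service to reload its registry configuration, then
# confirm the effective settings.
w32tm /config /update | Out-Null
w32tm /query /configuration | Select-String 'PhaseCorrection'
```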


Protect all OUs from accidental deletion

To protect all existing OUs in your domain from accidental deletion by using the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. At the Active Directory module command prompt, type the following command to check which OUs are not protected, and then press ENTER:
    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | ft
  3. At the Active Directory module command prompt, type the following command to protect the OUs that you identified in Step 2, and then press ENTER:
    Get-ADOrganizationalUnit -filter * -Properties ProtectedFromAccidentalDeletion | where {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
  4. Run the command in Step 2 again to verify the OUs are protected.
    For more information about the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets, at the Active Directory module command prompt, type Get-Help Get-ADOrganizationalUnit or Get-Help Set-ADOrganizationalUnit, and then press ENTER.