Installing Domain Controllers via PowerShell

The installation of a Domain Controller is now a two-step process:

  1. Install the AD DS binaries
  2. Promote the Domain Controller and add it to (or create) a forest/domain

Installing via PowerShell:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController -InstallDns -Credential (Get-Credential icuazuretest\Administrator) -DomainName "icuazuretest.local"

Or for a Server Core install, drop -IncludeManagementTools:

Install-WindowsFeature -Name AD-Domain-Services
Install-ADDSDomainController -InstallDns -Credential (Get-Credential icuazuretest\Administrator) -DomainName "icuazuretest.local"

For a list of the cmdlets in the module:

Get-Command -Module ActiveDirectory

Test vs Install

Before running the command to promote a Domain Controller, the process can (and should) be tested with the matching Test-ADDS* cmdlet, which runs the same prerequisite checks as the Install-ADDS* cmdlet without making any changes. Each Test cmdlet takes the same parameters as its Install counterpart.

Outcome: First DC in Forest

Test-ADDSForestInstallation -DomainName corp.contoso.com -CreateDNSDelegation -DomainMode Win2008 -ForestMode Win2008R2 -DatabasePath "D:\NTDS" -SysvolPath "D:\SYSVOL" -LogPath "E:\Logs"

Install-ADDSForest -DomainName corp.contoso.com -CreateDNSDelegation -DomainMode Win2008 -ForestMode Win2008R2 -DatabasePath "D:\NTDS" -SysvolPath "D:\SYSVOL" -LogPath "E:\Logs"

Outcome: Adding a DC to an existing domain

Test-ADDSDomainControllerInstallation -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName "corp.contoso.com"

Install-ADDSDomainController -InstallDns -Credential (Get-Credential CORP\Administrator) -DomainName "corp.contoso.com"

Outcome: New domain, existing forest

Test-ADDSDomainInstallation -Credential (Get-Credential CORP\EnterpriseAdmin1) -NewDomainName child -ParentDomainName corp.contoso.com -InstallDNS -CreateDNSDelegation -DomainMode Win2003 -ReplicationSourceDC DC1.corp.contoso.com -SiteName Houston -DatabasePath "D:\NTDS" -SysvolPath "D:\SYSVOL" -LogPath "E:\Logs" -NoRebootOnCompletion

Install-ADDSDomain -Credential (Get-Credential CORP\EnterpriseAdmin1) -NewDomainName child -ParentDomainName corp.contoso.com -InstallDNS -CreateDNSDelegation -DomainMode Win2003 -ReplicationSourceDC DC1.corp.contoso.com -SiteName Houston -DatabasePath "D:\NTDS" -SysvolPath "D:\SYSVOL" -LogPath "E:\Logs" -NoRebootOnCompletion
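The Test cmdlets return a result object rather than just printing text, so the test-then-install step can be scripted: promote only when the check reports Success, and surface the message otherwise. The following is an added example (not from the original notes), using the corp.contoso.com names from the table above; the DSRM password is read interactively so it is never stored in the script.

```powershell
# Added example: gate Install-ADDSDomainController on a successful Test-ADDSDomainControllerInstallation.
# Assumes the AD DS binaries are installed (Install-WindowsFeature AD-Domain-Services) and that
# the supplied credential is allowed to add a DC to the domain.
$domain = 'corp.contoso.com'                 # domain name from the notes above
$cred   = Get-Credential 'CORP\Administrator'
$dsrm   = Read-Host -AsSecureString 'DSRM (Safe Mode) administrator password'

# The same parameter set is used for the test and for the real promotion.
$common = @{
    DomainName                    = $domain
    Credential                    = $cred
    InstallDns                    = $true
    SafeModeAdministratorPassword = $dsrm
    DatabasePath                  = 'D:\NTDS'
    SysvolPath                    = 'D:\SYSVOL'
    LogPath                       = 'E:\Logs'
}

$test = Test-ADDSDomainControllerInstallation @common
$test | Format-List Status, Message, Context, RebootRequired

if ($test.Status -eq 'Success') {
    # -NoRebootOnCompletion keeps the box up so the installation log can be reviewed first;
    # -Force suppresses the confirmation prompts for an unattended run.
    Install-ADDSDomainController @common -NoRebootOnCompletion -Force
} else {
    Write-Warning "Prerequisite check failed, not promoting: $($test.Message)"
}
```

Keeping the test and the install on one splatted parameter set is the point of the pattern: the prerequisite check exercises exactly the values the promotion will use, so a typo in a path or domain name fails at the test stage rather than half-way through promotion.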

Adding a RODC Account

This is used to pre-stage the RODC account in Active Directory (test first, then add):

Test-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName corp.contoso.com -SiteName NorthAmerica -DelegatedAdministratorAccountName corp.contoso.com\User1

Add-ADDSReadOnlyDomainControllerAccount -DomainControllerAccountName RODC1 -DomainName corp.contoso.com -SiteName NorthAmerica -DelegatedAdministratorAccountName corp.contoso.com\User1

Uninstall a Domain Controller

Use the Test-ADDSDomainControllerUninstallation and Uninstall-ADDSDomainController cmdlets to uninstall a domain controller. Unlike the previous cmdlets, these can be used without any parameters; if you do so, you will be prompted to supply a local Administrator password.

Cloning Domain Controllers

Prerequisites

  1. Source and target DC must be virtual machines
  2. Source cannot be the PDC Emulator
  3. PDC Emulator must be Windows Server 2012 or later (can be physical or virtual)
  4. Source VM must be a member of the Cloneable Domain Controllers AD group

First, a check must be run via PowerShell on the source DC to ensure there are no installed applications that will conflict with cloning:

Get-ADDCCloningExcludedApplicationsList

If any apps are listed, they should be checked with the vendor to ensure they are safe to clone.

If they are, create the exclusion list by running:

Get-ADDCCloningExcludedApplicationsList -GenerateXml -Path C:\Windows\NTDS -Force
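The four prerequisites above can be verified from PowerShell before any clone config file is written. The following is an added example, not part of the original notes: it assumes the ActiveDirectory module, that it is run on the source DC (Get-ADDCCloningExcludedApplicationsList only inspects the local machine), and uses DCSource, the source DC name used in the export command further down; the Hyper-V guest check via Win32_ComputerSystem is a convention (Model "Virtual Machine") rather than something the notes state.

```powershell
# Added example: check the cloning prerequisites for the local source DC.
# Run this on the source DC itself; it reads domain data with the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-DCClonePrerequisites {
    param([Parameter(Mandatory)][string]$SourceDC)

    $domain  = Get-ADDomain
    $pdcHost = $domain.PDCEmulator.Split('.')[0]
    $pdc     = Get-ADComputer -Identity $pdcHost -Properties OperatingSystem, OperatingSystemVersion

    # OperatingSystemVersion looks like "6.2 (9200)"; Windows Server 2012 is 6.2.
    $pdcOk = ($pdc.OperatingSystemVersion -match '^(\d+)\.(\d+)') -and
             ([version]"$($Matches[1]).$($Matches[2])" -ge [version]'6.2')

    # Computer accounts appear in the group as SamAccountName "NAME$".
    $members  = (Get-ADGroupMember -Identity 'Cloneable Domain Controllers').SamAccountName
    $excluded = @(Get-ADDCCloningExcludedApplicationsList)

    # Hyper-V guests report Model "Virtual Machine" (assumption: Hyper-V, as in these notes).
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    [pscustomobject]@{
        SourceDC               = $SourceDC
        SourceIsVirtualMachine = ($cs.Model -like '*Virtual Machine*')
        SourceIsNotPDC         = ($SourceDC -ne $pdcHost)
        PDCEmulator            = $pdc.Name
        PDCOperatingSystem     = $pdc.OperatingSystem
        PDCRunsWS2012OrLater   = $pdcOk
        SourceInCloneableGroup = ($members -contains "$SourceDC`$")
        ExcludedApplications   = $excluded.Count   # must be 0, or covered by the allow-list XML
    }
}

Test-DCClonePrerequisites -SourceDC 'DCSource' | Format-List
```

Every property in the output should read True (and ExcludedApplications 0, or the allow list generated as above) before continuing to New-ADDCCloneConfigFile; a source DC that is the PDC Emulator or is missing from the Cloneable Domain Controllers group will fail the clone at boot rather than at config time.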

 

Main Command

New-ADDCCloneConfigFile -Static -IPv4Address 192.168.0.51 -IPv4DefaultGateway 192.168.0.1 -IPv4SubnetMask 255.255.255.0 -IPv4DNSResolver 192.168.0.99,192.168.0.98 -CloneComputerName DCTarget -SiteName Default-First-Site-Name

Then:

  1. Shut down the source DC.
  2. In Hyper-V, export the virtual machine.
  3. Start the source DC again.
  4. Import the virtual machine from the files created by the export. Remember to select the copy option that creates a new VM with a new ID (the -GenerateNewId option in the PowerShell command below). The locations of the new VM's components, including the VHDX file, must be different folders from those of the source VM.

PowerShell commands for export/import of VMs:

Export-VM -Name DCSource -Path C:\VMExports

Import-VM -Path 'C:\VMExports\Virtual Machines\8F148B6D-C674-413E-9FCC-4FBED185C52D.XML' -Copy -GenerateNewId


Find Password Expiry Dates for Active Directory Users

To see every attribute of a single user:

Get-ADUser -Identity username -Properties *

The property names we are interested in are PasswordLastSet and PasswordNeverExpires, so we can run the command requesting only these properties and output the results as a table:

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | Format-Table Name, PasswordLastSet, PasswordNeverExpires

We can now see when each user last changed their password and whether it is set to never expire. To make things easier to find in a big environment, you may want to sort the list by name:

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | Sort-Object Name | Format-Table Name, PasswordLastSet, PasswordNeverExpires

And finally, let's export the list to CSV so we can work on it in Excel. In this example Select-Object replaces Format-Table (ft), because Export-Csv needs the objects themselves rather than formatted table output:

Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordNeverExpires | Export-Csv -Path c:\temp\user-password-info-20131119.csv
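PasswordLastSet on its own does not tell you when a password actually expires, since that depends on the domain policy or on a fine-grained password policy applied to the user. The following added example (not from the original notes) goes a step further than the commands above: it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the DC calculates with the correct policy for each user, and turns it into an expiry date plus a state flag. It assumes the ActiveDirectory module and read access to the domain; the output path is arbitrary.

```powershell
# Added example: per-user password expiry report based on msDS-UserPasswordExpiryTimeComputed.
# Assumes the ActiveDirectory module is available and the caller can read user objects.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    $expiryAttr = 'msDS-UserPasswordExpiryTimeComputed'

    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, PasswordNeverExpires, $expiryAttr |
        ForEach-Object {
            $raw = $_.$expiryAttr
            # The attribute is a FILETIME: Int64.MaxValue means "never expires" and
            # 0 (or missing) means the user must change the password at next logon.
            $expires = $null
            $state   = 'Expires'
            if ($_.PasswordNeverExpires -or $raw -eq [Int64]::MaxValue) { $state = 'NeverExpires' }
            elseif (-not $raw)                                            { $state = 'MustChangeAtLogon' }
            else                                                          { $expires = [datetime]::FromFileTime($raw) }

            [pscustomobject]@{
                Name                 = $_.Name
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                State                = $state
                PasswordExpires      = $expires
                DaysUntilExpiry      = if ($expires) { [math]::Round(($expires - (Get-Date)).TotalDays, 1) } else { $null }
            }
        } | Sort-Object Name
}

$report = Get-PasswordExpiryReport

# Accounts whose password never expires are the ones worth reviewing first.
$report | Where-Object State -eq 'NeverExpires' | Format-Table Name, SamAccountName, PasswordLastSet -AutoSize

# -NoTypeInformation drops the "#TYPE" header row that otherwise lands in Excel.
$report | Export-Csv -Path 'C:\temp\user-password-expiry.csv' -NoTypeInformation
```

The Enabled filter keeps disabled accounts out of the list; drop it if the review is meant to cover everything. Negative DaysUntilExpiry values mark passwords that have already expired.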


Modify MaxNegPhaseCorrection and MaxPosPhaseCorrection

  1. Open the Group Policy Management snap-in. To open Group Policy Management, click Start, click Administrative Tools, and then click Group Policy Management.
  2. In the console tree, select the Group Policy object (GPO) for the Windows Time service that is linked to this domain controller and then open the Group Policy Management Editor snap-in. To open the Group Policy Management Editor, right-click the selected GPO, and then click Edit.

Note

It is not recommended to link your Windows Time Service GPO to the entire domain (in other words, linking it to all domain controllers and member servers in this domain). If you want to configure Windows Time Service for a selected domain controller through Group Policy, we recommend that you create a GPO for Windows Time Service and link it to that specific domain controller.

  3. In the console tree, expand Computer Configuration, expand Policies, expand Administrative Templates, expand System, and then expand Windows Time Service.
  4. In the details pane, double-click Global Configuration Settings.
  5. In Global Configuration Settings, under Options, navigate to MaxNegPhaseCorrection, set the value to 172800 (a decimal value for 48 hours), and then click OK.

If the Windows Time service Group Policy settings have not been applied to this domain controller, you can use the following procedure to update the value of MaxNegPhaseCorrection through the registry.

To update the value of the MaxNegPhaseCorrection registry key

  1. Open the Registry Editor. To open the Registry Editor, click Start, click Run, and then type regedit.
  2. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection.
  3. Set the value of MaxNegPhaseCorrection to 172800 (a decimal value for 48 hours).
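The registry procedure can be done from PowerShell and verified in one pass, covering both values named in the heading. The block below is an added example, not part of the original notes; it assumes an elevated prompt on the DC and uses the same 172800-second (48 hour) limit as the GPO steps. These limits bound how far the service will correct the clock in one step, which is why they deserve an explicit value: a bad time sample can only move a DC as far as the limit allows, and Kerberos authentication stops working well before a clock drifts that far.

```powershell
# Added example: set MaxNegPhaseCorrection and MaxPosPhaseCorrection in the registry,
# then make W32Time re-read its configuration and show the effective values.
# Run from an elevated PowerShell prompt on the domain controller.
$configKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
$limitSeconds = 172800     # 48 hours, the same value used in the GPO steps above

foreach ($name in 'MaxNegPhaseCorrection', 'MaxPosPhaseCorrection') {
    $before = (Get-ItemProperty -Path $configKey -Name $name).$name
    Set-ItemProperty -Path $configKey -Name $name -Value $limitSeconds -Type DWord
    $after  = (Get-ItemProperty -Path $configKey -Name $name).$name
    [pscustomobject]@{ Setting = $name; Before = $before; After = $after }
}

# Ask the time service to pick up the new registry values without a restart.
w32tm /config /update | Out-Null

# w32tm labels each effective setting with its source, e.g. "(Local)" or "(Policy)".
# If these lines say "(Policy)", a GPO is supplying the value and the registry edit is overridden.
w32tm /query /configuration | Select-String 'PhaseCorrection'
```

The Before/After objects give a record of what was changed, which is useful when the edit is done as part of a change ticket; the final w32tm query is the check that the value in force is the one you set rather than one delivered by Group Policy.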

 

Protect all OUs from accidental deletion

To protect all existing OUs in your domain from accidental deletion by using the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets:

  1. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
  2. At the Active Directory module command prompt, type the following command to check which OUs are not protected, and then press ENTER:
     Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Format-Table
  3. At the Active Directory module command prompt, type the following command to protect the OUs that you identified in Step 2, and then press ENTER:
     Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion | Where-Object {$_.ProtectedFromAccidentalDeletion -eq $false} | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
  4. Run the command in Step 2 again to verify the OUs are protected.

For more information about the Get-ADOrganizationalUnit and Set-ADOrganizationalUnit cmdlets, at the Active Directory module command prompt, type Get-Help Get-ADOrganizationalUnit or Get-Help Set-ADOrganizationalUnit, and then press ENTER.
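The three steps above (find unprotected OUs, protect them, re-check) can be wrapped into one function that supports a dry run and returns the verified end state. The following is an added example, not part of the original notes; it generalises the procedure slightly by using Get-ADObject and Set-ADObject so the same pass can optionally cover container objects such as CN=Users, which the OU-only cmdlets skip. It assumes the ActiveDirectory module and an account allowed to modify the objects; the function name is my own.

```powershell
# Added example: audit and protect OUs (and optionally containers) from accidental deletion,
# with -WhatIf support, then re-read each object to confirm the flag is set.
Import-Module ActiveDirectory

function Protect-UnprotectedOU {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$IncludeContainers    # also cover 'container' objects such as CN=Users
    )

    $classes = @('organizationalUnit')
    if ($IncludeContainers) { $classes += 'container' }

    # ProtectedFromAccidentalDeletion is exposed on every AD object, so Get-ADObject
    # can query both object classes with the same property.
    $unprotected = foreach ($class in $classes) {
        Get-ADObject -SearchBase $SearchBase -LDAPFilter "(objectClass=$class)" -Properties ProtectedFromAccidentalDeletion |
            Where-Object { -not $_.ProtectedFromAccidentalDeletion }
    }

    foreach ($obj in $unprotected) {
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'Set ProtectedFromAccidentalDeletion to true')) {
            Set-ADObject -Identity $obj -ProtectedFromAccidentalDeletion $true
        }
    }

    # Verify: re-read every object that was unprotected and report its current state.
    foreach ($obj in $unprotected) {
        $now = Get-ADObject -Identity $obj.DistinguishedName -Properties ProtectedFromAccidentalDeletion
        [pscustomobject]@{
            DistinguishedName = $obj.DistinguishedName
            ObjectClass       = $obj.ObjectClass
            ProtectedNow      = [bool]$now.ProtectedFromAccidentalDeletion
        }
    }
}

# Dry run first (lists what would change, ProtectedNow stays False), then apply.
Protect-UnprotectedOU -IncludeContainers -WhatIf
Protect-UnprotectedOU -IncludeContainers | Format-Table -AutoSize
```

Restricting -SearchBase to a single OU subtree is the way to roll this out gradually; any row that still shows ProtectedNow False after a real run points at an object the account could not modify and should be looked at by hand.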