In this article we show you how to set up Active Directory Domain Services (AD DS) with PowerShell scripts. Deploying AD DS was never simple, but PowerShell makes it easy and straightforward: the same three scripts give you a repeatable build instead of a sequence of wizard clicks.
There are prerequisites that must be met and multiple items that need to be configured.
One of the first things you may need to do is set the script execution policy. The easiest way to do this is through Group Policy, but if you are configuring the first domain controller in the first domain of a new forest, you do not have that luxury yet. To set the script execution policy, use the Set-ExecutionPolicy cmdlet and set it to RemoteSigned, which runs local scripts and requires a signature only on scripts downloaded from the internet. Keep in mind that the execution policy is a safety net against accidentally running scripts, not a security boundary: an administrator can bypass it at any time, so do not rely on it as a control.
The command must be run with administrator rights, but you are most likely logged on as Administrator anyway since you are just beginning the configuration.
Start > Run > PowerShell, then enter the following command to set the execution policy for the machine:
Set-ExecutionPolicy RemoteSigned -Force
The infrastructure prerequisites, and the tools the first script installs, are listed here.
- Ensure the server has the correct name.
- Set a static IP address configuration.
- Ensure DNS is deployed and configured.
- Active Directory module for Windows PowerShell
- Active Directory Administrative Center tools
- AD DS snap-ins and command-line tools
The AD-prereqs.ps1 script sets a static IP address with the New-NetIPAddress cmdlet. The interface index is taken from the Get-NetAdapter cmdlet; note that on a server with more than one adapter Get-NetAdapter returns several indexes, so the script selects the single physical adapter that is up.
After the new IP address is assigned, the Rename-Computer cmdlet gives the computer its new name. Rename-Computer has a -Restart parameter, but the AD-prereqs.ps1 script holds off rebooting the computer until the end, so that parameter is not used.
This is our first script, AD-prereqs.ps1. Open Notepad, enter the following contents (change the addresses and the computer name to match your environment), and save it as AD-prereqs.ps1.
# Select the interface. (Get-NetAdapter).ifIndex returns several values on a
# multi-homed server and the IP cmdlets then fail, so take the physical adapter that is up.
$ifIndex = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1).ifIndex
# Set Static IP Address
New-NetIPAddress -IPAddress 172.22.10.100 `
-PrefixLength 24 `
-InterfaceIndex $ifIndex `
-DefaultGateway 172.22.10.1
# Set DNS Client: this server will host DNS once the forest exists, so it points at itself
Set-DnsClientServerAddress -InterfaceIndex $ifIndex `
-ServerAddresses 172.22.10.100
# Install the AD management tools and log the result (-Force creates C:\log if needed)
New-Item C:\log\newlog.txt -ItemType file -Force
Add-WindowsFeature RSAT-AD-Tools -LogPath C:\log\newlog.txt
Get-WindowsFeature | Where-Object Installed >> C:\log\newlog.txt
# Rename The Computer (no -Restart here; the reboot is deferred to the last line)
Rename-Computer -NewName PDCWINSRV -Force
# Restart The Computer
Restart-Computer
Let's execute the script above. Go to Start > Search > Windows PowerShell ISE.
Figure1
From the File menu, open your first script.
Figure2
Click Run to execute your first script.
Once the computer reboots, log on and verify. Server Manager launches and shows that the name change and the IP address change completed successfully.
The scripts in this article run silently: features are installed in the background and no progress bars appear in the foreground. Each Add-WindowsFeature command in the second script includes all sub-features of the feature and its management tools, which is a good way to make sure you get every bit your feature needs. You can always fine-tune the feature set later by reviewing the log file.
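Rather than reading the result off Server Manager, the checks the first script is supposed to satisfy can be verified from PowerShell after the reboot. The following is an added example and not part of the original article; the expected values are assumptions copied from the AD-prereqs.ps1 script above, so change them to match your environment.

```powershell
# Added example (not from the original article): verify the results of AD-prereqs.ps1
# after the reboot. Expected values are assumptions taken from the article's script.
$Expected = @{
    ComputerName = 'PDCWINSRV'
    IPAddress    = '172.22.10.100'
    PrefixLength = 24
    Gateway      = '172.22.10.1'
    DnsServer    = '172.22.10.100'
    Features     = @('RSAT-AD-Tools', 'RSAT-AD-PowerShell', 'RSAT-AD-AdminCenter', 'RSAT-ADDS-Tools')
}

function Test-AdPrereq {
    param([hashtable]$Expected)

    $results = New-Object System.Collections.ArrayList
    $add = {
        param($Check, $Ok, $Detail)
        [void]$results.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Ok; Detail = "$Detail" })
    }

    # 1. The rename took effect
    & $add 'ComputerName' ($env:COMPUTERNAME -eq $Expected.ComputerName) $env:COMPUTERNAME

    # 2. Exactly one connected physical adapter, the assumption behind the article's
    #    (Get-NetAdapter).ifIndex; a multi-homed box silently returns several indexes
    $adapters = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    & $add 'SingleAdapterUp' ($adapters.Count -eq 1) ($adapters.Name -join ', ')

    if ($adapters.Count -ge 1) {
        $ifIndex = $adapters[0].ifIndex

        # 3. Static address (PrefixOrigin Manual, not DHCP) with the expected value and prefix
        $ips  = @(Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                  Where-Object PrefixOrigin -eq 'Manual')
        $ipOk = $ips | Where-Object { $_.IPAddress -eq $Expected.IPAddress -and $_.PrefixLength -eq $Expected.PrefixLength }
        & $add 'StaticIPv4' ($null -ne $ipOk) (($ips | ForEach-Object { "$($_.IPAddress)/$($_.PrefixLength)" }) -join ', ')

        # 4. Default gateway
        $gw = @(Get-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue).NextHop
        & $add 'DefaultGateway' ($gw -contains $Expected.Gateway) ($gw -join ', ')

        # 5. DNS client points at the future domain controller (this server)
        $dns = @(Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).ServerAddresses
        & $add 'DnsClient' ($dns -contains $Expected.DnsServer) ($dns -join ', ')
    }

    # 6. The RSAT features that RSAT-AD-Tools pulls in
    foreach ($name in $Expected.Features) {
        $f = Get-WindowsFeature -Name $name
        & $add "Feature:$name" $f.Installed $f.InstallState
    }

    # 7. The execution policy change from the start of the article is in place
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    & $add 'ExecutionPolicy' ($policy -eq 'RemoteSigned') $policy

    return $results
}

$report = Test-AdPrereq -Expected $Expected
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'At least one prerequisite failed; fix it before running AD-Feature.ps1.'
}
```

Every check returns a row with Check, Passed and Detail, so a failed row tells you what the server actually has, not just that something is wrong. Run it from the same elevated session you will use for the next script.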
This is our second PowerShell script AD-Feature.ps1
# Installing AD-DS, DNS and GPMC Roles and Features in a background job
Start-Job -Name Add-Roles-Feature -ScriptBlock {
    Add-WindowsFeature -Name "ad-domain-services" -IncludeAllSubFeature -IncludeManagementTools
    Add-WindowsFeature -Name "dns" -IncludeAllSubFeature -IncludeManagementTools
    Add-WindowsFeature -Name "gpmc" -IncludeAllSubFeature -IncludeManagementTools -LogPath C:\log\featurelog.txt
}
# Block until the job finishes, show its output, then record the resulting feature state
Wait-Job -Name Add-Roles-Feature
Receive-Job -Name Add-Roles-Feature
Get-WindowsFeature | Where-Object Installed >> C:\log\featurelog.txt
Let's execute our second script.
Figure5
Now that the AD DS role and features are installed, it is time to create the new forest. The cmdlet you need, Install-ADDSForest, lives in the ADDSDeployment module, and the AD-Forest.ps1 script is essentially that one cmdlet. The domain name and the NetBIOS domain name are the values you will change. Because -NoRebootOnCompletion is $false, the cmdlet reboots the computer at the end to complete the configuration.
This is our third PowerShell script, AD-Forest.ps1.
# Creating New Forest - First Domain Controller
Import-Module ADDSDeployment
# Prompt for the Directory Services Restore Mode (DSRM) password instead of
# leaving it in the script file as plain text
$dsrmPassword = Read-Host -Prompt "DSRM (Safe Mode Administrator) password" -AsSecureString
Install-ADDSForest -CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "Win2012" -DomainName "iCracy.com" `
-DomainNetbiosName "iCracy" `
-ForestMode "Win2012" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true `
-SafeModeAdministratorPassword $dsrmPassword
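Install-ADDSForest performs its prerequisite checks and then immediately starts promoting the server. The ADDSDeployment module also ships Test-ADDSForestInstallation, which runs only the checks, so you can find out about a failing prerequisite before anything is changed. The following is an added example, not code from the original article: it pre-flights the same parameters AD-Forest.ps1 uses (the names are the article's; change them to yours) and then installs with exactly the values that were tested.

```powershell
# Added example (not from the original article): dry-run the forest prerequisites with
# Test-ADDSForestInstallation, then install with the same parameter set.
Import-Module ADDSDeployment

# Collect the DSRM password interactively; it must never sit in the script as plain text.
$dsrmPassword = Read-Host -Prompt 'DSRM (Safe Mode Administrator) password' -AsSecureString

# One hashtable, splatted into both cmdlets, so the test and the install cannot drift apart.
# Domain names below are the article's example values (assumption: replace with your own).
$forestParams = @{
    DomainName                    = 'iCracy.com'
    DomainNetbiosName             = 'iCracy'
    DomainMode                    = 'Win2012'
    ForestMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    SafeModeAdministratorPassword = $dsrmPassword
}

# Runs the same prerequisite checks as Install-ADDSForest but makes no changes.
$check = Test-ADDSForestInstallation @forestParams
$check | Format-List Status, Message, Context

if ($check.Status -ne 'Success') {
    throw "Forest prerequisite check failed: $($check.Message)"
}

# Checks passed: promote the server. -Force suppresses the confirmation prompt and the
# computer reboots when the cmdlet completes (NoRebootOnCompletion defaults to $false).
Install-ADDSForest @forestParams -Force
```

Warnings from the check (for example about DNS delegation or cryptography settings) come back in Message with a Status that is still Success; read them, but only an error status stops the script.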
Do not leave the DSRM password in the script as plain text: script files end up in shares and repositories, and the DSRM password is a local administrator credential for the domain controller. Read it with Read-Host -AsSecureString, or omit -SafeModeAdministratorPassword altogether and the cmdlet prompts you for it.
Let's execute our third script.
Figure6
Once the computer reboots, log on and verify. Server Manager launches and reports that the Active Directory forest installation completed.
Figure7
You can also verify from the Active Directory Users and Computers console.
Figure8
You have successfully completed a scripted installation of an Active Directory forest.
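The console checks above can be scripted too, which is what you want when the build is repeated. The following is an added example, not part of the original article: run on the new domain controller after the post-install reboot, it confirms that the forest root, the FSMO roles, the core services, the SYSVOL and NETLOGON shares and the DC locator SRV records all look the way a freshly created forest should, and flags the default password policy for review. The domain name is the article's example value (assumption: replace with yours).

```powershell
# Added example (not from the original article): post-install verification of the new forest.
Import-Module ActiveDirectory
$DomainName = 'iCracy.com'   # assumption: the article's example domain

function Test-NewForest {
    param([string]$DomainName)
    $r = New-Object System.Collections.ArrayList
    $add = { param($Check, $Ok, $Detail) [void]$r.Add([pscustomobject]@{ Check = $Check; Passed = [bool]$Ok; Detail = "$Detail" }) }

    $forest = Get-ADForest
    $domain = Get-ADDomain
    & $add 'ForestRootDomain' ($forest.RootDomain -eq $DomainName) $forest.RootDomain
    & $add 'ForestMode'       $true "$($forest.ForestMode)"
    & $add 'DomainMode'       $true "$($domain.DomainMode)"

    # The first DC in a new forest holds all five FSMO roles
    $fsmo  = @($forest.SchemaMaster, $forest.DomainNamingMaster,
               $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    $local = @($fsmo | Where-Object { $_ -like "$env:COMPUTERNAME.*" })
    & $add 'AllFsmoRolesLocal' ($local.Count -eq 5) ($fsmo -join ', ')

    # Core DC services (DFSR replicates SYSVOL at the 2008+ functional levels)
    foreach ($svc in 'NTDS', 'DNS', 'Kdc', 'Netlogon', 'DFSR') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        & $add "Service:$svc" ($s.Status -eq 'Running') "$($s.Status)"
    }

    # Clients pull Group Policy from these shares
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $sh = Get-SmbShare -Name $share -ErrorAction SilentlyContinue
        & $add "Share:$share" ($null -ne $sh) $sh.Path
    }

    # DC locator SRV records, resolved against this server's own DNS service
    foreach ($rec in "_ldap._tcp.dc._msdcs.$DomainName", "_kerberos._tcp.dc._msdcs.$DomainName") {
        $srv = Resolve-DnsName -Name $rec -Type SRV -Server 127.0.0.1 -ErrorAction SilentlyContinue
        & $add "Srv:$rec" ($null -ne $srv) (@($srv.NameTarget | Select-Object -Unique) -join ', ')
    }

    # Default domain password policy: a new forest ships with a 7-character minimum
    $pol = Get-ADDefaultDomainPasswordPolicy
    & $add 'MinPasswordLength>=14' ($pol.MinPasswordLength -ge 14) $pol.MinPasswordLength

    return $r
}

$report = Test-NewForest -DomainName $DomainName
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'One or more checks failed; investigate before joining clients to the domain.'
}
```

The SRV lookups deliberately use 127.0.0.1 so that they prove this server's DNS zone is populated, not that some other resolver knows about the domain. The password-policy row is expected to fail on a fresh forest; it is there to remind you that the 7-character default is not something to leave in place.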
Now let's look at the Active Directory demotion script. If you want to demote your domain controller, the following script will do it; as written it removes the last domain controller of the domain, which removes the domain itself.
# Windows PowerShell script for demoting the last domain controller of a domain
#
Import-Module ADDSDeployment
# Prompt for the new local Administrator password instead of embedding it in the script
$localAdminPassword = Read-Host -Prompt "New local Administrator password" -AsSecureString
Uninstall-ADDSDomainController `
-DemoteOperationMasterRole:$true `
-IgnoreLastDnsServerForZone:$true `
-LastDomainControllerInDomain:$true `
-RemoveApplicationPartitions:$true `
-Force:$true `
-LocalAdministratorPassword $localAdminPassword
Warning: use the command above at your own risk. With -LastDomainControllerInDomain, -RemoveApplicationPartitions and -IgnoreLastDnsServerForZone all set, it deletes the domain along with every account, Group Policy object and AD-integrated DNS zone it holds, and -Force suppresses the confirmation prompt. Run it only against a lab forest you intend to destroy.
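The switches in the demotion script are hard-coded to the "last DC" case. A safer approach is to derive them from the actual state of the domain, refuse to demote a DC that still holds FSMO roles while other DCs exist, and dry-run the demotion with Test-ADDSDomainControllerUninstallation before touching anything. The following is an added example, not part of the original article; it assumes it runs on the DC being demoted, with Domain Admin rights.

```powershell
# Added example (not from the original article): demotion with the switches decided
# from the domain's real state and a dry run before the destructive step.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$me     = (Get-ADDomainController -Identity $env:COMPUTERNAME).HostName
$domain = Get-ADDomain
$forest = Get-ADForest
$others = @(Get-ADDomainController -Filter * | Where-Object HostName -ne $me)
$isLast = ($others.Count -eq 0)

# Which FSMO roles live here? A DC that is not the last one must transfer them,
# not be forced through them with -DemoteOperationMasterRole.
$fsmo      = @($forest.SchemaMaster, $forest.DomainNamingMaster,
               $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
$rolesHere = @($fsmo | Where-Object { $_ -eq $me })

$allDcs = @($me) + @($others.HostName)
Write-Host "Domain controllers in $($domain.DNSRoot): $($allDcs -join ', ')"
Write-Host "FSMO roles held by $me : $($rolesHere.Count) of 5"
Write-Host "Last DC in domain: $isLast"

if (-not $isLast -and $rolesHere.Count -gt 0) {
    throw "Transfer the $($rolesHere.Count) FSMO role(s) to $($others[0].HostName) with " +
          "Move-ADDirectoryServerOperationMasterRole before demoting this server."
}

$demoteParams = @{
    LocalAdministratorPassword   = Read-Host -Prompt 'New local Administrator password' -AsSecureString
    # Only the last DC takes the domain, its application partitions and its DNS zones with it
    LastDomainControllerInDomain = $isLast
    RemoveApplicationPartitions  = $isLast
    IgnoreLastDnsServerForZone   = $isLast
    DemoteOperationMasterRole    = $isLast
}

# Dry run: same parameters, no changes made
$pre = Test-ADDSDomainControllerUninstallation @demoteParams
$pre | Format-List Status, Message
if ($pre.Status -ne 'Success') { throw "Demotion pre-check failed: $($pre.Message)" }

# Destroying a domain deserves a typed confirmation even in a lab
if ($isLast) {
    $answer = Read-Host "This removes the domain $($domain.DNSRoot) entirely. Type the domain name to continue"
    if ($answer -ne $domain.DNSRoot) { throw 'Aborted by operator.' }
}

Uninstall-ADDSDomainController @demoteParams -Force
```

Splatting the same hashtable into the test and the real cmdlet guarantees the dry run exercised the switches that will actually be used; the only difference is -Force, which suppresses the cmdlet's own confirmation prompt after the script has obtained its own.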
Figure9
As you can see in the image below, we have successfully demoted our domain controller.
Figure10