How to Use PowerShell Script to Deploy a New Active Directory Forest

In this article we show you how to set up Active Directory Domain Services with a PowerShell script. Deploying Active Directory Domain Services used to be far from simple, but PowerShell makes it easy and straightforward.

There are prerequisites that must be met and multiple items that need to be configured.

One of the first things that might need to be done is setting the script execution policy. The easiest way to do this is via Group Policy, but if you are configuring the first domain controller in the first domain of a new forest you do not have that luxury. To set the script execution policy, use the Set-ExecutionPolicy cmdlet and set it to something like RemoteSigned, which allows your own local scripts to run while still requiring a signature on scripts downloaded from the internet.

The following command must be executed with Admin rights, but more than likely you are logged on as Administrator anyway, since you are just beginning your configuration.

Start > Run > PowerShell, then enter the following command to set the execution policy.

Set-ExecutionPolicy RemoteSigned -Force

Some of the infrastructure prerequisites are listed here.
  1. Ensure the server has the correct name.
  2. Set a static IP address configuration.
  3. Ensure DNS is deployed and configured.
In addition to infrastructure prerequisites, there are role-based prerequisites that need to be deployed. These role-based prerequisites are shown here.
  1. Active Directory module for Windows PowerShell
  2. Active Directory Administrative Center tools
  3. AD DS snap-ins and command-line tools
Don't worry, all of the above tools are installable via the ServerManager module and the Add-WindowsFeature cmdlet. In fact, from a Windows feature standpoint, the RSAT-AD-Tools feature group gets you everything you need here.

The AD-prereqs.ps1 script sets a static IP address by using the New-NetIPAddress cmdlet. The interface index is obtained from the Get-NetAdapter cmdlet. Note that on a server with more than one network adapter Get-NetAdapter returns several objects, so you must select the adapter you actually mean before passing its index to New-NetIPAddress.

After the new IP address is assigned, the Rename-Computer cmdlet assigns a new name to the computer. Rename-Computer has a -Restart parameter, but the AD-prereqs.ps1 script holds off rebooting until the end, so that parameter is not used.

This is our first script, AD-prereqs.ps1. Open Notepad and enter the following contents (you are free to change them to suit your environment), then save the file as AD-prereqs.ps1.

# Pick the one physical adapter that is up. (Get-NetAdapter).ifIndex returns an
# array on a server with several NICs, which -InterfaceIndex does not accept.
$ifIndex = (Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1).ifIndex

# Set Static IP Address (replace the placeholders with values for your network)
New-NetIPAddress -InterfaceIndex $ifIndex `
    -IPAddress "<static-ip>" `
    -PrefixLength 24 `
    -DefaultGateway "<gateway-ip>"

# Set DNS Client. Until the forest exists, point at a DNS server that already works;
# Install-ADDSForest repoints the new DC to itself later.
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses "<dns-server-ip>"

# Install Features
New-Item C:\log\newlog.txt -ItemType File -Force
Add-WindowsFeature RSAT-AD-Tools -LogPath C:\log\newlog.txt
Get-WindowsFeature | Where-Object Installed >> C:\log\newlog.txt

# Rename The Computer (no -Restart here; we reboot once at the end)
Rename-Computer -NewName PDCWINSRV -Force

# Restart The Computer so the new name and address take effect
Restart-Computer -Force

Let's execute the above script. Go to Start > Search > Windows PowerShell ISE.

From the File menu, open your first script.

Click Run to execute it.


Once the computer reboots, log on and verify. Server Manager launches and shows that the name change and the IP address change completed successfully.
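Rather than trusting the Server Manager banner alone, it is worth checking the three infrastructure prerequisites and the RSAT feature from the lists above from PowerShell. The following pre-flight check is an added example and not part of the original post; it assumes the computer name PDCWINSRV used in AD-prereqs.ps1, and the static address is a placeholder you must replace with the one you configured.

```powershell
# Added example (not from the original post): pre-flight check of the AD-prereqs.ps1 result.
$ExpectedName = 'PDCWINSRV'     # name used in Rename-Computer
$ExpectedIP   = '<static-ip>'   # placeholder: the address you passed to New-NetIPAddress

# Pick the single physical adapter that is up; (Get-NetAdapter).ifIndex returns an
# array on a multi-NIC server, which breaks the -InterfaceIndex parameter.
$nic = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
if (-not $nic) { throw 'No connected physical network adapter found.' }

$checks = [ordered]@{}

# 1. Computer name (comparison is case-insensitive by default)
$checks['ComputerName'] = ($env:COMPUTERNAME -eq $ExpectedName)

# 2. Static IPv4 address: PrefixOrigin is 'Manual' for a static address, 'Dhcp' for a lease
$ip = Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 |
      Where-Object { $_.IPAddress -eq $ExpectedIP }
$checks['StaticIPv4']   = ($null -ne $ip -and $ip.PrefixOrigin -eq 'Manual')
$checks['DhcpDisabled'] = ((Get-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).Dhcp -eq 'Disabled')

# 3. DNS client has at least one server configured
$dns = (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4).ServerAddresses
$checks['DnsServerSet'] = ($dns.Count -gt 0)

# 4. RSAT AD tools (feature group from the role-based prerequisites) are installed
$checks['RsatAdTools'] = (Get-WindowsFeature RSAT-AD-Tools).Installed

# Report each check and stop if any of them failed
$checks.GetEnumerator() | ForEach-Object {
    '{0,-14} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
if (($checks.Values | Where-Object { -not $_ }).Count -gt 0) {
    throw 'Prerequisite check failed; fix the items marked FAIL before installing AD DS.'
}
```

DhcpDisabled is the check people most often miss: New-NetIPAddress adds a static address but does not by itself turn off DHCP on the interface, so a lease can still be refreshed alongside it.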

Now that the computer has been renamed, has a static IP address, and has the Active Directory Domain Services RSAT tools installed, it is time to add the Active Directory Domain Services role, the DNS Server role, and the Group Policy Management feature.

This script runs silently: it installs the features in a background job, so no progress bars appear in the foreground. Each Add-WindowsFeature command includes all of the feature's subfeatures and its management tools. This is a great way to ensure you get the bits your feature needs; you can always fine-tune later by analysing the log file.

This is our second PowerShell script AD-Feature.ps1

# Installing AD-DS, DNS and GPMC Roles and Features as a background job
Start-Job -Name Add-Roles-Feature -ScriptBlock {
    Add-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools -LogPath C:\log\featurelog.txt
    Add-WindowsFeature -Name DNS -IncludeAllSubFeature -IncludeManagementTools -LogPath C:\log\featurelog.txt
    Add-WindowsFeature -Name GPMC -IncludeAllSubFeature -IncludeManagementTools -LogPath C:\log\featurelog.txt
}
# Block until the job finishes, then show its output (Success / RestartNeeded for each feature)
Wait-Job -Name Add-Roles-Feature | Receive-Job
Get-WindowsFeature | Where-Object Installed >> C:\log\featurelog.txt

Let's execute our second script.


Since the AD DS role and features are installed, it is time to create the new forest. The cmdlet required lives in the ADDSDeployment module. The AD-Forest.ps1 script is essentially one cmdlet, Install-ADDSForest; the domain name and the NetBIOS domain name are the values you must set for your environment. Following the installation, the cmdlet automatically reboots the computer to complete the configuration.

This is our third PowerShell script, AD-Forest.ps1.

# Creating New Forest - First Domain Controller
Import-Module ADDSDeployment

# Prompt for the DSRM (Safe Mode Administrator) password rather than hard-coding it in the script
$dsrm = Read-Host -AsSecureString -Prompt 'Safe Mode Administrator (DSRM) password'

# Replace the placeholder with the DNS name of your new forest root domain
Install-ADDSForest -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012" `
    -DomainName "<forest-root-fqdn>" `
    -DomainNetbiosName "iCracy" `
    -ForestMode "Win2012" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true `
    -SafeModeAdministratorPassword $dsrm

You can omit -SafeModeAdministratorPassword from the script; Install-ADDSForest will then prompt you to enter the password manually. Never leave this password in plain text in a script: it is the DSRM password, and it logs you on as local administrator of the domain controller in Directory Services Restore Mode.
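Install-ADDSForest is a one-way door, so it is worth running the same prerequisite checks in a dry run first. The following is an added example and not part of the original post; it uses Test-ADDSForestInstallation from the ADDSDeployment module, which validates the parameters without promoting the server, and the domain name is a placeholder you must replace.

```powershell
# Added example (not from the original post): dry-run the forest installation.
Import-Module ADDSDeployment

$DomainName  = '<forest-root-fqdn>'   # placeholder: the DNS name you will pass to Install-ADDSForest
$NetbiosName = 'iCracy'               # NetBIOS name used in AD-Forest.ps1

# Prompt for the DSRM password; the secure string is never written to the script or the history
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode Administrator) password'

# Same parameters as the real install, minus -NoRebootOnCompletion and -Force
$result = Test-ADDSForestInstallation `
    -DomainName $DomainName `
    -DomainNetbiosName $NetbiosName `
    -DomainMode Win2012 `
    -ForestMode Win2012 `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrm

# The result object carries Status, Message, Context and RebootRequired
$result
if ($result.Status -ne 'Success') {
    throw "Forest install pre-check failed: $($result.Message)"
}
```

The test cmdlet catches the usual mistakes (a DSRM password that fails the complexity policy, an invalid NetBIOS name, an unsupported functional level, missing AD DS binaries) before any change is made, and it can be re-run as often as you like.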

Let's execute our third script.


Once the computer reboots, log on and verify. Server Manager launches and shows that the Active Directory forest installation completed.


You can also verify from the Active Directory Users and Computers console.


You have successfully completed scripted installation of Active Directory Forest.
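A console screenshot shows that the forest exists, but it does not show that the DC is actually usable. The following post-install verification is an added example and not part of the original post; it assumes only that you are running it on the new domain controller and that the ActiveDirectory module installed with RSAT-AD-Tools is available.

```powershell
# Added example (not from the original post): verify the new forest from the DC.
Import-Module ActiveDirectory

# Core DC services: directory, DNS, Netlogon (registers SRV records), Kerberos KDC, SYSVOL replication
$dcServices = 'NTDS', 'DNS', 'Netlogon', 'Kdc', 'DFSR'
Get-Service -Name $dcServices | Select-Object Name, Status

# Forest and domain summary, including which DC holds each of the five FSMO roles
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    Forest               = $forest.Name
    ForestMode           = $forest.ForestMode
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

# The DC locator SRV record must resolve, or domain members cannot find this DC
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV -ErrorAction Stop
$srv | Where-Object Type -eq 'SRV' | Select-Object Name, NameTarget, Port

# SYSVOL and NETLOGON shares must exist before Group Policy can be applied
Get-SmbShare -Name SYSVOL, NETLOGON
```

If the SRV lookup fails, restart the Netlogon service and check the DNS client on the DC points at itself; if the shares are missing, SYSVOL has not finished its initial sync and Group Policy will not work yet.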

Now let's look at the Active Directory demotion script. If you want to demote your domain controller, the following script will do it.

# Windows PowerShell script for demoting the last domain controller in a domain
Import-Module ADDSDeployment

# Prompt for the local Administrator password the server will have after demotion
$localAdmin = Read-Host -AsSecureString -Prompt 'Local Administrator password after demotion'

Uninstall-ADDSDomainController `
    -DemoteOperationMasterRole:$true `
    -IgnoreLastDnsServerForZone:$true `
    -LastDomainControllerInDomain:$true `
    -RemoveApplicationPartitions:$true `
    -Force:$true `
    -LocalAdministratorPassword $localAdmin

Warning: with -LastDomainControllerInDomain:$true this command removes the last domain controller and with it the entire domain, its accounts and its data. Use the above command at your own risk!
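Because that command is destructive, dry-run it first. The following is an added example and not part of the original post; it uses Test-ADDSDomainControllerUninstallation from the ADDSDeployment module, which performs the same checks as Uninstall-ADDSDomainController without demoting anything, and first confirms that this really is the only DC, since -LastDomainControllerInDomain on a domain that still has other DCs is the wrong switch.

```powershell
# Added example (not from the original post): dry-run the demotion.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

# -LastDomainControllerInDomain:$true is only correct when no other DC exists
$dcCount = (Get-ADDomainController -Filter *).Count
if ($dcCount -gt 1) {
    throw "There are $dcCount domain controllers in this domain; do not use -LastDomainControllerInDomain."
}

# Prompt for the post-demotion local Administrator password rather than hard-coding it
$localAdmin = Read-Host -AsSecureString -Prompt 'Local Administrator password after demotion'

# Same switches as the real demotion, minus -Force
$result = Test-ADDSDomainControllerUninstallation `
    -DemoteOperationMasterRole:$true `
    -IgnoreLastDnsServerForZone:$true `
    -LastDomainControllerInDomain:$true `
    -RemoveApplicationPartitions:$true `
    -LocalAdministratorPassword $localAdmin

$result
if ($result.Status -ne 'Success') {
    throw "Demotion pre-check failed: $($result.Message)"
}
```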


As you can see in the image below, we have successfully demoted our domain controller.

