
Jun 02

Active Directory 2012 DCPromo

Starting with Windows Server 2012, DCPromo is no longer used to promote a member server to a Domain Controller. Since DCPromo no longer works (Microsoft calls this feature deprecated), there is a new GUI option and associated PowerShell cmdlets.

There are major changes that streamline the promotion process. This simplified process includes:

  • AD DS role deployment is now part of the new Server Manager architecture and allows remote installation.
  • The AD DS deployment and configuration engine is now Windows PowerShell, even when using a graphical setup.
  • Promotion now includes prerequisite checking that validates forest and domain readiness for the new domain controller, lowering the chance of failed promotions.
  • The Windows Server 2012 forest functional level does not implement new features and domain functional level is required only for a subset of new Kerberos features, relieving administrators of the frequent need for a homogenous domain controller environment.

NOTE: The new "DCPromo" GUI takes longer than before since it performs many more checks than in the past. Since the GUI provides the PowerShell script code, it's a great idea to script the promotion of all new 2012 DCs.

Install the Active Directory Domain Services (ADDS) role:

  1. Install the role "Active Directory Domain Services (ADDS)" on the target server (local or remote).
  2. Check the Restart checkbox.
  3. Click on Export Configuration Settings to get the PowerShell command line equivalent.

PowerShell command:

Add-WindowsFeature AD-Domain-Services
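The following is an added example, not code from the original post or from the wizard's export. It installs the role on a remote member server from a management host and verifies the result before promotion; the server name SRV-DC02 is a placeholder. Add-WindowsFeature (as exported above) is an alias of Install-WindowsFeature on Windows Server 2012, and -IncludeManagementTools pulls in the same RSAT tools the wizard installs.

```powershell
# Added example (not from the original post): install the AD DS role on a
# remote member server and verify it before promotion.
# 'SRV-DC02' is a placeholder computer name; remote installs go over WinRM.
$TargetServer = 'SRV-DC02'

# Add-WindowsFeature is an alias of Install-WindowsFeature on Server 2012.
# -IncludeManagementTools adds the RSAT tools (ADUC, ADAC, AD module, ...).
$install = Install-WindowsFeature -Name AD-Domain-Services `
    -IncludeManagementTools `
    -ComputerName $TargetServer

if (-not $install.Success) {
    throw "AD DS role installation on $TargetServer failed (exit code: $($install.ExitCode))"
}

# RestartNeeded is Yes/No/Maybe; promote only after any required restart.
if ($install.RestartNeeded -eq 'Yes') {
    Write-Warning "$TargetServer requires a restart before promotion."
}

# Confirm the role really is present on the target before running Install-ADDS*.
$role = Get-WindowsFeature -Name AD-Domain-Services -ComputerName $TargetServer
if ($role.Installed) {
    "AD DS role installed on $TargetServer (state: $($role.InstallState))"
}
```

Installing the role only stages the binaries; the server is not a domain controller until one of the Install-ADDS* cmdlets below completes, so this step can safely be run well ahead of the promotion window.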

Promote the server to DC:

  1. Run the Active Directory Domain Services Configuration Wizard.
  2. Select Add a Domain Controller to an Existing Domain.
  3. Select the appropriate DC options and enter the DSRM password.
  4. Change any options on the following pages as appropriate.
  5. Click on View Script to view the Powershell script command.
  6. Click Install.

Here's the PowerShell script the GUI creates when creating a new forest accepting all defaults:

Import-Module ADDSDeployment
# Creates the forest root domain MCLab.net with DNS on this server (wizard defaults)
Install-ADDSForest `
-CreateDNSDelegation:$False `
-DatabasePath "c:\Windows\NTDS" `
-DomainMode "Win2012" `
-DomainName "MCLab.net" `
-DomainNetbiosName "MCLAB" `
-ForestMode "Win2012" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

Here's the PowerShell script the GUI creates when adding a new Domain Controller to an existing domain accepting all defaults:

Import-Module ADDSDeployment
# DSRM (Safe Mode) password, stored in clear text in this exported script
$SafeModeAdministratorPasswordText = '&P@ssw0rd2013&'
$SafeModeAdministratorPassword = ConvertTo-SecureString -AsPlainText $SafeModeAdministratorPasswordText -Force

# Adds a writable, DNS-enabled Global Catalog DC to mcdevlab.net (wizard defaults)
Install-ADDSDomainController `
-NoGlobalCatalog:$false `
-CreateDNSDelegation:$false `
-Credential (Get-Credential) `
-CriticalReplication:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainName "mcdevlab.net" `
-InstallDNS:$true `
-LogPath "C:\Windows\NTDS\Logs" `
-SiteName "Default-First-Site-Name" `
-SYSVOLPath "C:\Windows\SYSVOL" `
-Force:$true `
-SafeModeAdministratorPassword $SafeModeAdministratorPassword
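The exported script above carries the DSRM password in clear text, so it ends up in the script file, in any console transcript and in PowerShell history. The following is an added example (not from the original post) of the same promotion with the password prompted as a SecureString and the parameters splatted, so the identical set can be dry-run with -WhatIf first. The domain name, site name and paths are placeholders for your environment; the Status, Message and RebootRequired properties are those of the result object the ADDSDeployment cmdlets return.

```powershell
# Added example (not from the original post): promote a member server to a DC
# without placing the DSRM password in the script. Values are placeholders.
Import-Module ADDSDeployment

$params = @{
    DomainName                    = 'mcdevlab.net'            # target domain (placeholder)
    SiteName                      = 'Default-First-Site-Name'
    # Account used for the promotion (Domain Admins); prompted, never hard-coded
    Credential                    = (Get-Credential -Message 'Account used for DC promotion')
    # DSRM password read as a SecureString: not in the file, transcript or history
    SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password' -AsSecureString)
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    NoGlobalCatalog               = $false
    CriticalReplicationOnly       = $false
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS\Logs'
    SysvolPath                    = 'C:\Windows\SYSVOL'
    NoRebootOnCompletion          = $true    # reboot deliberately after reviewing the result
    Force                         = $true    # suppress the confirmation prompts
}

# Dry run: reports what would be done without touching the server.
Install-ADDSDomainController @params -WhatIf

# Real promotion; the same parameter set is used, so nothing differs from the dry run.
$result = Install-ADDSDomainController @params
$result | Format-List Status, Message, RebootRequired

if ($result.RebootRequired) {
    Restart-Computer -Confirm
}
```

Because the cmdlets run the same prerequisite checks as the wizard, a failed check is reported in Message before any change is made; keep the DSRM password in the organisation's password vault rather than in the deployment script, since it is the only credential that lets an administrator log on to the DC when AD is offline.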

PowerShell AD commands (with switches):

Install-ADDSDomainController

-ADPrepCredential
-AllowDomainControllerReinstall
-AllowPasswordReplicationAccountName
-ApplicationPartitionsToReplicate
-CreateDnsDelegation
-Credential
-CriticalReplicationOnly
-DatabasePath
-DelegatedAdministratorAccountName
-DenyPasswordReplicationAccountName
-DnsDelegationCredential
-DomainName **
-Force
-InstallationMediaPath
-InstallDns
-LogPath
-MoveInfrastructureOperationMasterRoleIfNecessary
-NoDnsOnNetwork
-NoGlobalCatalog
-NoRebootOnCompletion
-ReadOnlyReplica
-ReplicationSourceDC
-SafeModeAdministratorPassword
-SiteName
-SkipAutoConfigureDns
-SkipPreChecks
-SystemKey
-SysvolPath
-UseExistingAccount
-Confirm
-WhatIf

Install-ADDSForest

-Confirm
-CreateDNSDelegation
-DatabasePath
-DomainMode
-DomainName **
-DomainNetBIOSName **
-DNSDelegationCredential
-ForestMode
-Force
-InstallDNS
-LogPath
-NoDnsOnNetwork
-NoRebootOnCompletion
-SafeModeAdministratorPassword
-SkipAutoConfigureDNS
-SkipPreChecks
-SYSVOLPath
-Whatif

Install-ADDSDomain

-ADPrepCredential
-AllowDomainReinstall
-CreateDnsDelegation
-Credential
-DatabasePath
-DnsDelegationCredential
-DomainMode
-DomainType
-Force
-InstallDns
-LogPath
-NewDomainName **
-NewDomainNetbiosName
-NoDnsOnNetwork
-NoGlobalCatalog
-NoRebootOnCompletion
-ParentDomainName **
-ReplicationSourceDC
-SafeModeAdministratorPassword
-SiteName
-SkipAutoConfigureDns
-SkipPreChecks
-SysvolPath
-Confirm
-WhatIf

** Required PowerShell switches

DC Prerequisite Checking:
Domain controller configuration also implements a prerequisite checking phase that evaluates the forest and domain prior to continuing with domain controller promotion. This includes FSMO role availability, user privileges, extended schema compatibility and other requirements. This new design alleviates issues where domain controller promotion starts and then halts midway with a fatal configuration error. This lessens the chance of orphaned domain controller metadata in the forest or a server that incorrectly believes it is a domain controller.
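The prerequisite phase can also be run on its own. The following is an added example (not from the original post) that uses Test-ADDSDomainControllerInstallation from the ADDSDeployment module to evaluate a planned promotion without promoting anything; the domain name and site name are placeholders, and the Status, Message and Context properties are those of the result object the cmdlet returns.

```powershell
# Added example (not from the original post): run only the prerequisite checks
# for a planned DC promotion. Values are placeholders for your environment.
Import-Module ADDSDeployment

$params = @{
    DomainName                    = 'mcdevlab.net'            # target domain (placeholder)
    SiteName                      = 'Default-First-Site-Name'
    Credential                    = (Get-Credential -Message 'Account used for DC promotion')
    SafeModeAdministratorPassword = (Read-Host -Prompt 'DSRM password' -AsSecureString)
    InstallDns                    = $true
}

# Same parameters as Install-ADDSDomainController, but nothing is changed:
# FSMO availability, caller privileges, schema level and similar are checked.
$check = Test-ADDSDomainControllerInstallation @params

# Status is 'Success' when every check passed; Message holds the details
# (an unreachable FSMO role holder, a schema that still needs extending, ...).
$check | Format-List Status, Message, Context

if ($check.Status -ne 'Success') {
    Write-Warning 'Prerequisite checks did not pass; review the messages before promoting.'
    return
}

'All prerequisite checks passed; Install-ADDSDomainController can be run with the same parameters.'
```

The -SkipPreChecks switch listed above disables exactly this phase, which is what protects the forest from the half-promoted servers and orphaned metadata described here; leave it off unless a failing check has been investigated and is known to be a false positive.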

The following tools are installed as part of the DC promotion:

  • Active Directory Administrative Center
  • Active Directory Domains and Trusts
  • Active Directory Module for Windows PowerShell
  • Active Directory Sites and Services
  • Active Directory Users and Computers
  • ADSI Edit
  • DNS
  • Group Policy Management

NOTE: Running dcpromo /unattend still installs the binaries as before, but produces a warning.