This topic describes how to install and configure Active Directory Domain Services (AD DS) on a server running in Server Core mode by using PowerShell. It assumes that the server is already installed in Server Core mode and that basic settings, such as the IP configuration, are in place. A quick PowerShell reference table of common AD DS administration tasks is included at the end.
Installing AD DS Role
First, install the AD DS role on the server. The -IncludeManagementTools switch also installs the ActiveDirectory PowerShell module that the administration tasks later in this topic rely on (on Server Core only the PowerShell module is installed, not the graphical snap-ins):
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
After the AD DS role is added to the server, you can configure the server as:
- New Active Directory Forest
- New Domain in an existing Forest
- Additional domain controller in an existing domain
Configuring the AD DS Role
Deploying a new Active Directory Forest
Run the following cmdlet. If -SafeModeAdministratorPassword is omitted, you are prompted for the Directory Services Restore Mode (DSRM) password; the server reboots when the promotion completes:
Install-ADDSForest -DomainName <String> -DomainNetbiosName <String> -DomainMode <String> -ForestMode <String> -InstallDns -SafeModeAdministratorPassword <SecureString>
Parameters | Description |
-ForestMode <Win2003 | Win2008 | Win2008R2 | Win8> | Specifies the forest functional level of the new forest. The default is the level of the operating system on the installing server, Windows Server 2012 (Win8) in this topic. |
-DomainMode <Win2003 | Win2008 | Win2008R2 | Win8> | Specifies the domain functional level of the first domain in the new forest. It cannot be lower than the forest functional level. The default is Windows Server 2012 (Win8). |
-SafeModeAdministratorPassword <SecureString> | Specifies the password for the DSRM administrator account. It is the only account that can log on to the domain controller when the directory is offline, so treat it as a privileged credential. |
-DomainName<String> | Specifies the fully qualified domain name (FQDN) for the root (first) domain in the forest. |
-DomainNetbiosName<String> | Specifies the NetBIOS name for the root domain in the new forest. |
-CreateDnsDelegation | Indicates whether to create a DNS delegation that references the new DNS server that you are installing along with the domain controller. |
-InstallDns | Specifies whether the DNS Server service should be installed and configured for the new forest. For forest installation, the default is $true (a new DNS server will be installed and configured). |
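The following script is an added example and is not part of the original topic. It carries the procedure above through end to end on a Server Core machine: install the role, run the prerequisite checks, promote, and verify after the reboot. The forest name corp.fabrikam.com, the NetBIOS name CORP and the Win2012 functional level (the level the table above calls Win8) are assumptions for illustration.

```powershell
# Added example, not from the original topic: deploy a new forest root domain
# controller on Server Core. Assumed values: forest root corp.fabrikam.com,
# NetBIOS name CORP, Windows Server 2012 functional levels (Win2012, which the
# parameter table calls Win8). Run from an elevated PowerShell session.

# 1. Role binaries plus the ActiveDirectory module used for day-to-day administration.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# 2. The DSRM (SafeMode) password is a break-glass credential for this DC. Read it
#    interactively so it never lands in the command line, the PSReadLine history
#    file or a PowerShell transcript.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (SafeMode) administrator password'

$forest = @{
    DomainName                    = 'corp.fabrikam.com'
    DomainNetbiosName             = 'CORP'
    ForestMode                    = 'Win2012'
    DomainMode                    = 'Win2012'
    InstallDns                    = $true
    CreateDnsDelegation           = $false   # a new forest root has no parent zone to delegate from
    SafeModeAdministratorPassword = $dsrmPassword
    DatabasePath                  = 'C:\Windows\NTDS'
    LogPath                       = 'C:\Windows\NTDS'
    SysvolPath                    = 'C:\Windows\SYSVOL'
}

# 3. Dry run: the same prerequisite checks Install-ADDSForest performs, without
#    changing anything. Stop here rather than discovering a problem mid-promotion.
Import-Module ADDSDeployment
$check = Test-ADDSForestInstallation @forest
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Forest prerequisite check failed; fix the reported issue before promoting.'
}

# 4. Promote. -Force suppresses the confirmation prompt; the server reboots when done.
Install-ADDSForest @forest -Force

# 5. After the reboot, log on as CORP\Administrator and confirm the result:
#    Get-ADDomain | Format-List DNSRoot,NetBIOSName,DomainMode,PDCEmulator
#    Get-ADForest | Format-List RootDomain,ForestMode,SchemaMaster,DomainNamingMaster
#    Get-Service NTDS,DNS,Netlogon,kdc | Format-Table Name,Status -AutoSize
#    Resolve-DnsName -Name _ldap._tcp.dc._msdcs.corp.fabrikam.com -Type SRV
```

The hashtable is splatted into both Test-ADDSForestInstallation and Install-ADDSForest so the dry run and the real promotion are guaranteed to use identical parameters. The SRV lookup in the final step is the quickest way to prove that the new domain controller is registering its locator records in the DNS zone it just created.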
Deploying a new Active Directory domain in an existing forest
Run the following cmdlet. Creating a new domain requires membership in the Enterprise Admins group of the forest, so pass those credentials with -Credential if the account you are logged on with does not have them:
Install-ADDSDomain -NewDomainName <String> -ParentDomainName <String> [-Credential <PSCredential>] [-CreateDnsDelegation] [-DomainMode <DomainMode>] [-DomainType <DomainType>] [-InstallDns] [-NewDomainNetbiosName <String>] [-SiteName <String>]
Parameters | Description |
-DomainType< TreeDomain | ChildDomain > | Indicates the type of domain that you want to create |
-InstallDns | Specifies whether the DNS Server service should be installed and configured for the domain or domain tree. |
-NewDomainName<String> | If -DomainType is "TreeDomain", this parameter specifies the fully qualified domain name (FQDN) of the new domain tree (for example, "contoso.com"). If -DomainType is "ChildDomain", it specifies the single-label name of the child domain (for example, specify "corp" to create the new domain "corp.contoso.com" when the parent domain is contoso.com). |
-ParentDomainName<String> | Specifies the fully qualified domain name (FQDN) of an existing parent domain. |
-SiteName<String> | Specifies the name of an existing site where you can place the new domain controller. |
Deploying an additional domain controller
Run the following cmdlet. Promotion requires Domain Admins membership in the target domain; pass those credentials with -Credential when the local account you are using does not have them, and use -SiteName to place the new domain controller in an existing site:
Install-ADDSDomainController -DomainName <String> [-Credential <PSCredential>] [-SiteName <String>] [-InstallDns] [-MoveInfrastructureOperationMasterRoleIfNecessary] [-SkipAutoConfigureDns]
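The following script is an added example, not part of the original topic. Where the forest example concentrates on creating a forest, this one shows what differs when joining an existing domain: an explicit Domain Admins credential, placement in an existing site, a chosen replication source, and a replication health check afterwards. The domain corp.fabrikam.com, the site DataCenter, the existing domain controller DC01 and the new server name DC02 are assumptions for illustration.

```powershell
# Added example, not from the original topic: promote a Server Core machine to an
# additional writable domain controller in corp.fabrikam.com and verify that it
# replicates. Assumed values: domain corp.fabrikam.com, existing site DataCenter,
# existing DC DC01, this server DC02. Run from an elevated PowerShell session.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

# The local account on a not-yet-promoted server has no rights in the domain, so
# promotion runs under an explicit Domain Admins credential collected at run time
# rather than under a shared domain admin logon on the console.
$domainAdmin  = Get-Credential -Message 'Domain Admins credential for corp.fabrikam.com'
$dsrmPassword = Read-Host -AsSecureString -Prompt 'DSRM (SafeMode) administrator password for this DC'

$dc = @{
    DomainName                    = 'corp.fabrikam.com'
    Credential                    = $domainAdmin
    SiteName                      = 'DataCenter'                 # must already exist
    ReplicationSourceDC           = 'DC01.corp.fabrikam.com'     # initial replication partner
    InstallDns                    = $true
    NoGlobalCatalog               = $false                       # make it a GC as well
    SafeModeAdministratorPassword = $dsrmPassword
}

# Dry run: same prerequisite checks as Install-ADDSDomainController, no changes made.
$check = Test-ADDSDomainControllerInstallation @dc
if ($check.Status -ne 'Success') {
    $check.Message
    throw 'Domain controller prerequisite check failed; fix the reported issue before promoting.'
}

# Promote; the server reboots on completion.
Install-ADDSDomainController @dc -Force

# After the reboot, from any DC or an RSAT client, confirm that DC02 is advertised
# in its site and that its first replication cycles succeeded (LastReplicationResult 0):
#   Get-ADDomainController -Filter * -Server corp.fabrikam.com |
#       Format-Table Name,Site,IsGlobalCatalog,IsReadOnly,OperatingSystem -AutoSize
#   Get-ADReplicationPartnerMetadata -Target DC02 -Scope Server |
#       Format-Table Partner,Partition,LastReplicationSuccess,LastReplicationResult -AutoSize
```

Pinning -ReplicationSourceDC is worth doing in multi-site environments: it keeps the initial full synchronization on a known, local partner instead of whichever domain controller the locator happens to return.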
Uninstalling a domain controller
Run the following cmdlet. The demotion removes AD DS from the server and reboots it; the value given for -LocalAdministratorPassword becomes the password of the local Administrator account on the resulting member server:
Uninstall-ADDSDomainController -LocalAdministratorPassword <SecureString> [-IgnoreLastDCInDomainMismatch] [-IgnoreLastDNSServerForZone] [-LastDomainControllerInDomain] [-NoRebootOnCompletion] [-RemoveApplicationPartitions] [-RemoveDNSDelegation] [-RetainDCMetadata]
Using the GUI to add and configure the AD DS role
You can also add and configure the AD DS role with graphical tools such as Server Manager. Server Core has no local GUI, so run Server Manager and the other AD DS snap-ins from a Windows client or a full server that has the Remote Server Administration Tools (RSAT) installed, and target the Server Core machine remotely. Server Manager provides a single place to add roles and to manage all roles installed on the server.
Common AD DS administration tasks in PowerShell
Task | Command |
Creating a user | New-ADUser -SamAccountName U1 -Name "User 1" -AccountPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" -Force) -Enabled $true -Path "OU=Test,DC=FABRIKAM,DC=COM" (see Get-Help New-ADUser -Detailed) |
Setting a user's password | Set-ADAccountPassword -Identity U1 -Reset -NewPassword (Read-Host -AsSecureString "New password") |
Unlocking a user account | Unlock-ADAccount -Identity "CN=U1,OU=Test,DC=FABRIKAM,DC=COM" |
Creating a group | New-ADGroup -Name "RODC Admins" -SamAccountName RODCAdmins -GroupCategory Security -GroupScope Global -DisplayName "RODC Administrators" -Path "CN=Users,DC=Fabrikam,DC=Com" |
Viewing the nested members of a group | Get-ADGroupMember G1 -Recursive | FT Name,ObjectClass -A |
Viewing the direct members of a group | Get-ADGroupMember G1 | FT Name,ObjectClass -A |
Adding a member to a group | Add-ADGroupMember -Identity SvcAccPSOGroup -Members SaraDavis |
Removing a member from a group | Remove-ADGroupMember -Identity SvcAccPSOGroup -Members SaraDavis |
Listing the OUs in a domain | Get-ADOrganizationalUnit -Filter {Name -like '*'} | FT Name,DistinguishedName -A |
Listing the objects in an OU | Get-ADObject -Filter 'Name -like "*"' -SearchBase 'OU=UserAccounts,DC=Fabrikam,DC=com' |
Creating an OU | New-ADOrganizationalUnit -Name UserAccounts -Path "DC=FABRIKAM,DC=COM" |
Renaming an OU | Rename-ADObject "OU=ManagedGroups,OU=Managed,DC=Fabrikam,DC=Com" -NewName Groups |
Protecting all OUs in the domain from accidental deletion | Get-ADOrganizationalUnit -Filter 'Name -like "*"' | Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true |
Creating a site object | New-ADObject -Name 'BO3' -Type site -Description 'Branch Office 3' -Path 'CN=Sites,CN=Configuration,DC=FABRIKAM,DC=COM' (see Get-Help New-ADObject -Detailed) |
Finding the domain controllers for a domain | Get-ADDomainController -Discover -DomainName FABRIKAM.COM |
Finding the forest-wide operations master role holders | Get-ADForest Fabrikam.com | FT SchemaMaster,DomainNamingMaster |
Finding the domain-wide operations master role holders | Get-ADDomain Fabrikam.com | FT PDCEmulator,RIDMaster,InfrastructureMaster |
Transferring operations master roles | Move-ADDirectoryServerOperationMasterRole -Identity FABRIKAM-DC1 -OperationMasterRole RIDMaster,InfrastructureMaster,DomainNamingMaster |
Getting all users under a container | Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM" |
Renaming the default first site | Get-ADReplicationSite | Rename-ADObject -NewName "DataCenter" |
Adding a subnet to the DataCenter site | New-ADReplicationSubnet -Name "192.168.1.0/24" -Site DataCenter |
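The following script is an added example and is not part of the original topic. It strings several of the table's one-liners together into a provisioning flow (OU, group, user, membership, verification) and shows the two things the one-liners leave out: the initial password comes from a cryptographic random number generator instead of a literal typed on the command line, and the OU is created already protected from accidental deletion. The domain FABRIKAM.COM, the OU Test, the group RODCAdmins and the user U1 are taken from the table; everything else is an assumption for illustration.

```powershell
# Added example, not from the original topic: provision an OU, a security group and
# a user with the ActiveDirectory module, then verify the result. Assumed values:
# domain FABRIKAM.COM, OU Test, group RODCAdmins, user U1 (as in the table above).
# Run on a domain controller or an RSAT client as a user with rights on the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=FABRIKAM,DC=COM
$ouDn     = "OU=Test,$domainDn"

# 1. OU, created already protected so a stray Remove-ADObject on it fails.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Test'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Test' -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# 2. Security group placed in the OU rather than in the default Users container.
if (-not (Get-ADGroup -Filter "SamAccountName -eq 'RODCAdmins'")) {
    New-ADGroup -Name 'RODC Admins' -SamAccountName 'RODCAdmins' -GroupCategory Security `
                -GroupScope Global -DisplayName 'RODC Administrators' -Path $ouDn
}

# 3. Initial password: 24 CSPRNG bytes, Base64-encoded (32 characters of mixed case,
#    digits and +/, so it satisfies the default complexity policy). It is shown once
#    for out-of-band handover, and ChangePasswordAtLogon forces rotation on first use.
function New-RandomPassword {
    param([int]$Bytes = 24)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    $rng.Dispose()
    [Convert]::ToBase64String($buf)
}
$initial = New-RandomPassword
$secure  = ConvertTo-SecureString -String $initial -AsPlainText -Force

New-ADUser -Name 'User 1' -SamAccountName 'U1' -UserPrincipalName 'U1@fabrikam.com' `
           -AccountPassword $secure -ChangePasswordAtLogon $true -Enabled $true -Path $ouDn
Write-Host "Initial password for U1 (hand over out of band, then clear this console): $initial"

# 4. Membership, then verification of what was actually created.
Add-ADGroupMember -Identity 'RODCAdmins' -Members 'U1'
Get-ADGroupMember -Identity 'RODCAdmins' -Recursive | Format-Table Name,ObjectClass -AutoSize
Get-ADUser -Identity 'U1' -Properties Enabled,PasswordLastSet,PasswordExpired,MemberOf |
    Format-List SamAccountName,Enabled,PasswordLastSet,PasswordExpired,MemberOf

# 5. Sweep: any OU created earlier without protection gets it now (the table's one-liner,
#    limited to the OUs that actually need the change).
Get-ADOrganizationalUnit -Filter 'Name -like "*"' -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    Set-ADOrganizationalUnit -ProtectedFromAccidentalDeletion $true
```

The existence checks make the script safe to rerun after a partial failure, and PasswordExpired being $true in the final Get-ADUser output confirms that the change-at-logon flag took effect.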