HOW TO: Setup Active Directory Domain Services (AD DS) in Windows 2012 Using PowerShell

If you're looking to create an unattended installation scenario for Active Directory, one approach is to script the installation with PowerShell. This article describes the installation steps for Active Directory Domain Services on Windows Server 2012. Several steps are common to every future domain controller (DC); the configuration options after that vary with the state of your domain.

Preparation Steps for All Future Domain Controllers
  • Set Timezone Appropriately Using tzutil
    • This is important as Active Directory is heavily dependent on consistent system time across servers for multiple factors. You may be able to skip this step, but it's always good to be sure, especially if your infrastructure is geographically dispersed.
    • See: http://technet.microsoft.com/en-us/library/hh825053.aspx
    • Command: tzutil /s "Eastern Standard Time"
  • Install AD DS Windows Role
    • This step prepares the server to become a domain controller.
    • Command: Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
  • Ensure AD DS Windows Service is set to Automatic
    • This is a simple check to ensure that you don’t encounter future setup issues. It may or may not be required depending on your scenario but costs very little and helps avoid problems. 
    • Command: Set-Service -Name "NTDS" -StartupType "Automatic"
  • Enable “File & Printer Sharing for Microsoft Networks”
    • Like the previous step, this is a cheap check that helps you avoid future setup issues; it may or may not be required for your scenario. It ensures that SYSVOL can be replicated properly across your domain controllers.
    • Command: netsh firewall set service type="fileandprint" mode=enable profile=domain
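The four preparation steps above as one script that also verifies each step, added here as an example; it is not code from the original article. It assumes an elevated PowerShell session on Windows Server 2012, and the time zone ID is a placeholder to adjust for your site. Step 4 uses the NetSecurity cmdlets instead of the article's deprecated "netsh firewall" context; the effect on the domain profile is the same.

```powershell
# Added example (not code from the original article): the four preparation steps as
# one script that also verifies each step. Assumed: run elevated on Windows Server 2012,
# and the time zone ID below is a placeholder to adjust for your site.
$TimeZoneId = "Eastern Standard Time"   # placeholder

# 1. Time zone. Kerberos rejects tickets when clocks differ by more than the allowed
#    skew (5 minutes by default), so fix the zone before this box becomes a DC.
tzutil /s $TimeZoneId
if ((tzutil /g).Trim() -ne $TimeZoneId) { throw "Time zone was not applied" }

# 2. AD DS role binaries plus the management tools (the ADDSDeployment and
#    ActiveDirectory modules used in the later steps come with them).
$result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
if (-not $result.Success) { throw "AD DS role install failed (exit code $($result.ExitCode))" }

# 3. NTDS must start automatically after promotion. PowerShell 3.0 on Server 2012 does
#    not expose StartType on Get-Service output, so read the start mode through WMI.
Set-Service -Name NTDS -StartupType Automatic
$ntds = Get-WmiObject -Class Win32_Service -Filter "Name='NTDS'"
if ($ntds.StartMode -ne 'Auto') { throw "NTDS start mode is $($ntds.StartMode), expected Auto" }

# 4. File and Printer Sharing on the domain profile so SYSVOL can replicate over SMB.
#    Same effect as the article's netsh command, using the NetSecurity cmdlets that
#    replaced the deprecated "netsh firewall" context on Server 2012.
Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.Profile -match 'Domain|Any' } |
    Enable-NetFirewallRule
$disabled = Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" |
    Where-Object { $_.Profile -match 'Domain|Any' -and $_.Enabled -ne 'True' }
if ($disabled) { throw "File and Printer Sharing rules still disabled: $($disabled.Name -join ', ')" }

"Preparation complete; restart needed before promotion: $($result.RestartNeeded)"
```

Run it once per future DC before either of the promotion sections below; every check throws on failure so an unattended build stops at the first broken prerequisite rather than at the promotion step.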

Configuring the Initial Domain Controller (Creating a New Forest)
  • Create the New Forest
    • This step configures directory services and creates a new forest. If you're not familiar with the forest concept, think of it this way: a domain is a tree of objects that exists in a forest, possibly alongside other domain trees. A domain must exist in a forest, so creating the first domain also creates a new forest. This can all be done with one PowerShell command.
    • Command: $secureRestoreModePassword = ConvertTo-SecureString -String "<<Password>>" -AsPlainText -Force
      Install-ADDSForest `
      -CreateDnsDelegation:$false `
      -DatabasePath "<<NTDS Path>>" `
      -DomainMode Win2012 `
      -DomainName "<<Domain Name>>.local" `
      -DomainNetbiosName "<<Domain Name>>" `
      -ForestMode Win2012 `
      -InstallDNS:$true `
      -LogPath "<<NTDS Path>>" `
      -NoRebootOnCompletion:$false `
      -SafeModeAdministratorPassword $secureRestoreModePassword `
      -SysvolPath "<<SYSVOL Path>>" `
      -Force:$true
    • Note(s): Replace <<Password>> with the plain text password you want to use as the recovery (Directory Services Restore Mode) password for the domain. Replace <<Domain Name>> with the name of the domain you want to create. Be aware that in Server 2012 a FQDN is required; hence the script above assumes the suffix "local" is appended to the selected domain name. The suffix "local" could be replaced with a more appropriate value for your scenario. Replace <<NTDS Path>> with the appropriate path for your NTDS store; I recommend placing this on a non-system drive, "D:\Windows\NTDS" for example. Replace <<SYSVOL Path>> with the appropriate path for your SYSVOL; again I recommend a non-system drive, "D:\Windows\SYSVOL" for example. Final note: this command assumes you want to host DNS on your DC (very common) and that you want your forest and domain to operate at the Windows 2012 functional level.
  • Restart Computer
    • Command: Restart-Computer
  • Create Key Distribution Service (KDS) Root Key
    • This prepares the server to support Managed Service Accounts (MSA). Note that this key may take up to 24 hours to become usable even with the effective-immediately option. This doesn't affect your installation unless you need to create an MSA as part of the process.
    • Command: Add-KdsRootKey -EffectiveImmediately
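The new-forest procedure above (promote, reboot, KDS root key) as one two-phase script, added here as an example; it is not code from the original article. It assumes the preparation steps are done, and the domain name, NetBIOS name and paths are placeholders to replace. Two differences from the article's one-liner: the DSRM password is prompted with Read-Host -AsSecureString instead of being embedded in the script with -AsPlainText, and Test-ADDSForestInstallation is run first so prerequisite failures are caught before anything is changed.

```powershell
# Added example, not code from the article: promote the first DC of a new forest.
# Run once as "-Phase Promote" (prompts for the DSRM password, dry-runs the
# prerequisite checks, then installs and reboots) and again after the reboot as
# "-Phase Verify". All placeholder values below are assumptions to replace.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Promote', 'Verify')]
    [string]$Phase
)

$DomainName  = "corp.example.local"    # placeholder FQDN; a bare name is rejected on 2012
$NetbiosName = "CORP"                  # placeholder
$NtdsPath    = "D:\Windows\NTDS"       # non-system drive, as the article recommends
$SysvolPath  = "D:\Windows\SYSVOL"

if ($Phase -eq 'Promote') {
    Import-Module ADDSDeployment
    # Prompt for the DSRM password instead of hard-coding it with -AsPlainText,
    # so the recovery password never lands in the script, logs or shell history.
    $dsrmPassword = Read-Host -Prompt "DSRM (recovery) password" -AsSecureString

    $params = @{
        DomainName                    = $DomainName
        DomainNetbiosName             = $NetbiosName
        DomainMode                    = 'Win2012'
        ForestMode                    = 'Win2012'
        DatabasePath                  = $NtdsPath
        LogPath                       = $NtdsPath
        SysvolPath                    = $SysvolPath
        InstallDns                    = $true
        CreateDnsDelegation           = $false
        SafeModeAdministratorPassword = $dsrmPassword
        NoRebootOnCompletion          = $false
        Force                         = $true
    }

    # Dry run: checks prerequisites (paths, name, DNS, functional levels) without changing anything.
    $check = Test-ADDSForestInstallation @params
    if ($check.Status -ne 'Success') {
        Write-Warning $check.Message
        throw "Pre-installation checks failed; the server was not modified"
    }
    Install-ADDSForest @params      # reboots the server when it completes
}
else {
    # After the reboot, log on as the domain Administrator and confirm the result.
    Import-Module ActiveDirectory
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dc     = Get-ADDomainController
    if ($domain.DNSRoot -ne $DomainName) { throw "Unexpected domain $($domain.DNSRoot)" }
    if (-not $dc.IsGlobalCatalog)       { throw "$($dc.HostName) is not a global catalog" }
    "Forest $($forest.Name) ($($forest.ForestMode)), domain $($domain.DNSRoot) ($($domain.DomainMode))"

    # dcdiag runs the DNS, replication and SYSVOL readiness tests; /q prints only failures.
    dcdiag /q

    # KDS root key, created only once per forest (Get-KdsRootKey lists existing keys).
    if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
}
```

For a fully unattended build the prompt can be replaced by a SecureString read from a file protected by DPAPI or by a deployment system's secret store; the point is that the plain text DSRM password should not be left in a script that ends up in source control or an image.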

Configuring Subsequent Domain Controllers (Adding a DC to an Existing Domain)
  • Create New Domain Controller
    • Command: $secureRestoreModePassword = ConvertTo-SecureString -String "<<Password>>" -AsPlainText -Force
      Install-ADDSDomainController `
      -NoGlobalCatalog:$false `
      -CreateDnsDelegation:$false `
      -CriticalReplicationOnly:$false `
      -DatabasePath "<<NTDS Path>>" `
      -DomainName "<<Domain Name>>.local" `
      -InstallDns:$true `
      -LogPath "<<NTDS Path>>" `
      -NoRebootOnCompletion:$false `
      -SafeModeAdministratorPassword $secureRestoreModePassword `
      -SysvolPath "<<SYSVOL Path>>"  `
      -Force:$true
    • Note(s): Replace <<Password>> with the plain text password you want to use as the recovery (Directory Services Restore Mode) password for this domain controller. Replace <<Domain Name>> with the name of the existing domain this DC will join. Be aware that in Server 2012 a FQDN is required; hence the script above assumes the suffix "local" is appended to the selected domain name. The suffix "local" could be replaced with a more appropriate value for your scenario. Replace <<NTDS Path>> with the appropriate path for your NTDS store; I recommend placing this on a non-system drive, "D:\Windows\NTDS" for example. Replace <<SYSVOL Path>> with the appropriate path for your SYSVOL; again I recommend a non-system drive, "D:\Windows\SYSVOL" for example. Final note: this command assumes you want to host DNS on your DC (very common) and that you want your domain to operate at the Windows 2012 functional level.
  • Restart Computer 
    • Command: Restart-Computer
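The additional-DC procedure above as a two-phase script, added here as an example; it is not code from the original article. It assumes the preparation steps are done on a member server and that the domain name and paths are placeholders to replace. It adds two things the article's command leaves implicit: a -Credential for an account allowed to add a DC to the domain, and a post-reboot check that the new DC actually replicates from the existing ones.

```powershell
# Added example (not code from the original article): add a DC to an existing domain.
# Run as "-Phase Promote" on the prepared member server, then after the reboot as
# "-Phase Verify". Unlike the new-forest case the promotion needs domain credentials
# (-Credential), and the thing to verify afterwards is replication with the existing DCs.
# All placeholder names are assumptions to replace.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Promote', 'Verify')]
    [string]$Phase
)

$DomainName = "corp.example.local"   # placeholder: FQDN of the existing domain
$NtdsPath   = "D:\Windows\NTDS"      # non-system drive, as the article recommends
$SysvolPath = "D:\Windows\SYSVOL"

if ($Phase -eq 'Promote') {
    Import-Module ADDSDeployment
    # Account authorised to add a DC (Domain Admins, or a delegated account). Without
    # -Credential the cmdlet uses the local logon, which a member server cannot use to
    # authenticate to the domain.
    $cred = Get-Credential -Message "Account allowed to add a domain controller to $DomainName"
    # DSRM password prompted at run time rather than hard-coded with -AsPlainText.
    $dsrmPassword = Read-Host -Prompt "DSRM (recovery) password for this DC" -AsSecureString

    $params = @{
        DomainName                    = $DomainName
        Credential                    = $cred
        InstallDns                    = $true
        CreateDnsDelegation           = $false
        NoGlobalCatalog               = $false   # keep the new DC a global catalog
        CriticalReplicationOnly       = $false   # full initial replication before the reboot
        DatabasePath                  = $NtdsPath
        LogPath                       = $NtdsPath
        SysvolPath                    = $SysvolPath
        SafeModeAdministratorPassword = $dsrmPassword
        NoRebootOnCompletion          = $false
        Force                         = $true
    }

    # Dry run of the prerequisite checks (credentials, DNS resolution of the domain,
    # paths, forest compatibility); nothing is changed if it fails.
    $check = Test-ADDSDomainControllerInstallation @params
    if ($check.Status -ne 'Success') {
        Write-Warning $check.Message
        throw "Pre-installation checks failed; the server was not modified"
    }
    Install-ADDSDomainController @params   # reboots the server when it completes
}
else {
    Import-Module ActiveDirectory
    $self = $env:COMPUTERNAME
    $dcs  = Get-ADDomainController -Filter *
    if (-not ($dcs | Where-Object { $_.Name -eq $self })) { throw "$self is not listed as a DC" }

    # Each inbound partner/partition pair should report a successful last replication (0).
    $failed = Get-ADReplicationPartnerMetadata -Target $self |
              Where-Object { $_.LastReplicationResult -ne 0 }
    if ($failed) {
        $failed | Format-Table Partner, Partition, LastReplicationResult, LastReplicationAttempt -AutoSize
        throw "Inbound replication errors on $self"
    }

    # SYSVOL must be shared before clients can read Group Policy from this DC.
    if (-not (Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue)) { throw "SYSVOL is not shared yet" }

    "$self replicates alongside: $(($dcs | Where-Object { $_.Name -ne $self }).HostName -join ', ')"
    repadmin /replsummary   # forest-wide view: any DC with a non-zero failure count needs a look
}
```

The Verify phase is the part worth keeping in an unattended pipeline: a DC that promoted but never completed initial replication, or whose SYSVOL share is missing, will answer logons with stale data, and these checks catch that before the server is handed to clients.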