Install a Windows Server 2012 Active Directory Read-Only Domain Controller (RODC) (Level 200)

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains how to create a staged RODC account and then attach a server to that account during RODC installation. This topic also explains how to install an RODC without performing a staged installation.

Stage RODC Workflow

A staged read-only domain controller (RODC) installation works in two discrete phases:

  1. Staging an unoccupied computer account

  2. Attaching an RODC to that account during promotion

The following diagram illustrates the Active Directory Domain Services Read-Only Domain Controller staging process, where you create an empty RODC computer account in the domain using the Active Directory Administrative Center (Dsac.exe).

Diagram showing the Active Directory Domain Services Read-Only Domain Controller staging process described above.

Stage RODC Windows PowerShell

ADDSDeployment Cmdlet: Add-addsreadonlydomaincontrolleraccount

Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS Configuration Wizard.):

  • -SkipPreChecks
  • -DomainControllerAccountName
  • -DomainName
  • -SiteName
  • -AllowPasswordReplicationAccountName
  • -Credential
  • -DelegatedAdministratorAccountName
  • -DenyPasswordReplicationAccountName
  • -NoGlobalCatalog
  • -InstallDNS
  • -ReplicationSourceDC

Note

The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.

Attach RODC Workflow

The diagram below illustrates the Active Directory Domain Services configuration process, where you already installed the AD DS role, you staged the RODC account, and started Promote this Server to a Domain Controller using Server Manager to create a new RODC in an existing domain, attaching it to the staged computer account.

Diagram showing the Active Directory Domain Services configuration process described above.

Attach RODC Windows PowerShell

ADDSDeployment Cmdlet: Install-AddsDomaincontroller

Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS Configuration Wizard.):

  • -SkipPreChecks
  • -DomainName
  • -SafeModeAdministratorPassword
  • -ApplicationPartitionsToReplicate
  • -CreateDNSDelegation
  • -Credential
  • -CriticalReplicationOnly
  • -DatabasePath
  • -DNSDelegationCredential
  • -InstallationMediaPath
  • -LogPath
  • -Norebootoncompletion
  • -ReplicationSourceDC
  • -SystemKey
  • -SYSVOLPath
  • -UseExistingAccount

Note

The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.

Staging

Screenshot of the Active Directory Administrative Center showing the Pre-create a Read-only domain controller account option highlighted in the Tasks pane.

You perform the staging operation of a read-only domain controller computer account by opening the Active Directory Administrative Center (Dsac.exe). Click the name of the domain in the navigation pane. Double-click Domain Controllers in the management list. Click Pre-create a Read-only domain controller account in the Tasks pane.

For more information about the Active Directory Administrative Center, see Advanced AD DS Management Using Active Directory Administrative Center (Level 200) and review Active Directory Administrative Center: Getting Started.

If you have experience creating read-only domain controllers, you will find that the installation wizard has the same graphical interface as seen when using the older Active Directory Users and Computers snap-in from Windows Server 2008 and uses the same code, which includes exporting the configuration in the unattend file format used by the obsolete dcpromo.

Windows Server 2012 introduces a new ADDSDeployment cmdlet to stage RODC computer accounts, but the wizard does not use the cmdlet for its operation. The following sections show the equivalent cmdlet and arguments in order to make the data associated with each easier to understand.

The Pre-create a Read-only domain controller account link in the Active Directory Administrative Center's Tasks pane is equivalent to the ADDSDeployment Windows PowerShell cmdlet:

              Add-addsreadonlydomaincontrolleraccount                          

Welcome

Screenshot of the Welcome page of the Active Directory Domain Services Installation Wizard showing the Use advanced mode installation option selected.

The Welcome to the Active Directory Domain Services Installation Wizard dialog has one option named Use advanced mode installation. Select this option and click Next to show password replication policy options. Clear this option to apply the default values for password replication policy options (this is discussed in further detail later in this section).

Network Credentials

Screenshot of the Network Credentials page of the Active Directory Domain Services Installation Wizard.

The domain name option in the Network Credentials dialog displays the domain targeted by the Active Directory Administrative Center by default. Your current credentials are used by default. If they do not include membership in the Domain Admins group, click Alternate Credentials, and click Set to provide the wizard with a user name and password that is a member of Domain Admins.

The equivalent ADDSDeployment Windows PowerShell argument is:

              -credential <pscredential>                          

Keep in mind that the staging system is a direct port from Windows Server 2008 R2 and does not provide the new Adprep functionality. If you plan to deploy staged RODC accounts, you must either first deploy an un-staged RODC in that domain so that the automatic rodcprep operation runs, or manually run adprep.exe /rodcprep first.

Otherwise, you will receive the error: You will not be able to install a read-only domain controller in this domain because adprep /rodcprep was not yet run.

Screenshot of the warning message of the Active Directory Domain Services Installation Wizard stating that adprep /rodcprep was not yet run.

Specify the Computer Name

Screenshot of the Specify the Computer Name page of the Active Directory Domain Services Installation Wizard.

The Specify the Computer Name dialog requires you to enter the single-label computer name of a domain controller that does not exist. The domain controller you configure and attach to this account later must have the same name, or the promotion operation will not find the staged account.

The equivalent ADDSDeployment Windows PowerShell argument is:

              -domaincontrolleraccountname <string>                          

Select a Site

Screenshot of the Select a Site page of the Active Directory Domain Services Installation Wizard.

The Select a Site dialog shows a list of Active Directory sites for the current forest. The staged read-only domain controller operation requires you to select a single site from the list. The RODC uses this information to create its NTDS Settings object in the Configuration partition and join itself to the correct site when it starts for the first time after being deployed.

The equivalent ADDSDeployment Windows PowerShell argument is:

              -sitename <string>                          

Additional Domain Controller Options

Screenshot of the Specify the Domain Controller Options page of the Active Directory Domain Services Installation Wizard.

The Additional Domain Controller Options dialog enables you to specify that a domain controller include running as a DNS Server and a Global Catalog. Microsoft recommends that read-only domain controllers provide DNS and GC services, so both are installed by default; one intention of the RODC role is branch office scenarios where the wide area network may not be available, and without those DNS and global catalog services, computers in the branch will not be able to use AD DS resources and functionality.

The Read-only domain controller (RODC) option is pre-selected and cannot be disabled. The equivalent ADDSDeployment Windows PowerShell arguments are:

              -installdns <string> -NoGlobalCatalog <{$true | $false}>                          

Note

By default, the -NoGlobalCatalog value is $false, which means the domain controller will be a global catalog server if the argument is not specified.

Specify the Password Replication Policy

Screenshot of the Specify the Password Replication Policy page of the Active Directory Domain Services Installation Wizard.

The Specify the Password Replication Policy dialog enables you to modify the default list of accounts that are allowed to cache their passwords on this read-only domain controller. Accounts in the list configured with Deny or that are not in the list (implicit) do not cache their password. Accounts that are not allowed to cache passwords on the RODC and cannot connect and authenticate to a writable domain controller cannot access resources or functionality provided by Active Directory.

Important

The wizard shows this dialog only if you select the Use Advanced Mode Installation check box on the welcome screen. If you clear this check box, then the wizard uses the following default groups and values:

  • Administrators - Deny
  • Server Operators - Deny
  • Backup Operators - Deny
  • Account Operators - Deny
  • Denied RODC Password Replication Group - Deny
  • Allowed RODC Password Replication Group - Allow

The equivalent ADDSDeployment Windows PowerShell arguments are:

              -allowpasswordreplicationaccountname <string []> -denypasswordreplicationaccountname <string []>

Screenshot of the Add Groups, Users and Computers dialog box.

Delegation of RODC Installation and Administration

Screenshot of the Delegation of RODC Installation and Administration page of the Active Directory Domain Services Installation Wizard.

The Delegation of RODC Installation and Administration dialog enables you to configure a user or group containing users who are allowed to attach the server to the RODC computer account. Click Set to browse the domain for a user or group. The user or group specified in this dialog gains local administrative permissions to the RODC. The specified user or members of the specified group can perform operations on the RODC with privileges equivalent to the computer's Administrators group. They are not members of the Domain Admins or domain built-in Administrators groups.

Use this option to delegate branch office administration without granting the branch administrator membership to the Domain Admins group. Delegating RODC administration is not required.

The equivalent ADDSDeployment Windows PowerShell argument is:

              -delegatedadministratoraccountname <string>

Summary

Screenshot of the Summary page of the Active Directory Domain Services Installation Wizard.

The Summary dialog enables you to confirm your settings. This is the last opportunity to stop the installation before the wizard creates the staged account. Click Next when you are ready to create the staged RODC computer account. Click Export Settings to save an answer file in the obsolete dcpromo unattend file format.

Creation

Screenshot of the progress page of the Active Directory Domain Services Installation Wizard.

The Active Directory Domain Services Installation Wizard creates the staged read-only domain controller in Active Directory. You cannot cancel this operation after it starts.

Screenshot of the last page of the Active Directory Domain Services Installation Wizard.

Use the following cmdlet to stage a read-only domain controller computer account using the ADDSDeployment Windows PowerShell module:

              Add-addsreadonlydomaincontrolleraccount

See Stage RODC Windows PowerShell for required and optional arguments.

Because Add-addsreadonlydomaincontrolleraccount only has one action with two phases (prerequisite checking and installation), the following screenshots show the installation phase with the minimum required arguments.

Screenshot of the PowerShell window showing the full Add-addsreadonlydomaincontrolleraccount cmdlet.

Screenshot of the PowerShell window showing the result of the Add-addsreadonlydomaincontrolleraccount cmdlet.

The stage RODC operation creates the RODC computer account in Active Directory. The Active Directory Administrative Center shows the Domain Controller Type as an Unoccupied Domain Controller Account. This domain controller type indicates that the staged RODC account is ready for a server to attach to it as a read-only domain controller.

Screenshot of the Active Directory Administrative Center showing Unoccupied Domain Controller Account highlighted.
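The following is an added example (not code from the Microsoft page): it stages an RODC account with the cmdlet described above, with an explicit password replication policy and a delegated administrator, and then reads the staged computer object back to confirm what the operation wrote. The domain corp.contoso.com, the site Branch01, the computer name BR01-RODC1 and the groups CORP\Branch01-PRP-Allow and CORP\Branch01-Admins are placeholder values that are assumed to exist already.

```powershell
# Added example, not from the Microsoft page. Placeholder names: domain corp.contoso.com,
# site Branch01, RODC account BR01-RODC1, groups CORP\Branch01-PRP-Allow and CORP\Branch01-Admins.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$accountName = 'BR01-RODC1'

# The staged account must be the only computer object carrying the name the future
# RODC will have, so stop if an object with that name already exists.
if (Get-ADComputer -Filter "Name -eq '$accountName'") {
    throw "A computer object named $accountName already exists; choose another name or remove it first."
}

$stageParams = @{
    DomainControllerAccountName         = $accountName
    DomainName                          = 'corp.contoso.com'
    SiteName                            = 'Branch01'
    # Password replication policy: only this group may have its passwords cached on the RODC.
    # -DenyPasswordReplicationAccountName is not set here, so the default deny list applies;
    # pass the groups explicitly if your policy requires a different deny list.
    AllowPasswordReplicationAccountName = @('CORP\Branch01-PRP-Allow')
    # Branch administrators who may attach the server and administer it locally
    # without being members of Domain Admins.
    DelegatedAdministratorAccountName   = 'CORP\Branch01-Admins'
    # Only needed when the current logon is not a member of Domain Admins.
    Credential                          = (Get-Credential -Message 'Domain Admins credential')
}
Add-ADDSReadOnlyDomainControllerAccount @stageParams

function Get-StagedRodcSummary {
    # Reads the staged RODC computer object back and summarizes the security-relevant
    # settings: the account's primary group is Read-only Domain Controllers (RID 521),
    # the allow/deny lists are stored in msDS-RevealOnDemandGroup / msDS-NeverRevealGroup,
    # and the delegated administrator is stored in managedBy.
    param([Parameter(Mandatory)][string]$Name)
    $props = 'primaryGroupID', 'managedBy', 'msDS-RevealOnDemandGroup', 'msDS-NeverRevealGroup'
    $rodc  = Get-ADComputer -Identity $Name -Properties $props
    [pscustomobject]@{
        Name           = $rodc.Name
        IsRodcAccount  = ($rodc.primaryGroupID -eq 521)
        DelegatedAdmin = $rodc.managedBy
        AllowedToCache = @($rodc.'msDS-RevealOnDemandGroup')
        DeniedToCache  = @($rodc.'msDS-NeverRevealGroup')
    }
}

Get-StagedRodcSummary -Name $accountName | Format-List
```

Run the summary again after the branch server attaches, to confirm the policy was not changed in between.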

Important

The Active Directory Administrative Center is no longer required to attach a server to a read-only domain controller computer account. Use Server Manager and the Active Directory Domain Services Configuration Wizard or the ADDSDeployment Windows PowerShell module cmdlet Install-AddsDomainController to attach a new RODC to its staged account. The steps are similar to adding a new writable domain controller to an existing domain, with the exception that the staged RODC computer account contains configuration options decided at the time you staged the RODC computer account.

Attaching

Deployment Configuration

Screenshot of the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard.

Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on this page and subsequent pages, depending on which deployment operation you select.

To add a read-only domain controller to an existing domain, select Add a domain controller to an existing domain and click the Select button to specify the domain information for this domain. Server Manager automatically prompts you for valid credentials, or you can click Change.

Attaching an RODC requires membership in the Domain Admins group in Windows Server 2012. The Active Directory Domain Services Configuration Wizard prompts you later if your current credentials do not have adequate permissions or group memberships.

The Deployment Configuration ADDSDeployment Windows PowerShell cmdlet and arguments are:

              Install-AddsDomainController -domainname <string> -credential <pscredential>                          

Domain Controller Options

Screenshot of the Domain Controller Options page of the Active Directory Domain Services Configuration Wizard.

The Domain Controller Options page shows the domain controller options for the new domain controller. When this page loads, the Active Directory Domain Services Configuration Wizard sends an LDAP query to an existing domain controller to check for unoccupied accounts. If the query finds an unoccupied domain controller computer account that shares the same name as the current computer, then the wizard displays an informational message at the top of the page that reads A Pre-created RODC account that matches the name of the target server exists in the directory. Choose whether to use this existing RODC account or reinstall this domain controller. The wizard uses Use existing RODC account as the default configuration.

Important

You can use the Reinstall this domain controller option when a domain controller has suffered a physical problem and cannot return to functionality. This saves time when configuring the replacement domain controller, by leaving the domain controller computer account and object metadata in Active Directory. Install the new computer with the same name, and promote it as a domain controller in the domain. The Reinstall this domain controller option is unavailable if you removed the domain controller object's metadata from Active Directory (metadata cleanup).

You cannot configure domain controller options when you are attaching a server to an RODC computer account. You configure domain controller options when you create the staged RODC computer account.

The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server. Always choose a strong, complex password or preferably, a passphrase.

The Domain Controller Options ADDSDeployment Windows PowerShell arguments are:

              -UseExistingAccount <{$true | $false}> -SafeModeAdministratorPassword <secure string>

Important

The site name must already exist when provided as an argument to -sitename. The install-AddsDomainController cmdlet does not create site names. You can use the cmdlet new-adreplicationsite to create new sites.

The Install-ADDSDomainController arguments follow the same defaults as Server Manager if not specified.

The SafeModeAdministratorPassword argument's behavior is special:

  • If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

    For example, to create a new RODC in corp.contoso.com and be prompted to enter and confirm a masked password:

                      Install-ADDSDomainController -DomainName corp.contoso.com -credential (get-credential)
  • If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

              -safemodeadministratorpassword (read-host -prompt Password: -assecurestring)                          

Warning

As the previous option does not confirm the password, use extreme caution: the password is not visible.

You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.

              -safemodeadministratorpassword (convertto-securestring Password1 -asplaintext -force)                          

Finally, you could store the obfuscated password in a file, and then reuse it later, without the clear text password ever appearing. For example:

              $file = "c:\pw.txt"
              $pw = read-host -prompt "Password:" -assecurestring
              $pw | ConvertFrom-SecureString | Set-Content $file
              -safemodeadministratorpassword (Get-Content $file | ConvertTo-SecureString)

Warning

Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the DSRM password of that domain controller. Anyone with access to the file could reverse that obfuscated password. With that knowledge, they can log on to a DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an AD forest. An additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to totally avoid password storage.

Additional Options

Screenshot of the Additional Options page of the Active Directory Domain Services Configuration Wizard.

The Additional Options page provides configuration options to name a domain controller as the replication source, or you can use any domain controller as the replication source.

You can also choose to install the domain controller using backed up media using the Install from media (IFM) option. The Install from media checkbox provides a browse option once selected and you must click Verify to ensure the provided path is valid media.

Guidelines for the IFM source:

  • Media used by the IFM option is created with Windows Server Backup or Ntdsutil.exe from another existing Windows Server Domain Controller with the same operating system version only. For example, you cannot use a Windows Server 2008 R2 or previous operating system to create media for a Windows Server 2012 domain controller.
  • The IFM source data should be from a writable Domain Controller. While a source from an RODC will technically work to create a new RODC, there are false positive replication warnings that the IFM source RODC is not replicating.

For more information about changes in IFM, see Ntdsutil.exe Install from Media Changes. If using media protected with a SYSKEY, Server Manager prompts for the image's password during verification.

Screenshot of the Command Prompt window showing the results of running ntdsutil.

The Additional Options ADDSDeployment cmdlet arguments are:

              -replicationsourcedc <string> -installationmediapath <string> -systemkey <secure string>                          

Paths

Screenshot of the Paths page of the Active Directory Domain Services Configuration Wizard.

The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%. The Paths ADDSDeployment cmdlet arguments are:

              -databasepath <string> -logpath <string> -sysvolpath <string>                          

Review Options and View Script

Screenshot of the Review Options page of the Active Directory Domain Services Configuration Wizard.

The Review Options page enables you to validate your settings and ensure that they meet your requirements before you start the installation. This is not the last opportunity to stop the installation using Server Manager. This page simply enables you to review and confirm your settings before continuing the configuration. The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current ADDSDeployment configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio. Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a valid and syntactically correct sample for further modification or direct use. For example:

              #
              # Windows PowerShell Script for AD DS Deployment
              #

              Import-Module ADDSDeployment
              Install-ADDSDomainController `
              -Credential (Get-Credential) `
              -CriticalReplicationOnly:$false `
              -DatabasePath "C:\Windows\NTDS" `
              -DomainName "corp.contoso.com" `
              -LogPath "C:\Windows\NTDS" `
              -SYSVOLPath "C:\Windows\SYSVOL" `
              -UseExistingAccount:$true `
              -Norebootoncompletion:$false `
              -Force:$true

Note

Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of Windows or service packs). The one exception to this is the -safemodeadministratorpassword argument. To force a confirmation prompt, omit the value when running the cmdlet interactively.

Use the optional Whatif argument with the Install-ADDSDomainController cmdlet to review configuration information. This enables you to see the explicit and implicit values of the arguments for a cmdlet.

Screenshot of the PowerShell window showing the results of the Install-ADDSDomainController cmdlet.
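The following is an added example (not code from the Microsoft page) of attaching a server to its staged account from PowerShell: it first confirms that a staged RODC account with this server's name exists (the promotion only finds the account when the names match), previews the promotion with -WhatIf, and then promotes with the DSRM password prompted interactively rather than stored. It assumes it runs on the server being promoted, with the AD DS role (and its ActiveDirectory module) installed and network access to a writable DC; corp.contoso.com is a placeholder domain.

```powershell
# Added example, not from the Microsoft page. Run on the server being promoted.
# Placeholder domain: corp.contoso.com.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

function Assert-StagedRodcAccount {
    # Confirms that a staged RODC account named like this server exists in the domain.
    # The promotion only attaches to an account whose name matches the local computer name,
    # so checking up front gives a clear error instead of a failed promotion.
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $name = $env:COMPUTERNAME
    $acct = Get-ADComputer -Server $DomainName -Credential $Credential `
        -Filter "Name -eq '$name'" -Properties primaryGroupID -ErrorAction Stop
    if (-not $acct) {
        throw "No computer account named $name exists in $DomainName. Stage the RODC account first."
    }
    # Staged RODC accounts have Read-only Domain Controllers (RID 521) as their primary group;
    # any other value means the name is taken by an ordinary computer account.
    if ($acct.primaryGroupID -ne 521) {
        throw "$name exists in $DomainName but is not an RODC account (primaryGroupID $($acct.primaryGroupID))."
    }
    return $acct
}

$domain = 'corp.contoso.com'
$cred   = Get-Credential -Message 'Account that is a member of Domain Admins'

$null = Assert-StagedRodcAccount -DomainName $domain -Credential $cred

# Preview: -WhatIf shows the explicit and implicit argument values without changing anything.
Install-ADDSDomainController -DomainName $domain -Credential $cred -UseExistingAccount -WhatIf

# Promote. -SafeModeAdministratorPassword is omitted on purpose so the DSRM password is
# prompted for and confirmed as a masked secure string and is never written to disk.
# -Force accepts the reboot prompt; the server reboots when promotion completes.
Install-ADDSDomainController -DomainName $domain -Credential $cred -UseExistingAccount -Force
```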

Prerequisites Check

Screenshot of the Prerequisites Check page of the Active Directory Domain Services Configuration Wizard.

The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new AD DS forest.

When installing a new forest root domain, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests. These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller installation process cannot continue until all prerequisite tests pass.

The Prerequisites Check also surfaces relevant information such as security changes that affect older operating systems. For more information about the prerequisite checks, see Prerequisite Checking.

You cannot bypass the Prerequisite Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet using the following argument:

              -skipprechecks                          

Warning

Microsoft discourages skipping the prerequisite check as it can lead to a partial domain controller promotion or damaged AD DS forest.

Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results.

Installation

Screenshot of the Installation page of the Active Directory Domain Services Configuration Wizard.

When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and are written to logs:

  • %systemroot%\debug\dcpromo.log

  • %systemroot%\debug\dcpromoui.log

To install a new Active Directory forest using the ADDSDeployment module, use the following cmdlet:

              Install-addsdomaincontroller                          

See Attach RODC Windows PowerShell for required and optional arguments.

The Install-addsdomaincontroller cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation phase with the minimum required arguments of -domainname, -useexistingaccount, and -credential. Note how, just like Server Manager, Install-ADDSDomainController reminds you that promotion will reboot the server automatically:

Screenshot of the PowerShell window showing the result of the Install-addsdomaincontroller cmdlet.

Screenshot of the PowerShell window showing the progress of the validation and installation.

To accept the reboot prompt automatically, use the -force or -confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end of promotion, use the -norebootoncompletion argument.

Warning

Overriding the reboot is discouraged. The domain controller must reboot to function correctly.

Results

Screenshot of the Results page of the Active Directory Domain Services Configuration Wizard.

The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot after 10 seconds.

RODC without Staging Workflow

The following diagram illustrates the Active Directory Domain Services configuration process, when you previously installed the AD DS role and you have started the Active Directory Domain Services Configuration Wizard using Server Manager to create a new non-staged read-only domain controller in an existing Windows Server 2012 domain.

Diagram showing the Active Directory Domain Services Read-Only Domain Controller process, as described above, without the staging workflow.

RODC without Staging Windows PowerShell

ADDSDeployment Cmdlet: Install-AddsDomainController

Arguments (Bold arguments are required. Italicized arguments can be specified by using Windows PowerShell or the AD DS Configuration Wizard.):

  • -SkipPreChecks
  • -DomainName
  • -SafeModeAdministratorPassword
  • -SiteName
  • -ApplicationPartitionsToReplicate
  • -CreateDNSDelegation
  • -Credential
  • -CriticalReplicationOnly
  • -DatabasePath
  • -DNSDelegationCredential
  • -DNSOnNetwork
  • -InstallationMediaPath
  • -InstallDNS
  • -LogPath
  • -MoveInfrastructureOperationMasterRoleIfNecessary
  • -NoGlobalCatalog
  • -Norebootoncompletion
  • -ReplicationSourceDC
  • -SkipAutoConfigureDNS
  • -SystemKey
  • -SYSVOLPath
  • -AllowPasswordReplicationAccountName
  • -DelegatedAdministratorAccountName
  • -DenyPasswordReplicationAccountName
  • -ReadOnlyReplica

Note

The -credential argument is only required if you are not already logged on as a member of the Domain Admins group.

RODC without Staging Deployment

Deployment Configuration

Screenshot of the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

Server Manager begins every domain controller promotion with the Deployment Configuration page. The remaining options and required fields change on this page and subsequent pages, depending on which deployment operation you select.

To add an un-staged read-only domain controller to an existing Windows Server 2012 domain, select Add a domain controller to an existing domain and click the Select button to specify the domain information for this domain. Server Manager automatically prompts you for valid credentials, or you can click Change.

Attaching an RODC requires membership in the Domain Admins group in Windows Server 2012. The Active Directory Domain Services Configuration Wizard prompts you later if your current credentials do not have adequate permissions or group memberships.

The Deployment Configuration ADDSDeployment Windows PowerShell cmdlet and arguments are:

              Install-AddsDomainController -domainname <string> -credential <pscredential>                          

Domain Controller Options

Screenshot of the Domain Controller Options page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

The Domain Controller Options page specifies the domain controller capabilities for the new domain controller. The configurable domain controller capabilities are DNS server, Global Catalog, and Read-only domain controller. Microsoft recommends that all domain controllers provide DNS and GC services for high availability in distributed environments. GC is always selected by default and DNS server is selected by default if the current domain hosts DNS already on its DCs based on a Start of Authority query.

The Domain Controller Options page also enables you to choose the appropriate Active Directory logical site name from the forest configuration. By default, it selects the site with the most correct subnet. If there is only one site, it selects that site automatically.

Important

If the server does not belong to an Active Directory subnet and there is more than one Active Directory site, nothing is selected and the Next button is unavailable until you choose a site from the list.

The specified Directory Services Restore Mode Password must adhere to the password policy applied to the server. Always choose a strong, complex password or preferably, a passphrase.

The Domain Controller Options ADDSDeployment Windows PowerShell arguments are:

              -UseExistingAccount <{$true | $false}> -SafeModeAdministratorPassword <secure string>

Important

The site name must already exist when provided as an argument to -sitename. The install-AddsDomainController cmdlet does not create site names. You can use the cmdlet new-adreplicationsite to create new sites.

The Install-ADDSDomainController arguments follow the same defaults as Server Manager if not specified.

The SafeModeAdministratorPassword argument's behavior is special:

  • If not specified as an argument, the cmdlet prompts you to enter and confirm a masked password. This is the preferred usage when running the cmdlet interactively.

    For example, to create a new RODC in corp.contoso.com and be prompted to enter and confirm a masked password:

              Install-ADDSDomainController -DomainName corp.contoso.com -ReadOnlyReplica -SiteName Default-First-Site-Name -Credential (Get-Credential)
  • If specified with a value, the value must be a secure string. This is not the preferred usage when running the cmdlet interactively.

For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the user for a secure string:

              -SafeModeAdministratorPassword (Read-Host -Prompt "Password:" -AsSecureString)

Warning

As the previous option does not confirm the password, use extreme caution: the password is not visible, and a typo goes undetected until the DSRM password is needed.

You can also provide a secure string as a converted clear-text variable, although this is highly discouraged.

              -SafeModeAdministratorPassword (ConvertTo-SecureString "Password1" -AsPlainText -Force)

Finally, you could store the obfuscated password in a file, and then reuse it later, without the clear-text password ever appearing. For example:

              $file = "c:\pw.txt"
              $pw = Read-Host -Prompt "Password:" -AsSecureString
              $pw | ConvertFrom-SecureString | Set-Content $file

              -SafeModeAdministratorPassword (Get-Content $file | ConvertTo-SecureString)

Warning

Providing or storing a clear or obfuscated text password is not recommended. Anyone running this command in a script or looking over your shoulder knows the DSRM password of that domain controller. Anyone with access to the file could reverse that obfuscated password (ConvertFrom-SecureString without a -Key protects the data only with the DPAPI key of the user who wrote it, so running in that user's context is enough). With that knowledge, they can log on to a DC started in DSRM and eventually impersonate the domain controller itself, elevating their privileges to the highest level in an AD forest. An additional set of steps using System.Security.Cryptography to encrypt the text file data is advisable but out of scope. The best practice is to totally avoid password storage.
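The following script is an added example and is not part of the original article. It follows the recommendation above: the DSRM password is prompted for twice, the two entries are compared without being written to disk or kept in a clear-text variable, and the resulting SecureString is passed directly to Install-ADDSDomainController. The domain name corp.contoso.com is the article's own; the site name Chicago, the 15-character minimum and the helper name Read-ConfirmedSecureString are assumptions. -WhatIf makes the cmdlet report what it would do without promoting; remove it to perform the promotion.

```powershell
# Added example, not from the original article. Assumed: site name Chicago,
# the 15-character minimum, and the helper name Read-ConfirmedSecureString.
Import-Module ADDSDeployment

function Read-ConfirmedSecureString {
    param(
        [string]$Prompt    = 'DSRM password',
        [int]   $MinLength = 15
    )
    while ($true) {
        $first  = Read-Host -Prompt $Prompt -AsSecureString
        $second = Read-Host -Prompt "Confirm $Prompt" -AsSecureString

        # PowerShell cannot compare two SecureStrings directly. The clear text exists
        # only inside this single expression; it is never assigned, echoed or logged.
        $same = ((New-Object System.Net.NetworkCredential('', $first)).Password -ceq (New-Object System.Net.NetworkCredential('', $second)).Password)

        if ($same -and $first.Length -ge $MinLength) { return $first }
        if (-not $same) { Write-Warning 'The two entries did not match; try again.' }
        else            { Write-Warning "Use at least $MinLength characters (a passphrase is fine)." }
    }
}

$dsrmPassword = Read-ConfirmedSecureString

# The SecureString goes straight to the cmdlet. Nothing is stored on disk, so there is
# no file for an attacker to recover the DSRM password from later.
Install-ADDSDomainController `
    -DomainName 'corp.contoso.com' `
    -ReadOnlyReplica `
    -SiteName 'Chicago' `
    -Credential (Get-Credential -Message 'Account with rights to add a domain controller') `
    -SafeModeAdministratorPassword $dsrmPassword `
    -WhatIf
```

Because the confirmation is done by the script, this keeps the interactive safety of omitting -SafeModeAdministratorPassword while still allowing the password to be collected before a longer unattended step.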

RODC Options

Screenshot of the RODC Options page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

The RODC Options page enables you to modify the following settings:

  • Delegated Administrator Account

  • Accounts that are immune to replicate passwords to the RODC

  • Accounts that are denied from replicating passwords to the RODC

Delegated administrator accounts gain local administrative permissions to the RODC. These users can operate with privileges equivalent to the local computer's Administrators group. They are not members of the Domain Admins or the domain built-in Administrators groups. This option is useful for delegating branch office administration without giving out domain administrative permissions. Configuring delegation of administration is not required.

The equivalent ADDSDeployment Windows PowerShell argument is:

              -delegatedadministratoraccountname <string>                          

Accounts that are not allowed to cache passwords on the RODC, and that cannot connect and authenticate to a writable domain controller, cannot access resources or functionality provided by Active Directory.

Important

If not modified, the default groups and settings are used:

  • Administrators - Deny
  • Server Operators - Deny
  • Backup Operators - Deny
  • Account Operators - Deny
  • Denied RODC Password Replication Group - Deny
  • Allowed RODC Password Replication Group - Allow

The equivalent ADDSDeployment Windows PowerShell arguments are:

              -AllowPasswordReplicationAccountName <string[]>
              -DenyPasswordReplicationAccountName <string[]>

Screenshot of the Select User, Computer, Service Account dialog box.
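The following script is an added example, not part of the original article, for auditing the Password Replication Policy once the RODC is in service. It confirms that the default Denied entries listed above are still present and that none of them has been moved to the Allowed list, lists the accounts whose secrets have actually been cached on the RODC, and flags any cached account that is a (nested) member of a highly privileged group. The RODC name CHI-RODC01 is an assumption. The group names are Active Directory defaults; Domain Admins, Enterprise Admins and Schema Admins are denied by default through their membership of Denied RODC Password Replication Group rather than by a direct entry, which is why the two lists below are kept separate.

```powershell
# Added example, not from the original article. Assumed: RODC computer name CHI-RODC01.
Import-Module ActiveDirectory

$rodc = 'CHI-RODC01'

# Default Denied entries, as listed on the RODC Options page.
$defaultDenied = @(
    'Administrators'
    'Server Operators'
    'Backup Operators'
    'Account Operators'
    'Denied RODC Password Replication Group'
)
# Groups whose members must never have secrets cached on a branch RODC.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

$allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed
$denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied

# 1. The policy still denies the default groups and none of them was moved to Allowed.
foreach ($name in $defaultDenied) {
    $dn = (Get-ADGroup -Identity $name).DistinguishedName
    if ($denied.DistinguishedName -notcontains $dn) { Write-Warning "$name is missing from the Denied list of $rodc" }
    if ($allowed.DistinguishedName -contains $dn)   { Write-Warning "$name appears in the Allowed list of $rodc" }
}

# 2. Resolve privileged accounts (nested membership) and compare with what is cached.
$privilegedDns = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | Select-Object -ExpandProperty DistinguishedName
}
$revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$exposed  = $revealed | Where-Object { $privilegedDns -contains $_.DistinguishedName }

if ($exposed) {
    Write-Warning "Privileged account secrets are cached on $rodc; reset these passwords and fix the PRP:"
    $exposed | Select-Object SamAccountName, DistinguishedName
} else {
    Write-Output "No privileged account secrets are cached on $rodc."
}

# 3. The delegated RODC administrator is recorded in the computer object's managedBy attribute.
Write-Output ('Delegated administrator: ' + (Get-ADComputer -Identity $rodc -Properties managedBy).managedBy)

# 4. Everything currently cached, for manual review.
$revealed | Select-Object SamAccountName, ObjectClass | Sort-Object ObjectClass, SamAccountName
```

Run this from a management workstation with the RSAT ActiveDirectory module against a writable domain controller; the PRP and the revealed list are attributes of the RODC's computer object, so they are readable without touching the branch server. If a privileged account shows up as revealed, treat the RODC as compromised for that account and reset its password from a writable DC.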

Additional Options

Screenshot of the Additional Options page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

The Additional Options page provides configuration options to name a domain controller as the replication source, or you can use any domain controller equally the replication source.

You can also choose to install the domain controller from backed-up media using the Install from media (IFM) option. The Install from media checkbox provides a browse option once selected, and you must click Verify to ensure the provided path is valid media.

Guidelines for the IFM source:

  • Media used by the IFM option is created with Windows Server Backup or Ntdsutil.exe from another existing Windows Server domain controller with the same operating system version only. For example, you cannot use a Windows Server 2008 R2 or earlier operating system to create media for a Windows Server 2012 domain controller.
  • The IFM source data should be from a writable domain controller. While a source from an RODC will technically work to create a new RODC, there are false positive replication warnings that the IFM source RODC is not replicating.

For more information about changes in IFM, see Ntdsutil.exe Install from Media Changes. If using media protected with a SYSKEY, Server Manager prompts for the image's password during verification.

Screenshot of the Command Prompt window showing the results of running ntdsutil when there is no staging deployment.

The Additional Options ADDSDeployment cmdlet arguments are:

              -ReplicationSourceDC <string>
              -InstallationMediaPath <string>
              -SystemKey <secure string>

Paths

Screenshot of the Paths page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

The Paths page enables you to override the default folder locations of the AD DS database, the database transaction logs, and the SYSVOL share. The default locations are always in subdirectories of %systemroot%. The Paths ADDSDeployment cmdlet arguments are:

              -DatabasePath <string>
              -LogPath <string>
              -SysvolPath <string>

Preparation Options

Screenshot of the Preparation Options page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

The Preparation Options page alerts you that the AD DS configuration includes extending the Schema (forestprep) and updating the domain (domainprep). You only see this page when the forest or domain has not been prepared by a previous Windows Server 2012 domain controller installation or by manually running Adprep.exe. For example, the Active Directory Domain Services Configuration Wizard suppresses this page if you add a new replica domain controller to an existing Windows Server 2012 forest root domain.

Extending the Schema and updating the domain do not occur when you click Next. These events occur only during the installation phase. This page only brings awareness of the events that will occur later in the installation.

This page also validates that the current user credentials are members of the Schema Admins and Enterprise Admins groups, as you need membership in these groups to extend the schema or prepare a domain. Click Change to provide the appropriate user credentials if the page informs you that the current credentials do not provide sufficient permissions.

The Preparation Options ADDSDeployment cmdlet argument is:

              -adprepcredential <pscredential>                          

Important

As with previous versions of Windows Server, Windows Server 2012's automated domain preparation does not run GPPREP. Run adprep.exe /gpprep manually for all domains that were not previously prepared for Windows Server 2003, Windows Server 2008, or Windows Server 2008 R2. You should run GPPrep only once in the history of a domain, not with every upgrade. Adprep.exe does not run /gpprep automatically because its operation can cause all files and folders in the SYSVOL folder to re-replicate on all domain controllers.

Automatic RODCPrep runs when you promote the first un-staged RODC in a domain. It does not occur when you promote the first writeable Windows Server 2012 domain controller. You can also still manually run adprep.exe /rodcprep if you plan to deploy read-only domain controllers.

Review Options and View Script

Screenshot of the Review Options page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

The Review Options page enables you to validate your settings and ensure that they meet your requirements before you start the installation. This is not the last opportunity to stop the installation using Server Manager. This page simply enables you to review and confirm your settings before continuing the configuration.

The Review Options page in Server Manager also offers an optional View Script button to create a Unicode text file that contains the current ADDSDeployment configuration as a single Windows PowerShell script. This enables you to use the Server Manager graphical interface as a Windows PowerShell deployment studio. Use the Active Directory Domain Services Configuration Wizard to configure options, export the configuration, and then cancel the wizard. This process creates a valid and syntactically correct sample for further modification or direct use. For example:

              #
              # Windows PowerShell Script for AD DS Deployment
              #
              Import-Module ADDSDeployment
              Install-ADDSDomainController `
              -AllowPasswordReplicationAccountName @("CORP\Allowed RODC Password Replication Group", "CORP\Chicago RODC Admins", "CORP\Chicago RODC Users and Computers") `
              -Credential (Get-Credential) `
              -CriticalReplicationOnly:$false `
              -DatabasePath "C:\Windows\NTDS" `
              -DelegatedAdministratorAccountName "CORP\Chicago RODC Admins" `
              -DenyPasswordReplicationAccountName @("BUILTIN\Administrators", "BUILTIN\Server Operators", "BUILTIN\Backup Operators", "BUILTIN\Account Operators", "CORP\Denied RODC Password Replication Group") `
              -DomainName "corp.contoso.com" `
              -InstallDNS:$true `
              -LogPath "C:\Windows\NTDS" `
              -ReadOnlyReplica:$true `
              -SiteName "Default-First-Site-Name" `
              -SYSVOLPath "C:\Windows\SYSVOL" `
              -Force:$true

Note

Server Manager generally fills in all arguments with values when promoting and does not rely on defaults (as they may change between future versions of Windows or service packs). The one exception to this is the -SafeModeAdministratorPassword argument. To force a confirmation prompt, omit the value when running the cmdlet interactively.

Use the optional -WhatIf argument with the Install-ADDSDomainController cmdlet to review configuration information. This enables you to see the explicit and implicit values of the arguments for a cmdlet.

Screenshot of the PowerShell window showing the results of the Install-ADDSDomainController cmdlet when there is no staging deployment.

Prerequisites Check

Screenshot of the Prerequisites Check page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

The Prerequisites Check is a new feature in AD DS domain configuration. This new phase validates that the server configuration is capable of supporting a new domain controller.

When installing a new domain controller, the Server Manager Active Directory Domain Services Configuration Wizard invokes a series of serialized modular tests. These tests alert you with suggested repair options. You can run the tests as many times as required. The domain controller process cannot continue until all prerequisite tests pass.

The Prerequisites Check also surfaces relevant information such as security changes that affect older operating systems.

You cannot bypass the Prerequisites Check when using Server Manager, but you can skip the process when using the AD DS Deployment cmdlet with the following argument:

              -skipprechecks                          

Click Install to begin the domain controller promotion process. This is the last opportunity to cancel the installation. You cannot cancel the promotion process once it begins. The computer will reboot automatically at the end of promotion, regardless of the promotion results.

Installation

Screenshot of the Installation page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

When the Installation page displays, the domain controller configuration begins and cannot be halted or canceled. Detailed operations display on this page and are written to logs:

  • %systemroot%\debug\dcpromo.log

  • %systemroot%\debug\dcpromoui.log

To install a new RODC using the ADDSDeployment module, use the following cmdlet:

              Install-addsdomaincontroller                          

See the ADDSDeployment Cmdlet table at the start of this section for required and optional arguments.

The Install-ADDSDomainController cmdlet only has two phases (prerequisite checking and installation). The two figures below show the installation phase with the minimum required arguments of -DomainName, -ReadOnlyReplica, -SiteName, and -Credential. Note how, just like Server Manager, Install-ADDSDomainController reminds you that promotion will reboot the server automatically:

Screenshot of the PowerShell window showing the result of the Install-addsdomaincontroller cmdlet when there is no staging deployment.

Screenshot of the PowerShell window showing the progress of the validation and installation when there is no staging deployment.

To accept the reboot prompt automatically, use the -Force or -Confirm:$false arguments with any ADDSDeployment Windows PowerShell cmdlet. To prevent the server from automatically rebooting at the end of promotion, use the -NoRebootOnCompletion argument.

Warning

Overriding the reboot is not recommended. The domain controller must reboot to function correctly. If you log off the domain controller, you cannot log back on interactively until you restart it.

Results

Screenshot of the Results page of the Active Directory Domain Services Configuration Wizard when there is no staging deployment.

The Results page shows the success or failure of the promotion and any important administrative information. The domain controller will automatically reboot after 10 seconds.
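After the reboot, the following added example (not part of the original article) checks what the Results page can no longer show once the server has restarted: that the computer is registered as a read-only replica in the intended site, that it holds no operations master roles, that dcpromo.log recorded no failures, and that inbound replication reports no errors. It is run on the new RODC itself; the expected site name Chicago is an assumption.

```powershell
# Added example, not from the original article. Run on the new RODC after the
# post-promotion reboot. Assumed: expected site name Chicago.
Import-Module ActiveDirectory

$expectedSite = 'Chicago'
$dc = Get-ADDomainController -Identity $env:COMPUTERNAME

$results = [ordered]@{
    'Registered as read-only' = $dc.IsReadOnly
    'In expected site'        = ($dc.Site -eq $expectedSite)
    'Global catalog'          = $dc.IsGlobalCatalog
    'Holds no FSMO roles'     = (@($dc.OperationMasterRoles).Count -eq 0)   # an RODC can never hold one
}
$results.GetEnumerator() | ForEach-Object { '{0,-26} {1}' -f ($_.Key + ':'), $_.Value }

# Promotion writes step-by-step status to dcpromo.log; anything marked as a failure deserves a look.
$logHits = Select-String -Path "$env:SystemRoot\debug\dcpromo.log" -Pattern 'fail' |
           Select-Object -Last 20
if ($logHits) {
    Write-Warning 'dcpromo.log contains failure entries:'
    $logHits | ForEach-Object { $_.Line }
}

# Inbound replication health. An RODC only pulls, so this lists the writable sources it depends on.
repadmin /showrepl $env:COMPUTERNAME /errorsonly

# Stop here rather than ship a server to the branch that is secretly a writable DC.
if (-not $dc.IsReadOnly) {
    throw "$env:COMPUTERNAME did not register as a read-only domain controller"
}
```

The IsReadOnly check is the one that matters most for security: a branch server that was promoted as a writable replica by mistake would hold every account secret in the domain, and the Results page alone will not make that distinction obvious.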