
Scripting domain controller installations: A must for Server Core

DC installation scripts have always been around, but only now are admins likely to use them. Learn how to install a DC from the command line in Windows Server 2008.

Scripts for the automated installation of Microsoft Active Directory have been around since Windows 2000. At the same time, not many administrators have ever come across the need to script the installation of a domain controller (DC). While it's true that some large environments with hundreds or thousands of DCs may have used these scripts during massive rollouts, the majority of us have never gone further with the command line than typing "dcpromo" into a Windows Server's Run box … until now.

You see, Server Core in Windows Server 2008 arrives without a graphical user interface (GUI). This means that the bits and bytes that make up dcpromo's user interface simply can't be displayed on a Server Core instance. As such, the only way to turn a Server Core member server into a Server Core DC is through the command line. Server Core's minimal operating system combines perfectly with the typical DC's lightweight resource needs -- especially for virtualized DCs.

Let's take a look at a few examples of how to accomplish this.

First, the dcpromo command itself must be run from the command line. Running the command dcpromo /unattend:{pathToFile} will launch dcpromo and instruct it to gather its unattended installation parameters from the file at {pathToFile}. Be aware that running this command with the associated unattended installation file involves no further interaction by the administrator. For this reason, be very careful with the parameters you pass to dcpromo.

Below you'll see a basic unattended installation file for creating a brand new domain controller as the first DC in a new forest and domain, both named

; DCPROMO unattend file (automatically generated by dcpromo)
; New forest promotion
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
; Run-time flags (optional)
; RebootOnCompletion=Yes

You'll notice that the above file creates a new domain controller (as opposed to a replica DC) in a new forest. The DNS and NetBIOS names for the domain are both set in this file. The settings for ForestLevel and DomainLevel correspond to the Forest Functional Level and Domain Functional Level of Windows Server 2008. A setting of 2 or 1 here would correspond to Windows Server 2003 and Windows Server 2000 Native Mode. This creation script is also configured to create a Global Catalog, the DNS delegation and the NTDS files in their default locations.

Be sure to enter a strong password for Directory Services Safe Mode into the SafeModeAdminPassword line. If you don't, running the script will bring forward a dialog box that requires you to enter that password, preventing this script from running fully unattended.

Here's a second example. If you need to add a second domain controller to an existing domain, you can use the following unattended installation file:

; DCPROMO unattend file (automatically generated by dcpromo)
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
; Replica DC promotion
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
; RebootOnCompletion=Yes

This file creates a replica DC for the domain in the Default-First-Site-Name site. The server is configured with both DNS and Global Catalog services, and replication of Active Directory objects is handled over the network. As before, a password is needed for SafeModeAdminPassword, but here a username and password are also required to authenticate to the domain. Enter the appropriate username and password for that domain authentication into the appropriate fields above.

Now where did I get these scripts? Did I code them by hand? No. I'll admit that I cheated, and you should as well. In Windows Server 2008, the very last screen of the dcpromo wizard on a full Windows system has been updated with a new button. That new button, marked Export settings, makes the process of generating the script above very simple.

Here's a trick for creating your own script without any scripting:

  1. First, log on to an existing full instance of Windows Server 2008 and run the dcpromo command.
  2. Answer the questions in the wizard as if you were answering them on your candidate Server Core DC.
  3. When you complete the wizard, do not click to continue past its final screen. Instead, click the Export settings button to save your settings into an unattended installation file.
  4. Transfer this file to your Server Core instance and use it with the dcpromo command to run the DC installation there.

By completing this series of actions, you can easily create the necessary unattended installation with little fear of missing necessary steps. The Export settings button logs each of the necessary configurations to an unattended installation file for you. Once created, simply adjust any settings as necessary as you reuse the file across multiple DC installations.
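The password handling described for both answer files, and the reuse of one file across several DC installations, as an added example that is not part of the original article: a Python pre-flight check, meant to run on the admin workstation before the file is copied to Server Core, that reports which secret fields will stop dcpromo with a prompt and which sit in the file in clear text, plus a helper that blanks them for a stored template. The `[DCInstall]` section and the `ReplicaOrNewDomain`, `ReplicaDomainDNSName`, `UserName` and `UserDomain` keys come from dcpromo's answer-file format rather than from this page, the sample values are constructed, and treating an empty or missing value the same as `*` for all three fields is an assumption.

```python
import configparser

# Fields the page names as holding secrets (keys compared case-insensitively).
SECRET_KEYS = ("safemodeadminpassword", "password", "dnsdelegationpassword")

# Constructed sample of a replica-DC answer file; every value is a placeholder.
SAMPLE = """\
; DCPROMO unattend file (constructed sample)
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=example.test
UserName=promo-admin
UserDomain=example.test
Password=*
SafeModeAdminPassword=
"""

def load_dcinstall(text):
    """Return the [DCInstall] section as a dict with lower-cased keys."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=(";",))
    cp.read_string(text)
    section = next((s for s in cp.sections() if s.lower() == "dcinstall"), None)
    if section is None:
        raise ValueError("no [DCInstall] section found")
    return {k: v.strip().strip('"') for k, v in cp[section].items()}

def preflight(text):
    """Report each secret field as 'prompt' (dcpromo will ask) or 'plaintext'."""
    settings = load_dcinstall(text)
    findings = []
    for key in SECRET_KEYS:
        value = settings.get(key)
        if value is None and key != "safemodeadminpassword":
            continue  # optional field not used by this promotion
        # Assumption: empty, missing and "*" all lead to a runtime prompt.
        status = "prompt" if value in (None, "", "*") else "plaintext"
        findings.append((key, status))
    return findings

def redact(text):
    """Blank the secret values so the file can be kept as a reusable template."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        out.append(key + "=" if sep and key.strip().lower() in SECRET_KEYS else line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for key, status in preflight(SAMPLE):
        print(f"{key}: {status}")
```

A `plaintext` finding means the file itself is now a credential: keep it off shared storage, restrict who can read it, and store only the `redact()` output as the template.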

If you need more settings that aren't part of the default script, see Microsoft's extremely detailed knowledgebase article on how to use unattended mode to remove and install ADDS.

Greg Shields, MCSE, is an independent author and consultant based in Denver with many years of IT architecture and enterprise administration experience. He is an IT trainer and speaker on such IT topics as Microsoft administration, systems management and monitoring, and virtualization. His recent book Windows Server 2008: What's New/What's Changed is available from Sapien Press.


This was last published in February 2009
