Scripting domain controller installations: A must for Server Core

DC installation scripts have always been around, but only now are admins likely to use them. Learn how to install a DC from the command line in Windows Server 2008.


Scripts for the automated installation of Microsoft Active Directory have been around since Windows 2000. At the same time, not many administrators have ever come across the need to script the installation of a domain controller (DC). While it's true that some large environments with hundreds or thousands of DCs may have used these scripts during massive rollouts, the majority of us have never gone further with the command line than typing "dcpromo" into a Windows Server's Run box … until now.

You see, Server Core in Windows Server 2008 arrives without a graphical user interface (GUI). This means that the bits and bytes that make up dcpromo's user interface simply can't be displayed on a Server Core instance. As such, the only way to turn a Server Core member server into a Server Core DC is through the command line. Server Core's minimal operating system combines perfectly with the typical DC's lightweight resource needs -- especially for virtualized DCs.

Let's take a look at a few examples of how to accomplish this.

First, the dcpromo command itself must be run from the command line. Running the command dcpromo /unattend:{pathToFile} will launch dcpromo and instruct it to gather its unattended installation parameters from the file at {pathToFile}. Be aware that running this command with the associated unattended installation file involves no further interaction by the administrator. For this reason, be very careful with the parameters you pass to dcpromo.

Below you'll see a basic unattended installation file for creating a brand new domain controller as the first DC in a new forest and domain, both named contoso.com:

; DCPROMO unattend file (automatically generated by dcpromo)
;
[DCInstall]
; New forest promotion
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=contoso.com
ForestLevel=3
DomainNetbiosName=CONTOSO
DomainLevel=3
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=Yes
DNSDelegationUserName=contoso.com\administrator
DNSDelegationPassword=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; RebootOnCompletion=Yes

You'll notice that the above file creates a new domain controller (as opposed to a replica DC) in a new forest. The DNS and NetBIOS names for the domain are both set in this file. The settings for ForestLevel and DomainLevel correspond to the Forest Functional Level and Domain Functional Level of Windows Server 2008. A setting of 2 or 1 here would correspond to Windows Server 2003 and Windows Server 2000 Native Mode. This creation script is also configured to create a Global Catalog, the DNS delegation and the NTDS files in their default locations.

Be sure to enter a strong password for Directory Services Safe Mode into the SafeModeAdminPassword line. If you don't, running the script will bring forward a dialog box that requires you to enter that password, preventing this script from running fully unattended.

Here's a second example. If you need to add a second domain controller to an existing domain, you can use the following unattended installation file:
 

; DCPROMO unattend file (automatically generated by dcpromo)
;
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
;
[DCInstall]
; Replica DC promotion
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=contoso.com
UserName=*
Password=*
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
; RebootOnCompletion=Yes

This file creates a replica DC for the contoso.com domain in the Default-First-Site-Name site. The server is configured with both DNS and Global Catalog services, and replication of Active Directory objects is handled over the network. As before, a password is needed for SafeModeAdminPassword, but here a username and password are also required to authenticate to the domain. Enter them in the UserName and Password fields above.
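A pre-flight check for the two answer files above, as an added example that is not part of the original article or of Microsoft's tooling: it flags the conditions the article says stop an unattended run (an empty SafeModeAdminPassword, credential fields left as "*") and notes any password the file holds in clear text. The function names are hypothetical, and the script assumes PowerShell 2.0 or later on the machine where the file is prepared, not on Server Core itself.

```powershell
# Added example (not from the article): lint a dcpromo answer file before use.
function Read-DcInstallSection {
    param([string[]]$Lines)
    $settings = @{}          # PowerShell hashtable keys are case-insensitive
    $inSection = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'DCInstall'); continue }
        if ($inSection -and $line -match '^([^=]+)=(.*)$') {
            $settings[$Matches[1].Trim()] = $Matches[2].Trim().Trim('"')
        }
    }
    $settings
}
function Test-DcPromoAnswerFile {
    param([string[]]$Lines)
    $s = Read-DcInstallSection -Lines $Lines
    $findings = @()
    # Key that must be present for each promotion type shown in the article
    $required = @{ Domain = 'NewDomainDNSName'; Replica = 'ReplicaDomainDNSName' }
    $mode = [string]$s['ReplicaOrNewDomain']
    if (-not $required.ContainsKey($mode)) {
        $findings += "ERROR ReplicaOrNewDomain='$mode' (the article uses Domain or Replica)"
    } elseif (-not $s[$required[$mode]]) {
        $findings += "ERROR $($required[$mode]) is missing or empty"
    }
    if (-not $s['SafeModeAdminPassword']) {
        $findings += 'ERROR SafeModeAdminPassword is empty: dcpromo will stop at a password dialog'
    }
    foreach ($key in 'UserName', 'Password', 'DNSDelegationPassword') {
        if ($s[$key] -eq '*') { $findings += "WARN  $key=* : credentials will be requested at run time" }
    }
    foreach ($key in 'SafeModeAdminPassword', 'Password', 'DNSDelegationPassword') {
        if ($s[$key] -and $s[$key] -ne '*') {
            $findings += "NOTE  $key is stored in clear text: restrict access to the file and delete it after the promotion"
        }
    }
    $findings
}
# Constructed sample: the article's replica file with nothing filled in yet.
$sample = @'
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
UserName=*
Password=*
SafeModeAdminPassword=
'@ -split "`r?`n"
Test-DcPromoAnswerFile -Lines $sample
```

To check an exported file, pass its lines instead of the sample: `Test-DcPromoAnswerFile -Lines (Get-Content {pathToFile})`.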

Now where did I get these scripts? Did I code them by hand? No. I'll admit that I cheated, and you should as well. In Windows Server 2008, the very last screen of the dcpromo wizard on a full Windows system has been updated with a new button. That new button, marked Export settings, makes the process of generating the script above very simple.

Here's a trick for creating your own script without any scripting:

  1. First, log on to an existing full instance of Windows Server 2008 and run the dcpromo command.
  2. Answer the questions in the wizard as if you were answering them on your candidate Server Core DC.
  3. When you complete the wizard, do not click to continue past its final screen. Instead, click the Export settings button to save your settings into an unattended installation file.
  4. Transfer this file to your Server Core instance and use it with the dcpromo command to run the DC installation there.

By completing this series of actions, you can easily create the necessary unattended installation with little fear of missing necessary steps. The Export settings button logs each of the necessary configurations to an unattended installation file for you. Once created, simply adjust any settings as necessary as you reuse the file across multiple DC installations.

If you need more settings that aren't part of the default script, see Microsoft's extremely detailed knowledgebase article on how to use unattended mode to remove and install ADDS.

 
Greg Shields, MCSE, is an independent author and consultant based in Denver with many years of IT architecture and enterprise administration experience. He is an IT trainer and speaker on such IT topics as Microsoft administration, systems management and monitoring, and virtualization. His recent book Windows Server 2008: What's New/What's Changed is available from Sapien Press.
 

 

This was first published in February 2009
