-
Notifications
You must be signed in to change notification settings - Fork 140
ADDomainController
dscbot edited this page Aug 18, 2024
·
6 revisions
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DomainName | Key | String | The fully qualified domain name (FQDN) of the domain the Domain Controller will be joining. | |
| Credential | Required | PSCredential | The credentials (as a 'PSCredential' object) of a user that has Domain Administrator rights to add the Domain Controller to the domain. | |
| SafemodeAdministratorPassword | Required | PSCredential | The 'PSCredential' object containing the password to use for Directory Services Restore Mode (DSRM). | |
| DatabasePath | Write | String | The path where the database will be stored. | |
| LogPath | Write | String | The path where the logs will be stored. | |
| SysvolPath | Write | String | The path where the Sysvol will be stored. | |
| SiteName | Write | String | The name of the site this Domain Controller will be added to. | |
| InstallationMediaPath | Write | String | The path of the media you want to use install the Domain Controller. | |
| IsGlobalCatalog | Write | Boolean | Specifies if the domain controller will be a Global Catalog (GC). | |
| Ensure | Read | String | Returns the state of the Domain Controller. | |
| ReadOnlyReplica | Write | Boolean | Indicates that the resource installs the domain controller as an Read-Only Domain Controller (RODC) for an existing domain. | |
| DelegatedAdministratorAccountName | Write | String | Specifies the user or group that is the delegated administrator of this Read-Only Domain Controller (RODC). | |
| AllowPasswordReplicationAccountName | Write | StringArray[] | Specifies an array of names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this Read-Only Domain Controller (RODC). | |
| DenyPasswordReplicationAccountName | Write | StringArray[] | Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this Read-Only Domain Controller (RODC). | |
| FlexibleSingleMasterOperationRole | Write | StringArray[] | Specifies one or more Flexible Single Master Operation (FSMO) roles to move to this domain controller. The current owner must be online and responding for the move to be allowed. |
DomainNamingMaster, SchemaMaster, InfrastructureMaster, PDCEmulator, RIDMaster
|
| InstallDns | Write | Boolean | Specifies if the DNS Server service should be installed and configured on the Domain Controller. If this is not set the default value of the parameter InstallDns of the cmdlet Install-ADDSDomainController is used. This parameter is only used during the provisioning of a domain controller. The parameter cannot be used to install or uninstall the DNS server on an already provisioned domain controller. |
|
| UseExistingAccount | Write | Boolean | Indicates that the resource attaches a server to an existing Read-Only Domain Controller (RODC) account. If specified, a member of the Domain Admins group or a delegated user can apply this resource. |
The ADDomainController DSC resource will install and configure domain controllers in Active Directory. Installation of Read-Only Domain Controllers (RODC) is also supported.
Promotion of a Domain Controller using an existing DNS is available using
the InstallDns parameter. The parameter specifies if the DNS Server service
should be installed and configured on the domain controller. If this is
not set the default value of the parameter InstallDns of the cmdlet
Install-ADDSDomainController
is used. The parameter InstallDns is only used during the provisioning
of a domain controller. The parameter cannot be used to install or uninstall
the DNS server on an already provisioned domain controller.
Note: If the account used for the parameter
Credentialcannot connect to another domain controller, for example using a credential without the domain name, then the cmdletInstall-ADDSDomainControllerwill seemingly halt (without reporting an error) when trying to replicate information from another domain controller. Make sure to use a correct domain account with the correct permission as the account for the parameterCredential.
The parameter FlexibleSingleMasterOperationRole is ignored until
the node has been provisioned as a domain controller. Take extra care
to make sure the Flexible Single Master Operation (FSMO) roles are moved
accordingly to avoid that two domain controller try to get to be the
owner of the same role (potential "ping-pong"-behavior).
The resource does not support seizing of Flexible Single Master Operation (FSMO) roles
- Target machine must be running Windows Server 2008 R2 or later.
This configuration will add a domain controller to the domain contoso.com.
Configuration ADDomainController_AddDomainControllerToDomainMinimal_Config
{
param
(
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$SafeModePassword
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName ActiveDirectoryDsc
node localhost
{
WindowsFeature 'InstallADDomainServicesFeature'
{
Ensure = 'Present'
Name = 'AD-Domain-Services'
}
WindowsFeature 'RSATADPowerShell'
{
Ensure = 'Present'
Name = 'RSAT-AD-PowerShell'
DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
}
WaitForADDomain 'WaitForestAvailability'
{
DomainName = 'contoso.com'
Credential = $Credential
DependsOn = '[WindowsFeature]RSATADPowerShell'
}
ADDomainController 'DomainControllerMinimal'
{
DomainName = 'contoso.com'
Credential = $Credential
SafeModeAdministratorPassword = $SafeModePassword
DependsOn = '[WaitForADDomain]WaitForestAvailability'
}
}
}This configuration will add a domain controller to the domain contoso.com, specifying all properties of the resource.
Configuration ADDomainController_AddDomainControllerToDomainAllProperties_Config
{
param
(
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$SafeModePassword
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName ActiveDirectoryDsc
node localhost
{
WindowsFeature 'InstallADDomainServicesFeature'
{
Ensure = 'Present'
Name = 'AD-Domain-Services'
}
WindowsFeature 'RSATADPowerShell'
{
Ensure = 'Present'
Name = 'RSAT-AD-PowerShell'
DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
}
WaitForADDomain 'WaitForestAvailability'
{
DomainName = 'contoso.com'
Credential = $Credential
DependsOn = '[WindowsFeature]RSATADPowerShell'
}
ADDomainController 'DomainControllerAllProperties'
{
DomainName = 'contoso.com'
Credential = $Credential
SafeModeAdministratorPassword = $SafeModePassword
DatabasePath = 'C:\Windows\NTDS'
LogPath = 'C:\Windows\Logs'
SysvolPath = 'C:\Windows\SYSVOL'
SiteName = 'Europe'
IsGlobalCatalog = $true
DependsOn = '[WaitForADDomain]WaitForestAvailability'
}
}
}This configuration will add a domain controller to the domain contoso.com using the information from media.
Configuration ADDomainController_AddDomainControllerToDomainUsingIFM_Config
{
param
(
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$SafeModePassword
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName ActiveDirectoryDsc
node localhost
{
WindowsFeature 'InstallADDomainServicesFeature'
{
Ensure = 'Present'
Name = 'AD-Domain-Services'
}
WindowsFeature 'RSATADPowerShell'
{
Ensure = 'Present'
Name = 'RSAT-AD-PowerShell'
DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
}
WaitForADDomain 'WaitForestAvailability'
{
DomainName = 'contoso.com'
Credential = $Credential
DependsOn = '[WindowsFeature]RSATADPowerShell'
}
ADDomainController 'DomainControllerWithIFM'
{
DomainName = 'contoso.com'
Credential = $Credential
SafeModeAdministratorPassword = $SafeModePassword
InstallationMediaPath = 'F:\IFM'
DependsOn = '[WaitForADDomain]WaitForestAvailability'
}
}
}This configuration will add a read-only domain controller to the domain contoso.com and specify a list of account, whose passwords are allowed/denied for synchronisation.
Configuration ADDomainController_AddReadOnlyDomainController_Config
{
param
(
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$SafeModePassword
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName ActiveDirectoryDsc
node localhost
{
WindowsFeature 'InstallADDomainServicesFeature'
{
Ensure = 'Present'
Name = 'AD-Domain-Services'
}
WindowsFeature 'RSATADPowerShell'
{
Ensure = 'Present'
Name = 'RSAT-AD-PowerShell'
DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
}
WaitForADDomain 'WaitForestAvailability'
{
DomainName = 'contoso.com'
Credential = $Credential
DependsOn = '[WindowsFeature]RSATADPowerShell'
}
ADDomainController 'Read-OnlyDomainController(RODC)'
{
DomainName = 'contoso.com'
Credential = $Credential
SafeModeAdministratorPassword = $SafeModePassword
ReadOnlyReplica = $true
SiteName = 'Default-First-Site-Name'
DelegatedAdministratorAccountName = 'contoso\adm.pvdi'
AllowPasswordReplicationAccountName = @('pvdi.test1', 'pvdi.test')
DenyPasswordReplicationAccountName = @('SVC_PVS', 'TA2SCVMM')
DependsOn = '[WaitForADDomain]WaitForestAvailability'
}
}
}This configuration will add a domain controller to the domain contoso.com, and when the configuration is enforced it will move the Flexible Single Master Operation (FSMO) role 'RIDMaster' from the current owner to this domain controller.
Configuration ADDomainController_AddDomainControllerAndMoveRole_Config
{
param
(
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$Credential,
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$SafeModePassword
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName ActiveDirectoryDsc
node localhost
{
WindowsFeature 'InstallADDomainServicesFeature'
{
Ensure = 'Present'
Name = 'AD-Domain-Services'
}
WindowsFeature 'RSATADPowerShell'
{
Ensure = 'Present'
Name = 'RSAT-AD-PowerShell'
DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
}
WaitForADDomain 'WaitForestAvailability'
{
DomainName = 'contoso.com'
Credential = $Credential
DependsOn = '[WindowsFeature]RSATADPowerShell'
}
ADDomainController 'DomainControllerMinimal'
{
DomainName = 'contoso.com'
Credential = $Credential
SafeModeAdministratorPassword = $SafeModePassword
FlexibleSingleMasterOperationRole = @('RIDMaster')
DependsOn = '[WaitForADDomain]WaitForestAvailability'
}
}
}This configuration will add a domain controller to the domain contoso.com without installing the local DNS server service and using the one in the existing domain.
Configuration ADDomainController_AddDomainControllerUsingInstallDns_Config
{
param
(
[Parameter(Mandatory = $true)]
[ValidateNotNullOrEmpty()]
[System.Management.Automation.PSCredential]
$Credential
)
Import-DscResource -ModuleName PSDesiredStateConfiguration
Import-DscResource -ModuleName ActiveDirectoryDsc
node localhost
{
WindowsFeature 'InstallADDomainServicesFeature'
{
Ensure = 'Present'
Name = 'AD-Domain-Services'
}
WindowsFeature 'RSATADPowerShell'
{
Ensure = 'Present'
Name = 'RSAT-AD-PowerShell'
DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
}
WaitForADDomain 'WaitForestAvailability'
{
DomainName = 'contoso.com'
Credential = $Credential
DependsOn = '[WindowsFeature]RSATADPowerShell'
}
ADDomainController 'DomainControllerUsingExistingDNSServer'
{
DomainName = 'contoso.com'
Credential = $Credential
SafeModeAdministratorPassword = $Credential
InstallDns = $false
DependsOn = '[WaitForADDomain]WaitForestAvailability'
}
}
}- ADComputer
- ADDomain
- ADDomainController
- ADDomainControllerProperties
- ADDomainDefaultPasswordPolicy
- ADDomainFunctionalLevel
- ADDomainTrust
- ADFineGrainedPasswordPolicy
- ADForestFunctionalLevel
- ADForestProperties
- ADGroup
- ADKDSKey
- ADManagedServiceAccount
- ADObjectEnabledState
- ADObjectPermissionEntry
- ADOptionalFeature
- ADOrganizationalUnit
- ADReadOnlyDomainControllerAccount
- ADReplicationSite
- ADReplicationSiteLink
- ADReplicationSubnet
- ADServicePrincipalName
- ADUser
- Home
- WaitForADDomain