Deploy Your First Active Directory Forest and Domain | Microsoft Press Store

Deploy your first forest

Most Windows organization administrators will probably never have to create a new forest in an environment where there has never been one before. Most of us join a company and an environment that has been up and running for some time, and our tasks are focused on maintaining that existing environment: adding users and groups, adding domain controllers to existing domains, and even adding new domains to an existing forest. I'll cover all of those tasks in this book, and you can certainly jump ahead to the chapter that covers what you want to accomplish. But for those who are tasked with creating a new environment, it's crucial to do the job properly, and that means planning first.
This is not a book on how to plan a new namespace and Active Directory forest. Instead of covering that here, I suggest that you read Chapters 3 and 4 of Windows Server 2008 Administrator's Companion (Microsoft Press, 2008). Yes, it's been a while since I wrote those chapters, but they're still valid today and will give you a solid understanding of the process.
Before you begin, make sure you have identified all the elements you'll need to configure as you set up the server you'll use to create your new forest and domain, and what the values for those are. The exact list you'll want will vary depending on the results of the preliminary planning you've done and your network configuration, but it will probably include at least the following:

  • Server IP address
  • Server name
  • Domain Name System (DNS) namespace for the root domain of the new forest
  • Domain name for the root domain of the new forest
  • DNS server type (Active Directory–integrated, or stand-alone)

A note here about the server IP address: your domain controllers should ideally all use static IP addresses, but your first domain controller definitely should be at a fixed IP address.

Configure the server IP address

You can configure the server's name before the IP address, but when you do, it costs an extra reboot because the name change requires a reboot, so I like to do the IP address first. Setting a fixed IP address for a computer requires four commands: one to get the name and index of the network adapter you're setting to a fixed IP address, and three to configure the settings for that adapter.

Get the adapter alias and index

Before you can configure new settings for a network adapter, you need to know either the adapter's interface alias (name) or interface index. The interface alias corresponds to the name shown in the Network Connections dialog box (ncpa.cpl). To determine the interface alias and interface index, use the Get-NetAdapter cmdlet.

Name        InterfaceDescription                  ifIndex Status    MacAddress          LinkSpeed
----        --------------------                  ------- ------    ----------          ---------
10 Network  Microsoft Hyper-V Network Adapter #2        4 Up        00-15-5D-32-10-02   10 Gbps
50 Network  Microsoft Hyper-V Network Adapter           3 Disabled  00-15-5D-32-50-02   1 Gbps

The default output from Get-NetAdapter uses the Name column for the InterfaceAlias property and the ifIndex column for the InterfaceIndex property. To view all the properties and the actions associated with Get-NetAdapter, use the following.

Get-NetAdapter | Get-Member

Set a fixed IP address

To set a fixed IP address for this first domain controller in the forest, you need to first disable Dynamic Host Configuration Protocol (DHCP) and then set the IPv4 and IPv6 addresses. For the lab network used in this book, I have chosen as the IPv4 subnet, and 2001:db8:0:10::/64 as the IPv6 subnet.
To disable DHCP on the 10 Network adapter, use the following command.

Set-NetIPInterface -InterfaceAlias "10 Network" -DHCP Disabled -PassThru

The Set-NetIPInterface cmdlet is a quiet cmdlet that doesn't return anything by default, so I added the -PassThru parameter to have it report back on the status of the IP interface.
Next, set the static IPv4 address to by using the following command.

New-NetIPAddress `
     -AddressFamily IPv4 `
     -InterfaceAlias "10 Network" `
     -IPAddress `
     -PrefixLength 24 `

Now set the IPv6 address to 2001:db8:0:10::2 by using the following command.

New-NetIPAddress `
     -AddressFamily IPv6 `
     -InterfaceAlias "10 Network" `
     -IPAddress 2001:db8:0:10::2 `
     -PrefixLength 64 `
     -DefaultGateway 2001:db8:0:10::1

The New-NetIPAddress cmdlet automatically selects the IPv4 or IPv6 address family based on the address given in the command, so you can omit the -AddressFamily parameter from the preceding commands if you want.

Set the DNS server addresses

The final part of setting a fixed IP address is to set the DNS server addresses. Because your first domain controller in the new forest should also be your DNS server, that's fairly easy to do by using the Set-DnsClientServerAddress cmdlet.

Set-DnsClientServerAddress `
     -InterfaceAlias "10 Network" `

So, when you pull all that together and run it on the first domain controller in your new forest, you can then run Get-NetIPAddress and get something like the following.

Get-NetIPAddress -InterfaceAlias "10 Network"
IPAddress         : 2001:db8:0:10::2 
InterfaceIndex    : 4 
InterfaceAlias    : 10 Network 
AddressFamily     : IPv6 
Type              : Unicast 
PrefixLength      : 64 
PrefixOrigin      : Manual 
SuffixOrigin      : Manual 
AddressState      : Preferred 
ValidLifetime     : Infinite ([TimeSpan]::MaxValue) 
PreferredLifetime : Infinite ([TimeSpan]::MaxValue) 
SkipAsSource      : False 
PolicyStore       : ActiveStore

IPAddress         :
InterfaceIndex    : 4 
InterfaceAlias    : 10 Network 
AddressFamily     : IPv4 
Type              : Unicast 
PrefixLength      : 24 
PrefixOrigin      : Manual 
SuffixOrigin      : Manual 
AddressState      : Preferred 
ValidLifetime     : Infinite ([TimeSpan]::MaxValue) 
PreferredLifetime : Infinite ([TimeSpan]::MaxValue) 
SkipAsSource      : False 
PolicyStore       : ActiveStore
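Pulling the four steps together into one re-runnable script, with a verification pass at the end, looks like the following. This is an added example and not the book's own code: the adapter alias "10 Network" and the IPv6 addresses come from the chapter, while the IPv4 subnet 10.0.10.0/24 and both gateway addresses are constructed for this example, so substitute the values from your own plan.

```powershell
# Added example (not from the book): apply the fixed-address procedure to the
# first DC's adapter and verify the result. "10 Network" and the IPv6 values are
# from the chapter; 10.0.10.0/24 and both gateways are constructed assumptions.
$Alias = '10 Network'
$IPv4  = '10.0.10.2';        $IPv4Gateway = '10.0.10.1'
$IPv6  = '2001:db8:0:10::2'; $IPv6Gateway = '2001:db8:0:10::1'

# Step 1: resolve the adapter by alias and refuse to touch one that is not Up.
$adapter = Get-NetAdapter -Name $Alias -ErrorAction Stop
if ($adapter.Status -ne 'Up') {
    throw "Adapter '$Alias' (ifIndex $($adapter.ifIndex)) is $($adapter.Status); not configuring it."
}

# Step 2: disable DHCP for both address families before assigning static addresses.
foreach ($family in 'IPv4', 'IPv6') {
    Set-NetIPInterface -InterfaceAlias $Alias -AddressFamily $family -Dhcp Disabled
}

# Step 3: add each static address, skipping any that is already present so the
# script can be re-run without New-NetIPAddress failing on a duplicate.
function Add-StaticAddress {
    param([string]$Address, [int]$PrefixLength, [string]$Gateway)
    $existing = Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $Address -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-NetIPAddress -InterfaceAlias $Alias -IPAddress $Address `
                     -PrefixLength $PrefixLength -DefaultGateway $Gateway
}
Add-StaticAddress -Address $IPv4 -PrefixLength 24 -Gateway $IPv4Gateway
Add-StaticAddress -Address $IPv6 -PrefixLength 64 -Gateway $IPv6Gateway

# Step 4: the first DC will also be the DNS server, so point the DNS client at itself.
Set-DnsClientServerAddress -InterfaceAlias $Alias -ServerAddresses $IPv4, $IPv6

# Verify: DHCP off, both addresses Manual and Preferred, DNS client listing this host.
# A fresh address reads Tentative while duplicate-address detection runs, so wait briefly.
Start-Sleep -Seconds 3
$problems = @()
foreach ($family in 'IPv4', 'IPv6') {
    $iface = Get-NetIPInterface -InterfaceAlias $Alias -AddressFamily $family
    if ($iface.Dhcp -ne 'Disabled') { $problems += "$family DHCP is still enabled" }
}
foreach ($addr in $IPv4, $IPv6) {
    $a = Get-NetIPAddress -InterfaceAlias $Alias -IPAddress $addr -ErrorAction SilentlyContinue
    if (-not $a -or $a.PrefixOrigin -ne 'Manual' -or $a.AddressState -ne 'Preferred') {
        $problems += "$addr is missing, not Manual, or not Preferred"
    }
}
$dns = (Get-DnsClientServerAddress -InterfaceAlias $Alias).ServerAddresses
if (-not ($dns -contains $IPv4)) { $problems += "DNS client does not list $IPv4" }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else           { Write-Output "Fixed addressing on '$Alias' verified." }
```

Run it in an elevated Windows PowerShell session on the server itself. The verification block is the part worth keeping around: it is the same set of facts you would otherwise read off the Get-NetIPAddress output above, but checked for you rather than eyeballed.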

Set the server name

Before you actually deploy your new forest, you should set the name of your domain controller to match your naming convention. Changing the name of a computer causes a reboot, which is why you should delay that change until after all the IP address setup is done. To change the name of the new server to trey-dc-02, use the Rename-Computer cmdlet with the following syntax.

Rename-Computer -NewName trey-dc-02 -Restart -Force -PassThru

This changes the name of the server and automatically restarts it. The -Force parameter suppresses the confirmation prompt, and the -PassThru parameter returns the results of the command. After the server restarts, you're ready to actually deploy your forest.

Install Active Directory Domain Services

Before you can promote the server to be a domain controller, you need to install the Active Directory Domain Services role on the server. Installing a role or feature uses the Install-WindowsFeature cmdlet. This cmdlet replaces the Add-WindowsFeature cmdlet used in Windows Server 2008 R2. For compatibility, Add-WindowsFeature is an alias to Install-WindowsFeature. The command to install AD DS, including the management tools required, is as follows.

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

This installs AD DS on the server and includes both the graphical and Windows PowerShell tools that are used to manage and deploy Active Directory. For the purposes of this book, this includes two Windows PowerShell modules: ActiveDirectory and ADDSDeployment.
The Install-WindowsFeature cmdlet includes additional parameters not shown here. The ones of most interest are the -IncludeAllSubFeature, -Credential, -ComputerName, and -Vhd parameters. The -Vhd parameter deserves some explanation. By using this parameter, you can use Install-WindowsFeature to add Windows Server roles and features to an offline VHD file, allowing you to "pre-load" features without having to bring the virtual machine (VM) online. The VHD file can be local or remote. If it is remote, the Universal Naming Convention (UNC) path to the VHD is the value of the parameter. When the -Vhd parameter is combined with the -ComputerName parameter, the VHD can actually be modified from the remote computer.

Create the forest (dcpromo)

Beginning with Windows Server 2000, and right up until Windows Server 2012, the command-line method to create a new domain controller was to use the dcpromo command. But beginning with Windows Server 2012, dcpromo has been replaced with the ADDSDeployment module. This module supports remoting so that you can promote a server to a domain controller, create a new domain, or even create a new forest, without logging on to the server that is being promoted. To view the cmdlets in this module, use the following syntax.

Get-Command -Module ADDSDeployment | Format-Table Name

As you can see, just about all of the various promote/demote/test possibilities are included in the module. The five Test cmdlets need a bit of explanation. Each of these cmdlets allows you to actually test whether all prerequisites are met before you run the Install or Add cmdlet of the same noun. This means you can fully test your environment before committing. The Install and Add nouns actually perform these same tests and will error out if any of them fail. However, the time to find out that you've got a problem is not the weekend you're actually performing the installation, but well ahead, so that you can correct any deficiencies and be prepared for success.

Update Windows PowerShell help

Before you go any further, it's a good idea to update your Windows PowerShell help files. Unfortunately, there are only stub help files (man pages) included with Windows PowerShell. This allows Microsoft to update the help files on a regular basis, but it isn't terribly helpful if you're using an unfamiliar command. The only full help file included with Windows PowerShell is that for the Update-Help cmdlet.
You need to be running with administrative privileges to update the help files. You can update directly from Microsoft (the default) or update from a network share. The basic command is the following.

Update-Help

Yes, it is just that simple. This downloads and installs help files for all modules in the current session and for any modules found in the $PSModulePath locations. If you run it on a computer that already has the help files installed, it will check the current version against the update version and install only those that are new. You can install help files from a network share by using the -SourcePath parameter:

Update-Help -SourcePath \\trey-dc-02\PSHelp

It's a good idea to get in the habit of updating help files whenever you add new modules to a server. If you have servers that don't have Internet access, or if you simply want to control your Internet bandwidth, you can use the Save-Help cmdlet to download and save the newest help files to a network share. The command to force an update to the current help files and then save them to the \\trey-dc-02\PSHelp share is the following.

Save-Help -DestinationPath \\trey-dc-02\PSHelp -Force
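The two halves of that workflow, staging help on the share from a connected machine and pulling it onto the isolated domain controller, are shown together below as an added example (not the book's own commands). The share path \\trey-dc-02\PSHelp is from the chapter; the module list and the two function names are this example's own choices.

```powershell
# Added example, not the book's commands: stage help for the modules this chapter
# uses on the share from an Internet-connected machine, then update an isolated
# server from that share and confirm a cmdlet now carries full help, not the stub.
$Share   = '\\trey-dc-02\PSHelp'            # share path from the chapter
$Modules = 'ActiveDirectory', 'ADDSDeployment', 'NetAdapter', 'NetTCPIP', 'DnsClient'

# Run on the connected machine. Save-Help can only save help for modules that are
# installed there, so that machine needs the AD DS tools as well. -Force bypasses
# the once-per-day throttle and re-downloads even if nothing changed.
function Publish-LabHelp {
    Save-Help -Module $Modules -DestinationPath $Share -Force -ErrorAction Continue
    # One <Module>_<GUID>_HelpInfo.xml per module shows what was actually staged.
    Get-ChildItem -Path $Share -Filter '*_HelpInfo.xml' | Select-Object Name, LastWriteTime
}

# Run on the isolated server in an elevated session, then check the help depth:
# stub help has no Examples section, full help does.
function Update-LabHelp {
    Update-Help -Module $Modules -SourcePath $Share -Force
    $help = Get-Help -Name Install-ADDSForest -Full
    if ($help.examples) { 'Full help present for Install-ADDSForest' }
    else                { Write-Warning "Install-ADDSForest still has stub help; check $Share" }
}
```

Calling Publish-LabHelp on the connected machine and then Update-LabHelp on the domain controller is the whole procedure; restricting both to a module list keeps the share small and makes it obvious when a module you care about was not staged.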

Test the forest creation

Before you start your weekend forest creation, only to discover in the middle of the process that you don't have the necessary prerequisites, it's a good practice to use the appropriate Test cmdlet to verify your environment. For creating the first forest in this book, that means using the Test-ADDSForestInstallation cmdlet. To test the trey-dc-02 server, which is sitting in a completely isolated lab environment and has no DNS on the network, use the Test-myForestCreate.ps1 script.

Import-Module ADDSDeployment
Test-ADDSForestInstallation `
     -DomainName '' `
     -DomainNetBiosName 'TREYRESEARCH' `
     -DomainMode 6 `
     -ForestMode 6 `
     -NoDnsOnNetwork `

This script imports the ADDSDeployment module into the current session and then tests the environment to find out whether installing the new forest will succeed. (And before I get comments: yes, I know that the Import-Module step is no longer required. But it's a good habit from the old days to explicitly load a nonstandard module when I know I'm going to need it.) The results of the test are shown in Figure 1-1.
As you can see, the Test-ADDSForestInstallation cmdlet returns two warnings. One is about the security settings; it warns about compatibility with some older versions of Windows NT due to a change in the cryptography. This is normal and expected, and it can be ignored unless you have computers or devices on your network that require settings that are compatible with Windows NT 4.0. The second is a delegation warning for DNS. This is also expected in most cases. Neither warning is sufficient to stop the installation or create problems, so you're ready to proceed.

Deploy the first domain controller and forest

At this point, you've configured your server, added the necessary Windows PowerShell modules and the Windows Server roles, and tested your environment. All is ready to do the actual initial deployment of your first domain controller and root AD DS forest.
The actual command to install the new forest and domain is almost identical to the Test-ADDSForestInstallation command in the Test-myForest script. The main difference is that this time, you do want to reboot the server when the installation is finished, and because you just ran the tests, you can skip them.

Install-ADDSForest `
     -DomainName '' `
     -DomainNetBiosName 'TREYRESEARCH' `
     -DomainMode 6 `
     -ForestMode 6 `
     -NoDnsOnNetwork `
     -SkipPreChecks `
     -Force

The only other thing added here is a -Force parameter to suppress any confirmation prompts. You'll still be prompted for the value of the Directory Services Restore Mode (DSRM) password. You can avoid even that by using the -SafeModeAdministratorPassword parameter with a SecureString value equivalent to your password. If you're automating a batch of forest (or domain) creations, such as in a lab environment, use this syntax to set the DSRM password to a value of P@ssw0rd!.

$pwdSS = ConvertTo-SecureString -String 'P@ssw0rd!' -AsPlainText -Force

This is a good time to point out the difference between single quotation marks and double quotation marks in Windows PowerShell. Both are used to identify strings, but a single quote doesn't allow the expansion or interpretation of special characters or variables inside the quotation marks, whereas double quotation marks do allow expansion. It's generally considered good practice to use single quotation marks unless you actually need variable expansion, but I don't always follow that practice. Here, however, it's a particularly good idea to use single quotation marks around a password string to avoid any interpretation of special characters.
The acceptable values for ForestMode and DomainMode are shown in Table 1-1.

Table 1-1 Acceptable DomainMode and ForestMode values

Functional level        Numeric   String
Windows Server 2003     2         Win2003
Windows Server 2008     3         Win2008
Windows Server 2008 R2  4         Win2008R2
Windows Server 2012     5         Win2012
Windows Server 2012 R2  6         Win2012R2

The default forest functional level for Windows Server is typically the same as the Windows Server version, with the exception that the default for Windows Server 2008 R2 is a forest functional level of Windows Server 2003.
The domain functional level can never be less than the forest functional level, but it can be higher. If the DomainMode isn't specified, it is computed from the environment.
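Test first, then install with the same settings, is the pattern the last two sections describe. The following added example (not the book's Test-myForestCreate.ps1 or its Install-ADDSForest command) wires the two together so the install only runs when the test reports success. The NetBIOS name TREYRESEARCH, the isolated-lab -NoDnsOnNetwork switch and the Win2012R2 level (numeric 6 in Table 1-1) are from the chapter; the DNS domain name is a placeholder because the chapter's value is missing from this copy, and the Status check is an assumption about the shape of the result object.

```powershell
# Added example, not the book's script: run the prerequisite test and create the
# forest only when it reports Success. The domain name is a placeholder; the
# Status property check is an assumption about the cmdlet's result object.
Import-Module ADDSDeployment

$forestParams = @{
    DomainName        = 'treyresearch.example'   # placeholder: use your planned root domain
    DomainNetBiosName = 'TREYRESEARCH'
    DomainMode        = 'Win2012R2'              # same level as the numeric 6 in Table 1-1
    ForestMode        = 'Win2012R2'
    NoDnsOnNetwork    = $true
}

# Read the DSRM password interactively so it never lands in the script file or a
# transcript. For unattended lab builds the chapter's ConvertTo-SecureString line
# can replace this, at the cost of a plaintext password in the script.
$dsrmPassword = Read-Host -Prompt 'DSRM (safe mode) password' -AsSecureString

$test = Test-ADDSForestInstallation @forestParams -SafeModeAdministratorPassword $dsrmPassword
$test | Format-List Message, Status, RebootRequired

# Assumption: Status reads 'Success' when only warnings (the NT 4.0 cryptography and
# DNS delegation warnings the chapter describes) were raised, and 'Error' otherwise.
if ("$($test.Status)" -ne 'Success') {
    throw "Prerequisite test did not pass; fix the issues above before installing.`n$($test.Message)"
}

# Identical settings, plus -SkipPreChecks (the tests just ran) and -Force (no prompts).
# The server reboots when the installation completes, which is what you want here.
Install-ADDSForest @forestParams -SafeModeAdministratorPassword $dsrmPassword -SkipPreChecks -Force
```

Splatting one hashtable into both cmdlets is the point of the example: the test and the install cannot drift apart, which is the only condition under which skipping the pre-checks on Install-ADDSForest is reasonable.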
MORE information

For more information about AD DS functional levels, see the "Understanding Active Directory Domain Services (AD DS) Functional Levels" TechNet article at http://.
When you create the new forest, the server is rebooted, and the only account active on the server is the TREYRESEARCH\Administrator account, which has the same password as the safe mode password you used with Install-ADDSForest.
To find out what Forest Mode, Domain Mode, and Schema Version you've just created, use the following.

<#
.Synopsis
Get the current Schema version and Forest and Domain Modes
.Description
The Get-myADVersion script queries the AD to discover the current AD schema version,
and the forest mode and domain mode. If run without parameters, it will query the
current AD context, or if a Domain Controller is specified, it will query against
that DC's context. Must be run as a user with sufficient privileges to query AD DS.
.Example
Get-myADVersion
Queries against the current AD context.
.Example
Get-myADVersion -DomainController Trey-DC-02
Gets the AD versions for the Domain Controller "Trey-DC-02"
.Parameter DomainController
Specifies the domain controller to query. This will change the response to match
the AD context of the DC.
.Notes
    Author: Charlie Russel
 Copyright: 2015 by Charlie Russel
          : Permission to use is granted but attribution is appreciated
   Initial: 3/7/2015 (cpr)
#>
[CmdletBinding()]
param(
    [string]$DomainController
)

# Get-ADRootDSE and Get-ADObject come from the ActiveDirectory module installed
# with the AD DS management tools.
Import-Module ActiveDirectory

if ($DomainController) {
   $AD = Get-ADRootDSE -Server $DomainController
   Get-ADObject $AD.SchemaNamingContext -Server $DomainController `
                                        -Property ObjectVersion
} else {
   $AD = Get-ADRootDSE
   Get-ADObject $AD.SchemaNamingContext -Property ObjectVersion
}
$Forest = $AD.ForestFunctionality
$Domain = $AD.DomainFunctionality
# Use a Here-String to print out the result.
$VersionCodes = @"
Forest: $Forest
Domain: $Domain
Where the Schema version is:
72 = Windows Server Technical Preview Build 9841
69 = Windows Server 2012 R2
56 = Windows Server 2012
47 = Windows Server 2008 R2
44 = Windows Server 2008
31 = Windows Server 2003 R2
30 = Windows Server 2003
13 = Windows 2000
"@
$VersionCodes

The result of running Get-myADVersion is shown in Figure 1-2.

Figure 1-2 Results show that the schema version for Preview Build 9841 is 72
Install-ADDSForest has some additional options that might be useful in your environment and that allow you to tweak the initial configuration. Table 1-2 shows a full list of the options for Install-ADDSForest.

Table 1-2 Key parameters for Install-ADDSForest

Parameter                         Type          Description
-DomainName                       String        The fully qualified domain name of the new domain ( in this book's example).
[-CreateDnsDelegation]            Boolean       Attempts to create a DNS delegation to the new DNS server.
[-DatabasePath]                   String        The location to store the domain database. Must be a local fixed disk.
[-DnsDelegationCredential]        PSCredential  A credential object with permission to create the DNS delegation.
[-DomainMode]                     DomainMode    The AD DS domain functional level of the new domain.
[-DomainNetbiosName]              String        The NetBIOS name of the new domain (TREYRESEARCH in this book's example).
[-ForestMode]                     ForestMode    The AD DS forest functional level of the new forest.
[-Force]                          Boolean       Suppresses confirmation prompts.
[-InstallDns]                     Boolean       Installs Active Directory Integrated DNS server. Default value is calculated based on the environment.
[-LogPath]                        String        Path to the log of the install.
[-NoDnsOnNetwork]                 Boolean       Specifies that there are no DNS servers present on the network. Active Directory Integrated DNS is installed, and the network adapter or adapters are configured to use and ::1 as the DNS server.
[-NoRebootOnCompletion]           Boolean       Prevents the server from rebooting after the installation completes. Fair warning: the server is in an interim state and is not stable. Using this switch is truly a bad idea.
[-SafeModeAdministratorPassword]  SecureString  Sets the DSRM password. If it is not specified, the user is prompted for the password and a confirm password.
[-SkipAutoConfigureDns]           Boolean       Skips automatic configuration of DNS settings. Used if the DNS Server service is already installed.
[-SkipPreChecks]                  Boolean       Doesn't test the environment to find out whether the installation will succeed. Only recommended when you're separately running Test-ADDSForestInstallation.
[-SysvolPath]                     String        Fully qualified local path to the fixed disk where the SYSVOL file is written.