Some PowerShell commands to quickly build a Windows Server 2012 R2 DC for a new forest/domain in a lab environment. This includes some configuration changes to DNS, setting an external time source, building an OU structure, and creating administrative user accounts.
Setting up the NIC, Renaming the Computer, and Rebooting
# Define the Computer Name $computerName = "dc1" # Define the IPv4 Addressing $IPv4Address = "10.10.100.25" $IPv4Prefix = "24" $IPv4GW = "10.10.100.1" $IPv4DNS = "8.8.8.8" # Get the Network Adapter's Prefix $ipIF = (Get-NetAdapter).ifIndex # Turn off IPv6 Random & Temporary IP Assignments Set-NetIPv6Protocol -RandomizeIdentifiers Disabled Set-NetIPv6Protocol -UseTemporaryAddresses Disabled # Turn off IPv6 Transition Technologies Set-Net6to4Configuration -State Disabled Set-NetIsatapConfiguration -State Disabled Set-NetTeredoConfiguration -Type Disabled # Add IPv4 Address, Gateway, and DNS New-NetIPAddress -InterfaceIndex $ipIF -IPAddress $IPv4Address -PrefixLength $IPv4Prefix -DefaultGateway $IPv4GW Set-DNSClientServerAddress –interfaceIndex $ipIF –ServerAddresses $IPv4DNS # Rename the Computer, and Restart Rename-Computer -NewName $computerName -force Restart-Computer
Install the ADDS Bits and Promote
$domainName = "contoso.com"
$netBIOSname = "CONTOSO"
$mode = "Win2012R2"
Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
Import-Module ADDSDeployment
$forestProperties = @{
DomainName = $domainName
DomainNetbiosName = $netBIOSname
ForestMode = $mode
DomainMode = $mode
CreateDnsDelegation = $false
InstallDns = $true
DatabasePath = "C:\Windows\NTDS"
LogPath = "C:\Windows\NTDS"
SysvolPath = "C:\Windows\SYSVOL"
NoRebootOnCompletion = $false
Force = $true
}
Install-ADDSForest @forestProperties
Note: When prompted, enter a Safe Mode Administrator password.
DNS, Sites & Services, and Time Keeping
# Define DNS and Sites & Services Settings
$IPv4netID = "10.10.100.0/24"
$siteName = "LAB"
$location = "New Lab City"
# Define Authoritative Internet Time Servers
$timePeerList = "0.us.pool.ntp.org 1.us.pool.ntp.org"
# Add DNS Reverse Lookup Zones
Add-DNSServerPrimaryZone -NetworkID $IPv4netID -ReplicationScope 'Forest' -DynamicUpdate 'Secure'
# Make Changes to Sites & Services
$defaultSite = Get-ADReplicationSite | Select DistinguishedName
Rename-ADObject $defaultSite.DistinguishedName -NewName $siteName
New-ADReplicationSubnet -Name $IPv4netID -site $siteName -Location $location
# Re-Register DC's DNS Records
Register-DnsClient
# Enable Default Aging/Scavenging Settings for All Zones and this DNS Server
Set-DnsServerScavenging –ScavengingState $True –ScavengingInterval 7:00:00:00 –ApplyOnAllZones
$Zones = Get-DnsServerZone | Where-Object {$_.IsAutoCreated -eq $False -and $_.ZoneName -ne 'TrustAnchors'}
$Zones | Set-DnsServerZoneAging -Aging $True
# Set Time Configuration
w32tm /config /manualpeerlist:$timePeerList /syncfromflags:manual /reliable:yes /update
Build an OU Structure
$baseDN = "DC=contoso,DC=com" $resourcesDN = "OU=Resources," + $baseDN New-ADOrganizationalUnit "Resources" -path $baseDN New-ADOrganizationalUnit "Admin Users" -path $resourcesDN New-ADOrganizationalUnit "Groups Security" -path $resourcesDN New-ADOrganizationalUnit "Service Accounts" -path $resourcesDN New-ADOrganizationalUnit "Workstations" -path $resourcesDN New-ADOrganizationalUnit "Servers" -path $resourcesDN New-ADOrganizationalUnit "Users" -path $resourcesDN
Enable the Recycle Bin
$ForestFQDN = "contoso.com" $SchemaDC = "dc1.contoso.com" Enable-ADOptionalFeature –Identity 'Recycle Bin Feature' –Scope ForestOrConfigurationSet –Target $ForestFQDN -Server $SchemaDC -confirm:$false
Create User Accounts
# Prompt for a Password $Password = Read-Host -assecurestring "User Password"
# Create a Privileged Account
$userProperties = @{
Name = "John Dougherty EA"
GivenName = "John"
Surname = "Dougherty EA"
DisplayName = "John Dougherty EA"
Path = "OU=Admin Users,OU=Resources,DC=Contoso,DC=com"
SamAccountName = "dougherty-ea"
UserPrincipalName = "dougherty-ea@contoso.com"
AccountPassword = $Password
PasswordNeverExpires = $True
Enabled = $True
Description = "Contoso Enterprise Admin"
}
New-ADUser @userProperties
# Add Privileged Account to EA, DA, & SA Groups
Add-ADGroupMember "Domain Admins" $userProperties.SamAccountName
Add-ADGroupMember "Enterprise Admins" $userProperties.SamAccountName
Add-ADGroupMember "Schema Admins" $userProperties.SamAccountName
# Create a Non-Privileged User Account
$userProperties = @{
Name = "John Dougherty"
GivenName = "John"
Surname = "Dougherty"
DisplayName = "John Dougherty"
Path = "OU=Users,OU=Resources,DC=Contoso,DC=com"
SamAccountName = "john.dougherty"
UserPrincipalName = "john.dougherty@contoso.com"
AccountPassword = $Password
PasswordNeverExpires = $True
Enabled = $True
Description = "Contoso User"
}
New-ADUser @userProperties
Secure & Disable the Administrator Account
Set-ADUser Administrator -AccountNotDelegated:$true -SmartcardLogonRequired:$true -Enabled:$false
Create an Active Directory Snapshot
C:\Windows\system32\ntdsutil.exe snapshot "activate instance ntds" create quit quit