Build

The fist thing I do when creating a new environment is to create the domain controllers. I spin up a Windows Server with a GUI as DC1 and run the following script to install the correct software.

Install-WindowsFeature -name AD-Domain-Services –IncludeManagementTools

Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath "C:\Windows\NTDS" `
-DomainMode "WinThreshold" `
-DomainName "ads.kmn.ie" `
-DomainNetbiosName "ads" `
-ForestMode "WinThreshold" `
-InstallDns:$true `
-LogPath "C:\Windows\NTDS" `
-NoRebootOnCompletion:$false `
-SysvolPath "C:\Windows\SYSVOL" `
-Force:$true

Shutdown /r /t 0

Next I need to configure the domain controller. Note I use variables where possible, it reduce the risk of human error.

$SERVERNAME = "dc1"
$FOREST = "ads.kmn.ie"
$DNSNAME = $SERVERNAME + "." + $FOREST

# Set the IP address for the DC
Rename-Computer -NewName $SERVERNAME
Get-NetIPAddress
New-NetIPAddress -InterfaceIndex 16 -IPAddress 172.27.6.11 -PrefixLength 24 -DefaultGateway 172.27.6.20
Restart-Computer

# Configure AD, DNS
Install-ADDSForest -DomainName $FOREST
Install-WindowsFeature DHCP -IncludeManagementTools

# Configure DHCP, add a single scope
Add-DhcpServerInDC -DnsName $DNSNAME -IPAddress 172.27.6.11
Add-DhcpServerv4Scope -Name InfraServers -StartRange 172.27.6.150 -EndRange 172.27.6.199 -SubnetMask 255.255.255.0

# Set time to sync'h with a local NTP server.
w32tm /config /manualpeerlist:172.27.15.254 /syncfromflags:manual /update

We always have a second DC, in this case I use Windows Core and the following script.

$SERVERNAME = "dc2"
$FOREST = "ads.kmn.ie"
$DNSNAME = $SERVERNAME + "." + $FOREST

# Set the IP address for the DC
Rename-Computer -NewName $SERVERNAME
Get-NetIPAddress
New-NetIPAddress -InterfaceIndex 9 -IPAddress 172.27.6.12 -PrefixLength 24 -DefaultGateway 172.27.6.20
Set-DnsClientServerAddress -InterfaceIndex 9 -ServerAddresses 172.27.6.11
Restart-Computer

# Join the existing Domain
Add-Computer -DomainName $FOREST -Restart

# Install software
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Add this as a second DC
Install-ADDSDomainController -DomainName $FOREST -InstallDns:$true -Credential (Get-Credential "janus\administrator")

# Configure DHCP
Install-WindowsFeature DHCP -IncludeManagementTools
Add-DhcpServerInDC -DnsName $DNSNAME -IPAddress 172.27.6.12

I verify each DNS using Resolve-Dnsname

The graphic is for a different system from that configured above.

Demote a DC

If I'm deprecating a DC, I need to do so cleanly. Its really messy to remove a DC from the directory if it is no longer bootable.

<#
Remote server setup script.
Demotes a DC
Run one line at a time, under supervision!
#>
$REMOTE_SERVER = 'server-1'

# Connect to server-1
Enter-PSSession $REMOTE_SERVER

Import-Module ADDSDeployment
Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -ForceRemoval:$true -Force:$true

Exit-PSSession

I may then get the computer to leave the domain.

Remove-Computer -UnjoinDomaincredential ads\Administrator -PassThru -Verbose -Force