Install Active Directory Domain Services (Level 100)
Install Active Directory Domain Services (Level 100)
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
This topic explains how to install AD DS in Windows Server 2012 by using any of the following
methods:
Credential requirements to run Adprep.exe and install Active Directory Domain Services
Installing AD DS by Using Windows PowerShell
Installing AD DS by using Server Manager
Performing a Staged RODC Installation using the Graphical User Interface
To install a new forest, you must be logged on as the local Administrator for the computer.
To install a new child domain or new domain tree, you must be logged on as a member of the
Enterprise Admins group.
To install an additional domain controller in an existing domain, you must be a member of the
Domain Admins group.
Note
If you do not run adprep.exe command separately and you are installing the first domain
controller that runs Windows Server 2012 in an existing domain or forest, you will be prompted
to supply credentials to run Adprep commands. The credential requirements are as follows:
o To introduce the first Windows Server 2012 domain controller in the forest, you need to
supply credentials for a member of Enterprise Admins group, the Schema Admins group, and
the Domain Admins group in the domain that hosts the schema master.
o To introduce the first Windows Server 2012 domain controller in a domain, you need to
supply credentials for a member of the Domain Admins group.
o To introduce the first read-only domain controller (RODC) in the forest, you need to supply
credentials for a member of the Enterprise Admins group.
Note
If you have already run adprep /rodcprep in Windows Server 2008 or Windows Server 2008
R2, you do not need to run it again for Windows Server 2012 .
For more information about removing AD DS using Windows PowerShell, see Remove AD DS using
Windows PowerShell.
Start with adding the role using Windows PowerShell. This command installs the AD DS server role
and installs the AD DS and AD LDS server administration tools, including GUI-based tools such as
Active Directory Users and Computers and command-line tools such as dcdia.exe. Server
administration tools are not installed by default when you use Windows PowerShell. You need to
specify "IncludeManagementTools to manage the local server or install Remote Server
Administration Tools to manage a remote server.
You can then run this command to see the available cmdlets in the ADDSDeployment module.
To see the list of arguments that can be specified for a cmdlets and syntax:
For example, to see the arguments for creating an unoccupied read-only domain controller (RODC)
account, type
Get-Help Add-ADDSReadOnlyDomainControllerAccount
You can also download the latest Help examples and concepts for Windows PowerShell cmdlets. For
more information, see about_Updatable_Help.
-or-
In Server Manager, create a server group that includes the remote server. Right-click the name
of the remote server and click Windows PowerShell.
The next sections explain how to run ADDSDeployment module cmdlets to install AD DS.
The following table lists arguments for the ADDSDeployment cmdlets in Windows PowerShell.
Arguments in bold are required. Equivalent arguments for dcpromo.exe are listed in parentheses if
they are named different in Windows PowerShell.
Windows PowerShell switches accept $TRUE or $FALSE arguments. Arguments that are $TRUE by
default do not need to be specified.
To override default values, you can specify the argument with a $False value. For example, because -
installdns is automatically run for a new forest installation if it is not specified, the only way
to prevent DNS installation when you install a new forest is to use:
-InstallDNS:$false
Similarly, because "installdns has a default value of $False if you install a domain controller in an
environment that does not host Windows Server DNS server, you need to specify the following
argument in order to install DNS server:
-InstallDNS:$true
Argument Description
ADPrepCredential Note: Required if you are Specifies the account with Enterprise Admins and
installing the first Windows Server 2012 Schema Admins group membership that can prepare
domain controller in a domain or forest and the the forest, according to the rules of Get-
credentials of the current user are insufficient to Credential and a PSCredential object.
perform the operation.
If no value is specified, the value of
the "credentialargument is used.
Use $True only if you are sure that the account is not
currently used by another writable domain controller.
Code -AllowPasswordReplicationAccountName
"JSmith","JSmithPC","Branch Users"
Code -
Argument Description
-ApplicationPartitionsToReplicate
"partition1","partition2","partition3"
CreateDnsDelegation Note: You cannot Indicates whether to create a DNS delegation that
specify this argument when you run the Add- references the new DNS server that you are installing
ADDSReadOnlyDomainController cmdlet. along with the domain controller. Valid for Active
Directory"integrated DNS only. Delegation records
can be created only on Microsoft DNS servers that
are online and accessible. Delegation records cannot
be created for domains that are immediately
subordinate to top-level domains such as .com, .gov,
.biz, .edu or two-letter country code domains such as
.nz and .au.
Credential Note: Required only if the Specifies the domain account that can logon to the
credentials of the current user are insufficient to domain, according to the rules of Get-Credentialand a
perform the operation. PSCredential object.
The default
is %SYSTEMROOT%\NTDS. Important:While
you can store the AD DS database and log files on
Argument Description
Code -
-DenyPasswordReplicationAccountName
"RegionalAdmins","AdminPCs"
DnsDelegationCredential Note: You cannot Specifies the user name and password for creating
specify this argument when you run the Add- DNS delegation, according to the rules of Get-
ADDSReadOnlyDomainController cmdlet. Credential and a PSCredential object.
DomainMode {Win2003 | Win2008 | Specifies the domain functional level during the
Win2008R2 | Win2012 | Win2012R2} creation of a new domain.
DomainType {ChildDomain | TreeDomain} or Indicates the type of domain that you want to create:
{child | tree} a new domain tree in an existing forest, a child of an
existing domain, or a new forest.
ForestMode {Win2003 | Win2008 | Win2008R2 Specifies the forest functional level when you create
| Win2012 | Win2012R2} a new forest.
ForestMode {2 | 3 | 4 | 5 | 6}
The default
is %SYSTEMROOT%\NTDS. Important:Do not
store the Active Directory log files on a data volume
formatted with Resilient File System (ReFS).
NewDomainName Note: Required only for Specifies the single domain name for the new
Install-ADDSDomain. domain.
Code -
-NoGlobalCatalog
Code -
-NoRebootOnCompletion:$True
ParentDomainName Note: Required for Specifies the FQDN of an existing parent domain.
Install-ADDSDomain cmdlet You use this argument when you install a child
domain or new domain tree.
SystemKey Specifies the system key for the media from which
you replicate the data.
The default
is %SYSTEMROOT%\SYSVOL. Important: SYS
VOL cannot be stored on a data volume formatted
with Resilient File System (ReFS).
You can specify credentials without revealing them in plain text on screen by using Get-credential.
If not specified as an argument, the cmdlet prompts you to enter and confirm a masked
password. This is the preferred usage when running the cmdlet interactively.
If specified with a value, the value must be a secure string. This is not the preferred usage when
running the cmdlet interactively.
For example, you can manually prompt for a password by using the Read-Host cmdlet to prompt the
user for a secure string
Warning
As the previous option does not confirm the password, use extreme caution: the password is not
visible.
You can also provide a secure string as a converted clear-text variable, although this is highly
discouraged:
Warning
Providing or storing a clear text password is not recommended. Anyone running this command in a
script or looking over your shoulder knows the DSRM password of that domain controller. With that
knowledge, they can impersonate the domain controller itself and elevate their privilege to the
highest level in an Active Directory forest.
Each ADDSDeployment cmdlet has a corresponding test cmdlet. The test cmdlets runs only the
prerequisite checks for the installation operation; no installation settings are configured. The
arguments for each test cmdlet are the same as for the corresponding installation cmdlet,
but "SkipPreChecks is not available for test cmdlets.
Test cmdlet Description
The command syntax for installing a new forest is as follows. Optional arguments appear within
square brackets.
Note
The -DomainNetBIOSName argument is required if you want to change the 15-character name that is
automatically generated based on the DNS domain name prefix or if the name exceeds 15 characters.
For example, to install a new forest named corp.contoso.com and be securely prompted to provide
the DSRM password, type:
Note
DNS server is installed by default when you run Install-ADDSForest.
To install a new forest named corp.contoso.com, create a DNS delegation in the contoso.com domain,
set domain functional level to Windows Server 2008 R2 and set forest functional level to Windows
Server 2008, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on
the E:\ drive, and be prompted to provide the Directory Services Restore Mode password and type:
The command syntax for installing a new domain is as follows. Optional arguments appear within
square brackets.
Note
The -credential argument is only required when you are not currently logged on as a member of the
Enterprise Admins group.
The -NewDomainNetBIOSName argument is required if you want to change the automatically
generated 15-character name based on the DNS domain name prefix or if the name exceeds 15
characters.
For example, to use credentials of corp\EnterpriseAdmin1 to create a new child domain named
child.corp.contoso.com, install DNS server, create a DNS delegation in the corp.contoso.com domain,
set domain functional level to Windows Server 2003, make the domain controller a global catalog
server in a site named Houston, use DC1.corp.contoso.com as the replication source domain
controller, install the Active Directory database and SYSVOL on the D:\ drive, install the log files on the
E:\ drive, and be prompted to provide the Directory Services Restore Mode password but not
prompted to confirm the command, type:
The command syntax for installing an additional domain controller is as follows. Optional arguments
appear within square brackets.
To install a domain controller and DNS server in the corp.contoso.com domain and be prompted to
supply the domain Administrator credentials and the DSRM password, type:
If the computer is already domain joined and you are a member of the Domain Admins group, you
can use:
The command syntax to create an RODC account is as follows. Optional arguments appear within
square brackets.
The command syntax to attach a server to an RODC account is as follows. Optional arguments appear
within square brackets.
Then run the following commands on the server that you want to attach to the RODC1 account. The
server cannot be joined to the domain. First, install the AD DS server role and management tools:
Press Y to confirm or include the "confirm argument to prevent the confirmation prompt.
The following sections explain how to create server pools in order to install and manage AD DS on
multiple servers, and how to use the wizards to install AD DS.
Server Manager can pool other servers on the network as long as they are accessible from the
computer running Server Manager. Once pooled, you choose those servers for remote installation of
AD DS or any other configuration options possible within Server Manager. The computer running
Server Manager automatically pools itself. For more information about server pools, see Add Servers
to Server Manager.
Note
In order to manage a domain-joined computer using Server Manager on a workgroup server, or vice-
versa, additional configuration steps are needed. For more information, see "Add and manage servers
in workgroups" in Add Servers to Server Manager.
Installing AD DS
Administrative credentials
The credential requirements to install AD DS vary depending on which deployment configuration you
choose. For more information, see Credential requirements to run Adprep.exe and install Active
Directory Domain Services.
Use the following procedures to install AD DS using the GUI method. The steps can be performed
locally or remotely. For more detailed explanation of these steps, see the following topics:
1. In Server Manager, click Manage and click Add Roles and Features to start the Add Roles
Wizard.
2. On the Before you begin page, click Next.
3. On the Select installation type page, click Role-based or feature-based installationand then
click Next.
4. On the Select destination server page, click Select a server from the server pool, click the
name of the server where you want to install AD DS and then click Next.
To select remote servers, first create a server pool and add the remote servers to it. For more
information about creating server pools, see Add Servers to Server Manager.
5. On the Select server roles page, click Active Directory Domain Services, then on the Add
Roles and Features Wizard dialog box, click Add Features, and then click Next.
6. On the Select features page, select any additional features you want to install and click Next.
7. On the Active Directory Domain Services page, review the information and then click Next.
8. On the Confirm installation selections page, click Install.
9. On the Results page, verify that the installation succeeded, and click Promote this server to a
domain controller to start the Active Directory Domain Services Configuration Wizard.
Important
If you close Add Roles Wizard at this point without starting the Active Directory Domain Services
Configuration Wizard, you can restart it by clicking Tasks in Server Manager.
10. On the Deployment Configuration page, choose one of the following options:
If you are installing an additional domain controller in an existing domain, click Add a
domain controller to an existing domain, and type the name of the domain (for
example, emea.corp.contoso.com) or click Select... to choose a domain, and credentials
(for example, specify an account that is a member of the Domain Admins group) and then
click Next.
Note
The name of the domain and current user credentials are supplied by default only if the
machine is domain-joined and you are performing a local installation. If you are installing
AD DS on a remote server, you need to specify the credentials, by design. If current user
credentials are not sufficient to perform the installation, click Change... in order to specify
different credentials.
For more information, see Install a Replica Windows Server 2012 Domain Controller in an
Existing Domain (Level 200).
If you are installing a new child domain, click Add a new domain to an existing forest,
for Select domain type, select Child Domain, type or browse to the name of the parent
domain DNS name (for example, corp.contoso.com), type the relative name of the new
child domain (for example emea), type credentials to use to create the new domain, and
then click Next.
For more information, see Install a New Windows Server 2012 Active Directory Child or
Tree Domain (Level 200).
If you are installing a new domain tree, click Add new domain to an existing forest,
for Select domain type, choose Tree Domain, type the name of the root domain (for
example, corp.contoso.com), type the DNS name of the new domain (for example,
fabrikam.com), type credentials to use to create the new domain, and then click Next.
For more information, see Install a New Windows Server 2012 Active Directory Child or
Tree Domain (Level 200).
If you are installing a new forest, click Add a new forest and then type the name of the
root domain (for example, corp.contoso.com).
For more information, see Install a New Windows Server 2012 Active Directory Forest (Level
200).
11. On the Domain Controller Options page, choose one of the following options:
If you are creating a new forest or domain, select the domain and forest functional levels,
click Domain Name System (DNS) server, specify the DSRM password, and then
click Next.
If you are adding a domain controller to an existing domain, click Domain Name System
(DNS) server, Global Catalog (GC), or Read Only Domain Controller (RODC) as
needed, choose the site name, and type the DSRM password and then click Next.
For more information about which options on this page are available or not available under
different conditions, see Domain Controller Options.
12. On the DNS Options page (which appears only if you install a DNS server), click Update DNS
delegation as needed. If you do, provide credentials that have permission to create DNS
delegation records in the parent DNS zone.
If a DNS server that hosts the parent zone cannot be contacted, the Update DNS
Delegation option is not available.
For more information about whether you need to update the DNS delegation,
see Understanding Zone Delegation. If you attempt to update the DNS delegation and
encounter an error, see DNS Options.
13. On the RODC Options page (which appears only if you install an RODC), specify the name of a
group or user who will manage the RODC, add accounts to or remove accounts from the
Allowed or Denied password replication groups, and then click Next.
14. On the Additional Options page, choose one of the following options:
If you are creating a new domain, type a new NetBIOS name or verify the default NetBIOS
name of the domain, and then click Next.
If you are adding a domain controller to an existing domain, select the domain controller
that you want to replicate the AD DS installation data from (or allow the wizard to select
any domain controller). If you are installing from media, click Install from media path type
and verify the path to the installation source files, and then click Next.
You cannot use install from media (IFM) to install the first domain controller in a domain.
IFM does not work across different operating system versions. In other words, in order to
install an additional domain controller that runs Windows Server 2012 by using IFM, you
must create the backup media on a Windows Server 2012 domain controller. For more
information about IFM, see Installing an Additional Domain Controller by Using IFM.
15. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL
folder (or accept default locations), and click Next.
Important
Do not store the Active Directory database, log files, or SYSVOL folder on a data volume
formatted with Resilient File System (ReFS).
16. On the Preparation Options page, type credentials that are sufficient to run adprep. For more
information, see Credential requirements to run Adprep.exe and install Active Directory Domain
Services.
17. On the Review Options page, confirm your selections, click View script if you want to export
the settings to a Windows PowerShell script, and then click Next.
18. On the Prerequisites Check page, confirm that prerequisite validation completed and then
click Install.
19. On the Results page, verify that the server was successfully configured as a domain controller.
The server will be restarted automatically to complete the AD DS installation.
1. You can create the RODC account using Active Directory Administrative Center or Active
Directory Users and Computers.
a. Click Start, click Administrative Tools, and then click Active Directory Administrative
Center.
b. In the navigation pane (left pane), click the name of the domain.
c. In the Management list (center pane), click the Domain Controllers OU.
d. In the Tasks Pane (right pane), click Pre-create a read-only domain controller account.
-Or-
e. Click Start, click Administrative Tools, and then click Active Directory Users and
Computers.
f. Either right-click the Domain Controllers organizational unit (OU) or click the Domain
Controllers OU, and then click Action.
g. Click Pre-create Read-only Domain Controller account.
2. On the Welcome to the Active Directory Domain Services Installation Wizard page, if you
want to modify the default the Password Replication Policy (PRP), select Use advanced mode
installation, and then click Next.
3. On the Network Credentials page, under Specify the account credentials to use to perform
the installation, click My current logged on credentials or click Alternate credentials, and
then click Set. In the Windows Security dialog box, provide the user name and password for an
account that can install the additional domain controller. To install an additional domain
controller, you must be a member of the Enterprise Admins group or the Domain Admins group.
When you are finished providing credentials, click Next.
4. On the Specify the Computer Name page, type the computer name of the server that will be
the RODC.
5. On the Select a Site page, select a site from the list or select the option to install the domain
controller in the site that corresponds to the IP address of the computer on which you are
running the wizard, and then click Next.
6. On the Additional Domain Controller Options page, make the following selections, and then
click Next:
DNS server: This option is selected by default so that your domain controller can function
as a Domain Name System (DNS) server. If you do not want the domain controller to be a
DNS server, clear this option. However, if you do not install the DNS server role on the
RODC and the RODC is the only domain controller in the branch office, users in the branch
office will not be able to perform name resolution when the wide area network (WAN) to
the hub site is offline.
Global catalog: This option is selected by default. It adds the global catalog, read-only
directory partitions to the domain controller, and it enables global catalog search
functionality. If you do not want the domain controller to be a global catalog server, clear
this option. However, if you do not install a global catalog server in the branch office or
enable universal group membership caching for the site that includes the RODC, users in
the branch office will not be able to log on to the domain when the WAN to the hub site is
offline.
Read-only domain controller. When you create an RODC account, this option is selected
by default and you cannot clear it.
7. If you selected the Use advanced mode installation check box on the Welcome page,
the Specify the Password Replication Policy page appears. By default, no account passwords
are replicated to the RODC, and security-sensitive accounts (such as members of the Domain
Admins group) are explicitly denied from ever having their passwords replicated to the RODC.
To add other accounts to policy, click Add, then click Allow passwords for the account to
replicate to this RODC or click Deny passwords for the account from replicating to this
RODC and then select the accounts.
8. On the Delegation of RODC Installation and Administration page, type the name of the user
or the group who will attach the server to the RODC account that you are creating. You can type
the name of only one security principal.
To search the directory for a specific user or group, click Set. In Select User or Group, type the
name of the user or group. We recommend that you delegate RODC installation and
administration to a group.
This user or group will also have local administrative rights on the RODC after the installation. If
you do not specify a user or group, only members of the Domain Admins group or the
Enterprise Admins group will be able to attach the server to the account.
9. On the Summary page, review your selections. Click Back to change any selections, if
necessary.
To save the settings that you selected to an answer file that you can use to automate
subsequent AD DS operations, click Export settings. Type a name for your answer file, and then
click Save.
When you are sure that your selections are accurate, click Next to create the RODC account.
10. On the Completing the Active Directory Domain Services Installation Wizard page,
click Finish.
After an RODC account is created, you can attach a server to account to complete the RODC
installation. This second stage can be completed in the branch office where the RODC will be located.
The server where you perform this procedure must not be joined to the domain. Beginning in
Windows Server 2012 , you use the Add Roles Wizard in Server Manager to attach a server to an
RODC account.
(media/Install-Active-Directory-Domain-Services--Level-100-/ADDS_SMI_Tasks.gif)
11. On the Deployment Configuration page, click Add a domain controller to an existing
domain, type the name of the domain (for example, emea.contoso.com) and credentials (for
example, specify an account that is delegated to manage and install the RODC), and then
click Next.
12. On the Domain Controller Options page, click Use existing RODC account, type and confirm
the Directory Services Restore Mode password, and then click Next.
13. On the Additional Options page, if you are installing from media, click Install from media
path type and verify the path to the installation source files, select the domain controller that
you want to replicate the AD DS installation data from (or allow the wizard to select any domain
controller) and then click Next.
14. On the Paths page, type the locations for the Active Directory database, log files, and SYSVOL
folder, or accept default locations, and then click Next.
15. On the Review Options page, confirm your selections, click View Script to export the settings
to a Windows PowerShell script, and then click Next.
16. On the Prerequisites Check page, confirm that prerequisite validation completed and then
click Install.