{"id":2651,"date":"2013-10-28T00:01:00","date_gmt":"2013-10-28T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2013\/10\/28\/building-a-demo-active-directory-part-1\/"},"modified":"2013-10-28T00:01:00","modified_gmt":"2013-10-28T00:01:00","slug":"building-a-demo-active-directory-part-1","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/building-a-demo-active-directory-part-1\/","title":{"rendered":"Building a Demo Active Directory: Part 1"},"content":{"rendered":"

Summary<\/strong>: Leverage Windows PowerShell in Windows Server 2012 to create a new Active Directory forest.<\/p>\n

\"Hey, Hey, Scripting Guy!<\/p>\n

I often have to put together demo environments, and I need a new empty Active Directory forest. Is there any way I can do this faster than by using the GUI…maybe with Windows PowerShell?<\/p>\n

—TM<\/p>\n

\"Hey, Hello TM,<\/p>\n

Honorary Scripting Guy, Sean Kearney here, filling in for our good friend, Ed.<\/p>\n

I’ve also had to build demo environments—sometimes as a proof of concept for a client, and sometimes as an environment when I’m doing presentations.<\/p>\n

In the old days, the way I had to do it was either by using the GUI or learn the DCPromo command. But in Windows Server 2012, life got so much better. The GUI and Windows PowerShell produce a far better team.<\/p>\n

So here we have a blank server. The only thing that has been done is that the static IP address has been configured, and it has been named CONTOSO-DC.<\/p>\n

Promoting this to a domain controller by using Windows PowerShell is actually pretty easy. I can do this with the GUI of course, but that would be about five or six pretty pictures, which I can replace with a few lines in Windows PowerShell.<\/p>\n

Our first process is to enable the Active Directory Domain Services on the server. In Windows PowerShell, we can just execute this command:<\/p>\n

Install-WindowsFeature AD-Domain-Services –IncludeManagementTools –IncludeAllSubFeature<\/p>\n

Now I need to show you a really cool feature that was introduced in Windows Server 2012—which is why I love using it more than previous versions. Let’s run through the wizard and turn this into a full domain controller in a new domain called…well…CONTOSO.LOCAL.<\/p>\n

After the domain services are added, you’ll see a yellow triangle with an exclamation point near the top of the new Server Manager. Click that, and you’ll see a Post Deployment Configuration<\/strong> option. Click Promote this server to a domain controller<\/strong>.<\/p>\n

\"Image<\/a><\/p>\n

We’ll expand this task and select the hyperlink under Action<\/strong>.<\/p>\n

\"Image<\/a><\/p>\n

From this point, we should see some familiar screens. We’re going to add the new forest called CONTOSO.LOCAL.<\/p>\n

\"Image<\/a><\/p>\n

We’re also going to go cutting edge and choose our forest and domain functional level at Windows Server 2012. We’ve also populated our Directory Services Restore Mode password. And now the most insecure thing ever! Here’s the password: Secret321!<\/em><\/strong><\/p>\n

There is no previous domain, so of course we’ll be skipping by that screen. We’ll verify the NETBIOS name for our domain as shown in the following screen.<\/p>\n

\"Image<\/a><\/p>\n

And verify our paths. (OK! You in the back! Stop yawning.)<\/p>\n

\"Image<\/a><\/p>\n

And now the coolest screen of all in Windows Server 2012—the Review Options<\/strong> screen:<\/p>\n

\"Image<\/a><\/p>\n

The reason for its coolness is the View Script<\/strong> button in the lower-right. Clicking it shows us the Windows PowerShell script that is about to run.<\/p>\n

\"Image<\/a><\/p>\n

What we’re going to do now is cancel the wizard and paste this into our Windows PowerShell Console to see what it does. I’m looking, and I don’t see my password anywhere.<\/p>\n

\"Image<\/a><\/p>\n

Aha! It’s prompting for the password. But I’ll bet there is a parameter we can supply the password to. Because the prompt is SafeModeAdministratorPassword<\/strong>, that would usually be the missing parameter.<\/p>\n

I’m going to guess that we have to convert this password to a secure string because most commands from Microsoft won’t accept a clear text password directly. So we’ll drop the following command inside our parameter called -SafeModeAdministratorPassword<\/strong>:<\/p>\n

(CONVERTTO-SecureString “Secret321!” –asplaintext –force)<\/p>\n

So the really cool part with this prebuilt script is that we can easily modify it to have our variables at the top of the script to simply substitute into the command. With it designed in this way, a person with no administrative knowledge could actually spin up their own domain controller in a lab by only to knowing three key details:<\/p>\n