Created: 12/22/19

Updated: 12/29/19

Always wanted to make a Powershell script that would automate the deployment of the very 1st domain controller on a newly created forest.

This script below will rename the server, apply IP information, set the time, and then reboot the server. Next you can run the script to create the 1st Forest DC for the domain, set up all of the OU groups and then create a Privileged account and a non-privileged account.

Additionally, there is another script that creates the Secondary DC to this Primary DC, here. This Secondary DC after it created with the script moves the Schema and Domain Naming Operations Masters to itself thus keeping the PDC, RID, and Infrastructure Master on the Primary DC.

Lastly, before you can dig into the script below, here, is the script as a .zip file. Feel free to modify it to your liking. 🙂

# ********STEP 1***********

# Define properties, setting adapter settings, setting time, renaming hostname and restarting
#

# Define the Computer Name
$hostname = “DC50”

# Define the IPv4 Addressing
$IPAddress = “172.16.30.246”
$SubnetMask = “24”
$GW = “172.16.30.1”
$DNS1 = “172.16.30.248”
$DNS2 = “172.16.30.249”

# Get the Network Adapter’s Prefix
$IPAdapter = (Get-NetAdapter).ifIndex

# Disable IPv6 Random & Temporary IP Assignments
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

# Disable IPv6 Transition
Set-Net6to4Configuration -State Disabled
Set-NetIsatapConfiguration -State Disabled
Set-NetTeredoConfiguration -Type Disabled

# Add IPv4 Address, Gateway, and DNS
New-NetIPAddress -InterfaceIndex $IPAdapter -IPAddress $IPAddress -PrefixLength $SubnetMask -DefaultGateway $GW
Set-DNSClientServerAddress –interfaceIndex $IPAdapter –ServerAddresses $DNS1, $DNS2

# Internet Time Servers
$time = “0.us.pool.ntp.org 1.us.pool.ntp.org”

# Set Time Configuration
w32tm /config /manualpeerlist:$time /syncfromflags:manual /reliable:yes /update

# Enable ICMP Ping via PowerShell
Import-Module NetSecurity
Set-NetFirewallRule -DisplayName “File and Printer Sharing (Echo Request – ICMPv4-In)” -enabled True # allows ICMP for IP v4
Set-NetFirewallRule -DisplayName “File and Printer Sharing (Echo Request – ICMPv6-In)” -enabled True # allows ICMP for IP v6
New-NetFirewallRule -Name Allow_Ping -DisplayName “Allow Ping” -Description “Packet Internet Groper ICMPv4” -Protocol ICMPv4 -IcmpType 8 -Enabled True -Profile Any -Action Allow

# Name the Computer, and Reboot
Rename-Computer -NewName $hostname -force
[ValidateSet(‘Yes’, ‘No’)]$Reboot = Read-Host “Want to Restart $($hostname) ? Enter Yes/No”
If ($Reboot -eq ‘Yes’) { Restart-Computer -Force }

# ******************* Step 2*******************

#
# Install the ADDS Bits and configured saved variables
#

$domainName = “G15IT.broken”
$netBIOSname = “G15ITB”
$Forestmode = “Windows2016Forest”
$Domainmode = “Windows2016Domain”

Install-WindowsFeature AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools

# This saves the Diretory Services Restore Mode into a string to be used in the creation of the domain controller

$DSRMPassword = Read-Host -Prompt ‘Enter DSRM Admin Password’ -AsSecureString

#
# Install-ADDSForest = is used to create a new forest domain and promotes a server to be the 1st domain controller
# Install-ADDSDomainController = is used when you create a second DC to a domain that is already created
#
Import-Module ADDSDeployment
Install-ADDSForest
-CreateDnsDelegation:$false
-DatabasePath C:\Windows\NTDS
-DomainMode = $Domainmode
-DomainName = $domainName
-DomainNetbiosName = $netBIOSname
-ForestMode = $Forestmode
-InstallDns:$true
-LogPath C:\Windows\NTDS
-NoRebootOnCompletion:$true
-SafeModeAdministratorPassword $DSRMPassword
-SysvolPath C:\Windows\SYSVOL
-Force:$true

[ValidateSet(‘Yes’, ‘No’)]$RebootDC = Read-Host “Want to Restart $($Hostname) ? Enter Yes/No”
If ($RebootDC -eq ‘Yes’) { Restart-Computer -Force }

# Reboot server if the server doesn’t do it by itself

# ***************Step 3*****************

#
# DNS, and Sites
#

# Define DNS and Sites & Services Settings

$siteID = “172.16.30.0/24”
$siteName = “LAB”
$location = “Mad Scientist Lair”

# Add DNS Reverse Lookup Zones
Add-DNSServerPrimaryZone -NetworkID $siteID -ReplicationScope ‘Forest’ -DynamicUpdate ‘Secure’

# Make Changes to Sites & Services
$defaultSite = Get-ADReplicationSite | Select DistinguishedName
Rename-ADObject $defaultSite.DistinguishedName -NewName $siteName
New-ADReplicationSubnet -Name $siteID -site $siteName -Location $location

# Re-Register DC’s DNS Records
Register-DnsClient

# Enable Default Aging/Scavenging Settings for All Zones and this DNS Server
Set-DnsServerScavenging –ScavengingState $True –ScavengingInterval 7:00:00:00 –ApplyOnAllZones
$Zones = Get-DnsServerZone | Where-Object {$_.IsAutoCreated -eq $False -and $_.ZoneName -ne ‘TrustAnchors’}
$Zones | Set-DnsServerZoneAging -Aging $True

#
# Build an AD OU Structure
#

$baseDN = “DC=G15IT,DC=broken”
$resourcesDN = “OU=Domain Units,” + $baseDN

New-ADOrganizationalUnit “Domain Units” -path $baseDN
New-ADOrganizationalUnit “IT Users” -path $resourcesDN
New-ADOrganizationalUnit “Groups Security” -path $resourcesDN
New-ADOrganizationalUnit “Service Accounts” -path $resourcesDN
New-ADOrganizationalUnit “Servers” -path $resourcesDN
New-ADOrganizationalUnit “Desktops” -path $resourcesDN
New-ADOrganizationalUnit “Domain Users” -path $resourcesDN

#
# Enable the AD Recycle Bin
#

$ForestFQDN = “G15IT.broken”
$SchemaDC = “DC50.G15IT.broken”

Enable-ADOptionalFeature –Identity ‘Recycle Bin Feature’ –Scope ForestOrConfigurationSet –Target $ForestFQDN -Server $SchemaDC -confirm:$false

#
# Create AD Enterprise Admin (Privileged) and Standard User (Non-privileged) Accounts
#

# Prompt for a EA Password
$PasswordEA = Read-Host -assecurestring “User Password”
# Create a Privileged Account
$userProperties = @{

Name = “Mad Scientist EA”
GivenName = “Mad”
Surname = “Mad Scientist EA”
DisplayName = “Mad Enterprise Admin”
Path = “OU=IT Users,OU=Domain Units,DC=G15IT,DC=broken”
SamAccountName = “Mad-EA”
UserPrincipalName = “[email protected]
AccountPassword = $PasswordEA
PasswordNeverExpires = $True
Enabled = $True
Description = “Mad Enterprise Admin”

}

New-ADUser @userProperties

# Add Privileged Account to EA, DA, & SA Groups
Add-ADGroupMember “Domain Admins” $userProperties.SamAccountName
Add-ADGroupMember “Enterprise Admins” $userProperties.SamAccountName
Add-ADGroupMember “Schema Admins” $userProperties.SamAccountName
#
#
#
#
# Prompt for a Non-Privileged Password
$PasswordNonP = Read-Host -assecurestring “User Password”

# Create a Non-Privileged User Account
$userProperties = @{

Name = “Mad Scientist”
GivenName = “Mad”
Surname = “Scientist”
DisplayName = “Mad Scientist”
Path = “OU=Domain Users,OU=Domain Units,DC=G15IT,DC=broken”
SamAccountName = “Mad.Scientist”
UserPrincipalName = “[email protected]
AccountPassword = $PasswordNonP
PasswordNeverExpires = $True
Enabled = $True
Description = “Mad User”

}

New-ADUser @userProperties

#
# Disable the Local Built-In Administrator Account
#

Set-ADUser Administrator -AccountNotDelegated:$true -SmartcardLogonRequired:$true -Enabled:$false

#
# Create an Active Directory Backup with a Snapshot
#

C:\Windows\system32\ntdsutil.exe snapshot “activate instance ntds” create quit quit

I hope this script is useful to someone. This has been tested with Windows Server 2016. In order for this to work for Server 2019, you’d need to replace the DomainMode & ForestMode with WinThreshold.

Cheers!