DSCResources/MSFT_ADDomainController/en-US/about_ADDomainController.help.txt
.NAME
    ADDomainController

.DESCRIPTION
    The ADDomainController DSC resource will install and configure domain
    controllers in Active Directory. Installation of Read-Only Domain Controllers
    (RODC) is also supported.

    Promotion of a Domain Controller using an existing DNS is available using
    the `InstallDns` parameter. The parameter specifies if the DNS Server service
    should be installed and configured on the domain controller. If this is
    not set the default value of the parameter `InstallDns` of the cmdlet
    [`Install-ADDSDomainController`](https://docs.microsoft.com/en-us/powershell/module/addsdeployment/install-addsdomaincontroller)
    is used. The parameter `InstallDns` is only used during the provisioning
    of a domain controller. The parameter cannot be used to install or uninstall
    the DNS server on an already provisioned domain controller.

    >**Note:** If the account used for the parameter `Credential`
    >cannot connect to another domain controller, for example using a credential
    >without the domain name, then the cmdlet `Install-ADDSDomainController` will
    >seemingly halt (without reporting an error) when trying to replicate
    >information from another domain controller.
    >Make sure to use a correct domain account with the correct permission as
    >the account for the parameter `Credential`.

    The parameter `FlexibleSingleMasterOperationRole` is ignored until
    the node has been provisioned as a domain controller. Take extra care
    to make sure the Flexible Single Master Operation (FSMO) roles are moved
    accordingly, so that two domain controllers do not both try to become the
    owner of the same role (potential "ping-pong" behavior).

    >The resource does not support seizing of Flexible Single Master Operation
    >(FSMO) roles.

    ## Requirements

    * Target machine must be running Windows Server 2008 R2 or later.

.PARAMETER DomainName
    Key - String
    The fully qualified domain name (FQDN) of the domain the Domain Controller will be joining.

.PARAMETER Credential
    Required - String
    The credentials (as a 'PSCredential' object) of a user that has Domain Administrator rights to add the Domain Controller to the domain.

.PARAMETER SafemodeAdministratorPassword
    Required - String
    The 'PSCredential' object containing the password to use for Directory Services Restore Mode (DSRM).

.PARAMETER DatabasePath
    Write - String
    The path where the database will be stored.

.PARAMETER LogPath
    Write - String
    The path where the logs will be stored.

.PARAMETER SysvolPath
    Write - String
    The path where the Sysvol will be stored.

.PARAMETER SiteName
    Write - String
    The name of the site this Domain Controller will be added to.

.PARAMETER InstallationMediaPath
    Write - String
    The path of the media you want to use to install the Domain Controller.

.PARAMETER IsGlobalCatalog
    Write - Boolean
    Specifies if the domain controller will be a Global Catalog (GC).

.PARAMETER Ensure
    Read - String
    Returns the state of the Domain Controller.

.PARAMETER ReadOnlyReplica
    Write - Boolean
    Indicates that the cmdlet installs the domain controller as a Read-Only Domain Controller (RODC) for an existing domain.

.PARAMETER AllowPasswordReplicationAccountName
    Write - String
    Specifies an array of names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this Read-Only Domain Controller (RODC).

.PARAMETER DenyPasswordReplicationAccountName
    Write - String
    Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this Read-Only Domain Controller (RODC).

.PARAMETER FlexibleSingleMasterOperationRole
    Write - String
    Allowed values: DomainNamingMaster, SchemaMaster, InfrastructureMaster, PDCEmulator, RIDMaster
    Specifies one or more Flexible Single Master Operation (FSMO) roles to move to this domain controller. The current owner must be online and responding for the move to be allowed.

.PARAMETER InstallDns
    Write - Boolean
    Specifies if the DNS Server service should be installed and configured on the Domain Controller. If this is not set the default value of the parameter `InstallDns` of the cmdlet Install-ADDSDomainController is used. This parameter is only used during the provisioning of a domain controller. The parameter cannot be used to install or uninstall the DNS server on an already provisioned domain controller.

.EXAMPLE 1

This configuration will add a domain controller to the domain contoso.com.

Configuration ADDomainController_AddDomainControllerToDomainMinimal_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $SafeModePassword
    )

    Import-DscResource -ModuleName PSDscResources
    Import-DscResource -ModuleName ActiveDirectoryDsc

    node localhost
    {
        WindowsFeature 'InstallADDomainServicesFeature'
        {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }

        WindowsFeature 'RSATADPowerShell'
        {
            Ensure    = 'Present'
            Name      = 'RSAT-AD-PowerShell'

            DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
        }

        WaitForADDomain 'WaitForestAvailability'
        {
            DomainName = 'contoso.com'
            Credential = $Credential

            DependsOn  = '[WindowsFeature]RSATADPowerShell'
        }

        ADDomainController 'DomainControllerMinimal'
        {
            DomainName                    = 'contoso.com'
            Credential                    = $Credential
            SafeModeAdministratorPassword = $SafeModePassword

            DependsOn                     = '[WaitForADDomain]WaitForestAvailability'
        }
    }
}

.EXAMPLE 2

This configuration will add a domain controller to the domain contoso.com,
specifying all properties of the resource.

Configuration ADDomainController_AddDomainControllerToDomainAllProperties_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $SafeModePassword
    )

    Import-DscResource -ModuleName PSDscResources
    Import-DscResource -ModuleName ActiveDirectoryDsc

    node localhost
    {
        WindowsFeature 'InstallADDomainServicesFeature'
        {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }

        WindowsFeature 'RSATADPowerShell'
        {
            Ensure    = 'Present'
            Name      = 'RSAT-AD-PowerShell'

            DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
        }

        WaitForADDomain 'WaitForestAvailability'
        {
            DomainName = 'contoso.com'
            Credential = $Credential

            DependsOn  = '[WindowsFeature]RSATADPowerShell'
        }

        ADDomainController 'DomainControllerAllProperties'
        {
            DomainName                    = 'contoso.com'
            Credential                    = $Credential
            SafeModeAdministratorPassword = $SafeModePassword
            DatabasePath                  = 'C:\Windows\NTDS'
            LogPath                       = 'C:\Windows\Logs'
            SysvolPath                    = 'C:\Windows\SYSVOL'
            SiteName                      = 'Europe'
            IsGlobalCatalog               = $true

            DependsOn                     = '[WaitForADDomain]WaitForestAvailability'
        }
    }
}

.EXAMPLE 3

This configuration will add a domain controller to the domain contoso.com
using the information from media.

Configuration ADDomainController_AddDomainControllerToDomainUsingIFM_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $SafeModePassword
    )

    Import-DscResource -ModuleName PSDscResources
    Import-DscResource -ModuleName ActiveDirectoryDsc

    node localhost
    {
        WindowsFeature 'InstallADDomainServicesFeature'
        {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }

        WindowsFeature 'RSATADPowerShell'
        {
            Ensure    = 'Present'
            Name      = 'RSAT-AD-PowerShell'

            DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
        }

        WaitForADDomain 'WaitForestAvailability'
        {
            DomainName = 'contoso.com'
            Credential = $Credential

            DependsOn  = '[WindowsFeature]RSATADPowerShell'
        }

        ADDomainController 'DomainControllerWithIFM'
        {
            DomainName                    = 'contoso.com'
            Credential                    = $Credential
            SafeModeAdministratorPassword = $SafeModePassword
            InstallationMediaPath         = 'F:\IFM'

            DependsOn                     = '[WaitForADDomain]WaitForestAvailability'
        }
    }
}

.EXAMPLE 4

This configuration will add a read-only domain controller to the domain contoso.com
and specify a list of accounts whose passwords are allowed/denied for synchronisation.

Configuration ADDomainController_AddReadOnlyDomainController_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $SafeModePassword
    )

    Import-DscResource -ModuleName PSDscResources
    Import-DscResource -ModuleName ActiveDirectoryDsc

    node localhost
    {
        WindowsFeature 'InstallADDomainServicesFeature'
        {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }

        WindowsFeature 'RSATADPowerShell'
        {
            Ensure    = 'Present'
            Name      = 'RSAT-AD-PowerShell'

            DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
        }

        WaitForADDomain 'WaitForestAvailability'
        {
            DomainName = 'contoso.com'
            Credential = $Credential

            DependsOn  = '[WindowsFeature]RSATADPowerShell'
        }

        ADDomainController 'Read-OnlyDomainController(RODC)'
        {
            DomainName                          = 'contoso.com'
            Credential                          = $Credential
            SafeModeAdministratorPassword       = $SafeModePassword
            ReadOnlyReplica                     = $true
            SiteName                            = 'Default-First-Site-Name'
            AllowPasswordReplicationAccountName = @('pvdi.test1', 'pvdi.test')
            DenyPasswordReplicationAccountName  = @('SVC_PVS', 'TA2SCVMM')

            DependsOn                           = '[WaitForADDomain]WaitForestAvailability'
        }
    }
}

.EXAMPLE 5

This configuration will add a domain controller to the domain contoso.com,
and when the configuration is enforced it will move the Flexible Single
Master Operation (FSMO) role 'RIDMaster' from the current owner to this
domain controller.

Configuration ADDomainController_AddDomainControllerAndMoveRole_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential,

        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $SafeModePassword
    )

    Import-DscResource -ModuleName PSDscResources
    Import-DscResource -ModuleName ActiveDirectoryDsc

    node localhost
    {
        WindowsFeature 'InstallADDomainServicesFeature'
        {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }

        WindowsFeature 'RSATADPowerShell'
        {
            Ensure    = 'Present'
            Name      = 'RSAT-AD-PowerShell'

            DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
        }

        WaitForADDomain 'WaitForestAvailability'
        {
            DomainName = 'contoso.com'
            Credential = $Credential

            DependsOn  = '[WindowsFeature]RSATADPowerShell'
        }

        ADDomainController 'DomainControllerMinimal'
        {
            DomainName                        = 'contoso.com'
            Credential                        = $Credential
            SafeModeAdministratorPassword     = $SafeModePassword
            FlexibleSingleMasterOperationRole = @('RIDMaster')

            DependsOn                         = '[WaitForADDomain]WaitForestAvailability'
        }
    }
}

.EXAMPLE 6

This configuration will add a domain controller to the domain contoso.com
without installing the local DNS server service and using the one in the
existing domain.

Configuration ADDomainController_AddDomainControllerUsingInstallDns_Config
{
    param
    (
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    Import-DscResource -ModuleName PSDscResources
    Import-DscResource -ModuleName ActiveDirectoryDsc

    node localhost
    {
        WindowsFeature 'InstallADDomainServicesFeature'
        {
            Ensure = 'Present'
            Name   = 'AD-Domain-Services'
        }

        WindowsFeature 'RSATADPowerShell'
        {
            Ensure    = 'Present'
            Name      = 'RSAT-AD-PowerShell'

            DependsOn = '[WindowsFeature]InstallADDomainServicesFeature'
        }

        WaitForADDomain 'WaitForestAvailability'
        {
            DomainName = 'contoso.com'
            Credential = $Credential

            DependsOn  = '[WindowsFeature]RSATADPowerShell'
        }

        ADDomainController 'DomainControllerUsingExistingDNSServer'
        {
            DomainName                    = 'contoso.com'
            Credential                    = $Credential
            # This example reuses $Credential as the DSRM password. Pass a separate
            # PSCredential, as the other examples do, so that the DSRM password
            # differs from the password of the domain account.
            SafeModeAdministratorPassword = $Credential
            InstallDns                    = $false

            DependsOn                     = '[WaitForADDomain]WaitForestAvailability'
        }
    }
}
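
The FSMO caution in the description, and the role move in Example 5, can be checked before any configuration is compiled. The following is an added example, not code from the ActiveDirectoryDsc module: it scans node data for an FSMO role requested by more than one domain controller or by an RODC. The function name, the node layout and the node names are assumptions; the property names mirror the resource's parameters.

```powershell
# Added example; not code from the ActiveDirectoryDsc module. The function name
# and node layout are hypothetical. Property names mirror the resource's parameters.
function Test-FsmoRoleAssignment
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Collections.Hashtable[]]
        $Node
    )

    $owner = @{}      # FSMO role name -> names of the nodes requesting it
    $finding = @()

    foreach ($currentNode in $Node)
    {
        # Nodes that do not set the parameter request no role move.
        if (-not $currentNode.ContainsKey('FlexibleSingleMasterOperationRole')) { continue }

        foreach ($role in $currentNode.FlexibleSingleMasterOperationRole)
        {
            # A read-only domain controller cannot hold an operations master role.
            if ($currentNode.ReadOnlyReplica)
            {
                $finding += "$($currentNode.NodeName): RODC requests FSMO role '$role'."
            }
            if (-not $owner.ContainsKey($role)) { $owner[$role] = @() }
            $owner[$role] += $currentNode.NodeName
        }
    }

    foreach ($role in $owner.Keys)
    {
        # Two owners of one role is the "ping-pong" case from the description.
        if ($owner[$role].Count -gt 1)
        {
            $finding += "'$role' is requested by more than one node: $($owner[$role] -join ', ')."
        }
    }

    return $finding
}

# Constructed sample data: DC02 and DC03 both request RIDMaster; RODC01 requests a role.
Test-FsmoRoleAssignment -Node @(
    @{ NodeName = 'RODC01'; ReadOnlyReplica = $true; FlexibleSingleMasterOperationRole = @('PDCEmulator') }
    @{ NodeName = 'DC02'; FlexibleSingleMasterOperationRole = @('RIDMaster') }
    @{ NodeName = 'DC03'; FlexibleSingleMasterOperationRole = @('RIDMaster', 'InfrastructureMaster') }
)
```

An empty result means every requested role has exactly one prospective owner and no RODC requests one.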