DSCResources/MSFT_ADDomainController/en-US/about_ADDomainController.help.txt
|
.NAME
ADDomainController .DESCRIPTION The ADDomainController DSC resource will install and configure domain controllers in Active Directory. Installation of Read-Only Domain Controllers (RODC) is also supported. Promotion of a Domain Controller using an existing DNS is available using the InstallDns parameter. The parameter specifies if the DNS Server service should be installed and configured on the domain controller. If this is not set the default value of the parameter InstallDns of the cmdlet https://docs.microsoft.com/en-us/powershell/module/addsdeployment/install-addsdomaincontroller is used. The parameter InstallDns is only used during the provisioning of a domain controller. The parameter cannot be used to install or uninstall the DNS server on an already provisioned domain controller. > Note: If the account used for the parameter Credential > cannot connect to another domain controller, for example using a credential > without the domain name, then the cmdlet Install-ADDSDomainController will > seemingly halt (without reporting an error) when trying to replicate > information from another domain controller. > Make sure to use a correct domain account with the correct permission as > the account for the parameter Credential. The parameter FlexibleSingleMasterOperationRole is ignored until the node has been provisioned as a domain controller. Take extra care to make sure the Flexible Single Master Operation (FSMO) roles are moved accordingly to avoid that two domain controller try to get to be the owner of the same role (potential "ping-pong"-behavior). > The resource does not support seizing of Flexible Single Master Operation > (FSMO) roles ## Requirements * Target machine must be running Windows Server 2008 R2 or later. .PARAMETER DomainName Key - String The fully qualified domain name (FQDN) of the domain the Domain Controller will be joining. .PARAMETER Credential Required - Instance The credentials (as a 'PSCredential' object) of a user that has Domain Administrator rights to add the Domain Controller to the domain. .PARAMETER SafemodeAdministratorPassword Required - Instance The 'PSCredential' object containing the password to use for Directory Services Restore Mode (DSRM). .PARAMETER DatabasePath Write - String The path where the database will be stored. .PARAMETER LogPath Write - String The path where the logs will be stored. .PARAMETER SysvolPath Write - String The path where the Sysvol will be stored. .PARAMETER SiteName Write - String The name of the site this Domain Controller will be added to. .PARAMETER InstallationMediaPath Write - String The path of the media you want to use install the Domain Controller. .PARAMETER IsGlobalCatalog Write - Boolean Specifies if the domain controller will be a Global Catalog (GC). .PARAMETER Ensure Read - String Returns the state of the Domain Controller. .PARAMETER ReadOnlyReplica Write - Boolean Indicates that the resource installs the domain controller as an Read-Only Domain Controller (RODC) for an existing domain. .PARAMETER DelegatedAdministratorAccountName Write - String Specifies the user or group that is the delegated administrator of this Read-Only Domain Controller (RODC). .PARAMETER AllowPasswordReplicationAccountName Write - StringArray Specifies an array of names of user accounts, group accounts, and computer accounts whose passwords can be replicated to this Read-Only Domain Controller (RODC). .PARAMETER DenyPasswordReplicationAccountName Write - StringArray Specifies the names of user accounts, group accounts, and computer accounts whose passwords are not to be replicated to this Read-Only Domain Controller (RODC). .PARAMETER FlexibleSingleMasterOperationRole Write - StringArray Allowed values: DomainNamingMaster, SchemaMaster, InfrastructureMaster, PDCEmulator, RIDMaster Specifies one or more Flexible Single Master Operation (FSMO) roles to move to this domain controller. The current owner must be online and responding for the move to be allowed. .PARAMETER InstallDns Write - Boolean Specifies if the DNS Server service should be installed and configured on the Domain Controller. If this is not set the default value of the parameter InstallDns of the cmdlet Install-ADDSDomainController is used. This parameter is only used during the provisioning of a domain controller. The parameter cannot be used to install or uninstall the DNS server on an already provisioned domain controller. .PARAMETER UseExistingAccount Write - Boolean Indicates that the resource attaches a server to an existing Read-Only Domain Controller (RODC) account. If specified, a member of the Domain Admins group or a delegated user can apply this resource. .EXAMPLE 1 This configuration will add a domain controller to the domain contoso.com. Configuration ADDomainController_AddDomainControllerToDomainMinimal_Config { param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $Credential, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $SafeModePassword ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName ActiveDirectoryDsc node localhost { WindowsFeature 'InstallADDomainServicesFeature' { Ensure = 'Present' Name = 'AD-Domain-Services' } WindowsFeature 'RSATADPowerShell' { Ensure = 'Present' Name = 'RSAT-AD-PowerShell' DependsOn = '[WindowsFeature]InstallADDomainServicesFeature' } WaitForADDomain 'WaitForestAvailability' { DomainName = 'contoso.com' Credential = $Credential DependsOn = '[WindowsFeature]RSATADPowerShell' } ADDomainController 'DomainControllerMinimal' { DomainName = 'contoso.com' Credential = $Credential SafeModeAdministratorPassword = $SafeModePassword DependsOn = '[WaitForADDomain]WaitForestAvailability' } } } .EXAMPLE 2 This configuration will add a domain controller to the domain contoso.com, specifying all properties of the resource. Configuration ADDomainController_AddDomainControllerToDomainAllProperties_Config { param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $Credential, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $SafeModePassword ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName ActiveDirectoryDsc node localhost { WindowsFeature 'InstallADDomainServicesFeature' { Ensure = 'Present' Name = 'AD-Domain-Services' } WindowsFeature 'RSATADPowerShell' { Ensure = 'Present' Name = 'RSAT-AD-PowerShell' DependsOn = '[WindowsFeature]InstallADDomainServicesFeature' } WaitForADDomain 'WaitForestAvailability' { DomainName = 'contoso.com' Credential = $Credential DependsOn = '[WindowsFeature]RSATADPowerShell' } ADDomainController 'DomainControllerAllProperties' { DomainName = 'contoso.com' Credential = $Credential SafeModeAdministratorPassword = $SafeModePassword DatabasePath = 'C:\Windows\NTDS' LogPath = 'C:\Windows\Logs' SysvolPath = 'C:\Windows\SYSVOL' SiteName = 'Europe' IsGlobalCatalog = $true DependsOn = '[WaitForADDomain]WaitForestAvailability' } } } .EXAMPLE 3 This configuration will add a domain controller to the domain contoso.com using the information from media. Configuration ADDomainController_AddDomainControllerToDomainUsingIFM_Config { param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $Credential, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $SafeModePassword ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName ActiveDirectoryDsc node localhost { WindowsFeature 'InstallADDomainServicesFeature' { Ensure = 'Present' Name = 'AD-Domain-Services' } WindowsFeature 'RSATADPowerShell' { Ensure = 'Present' Name = 'RSAT-AD-PowerShell' DependsOn = '[WindowsFeature]InstallADDomainServicesFeature' } WaitForADDomain 'WaitForestAvailability' { DomainName = 'contoso.com' Credential = $Credential DependsOn = '[WindowsFeature]RSATADPowerShell' } ADDomainController 'DomainControllerWithIFM' { DomainName = 'contoso.com' Credential = $Credential SafeModeAdministratorPassword = $SafeModePassword InstallationMediaPath = 'F:\IFM' DependsOn = '[WaitForADDomain]WaitForestAvailability' } } } .EXAMPLE 4 This configuration will add a read-only domain controller to the domain contoso.com and specify a list of account, whose passwords are allowed/denied for synchronisation. Configuration ADDomainController_AddReadOnlyDomainController_Config { param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $Credential, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $SafeModePassword ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName ActiveDirectoryDsc node localhost { WindowsFeature 'InstallADDomainServicesFeature' { Ensure = 'Present' Name = 'AD-Domain-Services' } WindowsFeature 'RSATADPowerShell' { Ensure = 'Present' Name = 'RSAT-AD-PowerShell' DependsOn = '[WindowsFeature]InstallADDomainServicesFeature' } WaitForADDomain 'WaitForestAvailability' { DomainName = 'contoso.com' Credential = $Credential DependsOn = '[WindowsFeature]RSATADPowerShell' } ADDomainController 'Read-OnlyDomainController(RODC)' { DomainName = 'contoso.com' Credential = $Credential SafeModeAdministratorPassword = $SafeModePassword ReadOnlyReplica = $true SiteName = 'Default-First-Site-Name' DelegatedAdministratorAccountName = 'contoso\adm.pvdi' AllowPasswordReplicationAccountName = @('pvdi.test1', 'pvdi.test') DenyPasswordReplicationAccountName = @('SVC_PVS', 'TA2SCVMM') DependsOn = '[WaitForADDomain]WaitForestAvailability' } } } .EXAMPLE 5 This configuration will add a domain controller to the domain contoso.com, and when the configuration is enforced it will move the Flexible Single Master Operation (FSMO) role 'RIDMaster' from the current owner to this domain controller. Configuration ADDomainController_AddDomainControllerAndMoveRole_Config { param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $Credential, [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $SafeModePassword ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName ActiveDirectoryDsc node localhost { WindowsFeature 'InstallADDomainServicesFeature' { Ensure = 'Present' Name = 'AD-Domain-Services' } WindowsFeature 'RSATADPowerShell' { Ensure = 'Present' Name = 'RSAT-AD-PowerShell' DependsOn = '[WindowsFeature]InstallADDomainServicesFeature' } WaitForADDomain 'WaitForestAvailability' { DomainName = 'contoso.com' Credential = $Credential DependsOn = '[WindowsFeature]RSATADPowerShell' } ADDomainController 'DomainControllerMinimal' { DomainName = 'contoso.com' Credential = $Credential SafeModeAdministratorPassword = $SafeModePassword FlexibleSingleMasterOperationRole = @('RIDMaster') DependsOn = '[WaitForADDomain]WaitForestAvailability' } } } .EXAMPLE 6 This configuration will add a domain controller to the domain contoso.com without installing the local DNS server service and using the one in the existing domain. Configuration ADDomainController_AddDomainControllerUsingInstallDns_Config { param ( [Parameter(Mandatory = $true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.PSCredential] $Credential ) Import-DscResource -ModuleName PSDesiredStateConfiguration Import-DscResource -ModuleName ActiveDirectoryDsc node localhost { WindowsFeature 'InstallADDomainServicesFeature' { Ensure = 'Present' Name = 'AD-Domain-Services' } WindowsFeature 'RSATADPowerShell' { Ensure = 'Present' Name = 'RSAT-AD-PowerShell' DependsOn = '[WindowsFeature]InstallADDomainServicesFeature' } WaitForADDomain 'WaitForestAvailability' { DomainName = 'contoso.com' Credential = $Credential DependsOn = '[WindowsFeature]RSATADPowerShell' } ADDomainController 'DomainControllerUsingExistingDNSServer' { DomainName = 'contoso.com' Credential = $Credential SafeModeAdministratorPassword = $Credential InstallDns = $false DependsOn = '[WaitForADDomain]WaitForestAvailability' } } } |