Windows/Powershell: Automating the configuration of a Secondary Domain Controller for a newly created domain

Created: 12/22/19

Updated: 12/29/19

Below is a script to create a Secondary Domain Controller to a Primary Domain Controller that was also created via Powershell: here.

This script is shorter compared to that one and this one for the Secondary DC moves the Schema and Domain Naming Operations Master from Primary DC so that the FSMO roles are evenly and strategically balanced.

Lastly, below is the script that you can dig into. Feel free to modify it to your liking, here, is the script as a .zip file. 🙂

# Step 1 #

#
# Test Primary Domain (DC50) to make sure port 445 and 389 are reachable
#

Resolve-DnsName -Name DC50.G15IT.broken -Server DC50.G15It.broken -Type A
Test-NetConnection -ComputerName DC50.G15IT.broken -port 445
Test-NetConnection -ComputerName DC50.G15IT.broken -port 389

#
# Define properties, setting up the NIC, naming the local host, and restarting
#

# Define the Computer Name
$SecondaryDChostname = “DC51”

# Define the IPv4 Addressing
$IPAddress = “172.16.30.247”
$SubnetMask = “24”
$GW = “172.16.30.1”
$DNS1 = “172.16.30.246”
$DNS2 = “172.16.30.247”

# Get the Network Adapter’s Prefix
$IPAdapter = (Get-NetAdapter).ifIndex

# Disable IPv6 Random & Temporary IP Assignments
Set-NetIPv6Protocol -RandomizeIdentifiers Disabled
Set-NetIPv6Protocol -UseTemporaryAddresses Disabled

# Disable IPv6 Transition
Set-Net6to4Configuration -State Disabled
Set-NetIsatapConfiguration -State Disabled
Set-NetTeredoConfiguration -Type Disabled

# Add IPv4 Address, Gateway, and DNS
New-NetIPAddress -InterfaceIndex $IPAdapter -IPAddress $IPAddress -PrefixLength $SubnetMask -DefaultGateway $GW
Set-DNSClientServerAddress –interfaceIndex $IPAdapter –ServerAddresses $DNS1, $DNS2

# Name the Computer, Join Domain and Reboot
Rename-Computer -NewName $SecondaryDChostname -force
Add-Computer -DomainName G15IT.broken -DomainCredential G15ITB\administrator

# Enable ICMP Ping via PowerShell
Import-Module NetSecurity
Set-NetFirewallRule -DisplayName “File and Printer Sharing (Echo Request – ICMPv4-In)” -enabled True # allows ICMP for IP v4
Set-NetFirewallRule -DisplayName “File and Printer Sharing (Echo Request – ICMPv6-In)” -enabled True # allows ICMP for IP v6
New-NetFirewallRule -Name Allow_Ping -DisplayName “Allow Ping” -Description “Packet Internet Groper ICMPv4” -Protocol ICMPv4 -IcmpType 8 -Enabled True -Profile Any -Action Allow

[ValidateSet(‘Yes’, ‘No’)]$RebootDC = Read-Host “Want to Restart $($SecondaryDChostname) ? Enter Yes/No”
If ($RebootDC -eq ‘Yes’) { Restart-Computer -Force }

# Step 2 #

#
# ADDS Input Variables
#

$domainName = “G15IT.broken”
$netBIOSname = “G15ITB”
$Forestmode = “Windows2016Forest”
$Domainmode = “Windows2016Domain”

# This saves the Diretory Services Restore Mode into a string to be used in the creation of the domain controller

$DSRMPassword = Read-Host -Prompt ‘Enter DSRM Admin Password’ -AsSecureString

#
# Install the ADDS Bits and Promote
#

Install-WindowsFeature AD-Domain-Services, DNS, RSAT-AD-Tools, RSAT-DNS-Server, RSAT-DHCP, RSAT-RemoteAccess -IncludeAllSubFeature -IncludeManagementTools

Import-Module ADDSDeployment
Install-ADDSDomainController
-NoGlobalCatalog:$false
-CreateDnsDelegation:$true
-CriticalReplicationOnly:$false
-DatabasePath “C:\Windows\NTDS”
-DomainName = $domainName
-InstallDns:$true
-LogPath ”C:\Windows\NTDS”
-NoRebootOnComPletion:$true
-SafeModeAdministratorPassword $DSRMPassword
-ReplicationSourceDC “DC50.$domainName”
-SiteName “LAB”
-SysvolPath “C:\Windows\SYSVOL”
-Force:$true

[ValidateSet(‘Yes’, ‘No’)]$RebootDC = Read-Host “Want to Restart $($SecondaryDChostname) ? Enter Yes/No”
If ($RebootDC -eq ‘Yes’) { Restart-Computer -Force }

# Step 3 #

#
# DNS, Sites, and Time
#

$siteID = “172.16.30.0/24”
$siteName = “LAB”
$location = “Mad Scientist Lair”

# Internet Time Servers
$time = “0.us.pool.ntp.org 1.us.pool.ntp.org”

# Add DNS Reverse Lookup Zones
Add-DNSServerPrimaryZone -NetworkID $siteID -ReplicationScope ‘Forest’ -DynamicUpdate ‘Secure’

# Set Time Configuration
w32tm /config /manualpeerlist:$time /syncfromflags:manual /reliable:yes /update

#
# Move Schema and Domain Naming FSMO Operation Masters to Secondary DC to Balance FSMO roles
#

regsvr32 /s schmmgmt.dll
$SecondaryFSMOServer = Get-ADDomainController -Identity “$SecondaryDChostname.$domainName”
Move-ADDirectoryServerOperationMasterRole -Identity $SecondaryFSMOServer -OperationMasterRole SchemaMaster, DomainNamingMaster

#
# Enable the Recycle Bin
#

$ForestFQDN = “G15IT.broken”
$SchemaDC = “dc50.G15IT.broken”

Enable-ADOptionalFeature –Identity ‘Recycle Bin Feature’ –Scope ForestOrConfigurationSet –Target $ForestFQDN -Server $SchemaDC -confirm:$false

#
# Create an Active Directory Backup with a Snapshot
#

C:\Windows\system32\ntdsutil.exe snapshot “activate instance ntds” create quit quit

I hope this helps someone make a Powershell script on making a 2nd DC for a domain. Feel free to modify it to your needs. 🙂

Cheers!