PowerShell Howto: Promoting a New DC


So, as returning readers will know, I had a failed DC in the home lab some time ago. One of my previous posts covered seizing the FSMO roles from said DC with PowerShell, and can be found here.

I have since completed the needed metadata cleanup steps (detailed in this TechNet article if you’re interested), built a Server 2012 replacement DC, added it to the domain, and I am now ready to promote it to be an official ADDS Domain Controller.

One major change in the promotion methodology is that the old standby tool to complete this step (DCPROMO) is now deprecated, and no longer supported. The preferred way to promote a DC is to use either Server 2012 Server Manager or PowerShell.

The Server Manager method is self-explanatory enough, so we’ll be covering the PowerShell way of doing this today.

Why do I need to use PowerShell if I have Server Manager, you may ask? Well... Maybe you don’t have Server Manager available. Maybe this is the first DC in the forest and it happens to be a 2012 Server Core box with no GUI management tools.

Or maybe you just wanted to be cool and learn some PowerShell goodness!

Regardless, let’s review.

First thing I need to do is verify that the AD Directory Services binaries are installed and available. I can first run the below command to see if they are currently installed.


As shown, the role is not currently installed. I can do so with the Install-WindowsFeature cmdlet.


As we can see, the role is now installed, no reboot is needed, and we’ll ignore the warning regarding Windows updates as I’ll be configuring WSUS to update this box in a later post.

Now, assuming you don’t need to run ADPrep on your domain (outside the scope of this post), the only remaining thing to do at this point is to run the Install-ADDSDomainController cmdlet.

This cmdlet has lots of possible options, as shown by the Get-Help cmdlet.

NAME
    Install-ADDSDomainController

SYNOPSIS
    Installs a domain controller in Active Directory.

SYNTAX
    Install-ADDSDomainController [-ADPrepCredential <PSCredential>] [-AllowDomainControllerReinstall]
    [-ApplicationPartitionsToReplicate <String[]>] [-CreateDnsDelegation] [-Credential <PSCredential>]
    [-CriticalReplicationOnly] [-DatabasePath <String>] [-DnsDelegationCredential <PSCredential>] [-Force]
    [-InstallationMediaPath <String>] [-InstallDns] [-LogPath <String>]
    [-MoveInfrastructureOperationMasterRoleIfNecessary] [-NoDnsOnNetwork] [-NoGlobalCatalog] [-NoRebootOnCompletion]
    [-ReplicationSourceDC <String>] [-SafeModeAdministratorPassword <SecureString>] [-SiteName <String>]
    [-SkipAutoConfigureDns] [-SkipPreChecks] [-SystemKey <SecureString>] [-SysvolPath <String>] -DomainName <String>
    [-Confirm] [-WhatIf] [<CommonParameters>]

    Install-ADDSDomainController [-ADPrepCredential <PSCredential>] [-ApplicationPartitionsToReplicate <String[]>]
    [-Credential <PSCredential>] [-CriticalReplicationOnly] [-DatabasePath <String>] [-Force] [-InstallationMediaPath
    <String>] [-LogPath <String>] [-NoDnsOnNetwork] [-NoRebootOnCompletion] [-ReplicationSourceDC <String>]
    [-SafeModeAdministratorPassword <SecureString>] [-SkipAutoConfigureDns] [-SkipPreChecks] [-SystemKey
    <SecureString>] [-SysvolPath <String>] [-UseExistingAccount] -DomainName <String> [-Confirm] [-WhatIf]
    [<CommonParameters>]

    Install-ADDSDomainController [-ADPrepCredential <PSCredential>] [-AllowDomainControllerReinstall]
    [-AllowPasswordReplicationAccountName <String[]>] [-ApplicationPartitionsToReplicate <String[]>]
    [-CreateDnsDelegation] [-Credential <PSCredential>] [-CriticalReplicationOnly] [-DatabasePath <String>]
    [-DelegatedAdministratorAccountName <String>] [-DenyPasswordReplicationAccountName <String[]>]
    [-DnsDelegationCredential <PSCredential>] [-Force] [-InstallationMediaPath <String>] [-InstallDns] [-LogPath
    <String>] [-MoveInfrastructureOperationMasterRoleIfNecessary] [-NoDnsOnNetwork] [-NoGlobalCatalog]
    [-NoRebootOnCompletion] [-ReadOnlyReplica] [-ReplicationSourceDC <String>] [-SafeModeAdministratorPassword
    <SecureString>] [-SkipAutoConfigureDns] [-SkipPreChecks] [-SystemKey <SecureString>] [-SysvolPath <String>]
    -DomainName <String> -SiteName <String> [-Confirm] [-WhatIf] [<CommonParameters>]

DESCRIPTION
    The Install-ADDSDomainController cmdlet installs a domain controller in Active Directory.

RELATED LINKS
    Online Version: http://go.microsoft.com/fwlink/?LinkId=216564
    Add-ADDSReadOnlyDomainControllerAccount
    Install-ADDSDomain
    Install-ADDSForest

Just about any promotion situation can be handled as needed.

In my case I need to run the below command.


This command will add this server as a DC to the ANDONET.LCL domain. You will be prompted for the DSRM password during the promotion process. The -InstallDns flag forces installation and synchronization of the DNS role. Also note that the new DC will be a Global Catalog by default; the -NoGlobalCatalog flag (listed in the syntax above) disables this if needed.

Also, depending on your situation you may have to force the command to be run by a specific account. You can do so by adding the below option to your command.

     -Credential (Get-Credential YourDomain\AdminUser)

Upon completion of the promotion, a reboot will occur. Once that has completed, ADUC shows that I now have the new DC present in my domain. Life is good!
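The steps above as one script, added here as an example and not the commands from the original post: it checks for the AD DS role, collects the DSRM password as a SecureString instead of placing it on the command line, and runs the Test-ADDSDomainControllerInstallation prerequisite check before promoting. The domain name and the YourDomain\AdminUser placeholder come from the post; the variable names and the stop-on-anything-but-Success policy are assumptions.

```powershell
# Added example, not the author's original commands.
# Run from an elevated PowerShell session on the member server to be promoted.

$domain = 'andonet.lcl'   # domain named in the post

# 1. Verify the AD DS binaries are present; install them if they are not.
$feature = Get-WindowsFeature -Name AD-Domain-Services
if (-not $feature.Installed) {
    $result = Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
    if (-not $result.Success) {
        throw 'AD DS role installation failed.'
    }
    if ($result.RestartNeeded -ne 'No') {
        throw 'A reboot is required before the server can be promoted.'
    }
}

# 2. Collect secrets interactively so they never appear in the script,
#    in console history, or in a transcript.
#    'YourDomain\AdminUser' is the post's placeholder account name.
$cred = Get-Credential -Credential 'YourDomain\AdminUser'
$dsrm = Read-Host -AsSecureString -Prompt 'DSRM (Safe Mode) password'

# One parameter set shared by the test and the real promotion,
# so what gets tested is exactly what gets run.
$params = @{
    DomainName                    = $domain
    InstallDns                    = $true
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
}

# 3. Run the prerequisite checks without changing anything.
#    Assumed policy: any result other than 'Success' stops the promotion.
$checks = Test-ADDSDomainControllerInstallation @params
$failed = $checks | Where-Object { $_.Status -ne 'Success' }
if ($failed) {
    $failed | Format-List Message, Context, RebootRequired, Status | Out-Host
    throw 'Prerequisite checks did not pass; the server was not promoted.'
}

# 4. Promote. The server reboots automatically when this completes.
#    The new DC becomes a Global Catalog unless NoGlobalCatalog is added.
Install-ADDSDomainController @params
```

After the reboot, Get-ADDomainController -Identity $env:COMPUTERNAME (ActiveDirectory module) confirms from the command line what ADUC shows, including whether the DC is a Global Catalog.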



Also, one other thing I’d like to point out.

If this DC is going to be the first DC in a domain or forest, check out the Install-ADDSForest and Install-ADDSDomain cmdlets respectively. I will also plan on covering those in a future post.

Thanks all!
