In the past two Inside Out columns, I've discussed how to create simple batch files that let you automatically configure machines to set up domain controllers (DCs)—and in the process, domains, trees, and forests. Such batch files are tremendously useful for several reasons. First, a good disaster-recovery plan will mandate this sort of batch file because it lets you start from a freshly installed copy of Windows Server 2003 or Windows 2000 Server. By typing a few commands, you end up with a fully functional forest, rebuilt from scratch. Second, even if you never need disaster-recovery tools, you can still use the batch file to build small test networks that mimic your enterprise network and let you try things out in a safe environment. Third, this batch file effectively illustrates the power of batch automation: On a fresh system, you can type one command, walk away, then return 15 minutes later to find a perfectly configured IP stack, DNS server network, and Active Directory (AD) domain.
So far, I've shown you how to create a batch file that configures an IP stack and a DNS server network. This time, I show you how to use a batch file to create AD domains.
The Answer File
To create a domain, tree, or forest, you simply need to create the first DC in that domain, tree, or forest—and to create a DC, all you need to do is run Dcpromo (aka the Active Directory Installation Wizard). Like all wizards, Dcpromo demands attention, if only to repeatedly click Next. But a script can provide that attention. Microsoft has quietly furnished Dcpromo with full-featured scriptability. You can script Dcpromo in both Windows 2003 and Win2K, although the script commands are a bit different between the two OSs. (I use the Windows 2003 command set for this article's examples.)
To run Dcpromo with a script, you use the /answer option, as follows:
dcpromo /answer:<nameofanswerfile>
The answer file is simply an ASCII text file that contains answers to a few basic but essential questions. In general, answer files are case insensitive, except for any passwords that you might need to include. (You can build an answer file in Notepad quite easily.) The questions that a Dcpromo answer file needs answers to are
Will this DC be the first DC in a domain (thereby creating a domain), or will it simply help out in an existing domain (i.e., will it serve as a replica DC)?
If Dcpromo is creating a domain, what will that domain be called, and how will it fit in the existing forest? Should Dcpromo create not only a new domain but also a new forest?
If Dcpromo isn't creating a domain, do you have the proper credentials to create new DCs in an existing domain or to create a new domain in an existing forest?
In what location should Dcpromo place the AD database file ntds.dit, the transaction log files, and Sysvol?
How should Dcpromo handle DNS errors? If the existing DNS infrastructure is invalid for AD, should Dcpromo create a new DNS structure or simply fail with an error condition?
New Domain
To create a brand-new forest, you can use the answer file that Listing 1 shows. This answer file creates the first DC in the first domain in a forest. Following the example of the past two columns, we'll call that first domain bigfirm.biz.
In just 13 lines, the answer file provides much functionality. It starts with the [DCINSTALL] statement, which starts all Dcpromo answer files. Next is the ReplicaOrNewDomain statement, which specifies whether you're creating a new domain or adding a DC to an existing domain. The acceptable answers are Domain, which creates a new domain, and Replica, which adds a DC to an existing domain. We're creating a new domain rather than a replica DC, so that domain needs a DNS name (e.g., bigfirm.biz), a NetBIOS name (e.g., bigfirm), and a Directory Services Restore Mode (DSRM) password. The NewDomainDNSName, DomainNetBIOSName, and SafeModeAdminPassword statements specify those values.
But where does the new domain fit in a forest? The NewDomain statement has three possible values. Forest tells Dcpromo to create the first domain in a forest, Tree tells Dcpromo to create the first domain in a new tree that's part of an existing forest, and Child tells Dcpromo to create a new child domain in an existing tree (which implies that the tree is a member of an existing forest). In this example, I'm creating the first domain in a forest, so Forest is the correct value.
The next three statements—DatabasePath, LogPath, and SysvolPath—appear in every Dcpromo answer file, no matter what the DC's role, because every DC needs a copy of the AD database (and therefore must know in what location to put the database and log files) and a Sysvol. In this simple example, I've used %systemroot% as the path for each. You almost certainly wouldn't use the same path on a real-world DC; you can dramatically improve a DC's performance by putting the database and log files on separate physical drives. The %systemroot% environment variable simply refers to the drive and directory (e.g., C:\winnt, D:\windows) on which you've installed the OS.
An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...
Let Your Users Reset Their Own Passwords: Free Download Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.
Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!
Deep Dive into VMware vSphere, eLearning Series Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Previous
Register
