Pete Hinchley: Create a New Active Directory Domain using PowerShell

In this post we will use PowerShell to convert a Windows Server 2012 R2 workgroup server into the first domain controller of a new domain in a new Active Directory forest. We will then create a simple organisational unit structure and create two new user accounts.

Let's start by logging onto the workgroup server, opening an elevated PowerShell prompt, and running the following command to install the Active Directory domain services feature:

Add-WindowsFeature -Name AD-Domain-Services

To create a new domain named lab.hinchley.net within a new forest, where both the forest and domain are deployed with a functional level of Windows Server 2012 R2, run the following command:

Install-ADDSForest -DomainName "lab.hinchley.net" -DomainNetBiosName "LAB" -ForestMode "Win2012R2" -DomainMode "Win2012R2" -InstallDns:$true -Confirm:$false

Provide a SafeModeAdministratorPassword (the Directory Services Restore Mode password) when prompted.

The command will configure the domain with a NetBIOS name of LAB, automatically install and configure DNS, and restart the server.

After the server has restarted, log in as the new domain administrator (the password is unchanged from the workgroup administrator account previously used), and open an elevated PowerShell prompt.
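Before creating any objects it is worth confirming that the promotion produced the forest and domain described above. The following script is an added example, not part of the original post: it assumes the ActiveDirectory module is present (it is installed as part of the promotion) and that the domain, NetBIOS name and functional levels match the command used above; the check names and the Test-NewForest function are the example's own.

```powershell
# Added example: verify the newly promoted domain controller before proceeding.
# Assumes the names below match the Install-ADDSForest command run earlier.
Import-Module ActiveDirectory

$expected = @{
  DnsRoot    = 'lab.hinchley.net'
  NetBios    = 'LAB'
  ForestMode = 'Windows2012R2Forest'   # value as reported by Get-ADForest
  DomainMode = 'Windows2012R2Domain'   # value as reported by Get-ADDomain
}

function Test-NewForest {
  param([hashtable] $Expected)

  $forest = Get-ADForest
  $domain = Get-ADDomain
  $dc     = Get-ADDomainController -Identity $env:COMPUTERNAME

  # Clients locate domain controllers through this SRV record; it must exist in DNS.
  $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($Expected.DnsRoot)" -Type SRV -ErrorAction SilentlyContinue

  # Core services that must be running on a healthy domain controller.
  $services = Get-Service -Name NTDS, DNS, Netlogon, Kdc -ErrorAction SilentlyContinue

  $checks = [ordered]@{
    'Forest root domain'   = ($forest.RootDomain -eq $Expected.DnsRoot)
    'Forest mode'          = ("$($forest.ForestMode)" -eq $Expected.ForestMode)
    'Domain mode'          = ("$($domain.DomainMode)" -eq $Expected.DomainMode)
    'NetBIOS name'         = ($domain.NetBIOSName -eq $Expected.NetBios)
    'Global catalog'       = [bool] $dc.IsGlobalCatalog
    'Holds all FSMO roles' = ($dc.OperationMasterRoles.Count -eq 5)   # first DC owns all five
    'DC SRV record in DNS' = ((@($srv | Where-Object { $_.Type -eq 'SRV' })).Count -ge 1)
    'AD services running'  = (@($services).Count -eq 4 -and -not ($services | Where-Object Status -ne 'Running'))
  }

  foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    Write-Output ('{0,-22} {1}' -f $name, $state)
  }

  # $true only when every check passed.
  return -not ($checks.Values -contains $false)
}

Test-NewForest -Expected $expected
```

Run it from the elevated prompt on the new domain controller; any FAIL line is a reason to stop and investigate before populating the directory.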

We will now create a collection of organisational units named User Accounts, Groups, Servers, Workstations, Administrator Accounts and Service Accounts by running the following command:

# Create each OU at the root of the domain (the default path when -Path is omitted).
@('User Accounts', 'Groups', 'Servers', 'Workstations', 'Administrator Accounts', 'Service Accounts') | ForEach-Object {
  New-ADOrganizationalUnit -Name $_
}

We will now create a new standard user named phinchley within the User Accounts organisational unit with the following command:

New-ADUser -Name phinchley -SamAccountName phinchley -DisplayName "Peter Hinchley" -GivenName Peter -Surname Hinchley -UserPrincipalName phinchley@lab.hinchley.net -Path "ou=User Accounts,dc=lab,dc=hinchley,dc=net" -AccountPassword (Read-Host "Password" -AsSecureString) -ChangePasswordAtLogon $false -Enabled $true

Enter the password to be assigned to the user when prompted.

We will use a similar command to create an administrator named phinchley.a in the Administrator Accounts organisational unit:

New-ADUser -Name phinchley.a -SamAccountName phinchley.a -DisplayName "Peter Hinchley (Admin)" -GivenName Peter -Surname Hinchley -UserPrincipalName phinchley.a@lab.hinchley.net -Path "ou=Administrator Accounts,dc=lab,dc=hinchley,dc=net" -AccountPassword (Read-Host "Password" -AsSecureString) -ChangePasswordAtLogon $false -Enabled $true
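The OU and user commands above fail if they are run a second time, because New-ADOrganizationalUnit and New-ADUser throw when the object already exists. The following script is an added example, not part of the original post: it creates the same OUs and the same two accounts idempotently, using splatting so the account attributes sit in one place. The New-OUIfMissing and New-LabUser functions are the example's own, and the AccountNotDelegated setting on the administrator account is an addition the post does not make (it marks the account as sensitive so it cannot be used with Kerberos delegation).

```powershell
# Added example: build the OU structure and the two accounts from the post so the
# script can be re-run safely. Assumes the domain lab.hinchley.net from the post.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName     # e.g. DC=lab,DC=hinchley,DC=net

$ouNames = 'User Accounts', 'Groups', 'Servers', 'Workstations',
           'Administrator Accounts', 'Service Accounts'

function New-OUIfMissing {
  param([string] $Name, [string] $ParentDn)
  # Get-ADOrganizationalUnit -Identity throws when the OU is absent, so search with a filter.
  $existing = Get-ADOrganizationalUnit -Filter "Name -eq '$Name'" -SearchBase $ParentDn -SearchScope OneLevel
  if ($existing) { return $existing }
  New-ADOrganizationalUnit -Name $Name -Path $ParentDn -ProtectedFromAccidentalDeletion $true -PassThru
}

function New-LabUser {
  param([hashtable] $Spec, [securestring] $Password)
  # Get-ADUser -Filter returns nothing (no error) when the account does not exist.
  if (Get-ADUser -Filter "SamAccountName -eq '$($Spec.SamAccountName)'") {
    Write-Output "User $($Spec.SamAccountName) already exists, skipping"
    return
  }
  $params = $Spec.Clone()
  $params.AccountPassword = $Password
  New-ADUser @params -PassThru
}

# Account definitions; every key is a New-ADUser parameter name.
$users = @(
  @{
    Name = 'phinchley'; SamAccountName = 'phinchley'; DisplayName = 'Peter Hinchley'
    GivenName = 'Peter'; Surname = 'Hinchley'; UserPrincipalName = 'phinchley@lab.hinchley.net'
    Path = "OU=User Accounts,$domainDn"; ChangePasswordAtLogon = $false; Enabled = $true
  },
  @{
    Name = 'phinchley.a'; SamAccountName = 'phinchley.a'; DisplayName = 'Peter Hinchley (Admin)'
    GivenName = 'Peter'; Surname = 'Hinchley'; UserPrincipalName = 'phinchley.a@lab.hinchley.net'
    Path = "OU=Administrator Accounts,$domainDn"; ChangePasswordAtLogon = $false; Enabled = $true
    AccountNotDelegated = $true   # addition: admin account is sensitive and cannot be delegated
  }
)

foreach ($ou in $ouNames) {
  New-OUIfMissing -Name $ou -ParentDn $domainDn | Out-Null
}

foreach ($u in $users) {
  $pw = Read-Host "Password for $($u.SamAccountName)" -AsSecureString
  New-LabUser -Spec $u -Password $pw | Select-Object SamAccountName, DistinguishedName
}
```

Running the script twice leaves the directory unchanged the second time, which makes it usable as a build script for a lab that is rebuilt often.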

And on a side note, if you later need to add an additional domain controller to the domain, run the following on the new server after installing the AD-Domain-Services feature; the credential prompt expects an account permitted to promote domain controllers:

Install-ADDSDomainController -DomainName "lab.hinchley.net" -InstallDns:$true -Credential (Get-Credential) -Confirm:$false

That's it until next time.