Creating an Unattend Installation File for DCPROMO in Windows Server 2008

July 29, 2011 by Rakesh Boraiah


This article describes the syntax used to build answer files for unattended installations of Active Directory Domain Services (AD DS) on Windows Server 2008-based domain controllers. An unattended installation using an answer file is not as hard as it sounds, and it runs without any user interaction. Using the answer file (sometimes called the unattend file) eliminates the need for an administrator to interact with the DCPROMO wizard, which matters most when a Server Core machine is to act as a DC. You can read more about Active Directory on Windows Server 2008 core installations in my “Installing Active Directory on Windows 2008 Server Core” article. You can also use answer files to remove AD DS in unattended mode. A similar article describes the basics of the unattend file in Windows 2000/2003: “How do I automatically upgrade a server to a domain controller during installation?”.

One method of creating the unattend file is to copy a sample and paste it into a text file by hand; the next section covers this process. Another method is to run the DCPROMO wizard on a different server, save the configuration into a text file when finished, and then press Cancel. That method is described further below.

Manually creating the unattend file

The unattend file can be manually created, and the fields in it properly populated. Here are some examples.

Note: Fields in the “[DCInstall]” section of the answer file specify the details of the installation or removal operation. This article discusses installation options only; you can read more about the other options in KB 947034 (http://support.microsoft.com/kb/947034).

The following list provides the common fields that are used for each operation. The default values are used if the option is not specified.

[DCINSTALL]
InstallDNS=yes
NewDomain=forest
NewDomainDNSName=petrilab.local
DomainNetBiosName=petrilab
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=domain
ForestLevel=3
DomainLevel=3
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
RebootOnCompletion=yes
SYSVOLPath="%systemroot%\SYSVOL"
SafeModeAdminPassword=P@ssw0rd1

A note about some of the fields appearing in the above example:

DomainLevel – This entry specifies the domain functional level. This entry is based on the levels that exist in the forest when a new domain is created in an existing forest. Value descriptions are as follows:

  • 0 = Windows 2000 Server native mode
  • 2 = Windows Server 2003
  • 3 = Windows Server 2008

ForestLevel – This entry specifies the forest functional level when a new domain is created in a new forest as follows:

  • 0 = Windows 2000 Server
  • 2 = Windows Server 2003
  • 3 = Windows Server 2008

You must not use this entry when you install a new domain controller in an existing forest. The ForestLevel entry replaces the SetForestVersion entry that is available in Windows Server 2003.

RebootOnSuccess – This entry specifies whether the computer must be restarted after AD DS has been installed or removed successfully. A restart is always required to complete a change in an AD DS role. Possible values are Yes | No | NoAndNoPromptEither.

For child domain installations:

[DCINSTALL]
ParentDomainDNSName=petrilab.local
UserName=administrator
UserDomain=petrilab
Password=P@ssw0rd1
NewDomain=child
ChildName=test
SiteName=Default-First-Site-Name
DomainNetBiosName=test
ReplicaOrNewDomain=domain
DomainLevel=3
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=administrator
DNSDelegationPassword=P@ssw0rd1
SafeModeAdminPassword=P@ssw0rd1
RebootOnCompletion=yes

A note about some of the fields appearing in the above example:

CreateDNSDelegation – This entry indicates whether to create a DNS delegation that references this new DNS server. This entry is valid for AD DS–integrated DNS only.

DNSDelegationPassword – This entry specifies the password for the user account that is used to create or remove the DNS delegation. Specify * to prompt the user to enter credentials.

DNSDelegationUserName – This entry specifies the user name to be used when the DNS delegation is created or removed. If you do not specify a value, the account credentials that you specify for the installation or removal of AD DS are used for the DNS delegation.

SiteName – This entry specifies the site name when you install a new forest; the default for a new forest is “Default-First-Site-Name”. For all other scenarios, a site is selected by using the current site and the subnet configuration of the forest.

For a new tree in existing forest installations:

[DCINSTALL]
UserName=administrator
UserDomain=petrilab
Password=P@ssw0rd1
NewDomain=tree
NewDomainDNSName=otherlab.local
SiteName=Default-First-Site-Name
DomainNetBiosName=otherlab
ReplicaOrNewDomain=domain
DomainLevel=3
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
InstallDNS=yes
CreateDNSDelegation=yes
DNSDelegationUserName=administrator
DNSDelegationPassword=P@ssw0rd1
SafeModeAdminPassword=P@ssw0rd1
RebootOnCompletion=yes

For additional domain controller installations:

[DCINSTALL]
UserName=administrator
UserDomain=petrilab
Password=P@ssw0rd1
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=replica
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
InstallDNS=yes
ConfirmGC=yes
SafeModeAdminPassword=P@ssw0rd1
RebootOnCompletion=yes

For additional domain controller installations that use the Install From Media (IFM) method:

[DCINSTALL]
UserName=administrator
UserDomain=petrilab
Password=P@ssw0rd1
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
SafeModeAdminPassword=P@ssw0rd1
CriticalReplicationOnly=no
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=petrilab.local
ReplicationSourceDC=dc1.petrilab.local
ReplicateFromMedia=yes
ReplicationSourcePath=<The local drive and the path of the backup>
RebootOnCompletion=yes

A note about some of the fields appearing in the above example:

ReplicateFromMedia – Instructs the process to pick up the Active Directory information from an Install From Media (IFM) file.

ReplicationSourcePath – This entry specifies the location of the installation files (the IFM files) that are used to create a new domain controller.

For Read Only Domain Controller (RODC) installations:

[DCINSTALL]
UserName=administrator
UserDomain=petrilab
Password=P@ssw0rd1
PasswordReplicationDenied=<The names of the user, group, and computer accounts whose passwords are not to be replicated to this RODC>
PasswordReplicationAllowed=<The names of the user, group, and computer accounts whose passwords can be replicated to this RODC>
DelegatedAdmin=<The user or group account name that will install and administer the RODC>
SiteName=Default-First-Site-Name
CreateDNSDelegation=no
CriticalReplicationOnly=yes
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=petrilab.local
DatabasePath="%systemroot%\NTDS"
LogPath="%systemroot%\NTDS"
SYSVOLPath="%systemroot%\SYSVOL"
InstallDNS=yes
ConfirmGC=yes
RebootOnCompletion=yes

A note about some of the fields appearing in the above example:

PasswordReplicationAllowed – This entry specifies the names of computer accounts and user accounts whose passwords can be replicated to this RODC. Specify “NONE” (no quotation marks) if you want to keep the value empty. By default, no user credentials will be cached on this RODC. To specify more than one security principal, add the entry multiple times.

PasswordReplicationDenied – This entry specifies the names of the user, group, and computer accounts whose passwords are not to be replicated to the RODC. Specify “NONE” (no quotation marks) if you do not want to deny the replication of credentials for any users or computers. To specify more than one security principal, add the entry multiple times.

Save the file as a text file; you can give it any name you want.
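
An added example, not part of the original article: a small Python pre-flight check, meant to be run on an admin workstation before the file is copied to the server, that flags the answer-file problems this page touches on (credentials stored in clear text, typographic quotes or stray spaces picked up when pasting, unknown functional levels, and ForestLevel used outside a new forest). The sample file, the account names in it, and the function names are constructed for illustration.

```python
# Credential fields in the article's samples; PasswordReplication* hold names.
SECRET_KEYS = {"password", "safemodeadminpassword", "dnsdelegationpassword"}
LEVELS = {"0", "2", "3"}            # functional-level values the article lists
CURLY = "\u201c\u201d\u2018\u2019"  # typographic quotes picked up from web pages

# Constructed sample: an RODC-style file with defects seeded for the demo.
SAMPLE = """[DCINSTALL]
Password=ExamplePlaceholder1
PasswordReplicationAllowed =LAB\\BranchUsers
PasswordReplicationAllowed=LAB\\BranchPCs
ReplicaOrNewDomain=ReadOnlyReplica
ForestLevel=3
DatabasePath=\u201d%systemroot%\\NTDS\u201d
DNSDelegationPassword=*
"""

def parse(text):
    """Return [(line_no, key, raw_value)]; a list because entries may repeat."""
    entries, in_section = [], False
    for no, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if s.startswith("["):
            in_section = s.lower() == "[dcinstall]"
        elif in_section and "=" in s:
            key, value = s.split("=", 1)
            entries.append((no, key, value))
    return entries

def audit(text):
    """Return [(line_no, key, problem)] for the text of an answer file."""
    entries, findings = parse(text), []
    values = {k.strip().lower(): v.strip().lower() for _, k, v in entries}
    for no, key, value in entries:
        name, val = key.strip().lower(), value.strip()
        if key != key.strip() or value != val:
            findings.append((no, key.strip(), "whitespace around '='"))
        if any(c in val for c in CURLY):
            findings.append((no, key.strip(), "typographic quotes in value"))
        # '*' = prompt (article: DNSDelegationPassword); for the others, assumed.
        if name in SECRET_KEYS and val not in ("", "*"):
            findings.append((no, key.strip(), "plaintext credential in file"))
        if name in ("domainlevel", "forestlevel") and val not in LEVELS:
            findings.append((no, key.strip(), "unknown functional level"))
        if name == "forestlevel" and values.get("newdomain") != "forest":
            findings.append((no, key.strip(), "ForestLevel outside a new forest"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Any file that reports a plaintext credential should be kept off shared locations and removed once the promotion has finished.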

Creating the unattend file through DCPROMO

Another method of creating the file is to run the DCPROMO wizard on a different server, save the configuration into a text file when finished, and then press Cancel. This is a feature new to Windows Server 2008. Log on as an administrator to a demo server, and run DCPROMO from the command prompt or Run menu. Follow the wizard, providing the necessary information as you pass from screen to screen.

Then, at the Summary screen, press the Export Settings button.

The only issue with this method is that the DCPROMO wizard will not let you continue through the various pages without performing a requirements check as you go from screen to screen. That is, you cannot use a running DC to run DCPROMO just to create the unattend file. Also, you cannot use DCPROMO to create an unattend file for a replica DC if your Active Directory is not yet up and running.

Running the DCPROMO process with the unattend file

To run the Active Directory Domain Services Installation Wizard in unattended mode, use the following command at a command prompt:

dcpromo /unattend:<path of the answer file>
