2K8 Unattended DCPROMO

Help and Support

How to use unattended mode to install and remove Active Directory

Domain Services on Windows Server 2008-based domain controllers

Beta Information

This article discusses a beta release of a Microsoft product. The information in

this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this beta product. For

information about how to obtain support for a beta release, see the documentation that is included with the beta

product files, or check the Web location where you downloaded the release.

On This Page

Article ID : 947034

Last Review : February 5, 2008

Revision : 1.3

SUMMARY

INTRODUCTION

MORE INFORMATION

Field values

Field definitions

Installation operation parameters

Removal operation parameters

Unattended installation return codes

REFERENCES

SUMMARY

This article describes the syntax that you use to build answer files to perform unattended installations of Active

Directory Domain Services on Windows Server 2008-based domain controllers. You can also use the answer

files to remove AD DS in unattended mode.

INTRODUCTION

The Active Directory Domain Services Installation Wizard (Dcpromo.exe) performs the following tasks:

You can use this wizard together with an answer file to perform these tasks in unattended mode.

MORE INFORMATION

The answer file is an ASCII text file that provides automated user input for each page of the Active Directory Domain

Services Installation Wizard.

To run the Active Directory Domain Services Installation Wizard in unattended mode, use the following command at a

command prompt:

dcpromo /unattend:<path of the answer file>

Note The <path of the answer file> placeholder represents the path of the answer file that will be used to install or

remove AD DS. You must be logged on as a local administrator for the computer to run this command.

Field values

Fields in the "[DCInstall]" section of the answer file specify the details of the installation or removal operation. The

following list provides the common fields that are used for each operation. The default values are used if the option is

not specified. The default values for these fields are described in the "Field definitions" section.

• Installs Active Directory Domain Services (AD DS) on Windows Server 2008-based workgroup servers and

member servers

• Removes AD DS from Windows Server 2008-based domain controllers

of 11How to use unattended mode to install and remove Active Directory Domain Services on ...

4/29/2008http://support.microsoft.com/kb/947034

• For new forest installations, the following options apply:

[DCINSTALL]

InstallDNS=yes

NewDomain=forest

NewDomainDNSName=<The fully qualified Domain Name System (DNS) name>

DomainNetBiosName=<By default, the first label of the fully qualified DNS name>

SiteName=<Default-First-Site-Name>

ReplicaOrNewDomain=domain

ForestLevel=<The forest functional level number>

DomainLevel=<The domain functional level number>

DatabasePath="<The path of a folder on a local volume>"

LogPath="<The path of a folder on a local volume>"

RebootOnCompletion=yes

SYSVOLPath="<The path of a folder on a local volume>"

SafeModeAdminPassword=<The password for an offline administrator account>

• For child domain installations, the following options apply:

[DCINSTALL]

ParentDomainDNSName=<Fully qualified DNS name of parent domain>

UserName=<The administrative account in the parent domain>

UserDomain=<The name of the domain of the user account>

Password=<The password for the user account> Specify * to prompt the user for credentials during the

installation.

NewDomain=child

ChildName=<The single-label DNS name of the new domain>

SiteName=<The name of the AD DS site in which this domain controller will reside> This site must be

created in advance in the Dssites.msc snap-in.

DomainNetBiosName=<The first label of the fully qualified DNS name>


DomainLevel=<The domain functional level number> This value cannot be less than the current value of

the forest functional level.




InstallDNS=yes

CreateDNSDelegation=yes

DNSDelegationUserName= <The account that has permissions to create a DNS delegation> The account

that is being used to install AD DS may differ from the account in the parent domain that has the

permissions that are required to create a DNS delegation. In this case, specify the account that can

create the DNS delegation for this parameter. Specify * to prompt the user for credentials during the

installation.

DNSDelegationPassword= <The password for the account that is specified for

DNSDelegationUserName> Specify * to prompt the user for a password during the installation.



• For a new tree in existing forest installations, the following options apply:

[DCINSTALL]

UserName=<An administrative account in the parent domain>


Password=<The password for the adminstrative account> Specify * to prompt the user for credentials

during the installation.

NewDomain=tree

NewDomainDNSName=<The fully qualified DNS name of the new domain>



DomainNetBiosName=<The first label of the fully qualified DNS name>


DomainLevel=<The domain functional level number>




InstallDNS=yes



CreateDNSDelegation=yes

DNSDelegationUserName= <The account that has permissions to create a DNS delegation> The account

that is being used to install AD DS may differ from the account in the parent domain that has the

permissions that are required to create a DNS delegation. In this case, specify the account that can

create the DNS delegation for this parameter. Specify * to prompt the user for credentials during the

installation.

DNSDelegationPassword=<The password for the account that is specified for DNSDelegationUserName>

Specify * to prompt the user for a password during the installation.



• For additional domain controller installations, the following options apply:

[DCINSTALL]

UserName=<The administrative account in the domain of the new domain controller>

UserDomain=<The name of the domain of the new domain controller>

Password=<The password for the UserName account>



ReplicaOrNewDomain=replica




InstallDNS=yes

ConfirmGC=yes



• For additional domain controller installations that use the Install From Media (IFM) method, the following

options apply:

[DCINSTALL]



UserDomain=<The name of the domain of the UserName account>




SafeModeAdminPassword=<The password of an offline administrator account>

CriticalReplicationOnly=no



ReplicaOrNewDomain=replica

ReplicaDomainDNSName=<The fully qualified domain name (FQDN) of the domain in which you want to

add an additional domain controller>

ReplicationSourceDC=<An existing domain controller in the domain>

ReplicateFromMedia=yes

ReplicationSourcePath=<The local drive and the path of the backup>


• For read-only domain controller (RODC) installations, the following options apply:

[DCINSTALL]



PasswordReplicationDenied=<The names of the user, group, and computer accounts whose passwords

are not to be replicated to this RODC>

PasswordReplicationAllowed =<The names of the user, group, and computer accounts whose passwords

can be replicated to this RODC>

DelegatedAdmin=<The user or group account name that will install and administer the RODC>

SiteName=Default-First-Site-Name

CreateDNSDelegation=no

CriticalReplicationOnly=yes


ReplicaOrNewDomain=ReadOnlyReplica

ReplicaDomainDNSName=<The FQDN of the domain in which you want to add an additional domain



Field definitions

This section describes the fields and the entries that you can use in the answer file. The default value for each entry

appears in bold text.

Installation operation parameters

AllowDomainReinstall

controller>

DatabasePath= "<The path of a folder on a local volume>"



InstallDNS=yes

ConfirmGC=yes


• For removal of AD DS, the following options apply:

[DCINSTALL]

UserName=<An administrative account in the domain>

UserDomain=<The domain name of the administrative account>


AdministratorPassword=<The local administrator password for the server>

RemoveApplicationPartitions=yes

RemoveDNSDelegation=yes

DNSDelegationUserName=<The DNS server administrative account for the DNS zone that contains the

DNS delegation>

DNSDelegationPassword=<The password for the DNSDelegationUserName account>


• For removal of AD DS from the last domain controller in a domain, the following options apply:

[DCINSTALL]


UserDomain=<The domain name of the UserName account>

Password=<The password for the UserName account> Specify * to prompt the user for credentials


IsLastDCInDomain=yes


RemoveApplicationPartitions=If you want to remove the partitions, specify "yes" (no quotation marks)

for this entry. If you want to keep the partitions, this entry is optional.



DNS delegation>

DNSDelegationPassword=<The password for the DNS server administrative account>


• For removal of the last domain controller in a forest, the following options apply:

[DCINSTALL]


UserDomain=<The domain name of the UserName account>

Password=<The password for the UserName account> Specify * to prompt the user for credentials


IsLastDCInDomain=yes


RemoveApplicationPartitions=If you want to remove the partitions, specify "yes" (no quotation marks)

for this entry. If you want to keep the partitions, this entry is optional.



DNS delegation>

DNSDelegationPassword=<The password for the DNS server administrative account>


• Yes | No



AllowDomainControllerReinstall

ApplicationPartitionsToReplicate

ChildName

ConfirmGc

CreateDNSDelegation

CriticalReplicationOnly

DatabasePath

DelegatedAdmin

DNSDelegationPassword

• This entry specifies whether an existing domain is re-created.

• Yes | No

• This entry specifies whether to continue to install this domain controller even though an active domain

controller account that uses the same name is detected. Specify "Yes" (no quotation marks) only if you are

sure that the account is no longer being used.

• No default

• This entry specifies the application partitions that have to be replicated in the format ""partition1" "partition2"".

If * is specified, all application partitions will be replicated. Use space-separated or comma-and-space-

separated distinguished names. Enclose the whole string in quotation marks.

• No default

• This is the name of the subordinate domain that is appended to the ParentDomainDNSName entry. If the

parent domain is "A.COM," and the subordinate domain is "B," enter "B.A.COM and B" ( no quotation marks)

for ChildName.

• Yes | No

• This entry specifies whether the replica is also a global catalog. "Yes" makes the replica a global catalog if the

backup was a global catalog. "No" does not make the replica a global catalog. (These entries do not require

quotation marks.)

• Yes | No

• No default

• This entry indicates whether to create a DNS delegation that references this new DNS server. This entry is valid

for AD DS–integrated DNS only.

• Yes | No

• This entry specifies whether the installation operation performs only important replication before a restart and

then skips the noncritical and potentially lengthy part of replication. The noncritical replication occurs after the

role installation is complete, and the computer restarts.

• %systemroot%\NTDS

• This entry is the path of the fully qualified, non-Universal Naming Convention (UNC) directory on a hard disk of

the local computer. This directory will host the AD DS database (NTDS.DIT). If the directory exists, it must be

empty. If it does not exist, it will be created. Free disk space on the logical drive that is selected must be 200

megabytes (MB). To accommodate rounding errors or all objects in the domain, free disk space may have to be

larger. For best performance, locate the directory on a dedicated hard disk.

• No default

• This entry specifies the name of the user or the group who will install and administer the RODC. If no value is

specified, only members of the Domain Admins group or the Enterprise Admins group can install and

administer the RODC.



DNSDelegationUserName

DNSOnNetwork

DomainLevel

DomainNetbiosName

ForestLevel

InstallDNS

LogPath

• <Password> | *

• No default

• This entry specifies the password for the user account that is used to create or remove the DNS delegation.

Specify * to prompt the user to enter credentials.

• No default

• This entry specifies the user name to be used when the DNS delegation is created or removed. If you do not

specify a value, the account credentials that you specify for the installation or removal of AD DS are used for

the DNS delegation.

• Yes | No

• This entry specifies whether the DNS service is available on the network. This entry is used only when the

network adapter for this computer is not configured to use the name of a DNS server for name resolution.

Specify "No" (no quotation marks) to indicate that DNS will be installed on this computer for name resolution.

Otherwise, the network adapter must be configured to use a DNS server name first.

• 0 | 2 | 3

• No default

• This entry specifies the domain functional level. This entry is based on the levels that exist in the forest when a

new domain is created in an existing forest. Value descriptions are as follows:

• 0 = Windows 2000 Server native mode

• 2 = Windows Server 2003


• No default

• This entry is the NetBIOS name that is used by pre-AD DS clients to access the domain. The

DomainNetbiosName must be unique on the network.

• 0 | 2 | 3

• This entry specifies the forest functional level when a new domain is created in a new forest as follows:

You must not use this entry when you install a new domain controller in an existing forest. The ForestLevel

entry replaces the SetForestVersion entry that is available in Windows Server 2003.

• 0 = Windows 2000 Server



• Yes | No

• The default value changes depending on the operation. For a new forest, the DNS server role is installed by

default. For a new tree, a new child domain, or a replica, a DNS server is installed by default if an existing DNS

infrastructure is detected by the Active Directory Domain Services Installation Wizard. If no existing DNS

infrastructure is detected by the wizard, a DNS server is not installed by default.

• This entry specifies whether DNS is configured for a new domain if the Active Directory Domain Services

Installation Wizard detects that the DNS dynamic update protocol is not available. This entry also applies if the

wizard detects an insufficient number of DNS servers for an existing domain.

•



NewDomain

NewDomainDNSName

ParentDomainDNSName

Password

PasswordReplicationAllowed

PasswordReplicationDenied

RebootOnCompletion

RebootOnSuccess

ReplicaDomainDNSName

%systemroot%\NTDS

• This is the path of the fully qualified, non-UNC directory on a hard disk on the local computer that will host the

AD DS log files. If the directory exists it must be empty. If it does not exist, it will be created.

• Tree | Child | Forest

• "Tree" means the new domain is the root of a new tree in an existing forest. "Child" means the new domain is a

child of an existing domain. "Forest" means the new domain is the first domain in a new forest of domain trees.

• No default

• This entry is used in "new tree in existing forest" or "new forest" installations. The value is a DNS domain name

that is currently not being used.

• No default

• This entry specifies the name of an existing parent DNS domain for a child domain installation.

• <Password> | *

• No default

• This entry specifies the password that corresponds to the user account that is used to configure the domain

controller. Specify * to prompt the user to enter credentials. For protection, passwords are removed from the

answer file following an installation. Passwords must be redefined every time that an answer file is used.

• <Security_Principal> | NONE

• No default

• This entry specifies the names of computer accounts and user accounts whose passwords can be replicated to

this RODC. Specify "NONE" (no quotation marks) if you want to keep the value empty. By default, no user

credentials will be cached on this RODC. To specify more than one security principal, add the entry multiple

times.

• <Security_Principal> | NONE

• This entry specifies the names of the user, group, and computer accounts whose passwords are not to be

replicated to the RODC. Specify "NONE" (no quotation marks) if you do not want to deny the replication of

credentials for any users or computers. To specify more than one security principal, add the entry multiple

times.

• Yes | No

• This entry specifies whether to restart the computer after you install or remove AD DS regardless of whether

the operation was successful.

• Yes | No | NoAndNoPromptEither

• This entry specifies whether the computer must be restarted after AD DS has been installed or removed

successfully. A restart is always required to complete a change in an AD DS role.

• No default

•



ReplicaOrNewDomain

ReplicationSourceDC

ReplicationSourcePath

SafeModeAdminPassword

SiteName

SkipAutoConfigDNS

Syskey

SYSVOLPath

TransferIMRoleIfNeeded

This entry specifies the FQDN of the domain in which you want to configure an additional domain controller.

• Replica | ReadOnlyReplica | Domain

• This entry is used only for new installations. "Domain" (no quotation marks) converts the server into the first

domain controller of a new domain. "ReadOnlyReplica" (no quotation marks) converts the server into a RODC.

"Replica" (no quotation marks) converts the server into an additional domain controller.

• No default

• This entry specifies the FQDN of the partner domain controller from which AD DS data is replicated to create

the new domain controller.

• No default

• This entry specifies the location of the installation files that are used to create a new domain controller.

• <Password> | NONE

• No default

• This entry is used to supply the password for the offline administrator account that is used in Directory Service

Restore Mode. You cannot specify an empty password.

• Default-First-Site-Name

• This entry specifies the site name when you install a new forest. For a new forest, the default is Default-First-

Site-Name. For all other scenarios, a site will be selected by using the current site and the subnet configuration

of the forest.

• No default

• This entry is for expert users who want to skip automatic configuration of client settings, forwarders, and root

hints. The entry is only in effect if the DNS Server service is already installed on the server. In this case, you

will receive an informational message that confirms that the automatic configuration of DNS was skipped.

Otherwise, this entry is ignored. If you specify this switch, make sure that zones are created and configured

correctly before you install AD DS, or the domain controller will not operate correctly. This entry does not skip

automatic creation of the DNS delegation in the parent DNS zone. To control DNS delegation creation, use the

DNSDelegation entry.

• <system_key> | NONE

• This entry specifies the system key for the media from which you replicate the data.

• %systemroot%\SYSVOL

• This entry specifies a fully qualified, non-UNC directory on the hard disk of the local computer. This directory

will host the AD DS log files. If the directory already exists, it must be empty. If it does not exist it will be

created. The directory must be located on a partition that was formatted by using the NTFS 5.0 file system.

Locate the directory on a different physical hard disk than the operating system for best performance.

• Yes | No

• This entry specifies whether to transfer the infrastructure master role to this domain controller. This entry is



UserDomain

UserName

Removal operation parameters

AdministratorPassword

DemoteFSMO

DNSDelegationPassword

DNSDelegationUserName

IgnoreIsLastDcInDomainMismatch

IgnoreIsLastDNSServerForZone

IsLastDCInDomain

useful if the domain controller is currently hosted on a global catalog server, and you do not plan to make the

domain controller a global catalog server. Specify "Yes" (no quotation marks) to transfer the infrastructure

master role to this domain controller. If you specify "Yes," make sure that you specify the ConfirmGC=No

entry.

• No default

• This entry specifies the domain name for the user account that is used for install AD DS on a server.

• No default

• This entry specifies the user account name that is used for installing AD DS on a server. We recommend that

you specify the account credentials in the <domain>\<user_name> format.

• No default

• This entry is used to specify the local administrator password when you remove AD DS from a domain

controller.

• Yes | No

• This entry indicates whether a forced removal happens even if an operations master role is held by the domain

controller.

• <Password> | *

• No default

• This entry specifies the password for the user account that is used to create or to remove the DNS delegation.

Specify * to prompt the user to enter credentials.

• No default

• This entry specifies the user name to be used when the DNS delegation is created or removed. If you do not

specify a value, the account credentials that you specify for the AD DS installation or for the AD DS removal are

used for the DNS delegation.

• Yes | No

• This entry specifies whether to continue the removal of AD DS from the domain controller when either the

IsLastDCInDomain=Yes entry is specified or the Active Directory Domain Services Installation Wizard detects

that there is actually another active domain controller in the domain. This entry also applies to a scenario in

which the IsLastDCInDomain=No entry is specified, and the wizard cannot contact any other domain controller

in the domain.

• Yes | No

• This entry specifies whether to continue removing AD DS even though the domain controller is the last DNS

server for one or more AD DS-integrated DNS zones that the domain controller hosts.

• Yes | No

• This entry specifies whether the domain controller from which you remove AD DS is the last domain controller



Password

RebootOnCompletion

RebootOnSuccess

RemoveApplicationPartitions

RemoveDNSDelegation

RetainDCMetadata

UserDomain

UserName

Unattended installation return codes

The Active Directory Domain Services Installation Wizard returns a success code or a failure code after you complete

the unattended installation of a Windows Server 2008-based domain controller. For more information about the

unattended installation return codes, visit the following Microsoft Web site:

http://207.46.196.114/windowsserver2008/en/library/d2521765-9e7b-44b6-9021-496908f4b9521033.mspx?

mfr=true (http://207.46.196.114/windowsserver2008/en/library/d2521765-9e7b-44b6-9021-496908f4b9521033.mspx?mfr=tru

e)

in the domain.

• <Password> | *

• No default

• This entry specifies the password that corresponds to the user account that is used to configure the domain

controller. Specify * to prompt the user to enter credentials. For protection, passwords are removed from the

answer file after you install AD DS. Passwords must be redefined every time that an answer file is used.

• Yes | No

• This entry specifies whether to restart the computer after you install or remove AD DS regardless of whether

the operation was successful.

• Yes | No | NoAndNoPromptEither

• Determines whether the computer must be restarted after AD DS has been successfully installed or removed. A

restart is always required to complete a change in an AD DS role.

• Yes | No

• This entry specifies whether to remove application partitions when you remove AD DS from a domain

controller. "Yes" (no quotation marks) removes application partitions on the domain controller. "No" (no

quotation marks) does not remove application partitions on the domain controller. If the domain controller

hosts the last replica of any application directory partition, you must manually confirm that you must remove

these partitions.

• Yes | No

• This entry specifies whether to remove DNS delegations that point to this DNS server from the parent DNS

zone.

• Yes | No

• This entry specifies whether domain controller metadata is retained in the domain after AD DS removal so that

a delegated administrator can remove AD DS from an RODC.

• No default

• This entry specifies the domain name for the user account that is used to install AD DS.

• No default

• This entry specifies the user account name that is used to install AD DS on a server. We recommend that you

specify the account credentials in the <domain>\<user_name> format.

of 11How to use unattended mode to install and remove Active Directory Domain Services ...


Help and Support

©2008 Microsoft

REFERENCES

For more information, click the following article number to view the article in the Microsoft Knowledge Base:

223757 (http://support.microsoft.com/kb/223757/) Unattended promotion and demotion of Windows 2000 and

Windows Server 2003 domain controllers

APPLIES TO

•Windows Server 2008 Datacenter

•Windows Server 2008 Enterprise

•Windows Server 2008 Standard

Keywords: kbexpertiseadvanced kbhowto kbinfo KB947034

of 11How to use unattended mode to install and remove Active Directory Domain Services ...


2K8 Unattended DCPROMO

Documents

Transcript of 2K8 Unattended DCPROMO